enterprise information system notes for ca intermediate ... · accounting, human resource (hr)...

PRINCIPAL MR. J. K. SHAH INTER CA Information Technology Head Office Shraddha, 4th Floor, Old Nagardas Road, Near Chinai College, Andheri (E), Mumbai - 400 069. 022 - 2683 66 66 CAFCINTER CAFINAL CA THE RANKERS FACTORY


INTER C.A. - INFORMATION TECHNOLOGY

INDEX

1. AUTOMATED BUSINESS PROCESSES
2. FINANCIAL AND ACCOUNTING SYSTEMS
3. INFORMATION SYSTEMS & ITS COMPONENTS
4. E-COMMERCE, M-COMMERCE & EMERGING TECHNOLOGIES
5. CORE BANKING SYSTEMS

J.K.SHAH CLASSES INTER C.A. – I.T.

CHAPTER-1 AUTOMATED BUSINESS PROCESSES

CHAPTER OVERVIEW

ENTERPRISE BUSINESS PROCESSES
· Categories: Operational, Supporting, Management
· Automation: Objectives, Benefits, Implementation
· Risk Management and Controls
· Specific Business Processes: Procure to Pay (P2P), Order to Cash (O2C), Inventory Cycle, Human Resources, Fixed Assets, General Ledger
· Diagrammatic Representation: Flow charts, Data Flow Diagrams
· Regulatory and Compliance Requirements: The Companies Act, 2013; IT Act, 2000


1. Explain Enterprise Information System (EIS)

An Enterprise Information System (EIS) may be defined as any kind of information system which improves the functions of an enterprise's business processes by integration. This means classically offering high quality services, dealing with large volumes of data and being capable of supporting some huge and possibly complex organization or enterprise. All parts of an EIS should be usable at all levels of an enterprise as relevant. An EIS provides a technology platform that enables organizations to integrate and coordinate their business processes on a robust foundation. An EIS provides a single system that is central to the organization and ensures information can be shared across all functional levels and management hierarchies. It may be used to amalgamate existing applications. An EIS can be used to increase business productivity and reduce service cycles, product development cycles and marketing life cycles. Other outcomes include higher operational efficiency and cost savings.

For example, when a customer places an order, the data flows automatically to the other parts of the company that are affected by it, leading to enhanced coordination between these different parts of the business, which in turn lowers costs and increases customer satisfaction.

· The order transaction triggers the warehouse to pick the ordered products and schedule shipment.
· The warehouse informs the factory to replenish whatever has depleted.
· The accounting department is notified to send the customer an invoice.
· Customer service representatives track the progress of the order through every step to inform customers about the status of their orders.

2. Explain following terms:
· Business Process
· Business Process Management

Business Process:
A Business Process is an activity or set of activities that will accomplish a specific organizational goal.

Business Process Management (BPM):
Business Process Management (BPM) is a systematic approach to improving these processes.

The details of these processes are shown below:

[Figure: categories of enterprise business processes]
· Vision, Strategy, Business Management: Vision and Strategy; Business Planning, Merger Acquisition
· Operational Processes with Cross Functional Linkages: Develop and Manage Products and Services; Market and Sell Products and Services; Deliver Products and Services; Manage Customer Services
· Management and Support Processes: Human Resource Management; Information Technology Management; Financial Management; Facilities Management


3. In Enterprise Business Processes, what is the difference between Operational Processes, Supporting Processes and Management Processes? Give examples.

Depending on the organization, industry and nature of work, business processes are often broken up into different categories as shown:

Categories of Business Processes: Operational Processes, Supporting Processes, Management Processes

I. Operational Processes (or Primary Processes)
Operational or Primary Processes deal with the core business and value chain. These processes deliver value to the customer by helping to produce a product or service. Operational processes represent essential business activities that accomplish business objectives, e.g. generating revenue - Order to Cash cycle, procurement - Purchase to Pay cycle.

Order to Cash Cycle (Example)
Order to Cash (OTC or O2C) is a set of business processes that involves receiving and fulfilling customer requests for goods or services.
An order to cash cycle consists of multiple sub-processes as shown in the Fig.
· Customer Order: Customer order received is documented.
· Order Fulfillment: Order is fulfilled or service is scheduled.
· Delivery Note: Order is shipped to customer or service is performed with delivery note.
· Invoicing: Invoice is created and sent to customer.
· Collections: Customer sends payment / collection.
· Accounting: Collection is recorded in general ledger.

Fig.: Order to Cash Cycle: Customer Order → Order Fulfilment → Delivery Note → Invoicing → Collections → Accounting

II. Supporting Processes (or Secondary Processes)
Supporting Processes back core processes and functions within an organization. Examples of supporting or management processes include Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support processes is that support processes do not provide value to customers directly. However, it should be noted that hiring the right people for the right job has a direct impact on the efficiency of the enterprise.

[Figure boxes continued from the process diagram above: Legal, Regulatory, Environment, Health & Safety Management; External Relationship Management; Knowledge, Improvement and Change Management; Governance and Compliance]


Human Resource Management (Example)
The main HR Process Areas are grouped into logical functional areas and they are as follows:
· Recruitment and Staffing
· Goal Setting
· Training and Development
· Compensation and Benefits
· Performance Management
· Career Development
· Leadership Development

III. Management Processes
Management processes measure, monitor and control activities related to business procedures and systems. Examples of management processes include internal communications, governance, strategic planning, budgeting, and infrastructure or capacity management. Like supporting processes, management processes do not provide value directly to the customers. However, they have a direct impact on the efficiency of the enterprise.

Budgeting (Example)
Referring to the following Fig., in any enterprise, budgeting needs to be driven by the vision (what the enterprise plans to accomplish) and the strategic plan (the steps to get there). Having a formal and structured budgeting process is the foundation for good business management, growth and development.

Fig.: Budgeting Process: Vision → Strategic Plan → Business Goals → Revenue Projections → Cost Projections → Profit Projections → Board Approval → Budget Review

4. Explain Business Process Automation

· Business Process Automation (BPA) is the technology-enabled automation of activities or services that accomplish a specific function and can be implemented for many different functions of company activities, including sales, management, operations, supply chain, human resources, information technology, etc.
· In other words, BPA is the tactic a business uses to automate processes to operate efficiently and effectively.
· It consists of integrating applications and using software applications throughout the organization.
· BPA is the tradition of analyzing, documenting, optimizing and then automating business processes.

5. Explain the success factors while implementing BPA in an organization? Or What are the objectives of Business Process Automation (BPA) (PM) (Nov 14)

The key objectives of BPA are to provide efficient and effective business processes. The success of any business process automation shall only be achieved when BPA ensures:

· Confidentiality: To ensure that data is only available to persons who have the right to see the same;
· Integrity: To ensure that no unauthorized amendments can be made in the data, i.e. data is error free.
· Availability: To ensure that data is available as and when required.
· Timeliness: To ensure that data is made available at the right time.

In order to successfully achieve the above parameters, BPA needs to implement appropriate controls.

6. What are the benefits of Automating Business Processes?

Quality & Consistency
· Ensures that every action is performed identically, resulting in high quality, reliable results, and stakeholders will consistently experience the same level of service.

Time Saving
· Automation reduces the number of tasks employees would otherwise need to do manually.
· It frees up time to work on items that add genuine value to the business, allowing innovation and increasing employees’ levels of motivation.

Visibility
· Automated processes are controlled and consistently operate accurately within the defined timeline. It gives visibility of the process status to the organisation.

Improved Operational Efficiency
· Automation reduces the time it takes to achieve a task, the effort required to undertake it and the cost of completing it successfully.
· Automation not only ensures systems run smoothly and efficiently, but that errors are eliminated and that best practices are constantly leveraged.

Reliability
· The consistency of automated processes means stakeholders can rely on business processes to operate and offer reliable processes to customers, maintaining a competitive advantage.

Reduced Turnaround Times
· Eliminate unnecessary tasks and realign process steps to optimise the flow of information throughout production, service, billing and collection. This adjustment of processes distills operational performance and reduces the turnaround times for both staff and external customers.

Reduced Costs
· Manual tasks, given that they are performed one-at-a-time and at a slower rate than an automated task, will cost more. Automation allows you to accomplish more by utilising fewer resources.

7. Explain how to go about BPA? Explain the steps in implementing business process automation.

Business process automation is a complex task, especially for organizations involved in complex processes. In addition, it is difficult to automate all the business processes; therefore the organization should analyze the critical processes which will provide better benefits through automation.


The steps to go about implementing business process automation:

Step 1: Define why we plan to implement a BPA - The primary purpose for which an enterprise implements automation may vary from enterprise to enterprise.
§ Errors in manual processes leading to higher costs.
§ Payment processes not streamlined, due to duplicate or late payments, missing early pay discounts, and losing revenue.
§ Paying for goods and services not received.
§ Poor debtor management leading to high invoice aging and poor cash flow.
§ Not being able to find documents quickly during an audit or lawsuit or not being able to find all documents.
§ Poor customer service.

Step 2: Understand the rules / regulation under which enterprise needs to comply with - One of the most important steps in automating any business process is to understand the rules of engagement, which include the rules, adhering to regulations and document retention requirements, i.e. BPA should be as per applicable laws and policies. It is important to understand that laws may require documents to be retained for a specified number of years and in a specified format. The entity needs to ensure that any BPA adheres to the requirements of law.

Step 3: Document the process, we wish to automate - At this step, the processes which the organization wants to automate should be documented. The processes are designed on paper or with computer software. The design of the process is normally prepared with flowcharts.
The key benefits of documenting the processes are:
§ Provides clarity about the processes
§ It helps to determine the problems and issues in the processes

Step 4: Define the objectives / goals to be achieved by implementing BPA - Once the above steps have been completed, the entity needs to determine the key objectives / reasons of the process improvement activities. The BPA needs to follow the SMART principle, i.e.:
§ Specific: Clearly defined,
§ Measurable: Easily quantifiable in monetary terms,
§ Attainable: Achievable through best efforts,
§ Relevant: Entity must be in need of these, and
§ Timely: Achieved within a given time frame.

Step 5: Engage the business process consultant - To achieve BPA, the decision on which company / consultant to partner with depends upon the following:
§ Objectivity of consultant in understanding / evaluating entity situation.
§ Does the consultant have experience with entity business process?
§ Is the consultant experienced in resolving critical business issues?
§ Whether the consultant is capable of recommending and implementing a combination of hardware, software and services as appropriate to meeting enterprise BPA requirements?

Overall, the appointed consultant should help the organization to achieve the business objectives of BPA and should help the organization to adopt optimum BPA solutions.


Step 6: Calculate the ROI for project - The right stakeholders need to be engaged and involved to ensure that the benefits of BPA are clearly communicated and implementation becomes successful.
Some of the points which may justify BPA implementation are:
§ Cost Savings, being clearly computed and demonstrated.
§ How BPA could lead to reduction in required manpower leading to no new recruits need to be hired and how existing employees can be re-deployed or used for further expansion.
§ Savings in employee salary by not having to replace those due to attrition.
§ The cost of space regained from paper, file cabinets, reduced.
§ Eliminating fines to be paid by entity due to delays being avoided.
§ Reducing the cost of audits and lawsuits.
§ Taking advantage of early payment discounts and eliminating duplicate payments.
§ New revenue generation opportunities.
§ Collecting accounts receivable faster and improving cash flow.

Step 7: Developing the BPA - Once the requirements have been documented, ROI has been computed and top management approval to go ahead has been received, the consultant develops the requisite BPA.

Step 8: Testing the BPA - Once developed, it is important to test the new process to determine how well it works. The process of testing is an iterative process, the objective being to remove all problems during this phase.

Step 1: Define why we plan to implement BPA? - The answer to this question will provide justification for implementing BPA.

Step 2: Understand the rules / regulation under which it needs to comply with? - The underlying issue is that any BPA created needs to comply with applicable laws and regulations.

Step 3: Document the process, we wish to automate. - The current processes which are planned to be automated need to be correctly and completely documented at this step.

Step 4: Define the objectives / goals to be achieved by implementing BPA. - This enables the developer and user to understand the reasons for going for BPA. The goals need to be precise and clear.

Step 5: Engage the business process consultant. - Once the entity has been able to define the above, the entity needs to appoint an expert, who can implement it for the entity.

Step 6: Calculate the ROI for project. - The answer to this question can be used for convincing top management to say ‘yes’ to the BPA exercise.

Step 7: Development of BPA. - Once the top management grant their approval, the right business solution has to be procured and implemented or developed and implemented covering the necessary BPA.

Step 8: Testing the BPA. - Before making the process live, the BPA solutions should be fully tested.


8. Explain enterprise risk management

Enterprise Risk Management (ERM) may be defined as a process, effected by an entity’s Board of Directors, management and other personnel, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

The underlying premise of Enterprise Risk Management (ERM) is that every entity, whether for profit, not-for-profit, or a governmental body, exists to provide value for its stakeholders. All entities face uncertainty, and the challenge for management is to determine how much uncertainty the entity is prepared to accept as it strives to grow stakeholder value. Uncertainty presents both risk and opportunity, with the potential to erode or enhance value. ERM provides a framework for management to effectively deal with uncertainty and associated risk and opportunity and thereby enhance its capacity to build value.

9. What are the benefits of Enterprise Risk Management

No entity operates in a risk-free environment, and ERM does not create such an environment. Rather, it enables management to operate more effectively in environments filled with risks. ERM provides enhanced capability to do the following:

· Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-based level, that an enterprise (any type of entity) is willing to accept to achieve its goals. Management considers the entity’s risk appetite first in evaluating strategic alternatives and setting objectives.
· Link growth, risk and return: Entities accept risk as part of value creation and preservation, and they expect return matching with the risk. ERM provides an enhanced ability to identify and assess risks, and establish acceptable levels of risk relative to growth and return objectives.
· Enhance risk response decisions: ERM provides the means to identify and select among alternative risk responses - risk avoidance, reduction, sharing and acceptance. ERM provides methodologies and techniques for making these decisions.
· Minimize operational surprises and losses: Entities have enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
· Identify and manage cross-enterprise risks: Every entity faces a number of risks affecting different parts of the enterprise. Management needs to not only manage individual risks, but also understand interrelated impacts.
· Provide integrated responses to multiple risks: Business processes carry many inherent risks, and ERM enables integrated solutions for managing the risks.
· Seize opportunities: Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.

10. Explain the main components of Enterprise Risk Management

ERM consists of eight interrelated components. These components are as follows:

(i) Internal Environment: The internal environment encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity’s people, and the environment in which they operate. The internal environment sets the foundation for how risk and control are viewed and addressed by an entity’s people.
(ii) Objective Setting: Objectives in line with the entity’s mission / vision should be set before management can identify events potentially affecting their achievement.
(iii) Event Identification: Potential events, which include risks and opportunities that might have an impact on the entity, should be identified. Event identification includes identifying factors - internal and external - that influence how potential events may affect strategy implementation and achievement of objectives.
(iv) Risk Assessment: Identified risks are analyzed to form a basis for determining how they should be managed. Risk assessment is done to identify the impact of such risks on the organization's objectives and strategy.
(v) Risk Response: Management selects a response strategy or a combination of strategies, including avoiding, accepting, reducing and sharing risk.
(vi) Control Activities: Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out.
(vii) Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities. Information is needed at all levels of an entity for identifying, assessing and responding to risk.
(viii) Monitoring: The entire ERM process should be monitored, and modifications made as necessary. Monitoring is accomplished through ongoing management activities, separate evaluations of the ERM processes or a combination of both.

11. Explain Risk and risks of business process automation.

Risk is any event that may result in a significant deviation from a planned objective resulting in an unwanted negative consequence. The degree of risk associated with an event is determined by the likelihood (uncertainty, probability) of the event occurring, the consequences (impact) if the event were to occur and its timing.

Risks of Business Process Automation
The risks are classified below:
· Input & Access: All input transaction data may not be accurate, complete and authorized.
· File & Data Transmission: All files and data transmitted may not be processed accurately and completely, due to network error.
· Processing: Valid input data may not have been processed accurately and completely due to program error or bugs.
· Output: Is not complete and accurate due to program error or bugs and is distributed to unauthorized personnel due to weak access control.
· Data: Master data and transaction data may be changed by unauthorized personnel due to weak access control.
· Infrastructure (facility): All data & programs could be lost if there is no proper backup in the event of a disaster and the business could come to a standstill.

12. Explain the different types of Business Risks

· Strategic: Risk that would prevent an organization from accomplishing its objectives (meeting its goals).
· Financial: Risk that could result in a negative financial impact to the organization (waste or loss of assets).
· Regulatory (Compliance): Risk that could expose the organization to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
· Reputational: Risk that could expose the organization to negative publicity.
· Operational: Risk that could prevent the organization from operating in the most effective and efficient manner.

13. Explain term control

Control is defined as policies, procedures, practices and organization structure that are designed to provide reasonable assurance that business objectives are achieved and undesired events are prevented or detected and corrected.

SA-315 defines the system of internal control as the plan of enterprise and all the methods and procedures adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.

The system of internal control is said to be well designed and properly operated when:
· All transactions are executed in accordance with management’s general or specific authorization;
· All transactions are promptly recorded in the correct amount, in the appropriate accounts and in the accounting period during which they are executed, to permit preparation of financial information within a framework of recognized accounting policies and practices and relevant statutory requirements, if any, and to maintain accountability for assets;
· Assets are safeguarded from unauthorized access, use or disposition; and
· The recorded assets are compared with the existing assets at reasonable intervals and appropriate action is taken to reconcile any differences.

Based on the mode of implementation, these controls can be manual, automated or semi-automated (partially manual and partially automated). The objective of a control is to mitigate the risk.
· Manual Control: Manually verify that the goods ordered in PO (A) are received (B) in good quality and that the quantity & price in the vendor invoice (C) are as per the PO (A).
· Automated Control: The above verification is done automatically by the computer system by comparing (D), (E) & (F), and exceptions are highlighted.
· Semi-Automated Control: Verification of Goods Receipt (E) with PO (D) could be automated, but the vendor invoice matching could be done manually in a reconciliation process (G).

Example - Purchase to Pay: Given below is a simple example of controls for the Purchase to Pay cycle, which is broken down to four main components as shown in the Fig.
· Purchases: When an employee working in a specific department (i.e., marketing, operations, sales, etc.) wants to purchase something required for carrying out the job, he/she will submit a Purchase Requisition (PR) to a manager for approval. Based on the approved PR a Purchase Order (PO) is raised. The PO may be raised manually and then input into the computer system or raised directly by the computer system.
· Goods Receipt: The PO is then sent to the vendor, who will deliver the goods as per the specifications mentioned in the PO. When the goods are received at the warehouse, the receiving staff checks the delivery note, PO number etc. and acknowledges the receipt of the material. Quantity and quality are checked and any unfit items are rejected and sent back to the vendor. A Goods Receipt Note (GRN) is raised indicating the quantity received. The GRN may be raised manually and then input into the computer system or raised directly by the computer system.

[Fig.: Purchase Cycle - Sample Controls. Stages: Purchases, Goods Receipt, Invoice Processing, Payment]

· Invoice Processing: The vendor sends the invoice to the accounts payable department, who will input the details into the computer system. The vendor invoice is checked with the PO to ensure that only the goods ordered have been invoiced and at the negotiated price. Further, the vendor invoice is checked with the GRN to ensure that the quantity ordered has been received.
· Payment: If there is no mismatch between the PO, GRN and vendor invoice, the payment is released to the vendor based on the credit period negotiated with the vendor.
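
The automated control described above, where the system compares the PO, the GRN and the vendor invoice and holds payment on any mismatch, can be sketched as follows. This is an added example, not part of the original notes; the `Line` record layout, the function names, the sample documents and the use of exact matching with no tolerance are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Line:
    """One item line on a PO, GRN or vendor invoice (hypothetical layout)."""
    item: str
    qty: int
    unit_price: Decimal = Decimal("0")  # a GRN records quantity only


def three_way_match(po, grn, invoice):
    """Return the exceptions found when matching PO, GRN and vendor invoice."""
    exceptions = []
    ordered = {line.item: line for line in po}

    # Goods may arrive in several partial deliveries: total them per item.
    received = defaultdict(int)
    for line in grn:
        received[line.item] += line.qty

    # Total the invoiced quantity per item, so a quantity split over several
    # invoice lines is still compared as a whole. Price is checked per line.
    invoiced = defaultdict(int)
    for line in invoice:
        invoiced[line.item] += line.qty
        po_line = ordered.get(line.item)
        if po_line is not None and line.unit_price != po_line.unit_price:
            exceptions.append(
                f"{line.item}: invoice price {line.unit_price} "
                f"differs from PO price {po_line.unit_price}"
            )

    for item, qty in invoiced.items():
        if item not in ordered:
            # Invoice vs PO: only goods ordered may be invoiced.
            exceptions.append(f"{item}: invoiced but not ordered on the PO")
            continue
        if qty > ordered[item].qty:
            exceptions.append(
                f"{item}: invoiced qty {qty} exceeds ordered qty {ordered[item].qty}"
            )
        if qty > received[item]:
            # Invoice vs GRN: pay only for what the warehouse acknowledged.
            exceptions.append(
                f"{item}: invoiced qty {qty} exceeds received qty {received[item]}"
            )
    return exceptions


def release_payment(po, grn, invoice):
    """Payment step: release only when the three documents agree."""
    exceptions = three_way_match(po, grn, invoice)
    return ("PAY" if not exceptions else "HOLD", exceptions)


# Constructed sample documents (not real data).
PO = [Line("PAPER-A4", 100, Decimal("4.50")), Line("TONER-X", 10, Decimal("60.00"))]
GRN = [Line("PAPER-A4", 60), Line("PAPER-A4", 40), Line("TONER-X", 8)]
CLEAN_INVOICE = [Line("PAPER-A4", 100, Decimal("4.50")),
                 Line("TONER-X", 8, Decimal("60.00"))]
BAD_INVOICE = [Line("PAPER-A4", 100, Decimal("4.75")),   # price above PO
               Line("TONER-X", 10, Decimal("60.00")),    # 2 units never received
               Line("CABLE-USB", 5, Decimal("3.00"))]    # never ordered

if __name__ == "__main__":
    print(release_payment(PO, GRN, CLEAN_INVOICE))
    for problem in release_payment(PO, GRN, BAD_INVOICE)[1]:
        print("EXCEPTION:", problem)
```

The exception list is what an automated control would highlight for review; in a semi-automated setup the invoice checks would instead be handed to the manual reconciliation step.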

14. Explain internal Control System

· Internal Controls are a system consisting of specific policies and procedures designed to provide management with reasonable assurance that the goals and objectives it believes important to the entity will be met.
· “Internal Control System” means all the policies and procedures adopted by the management of an entity to assist in achieving management’s objective of ensuring, as far as practicable, the orderly and efficient conduct of its business, including adherence to management policies, the safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information.


An Internal Control System:
· Facilitates the effectiveness and efficiency of operations.
· Helps ensure the reliability of internal and external financial reporting.
· Assists compliance with applicable laws and regulations.
· Helps safeguarding the assets of the entity.

The extent and nature of the risks to internal control vary depending on the nature and characteristics of the entity’s information system. The entity responds to the risks arising from the use of IT or from use of manual elements in internal control by establishing effective controls considering the characteristics of the entity’s information system.

15. Explain five components of Internal Control as per SA 315.

SA 315 explains the five components of any internal control as they relate to afinancial statement audit. The five components are as follows:· Control Environment· Risk Assessment· Control Activities· Information and Communication· Monitoring of Controls

I. Control EnvironmentThe Control Environment is the set of standards, processes, and structures thatprovide the basis for carrying out internal control across the organization. The board ofdirectors and senior management establish the tone at the top regarding theimportance of internal control, including expected standards of conduct.The control environment is manifested in management’s operating style, theways authority and responsibility are assigned, the functional method of the auditcommittee, the methods used to plan and monitor performance and so on.

II. Risk Assessment
Every entity faces a variety of risks from external and internal resources. Risk may be defined as the possibility that an event will occur and adversely affect the achievement of objectives. Risk assessment involves a process for identifying and assessing risks to the achievement of objectives. Risks to the achievement of these objectives from across the entity are considered relative to established risk tolerances.

III. Control Activities
Control Activities are the actions established through policies and procedures that help ensure achievement of objectives are carried out. Control activities are performed at all levels of the entity, at various stages within business processes, and over the technology environment. They may be preventive or detective in nature and may encompass a range of manual and automated activities.

Control includes:
Segregation of Duties (SOD) is the process of assigning different people the responsibilities of authorizing transactions, recording transactions, and maintaining custody of assets. Segregation of duties is intended to reduce errors or fraud in the normal course of the person’s duties.


General Controls include controls over information technology management, information technology infrastructure, security management and software acquisition, development and maintenance.
Application Controls are designed to ensure completeness, accuracy, authorization and validity of data capture and transaction processing.

IV. Information & Communication
Information is necessary for the entity to carry out internal control responsibilities in support of the achievement of its objectives. Management obtains and uses relevant and quality information from both internal and external sources to support the functioning of other components of internal control.
Communication is the continuous process of providing, sharing, and obtaining necessary information.
It contains elements which inform and communicate to users on a timely basis.

V. Monitoring of Controls
Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control is present and functioning. Findings are evaluated against management’s criteria and deficiencies are communicated to management and the board of directors as appropriate.

16. Explain Limitations of Internal Control System
Internal control, no matter how effective, can provide an entity with only reasonable assurance and not absolute assurance about achieving the entity’s operational, financial reporting and compliance objectives. Internal control systems are subject to certain inherent limitations, such as:
· Management’s consideration that the cost of an internal control doesn’t exceed the expected benefits to be derived.
· The fact that most internal controls do not tend to be directed at transactions of unusual nature.
· The potential for human error, such as, due to carelessness, distraction, mistakes of judgement and misunderstanding of instructions.
· The possibility of circumvention of internal controls through collusion with employees or with parties outside the entity.
· The possibility that a person responsible for exercising an internal control could abuse that responsibility, for example, a member of management overriding an internal control.
· Manipulations by management with respect to transactions or estimates and judgements required in the preparation of financial statements.

DIAGRAMMATIC REPRESENTATION OF BUSINESS PROCESSES

17. Explain Flowchart
· Flowcharts are used in designing and documenting simple processes or programs. Like other types of diagrams, they help visualize what is going on and thereby help understand a process, and perhaps also find flaws, bottlenecks. There are many different types of flowcharts, and each type has its own repertoire of boxes and notational conventions.
· The two most common types of boxes in a flowchart are as follows:
§ Processing step, usually called activity, and denoted as a rectangular box.
§ Decision, usually denoted as a diamond.


I. Flowcharting Symbols

II. Steps for creating flowcharts for business processes
· Identify the business process that is to be documented with a flowchart and establish the overall goal of the business process.
· Based on inputs from the business process owner obtain a complete understanding of the process flow.
· Prepare an initial rough diagram and discuss with the business process owner to confirm your understanding of the processes.
· Obtain additional information about the business process from the people involved in each step, such as end users, stakeholders, administrative assistants and department heads.
· Identify the activities in each process step and who is responsible for each activity.
· Identify the starting point of the process. The starting point of a business process should be what triggers the process to action. In other words, it is the input that the business seeks to convert into an output.
· Separate the different steps in the process. Identify each individual step in the process and how it is connected to the other steps.
· In traditional Business Process Modeling Notation (BPMN), the steps are represented by different shapes depending on their function. For example, we would use steps such as “customer order” (an event), “process order” (an activity), “Check credit” (an action), “Credit” (a decision gateway that leads to one of two other actions, depending on a “yes” or “no” determination), and so on.


· Clarify who or what performs each step.

[Figure: Simple Flowchart. Boxes: Lamp doesn’t work; Lamp plugged in? (Yes/No); Plug in lamp; Bulb burned out? (Yes/No); Replace bulb; Repair lamp.]

18. Explain various advantages of flowcharts
(i) Quicker grasp of relationships - The relationship between various elements of the application program/business process must be identified. Flowchart can help depict a lengthy procedure more easily than by describing it by means of written notes.
(ii) Effective Analysis - The flowchart becomes a blueprint of a system that can be broken down into detailed parts for study. Problems may be identified and new approaches may be suggested by flowcharts.
(iii) Communication - Flowcharts aid in communicating the facts of a business problem to those whose skills are needed for arriving at the solution.
(iv) Documentation - Flowcharts serve as a good documentation which aid greatly in future program conversions. In the event of staff changes, they serve as training function by helping new employees in understanding the existing programs.
(v) Efficient coding - Flowcharts act as a guide during the system analysis and program preparation phase. Instructions coded in a programming language may be checked against the flowchart to ensure that no steps are omitted.
(vi) Program Debugging - Flowcharts serve as an important tool during program debugging. They help in detecting, locating and removing mistakes.
(vii) Efficient program maintenance - The maintenance of operating programs is facilitated by flowcharts. The charts help the programmer to concentrate attention on that part of the information flow which is to be modified.

19. Explain various limitations of Flowchart
(i) Complex logic - Flowchart becomes complex and clumsy where the problem logic is complex.
(ii) Modification - If modifications to a flowchart are required, it may require complete re-drawing.
(iii) Reproduction - Reproduction of flowcharts is often a problem because the symbols used in flowcharts cannot be typed.
(iv) Link between conditions and actions - Sometimes it becomes difficult to establish the linkage between various conditions and the actions to be taken there upon for a condition.
(v) Standardization - No uniform practice is followed for drawing.


Example 1: Draw a Flowchart for finding the sum of first 100 odd numbers.
Solution: The flowchart is drawn as Fig. 1.7.3 and is explained step by step below. The step numbers are shown in the flowchart in circles and as such are not a part of the flowchart but only a referencing device.
Our purpose is to find the sum of the series 1, 3, 5, 7, 9, … (100 terms). The student can verify that the 100th term would be 199. We propose to set A = 1 and then go on incrementing it by 2 so that it holds the various terms of the series in turn. B is an accumulator in the sense that A is added to B whenever A is incremented. Thus, B will hold:
1
1 + 3 = 4
4 + 5 = 9
9 + 7 = 16, etc. in turn.
Step 1 - All working locations are set at zero. This is necessary because if they are holding some data of the previous program, that data is liable to corrupt the result of the flowchart.
Step 2 - A is set at 1 so that subsequently by incrementing it successively by 2, we get the wanted odd terms: 1, 3, 5, 7 etc.
Step 3 - A is poured into B i.e., added to B. B being 0 at the moment and A being 1, B becomes 0 + 1 = 1.
Step 4 - Step 4 poses a question: “Has A become 199?” If not, go to step 5, where we shall increment A by 2, so that although at the moment A is 1, it will be made 3 in step 5, and so on. Then go back to step 3 by forming a loop.

[Figure: Flowchart for addition of first 100 odd numbers. START → (1) CLEAR WORKING LOCATIONS → (2) SET A = 1 → (3) B = B + A → (4) A = 199? → NO: (5) A = A + 2, back to (3); YES: (6) PRINT B → END]

Since we must stop at the 100th term, which is equal to 199, A is repeatedly incremented in step 5 and added to B in step 3. In other words, B holds the cumulative sum up to the latest term held in A.
When A has become 199, the necessary computations have been carried out, so that in step 6 the result is printed.


Example 2
An E-commerce site has the following cash back offers.
(i) If the purchase mode is via website, an initial discount of 10% is given on the bill amount.
(ii) If the purchase mode is via phone app, an initial discount of 20% is given on the bill amount.
(iii) If done via any other purchase mode, the customer is not eligible for any discount.
Every purchase eligible to discount is given 10 reward points.
(a) If the reward points are between 100 and 200 points, the customer is eligible for a further 30% discount on the bill amount after initial discount.
(b) If the reward points exceed 200 points, the customer is eligible for a further 40% discount on the bill amount after initial discount.
Taking purchase mode, bill amount and number of purchases as input; draw a flowchart to calculate and display the total reward points and total bill amount payable by the customer after all the discount calculation.

Solution
Refer Fig. 1.7.4, let us define the variables first:
PM: Purchase Mode
BA: Bill Amount
TBA: Total Bill Amount
NOP: Number of Purchases
TRP: Total Reward Points
IN_DISC: Initial Discount
ET_DISC: Extra Discount on purchases eligible to Initial Discount
N: Counter (to track the no. of purchases)
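The logic the flowchart has to express, written out as an added Python example (not part of the original notes) using the variable names defined above. It assumes both ends of the "between 100 and 200" range are inclusive and that a purchase mode other than website or phone app earns no reward points; the function names are chosen here for illustration.

```python
from decimal import Decimal

# Initial discount (IN_DISC) by purchase mode (PM); any other mode gets none.
IN_DISC_BY_PM = {"website": Decimal("0.10"), "phone app": Decimal("0.20")}
POINTS_PER_PURCHASE = 10


def extra_discount(trp):
    """ET_DISC from total reward points (range ends assumed inclusive)."""
    if trp > 200:
        return Decimal("0.40")
    if 100 <= trp <= 200:
        return Decimal("0.30")
    return Decimal("0")


def cashback(pm, ba, nop):
    """Return (TRP, TBA) for purchase mode PM, bill amount BA and NOP purchases."""
    ba = Decimal(str(ba))
    if ba < 0 or nop < 0:
        raise ValueError("bill amount and number of purchases must not be negative")

    in_disc = IN_DISC_BY_PM.get(pm.strip().lower())
    if in_disc is None:
        # Decision box: other purchase mode, no discount and no reward points.
        return 0, ba.quantize(Decimal("0.01"))

    # Loop box: counter N runs over the purchases, adding 10 points each time.
    trp = 0
    n = 0
    while n < nop:
        trp += POINTS_PER_PURCHASE
        n += 1

    # Initial discount first, then the extra discount on the reduced amount.
    after_initial = ba - ba * in_disc
    tba = after_initial - after_initial * extra_discount(trp)
    return trp, tba.quantize(Decimal("0.01"))


if __name__ == "__main__":
    for pm, ba, nop in [("Website", 1000, 15), ("Phone App", 2000, 25), ("Store", 500, 30)]:
        trp, tba = cashback(pm, ba, nop)
        print(f"PM={pm:<10} BA={ba:>5} NOP={nop:>2} -> TRP={trp:>3} TBA={tba}")
```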


20. Explain data flow diagrams.
· Data Flow Diagram (DFD) is a graphical representation of the flow of data through a business process and information system.
· It represents the flow of data from source to destination.
· DFD is a graphical representation for logical flow of data. It helps in expressing system logics in a simple and easy to understand form.

DFD basically provides an overview of:
· What data a system processes;
· What transformations are performed;
· What data are stored;
· What results are produced and where they flow.

It is mainly used by technical staff for graphically communicating between systems analysts and programmers.

Main symbols used in DFD
Process - Step-by-step instructions are followed that transform inputs into outputs (a computer or person or both doing the work).
Data flow - Data flowing from place to place, such as an input or output to process.
External agent - The source or destination of data outside the system.
Data Store - Data at rest, being stored for later use. Usually corresponds to a data entity on an entity-relationship diagram.
Real-time link - Communication back and forth between an external agent and a process as the process is executing (e.g., credit card verification).
DFD Symbols

Data Flow Diagrams - Processes are identified to functional departments.
Given below is a simple scenario depicting a book borrowed from a library being returned and the fine calculated, due to delay.

[Figure: Simple DFD (Example). Book → (Bar Code) → Scan Bar Code → (Book Id) → Calculate Fine → (Fine) → Borrower; Library database → (Date due back) → Calculate Fine]

· The book is represented as an external entity and the input is the bar code.
· The process is the scanning of the bar code and giving an output of the Book ID.
· The next process calculates the fine based on accessing the “library database” and establishing the “due back” date.
· Finally, the fine is communicated to the borrower who is also shown as an external entity.


Diagrammatic Representation of Specific Business Processes
I. Customer Order Fulfillment (Refer Fig.)
· The process starts with the customer placing an order and the sales department creating a sales order.
· The sales order goes through the Credit & Invoicing process to check credit (an activity): is it OK? (a decision gateway).
· If the customer’s credit check is not OK, you would move to the step “credit problem addressed” (an activity), followed by a decision “OK?”. If “No”, the order will be stopped.
· If the customer’s “credit check” response is “yes”, and if stock is available, an invoice is prepared, goods shipped and an invoice is sent to the customer. If the stock is not available, the order is passed to “production control” for manufacture and then shipped to customer with the invoice.
· The process ends with the payment being received from customer.

Customer Order Fulfillment (Example)

II. Order to Cash
Following Fig. indicates the different sub processes within the main processes in the Order to Cash cycle.
(i) Sales and Marketing (SM)
· Advertises and markets the company’s products and books sales orders from customers.


(ii) Order Fulfillment
· Receives orders from SM.
· Checks inventory to establish availability of the product. If the product is available in stock, transportation is arranged and the product is sent to the customer.
(iii) Manufacturing
· If the product is not available in stock, this information is sent to the manufacturing department so that the product is manufactured and subsequently sent to the customer.
(iv) Receivables
· The invoice is created, sent to the customer, payment received and the invoice closed.

Order to Cash (Example)

III. Procure to Pay
The Purchase to Pay Process in following Fig. indicates the different processes identified specifically to department/entity so that the responsibilities are clearly defined. Let’s understand flow from the perspective of each department/entity.
(i) User Department
· A user in an enterprise may require some material or service. Based on the need and justification, the user raises a Purchase Request (PR) to the Procurement department.
(ii) Procurement Department (PD)
· PD receives the PR and prioritizes the request based on the need and urgency of the user.
· It is then the responsibility of the PD to find the best source of supply, for the specific material/service. PD will then request the potential vendors to submit their quotes, based on which negotiations on price, quality and payment terms, will take place.
· The Purchase Order (PO) will then be released to the selected vendor.
(iii) Vendor
· The vendor receives the PO and carries out his own internal checks.
· Matches the PO with the quotation sent and in the event of any discrepancy will seek clarification from the enterprise.


· If there are no discrepancies, the vendor will raise an internal sales order within the enterprise.
· The material is then shipped to the address indicated in the PO.
· The Vendor Invoice (VI) is sent to the Accounts Payable department, based on the address indicated in the PO.
(iv) Stores
· Receives the material.
· Checks the quantity received with the PO and quality with the users. If there is any discrepancy the vendor is immediately informed.
· The Goods Received Note (GRN) is prepared based on the actual receipt of material and the stores stock updated. The GRN is then sent to the Accounts Payable department for processing the payment.
· A Material Issue Note is created and the material is sent to the concerned user.
(v) Accounts Payable (AP)
· AP will do a “3-way match” of PO/GRN/Invoice. This is to ensure that the price, quantity and terms indicated in the Invoice match with the PO and the quantity received in the PO matches with the GRN quantity. This check establishes that what has been ordered has been delivered.
· If there is no discrepancy, the payment voucher is prepared for payment and the necessary approvals obtained.
· If there is a discrepancy, the Invoice is put “on hold” for further clarification and subsequently processed.
· Finally, the payment is made to the vendor.
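The “3-way match” performed by Accounts Payable, as an added Python example that is not part of the original notes. The class names, field names, the "Net 30" terms and the sample documents are constructed for illustration; the checks are the ones listed above (invoice price, quantity and terms against the PO, and PO quantity against the GRN).

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    terms: str       # payment terms agreed with the vendor
    lines: dict      # item -> (ordered qty, unit price)


@dataclass(frozen=True)
class GoodsReceivedNote:
    po_no: str
    received: dict   # item -> qty actually received by Stores


@dataclass(frozen=True)
class VendorInvoice:
    invoice_no: str
    po_no: str
    terms: str
    lines: dict      # item -> (billed qty, unit price)


def three_way_match(po, grn, inv):
    """Return a list of discrepancies; an empty list means the match passed."""
    if inv.po_no != po.po_no or grn.po_no != po.po_no:
        return ["documents do not refer to the same PO"]
    issues = []
    if inv.terms != po.terms:
        issues.append(f"terms: invoice '{inv.terms}' vs PO '{po.terms}'")
    for item in sorted(set(po.lines) | set(inv.lines) | set(grn.received)):
        if item not in po.lines:
            issues.append(f"{item}: billed or received but not on the PO")
            continue
        po_qty, po_price = po.lines[item]
        grn_qty = grn.received.get(item, 0)
        # An item missing from the invoice counts as billed quantity 0.
        inv_qty, inv_price = inv.lines.get(item, (0, po_price))
        if grn_qty != po_qty:
            issues.append(f"{item}: PO qty {po_qty} vs GRN qty {grn_qty}")
        if inv_qty != po_qty:
            issues.append(f"{item}: invoice qty {inv_qty} vs PO qty {po_qty}")
        if inv_price != po_price:
            issues.append(f"{item}: invoice price {inv_price} vs PO price {po_price}")
    return issues


def process_invoice(po, grn, inv):
    """Prepare the payment voucher only on a clean match, else hold the invoice."""
    issues = three_way_match(po, grn, inv)
    return ("ON HOLD" if issues else "PREPARE PAYMENT VOUCHER"), issues


# Constructed sample documents.
PO_1001 = PurchaseOrder("PO-1001", "Net 30", {
    "steel-rod": (100, Decimal("250.00")),
    "bolt-m8": (500, Decimal("2.50")),
})
GRN_FULL = GoodsReceivedNote("PO-1001", {"steel-rod": 100, "bolt-m8": 500})
GRN_SHORT = GoodsReceivedNote("PO-1001", {"steel-rod": 100, "bolt-m8": 480})
INV_CLEAN = VendorInvoice("VI-77", "PO-1001", "Net 30", dict(PO_1001.lines))
INV_BAD = VendorInvoice("VI-78", "PO-1001", "Net 30", {
    "steel-rod": (100, Decimal("265.00")),   # price raised after the PO
    "bolt-m8": (500, Decimal("2.50")),       # full quantity billed, 480 received
})

if __name__ == "__main__":
    for grn, inv in [(GRN_FULL, INV_CLEAN), (GRN_SHORT, INV_BAD)]:
        status, issues = process_invoice(PO_1001, grn, inv)
        print(inv.invoice_no, status)
        for line in issues:
            print("   ", line)
```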


Procure to Pay (Example)


RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES

Business Processes - Risks and Controls
Suitable controls should be implemented to meet the requirements of the control objectives. These controls can be manual, automated or semi-automated provided the risk is mitigated. Based on the scenario, the controls can be Preventive, Detective or Corrective. In computer systems, controls should be checked at three levels, namely Configuration, Master & Transaction level.

1. Configuration
Configuration refers to the way a software system is set up. Configuration is the process of defining options that are provided. Configuration will define how software will function and what menu options are displayed. When any software is installed, values for various parameters should be set up (configured) as per policies and business process work flow and business process rules of the enterprise. The various modules of the enterprise such as Purchase, Sales, Inventory, Finance, User Access etc. have to be configured. Some examples of configuration are given below:

· Mapping of accounts to front end transactions like purchase and sales

· Control on parameters: Creation of Customer Type, Vendor Type, year-endprocess

· User activation and deactivation

· User Access & privileges - Configuration & its management

· Password Management

2. Masters
· Masters refer to the way various parameters are set up for all modules of software, like Purchase, Sales, Inventory, Finance etc. These drive how the software will process relevant transactions.
· The masters are set up first time during installation and these are changed whenever the business process rules or parameters are changed.
· Examples are Vendor Master, Customer Master, Material Master, Accounts Master, Employee Master etc.
· Any changes to these data have to be authorised by appropriate personnel and these are logged and captured in exception reports.
· The way masters are set up will drive the way software will process transactions of that type. For example: The Customer Master will have the credit limit of the customer. When an invoice is raised, the system will check against the approved credit limit. If the amount invoiced is within the credit limit, the invoice will be created; if not, the invoice will be put on “credit hold” till proper approvals are obtained.

Some examples of masters are given here:

· Vendor Master: Credit period, vendor bank account details, etc.

· Customer Master: Credit limit, Bill to address, Ship to address, etc.

· Material Master: Material type, Material description, Unit of measure, etc.

· Employee Master: Employee name, designation, salary details, etc.
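How the Customer Master drives transaction processing, and how master changes are authorised and logged, shown as an added Python example that is not part of the original notes. User names, the approver list and the amounts are constructed; the example assumes that open invoices count against the credit limit, that the person approving a change must differ from the person making it, and that the exception report lists change requests lacking valid authorisation.

```python
from dataclasses import dataclass
from decimal import Decimal

APPROVERS = {"credit.manager"}   # hypothetical users allowed to authorise changes


@dataclass
class CustomerMaster:
    customer_id: str
    credit_limit: Decimal
    outstanding: Decimal = Decimal("0")   # assumption: open invoices use up the limit


def change_credit_limit(master, new_limit, changed_by, approved_by, log):
    """Log every change request; apply it only with independent authorisation."""
    authorised = approved_by in APPROVERS and approved_by != changed_by
    log.append({
        "customer": master.customer_id,
        "field": "credit_limit",
        "old": master.credit_limit,
        "new": new_limit,
        "changed_by": changed_by,
        "approved_by": approved_by,
        "applied": authorised,
    })
    if authorised:
        master.credit_limit = new_limit
    return authorised


def exception_report(log):
    """Change requests that were not applied because authorisation was missing."""
    return [entry for entry in log if not entry["applied"]]


def raise_invoice(master, amount):
    """Create the invoice if it fits the approved limit, else put it on credit hold."""
    if master.outstanding + amount <= master.credit_limit:
        master.outstanding += amount
        return "CREATED"
    return "CREDIT HOLD"


def demo():
    """Run a constructed scenario; returns (invoice results, exception report)."""
    log = []
    cust = CustomerMaster("C-001", Decimal("50000"))
    results = [raise_invoice(cust, Decimal("30000"))]        # within the limit
    results.append(raise_invoice(cust, Decimal("30000")))    # would exceed the limit
    # The clerk requests a higher limit without any approver: logged, not applied.
    change_credit_limit(cust, Decimal("100000"), "sales.clerk", None, log)
    results.append(raise_invoice(cust, Decimal("30000")))    # limit unchanged
    # The same request with the credit manager's approval is applied.
    change_credit_limit(cust, Decimal("100000"), "sales.clerk", "credit.manager", log)
    results.append(raise_invoice(cust, Decimal("30000")))    # now within the limit
    return results, exception_report(log)


if __name__ == "__main__":
    outcomes, exceptions = demo()
    print(outcomes)
    for entry in exceptions:
        print("EXCEPTION:", entry)
```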


3. Transactions
Transactions refer to the actual transactions entered through menus and functions in the application software, through which all transactions for specific modules are initiated, authorized or approved. For example:
· Sales transactions
· Purchase transactions
· Stock transfer transactions
· Journal entries
· Payment transactions

Risk & Control objectives for various processes

Procure to Pay (P2P) - Risks and Controls
Procure to Pay (Purchase to Pay or P2P) is the process of obtaining and managing the raw materials needed for manufacturing a product or providing a service.

Masters
Risks and Control Objectives (Masters-P2P)

Risk | Control Objective
Unauthorized changes to supplier master file. | Only valid changes are made to the supplier master file.
All valid changes to the supplier master file are not input and processed. | All valid changes to the supplier master file are input and processed.
Changes to the supplier master file are not correct. | Changes to the supplier master file are accurate.
Changes to the supplier master file are delayed and not processed in a timely manner. | Changes to the supplier master file are processed in a timely manner.
Supplier master file data is not up to date. | Supplier master file data remain up to date.
System access to maintain vendor masters has not been restricted to the authorized users. | System access to maintain vendor masters has been restricted to the authorized users.

Transactions
Risks and Control Objectives (Transactions-P2P)

Risk | Control Objective
Unauthorized purchase requisitions are ordered. | Purchase orders are placed only for approved requisitions.
Purchase orders are not entered correctly in the system. | Purchase orders are accurately entered.
Purchase orders issued are not input and processed. | All purchase orders issued are input and processed.
Amounts posted to accounts payable are not properly calculated and recorded. | Accounts payable amounts are accurately calculated and recorded.
Amounts for goods or services received are recorded in the wrong period. | Amounts for goods or services received are recorded in the appropriate period.
Credit notes and other adjustments are not accurately calculated and recorded. | Credit notes and other adjustments are accurately calculated and recorded.
Credit notes and other adjustments are recorded in the wrong period. | Credit notes and other adjustments are recorded in the appropriate period.


Disbursements are made for goods and services that have not been received. | Disbursements are made only for goods and services received.
Disbursements are distributed to unauthorized suppliers. | Disbursements are distributed to the appropriate suppliers.
System access to process transactions has not been restricted to the authorized users. | System access to process transactions has been restricted to the authorized users.

Order to Cash (O2C) - Risks and Controls
Order to Cash (OTC or O2C) is a set of business processes that involve receiving and fulfilling customer requests for goods or services. An order to cash cycle consists of multiple sub-processes including:
1. Customer order is documented;
2. Order is fulfilled or service is scheduled;
3. Order is shipped to customer or service is performed;
4. Invoice is created and sent to customer;
5. Customer sends payment/Collection; and
6. Payment is recorded in general ledger.

Masters
Risks and Control Objectives (Masters-O2C)

Risk | Control Objective
The customer master file is not maintained properly and the information is not accurate. | The customer master file is maintained properly and the information is accurate.
Invalid changes are made to the customer master file. | Only valid changes are made to the customer master file.
All valid changes to the customer master file are not input and processed. | All valid changes to the customer master file are input and processed.
Changes to the customer master file are not accurate. | Changes to the customer master file are accurate.
Changes to the customer master file are not processed in a timely manner. | Changes to the customer master file are processed in a timely manner.
Customer master file data is not up-to-date and relevant. | Customer master file data is up to date and relevant.
System access to maintain customer masters has not been restricted to the authorized users. | System access to maintain customer masters has been restricted to the authorized users.

Transactions
Risks and Control Objectives (Transactions-O2C)

Risk | Control Objective
Orders are processed exceeding customer credit limits without approvals. | Orders are processed only within approved customer credit limits.
Orders are not approved by management as to prices and terms of sale. | Orders are approved by management as to prices and terms of sale.
Orders and cancellations of orders are not input accurately. | Orders and cancellations of orders are input accurately.


Order entry data are not transferred completely and accurately to the shipping and invoicing activities. | Order entry data are transferred completely and accurately to the shipping and invoicing activities.
All orders received from customers are not input and processed. | All orders received from customers are input and processed.
Invalid & unauthorized orders are input and processed. | Only valid & authorized orders are input and processed.
Invoices are generated using unauthorized terms and prices. | Invoices are generated using authorized terms and prices.
Invoices are not accurately calculated and recorded. | Invoices are accurately calculated and recorded.
Invoices are not recorded in the system. | All invoices issued are recorded.
Invoices are recorded in the wrong period. | Invoices are recorded in the appropriate period.
Cash receipts are not recorded in the period in which they are received. | Cash receipts are recorded in the period in which they are received.
Cash receipts data are not entered correctly. | Cash receipts data are entered for processing accurately.
Cash receipts are not entered in the system for processing. | All cash receipts data are entered for processing.

Inventory Cycle - Risks and Controls
The Inventory Cycle is a process of accurately tracking the on-hand inventory levels for an enterprise. An inventory system should maintain accurate record of all stock movements to calculate the correct balance of inventory. The typical phases of the Inventory Cycle for Manufacturers are as follows:
1. The ordering phase: The amount of time it takes to order and receive raw materials.
2. The production phase: The work in progress phase relates to time it takes to convert the raw material to finished goods ready for use by customer.
3. The finished goods and delivery phase: The finished goods that remain in stock and the delivery time to the customer. The inventory cycle is measured in number of days.

Masters
Risks and Control Objectives (Masters-Inventory)

Risk | Control Objective
Invalid changes are made to the inventory management master file. | Only valid changes are made to the inventory management master file.
Invalid changes to the inventory management master file are input and processed. | All valid changes to the inventory management master file are input and processed.
Changes to the inventory management master file are not accurate. | Changes to the inventory management master file are accurate.
Inventory management master file data is not up to date. | Inventory management master file data remain up to date.
System access to maintain inventory masters has not been restricted to the authorized users. | System access to maintain inventory masters has been restricted to the authorized users.


Transactions
Risks and Control Objectives (Transactions-Inventory)

Risk | Control Objective
Raw materials are received and accepted without valid purchase orders. | Raw materials are received and accepted only if they have valid purchase orders.
Raw materials received are not recorded accurately. | Raw materials received are recorded accurately.
Raw materials received are not recorded in system. | All raw materials received are recorded.
Defective raw materials are not returned promptly to suppliers. | Defective raw materials are returned promptly to suppliers.
Transfers of raw materials to production are not recorded accurately and are not in the appropriate period. | All transfers of raw materials to production are recorded accurately and in the appropriate period.
Transfers of completed units of production to finished goods inventory are not recorded completely and accurately and are posted in an inappropriate period. | All transfers of completed units of production to finished goods inventory are recorded completely and accurately in the appropriate period.
Finished goods returned by customers are not recorded completely and accurately and are posted in an inappropriate period. | Finished goods returned by customers are recorded completely and accurately in the appropriate period.
Shipments are not recorded in the system. | All shipments are recorded.
Shipments are not recorded accurately. | Shipments are recorded accurately.
Costs of shipped inventory are not accurately recorded. | Costs of shipped inventory are accurately recorded.
System access to process inventory related transactions has not been restricted to the authorized users. | System access to process inventory related transactions has been restricted to the authorized users.

21. Give two examples each of the Risks and Control Objectives for the following business processes:
· Procure to Pay
· Order to Cash
· Inventory Cycle

Human Resources - Risks and Controls
The Human Resources life cycle refers to human resources management and covers all the stages of an employee’s time within a specific enterprise and the role the human resources department plays at each stage. Typical stages of the HR cycle include the following:

1. Recruiting and Onboarding: Recruiting is the process of hiring a new employee. The role of the human resources department in this stage is to assist in hiring. This might include placing the job ads, selecting candidates whose resumes look promising, conducting employment interviews and administering assessments such as personality profiles to choose the best applicant for the position.

2. Orientation and Career Planning: Orientation is the process by which the employee becomes a member of the company’s work force through learning her new job duties, establishing relationships with co-workers and supervisors and developing a niche. Career planning is the stage at which the employee and her supervisors work out her long-term career goals with the company.

3. Career Development: Career development opportunities are essential to keep an employee engaged with the company over time. This can include professional growth and training to prepare the employee for more responsible positions with the company.

4. Termination or Transition: Some employees will leave a company through retirement after a long and successful career. Others will choose to move on to other opportunities or be laid off. The role of HR in this process is to manage the transition by ensuring that all policies and procedures are followed, carrying out an exit interview if that is company policy and removing the employee from the system.

Configuration
Risks and Control Objectives (Configuration-Human Resources)

| Risk | Control Objective |
|---|---|
| Employees who have left the company continue to have system access. | System access to be immediately removed when employees leave the company. |
| Employees have system access in excess of their job requirements. | Employees should be given system access based on a “need to know” basis and to perform their job function. |

Masters
Risks and Control Objectives (Masters-Human Resources)

| Risk | Control Objective |
|---|---|
| Additions to the payroll master files do not represent valid employees. | Additions to the payroll master files represent valid employees. |
| New employees are not added to the payroll master files. | All new employees are added to the payroll master files. |
| Terminated employees are not removed from the payroll master files. | Terminated employees are removed from the payroll master files. |
| Deletions from the payroll master files do not represent valid terminations. | Deletions from the payroll master files represent valid terminations. |
| Invalid changes are made to the payroll master files. | Only valid changes are made to the payroll master files. |
| Payroll master file data is not up to date. | Payroll master file data remain up to date. |
| Payroll is disbursed to inappropriate employees. | Payroll is disbursed to appropriate employees. |
| System access to process employee master changes has not been restricted to the authorized users. | System access to process employee master changes has been restricted to the authorized users. |
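The Human Resources configuration and masters risks listed above can be detected by reconciling the HR roster against system accounts and the payroll master. The following is an added example, not part of the original notes; the record layouts, role names, the `ROLE_BASELINE` mapping and all sample data are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    job: str
    last_day: Optional[date]  # None while still employed


@dataclass(frozen=True)
class Account:
    emp_id: str
    enabled: bool
    roles: frozenset


# Assumed "need to know" baseline: the roles each job function requires.
ROLE_BASELINE = {
    "payroll_clerk": frozenset({"payroll_entry"}),
    "storekeeper": frozenset({"inventory_entry"}),
    "hr_officer": frozenset({"employee_master_maint"}),
}

# Constructed sample data.
HR_ROSTER = [
    Employee("E001", "payroll_clerk", None),
    Employee("E002", "storekeeper", date(2024, 3, 31)),  # has left
    Employee("E003", "hr_officer", None),
    Employee("E004", "storekeeper", None),
]
ACCOUNTS = [
    Account("E001", True, frozenset({"payroll_entry", "employee_master_maint"})),
    Account("E002", True, frozenset({"inventory_entry"})),
    Account("E003", True, frozenset({"employee_master_maint"})),
    Account("E004", False, frozenset({"inventory_entry"})),
]
PAYROLL_MASTER = ["E001", "E002", "E003", "E999"]


def review_hr_controls(roster, accounts, payroll_ids, as_of):
    """Return exceptions keyed by the risk they evidence."""
    by_id = {e.emp_id: e for e in roster}
    known = set(by_id)

    def has_left(emp_id):
        emp = by_id.get(emp_id)
        # An ID that is not on the roster is treated like a leaver.
        return emp is None or (emp.last_day is not None and emp.last_day < as_of)

    # Risk: employees who have left continue to have system access.
    leavers_with_access = sorted(
        a.emp_id for a in accounts if a.enabled and has_left(a.emp_id)
    )

    # Risk: access in excess of job requirements (current staff only).
    excess_access = {}
    for a in accounts:
        if not a.enabled or has_left(a.emp_id):
            continue
        extra = a.roles - ROLE_BASELINE.get(by_id[a.emp_id].job, frozenset())
        if extra:
            excess_access[a.emp_id] = sorted(extra)

    on_payroll = set(payroll_ids)
    current = {e.emp_id for e in roster if not has_left(e.emp_id)}
    return {
        "leavers_with_access": leavers_with_access,
        "excess_access": excess_access,
        # Risk: additions to payroll master do not represent valid employees.
        "invalid_payroll_entries": sorted(on_payroll - known),
        # Risk: terminated employees are not removed from the payroll master.
        "terminated_on_payroll": sorted(
            i for i in on_payroll & known if has_left(i)
        ),
        # Risk: new employees are not added to the payroll master.
        "missing_from_payroll": sorted(current - on_payroll),
    }


if __name__ == "__main__":
    for risk, hits in review_hr_controls(
        HR_ROSTER, ACCOUNTS, PAYROLL_MASTER, date(2024, 4, 30)
    ).items():
        print(risk, hits)
```
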

Fixed Assets - Risks and Controls
Fixed Assets process ensures that all the fixed assets of the enterprise are tracked for the purposes of financial accounting, preventive maintenance, and theft deterrence. Fixed assets process ensures that all fixed assets are tracked and fixed asset record maintains details of location, quantity, condition, maintenance and depreciation status.
Typical steps of fixed assets process are as follows:

1. Procuring an asset: An asset is most often entered into the accounting system when the invoice for the asset is entered into the accounts payable or purchasing module of the system.

2. Registering or Adding an asset: Most of the information needed to set up the asset for depreciation is available at the time the invoice is entered. Information entered at this stage could include acquisition date, placed-in-service date, description, asset type, cost basis, depreciable basis etc.

3. Adjusting the Assets: Adjustments to existing asset information often need to be made. Events may occur that can change the depreciable basis of an asset. Further, there may be improvements or repairs made to an asset that either add value to the asset or extend its economic life.

4. Transferring the Assets: A fixed asset may be sold or transferred to another subsidiary, reporting entity, or department within the company. These may result in changes that impact the asset’s depreciable basis, depreciation, or other asset data. This needs to be reflected accurately in the fixed assets management system.

5. Depreciating the Assets: Depreciation is an expense which should be periodically accounted on a company’s books, and allocated to the accounting periods, to match income and expenses.

6. Disposing the Assets: When a fixed asset is no longer in use, becomes obsolete, or is beyond repair, the asset is typically disposed of. Any difference between the book value and realized value is reported as a gain or loss.

Masters
Risks and Control Objectives (Masters-Fixed Assets)

| Risk | Control Objective |
|---|---|
| Invalid changes are made to the fixed asset register and/or master file. | Only valid changes are made to the fixed asset register and/or master file. |
| Valid changes to the fixed asset register and/or master file are not input and processed. | All valid changes to the fixed asset register and/or master file are input and processed. |
| Changes to the fixed asset register and/or master file are not accurate. | Changes to the fixed asset register and/or master file are accurate. |
| Changes to the fixed asset register and/or master file are not promptly processed. | Changes to the fixed asset register and/or master file are promptly processed. |
| Fixed asset register and/or master file data are not kept up to date. | Fixed asset register and/or master file data remain up to date. |
| System access to fixed asset master file / system configuration is not restricted to the authorized users. | System access to fixed asset master file / system configuration is restricted to the authorized users. |

Transactions
Risks and Control Objectives (Transactions-Fixed Assets)

| Risk | Control Objective |
|---|---|
| Fixed asset acquisitions are not accurately recorded. | Fixed asset acquisitions are accurately recorded. |
| Fixed asset acquisitions are not recorded in the appropriate period. | Fixed asset acquisitions are recorded in the appropriate period. |
| Fixed asset acquisitions are not recorded. | All fixed asset acquisitions are recorded. |
| Depreciation charges are not accurately calculated and recorded. | Depreciation charges are accurately calculated and recorded. |
| Depreciation charges are not recorded in the appropriate period. | All depreciation charges are recorded in the appropriate period. |
| Fixed asset disposals/transfers are not recorded. | All fixed asset disposals/transfers are recorded. |
| Fixed asset disposals/transfers are not accurately calculated and recorded. | Fixed asset disposals/transfers are accurately calculated and recorded. |
| Fixed asset disposals/transfers are not recorded in the appropriate period. | Fixed asset disposals/transfers are recorded in the appropriate period. |
| System access to process fixed asset transactions has not been restricted to the authorized users. | System access to process fixed asset transactions has been restricted to the authorized users. |

General Ledger - Risks and Controls
General Ledger (GL) process refers to the process of recording the transactions in the system to finally generating the reports from financial transactions entered in the system. The input for GL Process Flow is the financial transactions and the outputs are various types of financial reports such as balance sheet, profit and loss a/c, funds flow statement, ratio analysis, etc.
The typical steps in general ledger process flow are as follows:
1. Entering financial transactions into the system
2. Reviewing Transactions
3. Approving Transactions
4. Posting of Transactions
5. Generating Financial Reports

Configuration
Risks and Control Objectives (Configuration-General Ledger)

| Risk | Control Objective |
|---|---|
| Unauthorized general ledger entries could be passed. | Access to general ledger entries is appropriate and authorized. |
| System functionality does not exist to segregate the posting and approval functions. | System functionality exists to segregate the posting and approval functions. |
| Systems do not generate reports of all recurring and non-recurring journal entries for review by management for accuracy. | Systems generate reports of all recurring and non-recurring journal entries for review by management for accuracy. |
| Non-standard journal entries are not tracked and are inappropriate. | All non-standard journal entries are tracked and are appropriate. |
| System controls are not in place for appropriate approval of write-offs. | System controls are in place for appropriate approval of write-offs. |
| Transactions can be recorded outside of financial close cutoff requirements. | Transactions cannot be recorded outside of financial close cutoff requirements. |
| The sources of all entries are not readily identifiable. | The sources of all entries are readily identifiable. |
| Transactions are not rejected, accepted and identified, on exception reports in the event of data exceptions. | Transactions are rejected, or accepted and identified, on exception reports in the event of data exceptions. |
| Adding to or deleting general ledger accounts is not limited to authorized accounting department personnel. | Adding to or deleting general ledger accounts is limited to authorized accounting department personnel. |


Masters
Risks and Control Objectives (Masters-General Ledger)

| Risk | Control Objective |
|---|---|
| General ledger master file change reports are not generated by the system and are not reviewed as necessary by an individual who does not input the changes. | General ledger master file change reports are generated by the system and reviewed as necessary by an individual who does not input the changes. |
| A standard chart of accounts has not been approved by management and is not utilized within all entities of the corporation. | A standard chart of accounts has been approved by management and is utilized within all entities of the corporation. |

Transactions
Risks and Control Objectives (Transactions-General Ledger)

| Risk | Control Objective |
|---|---|
| General ledger balances are not reconciled to sub ledger balances and such reconciliations are not reviewed for accuracy and not approved by supervisory personnel. | General ledger balances reconcile to sub ledger balances and such reconciliations are reviewed for accuracy and approved by supervisory personnel. |
| Interrelated balance sheets and income statement accounts do not undergo automated reconciliation to confirm accuracy of such accounts. | Interrelated balance sheets and income statement accounts undergo automated reconciliation to confirm accuracy of such accounts. |
| Account codes and transaction amounts are not accurate and not complete, and exceptions are not reported. | Account codes and transaction amounts are accurate and complete, with exceptions reported. |
| A report of all journal entries completed as part of the closing process is not reviewed by management to confirm the completeness and appropriateness of all recorded entries. | A report of all journal entries completed as part of the closing process is reviewed by management to confirm the completeness and appropriateness of all recorded entries. |
| Entries booked in the close process are not complete and accurate. | Entries booked in the close process are complete and accurate. |

REGULATORY AND COMPLIANCE REQUIREMENTS

The core to any enterprise’s success is to have an efficient and effective financial information system to support decision-making and monitoring. The risks, controls and security of such systems should be clearly understood in order to pass an objective opinion about the adequacy of control in an IT environment.

22. Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.

The Companies Act, 2013
The Companies Act, 2013 has two very important Sections - Section 134 and Section 143, which have a direct impact on the audit and accounting profession.

(i) Section 134
Section 134 of the Companies Act, 2013 on “Financial statement, Board’s report, etc.” states inter alia:

The Directors’ Responsibility Statement referred to in clause (c) of sub-section (3) shall state that:

· the Directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities;

· the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Explanation: For the purposes of this clause, the term “internal financial controls” means the policies and procedures adopted by the company for ensuring the orderly and efficient conduct of its business, including adherence to company’s policies, the safeguarding of its assets, the prevention and detection of frauds and errors, the accuracy and completeness of the accounting records, and the timely preparation of reliable financial information;

· the directors had devised proper systems to ensure compliance with the provisions of all applicable laws and that such systems were adequate and operating effectively.

(ii) Section 143
Section 143 of the Companies Act 2013, on “Powers and duties of auditors and auditing standards”, states inter alia:
Section 143(3) contains the auditor’s report which states: “whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls”;

When we talk in terms of “adequacy and effectiveness of controls”, it refers to the adequacy of the control design and whether the control has been working effectively during the relevant financial year. The impact of this statement is that it involves continuous control monitoring during the year and not a review “as at” a particular date.

For example, let us assume that a company has a sales invoicing control wherein all sales invoices raised by the salesman that are greater than Rs. 50,000/- are reviewed and approved by the sales manager. In terms of the control design, this control may seem adequate. However, suppose that during audit it was found that, during the year, there were many invoices raised by the salesman that were greater than Rs. 50,000/- and not reviewed and approved by the sales manager. In such a case, although the control design was adequate, the control was not working effectively, due to many exceptions without proper approval.

As per ICAI’s “Guidance Note on Audit of Internal Financial Controls over Financial Reporting”:
Clause (i) of Sub-section 3 of Section 143 of the Companies Act, 2013 (“the 2013 Act” or “the Act”) requires the auditors’ report to state whether the company has adequate internal financial controls system in place and the operating effectiveness of such controls.
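The sales invoicing example above, written as a full-year test of operating effectiveness set beside an “as at” check. This is an added example and not part of the original notes; only the Rs. 50,000 threshold and the sales manager approval come from the text, while the invoice records, user names and the `tolerable_exceptions` parameter are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date
from typing import Optional

THRESHOLD_RS = 50_000          # threshold taken from the example in the text
SALES_MANAGERS = {"mgr_rao"}   # constructed: users holding the sales manager role


@dataclass(frozen=True)
class Invoice:
    number: str
    raised_on: date
    amount_rs: int
    raised_by: str
    approved_by: Optional[str]  # None when nobody reviewed the invoice


# Constructed invoice register for financial year 1 April 2023 to 31 March 2024.
INVOICES = [
    Invoice("INV-001", date(2023, 4, 12), 72_000, "sales_anil", "mgr_rao"),
    Invoice("INV-002", date(2023, 6, 3), 50_000, "sales_anil", None),   # not > threshold
    Invoice("INV-003", date(2023, 6, 20), 95_500, "sales_bina", None),
    Invoice("INV-004", date(2023, 9, 15), 61_000, "sales_anil", "sales_anil"),
    Invoice("INV-005", date(2023, 11, 2), 18_000, "sales_bina", None),
    Invoice("INV-006", date(2024, 1, 9), 120_000, "sales_bina", None),
    Invoice("INV-007", date(2024, 3, 28), 88_000, "sales_anil", "mgr_rao"),
    Invoice("INV-008", date(2024, 4, 2), 140_000, "sales_bina", None),  # next year
]


def assess_control(invoices, start, end, tolerable_exceptions=0):
    """Test the approval control over every in-scope invoice in [start, end]."""
    # Population: invoices raised in the window that the control applies to.
    population = [
        i for i in invoices
        if start <= i.raised_on <= end and i.amount_rs > THRESHOLD_RS
    ]
    # Exception: no approval, or approval by someone who is not a sales manager.
    exceptions = [i for i in population if i.approved_by not in SALES_MANAGERS]
    by_month = Counter(i.raised_on.strftime("%Y-%m") for i in exceptions)
    return {
        "population": len(population),
        "exceptions": [i.number for i in exceptions],
        "exceptions_by_month": dict(sorted(by_month.items())),
        "operating_effectively": len(exceptions) <= tolerable_exceptions,
    }


if __name__ == "__main__":
    full_year = assess_control(INVOICES, date(2023, 4, 1), date(2024, 3, 31))
    as_at = assess_control(INVOICES, date(2024, 3, 1), date(2024, 3, 31))
    print("Full year:", full_year)
    print("Year-end month only:", as_at)
```

Looking only at the last month reports the control as effective, while the full-year population shows three unapproved invoices spread across the year.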

I. Management’s Responsibility
The 2013 Act has significantly expanded the scope of internal controls to be considered by the management of companies to cover all aspects of the operations of the company. Clause (e) of Sub-section 5 of Section 134 to the Act requires the directors’ responsibility statement to state that the directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of Directors’ report of all companies to state the details in respect of adequacy of internal financial controls with reference to the financial statements.

The inclusion of the matters relating to internal financial controls in the directors’ responsibility statement is in addition to the requirement for the directors to state that they have taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of the 2013 Act, for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities.

II. Auditors’ Responsibility
The auditor’s objective in an audit of internal financial controls over financial reporting is to express an opinion on the effectiveness of the company’s internal financial controls over financial reporting and the procedures in respect thereof are carried out along with an audit of the financial statements. Because a company’s internal controls cannot be considered effective if one or more material weakness exists, to form a basis for expressing an opinion, the auditor should plan and perform the audit to obtain sufficient appropriate evidence to obtain reasonable assurance about whether material weakness exists as of the date specified in management’s assessment. A material weakness in internal financial controls may exist even when the financial statements are not materially misstated.

III. Corporate Governance Requirements
Corporate Governance is the framework of rules and practices by which a board of directors ensures accountability, fairness, and transparency in a company’s relationship with all its stakeholders (financiers, customers, management, employees, government, and the community).
The corporate governance framework consists of:
(i) Explicit and implicit contracts between the company and the stakeholders for distribution of responsibilities, rights, and rewards
(ii) Procedures for reconciling the sometimes-conflicting interests of stakeholders in accordance with their duties, privileges, and roles, and
(iii) Procedures for proper supervision, control, and information-flows to serve as a system of checks-and-balances.

IV. Enterprise Risk Management’s Framework
As discussed in the previous section of the chapter, Enterprise Risk Management (ERM) in business includes the methods and processes used by organizations to manage risks and seize opportunities related to the achievement of their objectives. As shown in the Fig., ERM provides a framework for risk management, which typically involves identifying particular events or circumstances relevant to the organization’s objectives (risks and opportunities), assessing them in terms of likelihood and magnitude of impact, determining a response strategy, and monitoring progress. By identifying and pro-actively addressing risks and opportunities, business enterprises protect and create value for their stakeholders, including owners, employees, customers, regulators, and society overall.


Fig. Framework Provided by ERM (diagram labels: Risk Management; Risk Assessment; Risk Mitigation / Control; Risk Identification; Risk Analysis; Risk Prioritization; Risk Reduction; Risk Planning; Risk Monitoring)

Management selects a risk response strategy for specific risks identified and analysed, which may include:
(i) Avoidance: Not doing an activity which causes risk.
(ii) Reduction: Taking action to reduce the likelihood or impact related to the risk.
(iii) Alternative Actions: Deciding and considering other feasible steps to minimize risks.
(iv) Share or Insure: Transferring or sharing a portion of the risk, to finance it.
(v) Accept: No action is taken, due to a cost/benefit decision.

Information Technology Act (IT Act)
This Act aims to provide the legal infrastructure for e-commerce in India. The cyber laws have a major impact on e-businesses and the new economy in India, so it is important to understand the various perspectives of the IT Act, 2000 (as amended in 2008) and what it offers.
The Act also aims to provide the legal framework so that legal sanctity is accorded to all electronic records and other activities carried out by electronic means. The Act states that unless otherwise agreed, an acceptance of contract may be expressed by electronic means of communication and the same shall have legal validity and enforceability.

I. Advantages of Cyber Laws
The IT Act 2000 attempts to change outdated laws and provides ways to deal with cyber-crimes. We need such laws so that people can perform purchase transactions over the Net without fear of misuse. The Act offers the much-needed legal framework so that information is not denied legal effect, validity or enforceability, solely on the ground that it is in the form of electronic records.
In view of the growth in transactions and communications carried out through electronic records, the Act seeks to empower government departments to accept filing, creating and retention of official documents in the digital format. The Act has also proposed a legal framework for the authentication and origin of electronic records/communications through digital signature.
From the perspective of e-commerce in India, the IT Act 2000 and its provisions contain many positive aspects which are as follows:

· The implications for the e-businesses would be that email would now be a valid and legal form of communication in India that can be duly produced and approved in a court of law.

· Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by the Act.

· Digital signatures have been given legal validity and sanction in the Act.

· The Act throws open the doors for the entry of corporate companies in the business of being Certifying Authorities for issuing Digital Signatures Certificates.

· The Act now allows Government to issue notification on the web thus heralding e-governance.

· The Act enables the companies to file any form, application or any other document with any office, authority, body or agency owned or controlled by the appropriate Government in electronic form by means of such electronic form as may be prescribed by the appropriate Government.

· The IT Act also addresses the important issues of security, which are so critical to the success of electronic transactions.

· The Act has given a legal definition to the concept of secure digital signatures that would be required to have been passed through a system of a security procedure, as stipulated by the Government at a later date.

Under the IT Act, 2000, it shall now be possible for corporates to have a statutory remedy in case anyone breaks into their computer systems or network and causes damages or copies data. The remedy provided by the Act is in the form of monetary damages, not exceeding Rs. 1 crore.

II. Computer Related Offences

23. Give five examples of computer related offences that can be prosecuted under the IT Act 2000 (amended via 2008).

Common Cyber-crime scenarios: Let us look at some common cyber-crime scenarios which can attract prosecution as per the penalties and offences prescribed in the IT Act 2000 (amended via 2008).

· Harassment via fake public profile on social networking site: A fake profile of a person is created on a social networking site with the correct address, residential information or contact details but he/she is labelled as a person of ‘loose character’. This leads to harassment of the victim.

· Email Account Hacking: The victim’s email account is hacked and obscene emails are sent to people in the victim’s address book.

· Credit Card Fraud: Unsuspecting victims would use infected computers to make online transactions.

· Web Defacement: The homepage of a website is replaced with a defamatory page. Government sites generally face the wrath of hackers on symbolic days.

· Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs: All of the above are some sort of malicious programs which are used to destroy or gain access to some electronic information.

· Cyber Terrorism: Many terrorists use virtual (Drive, FTP sites) and physical storage media (USBs, hard drives) for hiding information and records of their illicit business.

· Online sale of illegal Articles: Where sale of narcotic drugs, weapons and wildlife is facilitated by the Internet.

· Phishing and Email Scams: Phishing involves fraudulently acquiring sensitive information (e.g. passwords, credit card information) through masquerading a site as a trusted entity.

· Theft of Confidential Information: Many business organizations store their confidential information in computer systems. This information is targeted by rivals, criminals and disgruntled employees.


III. Privacy
The main principles on data protection and privacy enumerated under the IT Act, 2000 are:
· defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
· creating civil liability if any person accesses or secures access to computer, computer system or computer network
· creating criminal liability if any person accesses or secures access to computer, computer system or computer network
· declaring any computer, computer system or computer network as a protected system
· imposing penalty for breach of confidentiality and privacy
· setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations Appellate Tribunal etc.

Example - Privacy Policy
A sample privacy policy is given below which highlights key aspects of how and what type of information is collected from the customer, how it is used and secured, and the options for the user providing the information:

“At ABC Ltd., we take your privacy very seriously. Because of this, we want to provide you with explicit information on how we collect, gather, and identify information during your visit to our site. This information may be expanded or updated as we change or develop our site. For this reason, we recommend that you review this policy from time-to-time to see if anything has changed. Your continued use of our site signifies your acceptance of our privacy policy.

Personally identifiable information refers to information that tells us specifically who you are, such as your name, phone number, email or postal address. In many cases, we need this information to provide the personalized or enhanced service that you have requested. The amount of personally identifiable information that you choose to disclose to ABC Ltd. is completely up to you. The only way we know something about you personally is if you provide it to us in conjunction with one of our services.

What information do we collect and how do we use it?

· ABC Ltd. collects information on our users by your voluntary submissions (e.g., when you sign up for a white paper or request product information). We also collect, store and accumulate certain non-personally identifiable information concerning your use of this web site, such as which of our pages are most visited.

· The information ABC Ltd. collects is used in a variety of ways: for internal review; to improve the content of the site, thus making your user experience more valuable; and to let you know about products and services of interest.

Email:

· If you have provided us your email address, ABC Ltd. periodically sends promotional emails about products offered by us. If you do not wish to receive email information from ABC Ltd., please let us know by emailing us.

· ABC Ltd. does not sell, rent, or give away your personal information to third parties. By using our web site, you provide consent to the collection and use of the information described in this Privacy Policy of ABC Ltd.”


IV. Cyber crime
The term ‘Cyber Crime’ finds no mention either in The Information Technology Act 2000 or in any legislation of the Country. Cyber Crime is not different from traditional crime. The only difference is that in Cyber Crime computer technology is involved. This can be explained by the following instance:

· Traditional Theft: A thief ‘A’ enters B’s house and steals an object kept in the house.

· Hacking: A Cyber Criminal ‘A’, sitting in his own house, hacks the computer of ‘B’ through his computer and steals the data saved in B’s computer without physically touching the computer or entering B’s house. Hence Cyber Crime is a Computer related crime.

The IT Act, 2000 defines the terms access in computer network in section 2(a), computer in section 2(i), computer network in section 2(j), data in section 2(o) and information in section 2(v). These are all the necessary ingredients that are useful to technically understand the concept of Cyber Crime.

Definitions

2(a) “Access” with its grammatical variations and cognate expressions means gaining entry into, instructing or communicating with the logical, arithmetical, or memory function resources of a computer, computer system or computer network;

2(i) “Computer” means any electronic, magnetic, optical or other high-speed data processing device or system which performs logical, arithmetic, and memory functions by manipulations of electronic, magnetic or optical impulses, and includes all input, output, processing, storage, computer software, or communication facilities which are connected or related to the computer in a computer system or computer network;

2(j) “Computer Network” means the interconnection of one or more Computers or Computer systems or Communication device through-
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or communication device whether or not the interconnection is continuously maintained;

2(o) “Data” means a representation of information, knowledge, facts, concepts or instructions which are being prepared or have been prepared in a formalized manner, and is intended to be processed, is being processed or has been processed in a computer system or computer network and may be in any form (including computer printouts magnetic or optical storage media, punched cards, punched tapes) or stored internally in the memory of the computer;

2(v) “Information” includes data, message, text, images, sound, voice, codes, computer programmes, software and databases or micro film or computer generated micro fiche;

V. Sensitive Personal Data Information (SPDI)

Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules 2011 formed under section 43A of the Information Technology Act 2000 define a data protection framework for the processing of digital data by Body Corporate.

Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As per the IT Act, Body Corporate is defined as “Any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities.”

Definition of Personal and Sensitive Personal data: Rule 2(i) defines personal information as “information that relates to a natural person which either directly or indirectly, or combination with other information available or likely to be available with a body corporate, is capable of identifying such person.”

Rule 3 defines sensitive personal information as:
· Passwords
· Financial information
· Physical/physiological/mental health condition
· Medical records and history; and
· Biometric information

Consent: Rule 5(1) requires that Body Corporate should, prior to collection, obtain consent in writing through letter or fax or email from the provider of sensitive personal data regarding the use of that data.

In a context where services are delivered with little or no human interaction, data is collected through sensors, data is collected on a real-time and regular basis, and data is used and re-used for multiple and differing purposes, it is not practical, and often not possible, for consent to be obtained through writing, letter, fax, or email for each instance of data collection and for each use.

Q.1 Draw a flowchart to compute simple interest.

Q.2 Draw a flowchart to calculate discount on sales, where discount is 5% of sales. The output should also include the name and PAN.

Q.3 Draw a flowchart to draw & print discounted amount, where discount is 5%.

Q.4 Draw a flowchart to calculate & print discounted amount, where the discount rate is 20% if sale is < 10,000, or else 30%.

Q.5 Draw a flowchart to calculate Simple Interest, if the rate of interest for Indians is 10% and for others 20%.

Q.6 The goods imported from foreign countries are classified into four categories for the purpose of levying custom duty. The rate of custom duty of value of goods for each category is given below:

1. Electronic items                 10
2. Heavy machinery                  15
3. Footwear items                   20
4. All Other Uncategorized items    25

Draw a flow chart to compute the appropriate custom duty, including educational cess at the rate of 3% of the value of custom duty.

Q.7 Draw a flowchart to compute Total Bill where rate of Cycle is as follows:

Model 1    Rs 10 per day
Model 2    Rs 20 per day
Model 3    Rs 30 per day

Where deposit is 25.

Q.8 Draw a flowchart to compute and print income tax, surcharge and education cess on the income of a person, where income is to be read from terminal and tax is to be calculated as per the following rates:

Slab (Rs)                     Rate
(1) 1 to 1,00,000             No Tax
(2) 1,00,001 to 1,50,000      @10% of amt above 1,00,000
(3) 1,50,001 to 2,50,000      Rs 5000 + 20% of amt above 1,50,000
(4) 2,50,001 onwards          Rs 25,000 + 30% of amt above 2,50,000

Surcharge @10% on the amount of total tax, if income of a person exceeds Rs.10,00,000. Education cess 2% on the total tax.

Q.9 Draw a flow chart to compute and print income-tax and surcharge on the income of the individual. The income is to be read from terminal and tax is to be calculated as per the following rates:

Income (in Rs.)             Rate
Up to 50,000                No tax
From 50,001 to 60,000       @10% of amount above Rs. 50,000
From 60,001 to 1,50,000     1000 + 20% of amount above Rs. 60,000
Above Rs. 1,50,000          Rs.19,000 + 30% of amount above Rs.1,50,000

Charge surcharge @5% on the amount of total tax, if the income of a person exceeds Rs.60,000.

Q.10 (I) Input name & basic salary for 100 employees. Each employee contributes 10% of basic salary towards provident fund. Find and print the name and P.F. contribution made by each employee.

(II) Also print the total contribution of all employees.

Q.11 Draw a flowchart to calculate Simple Interest of 50 customers & calculate total simple interest of 50 customers.

Q.12 A book publisher offers discount to customers on the basis of customer type and number of copies ordered as shown below:

Customer type    Number of Copies Ordered     % of discount
Book Seller      More than 10                 25
                 Less than or equal to 10     15
Library          More than 5                  20
                 Less than or equal to 5      10

Customer number, name, type, book number, number of copies ordered and unit price are given as input. Draw a flow chart to calculate the net amount of the bill for each customer and print it. The above is to be carried out for 50 customers.

Q.13 An electric supply company charges the following rates from its consumers:

No. of Units consumed       Charges/unit (Rs.)
For the first 200 units     2.50
For the next 300 units      3.50
Over 500 units              5.00

Computer database of the company has the following information:
1) Consumer name
2) Address
3) Unit consumed
4) Bill Date
5) Payment date

If the consumer pays his bill within 15 days from the bill date, 10% discount is given. If he makes the payment after 15 days from the bill date, 5% surcharge is levied. Draw a flow chart to calculate the net amount of the bill for each consumer and print it.

Q.14 An electricity distribution company has three categories of consumers, namely:
(i) Domestic
(ii) Commercial
(iii) Industry

The charges of electricity per unit consumed by these consumers are Rs.3, Rs.4 and Rs.5 respectively. The computer database of the company has the following information:

Consumers | Category | Units consumed | Bill date | Date of payment

The company processes bills according to the following criterion. If the consumer is domestic and pays the bill within 10 days of the bill date, 5% discount is given. If he pays the bill within 15 days, no discount is given. If he makes the payment after 15 days of the bill date, 10% surcharge is levied.

For the non-domestic consumers (commercial or industry), the corresponding percentages are 10%, 0% and 15% respectively. Draw a flow chart to calculate the bill amount, discount, surcharge and net amount of the bill for each type of consumer and print it.

Q.15 An electric supply company charges the following rates from its consumers:

No. of Units consumed       Charges/unit (Rs.)
For the first 200 units     2.50
For the next 300 units      3.50
Over 500 units              5.00

Surcharge @ 20% of total bill is to be added to the charges in the bill.

Draw a flowchart to read the consumer no. & no. of units consumed & print out total charges with customer number & units consumed.

Q.16 A bicycle shop in a city hires bicycles by the day at different rates for different models as below:

Model no       Hire rate per day (Rs.)
Model No.1     14.00
Model No.2     12.00
Model No.3     10.00

In order to attract customers, the shopkeeper gives a discount on the number of days a bicycle is hired for. The policy of discount is as given below:

No. of days     Discount Rate (%)
1-5             0.00
6-10            8
11 and over     15

For every bicycle hired a deposit of Rs.30.00 must be paid. Develop a flow chart to print out details for each customer such as name of the customer, bicycle model number, number of days a bicycle is hired for, hire charges, discount and total charges.

Q.17 A Housing Society in a newly developed Smart City has provided several advanced security systems to each house in that city. Based on the value of these advanced security systems installed in each house, the Society has divided all the houses in four categories and fixed the criteria for annual maintenance charges as under:

House Category    Maintenance charges as % of value of advanced security systems installed at house
A                 8%
B                 6%
C                 4%
D                 3%

In addition to the above there is a service tax @ 12.36% on the amount of maintenance charges. Considering house number and value of advanced security system installed as input, draw a flow chart to have printed output as house number, maintenance charges, service tax and the total amount to be paid by each house owner.

Q.18 ABC Limited is a software development company, which appointed 50 software engineers in August 2014 at a monthly salary of Rs. 30,000. All these engineers shall be entitled to an increment in their monthly salary after six months. The increment on present monthly salary shall be based on their performance, to be evaluated on a 100 marks scale as per details given below:

- Performance marks < 70, then increment shall be 10% of present salary.

- 70 ≤ Performance marks < 80, then increment shall be 20% of present salary.

- Performance marks ≥ 80, then increment shall be 30% of present salary.

Draw a Flow-Chart to enable printing of details like name of the engineer, performance marks, monthly increment amount and revised monthly salary for each of these 50 engineers.


��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 55: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

J.K.SHAH CLASSES INTER C.A. – I.T.

: 43 :

CHAPTER-2 FINANCIAL AND ACCOUNTING SYSTEMS

CHAPTER OVERVIEW

· Integrated & Non Integrated System

· Business Process Modules and Their Integration with Financial & Accounting Systems


· Data Analytics and Business Intelligence

· Business Reporting and Fundamental XBRL

· Applicable Regulatory and Compliance Requirements


INTRODUCTION

1. What is a System?

· A system is a set of interrelated & interdependent elements or components that operate together to accomplish common objectives by taking inputs and producing outputs in an organized manner.

· All systems generally have –
§ Inputs, outputs and feedback mechanisms.
§ A number of interrelated & interdependent sub-systems. No sub-system can function in isolation; each depends on other sub-systems for inputs.
§ If one sub-system / component fails, in most cases the whole system doesn’t work.

2. What is a Business Process?

· In the systems engineering arena, a Process is defined as a sequence of events that uses inputs to produce outputs.

· This is a broad definition and can include sequences as mechanical as reading a file and transforming the file to a desired output format, or as involved as taking a customer order, filling that order, and issuing the customer invoice.

· From a business perspective, a Process is a coordinated and standardized flow of activities performed by people or machines, which can overcome functional or departmental boundaries to achieve a business objective and creates value for internal or external customers.

· Organizations have many different business processes such as completing a sale, purchasing raw materials, paying employees or vendors, maintaining accounts, etc.

· Each of the business processes has either a direct or an indirect effect on the financial status of the organization.

Concepts in Computerized Accounting Systems

3. Explain the types of data used in Financial & Accounting system

Every accounting system stores data in two ways: Master Data and Non-Master Data (or Transaction Data), as shown.


1) Master Data:

· Master data is relatively permanent data that is not expected to change frequently.

· Master data is generally not typed by the user; it is created by the Database Administrator.

· On the basis of master data, the user incorporates transaction data into the system.

· All business process modules must use common master data.

· Master data is selected from the available list of masters (e.g. Ledgers) to maintain standardization, as we need to collect all the transactions relating to one master data at one place for reporting.

· While inputting the information, the user is forced to select master data from the available list to avoid confusion while preparing reports. For example, the same ledger name may otherwise be written differently.

In accounting systems, there may be the following types of master data:

a. Accounting Master Data:

· This includes names of ledgers, groups, cost centers, accounting voucher types, etc.

· E.g. Capital Ledger, sales, purchase, expenses and income ledgers are created once and not expected to change frequently.

b. Inventory Master Data:

· This includes stock items, stock groups, godowns, inventory voucher types, etc.

c. Payroll Master Data:

· Payroll is a system for calculation of salary and recording of transactions relating to employees. Master data in case of payroll can be names of employees, group of employees, salary structure, pay heads, etc.

· These data are not expected to change frequently. E.g. an employee created in the system will remain as it is for a longer period of time; his/her salary structure may change, but not frequently.

d. Statutory Master Data:

· This is master data relating to statute/law. It may be different for different types of taxes.

· E.g. Goods and Service Tax (GST), Headings of Income, Tax rate, Nature of Payments for Tax Deducted at Source (TDS), etc.


2) Non-Master Data:

· It is data which is expected to change frequently and is not permanent.

· Non-master data is typed by the user and not selected from an available list, as it is non-permanent and keeps on changing.

· E.g. amounts recorded in each transaction shall be different every time. The date recorded in each transaction is also expected to change and will not be constant across all the transactions.

4. Explain types of vouchers used in accounting system

· A voucher is documentary evidence of a transaction. There may be different documentary evidences for different types of transactions. E.g. a receipt given to a customer after payment is made by him/her is documentary evidence of the amount received.

· A sales invoice or a purchase invoice is also documentary evidence of a transaction.

· A voucher is a place where transactions are recorded. It is a data input form for inputting transaction data.

Voucher Types

| Sr. No. | Voucher Type Name | Module | Use |
|---|---|---|---|
| 1 | Contra | Accounting | For recording of four types of transactions as under: a. Cash deposit in bank; b. Cash withdrawal from bank; c. Cash transfer from one location to another; d. Fund transfer from our one bank account to our own another bank account. |
| 2 | Payment | Accounting | For recording of all types of payments. Whenever the money is going out of business by any mode (cash/bank). |
| 3 | Receipt | Accounting | For recording of all types of receipts. Whenever money is being received into business from outside. |
| 4 | Journal | Accounting | For recording of all non-cash/bank transactions, e.g. Depreciation, Provision, Write-off, Write-back, discount given/received, Purchase / Sale of fixed assets on credit, etc. |
| 5 | Sales | Accounting | For recording all types of trading sales by any mode (cash/bank/credit). |
| 6 | Purchase | Accounting | For recording all types of trading purchase by any mode (cash/bank/credit). |
| 7 | Credit Note | Accounting | For making changes/corrections in already recorded sales/purchase transactions. |
| 8 | Debit Note | Accounting | For making changes/corrections in already recorded sales/purchase transactions. |
| 9 | Purchase Order | Inventory | For recording of a purchase order raised on a vendor. |
| 10 | Sales Order | Inventory | For recording of a sales order received from a customer. |
| 11 | Stock Journal | Inventory | For recording of physical movement of stock from one location to another. |
| 12 | Physical Stock | Inventory | For making corrections in stock after physical counting. |
| 13 | Delivery Note | Inventory | For recording of physical delivery of goods sold to a customer. |
| 14 | Receipt Note | Inventory | For recording of physical receipt of goods purchased from a vendor. |
| 15 | Memorandum | Accounting | For recording of transactions which will be in the system but will not affect the trial balance. |
| 16 | Attendance | Payroll | For recording of attendance of employees. |
| 17 | Payroll | Payroll | For salary calculations. |

5. Explain Characteristics / qualities of voucher number

A Voucher Number or a Document Number is a unique identity of any voucher / document. A voucher may be identified or searched using its unique voucher number.

Characteristics of voucher numbering:

· Voucher number must be unique.

· Every voucher type shall have a separate numbering series.

· A voucher number may have a prefix or a suffix or both, e.g. ICPL/2034/17-18. In this case “ICPL” is the prefix, “17-18” is the suffix and “2034” is the actual number of the voucher.

· All vouchers must be numbered serially, i.e. 1, 2, 3, 4, 5, 6 and so on.

· All vouchers are recorded in chronological order. If the first voucher number is 51, then the next voucher number will be 52, and so on.
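The numbering rules above can be checked mechanically over a voucher register. This is an added example, not part of the original notes; it assumes every number follows the PREFIX/NUMBER/SUFFIX layout of the ICPL/2034/17-18 sample, and the register rows and the "PAY" prefix are constructed for illustration.

```python
import re
from collections import defaultdict

# Layout assumed from the notes' sample "ICPL/2034/17-18": prefix / serial / suffix.
VOUCHER_RE = re.compile(r"^(?P<prefix>[A-Z]+)/(?P<serial>\d+)/(?P<suffix>\d{2}-\d{2})$")


def parse_voucher_number(text):
    """Split a voucher number into (prefix, serial, suffix); raise ValueError if malformed."""
    m = VOUCHER_RE.match(text.strip())
    if not m:
        raise ValueError(f"malformed voucher number: {text!r}")
    return m["prefix"], int(m["serial"]), m["suffix"]


def check_register(rows):
    """Check (voucher_type, voucher_number, iso_date) rows against the numbering rules.

    Returns a list of findings as (kind, voucher_type, detail) tuples, where kind is
    'malformed', 'duplicate', 'gap' or 'out_of_order'.
    """
    findings = []
    # Every voucher type has its own series, so group by type, prefix and suffix.
    series = defaultdict(list)
    for vtype, number, date in rows:
        try:
            prefix, serial, suffix = parse_voucher_number(number)
        except ValueError:
            findings.append(("malformed", vtype, number))
            continue
        series[(vtype, prefix, suffix)].append((serial, date))

    for (vtype, prefix, suffix), entries in series.items():
        # Rule: voucher number must be unique within its series.
        seen = set()
        for serial, _ in entries:
            if serial in seen:
                findings.append(("duplicate", vtype, f"{prefix}/{serial}/{suffix}"))
            seen.add(serial)

        # Rule: vouchers are numbered serially, so any skipped serial is a gap.
        ordered = sorted(seen)
        for a, b in zip(ordered, ordered[1:]):
            if b - a > 1:
                missing = ",".join(str(n) for n in range(a + 1, b))
                findings.append(("gap", vtype, missing))

        # Rule: chronological order, so dates must not go backwards as serials rise.
        by_serial = sorted(entries)
        for (_, d1), (s2, d2) in zip(by_serial, by_serial[1:]):
            if d2 < d1:  # ISO dates compare correctly as strings
                findings.append(("out_of_order", vtype, f"{prefix}/{s2}/{suffix}"))
    return findings


# Constructed sample register (not real data).
SAMPLE_REGISTER = [
    ("Sales", "ICPL/2034/17-18", "2017-06-01"),
    ("Sales", "ICPL/2035/17-18", "2017-06-02"),
    ("Sales", "ICPL/2037/17-18", "2017-06-03"),    # serial 2036 was skipped
    ("Sales", "ICPL/2037/17-18", "2017-06-03"),    # same number used twice
    ("Payment", "PAY/51/17-18", "2017-06-05"),
    ("Payment", "PAY/52/17-18", "2017-06-04"),     # dated before voucher 51
    ("Payment", "PAY-53", "2017-06-06"),           # does not follow the layout
]

if __name__ == "__main__":
    for finding in check_register(SAMPLE_REGISTER):
        print(finding)
```

A gap or a duplicate in a series is a prompt for an auditor to ask what happened to that voucher, since a deleted or back-dated entry shows up this way.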


6. Explain Accounting Flow from the angle of software

[Figure: Flow of Accounting. Transactions → Voucher Entry (Humans) → Posting → Balancing → Trial Balance → Profit & Loss Account → Balance Sheet (Software)]

As shown in the Fig. regarding the flow of accounting, there are seven steps in all in the accounting flow, out of which only the first two steps require human intervention. The remaining five steps are mechanical and can be performed by software with high speed and accuracy. Also, the last five steps, i.e. Posting, Balancing, Trial Balance preparation, Profit & Loss Account preparation and Balance Sheet preparation, are time-consuming jobs that require huge effort.

7. Explain various types of ledgers

In accounting, there are three types of ledger accounts, i.e. Personal, Real and Nominal. But as far as Financial and Accounting Systems are concerned, ledgers may be classified into two types, i.e. ledgers having a Debit Balance and ledgers having a Credit Balance.


Types of Ledgers

Key Points -

· The basic objective of accounting software is to generate two primary accounting reports, i.e. Profit & Loss Account and Balance Sheet. Income and Expense ledgers are considered in the Profit & Loss Account, and Asset and Liability ledgers are considered in the Balance Sheet. Hence every ledger is classified in one of the four categories, i.e. Income, Expense, Asset or Liability.

· The difference between Total Income and Total Expenses, i.e. Profit or Loss as the case may be, is taken to the Balance Sheet. The Balance Sheet is the last point in the accounting process.

· Any ledger can be categorized in one category only, i.e. Asset, Liability, Income or Expense. It cannot be categorized in more than one category.

· Ledger grouping is used for preparation of reports, i.e. Balance Sheet and Profit & Loss Account.

Accounting software does not recognize any ledger as Personal, Real or Nominal; instead it recognizes it as an Asset, Liability, Income or Expense ledger.

8. Explain the concept of Grouping of Ledgers

· At the time of creation of any new ledger, it must be placed under a particular group. There are four basic groups in Accounting, i.e. Income, Expense, Asset, Liability. There may be any number of sub-groups under these four basic groups.

· E.g. the Cash ledger is an asset ledger and should be shown under current assets in the Balance Sheet.


Technical Concepts in Computerized Financial & Accounting Systems

9. Explain working of any software through ‘Front end’ and ‘back end’ modules

Working of any software

(i) Front End & Back End

• Front End - It is the part of the software which actually interacts with the user who is using the software.

• Back End - It is the part of the software which does not directly interact with the user, but interacts with the Front End only.

If a user wants to have some information from the system:

• The user will interact with the Front End part of the software and request the front end to generate the report.

• The Front End will receive the instruction from the user and pass it on to the back end.

• The Back End will process the data, generate the report and send it to the front end. The Front End will now display the information to the user.

• This is how the process gets completed each and every time.


· A customer will place an order with the waiter (Front End) and not with the cook (Back End) directly.

· The waiter will receive the order and pass it on to the cook in the kitchen.

· The cook will process the food as per requirement and hand it over to the waiter.

· The waiter will serve the food to the customer.

10. Explain difference between Installed Applications V/s Web Applications

· Installed Applications are programs installed on the hard disc of the user’s computer.

· Web Applications are not installed on the hard disc of the user’s computer; they are installed on a web server and accessed using a browser and an internet connection.

| Particulars | Installed Application | Web Application (Cloud based) |
|---|---|---|
| Installation & Maintenance | As software is installed on the hard disc of the computer used by the user, it needs to be installed on every computer one by one. This may take a lot of time. Also, maintenance and updating of software may take a lot of time and effort. | As software is installed on only one computer, i.e. a web server, it need not be installed on each computer. Hence, installation on the user’s computer is not required and maintenance and updating of software becomes extremely easy. |
| Accessibility | As software is installed on the hard disc of the user’s computer, the user needs to go to the computer where the software is installed to use it. It cannot be used from any computer. | As software is not installed on the hard disc of the user’s computer and is used through a browser and the internet, it can be used from any computer in the world. Access to the software becomes very easy. Also, it can be used 24 x 7. |
| Mobile Application | Using the software through a mobile application is difficult in this case. | Using a mobile application becomes very easy as data is available 24 x 7. |
| Data Storage | Data is physically stored in the premises of the user, i.e. on the hard disc of the user’s server computer. Hence the user will have full control over the data. | Data is not stored in the user’s server computer. It is stored on a web server. Hence the user will not have any control over the data. |
| Data Security | As the data is in physical control of the user, it cannot be accessed by unauthorized users. | As data is maintained on a web server, it can be accessed by unauthorized users. |
| Performance | A well written installed application shall always be faster than a web application, as data is picked from the local server without internet. | As data is picked from the web server using the internet, speed of operation may be slower. |

Integrated & Non-Integrated System

11. Explain Integrated & Non Integrated System

Non-Integrated System

A Non-Integrated System is a system of maintaining data in a decentralized way. Each department shall maintain its own data separately and not in an integrated way. This is the major problem with non-integrated systems.

[Figure: Non-Integrated Systems]

Above is a typical non-integrated environment where all the departments are working independently and using their own set of data. They need to communicate with each other, but still they use their own data.

This results in two major problems:
a. Communication Gaps
b. Mismatched Data

Communication between different business units is a major aspect for the success of any organization.

Integrated System - Enterprise Resource Planning (ERP) Systems

· ERP can be defined as a fully integrated business management system that integrates the core business and management processes to provide an organization a structured environment in which decisions concerning demand, supply, operational, personnel, finance, logistics etc. are fully supported by accurate and reliable real-time information.

· An ERP system is a multi-module software system that integrates all business processes and functions of the entire Enterprise into a single software system, using a single integrated database. Each module is intended to collect, process and store data of a functional area of the organization and to integrate with related processes.


· An ERP system is based on a common database and a modular software design. The common database can allow every department of a business to store and retrieve information in real-time.

· Ideally, the data for the various business functions are integrated. In practice the ERP system may comprise a set of discrete applications, each maintaining a discrete data store within one physical database.

· Some of the well-known ERPs in the market today include SAP, Oracle, MFG Pro, MS Axapta etc.

12. Explain advantages of an ERP System

• Ability to customize an organization’s requirements;

• Integrate business operations with accounting and financial reporting functions;

• Increased data security and application controls;

• Build strong access and segregation of duties controls;

• Automate many manual processes, thus eliminating errors;

• Process huge volumes of data within short time frames; and

• Strong reporting capabilities which aid management and other stakeholders in appropriate decision making.

13. Explain various features of an Ideal ERP System

· It should cater to all types of needs of an organization.

· It should provide the right data at the right point of time to the right users for their purpose.

· It should be flexible enough to adapt to changes in the organization.

· It must have a single database and contain all data for the various software modules to perform all the functions of the organization to achieve its goals and objectives.

14. Explain various modules of ERP

ERP modules can include the following:

• Manufacturing: Some of the functions include engineering, capacity, workflow management, quality control, bills of material, manufacturing process, etc.

• Financials: Accounts payable, accounts receivable, fixed assets, general ledger and cash management, etc.

• Human Resources: Benefits, training, payroll, time and attendance, etc.

• Supply Chain Management: Inventory, supply chain planning, supplier scheduling, claim processing, order entry, purchasing, etc.

• Projects: Costing, billing, activity management, time and expense, etc.

• Customer Relationship Management (CRM):
§ CRM is a term applied to processes implemented by a company to handle its contact with its customers.
§ It provides information to management as to the customer requirement, customer account balance, payment details, types of products etc.
§ Details on any customer contacts can also be stored in the system.
§ The rationale behind this approach is to improve services provided directly to customers and to use the information in the system for targeted marketing.

• Data Warehouse:
§ A data warehouse is a repository of an organization’s electronically stored data.
§ It is designed to extract relevant data from various databases, load it into the repository for supporting data analysis and provide data reporting.
§ Usually this is a module that can be accessed by an organization’s customers, suppliers and employees.

RISKS AND CONTROLS

15. Explain various risks in ERP environment

Risks in an ERP Environment

By and large, most of the risks in an ERP environment relate to data only. These risks can be summarized as under.

· Risk of total loss of data

· Risk of partial loss of data

· Risk of unauthorised changes in data

· Risk of partial / complete deletion of data

· Risk of leakage of information

· Risk of incorrect input of data

16. Explain various risks associated and Controls required in ERP Systems

| Aspect | Risk Associated | Control Required |
|---|---|---|
| Data Access | Data is stored centrally and all the departments access the central data. This creates a possibility of access to non-relevant data. | Access rights need to be defined very carefully. Access to be given on a “Need to know” and “Need to do” basis only. |
| Data Safety | As there is only one set of data, if this data is lost, the whole business may come to a standstill. | Backup arrangement needs to be very strong. Also, strict physical control is needed for data. |
| Speed of Operation | As data is maintained centrally, gradually the data size becomes more and more and it may reduce the speed of operation. | This can be controlled by removing redundant data on a continuous basis. |
| Change in process | As the overall system is integrated, a small change in process for one department may require a lot of effort and money. | All the processes must be documented carefully at the beginning of implementation itself so as to avoid any discomfort in future. |
| Staff Turnover | As the overall system is integrated and connected with each other department, it becomes complicated and difficult to understand. In case of staff turnover, it becomes increasingly difficult to maintain the system. | This can be controlled and minimized with the help of a proper staff training system, having help manuals, having backup plans for staff turnover, etc. |
| System Failure | As everybody is connected to a single system and central database, in case of failure of the system, the whole business may come to a standstill or may get affected badly. | This can be controlled and minimized by having proper and updated backup of data as well as alternate hardware / internet arrangements. In case of failure of the primary system, the secondary system may be used. |

17. Explain Role Based Access Control (RBAC) in ERP System

· In computer systems security, role-based access control is an approach to restricting system access to authorized users.

· Roles for staff are defined in the organization and access to the system can be given according to the role assigned.

· E.g. a junior accountant in the accounting department is assigned a role of recording basic accounting transactions, an executive in the human resource department is assigned a role of gathering data for salary calculations on a monthly basis, etc.

Types of Access

While assigning access to different users, the following options are possible.
(i) Create - Allows to create data
(ii) Alter - Allows to alter data
(iii) View - Allows only to view data
(iv) Print - Allows to print data

The above types of access can be allowed / disallowed for -
a. Master Data
b. Transaction Data
c. Reports
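One way to express the role and access-type scheme above in code, as an added example that is not part of the original notes. The role names, the rights given to each role and the user names are assumptions made for illustration; access is denied unless a role explicitly grants it, and every decision is logged for the audit trail.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Access(Flag):
    """The four access types listed in the notes."""
    NONE = 0
    CREATE = auto()
    ALTER = auto()
    VIEW = auto()
    PRINT = auto()


# The three kinds of data for which access can be allowed / disallowed.
DATA_CLASSES = ("master", "transaction", "report")

# Hypothetical role definitions, granted on a "need to know / need to do" basis.
ROLES = {
    "junior_accountant": {          # records basic accounting transactions
        "master": Access.VIEW,
        "transaction": Access.CREATE | Access.VIEW,
        "report": Access.NONE,
    },
    "hr_executive": {               # gathers data for salary calculations
        "master": Access.VIEW,
        "transaction": Access.VIEW,
        "report": Access.VIEW | Access.PRINT,
    },
    "accounts_manager": {
        "master": Access.CREATE | Access.ALTER | Access.VIEW,
        "transaction": Access.ALTER | Access.VIEW,
        "report": Access.VIEW | Access.PRINT,
    },
}


@dataclass
class AccessController:
    roles: dict
    assignments: dict = field(default_factory=dict)   # user -> role name
    audit_log: list = field(default_factory=list)     # one tuple per decision

    def assign(self, user, role):
        """Give a user exactly one role; unknown roles are rejected."""
        if role not in self.roles:
            raise KeyError(f"unknown role: {role}")
        self.assignments[user] = role

    def is_allowed(self, user, data_class, access):
        """Deny by default: unknown users, roles or data classes get no access."""
        role = self.assignments.get(user)
        granted = self.roles.get(role, {}).get(data_class, Access.NONE)
        allowed = access != Access.NONE and (granted & access) == access
        self.audit_log.append((user, role, data_class, access.name, allowed))
        return allowed

    def rights_report(self):
        """Effective rights per user, for a periodic access review."""
        singles = (Access.CREATE, Access.ALTER, Access.VIEW, Access.PRINT)
        report = {}
        for user, role in self.assignments.items():
            report[user] = {
                dc: [a.name for a in singles
                     if a in self.roles[role].get(dc, Access.NONE)]
                for dc in DATA_CLASSES
            }
        return report


if __name__ == "__main__":
    ctl = AccessController(ROLES)
    ctl.assign("asha", "junior_accountant")           # constructed user name
    print(ctl.is_allowed("asha", "transaction", Access.CREATE))
    print(ctl.is_allowed("asha", "master", Access.ALTER))
    print(ctl.rights_report())
```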


18. Audit of ERP System

Some of the questions auditors should ask during an ERP audit are pretty much the same as those that should be asked during development and implementation of the system:

• Does the system process according to GAAP (Generally Accepted Accounting Principles) and GAAS (Generally Accepted Auditing Standards)?

• Does it meet the needs for reporting, whether regulatory or organizational?

• Were adequate user requirements developed through meaningful interaction?

• Does the system protect confidentiality and integrity of information assets?

• Does it have controls to process only authentic, valid, accurate transactions?

• Are effective system operations and support functions provided?

• Are all system resources protected from unauthorized access and use?

• Are user privileges based on what is called “role-based access?”

• Is there an ERP system administrator with clearly defined responsibilities?

• Is the functionality acceptable? Are user requirements met? Are users happy?

• Have workarounds or manual steps been required to meet business needs?

• Are there adequate audit trails and monitoring of user activities?

• Can the system provide management with suitable performance data?

• Are users trained? Do they have complete and current documentation?

• Is there a problem-escalation process?

BUSINESS PROCESS MODULES AND THEIR INTEGRATION WITH FINANCIAL & ACCOUNTING SYSTEMS

19. What is a Business Process? Explain examples.

A Business Process consists of a set of activities that are performed in coordination in an organizational and technical environment. These activities jointly realize a business goal. Each business process is enacted by a single organization, but it may interact with business processes performed by other organizations. To manage a process -

· The first task is to define it. This involves defining the steps (tasks) in the process and mapping the tasks to the roles involved in the process.

· Once the process is mapped and implemented, performance measures can be established. Establishing measurements creates a basis to improve the process.

· The last piece of the process management definition describes the organizational setup that enables the standardization of and adherence to the process throughout the organization.


20. Explain Accounting process flow in Accounting Cycle.

· The Accounting or Book keeping cycle covers the business processes involved in recording and processing accounting events of a company.

· It begins when a transaction or financial event occurs and ends with its inclusion in the financial statements.

· A typical life cycle of an accounting transaction may include the following transactions as depicted in Fig.:

(a) Source Document: A document that captures data from transactions and events.
(b) Journal: Transactions are recorded into journals from the source document.
(c) Ledger: Entries are posted to the ledger from the journal.
(d) Trial Balance: Unadjusted trial balance containing totals from all account heads is prepared.
(e) Adjustments: Appropriate adjustment entries are passed.
(f) Adjusted Trial balance: The trial balance is finalized post adjustments.
(g) Closing Entries: Appropriate entries are passed to transfer accounts to financial statements.
(h) Financial statement: The accounts are organized into the financial statements.

21. Explain different nature & types of business.

There are three different natures and types of businesses that are operated with the purpose of earning profit. Each type of business has distinctive features.

• Trading Business - Trading simply means buying and selling goods without any modifications, as it is. Hence inventory accounting is a major aspect in this case. Purchase and sales transactions cover a major portion of accounting. This industry requires accounting as well as inventory modules.

• Manufacturing Business - This type of business includes all aspects of a trading business plus the additional aspect of manufacturing. Manufacturing is simply buying raw material, changing its form and selling it as a part of trading. Here also, inventory accounting plays a major role. This type of industry requires accounting and complete inventory along with a manufacturing module.

• Service Business - This type of business does not have any inventory. It is selling of skills / knowledge / efforts / time. E.g. Doctors, Architects and Chartered Accountants are professionals in service business. There may be other types of business in service, i.e. courier business, security service, etc. This industry does not require an inventory module.

22. Explain various Business Process Modules in ERP

· Financial Accounting Module

· Controlling Module

· Sales & Distribution Module

· Human Resource Module

· Production Planning (PP) Module

· Material Management (MM) Module

· Quality Management Module

· Plant Maintenance Module

· Project Systems Module

· Supply Chain Module

· Customer Relationship Module (CRM)

23. Explain Financial Accounting Module & key features of Financial Accounting Module

This module is the most important module of the overall ERP System and it connects all the modules to each other. Every module is somehow connected with this module.

Following are the key features of this module:

• Tracking of flow of financial data across the organization in a controlled manner and integrating all the information for effective strategic decision making.

• Creation of Organizational Structure (Defining Company, Company Codes, Business Areas, Functional Areas, Credit Control, Assignment of Company Codes to Credit Controls).

• Financial Accounting Global Settings (Maintenance of Fiscal Year, Posting Periods, defining Document types, posting keys, Number ranges for documents).

• General Ledger Accounting (Creation of Chart of Accounts, Account groups, defining data transfer rules, creation of General Ledger Account).

• Tax Configuration & Creation and Maintenance of House of Banks.

• Account Payables (Creation of Vendor Master data and vendor-related finance attributes like account groups and payment terms).

• Account Receivables (Creation of Customer Master data and customer-related finance attributes like account groups and payment terms).

• Asset Accounting.

• Integration with Sales and Distribution and Materials Management.

24. Explain Controlling Module & key features of Controlling Module

This module facilitates coordinating, monitoring, and optimizing all the processes in an organization. It controls the business flow in an organization. This module helps in analyzing the actual figures with the planned data and in planning business strategies. Two kinds of elements are managed in Controlling - Cost Elements and Revenue Elements. These elements are stored in the Financial Accounting module.

Key features of this module are as under:
• Cost Element Accounting (Overview of the costs and revenues that occur in an organization);
• Cost Center Accounting;
• Activity-Based-Accounting (Analyzes cross-departmental business processes);
• Internal Orders;
• Product Cost Controlling (Calculates the costs that occur during the manufacture of a product or provision of a service);
• Profitability Analysis; and
• Profit Center Accounting (Evaluates the profit or loss of individual, independent areas within an organization).

25. Explain Sales & Distribution Module & key features of Sales & Distribution Module

It has a high level of integration complexity. Sales and Distribution is used by organizations to support sales and distribution activities of products and services, starting from enquiry to order and then ending with delivery.

This module includes various activities that take place in an organization such as product enquiries, quotation, placing order, pricing, scheduling deliveries, picking, packing, goods issue, shipment of products to customers, delivery of products and billings.

In all these processes, multiple modules are involved such as FA (Finance & Accounting), CO (Controlling), MM (Material Management), PP (Production Planning), LE (Logistics Execution), etc., which shows the complexity of the integration involved.

Sales and Distribution with ERP

Key features of Sales and Distribution Module are discussed as under:
• Setting up Organization Structure (creation of new company, company codes, sales organization, distribution channels, divisions, business area, plants, sales area, maintaining sales offices, storage location)
• Assigning Organizational Units (Assignment of individual components created in the above activities with each other according to design like company code to company, sales organization to company code, distribution channel to sales organization, etc.)
• Defining Pricing Components (Defining condition tables, condition types, condition sequences)
• Setting up sales document types, billing types, and tax-related components
• Setting up Customer master data records and configuration

26. Explain Sales & Distribution Process

• Pre-Sales Activities - Includes the process of prospecting of customers, identifying prospective customers, gathering data, contacting them and fixing appointments, showing demo, discussion, submission of quotations, etc.

• Sales Order - Sales order is recorded in our books after getting a confirmed purchase order from our customer. Sales order shall contain details just like purchase order. E.g. Stock Item Details, Quantity, Rate, Due Date of Delivery, Place of Delivery, etc.

• Inventory Sourcing - It includes making arrangements before delivery of goods, ensuring goods are ready and available for delivery.

• Material Delivery - Material is delivered to the customer as per sales order. All inventory details are copied from Sales Order to Material Delivery for saving user’s time and efforts. This transaction shall have a linking with Sales Order. Stock balance shall be reduced on recording of this transaction.

• Billing - This is a transaction of raising an invoice against the delivery of material to customer. This transaction shall have a linking with Material Delivery and all the details shall be copied from it. Stock balance shall not be affected again.

• Receipt from Customer - This is a transaction of receiving amount from customer against sales invoice and shall have a linking with sales invoice.

27. Write short note on Human Resource Module

• This module enhances the work process and data management within the HR department of enterprises. Human resource is the most valuable asset for an organization. Utilization of this resource in the most effective & efficient way is an important function for any organization.

• The most important objective of master data administration in Human Resources is to enter employee-related data for administrative, time-recording, and payroll purposes. This module maintains the total employee database including wages & attendance, preparing wage sheet for workmen, handling provident fund etc.

• The objectives of HR Management are:
  - To ensure minimal disputes,
  - To ensure the right utilization of manpower,
  - To keep status and track of employee’s efficiency, and
  - To keep track of leave records of all employees.

• It contains a skill database of all users with details of qualifications, training, experience, interests etc. for allocating manpower to the right activity at the time of need.

• It includes various functions such as Recruitment Management, Personnel Administration, Training Management, Attendance Management, Payroll Management, Promotion Management.

28. Write short note on Production Planning (PP) Module

PP Module includes software designed specifically for production planning and management. This module also consists of master data, system configuration and transactions in order to accomplish the plan procedure for production. The PP module collaborates with master data, sales and operations planning, distribution resource planning, material requirements planning, product cost planning and so on while working towards production management in enterprises.

Process in Production Planning Module


29. Write short note on Material Management (MM) Module

• MM Module manages materials required, processed and produced in enterprises. Different types of procurement processes are managed with this system.

• Various sub components of MM module are vendor master data, consumption based planning, purchasing, inventory management, invoice verification and so on.

• It also deals with movement of materials via other modules like logistics, Supply Chain Management, sales and delivery, warehouse management, production and planning.

Process showing Overall Purchase Process

30. Explain purchase process under MM Module

• Purchase Requisition from Production Department - Production department sends a request to purchase department for purchase of raw material required for production.

• Evaluation of Requisition - Purchase department shall evaluate the requisition with the current stock position and purchase order pending position and shall decide about accepting or rejecting the requisition.

• Asking for Quotation - If requisition is accepted, quotations shall be asked from approved vendors for purchase of material.

• Evaluation of Quotations - Quotations received shall be evaluated and compared.

• Purchase Order - Purchase order will be prepared by the purchase department of the organization after evaluation of various quotations and sent to vendors, stating details about the product it is willing to buy such as description, quantity, rate, delivery due date etc.

• Material Receipt - This is a transaction of receipt of material against purchase order. This is commonly known as Material Receipt Note (MRN) or Goods Receipt Note (GRN). This transaction shall have a linking with Purchase Order. Stock is increased after recording of this transaction.

• Issue of Material - Material received by stores shall be issued to production department as per requirement.

• Purchase Invoice - This is a financial transaction. Trial balance is affected due to this transaction. Material Receipt transaction does not affect trial balance. This transaction shall have a linking with Material Receipt Transaction and all the details of material received shall be copied automatically in purchase invoice. As stock is increased in Material Receipt transaction, it will not be increased again after recording of purchase invoice.

• Payment to Vendor - Payment shall be made to vendor based on purchase invoice recorded earlier. Payment transaction shall have a linking with purchase invoice.
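The document linking described above can be modelled in a few lines. This is an added example, not part of the original notes: the class name, account names (Purchases, Vendor, Bank) and document numbers are assumptions, as are the two extra checks that a receipt cannot exceed the ordered quantity and that a receipt or invoice cannot be used twice.

```python
class LinkError(Exception):
    """A document was recorded without a valid link to its predecessor."""


class PurchaseBooks:
    """Toy model of PO -> Material Receipt -> Purchase Invoice -> Payment."""

    def __init__(self):
        self.stock = {}          # stock item -> quantity on hand
        self.trial_balance = {}  # account -> balance (debit +, credit -)
        self.orders = {}
        self.receipts = {}
        self.invoices = {}

    def _post(self, account, amount):
        self.trial_balance[account] = self.trial_balance.get(account, 0) + amount

    def purchase_order(self, po_no, item, qty, rate):
        self.orders[po_no] = {"item": item, "qty": qty, "rate": rate, "received": 0}

    def material_receipt(self, grn_no, po_no, qty):
        # Must link to a Purchase Order; this is the only step that raises stock.
        po = self.orders.get(po_no)
        if po is None:
            raise LinkError(f"{grn_no}: no purchase order {po_no}")
        if po["received"] + qty > po["qty"]:  # assumed control, not in the notes
            raise LinkError(f"{grn_no}: receipt exceeds quantity ordered on {po_no}")
        po["received"] += qty
        self.stock[po["item"]] = self.stock.get(po["item"], 0) + qty
        # Details are copied from the order so the invoice can copy them later.
        self.receipts[grn_no] = {"item": po["item"], "qty": qty,
                                 "rate": po["rate"], "invoiced": False}

    def purchase_invoice(self, inv_no, grn_no):
        # Financial transaction: affects trial balance, never touches stock.
        grn = self.receipts.get(grn_no)
        if grn is None:
            raise LinkError(f"{inv_no}: no material receipt {grn_no}")
        if grn["invoiced"]:  # assumed control, not in the notes
            raise LinkError(f"{inv_no}: {grn_no} is already invoiced")
        grn["invoiced"] = True
        amount = grn["qty"] * grn["rate"]
        self._post("Purchases", amount)   # debit
        self._post("Vendor", -amount)     # credit: liability to the vendor
        self.invoices[inv_no] = {"amount": amount, "paid": False}
        return amount

    def payment(self, pay_no, inv_no):
        # Must link to a recorded, unpaid purchase invoice.
        inv = self.invoices.get(inv_no)
        if inv is None or inv["paid"]:
            raise LinkError(f"{pay_no}: no unpaid purchase invoice {inv_no}")
        inv["paid"] = True
        self._post("Vendor", inv["amount"])   # debit: liability cleared
        self._post("Bank", -inv["amount"])    # credit
        return inv["amount"]


if __name__ == "__main__":
    books = PurchaseBooks()
    books.purchase_order("PO-1", "Steel", qty=100, rate=50)   # constructed data
    books.material_receipt("GRN-1", "PO-1", 100)
    print("after receipt :", books.stock, books.trial_balance)
    books.purchase_invoice("INV-1", "GRN-1")
    print("after invoice :", books.stock, books.trial_balance)
    books.payment("PAY-1", "INV-1")
    print("after payment :", books.stock, books.trial_balance)
```
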

31. Write short note on Quality Management (QM) Module.

Quality Management Module helps in management of quality in productions across processes in an organization. It helps an organization to accelerate their business by adopting a structured and functional way of managing quality in different processes. It has various sub components such as collaboration in procurement and sales, production, planning, inspection, notification, control, audit management and so on.

Fig.: Process in Quality Management Module (stages shown: Plan Quality, Perform Quality Assurance, Perform Quality Control, Perform Integrated Change Control, Direct & Manage Project Execution; flows shown: Quality Management Plan, Quality Check List, Quality Metrics, Work Performance Information, Deliverables, Approved Change Requests, Quality Control Measurements, Change Requests)

32. Explain Quality Management process under QM Module

Quality Management Process includes the following:
• Master data and standards are set for quality management;
• Set Quality Targets to be met;
• Quality management plan is prepared;
• Define how those quality targets will be measured;
• Take the actions needed to measure quality;
• Identify quality issues and improvements and changes to be made;
• In case any change is needed in the product, change requests are sent;
• Report on the overall level of quality achieved; and
• Quality is checked at multiple points, e.g. inwards of goods at warehouse, manufacturing, procurement, returns.

33. Write short note on Plant Maintenance (PM) Module.

This is a functional module which handles the maintaining of equipment and enables efficient planning of production and generation schedules. Plant Maintenance (PM) application component provides you with a comprehensive software solution for all maintenance activities that are performed within a company. It supports cost-efficient maintenance methods, such as risk-based maintenance or preventive maintenance, and provides comprehensive outage planning and powerful work order management.

Process in Plant Maintenance

34. Write short note on Project Systems Module.

This is an integrated project management tool used for planning and managing projects. It has several tools that enable project management process such as cost and planning budget, scheduling, requisitioning of materials and services.

Fig.: Process in Project Systems (stages shown: Project Request, Create Templates, Create Project, Project Planning, Budgeting and Release, Project Implementation, Project Completion)

35. Write short note on Supply Chain Module.

It is a cross-functional system used to provide information about the movement of raw materials from the supplier’s place to the organization and the movement of finished goods from the organization’s place to the customer’s place. It provides tracking of raw material, work in progress and finished goods.

It has various components such as logistics management, inventory management, production management, distribution management.

Process in Supply Chain

36. Write short note on Customer Relationship Management (CRM) Module.

• It provides information to management as to the customer requirement, customer account balance, payment details, types of products etc.

• Details on any customer contacts can also be stored in the system.

• It helps in managing company’s interaction with customers, managing customer relationships through marketing, customer service and technical support.

• It addresses customer’s issues and problems within a prescribed time in an efficient manner.

37. Explain various benefits of CRM Module.

Key benefits of a CRM module are as under.

• Improved customer relations:
  - It helps in obtaining better customer satisfaction. By using this strategy, all dealings involving servicing, marketing, and selling your products to your customers can be carried out in an organized and systematic way.
  - It also helps in understanding all queries and complaints of customers & provides instant better solution and this in turn helps in increasing customer loyalty. In this way, you can also receive continuous feedback from your customers regarding your products and services.

• Increase customer revenues: It helps in increasing the revenue of the company by doing effective marketing campaigns on the basis of customer data collected. It ensures that the product promotions reach a different and brand new set of customers, and not only existing ones who had already purchased the product, and thus effectively increases customer revenue.

• Maximize up-selling and cross-selling: A CRM system allows up-selling, which is the practice of giving customers premium products that fall in the same category as their purchase. The strategy also facilitates cross-selling, which is the practice of offering complementary products to customers, based on their previous purchases. This is done by interacting with the customers and getting an idea about their wants, needs, and patterns of purchase. The details thus obtained will be stored in a central database, which is accessible to all company executives.

• Better internal communication: It helps in building up better communication within the company. The sharing of customer data between different departments will enable them to work as a team. This is better than functioning as an isolated entity, as it will help in increasing the company’s profitability and enabling better service to customers.

• Optimize marketing: It helps in understanding customer needs and behavior, thereby allowing the organization to identify the correct time to market its product to the customers. CRM will also give you an idea about the most profitable customer groups so that they can be targeted at the right time. In this way, the organization will be able to optimize marketing resources efficiently and avoid wasting time and resources on less profitable customer groups.

38. Explain various Inventory Accounting concepts

Inventory stands for list of stock items intended for trading or consumption. It includes raw material, work in process, finished goods and consumables. All the transactions involving inventory are covered in this module.

Inventory Accounting Concepts

| S.No. | Concept | Description |
|---|---|---|
| 1 | Stock Item | Item of stock intended for sale / consumption in normal course of business. E.g. for a person dealing in white goods, TV, Fridge, Air Conditioner, Cooler, Heater shall be inventory for him. |
| 2 | Stock Group | Group used for reporting of similar stock items, e.g. all televisions of different sizes of one brand are placed under one group for reporting purpose. |
| 3 | Godown | Just like physical godown, this is an electronic place for storing stock items in the software. |
| 4 | Unit of measure | A unit for measuring movement of stock items, e.g. kilogram, litre, meter, numbers, dozens, boxes, pieces, pairs, etc. Units of measure are attached to stock items and not stock groups. Normally a unit of measure once set cannot be altered after recording of transactions in a stock item. |
| 5 | Re-order Level | It is the level of stock set for placing an order for purchase. If stock balance for a stock item touches this level, order for purchase of goods is to be placed. |
| 6 | Price Levels | It is a pre-decided rate structure for different stock items for different customers for different quantities. E.g. we may have three different types of customers as Wholesale, Retail and Government. Three different selling rates may be applied for these three different types of customers. Also, there may be a different rate structure depending on the quantity purchased. |
| 7 | Stock Ageing | Identifying age of stock items and arranging them as per their age. This is necessary as “Old is Gold” hardly works in Inventory Management in today’s ever changing world. As the age of a stock item increases, it becomes increasingly difficult to sell it and the possibility of loss increases day by day. |
| 8 | Cost Tracking | To arrive at the correct value of closing stock and to obtain correct data for management decisions, all the costs associated with procurement of inventory must be tracked and added to inventory costs. E.g. purchase cost is recorded through purchase transactions. But costs like loading / unloading, transportation, insurance, etc. paid separately are not recorded in purchase voucher and hence need to be added to cost of stock items separately. This is possible with cost tracking. |
| 9 | Batch | This concept is used in manufacturing of goods. Every batch of production is given a unique number as a batch number. At the time of checking stock balance, batch wise stock is identified and separated for handling purpose. At the time of all movement of goods, stock is updated along with batch. This is again used for knowing balance for old and new batches. |
| 10 | Expiry Dates | This is a concept associated with Batch. This is used for perishable goods, food items, medicines, etc. At the time of buying or manufacturing of such goods, expiry date is set. Based on this already set expiry date, position of “expired stock” and “about to expire stock” is displayed. This information is useful to management for taking inventory related decisions. |

Integration with Other Modules

Any ERP System is like the human body. There are different units and each unit relates to other units. All the units must work in harmony with other units to generate the desired result.

39. Explain important points for integration of modules with Financial & Accounting System

Following points are important for integration of modules with Financial & Accounting System:
• Master data across all the modules must be same and must be shared with other modules wherever required.
• Common transaction data must be shared with other modules wherever required.
• Separate voucher types to be used for each module for easy identification of department recording it.
• Figures and transactions may flow across the departments, e.g. closing stock value is taken to Trading Account as well as Balance Sheet. Closing stock quantity is required by Purchase Department, Stores Department, Accounts Department, Production Department etc. Hence, it is necessary to design the system accordingly.

40. Explain important points for integration with other modules

Some of the points where integration with other modules is required are discussed here.

(i) Material Management Integration with Finance & Controlling (FICO)
It is integrated in areas like Material Valuation, Vendor payments, Material costing etc. Whenever any inventory posting is done, it updates the G/L accounts online in the background. Logistics invoice verification will create vendor liability in vendor account immediately on posting the document. Any advance given against the purchase order updates the Purchase Order history. For every inventory posting there is a corresponding Controlling document to update profit center accounting reporting.

(ii) Human Resource Module Integration with Finance & Controlling
Attendance and leave record is used for calculation of salary on monthly basis. Salary is also a part of financial accounting. Hence salary processed and calculated by Human Resource Module shall be integrated with Finance & Controlling Module.

(iii) Material Management Integration with Production Planning (PP)
It is integrated in areas like Material Requirement Planning, Receipts/issues against production orders, Availability check for stocks etc. Material Requirement Planning is based on stocks, expected receipts and expected issues. It generates planned orders or purchase requisitions which can be converted to purchase orders/contracts. Inventory Management is responsible for staging of the components required for production orders. The receipt of the finished products in the Warehouse is posted in Inventory Management.

(iv) Material Management Integration with Sales & Distribution (SD)
It is integrated in areas like Delivery, Availability Check, Stock transfer requirements etc. As soon as a sales order is created, it can initiate a dynamic availability check of stocks on hand. When the delivery is created, the quantity to be delivered is marked as “Scheduled for delivery”. It is deducted from the total stock when the goods issue is posted. Purchase order can be directly converted to delivery for a stock transfer requirement.

(v) Material Management Integration with Quality Management (QM)
It is integrated with QM for Quality inspection at Goods Receipt, In-process inspection etc. In the case of a goods movement, the system determines whether the material is subject to an inspection operation. If so, a corresponding activity is initiated for the movement in the Quality Management system. Based on quality parameters, vendor evaluation is done.

(vi) Material Management Integration with Plant Maintenance (PM)
The material/service requirement is mentioned in the Maintenance order. This leads to generation of a Purchase Requisition (PR). This PR will be converted to a Purchase Order (PO) by MM. The goods for a PO will be inwarded to Maintenance by MM. The spares which were reserved for the maintenance order will be issued by MM against the reservation number.


MANAGEMENT INFORMATION SYSTEMS (MIS)

41. Explain Management Information System (MIS)

• It is a system which provides accurate, timely and meaningful data to managers for decision making.

• MIS systems automatically collect data from various areas within a business. These systems can produce daily reports that can be sent to key members throughout the organization.

• Most MIS systems can also generate on-demand reports. On-demand MIS reports allow managers and other users of the system to generate an MIS report whenever they need it.

• It provides various types of sales reports i.e. month wise, quarter wise etc.

• It is a user friendly system.

42. Explain various benefits / criteria of MIS

• Relevant - MIS reports need to be specific to the business area they address. This is important because a report that includes unnecessary information might be ignored.

• Timely - It provides information to the manager as and when it is required by him. An example of timely information for your report might be customer phone calls and emails going back 12 months from the current date.

• Accurate - It should provide accurate information to the manager. Managers and others who rely on MIS reports can’t make sound decisions with information that is wrong. Financial information is often required to be accurate to the decimal. In other cases, it may be OK to round off numbers.

• Structured - Information in an MIS report can be complicated. Making that information easy to follow helps management understand what the report is saying. Try to break long passages of information into more readable blocks or chunks and give these chunks meaningful headings.

DATA ANALYTICS AND BUSINESS INTELLIGENCE

Data Analytics is the process of examining data sets to draw conclusions about the information they contain, increasingly with the aid of specialized systems and software. Data analytics technologies and techniques are widely used in commercial industries to enable organizations to make more-informed business decisions and by scientists and researchers to verify or disprove scientific models, theories and hypotheses.


43. Explain Business Intelligence (BI)

• BI in simple words refers to the process of collecting and refining information from many sources, analyzing and presenting the information in useful ways so that users can make better business decisions.

• Business Intelligence (BI) is a set of theories, methodologies, architectures, and technologies that transform raw data into meaningful and useful information for business purposes.

• BI has been made possible because of advances in a number of technologies, such as computing power, data storage, computational analytics, reporting and networking.

• From the perspective of decision making, BI uses data about yesterday and today to facilitate making better decisions about tomorrow.

• This is done through arranging information in a manner that best provides insights into the future, thus making the enterprise work smarter.

• BI enables managers to see things with more clarity, and empowers them to peek into the possible future.

Fig. showing example of Business Intelligence use.


Example of Business Intelligence

Business Intelligence uses data from different sources and helps to find answers to various questions as shown on right hand side of above image.

BI data can include historical information, as well as new data gathered from source systems as it is generated, enabling BI analysis to support both strategic and tactical decision-making processes. Initially, BI tools were primarily used by data analysts and other IT professionals who ran analyses and produced reports with query results for business users. Increasingly, however, business executives and workers are using BI software themselves, thanks partly to the development of self-service BI and data discovery tools.

BUSINESS REPORTING AND FUNDAMENTALS OF XBRL

44. What is business reporting and why is it important?

Business Reporting or Enterprise Reporting is the public reporting of operating and financial data by a business enterprise, or the regular provision of information to decision-makers within an organization to support them in their work.

Reporting is a fundamental part of the larger movement towards improved business intelligence and knowledge management. Often implementation involves Extract, Transform, and Load (ETL) procedures in coordination with a data warehouse and then using one or more reporting tools. While reports can be distributed in print form or via email, they are typically accessed via a corporate intranet.

Organizations conduct a wide range of reporting, including financial and regulatory reporting; Environmental, Social, and Governance (ESG) reporting (or sustainability reporting); and, increasingly, integrated reporting.

Organizations communicate with their stakeholders about:
• mission, vision, objectives, and strategy;
• governance arrangements and risk management;
• financial, social, and environmental performance (how they have fared against their objectives in practice).

Importance of Business Reporting
• Effective and transparent business reporting allows organizations to present a detailed explanation of their business and helps them engage with internal and external stakeholders, including customers, employees, shareholders, creditors, and regulators.
• It helps stakeholders to assess organizational performance and make informed decisions with respect to an organization’s capacity to create and preserve value.
• As organizations fully depend on their stakeholders for sustainable success, it is in their interest to provide them with high-quality reports. For example, effective high-quality reporting reduces the risk for lenders and may lower the cost of capital.
• High-quality reports also promote better internal decision-making.
• High-quality information is integral to the successful management of the business, and is one of the major drivers of sustainable organizational success.

45. Explain XBRL

• XBRL (eXtensible Business Reporting Language) is a freely available and global standard for exchanging business information.

• XBRL is used by Government, companies, regulators, Accountants and Investors.

• One use of XBRL is to define and exchange financial information, such as a financial statement.

• XBRL provides a language in which reporting terms can be used to uniquely represent the contents of financial statements or other kinds of compliance, performance and business reports. XBRL lets reporting information move between organizations rapidly, accurately and digitally.

• XBRL makes reporting more accurate and more efficient.


46. What is XBRL tagging?

XBRL Tagging is the process by which any financial data is tagged with the most appropriate element in an accounting taxonomy (a dictionary of accounting terms) that best represents the data, in addition to tags that facilitate identification/classification (such as enterprise, reporting period, reporting currency, unit of measurement etc.). Since all XBRL reports use the same taxonomy, numbers associated with the same element are comparable irrespective of how they are described by those releasing the financial statements.

Comprehensive definitions and accurate data tags allow preparation, validation, publication, exchange, consumption and analysis of business information of all kinds. Information in reports prepared using the XBRL standard is interchangeable between different information systems in entirely different organizations. This allows for the exchange of business information across a reporting chain. People that want to report information, share information, publish performance information and allow straight-through information processing all rely on XBRL.

47. What is the basic purpose of XBRL? Discuss its important features as well.

XBRL is used in many ways, for many different purposes, including by:

(i) Regulators
· Financial regulators that need significant amounts of complex performance and risk information about the institutions that they regulate.
· Securities regulators and stock exchanges that need to analyze the performance and compliance of listed companies and securities, and need to ensure that this information is available to markets to consume and analyze.
· Business registrars that need to receive and make publicly available a range of corporate data about private and public companies, including annual financial statements.
· Tax authorities that need financial statements and other compliance information from companies to process and review their corporate tax affairs.

(ii) Companies
· Companies that need to provide information to one or more of the regulators mentioned above.
· Enterprises that need to accurately move information around within a complex group.


(iii) Governments
· Government agencies that are simplifying the process of businesses reporting to government.
· Government agencies that are improving government reporting by standardizing the way that consolidated or transactional reports are prepared and used within government agencies and/or published into the public domain.

(iv) Data Providers
· Specialist data providers that use performance and risk information published into the market place and create comparisons, ratings and other value-added information products for other market participants.

(v) Analysts and Investors
· Analysts that need to understand relative risk and performance.
· Investors that need to compare potential investments and understand the underlying performance of existing investments.

(vi) Accountants
· Accountants use XBRL in support of clients' reporting requirements and are often involved in the preparation of XBRL reports.

Important features of XBRL

· Clear Definitions: XBRL allows the creation of reusable, authoritative definitions, called taxonomies, that capture the meaning contained in all the reporting terms used in a business report, as well as the relationships between all of the terms.
· Testable Business Rules: XBRL allows the creation of business rules that constrain what can be reported. Business rules can be logical or mathematical, or both, and can be used, for example, to:
  o stop poor quality information being sent to a regulator or third party, by being run by the preparer while the report is in draft;
  o flag or highlight questionable information, allowing prompt follow-up, correction or explanation;
  o create ratios, aggregations and other kinds of value-added information, based on the fundamental data provided.
· Multi-lingual Support: XBRL allows concept definitions to be prepared in as many languages as necessary. Translations of definitions can also be added by third parties. This means that it’s possible to display a range of reports in a different language to the one that they were prepared in, without any additional work.
· Strong Software Support: XBRL is supported by a very wide range of software from vendors large and small, allowing a very wide range of stakeholders to work with the standard.
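The tagging and testable-business-rule ideas above, shown as an added example that is not part of the original notes. It is a simplified Python model, not real XBRL syntax or an XBRL library; the element names, the `Fact` class, `check_report`, the entity `ExampleCo` and all figures are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal

# Constructed mini-taxonomy (the "dictionary of accounting terms").
# Element names are illustrative, not taken from any published taxonomy.
TAXONOMY = {"Assets", "Liabilities", "Equity", "Revenue", "ProfitLoss"}


@dataclass(frozen=True)
class Fact:
    element: str    # taxonomy element the figure is tagged with
    entity: str     # identification tag: reporting enterprise
    period: str     # identification tag: reporting period
    unit: str       # identification tag: reporting currency
    value: Decimal


def check_report(facts, currency="INR"):
    """Run a draft report through the rules before it is filed.

    Returns (errors, warnings, derived): errors should block submission,
    warnings need follow-up or explanation, derived holds computed ratios.
    """
    errors, warnings, derived = [], [], {}
    contexts = {}  # (entity, period) -> {element: value}

    # Logical rules applied to each tagged fact.
    for f in facts:
        if f.element not in TAXONOMY:
            errors.append(f"{f.element}: not an element of the taxonomy")
        elif f.unit != currency:
            errors.append(f"{f.element} {f.period}: unit {f.unit}, expected {currency}")
        else:
            values = contexts.setdefault((f.entity, f.period), {})
            if values.get(f.element, f.value) != f.value:
                errors.append(f"{f.element} {f.period}: conflicting values reported")
            values[f.element] = f.value

    for (entity, period), v in contexts.items():
        # Mathematical rule: the balance sheet must balance.
        if v.keys() >= {"Assets", "Liabilities", "Equity"}:
            if v["Assets"] != v["Liabilities"] + v["Equity"]:
                errors.append(f"{entity} {period}: Assets != Liabilities + Equity")
        # Value-added information: profit margin derived from the base facts.
        if v.keys() >= {"Revenue", "ProfitLoss"} and v["Revenue"] > 0:
            margin = (v["ProfitLoss"] / v["Revenue"]).quantize(Decimal("0.0001"))
            derived[(entity, period, "ProfitMargin")] = margin
            # Questionable rather than impossible: flag it, do not reject it.
            if margin > 1:
                warnings.append(f"{entity} {period}: profit exceeds revenue")
    return errors, warnings, derived


def fact(element, value, period="FY2023-24", unit="INR"):
    """Helper for building the constructed sample facts below."""
    return Fact(element, "ExampleCo", period, unit, Decimal(value))


# Constructed draft report with deliberate defects.
DRAFT = [
    fact("Assets", "1000"), fact("Liabilities", "600"), fact("Equity", "350"),
    fact("Revenue", "500"), fact("ProfitLoss", "520"),
    fact("Goodwil", "10"),                                    # mistyped element
    fact("Revenue", "400", period="FY2022-23", unit="USD"),   # wrong currency
]

# The same report after the preparer has corrected it.
CORRECTED = [
    fact("Assets", "1000"), fact("Liabilities", "600"), fact("Equity", "400"),
    fact("Revenue", "500"), fact("ProfitLoss", "75"),
]

if __name__ == "__main__":
    for name, report in (("draft", DRAFT), ("corrected", CORRECTED)):
        errors, warnings, derived = check_report(report)
        print(name, "| errors:", errors, "| warnings:", warnings, "| derived:", derived)
```

Because every figure carries the same element name and the same identification tags, the receiving system can rerun these checks itself instead of trusting that the preparer did.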


APPLICABLE REGULATORY & COMPLIANCE REQUIREMENTS

What is Regulatory Compliance?

In general, Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory Compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.

Regulatory compliance is an organization’s adherence to laws, regulations, guidelines and specifications relevant to its business. Violations of regulatory compliance regulations often result in legal punishment, including interest, penalty and prosecution in some cases.

By and large we can classify the compliance and regulatory requirements in two types as under.
a. General - Applicable to all irrespective of anything.
b. Specific - Applicable to specific type of businesses only.

E.g. Income Tax compliance is applicable to all subject to basic exemption limit. But compliance regarding GST, Labour Law, Company Law, etc. is applicable to specific types of businesses / entities only.

Regulatory Compliance and Accounting Systems

Regulatory compliance and accounting systems are closely connected with each other. Most regulatory compliance requires accounting data, and accounting data comes from accounting systems. E.g. Income tax returns are prepared based on accounting data only. There may be two approaches for making compliances requiring accounting data.
a. Using same software for accounting and tax compliance; and
b. Using different software for accounting and tax compliance.

Software is needed for tax compliances as almost all the tax compliance today is through electronic mode only. If separate software is used for accounting and tax compliance, we need to put data in tax compliance software either manually or electronically. There are some pros and cons of both the approaches as discussed in the Table.

48. What are the pros and cons of having single software for accounting and tax compliance?

Pros and Cons of having single software for Accounting and Tax Compliance

| S.No. | Particulars | Accounting & Tax Compliance Software | Only Tax Compliance Software |
|---|---|---|---|
| 1 | Ease of software operation | Less - as this is an integrated system of accounting and tax compliance, everything is connected with each other and making changes at one place may affect other aspects also. | More - as this is used only for one single purpose, i.e. tax compliance, it is less complicated and bound to be easy. |
| 2 | Features and facilities | Less - as this system is not an exclusive system for tax compliance, it may have limited features for tax compliance. | More - as this is an exclusive and specifically designed system for tax compliance, naturally more features and facilities shall exist in this system. |
| 3 | Time and efforts required | Less - as this is an integrated system, time required to transfer data to compliance software is zero. | More - as this is a separate software, data from accounting software needs to be put into it for preparation of returns. This may take extra time and efforts. |
| 4 | Accuracy | More - as this is an integrated system, accounting data and tax compliance data shall always be the same. No need to transfer data to compliance software and reconcile the data. | Less - as there are two separate systems, reconciliation with accounting data is needed; possibility of mismatch of data is always there. |
| 5 | Cost | More - if tax compliance feature is not available in accounting system, getting it customized may require some amount of cost which may be higher than buying separate software. | Less - as this is specific purpose software, there shall be less complications and the cost also shall be less. |


CHAPTER 3 INFORMATION SYSTEMS & ITS COMPONENTS


Section 1: Information Systems Components

1. What is an Information System?

Data:
· Data is a raw fact and can take the form of a number or statement, such as a date or a measurement, which has no meaning.

Information:
· Processed data is known as information.
· Information is organized and compiled data that has some value to the receiver, or information is data that has been transformed into a meaningful and useful form for a specific purpose.

System:
· The system is a set of mutually related, coordinated elements or components that operate together to accomplish common objectives by taking inputs and producing outputs in an organized manner.

Information System:
· It is a combination of people, hardware, software, communication devices, network and data resources that processes data and generates information for a specific purpose.
· In other words, Information System is a set of interrelated components working together to collect, retrieve, process, store and disseminate (distribute) information for the purpose of achieving objectives such as planning, coordination, analysis and decision making.

Five activities of Generic System:

· Input - is the data flowing into the system from outside
· Processing - is converting the input into useful form
· Output - is the information flowing out of a system
· Storage - is the means of holding information for use at a later date
· Feedback - occurs when the outcome has an influence on the input.

2. What are the Characteristics of information system / computer based information system?

· All systems work for predetermined objectives & the system is designed & developed accordingly.


· Systems have a number of interrelated & interdependent sub-systems. No sub-system can function in isolation. It depends on other sub-systems for inputs.
· If one sub-system / component fails, in most of the cases the whole system doesn’t work.
· The way a sub-system works with other sub-systems is called interaction. The different sub-systems interact with each other to achieve the goals of the system.
· The work done by individual sub-systems is integrated to achieve the central goal of the system.

3. Explain the components of Information System (PM)

· Information System is a set of interrelated components working together to collect, retrieve, process, store and disseminate (distribute) information for the purpose of achieving objectives such as planning, coordination, analysis and decision making.
· The main purpose of Information system is to convert the data into information which is useful and meaningful.
· An Information system [IS] consists of four basic concepts/components/basic resources:
§ People: Human resources consist of end users and IT specialists.
§ Hardware: Hardware involves machines and media.
§ Software: Software resources consist of programs and procedures.
§ Data: Data resources include data, model, and knowledge base.
§ Network & communication system: Network means communication media and includes Internet, Intranet and Extranet.
· All components of information systems are mutually connected and cannot exist individually.

4. What is meant by Hardware?

· Hardware is the tangible portion / physical component of computer systems which a user can touch and see.
· It basically consists of devices that perform the functions of input, processing, data storage and output activities of the computer.
· Hardware consists of Input devices, Processing devices, data storage devices and output devices.


5. Explain briefly about Input devices and processing devices (Central Processing Unit)?

Input devices:
· Are devices through which we interact with the systems
· i.e. Input devices are used for providing data and instructions to computer.
· They include devices like Keyboard, Mouse and other pointing devices, Scanners & Bar code, Webcams, and Microphone.
§ Keyboard helps to provide text based input.
§ Mouse helps to provide menu or selection based input.
§ Scanners & Webcams help to provide image based input.
§ Microphone helps to provide voice based input.

Processing devices:
Central Processing Unit (CPU):
· It is like the brain / heart of the computer.
· The CPU is built on a small chip of silicon and it can contain several million transistors.
· The main function of CPU or Processor is to interpret and execute Programs stored in memory and to coordinate the other hardware devices.
· It consists of three functional units:
§ Control Unit (CU): CU controls the flow of data and instruction to and from memory, interprets the instruction and controls which tasks to execute and when.
§ Arithmetic and Logical Unit (ALU): Performs arithmetic operations such as addition, subtraction, multiplication, and logical operations such as AND, OR, NOT and comparison operations such as Equal to, Greater than, Less than, etc.
§ Registers: These are high speed memory / storage units within CPU for storing small amount of data (mostly 32 or 64 bits). Registers are used as work area for temporary storage of instructions and data during the operations of the Control Unit and the Arithmetic and Logical Unit.

Registers could be:


· Accumulators: They store the intermediate results of a processing or can keep running totals of arithmetic values.
· Address Registers: They can store memory addresses which tell the CPU as to where in the memory an instruction is located.
· Storage Registers: They can temporarily store data that is being sent to or coming from the system memory.
· Miscellaneous: These are used for several functions for general purpose.

(Q: What is CPU. What are the three functional units of CPU) (PM)

6. Explain briefly about Memory concept? Explain about data storage devices.

As the name indicates, this type of device refers to the memory where data and programs are stored. Various types of memory techniques/devices are given as follows:

A. Internal memory:

(i) Registers: Registers are internal memory within CPU, which are very fast and very small.

(ii) Cache Memory:
· Cache can be used in order to bridge the speed differences between Registers and Primary memory (RAM).
· It is a smaller, faster memory, which stores copies of the data from the most frequently used main memory locations so that Processor / Registers can access it more rapidly than from main memory.

B. Primary Memory: These are devices in which any location can be accessed in any order (in contrast with sequential order) i.e. randomly. These are primarily of two types:

(i) Random Access Memory (RAM):
· This is Read Write memory.
· Information can be read as well as modified (i.e. write).
· Volatile in nature means Information is lost as soon as power is turned off.
· RAM is an expandable memory i.e. we can expand the size of RAM.

(ii) Read Only Memory (ROM):
· This is non-volatile in nature (content remains even in absence of power).
· Information can be read, not modified.
· Generally used by manufacturers to store data & Programmes like startup program and configuration of computer.


· ROM is provided by manufacturer on motherboard and generally it is not expandable memory.

C. Virtual Memory:

· Virtual Memory is not an actual Memory, it’s an imaginary memory. It is a memory technique which helps to execute big size programs with small size available RAM.
· If a computer lacks the RAM needed to run a Program or operation, Windows uses virtual memory to compensate.
· Virtual memory combines computer's RAM with temporary space on the hard disk. When RAM runs low, virtual memory moves data from RAM to a space called a paging file or segmentation on hard disk.
· Moving data to and from the paging file frees up RAM to complete its work.
· Thus, Virtual memory is an allocation of hard disk space to help RAM.

(Q. Difference between cache memory and virtual memory Nov 15)

D. Secondary Memory:

· Primary memory storage capacity is limited, expensive and volatile. Hence, it is necessary to have secondary storage to hold data and Programmes permanently.
· These memories are known as secondary storage because these memories are not directly accessible by CPU. Data in these memories are transferred through RAM or primary memory.
· Some of the commonly used secondary storage devices are – magnetic tape drives, magnetic disk drives (Hard disks, floppy disks, etc.), optical disk drives (CDs, DVDs, Blu-ray disks etc.)

Characteristics of secondary storage devices:

a) Non volatile: Content can be stored permanently.
b) Large capacity: These are available in large size ex: Hard disk
c) Low cost: The cost of this type of memory is lower compared to register or RAM.
d) Slow speed: Slower in speed compared to registers or RAM.

7. Explain output devices.

· Computers provide output to decision makers at all levels of an enterprise to solve business problems.
· The desired output may be text, graphics or video information. Output devices can be used to view the output in Hard copy form and Softcopy form.
· Output devices are devices through which system responds.
· Various types of Output Devices are:
§ Textual output comprises of characters that are used to create words, sentences, and paragraphs.


§ Graphical outputs are digital representations of non-text information such as drawings, charts, photographs, and animation.
§ Tactile output such as raised line drawings may be useful for some individuals who are blind.
§ Audio output is any music, speech, or any other sound.
§ Video output consists of images played back at speeds to provide the appearance of full motion.
· Examples of output devices: Screen, Printer, Speaker etc.

8. Define the term Software. Write about different types of Software.

· Software is a programme or a set of programs.

· It is used to describe the instructions that tell the hardware how to perform a task. Without software, hardware cannot do any work.

There are basically two types of software:
1. Operating system software
2. Application software

9. Write about Operating System Software in detail.

· O/S is a set of computer Programs that manages computer hardware resources and acts as an interface with computer application Programmes.
· Application programs usually require an operating system to function, which provides a convenient environment to users for executing their programs.
· Some prominent Operating Systems in use nowadays are Windows 7, Windows 8, Linux, Unix etc.

A variety of activities are executed by Operating Systems which include:

· Managing hardware functions: O/S helps in performing hardware tasks such as obtaining inputs from keyboards and mouse, access of data from hard disk & display of outputs on monitor. It acts as an intermediary between the application program and the hardware.
· User Interfaces: O/S provides a user interface for working on a computer. In earlier days Command User Interfaces (CUI) were widely used, but today most of the O/S’s are Graphic User Interface (GUI) which uses icons & menus for executing activities on a computer in a user friendly manner. So, how we interface with our system will be provided by O/S.
· Memory Management: Allow controlling how memory is accessed and maximize available memory & storage. OS also provides Virtual Memory by improving the capacity of RAM. (Nov 16)
· Task Management: O/S can execute many tasks simultaneously and it maintains track of resources used by multiple jobs / tasks being executed simultaneously. In case of multitasking, O/S helps in allocating resources to make optimum utilization of resources. This facilitates a user to work with more than one application at a time.
· Networking Capability: O/S provides many features & capabilities to help connect computer networks. Like Linux & Windows 8 give us an excellent capability to connect to internet.


· Logical access security: It provides logical security by establishing a procedure for identification & authentication using a User ID and Password. It can log the user access thereby providing security control.
· File management: O/S does efficient file management by allowing users to give appropriate name to file and provide folders or directories for file management. It keeps a track of where each file is stored and who can access it.

(Q: What is operating system and various activities performed by O/S) (PM)

10. Define the term Application Software? Mention briefly the different types of application software. (PM) (Nov 15)

Software which is used to perform a specific task is called Application Software. It helps users to solve real life problems such as banking, stock trading etc.

The different types of application software are:

· Application Suite: Has multiple applications bundled together. Related functions, features and user interfaces interact with each other. E.g. MS Office 2010 which has MS Word, MS Excel, MS Access, etc.
· Enterprise Software: This type of software helps to manage enterprise’s resources in an integrated manner. E.g. ERP Applications like SAP.
· Enterprise Infrastructure Software: Provides capabilities required to support enterprise software systems. E.g.: email servers, Security software.
· Information Worker Software: Addresses individual needs required to manage and create information. E.g. Spreadsheets, CAAT (Computer Assisted Audit Tools), etc.
· Content Access Software: Used to access and publish the digital and multimedia content. E.g. Media Players, Adobe Digital etc.
· Educational Software: Holds contents adopted for use by students. E.g. Examination Test CDs
· Media Development Software: Addresses individual needs to generate and print electronic media for others to consume. E.g. Desktop Publishing, Video Editing etc.

11. Explain the advantages and disadvantages of Application software.

Benefits of Application Software:
· Addressing User needs: The main advantage is that it meets the exact needs of the user since it is designed specifically with one purpose / specific purpose in mind.
· Less threat from virus: The threat of viruses invading custom-made applications is very small, since any business that incorporates it can restrict access and can come up with means to protect their network as well.


· Regular updates: Licensed application software gets regular updates from the developer for security reasons. Additionally, the developer also regularly sends personnel to correct any problems that may arise from time to time.

Disadvantages:
· Development is costly: Developing application software designed to meet specific purposes can prove to be quite costly for user / organization.
· Infection from Malware: If application software is used commonly by many people and shared online, it carries a highly real threat of infection by a computer virus or other malicious programs.

12. What are the major areas of computer based applications or Application areas of Computer based application

1. Inventory Management (Stores Management)
· The inventory management system is designed with a view to keeping track of materials in the stores.
· It is used to regulate the following aspects of inventory:
§ Maximum and minimum level of stocks
§ Raising alarm at danger level stock of any material
§ Give timely alerts for re-ordering of materials with optimal re-order quantity

2. Production (Manufacturing)
· The objective of this subsystem is to optimally deploy men, machines and materials to maximize production or service.
· The system generates production schedules and schedules of material requirements
· It monitors the product quality and also helps in overhead cost control and waste control.

3. Marketing and Sales
· The objective of this subsystem is to maximize sales and ensure customer satisfaction.
· The marketing system increases the chances of order procurement by facilitating the marketing of products of the company, and facilitating creating of new customers and advertising of products.
· The sales department may use the system to keep status and track of orders and generate bills for the orders executed and delivered to the customer.

4. Finance and Accounting
· The main goal of this system is to ensure financial viability of the organization, enforce financial discipline and plan and monitor the financial budget.
· It helps forecasting revenues, determining the best resources and uses of funds and managing other financial resources.

5. Human Resources Management


· Human resource is the most valuable asset for an organization. Utilization of this resource in most effective and efficient way is an important function for any enterprise. Human resource management system aims to achieve the goal of less disputes and right utilization of manpower.

13. Define the terms Database, Database Management System (DBMS).

Data is a very crucial resource for an organization, and for smooth functioning of the organization it is necessary that this data be managed very effectively. For organizations like Banks, Insurance companies, Stock exchanges etc., data is the key asset and any loss of data or mismanagement of data may result in economic and reputation losses.

Data: Data represents the facts and figures such as name, address, age, numbers etc.

A Database is a collection of related data.

DBMS: A DBMS is a collection of Programs that enables users to create and maintain a database and facilitates the processes of defining, constructing, and manipulating databases for various applications.

14. Explain the major objectives of the organization while using DBMS and operations performed by DBMS?

DBMS can be used to solve the following objectives.
· Know the information needs
· Acquiring the needed information
· Organizing the acquired information in a meaningful way
· Assuring information quality
· Providing software tools so that users in the enterprise can access information they require.

The following operations can be performed on Database.
· Adding new files to database
· Deleting existing files from database
· Inserting data in existing files
· Modifying data in existing files
· Deleting data in existing files
· Retrieving or querying data from existing files.

Commercially available Data Base Management Systems are Oracle, MySQL, SQL Server and DB2 etc.

15. Explain hierarchy of database

Hierarchy of Database:

· Database: This is a collection of Files.


· File: This is a collection of Records.
· Record: This is a collection of Fields.
· Field: This is a collection of Characters.
· Characters: These are a collection of Bits.

Q: List four phases of evolution in the Hierarchy of Database modeling (Nov 16)

16. What is database model. Discuss its various types. (PM)

Database model is a data model which provides logical structure of database i.e. how data records and files will be arranged in the database.

There are four database models or database structures:

· Hierarchical Database Model
· Network Database Model
· Relational Database Model
· Object oriented Database Model

17. Explain the Hierarchical Database Model in detail. (PM)

a) A hierarchically structured database is arranged logically in an inverted tree pattern.
b) All records in hierarchy are called nodes. Each node is related to the others in a parent-child relationship. For example: Arranging data for accounts for companies as – under company make primary Accounts such as Fixed Assets, Current Assets and then Ledger records under these primary accounts.
c) Each parent record may have one or more child records, but no child record may have more than one parent record. The top parent record is called the root record.
d) Thus, this implements one-to-one and one-to-many relationships.

Features:
a) The hierarchy should be pre-determined and implemented and therefore, they are fixed in structure and are less flexible than other database structures.
b) Adhoc queries can’t be made by the managers.
c) If a particular record has to be traced then tracing will start from the root and continue downwards until the requisite record is located.
d) When the parent node is deleted, all the child nodes get automatically deleted.
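The features listed above (one parent per record, tracing downwards from the root, deletion of a parent taking its children with it) can be seen in a small added example that is not part of the original notes. The class and method names and the ledger names under each primary account are assumptions.

```python
class HierarchicalDB:
    """Records as nodes of an inverted tree; every child has exactly one parent."""

    def __init__(self, root):
        self.root = root
        self.parent = {root: None}    # record -> its single parent
        self.children = {root: []}    # record -> ordered child records

    def add(self, name, parent):
        # "No child record may have more than one parent record."
        if name in self.parent:
            raise ValueError(f"{name} already belongs to {self.parent[name]}")
        if parent not in self.children:
            raise KeyError(f"unknown parent {parent}")
        self.parent[name] = parent
        self.children[name] = []
        self.children[parent].append(name)

    def trace(self, target):
        """Search downwards from the root.

        Returns (path from root to target, number of records visited);
        the path is None when the record does not exist.
        """
        visited = 0
        stack = [[self.root]]
        while stack:
            path = stack.pop()
            visited += 1
            if path[-1] == target:
                return path, visited
            for child in reversed(self.children[path[-1]]):
                stack.append(path + [child])
        return None, visited

    def delete(self, name):
        """Delete a record and, automatically, every record below it."""
        if name == self.root:
            raise ValueError("deleting the root would drop the whole database")
        self.children[self.parent[name]].remove(name)
        removed, pending = [], [name]
        while pending:
            node = pending.pop()
            pending.extend(self.children.pop(node))
            del self.parent[node]
            removed.append(node)
        return removed


def build_sample():
    """Constructed chart of accounts following the example in the notes."""
    db = HierarchicalDB("Company")
    db.add("Fixed Assets", "Company")
    db.add("Current Assets", "Company")
    db.add("Land", "Fixed Assets")
    db.add("Machinery", "Fixed Assets")
    db.add("Cash", "Current Assets")
    db.add("Debtors", "Current Assets")
    return db


if __name__ == "__main__":
    db = build_sample()
    print(db.trace("Cash"))            # path and number of records visited
    print(db.delete("Current Assets")) # the ledgers underneath go with it
    print(db.trace("Cash"))            # no longer reachable
```

Deleting one primary account silently removes every ledger under it, which is why delete rights on parent records in such a structure need tighter control than delete rights on leaf records.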


18. Explain the Network Database Model in detail. (PM)

a) The network model is able to represent redundancy in data more efficiently than in the hierarchical model.
b) In network model a relationship is a set. Each set is made of at least two types of records: an owner record (Parent in Hierarchical) and a member record (child in Hierarchical). The difference is that the network model allows a record to appear as a member in more than one set.
c) This feature allows the network model to implement the one-to-one, one-to-many, many-to-one and the many-to-many relationship types.

Features:
a) It is a modified version of Hierarchical Data model.
b) It is very difficult to develop this type of database structures.
c) It is useful for one to one, one to many, many to one and many to many record relationships.
d) The relationships should be pre-determined.

19. Explain the Relational Database Model in detail. (PM)

a) Relational structure is the most popular database structure.
b) It stores the data in the form of tables. Relational databases are powerful because they require few assumptions on how data would be related and how data would be extracted.
c) Another important feature of relational structure is that a single database can be spread across several tables. It uses tables to organize the data.
d) Each table is equivalent to an entity like employee and each record (row) is object of application.

Example:


A relational database consists of a set of tables, where each table consists of a fixed collection of columns (also called fields). An indefinite number of rows (or records) occurs within each table. However, each row must have a unique primary key, which is a sort of name for that particular bundle of data. Above Figure illustrates relational database structure. As well as having primary keys, tables typically have some secondary keys. The secondary keys correspond with primary keys in other tables. For example, in Figure 2, the BOOKS table has secondary keys AuthorID and PubID. These, in turn, serve as primary keys for the AUTHORS and PUBLISHERS tables. The idea here is that every BOOKS row has a distinct ISBN value, each AUTHORS a unique AuthorID, and each PUBLISHERS a unique PubID.

As a constraint on the relation between tables, you can state, for example, that for a row to exist in BOOKS, there must exist a row in PUBLISHERS with the PubID you want to use in BOOKS. If one publisher can "have" multiple books in this way, it's called a one-to-many relation. On the other hand, if one author can have multiple books, and one book can also have multiple authors, it's called a many-to-many relation. To round things out, you can also define one-to-one relations, where one primary key must match exactly one secondary key. It is the job of RDBMSs to enforce just these types of rules.

(Source: www.ibm.com)

Advantages:
a) Highly flexible to Programme and retrieve data.
b) It is much easier to use as it uses SQL (structured query language), which serves as uniform interface for creating and manipulating database.
c) Can handle queries in a more efficient way.

Disadvantages:
a) Storage space requirements are high.
b) Processing efficiency is comparatively low.
c) Requires more processing capacity and memory.
d) Processing can’t be done without establishing the relationships.

20. Explain Object Oriented Database Model in detail. (PM) (Nov 16)


a) The object oriented database model is the latest development in database technology. In this all the elements of database are modeled as objects and these objects can be linked together to create entire database structure.
b) Objects are predefined set of program code that is used to perform a specific task. It is based on the concept of objects and their interactions.
c) An Object-oriented database provides a mechanism to store complex data such as images, audio and video, etc.
d) An object-oriented database management system (OODBMS) helps programmers to create objects in a programming language that behave as database objects.
e) Here, new objects can be created or old objects can be modified, reused or copied.
f) Many engineering applications such as Computer Aided Design (CAD), Computer Aided Engineering (CAE), Multimedia Systems, Image Processing Systems and Expert Systems are some of the examples.

21. List out the Advantages and Disadvantages of a DBMS. (PM) (Nov 15)

Major advantages are as follows:
a) Permitting data sharing: One of the advantages is that the same information can be made available to different users. Ex: Railway reservation etc.
b) Minimizing Data Redundancy: Duplication of information is carefully controlled or reduced. Minimizing redundancy can reduce the cost of storing information on hard drives and other storage devices. Ex: By creating centralized database or data in linked tables by DBMS, the data redundancy can be avoided.
c) Integrity can be maintained: Data integrity is maintained with accurate, consistent, and up-to-date data. Updates and changes to the data only have to be made in one place in DBMS ensuring Integrity. Ex: E106 cannot enter into loan to employee table until the same E106 exist in Employee Master.
d) User-friendly: It makes the data access and manipulation easier for the user. It also reduces the reliance of users on computer experts.
e) Improved security: DBMS provide various security features which can be used for providing a secured database. Ex: User authentication and Access control.
f) Faster application development: In DBMS environment the data is already there in databases, application developer has to think of only the logic required to retrieve the data in the way a user needs.

Major disadvantages are as follows:
a) Cost: Implementing a DBMS system can be expensive and time-consuming, especially in large enterprises. Training requirements alone can be quite costly.


b) Security: Even with safeguards in place, it may be possible for some unauthorized users to access the database. If one gets access to database then it could be an all or nothing proposition.
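The integrity rule in the Employee Master example above (E106 cannot get a loan row before it exists in the master) and the BOOKS / PUBLISHERS constraint in the relational model section are the same mechanism: a secondary (foreign) key enforced by the RDBMS. The following is an added example, not part of the original notes, using Python's built-in sqlite3 module; the EMPLOYEE_* table names, the columns other than ISBN, AuthorID and PubID, and all sample rows are assumptions.

```python
import sqlite3

SCHEMA = """
CREATE TABLE PUBLISHERS (PubID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE AUTHORS    (AuthorID INTEGER PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE BOOKS (
    ISBN     TEXT PRIMARY KEY,                               -- primary key
    Title    TEXT NOT NULL,
    AuthorID INTEGER NOT NULL REFERENCES AUTHORS(AuthorID),  -- secondary key
    PubID    INTEGER NOT NULL REFERENCES PUBLISHERS(PubID)   -- secondary key
);
CREATE TABLE EMPLOYEE_MASTER (EmpID TEXT PRIMARY KEY, Name TEXT NOT NULL);
CREATE TABLE EMPLOYEE_LOAN (
    LoanID INTEGER PRIMARY KEY,
    EmpID  TEXT NOT NULL REFERENCES EMPLOYEE_MASTER(EmpID),
    Amount INTEGER NOT NULL CHECK (Amount > 0)
);
"""

LOAN = "INSERT INTO EMPLOYEE_LOAN (EmpID, Amount) VALUES (?, ?)"


def open_db(enforce=True):
    """Build the constructed sample database in memory.

    SQLite ships with foreign-key enforcement switched off, so the rules
    in SCHEMA are only applied when the connection asks for them.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce else 'OFF'}")
    conn.executescript(SCHEMA)
    with conn:
        conn.execute("INSERT INTO PUBLISHERS VALUES (1, 'Example Press')")
        conn.execute("INSERT INTO AUTHORS VALUES (10, 'A. Writer')")
        conn.execute("INSERT INTO BOOKS VALUES ('ISBN-0001', 'First Book', 10, 1)")
        conn.execute("INSERT INTO EMPLOYEE_MASTER VALUES ('E101', 'Sample Employee')")
    return conn


def attempt(conn, sql, params=()):
    """Run one statement and report whether the RDBMS accepted or rejected it."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def orphan_loans(conn):
    """Audit query: loan rows whose EmpID has no Employee Master row."""
    rows = conn.execute(
        "SELECT l.EmpID FROM EMPLOYEE_LOAN l "
        "LEFT JOIN EMPLOYEE_MASTER m ON m.EmpID = l.EmpID "
        "WHERE m.EmpID IS NULL ORDER BY l.EmpID"
    ).fetchall()
    return [r[0] for r in rows]


if __name__ == "__main__":
    db = open_db(enforce=True)
    print(attempt(db, LOAN, ("E106", 50000)))  # E106 is not in the master yet
    print(attempt(db, "INSERT INTO EMPLOYEE_MASTER VALUES ('E106', 'New Joiner')"))
    print(attempt(db, LOAN, ("E106", 50000)))  # now the parent row exists
    print(attempt(db, "INSERT INTO BOOKS VALUES ('ISBN-0002', 'Orphan', 10, 99)"))
    print(attempt(db, "INSERT INTO BOOKS VALUES ('ISBN-0001', 'Duplicate', 10, 1)"))
    print(attempt(db, "DELETE FROM PUBLISHERS WHERE PubID = 1"))

    lax = open_db(enforce=False)               # same schema, rules not enforced
    print(attempt(lax, LOAN, ("E106", 50000)), orphan_loans(lax))
```

The second connection shows why declaring a relationship is not enough: with enforcement off the same schema accepts the orphan loan, and only the audit query finds it afterwards.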

Some related Concepts of Database

22. Explain concept of Big Data

· Big data refers to such massively large data sets that conventional database tools do not have the processing power to analyze them.
· For example, Walmart must process over one million customer transactions every hour.
· Storing and analyzing that much data is beyond the power of traditional database-management tools.
· Understanding the best tools and techniques to manage and analyze these large data sets is a problem that governments and businesses alike are trying to solve.

23. Explain Data Warehouse and its advantages.

Data Warehouse: As organizations have begun to utilize databases as the centerpiece of their operations, the need to fully understand and leverage the data they are collecting has become more and more apparent.

· However, directly analyzing the data that is needed for day-to-day operations is not a good idea.
· Further, organizations also want to analyze data in a historical sense.
· How does the data we have today compare with the same set of data this time last month, or last year?

From these needs arose the concept of the data warehouse.

· The concept of the data warehouse is simple: extract data from one or more of the organization’s databases and load it into the data warehouse (which is itself another database) for storage and analysis.

However, the execution of this concept is not that simple.

A data warehouse should be designed so that it meets the following criteria:
§ It uses non-operational data. This means that the data warehouse is using a copy of data from the active databases that the company uses in its day-to-day operations, so the data warehouse must pull data from the existing databases on a regular, scheduled basis.
§ The data is time-variant. This means that whenever data is loaded into the data warehouse, it receives a time stamp, which allows for comparisons between different time periods.
§ The data is standardized. Because the data in a data warehouse usually comes from several different sources, it is possible that the data does not use the same definitions or units. This process is called Extraction-Transformation-Load (ETL).

There are two primary schools of thought when designing a data warehouse: Bottom-Up and Top-Down.


· The Bottom-Up Approach starts by creating small data warehouses, called data marts, to solve specific business problems. As these data marts are created, they can be combined into a larger data warehouse.

· The Top-Down Approach suggests that we should start by creating an enterprise-wide data warehouse and then, as specific business needs are identified, create smaller data marts from the data warehouse.

Benefits of Data Warehouse

· The process of developing a data warehouse forces an organization to better understand the data that it is currently collecting and, equally important, what data is not being collected.

· A data warehouse provides a centralized view of all data being collected across the enterprise and provides a means for determining data that is inconsistent.

· Once all data is identified together, it helps the organization to compare present data with historical data.

· By having a data warehouse, snapshots of data can be taken over time. This creates a historical record of data, which allows for an analysis of trends.

· A data warehouse provides tools to combine data, which can provide new information and analysis.

24. Explain Data Mining:

· Data Mining is the process of analyzing data to find previously unknown trends, patterns, and associations to make decisions.

· Generally, data mining is accomplished through automated means against extremely large data sets, such as a data warehouse.

· Some examples of data mining include:

§ An analysis of sales from a large grocery chain might determine that milk is purchased more frequently the day after it rains in cities with a population of less than 50,000.

§ A bank may find that loan applicants whose bank accounts show particular deposit and withdrawal patterns are not good credit risks.

25. Write about computer networks or network links.

· It is a collection of computers and other hardware interconnected by communication channels that allow sharing of resources and information between connected computers and devices.

· Each component, namely the computer or a hardware device in a computer network, is called a 'Node'.

· Types of Network:

a) Connection Oriented networks: Wherein a connection is first established and then data is exchanged. Example is telephone networks. This uses a data communication technique known as circuit switching.

b) Connectionless Networks: Where no prior connection is made before data exchanges. Data which is being exchanged from sender to receiver in fact carries complete information about the recipient, and at each intermediate destination it is decided how to proceed further, like it happens in case of postal networks. This uses a data communication technique known as packet switching. Example is Internet.

The following four terms can be considered while transferring data from Sender to Receiver / Basic issues to be addressed:

a) Routing: It refers to the process of deciding on how to communicate the data from source to destination in a network.

b) Bandwidth: It refers to the amount of data which can be sent across a network in given time. It indicates the speed of network communication and bandwidth is measured in MBPS / GBPS etc.

c) Resilience: It refers to the ability of a network to recover from any kind of error like connection failure, loss of data etc.

d) Contention: It refers to the situation that arises when there is a conflict for some common resource. For example, network contention could arise when two or more computer systems try to communicate at the same time.

26. Write about several benefits of a computer network.

The following are the important benefits of a computer network:

a) Distributed nature of information: Computer networks provide a distributed data processing system wherein information can be distributed geographically and data can be processed from anywhere. E.g. In the case of a Banking Company, accounting information of various customers could be distributed across various branches, but to make the Consolidated Balance Sheet at the year-end, it would need networking to access information from all its branches.

b) Resource Sharing: Data could be stored at a central location and can be shared across different systems. Resource sharing could also be in terms of sharing peripherals like printers, which are normally shared by many systems. E.g. In the case of a CBS, Bank data is stored at a Central Data Centre and could be accessed by all branches as well as ATMs.

c) Computational Power: The computational power of most of the applications would increase drastically as computers in a network can use and share each other’s computational power. For example: processing in an ATM machine in a bank is distributed between the ATM machine and the central Computer System in a Bank, thus reducing load on both.

d) Reliability: Many critical applications should be available 24x7. If such applications are run across different systems which are distributed across the network, then the reliability of the application would be high. E.g. In a city there could be multiple ATM machines so that if one ATM fails, one could withdraw money from another ATM.

e) User communication: Networks allow users to communicate using e-mail, newsgroups, video conferencing, etc.


27. Explain following terms

· Packet:

§ The fundamental unit of data transmitted over the Internet. When a device intends to send a message to another device (for example, your PC sends a request to YouTube to open a video), it breaks the message down into smaller pieces, called packets.

§ Each packet has the sender’s address, the destination address, a sequence number, and a piece of the overall message to be sent.

· Repeater:

§ A repeater regenerates the signal over the same network before the signal becomes too weak or corrupted, to extend the length to which the signal can be transmitted over the same network.

§ They do not amplify the signals; however, when the signal becomes weak, they copy the signal bit by bit and regenerate it at the original strength.

· HUB: Hub is used in LAN for sharing of the network resources such as servers, LAN workstations, printers, etc.

· Bridges: Bridge is a communications processor that connects numerous Local Area Networks (LAN). It magnifies the data transmission signal while passing data from one LAN to another.

· Routers: Router is a communication processor that interconnects networks based on different rules or protocols. This device also helps to select the best route (shortest and most reliable route) when there are multiple paths available.

· MAC Address:

§ These are most often assigned by the manufacturer of a Network Interface Controller (NIC) and are stored in its hardware, such as the card’s read-only memory.

§ If assigned by the manufacturer, a MAC address usually encodes the manufacturer’s registered identification number.

· Network topology:

§ The geometrical arrangement of computer resources, remote devices, and communication facilities is known as network structure or network topology.

§ A network structure determines how one computer in the network can communicate with other computers.

§ Common topologies are:

o Star Network that involves a central unit with a number of terminals tied into it;

o Bus Network in which a single length of wire, cable, or optical fiber (called bus) connects several computers;

o Ring Network much like a bus network, except the length of wire, cable, or optical fiber connects to form a loop; and

o Mesh Network in which each node is connected by a dedicated point to point link to every node.

· Transmission Mode:

§ It determines the direction of data flow from one system to another system in a communication network.

§ There are three different transmission modes.

o Simplex: In this mode data is transmitted in one direction only.


o Half duplex: It allows data to be transmitted in both directions, but only one side at a time.

o Full duplex: A full duplex connection can simultaneously transmit and receive data between two stations.

· Protocols:

§ A protocol is the formal set of rules for error free and reliable data communications. In a network, there are many devices connected with each other for exchange of data and information. In order to have a smooth and correct exchange of information between various connected devices in a network, these devices must adhere to some set of rules, and these rules are known as protocols.

§ Protocols allow heterogeneous computers to talk to each other.

· IP Address:

§ Every device that communicates on the Internet, whether it be a personal computer, a tablet, a smartphone, or anything else, is assigned a unique identifying number called an IP (Internet Protocol) address.

§ For example, let’s say the domain wikipedia.org has the IP address of 107.25.196.166.

§ Historically, the IP-address standard used has been IPv4 (version 4); currently the standard which is in use is IPv6 (version 6).

· Domain Name:

§ A Domain Name is a human-friendly name for a device on the Internet.

§ These names generally consist of a descriptive text followed by the top-level domain (TLD).

§ For example, Wikipedia’s domain name is wikipedia.org; Wikipedia describes the organization and .org is the top-level domain.

§ In this case, the .org TLD is designed for non-profit organizations.

§ Other well-known TLDs include .com, .net, and .gov.

· Domain Name System (DNS):

§ DNS acts as the directory on the Internet.

§ When a request to access a device with a domain name is given, a DNS server is queried. It returns the IP address of the device requested, allowing for proper routing.

· Packet Switching:

§ When a packet is sent from one device out over the Internet, it does not follow a straight path to its destination.

§ Instead, it is passed from one router to another across the Internet until it reaches its destination.

§ In fact, sometimes two packets from the same message will take different routes.

· Wi-Fi:

§ Wi-Fi is the name of a popular Wireless Networking technology that uses radio waves to provide wireless high-speed Internet and reliable network connections.

§ It has limited range. A typical wireless access point might have a range of 65 ft.

§ The Wi-Fi Alliance defines Wi-Fi products based on the Institute of Electrical and Electronics Engineers' (IEEE) 802.11 standards.


§ One of the primary places where Wi-Fi is being used is in the home.

§ However, with increase in smart phone sales, Wi-Fi hotspot services are being provided at various public places to provide better customer service.

· Voice Over IP (VoIP):

§ A growing class of data being transferred over the Internet is Voice Data.

§ A protocol called VoIP enables sounds to be converted to a digital format for transmission over the Internet and then recreated at the other end.

§ By using many existing technologies and software, voice communication over the Internet is now available to anyone with a browser (think Skype, Google Hangouts, Whatsapp calls).
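The Packet and Packet Switching entries above can be seen working together in the following added example, which is not part of the original notes. It splits a message into packets carrying the four fields listed under Packet, lets them arrive out of order as under Packet Switching, and rebuilds the message at the receiver; the `total` field, the addresses and the message are assumptions made for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str        # sender's address
    dst: str        # destination address
    seq: int        # sequence number of this piece
    total: int      # assumption: number of pieces, so the receiver can spot loss
    payload: bytes  # one piece of the overall message


def packetize(message: bytes, src: str, dst: str, size: int = 8) -> list:
    """Break a message into packets of at most `size` payload bytes."""
    if size <= 0:
        raise ValueError("size must be positive")
    chunks = [message[i:i + size] for i in range(0, len(message), size)] or [b""]
    return [Packet(src, dst, seq, len(chunks), chunk)
            for seq, chunk in enumerate(chunks)]


def reassemble(packets: list) -> bytes:
    """Rebuild the message from packets received in any order.

    Duplicates with identical payload are tolerated. Missing pieces,
    conflicting duplicates and packets from another message are rejected
    instead of being silently accepted.
    """
    if not packets:
        raise ValueError("no packets received")
    if len({(p.src, p.dst, p.total) for p in packets}) != 1:
        raise ValueError("packets belong to more than one message")
    total = packets[0].total
    by_seq = {}
    for p in packets:
        if not 0 <= p.seq < total:
            raise ValueError(f"sequence number {p.seq} out of range")
        if p.seq in by_seq and by_seq[p.seq] != p.payload:
            raise ValueError(f"conflicting duplicates for seq {p.seq}")
        by_seq[p.seq] = p.payload
    missing = [s for s in range(total) if s not in by_seq]
    if missing:
        raise ValueError(f"missing packets: {missing}")
    return b"".join(by_seq[s] for s in range(total))


if __name__ == "__main__":
    # Constructed sample: documentation-range addresses, made-up request.
    msg = b"GET /watch?v=demo HTTP/1.1"
    pkts = packetize(msg, "192.0.2.10", "198.51.100.7")
    # Packets took different routes: out of order, one delivered twice.
    arrival = [pkts[2], pkts[0], pkts[3], pkts[1], pkts[0]]
    print(reassemble(arrival))
```
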

Section 2: Information System Controls

1. Definition of Information Systems Control & its objective.

· Controls are the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected. Controls pertaining specifically to the Information Systems are referred to as Information Systems Controls.

· Objective of Controls:

§ The objective of controls is to reduce or, if possible, eliminate the causes of the exposure to potential loss.

§ Exposures are potential losses due to threats materializing. All exposures have causes.

2. Effect or Impact of technology on Internal Controls

Following are the impacts of a Computer / Computerized environment on Internal Control.

· Personnel: Skilled / trained employees are considered as a form of preventive control. The relevant questions are whether or not staff are trustworthy, whether they know what they are doing, and whether they have the appropriate skills & training to carry out their jobs to a competent standard.

· Segregation of duties: Segregation of duties is required to ensure that a single employee or group cannot put through a complete transaction. In a computerized environment this is achieved by enabling role based access / restricting access privileges. Apart from the segregation at the transaction level, it is important to have the same even at the job definition level for IT staff, i.e. system developers cannot initiate system maintenance activity.
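One way to check segregation of duties in a role-based access setup is shown in the following added example, which is not part of the original notes. The roles, permissions, users and purchase-order records are all constructed for the illustration; the check covers both the transaction level and the job-definition level for IT staff mentioned above.

```python
# Hypothetical role -> permission mapping (constructed for this example).
ROLE_PERMISSIONS = {
    "requester": {"po.create"},
    "approver": {"po.approve"},
    "payments": {"payment.release"},
    "developer": {"code.change"},
    "sysadmin": {"system.maintain"},
}

# Pairs of permissions that one person must never hold together.
SOD_CONFLICTS = [
    ("po.create", "po.approve"),         # transaction level
    ("po.approve", "payment.release"),   # transaction level
    ("code.change", "system.maintain"),  # job-definition level for IT staff
]

# Constructed user -> roles assignments.
USER_ROLES = {
    "anita": ["requester"],
    "bharat": ["approver"],
    "meena": ["requester", "approver"],
    "dev_ravi": ["developer", "sysadmin"],
    "kiran": ["payments"],
}

# Constructed transaction records.
TRANSACTIONS = [
    {"id": "PO-1001", "created_by": "anita", "approved_by": "bharat"},
    {"id": "PO-1002", "created_by": "meena", "approved_by": "meena"},
    {"id": "PO-1003", "created_by": "anita", "approved_by": "meena"},
]


def effective_permissions(roles):
    """Union of the permissions granted by all of a user's roles."""
    perms = set()
    for role in roles:
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def sod_violations(user_roles):
    """Preventive check: users whose combined roles hold a conflicting pair."""
    findings = []
    for user, roles in user_roles.items():
        perms = effective_permissions(roles)
        for first, second in SOD_CONFLICTS:
            if first in perms and second in perms:
                findings.append((user, first, second))
    return sorted(findings)


def self_approved(transactions):
    """Detective check: transactions created and approved by the same person."""
    return [t["id"] for t in transactions
            if t["created_by"] == t["approved_by"]]


if __name__ == "__main__":
    for user, first, second in sod_violations(USER_ROLES):
        print(f"{user}: holds both {first} and {second}")
    print("self-approved:", self_approved(TRANSACTIONS))
```
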

3. What are the different Information Systems Control Techniques / Categorization of IS Controls

Internal controls can be classified into various categories as under:

Categorization based on Objective | Categorization based on Nature of IS Resource | Categorization based on Audit Function
Preventive controls               | Environmental                                  | Managerial Controls
Detective controls                | Physical Access                                | Application Controls
Corrective controls               | Logical Access                                 |
Compensatory controls             |                                                |

4. Explain preventive controls and its characteristics.

Preventive controls: (PM)

· Detect problems before they arise.

· Attempt to predict potential problems before they occur & make adjustments.

· Prevent an error, omission or malicious act from occurring.

· Ex: Proper training, job definition & segregation of duties, physical & logical access control, firewalls.

Characteristics of Preventive Controls

· Understanding vulnerabilities of the asset is required

· Understanding of probable threats is required

· Provision of necessary controls for preventing probable threats from materializing and exploiting the vulnerabilities.

5. Explain detective controls and its characteristics.

Detective controls:

· Are designed to detect errors, omissions or malicious acts that occur and report the occurrence.

· Ex: Hash totals, CCTV, Review of Audit logs, BRS.

Characteristics of Detective Controls

· Clear understanding of lawful activities so that anything which deviates from these is reported as unlawful, malicious, etc.

· An established mechanism to refer the reported unlawful activities to the appropriate person or group

· Interaction with the preventive control to prevent such acts from occurring

6. Explain corrective controls and its characteristics.

Corrective controls

· Are designed to reduce the impact or correct an error once it has been detected.

· Ex: Cleaning a file detected to contain virus, data backups, stand by server, failover networks etc. (Business continuity plan)

Characteristics of Corrective Controls

· Minimize the impact of the threat

· Correct error arising from a problem

· Feedback from preventive and detective controls

· Modify the processing systems to minimize future occurrences of the problem.

7. Explain compensatory controls


Ideally the organization would like to implement a primary control, but due to various constraints like technology, cost etc. it may not be able to do so. In such circumstances it is advisable to implement compensatory controls, which can be defined as “compensatory controls reduce the risk of the original / primary controls not being in place.” They do not replace the original controls & are not as effective as the original controls.

8. Explain environmental controls

Environmental Controls: These are the controls relating to the IT environment such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke detection, fire-extinguishers, dehumidifiers etc.

Fire Damage:

1. Hand-Held Fire Extinguishers

· Fire extinguishers should be in calculated locations throughout the area. They should be tagged for inspection and inspected at least annually.

2. Manual Fire Alarms

· Hand-pull fire alarms should be purposefully placed throughout the facility. The resulting audible alarm should be linked to a monitored guard station.

3. Fire Suppression Systems

· These alarms are activated when extensive heat is generated due to fire. Like smoke alarms, they are designed to produce audible alarms when activated and should be regularly monitored. In addition to precautionary measures, the system should be segmented so that fire in one part of a large facility does not activate the entire system.

4. Smoke Detectors

· Smoke detectors are positioned at places above and below the ceiling tiles.

· Upon activation, these detectors should produce an audible alarm and must be linked to a monitored station (for example a fire station).

5. Regular Inspection by Fire Department

· An annual inspection by the fire department should be carried out to ensure that all fire detection systems act in accordance with building codes. Also, the fire department should be notified of the location of the computer room, so that it is equipped with tools appropriate for electrical fires.

6. Fireproof Walls, Floors and Ceilings surrounding the Computer Room

· Information processing facility should be surrounded by walls that control or block fire from spreading. The surrounding walls should have at least a more than one-two-hour fire resistance rating.


7. Strategically Locating the Computer Room

· To reduce the risk of flooding, the computer room should not be located in the basement of a multi-storied building. Studies reveal that computer rooms located on the top floor are less prone to the risk of fire, smoke and water.

8. Wiring Placed in Electrical Panels and Conduit

· Electrical fires are always a risk. To reduce the risk of such a fire occurring and spreading, wiring should be placed in fire-resistant panels and conduit. This conduit generally lies under the fire-resistant raised computer room floor.

Power Spikes:

9. Electrical Surge Protectors

· The risk of damage due to power spikes can be reduced to a great extent using electrical surge protectors.

10. Uninterruptible Power Supply (UPS) / Generator

· A UPS system consists of a battery or gasoline powered generator that interfaces between the electrical power entering the facility and the electrical power entering the computer. The system typically cleanses the power to ensure wattage into the computer is consistent.

11. Emergency Power-Off Switch

· When immediate power shutdown becomes necessary in an emergency, two emergency power-off switches, one in the computer room and the other near but outside the computer room, would serve the purpose.

Water Damage:

12. Water Detectors

· Water detectors should be present near any unattended equipment storage facilities.

· When activated, the detectors should produce an audible alarm that can be heard by security and control personnel.

13. Some of the other major ways of protecting the installation against water damage are as follows:

· Wherever possible have waterproof ceilings, walls and floors;

· Ensure an adequate positive drainage system exists;

· Install alarms at strategic points within the installation;

· In flood areas have the installation above the upper floors but not at the top floor;

· Water proofing; and

· Water leakage Alarms.

Pollution damage and others:


14. Power Leads from Two Substations

· Electrical power lines are exposed to many environmental dangers, such as water, fire, lightning, cutting due to careless digging etc. To avoid these types of events, redundant power links should feed into the facility, so that interruption of one power supply does not adversely affect electrical supply.

15. Prohibitions Against Eating, Drinking and Smoking within the Information Processing Facility

· These things should be prohibited from the information processing facility. This prohibition should be clear, e.g. a sign on the entry door.

16. The major pollutant in a computer installation is dust. Dust caught between the surfaces of magnetic tape / disk and the reading and writing heads may cause either permanent damage to data or read / write errors.

9. Explain various physical access control techniques

· Physical access controls are designed to protect the organisation from unauthorized access or, in other words, to prevent illegal entry.

1. Door Locks: (PM)

· Cipher locks (combination door locks): These work on number combinations. The lock consists of a push button panel that is mounted near the door outside of the secured area. There are ten numbered buttons on the panel. To enter, a person presses a four digit number sequence & the door will unlock for a predetermined period. (can include bio-metric as well)

· Bolting door locks: Which operate with a special metal key.

· Electronic door locks: These work based on card swipe or proximity card, which involves issuing cards to users with authorization privileges embedded in the card. This is a superior method compared to other methods as it facilitates easy user access management & restriction or deactivation can be centrally managed.

2. Physical Identification Medium:

· Personal identification numbers (PIN): A secret number will be assigned to the individual which, in conjunction with some means of identifying the individual, serves to verify the authenticity of the individual. The visitor will be asked to log on by inserting a card in some device & then enter their PIN via a PIN keypad for authentication. The entry will be matched with the PIN numbers available in the security database.

· Plastic cards: These cards are used for identification purposes. Controls over cards seek to ensure that customers safeguard their card so it does not fall into unauthorized hands.

· Identification Badges: Special identification badges can be issued to personnel as well as visitors.


§ Sophisticated photo IDs can also be utilized as electronic card keys.

§ Issuing, accounting for and retrieving the badges is an administrative process that must be carefully controlled.

3. Logging on utilities:

· Manual logging:

§ All visitors should be prompted to sign a visitor’s log indicating their name, company represented, their purpose of visit & person to see.

§ Logging may happen at both the front reception & entrance to the computer room.

§ A valid & acceptable identification such as driver’s license, business card or vendor identification tag may also be asked for before gaining entry inside the company.

· Electronic logging: This feature is a combination of electronic & biometric security systems. The users logging in can be monitored & the unsuccessful attempts highlighted.

4. Other means of controlling physical Access:

· Video cameras: Cameras strategically located & footage monitored at security station. The footage is retained for a period of time for future playback.

· Security Guards: Physical monitoring of visitors accessing the facilities.

· Controlled visitors access: All visitors are escorted by an employee through the organization & until they leave the organization.

· Bonded personnel: An NDA or bond needs to be executed by all service or contract staff to reduce the risk arising out of financial exposures.

· Computer terminal locks: These locks ensure that the device to the desk is not turned on or disengaged by unauthorized persons.

· Controlled Single Point Entry: The physical entry point should be only one so that it is easy to monitor.

· Perimeter fencing: Fencing at boundary of the facility.

· Alarm System: Illegal entry can be avoided by linking the alarm system to inactive entry point motion detectors and the reverse flows of enter or exit only doors. Security personnel should be able to hear the alarm when activated.

10. What are logical Access controls.

Meaning:

· Computer based access controls are called logical access controls.

· Logical access controls are the system based mechanisms used to designate who or what is to have access to a specific system resource & the type of transactions & functions that are permitted.

11. Explain logical access violators


Logical Access Violators are often the same people who exploit physical exposures, although the skills needed to exploit logical exposures are more technical and complex. They are mainly:

· Hackers: Hackers try their best to overcome restrictions to prove their ability.

· Employees (authorized or unauthorized);

· IS Personnel: They have the easiest access to computerized information since they come across information while discharging their duties. Segregation of duties and supervision help to reduce the logical access violations;

· Former Employees: The organization should be cautious of former employees who have left the organization on unfavorable terms;

· End Users; Interested or Educated Outsiders; Competitors; Foreigners; Organized Criminals; Crackers; Part-time and Temporary Personnel; Vendors and consultants; and Accidental Ignorant – Violation done unknowingly.

12. What are the different types of Logical access exposures / threats.

1. Technical exposure

Technical exposures include unauthorized implementation or modification of data and software. Technical exposures include the following:

i) Data Diddling:
Data diddling involves the change of data before or as they are entered into the system. Only limited technical knowledge is required to data diddle, and the worst part is that it occurs before computer security can protect data.

ii) Logic Bombs: (PM)
Malicious code planted into a computer program which would trigger on the logic being satisfied.
Ex: If Income is 1,80,000/- delete all data.

iii) Time Bombs: (PM)
Malicious code planted into a computer program which would be triggered on a particular date or time as set.
Ex: If date is 29th Feb delete all data.

iv) Trojan horse: (PM)
A malicious program hidden inside a legitimate program causing illegitimate action. It may be a password stealing Trojan, or modify records in files, or allow access to an unauthorized user. They are difficult to detect.

v) Worms: (PM)

· A worm is a program that resides in the computer’s memory & replicates into areas of idle memory.

· Worm systematically occupies idle memory until the memory is exhausted & the system fails. Limited in damage, as the network traffic they generate grows so exponentially that they can be quickly identified & blocked.

· Worm is similar to virus in terms of self replication.

vi) Rounding down:
Refers to rounding small fractions of a denomination down & transferring the small fractions into the unauthorized account.
Ex: 21,23,560.59 becomes 21,23,560.58.


vii) Salami Technique
Refers to slicing of small amounts of money from a computerized transaction or account.
Ex: 21,23,560.59 becomes 21,23,560.50 or 21,23,560.00

viii) Trapdoors:

· System programmers insert code (in program) which compromises the usual controls, but only with a positive objective.

· Ex: For program debugging – used by developer / maintenance staff.

· These codes are generally removed after the activity. But, when they are not removed they may become reason for compromise.
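A detective control for the rounding down and salami exposures described above is to recompute each posting under the stated rounding policy and reconcile the batch, as in the following added example, which is not part of the original notes. The account names, amounts and the round-half-up policy are assumptions constructed for the illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed interest run: exact computed amount vs amount actually posted.
POSTINGS = [
    {"account": "A1", "exact": Decimal("1250.126"), "posted": Decimal("1250.12")},
    {"account": "A2", "exact": Decimal("980.455"), "posted": Decimal("980.45")},
    {"account": "A3", "exact": Decimal("432.101"), "posted": Decimal("432.10")},
    {"account": "A4", "exact": Decimal("77.779"), "posted": Decimal("77.77")},
]

# Constructed list of every credit written by the same batch job.
BATCH_CREDITS = [
    ("A1", Decimal("1250.12")),
    ("A2", Decimal("980.45")),
    ("A3", Decimal("432.10")),
    ("A4", Decimal("77.77")),
    ("S9", Decimal("0.03")),  # credit with no computation behind it
]


def expected_posting(exact):
    """Amount the policy says should be posted (assumed: round half up)."""
    return exact.quantize(CENT, rounding=ROUND_HALF_UP)


def rounding_shortfalls(postings):
    """Postings whose posted amount differs from the policy-rounded amount."""
    findings = []
    for p in postings:
        diff = expected_posting(p["exact"]) - p["posted"]
        if diff != 0:
            findings.append((p["account"], diff))
    return findings


def reconcile(postings, batch_credits):
    """Compare the total shortfall with credits that no computation explains."""
    computed = {p["account"] for p in postings}
    shortfall = sum((d for _, d in rounding_shortfalls(postings)), Decimal("0"))
    unbacked = {}
    for account, amount in batch_credits:
        if account not in computed:
            unbacked[account] = unbacked.get(account, Decimal("0")) + amount
    # An unexplained credit equal to the total shortfall is the classic sign
    # that the shaved fractions were collected in one account.
    suspects = sorted(a for a, amt in unbacked.items()
                      if shortfall > 0 and amt == shortfall)
    return {
        "total_shortfall": shortfall,
        "unbacked_credits": unbacked,
        "suspect_accounts": suspects,
    }


if __name__ == "__main__":
    for account, diff in rounding_shortfalls(POSTINGS):
        print(f"{account}: posted {diff} less than policy amount")
    print(reconcile(POSTINGS, BATCH_CREDITS))
```
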

2. Asynchronous Attacks (PM)

They occur in many environments where data can be moved asynchronously across telecommunication lines. Numerous transmissions must wait for the clearance of the line before data is transmitted. Data that are waiting to be transmitted are liable to unauthorized access, called asynchronous attack.

There are many forms of asynchronous attacks.

i) Data Leakage:
Stealing information from computers by unauthorized copy into external media like CDs, USB Storage etc. or taking print outs of reports.

ii) Subversive Threats: Subversive attacks can provide intruders with important information about messages being transmitted, and the intruder can manipulate these messages in many ways.

iii) Piggybacking:

· This is the act of following an authorized user through a secured door, or of electronically attaching to an authorized telecommunication link.

· Ex: When a user has logged into a website, an unauthorized user follows & enters. After an authorized user has physically entered an information processing facility, an unauthorized user follows when the door is yet to close.

iv) Wire-tapping:
This involves spying on information being transmitted over a telecommunication network.

13. List few logical access control measures.

Logical access controls serve as one of the means of information security. The purpose of logical access controls is to restrict access to information assets / resources. They are expected to provide access to information resources on a need to know and need to do basis using the principle of least privileges.

Following are logical access controls.

· User Access Management:

§ User registration: Information about every user is documented. The following questions are to be answered: Why is the user granted the access? Has the data owner approved the access?

§ Privilege management: Access privileges are to be aligned with job requirements and responsibilities.

§ User password management: Allocation, storage, revocation, and reissue of passwords are password management functions. Educating users about passwords is a critical component, as is making them responsible for their password.

§ Review of user access rights: A user's need for accessing information changes with time and requires a periodic review of access rights to check anomalies in the user's current job profile, and the privileges granted earlier.

· User responsibilities:

§ Password use: Mandatory use of strong passwords to maintain confidentiality.

§ Unattended user equipment: Users should ensure that none of the equipment under their responsibility is ever left unprotected. They should also secure their PCs with a password, and should not leave it accessible to others.

· Network Access Control:
§ Firewall:
Ø Firewalls provide perimeter security to the organization's network from external networks. A firewall enforces access controls between two networks.
Ø All traffic between the outside network and the organization's intranet should pass through the firewall. The firewall has a rule-based access list, as per the security policy, which decides the permitted traffic between the organization's intranet and the outside networks.
Ø The firewall does not allow data packets from unauthorized users or sources, or with malicious content, to enter the private network server.

§ Enforced path: Based on risk assessment, it is necessary to specify the exact path or route connecting the networks; for example, internet access by employees will be routed through a firewall. It is also necessary to maintain hierarchical access levels for both internal and external user logging.

§ Encryption:
Ø In this technique, data to be transmitted is converted from its normal form into a secret form.
Ø The sender converts the original message, known as clear text, into a coded equivalent known as cipher text. This cipher text is transmitted over the communication channel. If any hacker gains access to this text, the hacker will not be able to understand the cipher text. The cipher text is converted back into clear text by the receiver using a decryption algorithm.
Ø Two general approaches are used for encryption, viz. Private key encryption and Public key encryption.

§ Call Back Devices:
Ø It is based on the principle that the key to network security is to keep the intruder off the intranet, rather than imposing security measures after the criminal has connected to the intranet.

Ø The call-back device requires the user to enter a password, and then the system breaks the connection.
Ø If the caller is authorized, the call-back device dials the caller's number to establish a new connection.
Ø This limits access to authorized terminals or telephone numbers only, and prevents an intruder masquerading as a legitimate user.

§ Policy on use of network services: An enterprise-wide network / internet policy should be in place. Selection of appropriate services, and approval to access them, will be part of this policy.

· Operating System Access Control:
§ Terminal log-on procedures: This is the key security feature provided by the operating system, which helps to prevent unauthorized access. It allows only authorized users to access the computer system by validating the user's ID and password.
§ Access control list: User IDs and passwords are compared with the access control list, and if they match the user is granted access.
§ Access Token: If the user's log-in is successful, the operating system creates an access token that contains key information about the user, such as ID, password, user group and access rights granted to the user. The access token remains valid for a particular session, and it keeps all the event information of that session in a log file.
§ Password management system: An operating system could enforce selection of good passwords. Internal storage of passwords should use one-way encryption algorithms, and the password file should not be accessible to users.
§ Terminal time out: Log out the user if the terminal is inactive for a defined period. This will prevent misuse in the absence of the legitimate user.
§ Limitation of connection time: Define the available time slot. Do not allow any transaction beyond this time period. For example, no computer access after 8.00 p.m. and before 8.00 a.m., or on a Saturday or Sunday.

· Application and Monitoring System Access Control:
§ Information access restriction: Access to information is restricted by application-specific menu interfaces, which limit access to system functions. A user is allowed to access only those items s/he is authorized to access. Controls are implemented on the access rights of users, for example read, write, delete, and execute.
§ Sensitive system isolation: Based on the criticality of a system in an enterprise, it may even be necessary to run the system in an isolated environment.
§ Event logging: In computer systems it is easy and viable to maintain extensive logs for all types of events. It is necessary to review whether logging is enabled and the logs are archived properly.
§ Monitor system use: Based on the risk assessment, constant monitoring of some critical systems is essential.

· Mobile Computing:
§ Theft of data carried on the disk drives of portable computers is a high risk factor. Both physical and logical access to these systems is critical. Information is to be encrypted, and access identification such as fingerprint, eye-iris etc. is a necessary security feature.
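The Operating System Access Control items above (log-on validation, one-way password storage, access token, terminal time out and limitation of connection time) can be seen working together in the following sketch. It is an added example, not part of the original notes; the `Terminal` class, the PBKDF2 work factor, the 15-minute idle limit and the sample user are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets
from datetime import datetime, timedelta

PBKDF2_ROUNDS = 200_000               # assumed work factor
IDLE_LIMIT = timedelta(minutes=15)    # assumed terminal time-out
OPEN_HOUR, CLOSE_HOUR = 8, 20         # the notes' example: 8.00 a.m. to 8.00 p.m.


def hash_password(password, salt=None):
    """One-way transform: only the salt and the digest are ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


def within_connection_time(now):
    """Weekdays only (Monday=0 ... Friday=4), inside the permitted hours."""
    return now.weekday() < 5 and OPEN_HOUR <= now.hour < CLOSE_HOUR


class Terminal:
    def __init__(self):
        self.password_file = {}   # user id -> salt, digest, group, rights
        self.sessions = {}        # token -> access token for one session
        self.log = []             # (time, user id, event)

    def register(self, user_id, password, group, rights):
        salt, digest = hash_password(password)
        self.password_file[user_id] = {"salt": salt, "digest": digest,
                                       "group": group, "rights": set(rights)}

    def log_on(self, user_id, password, now):
        record = self.password_file.get(user_id)
        # Hash even for an unknown ID so both failure paths cost the same time.
        salt, digest = (record["salt"], record["digest"]) if record else (bytes(16), b"")
        if not verify_password(password, salt, digest) or record is None:
            self.log.append((now, user_id, "log-on refused: bad ID or password"))
            return None
        if not within_connection_time(now):
            self.log.append((now, user_id, "log-on refused: outside connection time"))
            return None
        token = secrets.token_hex(16)
        # The token in this example carries ID, group and rights; the password
        # is left out of it.
        self.sessions[token] = {"user": user_id, "group": record["group"],
                                "rights": set(record["rights"]), "last_seen": now}
        self.log.append((now, user_id, "log-on accepted"))
        return token

    def access(self, token, right, now):
        session = self.sessions.get(token)
        if session is None:
            return False
        if now - session["last_seen"] > IDLE_LIMIT or not within_connection_time(now):
            del self.sessions[token]          # terminal time out / closed hours
            self.log.append((now, session["user"], "session ended"))
            return False
        session["last_seen"] = now
        allowed = right in session["rights"]
        self.log.append((now, session["user"],
                         f"{right}: {'granted' if allowed else 'refused'}"))
        return allowed


if __name__ == "__main__":
    terminal = Terminal()
    terminal.register("clerk01", "correct horse battery", "accounts", ["read", "write"])
    start = datetime(2024, 1, 8, 10, 0)       # constructed: a Monday morning
    tok = terminal.log_on("clerk01", "correct horse battery", start)
    print(terminal.access(tok, "read", start + timedelta(minutes=5)))
    print(terminal.access(tok, "read", start + timedelta(minutes=40)))
    for entry in terminal.log:
        print(entry)
```
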

Classification on the basis of “Audit Functions”

Auditors might choose to factor systems in several different ways. Auditors have found two ways to be especially useful when conducting information systems audits. These are discussed below:

(A) Managerial Controls: In this part, we shall examine controls over the managerial functions that must be performed to ensure the development, implementation, operation and maintenance of information systems in a planned and controlled manner in an organization. The controls at this level provide a stable infrastructure in which information systems can be built, operated, and maintained on a day-to-day basis, as discussed in the following table:

| Management Control | Description of Control |
|---|---|
| Top Management | Top management must ensure that the information systems function is well managed. It is responsible primarily for long-run policy decisions on how Information Systems will be used in the organization. |
| Information Systems Management | IS management has overall responsibility for the planning and control of all information system activities. It also provides advice to top management in relation to long-run policy decision making and translates long-run policies into short-run goals and objectives. |
| Systems Development Management | Systems Development Management is responsible for the design, implementation, and maintenance of application systems. |
| Programming Management | It is responsible for programming new systems, maintaining old systems and providing general systems support software. |
| Data Administration | Data administration is responsible for addressing planning and control issues in relation to use of an organization's data. |
| Quality Assurance Management | It is responsible for ensuring that information systems development, implementation, operation, and maintenance conform to established quality standards. |
| Security Administration | It is responsible for access controls and physical security over the information systems function. |
| Operations Management | It is responsible for planning and control of the day-to-day operations of information systems. |

(B) Application Controls: These include the programmatic routines within the application program code. The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage. The specific controls could include form design, source document controls, input, processing and output controls, media identification, movement and library management, data back-up and recovery, authentication and integrity, legal and regulatory requirements. Any function or activity that works to ensure the processing accuracy of the application can be considered an application control. Necessary controls belonging to this category are discussed in separate headings.

| Application Control | Description of Control |
|---|---|
| Boundary | Comprises the components that establish the interface between the user and the system. |
| Input | Comprises the components that capture, prepare, and enter commands and data into the system. |
| Communication | Comprises the components that transmit data among subsystems and systems. |
| Processing | Comprises the components that perform decision making, computation, classification, ordering, and summarization of data in the system. |
| Database | Comprises the components that define, add, access, modify, and delete data in the system. |
| Output | Comprises the components that retrieve and present data to users of the system. |

1. Explain Managerial controls in detail

Managerial Functions Based Controls

(i) Top Management and Information Systems Management Controls: The senior managers who take responsibility for the IS function in an organization face many challenges. The major functions that a senior manager must perform are as follows:

Ø Planning – determining the goals of the information systems function and the means of achieving these goals;
· Preparing the plan: This involves the following tasks:
§ Recognizing opportunities and problems that confront the organization, to which information technology and information systems can be applied cost-effectively;
§ Identifying the resources needed to provide the required information technology and information systems; and
§ Formulating strategies and tactics for acquiring the needed resources.
· Types of plans: Top management must prepare two types of plans for the information systems function: a Strategic plan and an Operational plan. The Strategic Plan is the long-run plan covering, say, the next three to five years of operations, whereas the Operational Plan is the short-run plan covering, say, the next one to three years of operations.
· Role of a Steering Committee: The steering committee shall comprise representatives from all areas of the business, and IT personnel. The committee would be responsible for the overall direction of IT.

Ø Organizing – gathering, allocating, and coordinating the resources needed to accomplish the goals;
· Resourcing the Information Systems Function: These resources include hardware, software, personnel, finances and facilities. Adequate funding should be provided to support the acquisition and development of resources.
· Staffing the Information Systems Function: Staffing the information systems function involves three major activities: acquisition of information systems personnel; development of information systems personnel through training; and termination of information systems personnel.

Ø Leading – motivating, guiding, and communicating with personnel. The purpose of leading is to achieve harmony of objectives, i.e. a person's or group's objectives must not conflict with the organization's objectives.
· Motivating and Leading Information Systems Personnel: Though many theories exist, there is no one best way of motivating and guiding all people, and thus the strategies for motivating/leading people need to change depending upon the particular characteristics of an individual person.
· Communicating with IS Personnel: Effective communications are also essential to promoting good relationships and a sense of trust among personnel.

Ø Controlling – comparing actual performance with planned performance as a basis for taking any corrective actions that are needed.
· Overall Control of IS function: When top managers seek to exercise overall control of the information systems function, two questions arise:
§ How much should the organization be spending on the information systems function?
§ Is the organization getting value for money from its information systems function?
· Control of Information System Activities: Top managers should seek to control the activities on the basis of Policies and Procedures.

(ii) Systems Development Management Controls:

System development includes the activities for developing a new system, and system development processes follow the System Development Life Cycle (SDLC) steps. Thus, system development controls are mainly controls related to the SDLC.

1. System Authorization Activities
· All new systems requests must be properly authorized, to ensure that their economic and other feasibilities are evaluated.
· As with any transaction, a system's authorization should be formal and in writing.

2. User Specification Activities
· Users must be actively involved in the systems development process.
· User involvement should not be ignored because of a high degree of technical complexity in the system.
· A user specification document should be created by the joint efforts of the user and systems professionals.

3. Technical Design Activities
· The technical design activities in the SDLC translate the user specifications into a set of detailed technical specifications of a system that meets the user's needs.
· The scope of these activities includes general systems design and detailed systems design.

4. Program Testing
· All programs must be thoroughly tested before they are implemented.
· The results of the tests are then compared against predetermined results to identify programming and logic errors.

5. User Test and Acceptance Procedures
· Just before implementation, the individual modules of the system must be tested as a unified whole.
· A test team comprising user personnel, systems professionals, and internal audit personnel subjects the system to rigorous testing.
· Once the test team is satisfied that the system meets its stated requirements, the system is formally accepted by the user departments.

6. Internal Auditor's Participation
· The internal auditor plays an important role in the control of systems development activities, particularly in organizations whose users lack technical expertise.
· The auditor's involvement should be continued throughout all phases of the development process and into the maintenance phase.

(iii) Programming Management Controls: Program development and implementation is a major phase within the systems development life cycle. The primary objectives of this phase are to produce or acquire, and to implement, high-quality programs. The program development life cycle comprises six major phases – Planning; Design; Control; Coding; Testing; and Operation and Maintenance – with the Control phase running in parallel with all other phases, as shown in the table below. The purpose of the control phase during software development or acquisition is to monitor progress against plan and to ensure that software released for production use is authentic, accurate, and complete.

| Phase | Controls |
|---|---|
| Planning | Techniques like Work Breakdown Structures (WBS) and PERT (Program Evaluation and Review Technique) charts can be used to monitor progress against plan. |
| Design | A systematic approach to program design, such as any of the structured design approaches, is adopted. |
| Coding | Programmers must choose a module implementation and integration strategy and a documentation strategy (to ensure program code is easily readable and understandable). |
| Testing | Three types of testing can be undertaken: Unit Testing, which focuses on individual program modules; Integration Testing, which focuses on groups of program modules; and Whole-of-Program Testing, which focuses on the whole program. These tests are to ensure that a developed or acquired program achieves its specified requirements. |
| Operation and Maintenance | Three types of maintenance can be used: Corrective Maintenance, in which program errors are corrected; Adaptive Maintenance, in which the program is modified to meet changing user requirements; and Perfective Maintenance, in which the program is tuned to decrease resource consumption. |

(iv) Data Resource Management Controls: Many organizations now recognize that data is a critical resource that must be managed properly, and accordingly centralized planning and control are implemented. For data to be managed better, users must be able to share data, and data must be available to users when it is needed, in the location where it is needed, and in the form in which it is needed. Further, it must be possible to modify data fairly easily, and the integrity of the data must be preserved. If a data repository system is used properly, it can enhance data and application system reliability. It must be controlled carefully, however, because the consequences are serious if the data definition is compromised or destroyed. Careful control should be exercised over the roles by appointing senior, trustworthy persons, separating duties to the extent possible, and maintaining and monitoring logs of the data administrator's and database administrator's activities.

The control activities involved in maintaining the integrity of the database are as under:

· Definition Controls: These controls are placed to ensure that the database always corresponds to and complies with its definition standards.

· Access Controls: Access controls are designed to prevent unauthorized individuals from accessing data. Controls are established in the following manner:
§ User Access Controls: through passwords, tokens and biometric controls; and
§ Data Encryption: keeping the data in the database in encrypted form.

· Update Controls: These controls restrict update of the database to authorized users in two ways:
§ By permitting only addition of data to the database; and
§ By allowing users to change or delete existing data.

· Existence/Backup Controls: These ensure the existence of the database by establishing backup and recovery procedures. Various backup strategies are given as follows:
§ Dual recording of data: Under this strategy, two complete copies of the database are maintained. The databases are concurrently updated.
§ Periodic dumping of data: This strategy involves taking a periodic dump of all or part of the database onto some backup storage medium – magnetic tape, removable disk, optical disk etc. The dump may be scheduled.
§ Logging input transactions: This involves logging the input data transactions which cause changes to the database. Normally, this works in conjunction with a periodic dump.
§ Logging changes to the data: This involves copying a record each time it is changed.

(v) Quality Assurance Management Controls:

Quality Assurance management is concerned with ensuring that:
· Information systems produced by the information systems function achieve certain quality goals; and
· Development, implementation, operation and maintenance of information systems comply with a set of quality standards.

The reasons for the emergence of Quality Assurance in many organizations are as follows:
· Users are becoming more demanding in terms of the quality of the software they employ to undertake their work.
· Organizations are undertaking more ambitious information systems projects that require more stringent quality requirements.
· Organizations are becoming more concerned about their liabilities if they produce and sell defective software.
· Improving the quality of information systems is part of a worldwide trend among organizations to improve the quality of the goods and services they sell.

Quality Assurance (QA) personnel should work to improve the quality of information systems produced, implemented, operated, and maintained in an organization. They perform a monitoring role for management to ensure that:
· Quality goals are established and understood clearly by all stakeholders; and
· Compliance occurs with the standards that are in place to attain quality information systems.

(vi) Security Management Controls: Information security administrators are responsible for ensuring that information systems assets categorized under Personnel, Hardware, Facilities, Documentation, Supplies, Data, Application Software and System Software are secure. Assets are secure when the expected losses that will occur over some time are at an acceptable level. The controls classified on the basis of "Nature of Information System Resources – Environmental Controls, Physical Controls and Logical Access Controls (discussed in chapter 3)" are all security measures against the possible threats.

Some of the major threats to the security of information systems, and their controls, are discussed in the following table:

| Threat | Control |
|---|---|
| Fire | Well-designed, reliable fire-protection systems must be implemented. |
| Water | Facilities must be designed and sited to mitigate losses from water damage. |
| Energy Variations | Voltage regulators, circuit breakers, and uninterruptible power supplies can be used. |
| Structural Damage | Facilities must be designed to withstand structural damage. |
| Pollution | Regular cleaning of facilities and equipment should occur. |
| Unauthorized Intrusion | Physical access controls can be used. |
| Viruses and Worms | Controls to prevent use of virus-infected programs and to close security loopholes that allow worms to propagate. |
| Misuse of software, data and services | Code of conduct to govern the actions of information systems employees. |
| Hackers | Strong, logical access controls to mitigate losses from the activities of hackers. |

However, in spite of the controls in place, there is a possibility that a control might fail. When disaster strikes, it must still be possible to recover operations and mitigate losses using the last-resort controls: a Disaster Recovery Plan (DRP) and Insurance.

· DRP: A comprehensive DRP comprises four parts – an Emergency Plan, a Backup Plan, a Recovery Plan and a Test Plan. The plan lays down the policies, guidelines, and procedures for all Information System personnel.

· Insurance: Adequate insurance must be able to replace Information Systems assets and to cover the extra costs associated with restoring normal operations. Policies usually can be obtained to cover resources like Equipment, Facilities, Storage Media, Valuable Papers and Records etc.

(vii) Operations Management Controls: Operations management is responsible for the daily running of hardware and software facilities. Operations management typically performs controls over the functions below:

· Computer Operations: The controls over computer operations govern the activities that directly support the day-to-day execution of either test or production systems on the hardware/software platform available. Three types of controls fall under this category:
§ Operation controls
§ Scheduling controls
§ Maintenance controls

· Network Operations: This includes the proper functioning of network operations and monitoring the performance of network communication channels, network devices, and network programs and files. Data may be lost or corrupted through component failure. The primary components in the communication sub-systems are given as follows:
§ Communication lines, viz. twisted pair, coaxial cables, fiber optics, microwave and satellite etc.
§ Hardware – ports, modems, multiplexers, switches and concentrators etc.
§ Software – packet switching software, polling software, data compression software etc.
Due to component failure, transmission between sender and receiver may be disrupted, destroyed or corrupted in the communication system.

· File Library: This includes the management of an organization's machine-readable storage media like magnetic tapes, cartridges, and optical disks.

· Documentation and Program Library: Documentation librarians ensure that documentation is stored securely; that only authorized personnel gain access to documentation; that documentation is kept up-to-date; and that adequate backup exists for documentation. Documentation will include security policy, BCP/DRP, system development related documents etc.

· Help Desk/Technical support: This assists end-users to employ end-user hardware and software such as micro-computers, spreadsheet packages, database management packages etc., and also provides technical support for production systems by assisting with problem resolution.

· Capacity Planning and Performance Monitoring: Regular performance monitoring facilitates capacity planning, wherein resource deficiencies must be identified well in time so that the resources can be made available when they are needed.

· Management of Outsourced Operations: This has the responsibility for carrying out day-to-day monitoring of the outsourcing contract.

Application Controls

· Application controls deal with exposures or risks within the application in terms of input, processing and output. For example, a banking application or a railway application needs controls for error-free inputs, processing and outputs.

· Application Controls can be divided into the following major categories / types:
§ Boundary Controls,
§ Input Controls,
§ Process Controls,
§ Output Controls,
§ Database Controls,
§ Communication Controls

1. Boundary Controls:
§ Boundary Controls establish the interface between the user of the system and the system itself.
§ The major controls of the boundary system are the Access controls. Access controls are implemented with an access control mechanism that links the authentic users to the authorized resources they are permitted to access.
§ The access control mechanism has three steps, "identification", "authentication" and "authorization", with respect to the access control policy.
§ Examples of Boundary Control techniques are:
o Cryptography
o Passwords
o Personal Identification Number
o Identification Cards
o Biometric devices

2. Input controls:
· The data collection component of an information system is responsible for bringing data into the system for processing. Input control at this stage ensures that data input is valid, accurate and complete. Data input can be either by using a source document or by direct input (online).

· Input controls are divided into the following broad classes:
§ Source Document Control,
§ Data Coding Controls,
§ Batch Controls, and
§ Validation Controls.

(a) Source Document Controls:
· Source documents are a major cause of errors and frauds in any accounting system. Controls must be applied in any system which uses source documents to input transactions, to ensure error-free inputs to the system. Organizations must implement control procedures over source documents to avoid any document fraud.

· The following controls can be exercised for Source Document Control:
§ Use pre-numbered source documents: Source documents should come pre-numbered from the printer with a unique sequential number on each document. Source document numbers enable accurate accounting of document usage and provide an audit trail for tracing transactions through accounting records.
§ Use source documents in sequence: Source documents should be distributed to the users and used in sequence. This requires that adequate physical security be maintained over the source document inventory at the user site. When not in use, documents should be kept under lock and key, and access to source documents should be limited to authorized persons.
§ Periodically audit source documents: Missing source documents should be identified by reconciling document sequence numbers. Periodically, the auditor should compare the numbers of documents used to date with those remaining in inventory plus those voided due to errors. Documents not accounted for should be reported to management.

(b) Data Coding Controls:

Data Coding Controls are required primarily to check two types of errors which can corrupt a data code and cause processing errors, i.e. transcription and transposition errors.

Transcription Errors: These fall into three classes:
§ Addition errors occur when an extra digit or character is added to the code. For example, inventory item number 83276 is recorded as 832766.
§ Truncation errors occur when a digit or character is removed from the end of a code. In this type of error, the inventory item above would be recorded as 8327.
§ Substitution errors are the replacement of one digit in a code with another. For example, code number 83276 is recorded as 83266.

Transposition Errors: There are two types of transposition errors:
§ Single transposition errors occur when two adjacent digits are reversed. For instance, 12345 is recorded as 21345.
§ Multiple transposition errors occur when nonadjacent digits are transposed. For example, 12345 is recorded as 32154.

Controls for Data Coding Errors: Addition and Truncation errors can be controlled by using fixed-length codes, e.g. a 16-digit account number. Substitution and Transposition errors can be controlled by using the check digit control method.
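The two controls just named can be tried against the error examples above. The following is an added example, not part of the original notes: the notes do not name a check digit scheme, so a modulus-11 position-weighted check character is assumed here, together with a fixed code length of five digits plus one check character. The keyed-in values are constructed from the notes' examples with the check character appended.

```python
DIGITS = "0123456789"
CHECK_CHARS = DIGITS + "X"     # a remainder of 10 is written as X
CODE_LENGTH = 6                # assumed: 5 payload digits + 1 check character


def check_char(payload):
    """Modulus-11 check character: weight each digit by its position (1, 2, 3, ...)."""
    total = sum(pos * int(d) for pos, d in enumerate(payload, start=1))
    return CHECK_CHARS[total % 11]


def issue(payload):
    """Append the check character when the code is first assigned."""
    if len(payload) != CODE_LENGTH - 1 or any(ch not in DIGITS for ch in payload):
        raise ValueError("payload must be exactly %d digits" % (CODE_LENGTH - 1))
    return payload + check_char(payload)


def validate(code):
    """Return 'ok', or the name of the control that rejected the code."""
    if len(code) != CODE_LENGTH:
        return "length"                      # addition and truncation errors
    payload, check = code[:-1], code[-1]
    if any(ch not in DIGITS for ch in payload) or check not in CHECK_CHARS:
        return "characters"
    if check_char(payload) != check:
        return "check digit"                 # substitution and transposition errors
    return "ok"


def undetected_errors(code):
    """Try every single substitution and every two-position swap of a valid code."""
    missed = []
    for i, original in enumerate(code):
        alphabet = CHECK_CHARS if i == len(code) - 1 else DIGITS
        for ch in alphabet:
            if ch != original:
                bad = code[:i] + ch + code[i + 1:]
                if validate(bad) == "ok":
                    missed.append(bad)
    for i in range(len(code)):
        for j in range(i + 1, len(code)):
            if code[i] != code[j]:
                chars = list(code)
                chars[i], chars[j] = chars[j], chars[i]
                if validate("".join(chars)) == "ok":
                    missed.append("".join(chars))
    return missed


ITEM = issue("83276")      # inventory item number from the notes
SERIAL = issue("12345")    # transposition example from the notes

# Constructed keyed-in values: the notes' error examples plus the check character.
KEYED_IN = {
    "addition": "8327661",               # 83276 keyed as 832766
    "truncation": "83271",               # 83276 keyed as 8327
    "substitution": "832661",            # 83276 keyed as 83266
    "single transposition": "213450",    # 12345 keyed as 21345
    "multiple transposition": "321540",  # 12345 keyed as 32154
}


def demo():
    return {name: validate(code) for name, code in KEYED_IN.items()}


if __name__ == "__main__":
    print(ITEM, SERIAL)
    for name, verdict in demo().items():
        print(f"{name:24s} rejected by: {verdict}")
    print("undetected:", undetected_errors(ITEM) + undetected_errors(SERIAL))
```

The exhaustive sweep in `undetected_errors` holds for this scheme because 11 is prime and every position weight is distinct and smaller than 11; a scheme with a composite modulus would not give the same guarantee.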

(c) Batch Controls: Batching is the process of grouping together transactions that bearsome type of relationship to each other. Various controls can be exercises over the batchto prevent or detect errors or irregularities. Two types of batches occur:• Physical Controls: These controls are groups of transactions that constitute a physicalunit. For example – source documents might be obtained via the email, assembled intobatches, spiked and tied together, and then given to a data-entry clerk to be entered intoan application system at a terminal.

Page 139: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

J.K.SHAH CLASSES INTER C.A. – I.T.

: 117 :

• Logical Controls: These are group of transactions bound together on some logicalbasis, rather than being physically contiguous. For example - different clerks might usethe same terminal to enter transaction into an application system. Clerks keep controltotals of the transactions into an application system.

To identify errors or irregularities in either a physical or logical batch, three types of control totals can be calculated, as shown in the following table:

| Control Total Type | Explanation |
|---|---|
| Financial totals | Grand totals calculated for each field containing money amounts. |
| Hash totals | Grand totals calculated for any code on a document in the batch, e.g. the source document serial numbers can be totaled. |
| Document/Record Counts | Grand totals for the number of documents or records in the batch. |
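The three control totals in the table, worked through on a small batch. This is an added example, not part of the original notes; the voucher fields, the sample batch and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class Voucher:
    serial_no: int    # source document serial number, summed for the hash total
    account: str
    amount: Decimal   # money field, summed for the financial total


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    financial_total: Decimal
    hash_total: int


def control_totals(vouchers):
    """Compute the three control totals for a batch of vouchers."""
    return ControlTotals(
        record_count=len(vouchers),
        financial_total=sum((v.amount for v in vouchers), Decimal("0")),
        hash_total=sum(v.serial_no for v in vouchers),
    )


def reconcile(header, keyed):
    """Compare the totals written on the batch header with totals recomputed
    from the keyed records; return the names of the totals that disagree."""
    actual = control_totals(keyed)
    return [name for name in ("record_count", "financial_total", "hash_total")
            if getattr(header, name) != getattr(actual, name)]


# Constructed sample batch, as assembled from the source documents.
SOURCE_BATCH = [
    Voucher(1001, "4010", Decimal("1250.00")),
    Voucher(1002, "4010", Decimal("310.50")),
    Voucher(1003, "5020", Decimal("75.25")),
    Voucher(1004, "4010", Decimal("1250.00")),
]
HEADER = control_totals(SOURCE_BATCH)   # totals prepared before data entry


def keyed_with(change):
    """Return the batch as a data-entry clerk might have keyed it."""
    batch = list(SOURCE_BATCH)
    if change == "amount_miskeyed":      # 310.50 keyed as 301.50
        batch[1] = Voucher(1002, "4010", Decimal("301.50"))
    elif change == "document_dropped":   # voucher 1003 never entered
        del batch[2]
    elif change == "wrong_document":     # 1040 keyed instead of 1004, same amount
        batch[3] = Voucher(1040, "4010", Decimal("1250.00"))
    return batch


if __name__ == "__main__":
    for case in ("clean", "amount_miskeyed", "document_dropped", "wrong_document"):
        print(f"{case:18} mismatched totals: {reconcile(HEADER, keyed_with(case))}")
```

The last case is the reason a hash total is kept: the record count and the financial total both agree, and only the otherwise meaningless sum of serial numbers shows that a different document was entered.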

(d) Validation Controls:
· Input validation controls are used for detecting errors in data before the data is processed.
· Depending upon the type of information system, data validation for input may occur at various points in the system. Some validations occur at the time of entry, some are performed by each processing module prior to updating the master file record, and some are done by the back-end database.
· There are three levels of input validation controls:
(i) Field Interrogation
(ii) Record Interrogation
(iii) File Interrogation

(i) Field Interrogation:
· It involves programmed procedures that examine the characters of the data in the field. The following are some common types of field interrogation. Various field checks used to ensure data integrity are described below:
§ Limit Check: This is a basic test for data processing accuracy and may be applied to both the input and output data. The field is checked by the program against predefined limits to ensure that no input/output error has occurred or at least no input error exceeding certain pre-established limits has occurred.
§ Picture Checks: These check against entry into processing of characters that do not match the predefined type (incorrect / invalid characters).
§ Valid Code Checks: Checks are made against predetermined transaction codes to ensure that input data are valid.
§ Check Digit: One method for detecting data coding errors is a check digit. A check digit is a control digit (or digits) added to the code when it is originally assigned that allows the integrity of the code to be established during subsequent processing.
§ Arithmetic Checks: Simple arithmetic is performed in different ways to validate the result of other computations of the values of selected data fields. Example: The discounted amount for 5,000 at 10% discount may be computed twice in the following different ways: 5,000 - 5,000 x 10/100 = 4,500, or next time again at (4,500/(100-10))*100 = 5,000.
§ Cross Checks: These may be employed to verify fields appearing in different files to see that the results tally.
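The fixed-length and check-digit controls described under "Controls for Data Coding Errors" and "Check Digit" above, applied to the error examples from these notes. This is an added example, not part of the original notes: the notes name no particular check-digit scheme, so a modulus-11 weighted check character is assumed here, and all function names are hypothetical.

```python
def check_char(payload):
    """Modulus-11 check character for a numeric code (assumed scheme).

    Digits are weighted 2, 3, 4, ... from right to left; the check value makes
    the weighted sum plus the check value a multiple of 11. A value of 10 is
    written as 'X'.
    """
    if not (payload.isascii() and payload.isdigit()) or len(payload) > 9:
        raise ValueError("payload must be 1 to 9 ASCII digits")
    total = sum(int(d) * w for w, d in enumerate(reversed(payload), start=2))
    value = (11 - total % 11) % 11
    return "X" if value == 10 else str(value)


def assign_code(payload):
    """Append the check character when the code is originally assigned."""
    return payload + check_char(payload)


def validate(code, length):
    """Return 'ok', or the control that rejected the code."""
    if len(code) != length:
        return "length"          # catches addition and truncation errors
    payload, check = code[:-1], code[-1]
    if not (payload.isascii() and payload.isdigit()):
        return "format"
    if check_char(payload) != check:
        return "check_digit"     # catches substitution and transposition errors
    return "ok"


def undetected_single_errors(code):
    """Try every single-digit substitution and every swap of two positions on a
    valid code; return the corrupted variants that still validate (expected: none)."""
    n, missed = len(code), []
    for i in range(n):
        for d in "0123456789":
            if d != code[i]:
                variant = code[:i] + d + code[i + 1:]
                if validate(variant, n) == "ok":
                    missed.append(variant)
    for i in range(n):
        for j in range(i + 1, n):
            if code[i] != code[j]:
                chars = list(code)
                chars[i], chars[j] = chars[j], chars[i]
                if validate("".join(chars), n) == "ok":
                    missed.append("".join(chars))
    return missed


if __name__ == "__main__":
    item = assign_code("83276")      # five-digit item number plus check character
    other = assign_code("12345")
    cases = {
        "valid": item,
        "addition": item + "6",
        "truncation": item[:-1],
        "substitution (83276 -> 83266)": "83266" + item[-1],
        "single transposition (12345 -> 21345)": "21345" + other[-1],
        "multiple transposition (12345 -> 32154)": "32154" + other[-1],
    }
    for name, code in cases.items():
        print(f"{name:42} {code:8} {validate(code, 6)}")
```

With a prime modulus and distinct weights, every single substitution and every swap of two positions changes the weighted sum by a non-multiple of 11, which is what `undetected_single_errors` confirms; errors involving several swaps at once, such as 32154, are caught in this instance but are not guaranteed in general.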

(ii) Record Interrogation:
This includes the following:
§ Reasonableness Check: Whether the value specified in a field is reasonable for that particular field?
§ Valid Sign: The contents of one field may determine which sign is valid for a numeric field.
§ Sequence Check: Whether physical records follow a required order matching with logical records?

(iii) File Interrogation:
· The purpose of file interrogation is to check that the correct file is being processed.
· These controls are for master files, which contain permanent records of the firm and which, if destroyed or corrupted, are difficult to replace.
§ Version Usage: The proper version of a file should be used for processing. In this regard it should be ensured that only the most current file is processed.
§ Internal and External Labeling: Labeling of storage media is important to ensure that the proper files are loaded for processing. Where there is a manual process for loading files, external labeling is important to ensure that the correct file is being processed. Where there is an automated tape loader system, internal labeling is more important.
§ Data File Security: Unauthorized access to data files should be prevented, to ensure their confidentiality, integrity and availability.
§ File Updating and Maintenance Authorization: Sufficient controls should exist to ensure that only authorized persons make modifications / updates to the files maintained.

3. Processing Controls:

The processing subsystem is responsible for computing, sorting, classifying, and summarizing data. Its major components are the Central Processor in which programs are executed, the real or virtual memory in which program instructions and data are stored, the operating system that manages system resources, and the application programs that execute instructions to achieve specific user requirements.

(i) Processor Controls: The processor has three components:
(a) A Control unit, which fetches programs from memory and determines their type;
(b) An Arithmetic and Logical Unit, which performs operations; and
(c) Registers, that are used to store temporary results and control information.

Four types of controls that can be used to reduce expected losses from errors and irregularities associated with Central processors are explained in the table:

| Control | Explanation |
|---|---|
| Error Detection and Correction | Occasionally, processors might malfunction. The causes could be design errors, manufacturing defects, damage etc. Various types of error detection and correction strategies must be used. |
| Timing Controls | An operating system might get stuck in an infinite loop. In the absence of any control, the program will retain use of the processor and prevent other programs from undertaking their work. |
| Component Replication | In some cases, processor failure can result in significant losses. In such cases redundant processors should be there which can perform the task. |

(ii) Real Memory Controls: This comprises the fixed amount of primary storage in which programs or data must reside for them to be executed or referenced by the central processor. Real memory controls seek to detect and correct errors that occur in memory and to protect areas of memory assigned to a program from illegal access by another program.

(iii) Virtual Memory Controls: Virtual Memory exists when the addressable storage space is larger than the available RAM. To achieve this outcome, a control mechanism must be in place that maps virtual memory addresses into real memory addresses.

(iv) Data Processing Controls:
· After the input validations, the transactions enter the processing stage. In the processing stage, the controls help ensure correct processing of transactions.
· The processing controls are divided into the following categories:
§ Run-to-run Totals: These help in verifying data that is subject to processing through different stages. For example, if the current balance of an invoice ledger is 150,000 and the additional invoices for the period total 20,000, then the total sales value should be 170,000. A specific record, probably the last record, can be used to maintain the control total.
§ Reasonableness Verification: Two or more fields can be compared and cross-verified to ensure their correctness. For example, the statutory percentage of provident fund can be calculated on the gross pay amount to verify if the provident fund contribution deducted is accurate.
§ Edit Checks: Edit checks similar to the data validation controls can also be used at the processing stage to verify accuracy and completeness of data.
§ Field Initialization: Fields are only added to a record after initializing it, i.e. setting all values to zero/blank before inserting the information. This is done to ensure that data overflow does not occur if records are constantly added to a table.
§ Exception Reports: Exception reports are generated to identify errors in the data processed. Such exception reports give the transaction code and the error that occurred in processing the transaction. For example, while processing a journal entry, if only the debit entry was updated and the credit entry was not updated due to the absence of one of the important fields, then the exception report would detail the transaction code and why it was not updated in the database.

4. Output Controls:
· These controls ensure that error-free output is delivered to authorized users and in a secured manner.
· Controls can be for different forms of output (i.e. for printed and display outputs), and can be for batch processing and online systems.
· Some of the key output controls are:
§ Storage and logging of sensitive, critical forms: Pre-printed stationery should be stored securely and only authorized persons should be allowed access to stationery supplies such as negotiable instruments etc.
§ Spooling / queuing section: “Spool” is an acronym for Simultaneous Peripherals Operations Online. This is a process used to ensure that the user is able to continue working while the print operation is getting completed. When a file is to be printed, the operating system stores the data stream to be sent to the printer in a temporary file on the hard disk. This file is then spooled to the printer as soon as the printer is ready to accept the data. This intermediate storage of output could lead to unauthorized disclosure and/or modification. A queue is the list of documents waiting to be printed on a particular printer; this should not be subject to unauthorized modifications.
§ Controls over printing: Outputs should be made on the correct printer. Users must be trained to select the correct printer, and access restrictions may be placed on the workstations that can be used for printing.
§ Report distribution and collection controls: Distribution of reports should be made in a secure way to prevent unauthorized disclosure of data. It should be made immediately after printing to ensure that the time gap between generation and distribution is reduced. A log should be maintained for reports that were generated and to whom these were distributed. Uncollected reports should be stored securely.
§ Retention controls: Retention controls consider the duration for which outputs should be retained before being destroyed. Various factors, ranging from the need for the output and the use of the output to legislative requirements, would affect the retention period.

5. Database controls: (PM)
§ Meaning: These controls are used for protecting the integrity of the database when users update the database through application software.
§ Database controls are categorized into:
i) Update control:
Ø Sequence check when the transaction file updates the master file, to ensure correct updating.
Ø Ensure all records in the transaction file are processed: While processing, the transaction file records are mapped to the respective master file records, and the end-of-file of the transaction file with respect to the end-of-file of the master file is to be ensured.
Ø Ensure every transaction record is processed in the correct order.
Ø Maintain a suspense account: When mapping between the master record and the transaction record results in a mismatch due to failure, these transactions are maintained in a suspense account. A nonzero balance in the suspense account reflects the errors to be corrected.
ii) Report control:
Ø Print Suspense Account Entries: Similar to the update controls, the suspense account entries are to be periodically monitored with the respective error file and action taken on time.
Ø Review existence of backup & recovery controls to ensure safe recovery of data in any adverse situation.
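The update controls above and the run-to-run total described under Data Processing Controls, combined in one master file update run. This is an added example, not part of the original notes; the file layout, the trailer record holding the control totals, the account numbers and the function names are assumptions made for illustration, with the 150,000 and 20,000 figures taken from the run-to-run example.

```python
class SequenceError(Exception):
    """Raised when the transaction file is not in master-key order."""


def update_master(master, transactions, trailer):
    """Apply a sorted transaction file to a master file.

    master:       dict of account number -> balance
    transactions: list of (txn_id, account_no, amount), sorted by account_no
    trailer:      (record_count, amount_total) carried forward from the run
                  that produced the transaction file
    Returns (new_master, suspense, report). The input master is left
    untouched, so a rejected run does not leave it half-updated.
    """
    new_master = dict(master)
    suspense = []
    previous_key = None
    for txn_id, account_no, amount in transactions:
        # Sequence check: keys must never go backwards.
        if previous_key is not None and account_no < previous_key:
            raise SequenceError(f"{txn_id}: key {account_no} follows {previous_key}")
        previous_key = account_no
        if account_no in new_master:
            new_master[account_no] += amount
        else:
            # No matching master record: hold the item in suspense.
            suspense.append((txn_id, account_no, amount))

    expected_count, expected_total = trailer
    opening = sum(master.values())
    closing = sum(new_master.values())
    suspense_balance = sum(amount for _, _, amount in suspense)
    report = {
        # End-of-file control: did we read as many records as the trailer says?
        "all_records_read": len(transactions) == expected_count,
        # Run-to-run total: opening balance plus the control total from the
        # previous run must equal closing balance plus items held in suspense.
        "run_to_run_ok": opening + expected_total == closing + suspense_balance,
        "closing_total": closing,
        "suspense_balance": suspense_balance,   # nonzero means errors to clear
    }
    return new_master, suspense, report


# Constructed sample data.
MASTER = {"A100": 90_000, "A200": 60_000}              # opening total 150,000
TRANSACTIONS = [
    ("T1", "A100", 12_000),
    ("T2", "A100", 3_000),
    ("T3", "A150", 1_500),                             # no such master record
    ("T4", "A200", 3_500),
]
TRAILER = (4, 20_000)                                  # totals from the input run

if __name__ == "__main__":
    _, suspense, report = update_master(MASTER, TRANSACTIONS, TRAILER)
    print("complete file :", report, suspense)
    _, _, report = update_master(MASTER, TRANSACTIONS[:3], TRAILER)
    print("truncated file:", report)
```

The truncated run shows why the control totals travel with the file: with the last record missing, both the record count and the run-to-run total disagree with the trailer.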

6. Communication Controls:
(a) Physical Component Controls: These controls incorporate features that mitigate the possible effects of exposures. The table below gives an overview of how physical components can affect communication subsystem reliability.

Transmission Media: It is a physical path along which a signal can be transmitted between a sender and a receiver. It is of two types:
• Guided/Bound Media, in which the signals are transported along an enclosed physical path like twisted pair, coaxial cable, and optical fiber.
• Unguided Media, in which the signals propagate via free-space emission like satellite microwave, radio frequency and infrared.

Communication Lines: The reliability of data transmission can be improved by choosing a private (leased) communication line rather than a public communication line.

Modem:
• Increases the speed with which data can be transmitted over a communication line.
• Reduces the number of line errors that arise through distortion if they use a process called equalization.
• Reduces the number of line errors that arise through noise.

(b) Line Error Control: Whenever data is transmitted over a communication line, recall that it can be received in error because of attenuation, distortion, or noise that occurs on the line. These errors must be detected and corrected.
· Error Detection: The errors can be detected by either using a loop (echo) check or building some form of redundancy into the message transmitted.
· Error Correction: When line errors have been detected, they must then be corrected using either forward error correcting codes or backward error correcting codes.

(c) Flow Controls: Flow controls are needed because two nodes in a network can differ in terms of the rate at which they can send, receive, and process data. To ensure proper communication, flow controls are required.

(d) Topological Controls: A communication network topology specifies the location of nodes within a network and the ways in which these nodes will be linked.
· Local Area Network Topologies:
§ They are implemented using four basic types of topologies: (1) Bus topology, (2) Tree topology, (3) Ring topology, and (4) Star topology. Hybrid topologies like the star-ring topology and the star-bus topology are also used.
· Wide Area Network Topologies:
§ With the exception of the bus topology, all other topologies that are used to implement LANs can also be used to implement WANs.

(e) Internetworking Controls: Internetworking is the process of connecting two or more communication networks together to allow the users of one network to communicate with the users of other networks. Three types of devices are used to connect networks, viz. Bridge, Router and Gateway, as shown in the following table:

| Device | Functions |
|---|---|
| Bridge | A bridge connects similar local area networks (e.g. one token ring network to another token ring network). |
| Router | A router performs all the functions of a bridge. In addition, it can connect heterogeneous local area networks (e.g. a bus network to a token ring network). |
| Gateway | Their primary function is to perform protocol conversion to allow different types of communication architectures to communicate with one another. |

Section 3 - Information Systems Auditing

1. Meaning of IS Auditing & Objectives of IS Auditing

IS Audit is defined as the process of attesting the following objectives:
· Asset Safeguarding Objectives: The information system assets (hardware, software, data information etc.) must be protected by a system of internal controls from unauthorised access.
· Maintenance of Privacy: Audit of Information Systems ensures that data collected in a business process are adequately guarded and their privacy is maintained.
· System Effectiveness Objectives: Audit of Information Systems ensures that the effectiveness of a system is continuously evaluated by auditing the characteristics and objectives of the system to ascertain that it meets substantial user requirements.
· System Efficiency Objectives: Control and Audit of Information Systems are required to optimize the use of various information system resources.

2. Why do we need control & audit of information systems?
Factors which influence implementation of controls and audit.
The following factors are the driving force for controls and audit / Need for IS Control and Audit:

· To prevent Organisational Costs of Data Loss: Audit of Information Systems is required to protect against data loss, as data is the most critical resource for an organisation for its present as well as future development.
· To ensure Correct Decision Making: Audit of Information Systems ensures that accurate data is available for managers to take high-level decisions.
· To control Costs of Computer Abuse: Unauthorised access to computer systems and computer viruses can lead to destruction of assets (hardware, software, documentation etc.), and Audit of Information Systems is required to verify such access.
· To protect Hardware, Software and Personnel: Hardware, software and personnel are critical resources of an organization which have a significant impact on business competitiveness, and audit activities support the same.
· To avoid High Costs of Computer Error: In a computerized enterprise environment where many critical business processes are performed, a data error during entry or processing would cause great damage. Such damage is intended to be avoided.

3. Explain Audit Documentation.

· According to SA-230, Audit Documentation refers to the record of audit procedures performed, relevant audit evidence obtained, and conclusions the auditor reached (terms such as working papers or work papers are also sometimes used).
· The objects of an auditor’s working papers are to record and demonstrate the audit work from one year to another.
· Evidences are also necessary for the following purposes:
§ Means of controlling current audit work;
§ Evidence of audit work performed;
§ Schedules supporting or additional item in the accounts; and
§ Information about the business being audited, including the recent history.
· In an IS environment, the critical issue is that evidences are not available in physical form, but are in electronic form. Following is the list of actions that the auditor needs to take to address the problems:
§ Use of special audit techniques, referred to as Computer Assisted Audit Techniques, for documenting evidences.
§ Audit timing can be so planned that the auditor is able to validate transactions as they occur in the system.

4. Explain inherent limitations of Audit.

Any opinion formed by the auditor is subject to inherent limitations of an audit, which include:
§ The nature of financial reporting;
§ The nature of audit procedures;
§ The need for the audit to be conducted within a reasonable period of time and at a reasonable cost.
§ The matter of difficulty, time, or cost involved is not in itself a valid basis for the auditor to omit an audit procedure for which there is no alternative or to be satisfied with audit evidence that is less than persuasive.
§ Fraud, particularly fraud involving senior management or collusion.
§ The existence and completeness of related party relationships and transactions.
§ The occurrence of non-compliance with laws and regulations.
§ Future events or conditions that may cause an entity to cease to continue as a going concern.

Concurrent & Continuous Audit

1. Why is there a need to use the Concurrent Audit technique? What are its different types?

Need for Continuous Audit: Online systems process heavy volumes of data and leave very little audit trail. In such cases, evidence gathered after data processing is insufficient for audit purposes. Also, it may be difficult to stop the system in order to perform the audit tests. Hence there is a need to use concurrent audit techniques, i.e. continuous monitoring of the system to collect audit evidence even while data are being processed in the live area.

Types of Audit tools: 1) Snapshot, 2) Integrated Test Facility (ITF), 3) System Control Audit Review File (SCARF), 4) Continuous & Intermittent Simulation (CIS), 5) Audit hooks

2. Write Short note on Snapshot Technique. (PM)

Snapshot Technique:
· Examines the way transactions are processed.
· Selected transaction points are marked with a special code that triggers a snapshot, i.e. takes pictures of transactions as they move through an application system.
· The before image and after image are captured to validate the processing.
· The auditor reviews the images to ensure that the processing logic is executed properly, and to verify its authenticity, accuracy and completeness.

Key areas to focus on while using snapshots are:
(i) Choosing the right location / points based on materiality of the transactions.
(ii) Deciding on the time of capture.
(iii) Reporting system design and implementation to present data in a meaningful way for the auditors to understand.

3. Write Short note on Integrated Test Facility (ITF).

Integrated Test Facility (ITF):
· A small set of fictitious entities is placed in the master file. The entities may be a fictitious division, department or branch office, or a customer or a supplier, for which dummy transactions are created.
· These dummy transactions are processed along with regular records.
· They don’t affect actual records, and employees are unaware of the testing taking place.
· The transactions to be tested have to be tagged. The application software is to be programmed to recognize such transactions and invoke two updates - one for the live data and another for the ITF dummy entries.
· At the end of processing, the system collects ITF records and the processing results.
· The auditor compares these with expected results to verify if controls are working as desired.
· In such cases the auditor has to decide what method would be used to enter test data and the methodology for removal of the effects of the ITF transactions.

4. Write Short note on System Control Audit Review File (SCARF). (PM)

System Control Audit Review File (SCARF):
· It involves embedding audit modules to continuously monitor transaction activities which the auditor feels are material / significant.
· The data deemed important by the auditor are recorded in a SCARF file (say, petty cash payments above Rs. 5000).
· The auditor takes printouts of the SCARF file to examine whether any transactions require follow-up.

5. Write Short note on Continuous & Intermittent Simulation (CIS).

Continuous & Intermittent Simulation (CIS):
Meaning: This is a variation of the SCARF technique. This technique can be used to trap exceptions whenever the application system uses a Database Management System (DBMS).

Working Process:
· Embeds audit modules in a database management system.
· Once the processing logic / condition is programmed, the CIS module examines selected transactions. If found significant, it independently processes the data, similar to parallel simulation.
· Compares the result with that of the database & if variations are found, details are captured in an audit log.
· If serious discrepancies are found, CIS may prevent the DBMS from executing the update process.

Advantage: The advantage of CIS is that it does not require any modification to the application software yet provides an online auditing capability.

6. Write short note on Audit hooks. (PM)

· These are audit routines that flag suspicious transactions.
· For example, internal auditors at an insurance company determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her name or address and then subsequently withdrew funds from the policy. They devised a system of audit hooks to tag records with a name or address change. The internal audit department will investigate these tagged records for detecting fraud.
· When audit hooks are employed, auditors can be informed of questionable transactions as soon as they occur.
· This approach of real-time notification displays a message on the auditor’s terminal.
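The insurance audit hook described above, as an added example that is not part of the original notes. The event names, the sample events and the 30-day review window are assumptions; the notes only say that a withdrawal "subsequently" follows the name or address change.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PolicyEvent:
    day: date
    policy_id: str
    kind: str          # NAME_CHANGE, ADDRESS_CHANGE, WITHDRAWAL or PREMIUM
    amount: int = 0


class AuditHook:
    """Tags policies on a name/address change and raises an alert if a
    withdrawal follows within the review window (window length is assumed)."""

    TAGGING_EVENTS = {"NAME_CHANGE", "ADDRESS_CHANGE"}

    def __init__(self, window_days=30):
        self.window = timedelta(days=window_days)
        self.tagged = {}     # policy_id -> most recent tagging event
        self.alerts = []     # what would be shown on the auditor's terminal

    def observe(self, event):
        if event.kind in self.TAGGING_EVENTS:
            self.tagged[event.policy_id] = event
            return None
        if event.kind != "WITHDRAWAL":
            return None
        change = self.tagged.get(event.policy_id)
        if change is None:
            return None
        elapsed = event.day - change.day
        if timedelta(0) <= elapsed <= self.window:
            alert = {
                "policy_id": event.policy_id,
                "change": change.kind,
                "days_since_change": elapsed.days,
                "amount": event.amount,
            }
            self.alerts.append(alert)
            return alert
        return None


def process(events, hook):
    """Stand-in for the policyholder application: it totals withdrawals per
    policy and lets the hook observe each event as it is processed. The hook
    only reports; it never blocks the transaction."""
    withdrawn = {}
    for event in sorted(events, key=lambda e: e.day):
        hook.observe(event)
        if event.kind == "WITHDRAWAL":
            withdrawn[event.policy_id] = withdrawn.get(event.policy_id, 0) + event.amount
    return withdrawn


# Constructed sample events.
SAMPLE_EVENTS = [
    PolicyEvent(date(2024, 1, 10), "P-003", "NAME_CHANGE"),
    PolicyEvent(date(2024, 3, 1), "P-001", "ADDRESS_CHANGE"),
    PolicyEvent(date(2024, 3, 1), "P-004", "WITHDRAWAL", 10_000),
    PolicyEvent(date(2024, 3, 2), "P-002", "WITHDRAWAL", 5_000),
    PolicyEvent(date(2024, 3, 3), "P-004", "ADDRESS_CHANGE"),
    PolicyEvent(date(2024, 3, 5), "P-001", "WITHDRAWAL", 40_000),   # 4 days after change
    PolicyEvent(date(2024, 3, 20), "P-003", "WITHDRAWAL", 25_000),  # 70 days after change
]

if __name__ == "__main__":
    hook = AuditHook()
    process(SAMPLE_EVENTS, hook)
    for alert in hook.alerts:
        print("AUDIT ALERT:", alert)
```

Only P-001 is reported: P-002 had no change, P-004 withdrew before changing the address, and P-003 falls outside the assumed window, which is the parameter an audit team would tune against its own fraud cases.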

7. Explain Audit Trail.

· Meaning: It refers to recording or logging of activities at the operating system, network, application software, user & database levels.
· Example: Application logs contain details of who initiated a transaction, who authorized it, date & time and other related details etc.

Objectives of audit trail:
Ø Detecting unauthorized access: This detection can be either real-time detection or after-the-fact detection. Real-time detections are alerts configured to trigger even when unauthorized access is being attempted. These are very effective but require a lot of processing resources & a monitoring mechanism.
Ex: An unauthorized user trying a wrong user ID-password three times would be logged by the system.
Ø Facilitate reconstruction of events: Logs keep track of events leading to system failures, security violations & processing errors. These logs help analyze the error condition & prevent future occurrence. Similarly, logs help reconstruct account balances if the files are corrupted.
Ø Fixing accountability: Using logs, a user’s activity can be monitored & this acts as a deterrent against unauthorized access or policy violations by users.

[Q. Explain three major ways by which audit trails can be used to support security objectives.] [PM]

Section 4: Audit of controls

1. Explain role of Auditor in Audit of Environmental Controls
§ Audit of environmental controls requires the IS auditor to conduct physical inspections and observe practices.
§ Auditing environmental controls requires attention to these and other factors and activities, including:
  § Power conditioning: The IS auditor should determine how frequently power conditioning equipment, such as UPS, line conditioners, surge protectors, or motor generators, are used, inspected and maintained and if this is performed by qualified personnel.
  § Backup power: The IS auditor should determine if backup power is available via electric generators or UPS and how frequently they are tested. He or she should examine maintenance records to see how frequently these components are maintained and if this is done by qualified personnel.
  § Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor should determine if HVAC systems are providing adequate temperature and humidity levels, and if they are monitored. Also, the auditor should determine if HVAC systems are properly maintained and if qualified persons do this.
  § Water detection: The IS auditor should determine if any water detectors are used in rooms where computers are used. He or she should determine how frequently these are tested and if they are monitored.
  § Fire detection and suppression: The IS auditor should determine if fire detection equipment is adequate, if staff members understand their function, and if they are tested. He or she should determine how frequently fire suppression systems are inspected and tested, and if the organization has emergency evacuation plans and conducts fire drills.
  § Cleanliness: The IS auditor should examine data centers to see how clean they are. IT equipment air filters and the inside of some IT components should be examined to see if there is an accumulation of dust and dirt.

2. Explain role of Auditor in Audit of Physical Controls

Auditing physical security controls requires knowledge of natural and manmade hazards, physical security controls, and access control systems.

· This involves the following:
§ Assessing the risks associated with the assets, the threats & vulnerabilities.
§ Review of existing controls in place & their adequacy.
§ Planning the audit by review of documents like security policy, layout plan of facilities, list of inventory etc.

The following controls are to be reviewed:

· Siting and Marking: Auditing building siting and marking requires attention to several key factors and features, including:
§ Proximity to hazards: The IS auditor should estimate the building’s distance to natural and manmade hazards, such as dams; rivers; natural gas and petroleum pipelines; flood zones; military bases.
§ Marking: The IS auditor should inspect the building and surrounding area to see if building(s) containing information processing equipment identify the organization. Marking may be visible on the building itself, but also on signs or parking stickers on vehicles.
· Physical barriers: This includes fencing, walls, barbed/razor wire, bollards, and crash gates. The IS auditor needs to understand how these are used to control access to the facility and determine their effectiveness.
· Surveillance: The IS auditor needs to understand how video and human surveillance are used to control and monitor access. He or she needs to understand how (and if) video is recorded and reviewed, and if it is effective in preventing or detecting incidents.
· Guards and dogs: The IS auditor needs to understand the use and effectiveness of security guards and guard dogs.
· Key-Card systems: The IS auditor needs to understand how key-card systems are used to control access to the facility, such as how key-cards are issued, to whom they are issued etc.

3. Explain role of Auditor in Audit of Logical Access Controls

(A) User Access Controls:User access controls are often the only barrier between unauthorized parties andsensitive or valuable information. This makes the audit of user access controlsparticularly significant. Auditing user access controls requires keen attention to severalkey factors and activities in four areas:

1. Auditing User Access Controls: These are to determine if the controls them-selveswork as designed. Auditing user access controls requires attention to several factors,including:· Authentication: The auditor should examine network and system resources to

determine if they require authentication, or whether any resources can beaccessed without first authenticating.

· Access violations: The auditor should determine if systems, networks, andauthentication mechanisms can log access violations. These usually exist inthe form of system logs showing invalid login attempts when any unauthorizeduser tries to log in.

· User account lockout: The auditor should determine if systems and networkscan automatically lock user accounts that are the target of attacks. For ex: lock auser account after five unsuccessful logins attempts within a short period.

· Dormant accounts: The IS auditor should determine if any automated or manualprocess exists to identify and close dormant (unused) accounts.

· Shared accounts: The IS auditor should determine if there are any user accounts shared by more than one person. The principal risk with shared accounts is the inability to determine accountability for actions performed with the account.

2. Auditing Password Management: Auditing password management requires attention to several key technologies and activities, including the following:

· Password standards: The IS auditor needs to examine password configuration settings in areas such as how many characters a password must have and whether there is a maximum length; how frequently passwords must be changed; whether former passwords may be used again; and whether the password is displayed when logging in or when creating a new password.

3. Auditing User Access Provisioning: Auditing the user access provisioning process requires attention to several key activities, including:

· Access request processes: The IS auditor should determine that all user access request processes are used consistently throughout the organization.

· Access approvals: The IS auditor needs to determine how requests are approved and by what authority they are approved.

· New employee provisioning: The IS auditor should examine the new employee provisioning process to see how a new employee’s user accounts are initially set up.

· Segregation of Duties (SOD): The IS auditor should determine if the organization makes any effort to identify segregation of duties. This may include whether there are any SOD procedures in existence and if they are actively used to make user access request decisions.

· Access reviews: The IS auditor should determine if there are any periodic access reviews and what aspects of user accounts are reviewed; this may include termination reviews, internal transfer reviews, SOD reviews, and dormant account reviews.

4. Auditing Employee Terminations: Auditing employee terminations requires attention to several key factors, including:

· Termination process: The IS auditor should examine the employee termination process and determine its effectiveness.

· Access reviews: The IS auditor should determine if any internal reviews of terminated accounts are performed, if any missed terminations are identified and if any process improvements are undertaken.

· Contractor access and terminations: The IS auditor needs to determine how contractor access and termination is managed and if such management is effective.
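The lockout, dormant account and missed termination checks listed under Auditing User Access Controls and Auditing Employee Terminations can be run as data tests over an authentication log and an account inventory. The following is an added example, not part of the original notes: the log format, account names, the 10-minute failure window and the 90-day dormancy limit are assumptions, and all sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# "Five unsuccessful attempts" is the page's figure; the 10-minute window and
# the 90-day dormancy limit are assumed policy values for this example.
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=10)
DORMANT_AFTER = timedelta(days=90)
AS_OF = datetime(2024, 6, 1)  # constructed audit date

# Constructed authentication log: "<ISO time> <account> <event>".
AUTH_LOG = """\
2024-02-01T10:00:00 carol LOGIN_OK
2024-04-10T17:20:00 erin LOGIN_OK
2024-05-20T02:10:00 bob LOGIN_FAIL
2024-05-20T02:11:00 bob LOGIN_FAIL
2024-05-20T02:12:00 bob LOGIN_FAIL
2024-05-20T02:13:00 bob LOGIN_FAIL
2024-05-20T02:14:00 bob LOGIN_FAIL
2024-05-20T02:14:01 bob LOCKED
2024-05-21T03:00:00 svc_backup LOGIN_FAIL
2024-05-21T03:01:00 svc_backup LOGIN_FAIL
2024-05-21T03:02:00 svc_backup LOGIN_FAIL
2024-05-21T03:03:00 svc_backup LOGIN_FAIL
2024-05-21T03:04:00 svc_backup LOGIN_FAIL
2024-05-21T04:00:00 svc_backup LOGIN_OK
2024-05-22T11:00:00 dave LOGIN_FAIL
2024-05-22T11:01:00 dave LOGIN_FAIL
2024-05-22T11:02:00 dave LOGIN_FAIL
2024-05-22T11:03:00 dave LOGIN_FAIL
2024-05-22T11:30:00 dave LOGIN_FAIL
2024-05-22T11:31:00 dave LOGIN_OK
2024-05-25T09:00:00 bob LOGIN_OK
2024-05-30T09:01:00 alice LOGIN_OK
"""

# Constructed account inventory (account -> owner, enabled) and HR leavers.
ACCOUNTS = {
    "alice": ("alice", True), "bob": ("bob", True), "carol": ("carol", True),
    "dave": ("dave", True), "erin": ("erin", True), "frank": ("frank", False),
    "svc_backup": ("ops-team", True),
}
TERMINATED = {"erin": datetime(2024, 4, 15), "frank": datetime(2023, 12, 1)}


def parse_log(text):
    """Turn log text into (time, account, event) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, account, event = line.split()
            events.append((datetime.fromisoformat(stamp), account, event))
    return events


def lockout_gaps(events):
    """Accounts that reached the failure threshold but were not locked."""
    recent = defaultdict(deque)  # account -> failure times inside the window
    breached, locks = {}, defaultdict(list)
    for when, account, event in sorted(events):
        if event == "LOCKED":
            locks[account].append(when)
        elif event == "LOGIN_OK":
            recent[account].clear()  # assumed: a success resets the count
        elif event == "LOGIN_FAIL":
            window = recent[account]
            window.append(when)
            while when - window[0] > FAILURE_WINDOW:
                window.popleft()
            if len(window) >= MAX_FAILURES:
                breached.setdefault(account, when)
    return sorted(a for a, hit in breached.items()
                  if not any(hit <= t <= hit + FAILURE_WINDOW for t in locks[a]))


def dormant_accounts(accounts, events, as_of):
    """Enabled accounts with no successful login inside DORMANT_AFTER."""
    last_ok = {}
    for when, account, event in events:
        if event == "LOGIN_OK":
            last_ok[account] = max(when, last_ok.get(account, when))
    return sorted(name for name, (_, enabled) in accounts.items()
                  if enabled and (name not in last_ok
                                  or as_of - last_ok[name] > DORMANT_AFTER))


def missed_terminations(accounts, terminated, as_of):
    """Enabled accounts whose owner left on or before the audit date."""
    return sorted(name for name, (owner, enabled) in accounts.items()
                  if enabled and owner in terminated
                  and terminated[owner] <= as_of)


if __name__ == "__main__":
    log = parse_log(AUTH_LOG)
    print("lockout not enforced:", lockout_gaps(log))
    print("dormant accounts:", dormant_accounts(ACCOUNTS, log, AS_OF))
    print("missed terminations:", missed_terminations(ACCOUNTS, TERMINATED, AS_OF))
```

The account `dave` is not reported because its fifth failure falls outside the window, which is the boundary an auditor should test when checking that lockout works as designed.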

(B) User Access Logs:
The IS auditor needs to determine what events are recorded in access logs to determine if the right events are being logged, or if logging is suppressed on events that should be logged.

· Centralized access logs: The IS auditor should determine if the organization’s access logs are centralized or if they are stored on individual systems.

· Access log protection: The auditor needs to determine if access logs can be altered, destroyed, or attacked to cause the system to stop logging events.

· Access log review: The auditor should determine if access log reviews take place, who performs them, how issues requiring attention are identified, and what actions are taken when necessary.

· Access log retention: The IS auditor should determine how long access logs are retained by the organization and if they are backed up.

(C) Investigative Procedures:
Auditing investigative procedures requires attention to several key activities, including:

· Investigation policies and procedures: The IS auditor should determine proper procedures regarding security investigations including who is responsible, where information is stored, and to whom results are reported.

· Computer crime investigations: The IS auditor should determine if there are policies, processes, procedures, and records regarding computer crime investigations.

· Computer forensics: The IS auditor should determine if there are procedures for conducting computer forensics. The auditor should also identify tools and techniques used, and the qualification & skill set of employees performing investigations.

(D) Internet Points of Presence:

· Search engines: Google, Yahoo!, and other search engines should be consulted to see what information about the organization is available. Searches should include the names of company officers and management, key employees etc.

· Social networking sites: Social networking sites such as Facebook, LinkedIn, and Twitter should be searched to see what employees, former employees, and others are saying about the organization. Any authorized or unauthorized “fan pages” should be searched as well.

· Online sales sites: Sites such as eBay should be searched to see if anything related to the organization is sold online.

· Justification of Online Presence: The IS auditor should examine business records to determine on what basis the organization established online capabilities such as e-mail, web sites, e-commerce, and Internet access for employees.

4. Explain role of Auditor in Audit / Audit trail of Managerial Controls

Ø Top Management and Information Systems Management Controls

The major activities that senior management must perform are Planning, Organizing, Controlling and Leading (already explained in Chapter – 3). The role of the auditor in each activity is discussed below:

· Planning: Auditors need to evaluate whether top management has formulated a high-quality information system’s plan that is appropriate to the needs of the organization. A poor-quality information system is ineffective and inefficient, leading to the loss of the organization’s competitive position.

· Organizing: Auditors should be concerned about how well top management acquires and manages staff resources for three reasons:
§ The effectiveness of the IS function depends primarily on the quality of its staff. The IS staff need to remain up to date and motivated in their jobs.
§ Intense competition and high turnover have made acquiring and retaining good information system staff a complex activity.
§ Staff should have the required skill set and be trustworthy.

· Leading: Generally, the auditors examine variables that often indicate when motivation problems exist or suggest poor leadership. To verify this, auditors may use both formal and informal sources of evidence to evaluate how well top managers communicate with their staff.

· Controlling: Auditors must evaluate whether top management’s choice of the means of control over the users of IS services is likely to be effective or not.

Ø System Development Management Controls

Systems Development Management has responsibility for the functions concerned with analyzing, designing, building, implementing, and maintaining information systems. Three different types of audits may be conducted during the system development process, as discussed below:

· Concurrent Audit: Auditors are members of the system development team. They assist the team in improving the quality of systems development for the specific system they are building and implementing.

· Post-implementation Audit: Auditors seek to help an organization learn from its experiences in the development of an application system. In addition, they might be evaluating whether the system needs to be scrapped, continued, or modified in some way.

· General Audit: Auditors evaluate systems development controls overall. It is performed as part of compliance testing. They seek to determine whether the auditor can reduce the extent of substantive testing needed to form an audit opinion.

An external auditor is more likely to undertake general audits rather than concurrent or post-implementation audits of the systems development process. For internal auditors, management might require that they participate in the development of material application systems or undertake post-implementation reviews of material application systems as a matter of course.

Ø Programming Management Controls

Some of the major concerns that an auditor should address under the different activities involved in the Programming Management Control Phase are listed below by phase, with the audit trail concerns for each:

· Planning:
§ They should evaluate whether the nature and extent of planning are appropriate to the different types of software that are developed or acquired.
§ They must evaluate how well the planning work is being undertaken.

· Design:
§ Auditors should find out whether programmers use some type of systematic approach to design.

· Coding: Auditors should seek evidence:
§ On the level of care exercised by programming management in choosing a module implementation and integration strategy.
§ To check whether programmers employ automated facilities to assist them with their coding work.

· Testing:
§ Auditors can use interviews, observations, and examination of documentation to evaluate how well unit testing, integration testing & whole of programme testing is conducted.

· Operation and Maintenance:
§ Auditors need to ensure that effective and timely reporting of maintenance needs occurs and that maintenance is carried out in a well-controlled manner.
§ Auditors should ensure that management has implemented a review system and assigned responsibility for monitoring the status of operational programs.

Ø Data Resource Management Controls

· Auditors should determine what controls are exercised to maintain data integrity. They might also interview database users to determine their level of awareness of these controls.

· Auditors might employ test data to evaluate whether access controls and update controls are working.

Ø Quality Assurance Management Controls

· Auditors might use interviews, observations and reviews of documentation to evaluate how well Quality Assurance (QA) personnel perform their monitoring role.

· Auditors can evaluate how well QA personnel undertake the reporting function and training through interviews, observations, and reviews of documentation.

Ø Security Management Controls

· Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or not;

· Auditors check whether the organizations audited have an appropriate, high-quality disaster recovery plan in place; and

· Auditors check whether the organizations have opted for an appropriate insurance plan or not.

Ø Operations Management Controls

· Auditors should check whether the documentation is maintained securely and that it is issued only to authorized personnel.

· Auditors can use interviews, observations, and review of documentation to evaluate:
§ the activities of documentation librarians;
§ how well operations management undertakes the capacity planning and performance monitoring function;
§ the reliability of outsourcing vendor controls;
§ whether operations management is monitoring compliance with the outsourcing contract; and
§ whether operations management regularly assesses the financial viability of any outsourcing vendors that an organization uses.

5. Explain role of Auditor in Audit / Audit trail of Application Controls

Two types of audit trails should exist in each system:

· An Accounting Audit Trail to maintain a record of events within the subsystem; and

· An Operations Audit Trail to maintain a record of the resource consumption associated with each event in the subsystem.

We shall now discuss Audit Trails for Application Controls in detail.

1. Boundary Controls: This maintains the chronology of events that occur when a user attempts to gain access to and employ systems resources.

Accounting Audit Trail
· Identity of the would-be user of the system;
· Authentication information supplied;
· Resources requested;
· Action privileges requested;
· Terminal Identifier;
· Start and Finish Time;
· Number of Sign-on attempts;
· Resources provided/denied; and
· Action privileges allowed/denied.

Operations Audit Trail
· Resource usage from log-on to log-out time.
· Log of Resource consumption.

2. Input Controls: This maintains the chronology of events from the time data and instructions are captured and entered into an application system until the time they are deemed valid and passed onto other subsystems within the application system.

Accounting Audit Trail
· The identity of the person (organization) who was the source of the data;
· The identity of the person (organization) who entered the data into the system;
· The time and date when the data was captured;
· The identifier of the physical device used to enter the data into the system;
· The account or record to be updated by the transaction;
· The details of the transaction; and
· The number of the physical or logical batch to which the transaction belongs.

3. Processing Controls: The audit trail maintains the chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.

Accounting Audit Trail
· To trace the processing performed on a data item.
· Triggered transactions to monitor input data entry, processing and output.

Operations Audit Trail
· A comprehensive log on hardware consumption – CPU time used, secondary storage space used, and communication facilities used.
· A comprehensive log on software consumption.

4. Output Controls: The audit trail maintains the chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of output because it no longer should be retained.

Accounting Audit Trail
· What output was presented to users;
· Who received the output;
· When the output was received; and
· What actions were taken with the output.

Operations Audit Trail
· To maintain the record of resources consumed – graphs, report pages.

5. Database Controls: The audit trail maintains the chronology of events that occur either to the database definition or the database itself.

Accounting Audit Trail
· To attach a unique time stamp to all transactions;
· To attach before images and after images of the data; and
· Any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system.

Operations Audit Trail
· To maintain a chronology of resource consumption events that affects the database.

6. Communication Controls: This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.

· Unique identifier of the source / destination node;
· Unique identifier of each node in the network that transfers the message;
· Time and date at which the message was dispatched;
· Time and date at which the message was received by the sink node;
· Time and date at which each node in the network was traversed by the message; and
· Message sequence number.
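For the database controls accounting audit trail described above (a unique time stamp plus before and after images on every transaction), this added example, which is not from the original notes, logs each change with both images and chains the entries by hash so that an altered or removed entry is detectable, which also bears on the access log protection question under (B). The class, field names and sample records are hypothetical and constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # chain value placed before the first entry


def _digest(body, prev_hash):
    """Hash an entry body together with the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class AuditedTable:
    """Key/value table whose every change is appended to an audit trail."""

    def __init__(self):
        self.rows = {}
        self.trail = []

    def apply(self, stamp, user, key, new_value):
        """Set key to new_value (None deletes) and log before/after images.
        Stamps are fixed-width ISO strings, so string order is time order."""
        if self.trail and stamp <= self.trail[-1]["stamp"]:
            raise ValueError("time stamp must be unique and increasing")
        body = {"stamp": stamp, "user": user, "key": key,
                "before": copy.deepcopy(self.rows.get(key)),
                "after": copy.deepcopy(new_value)}
        prev = self.trail[-1]["hash"] if self.trail else GENESIS
        self.trail.append({**body, "hash": _digest(body, prev)})
        if new_value is None:
            self.rows.pop(key, None)
        else:
            self.rows[key] = copy.deepcopy(new_value)


def verify_trail(trail):
    """Index of the first altered, removed or reordered entry, or -1."""
    prev, last_stamp = GENESIS, ""
    for index, entry in enumerate(trail):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["hash"] != _digest(body, prev) or entry["stamp"] <= last_stamp:
            return index
        prev, last_stamp = entry["hash"], entry["stamp"]
    return -1


def image_breaks(trail):
    """Stamps whose before image differs from the last logged after image,
    meaning the row was changed without going through the trail."""
    last_after, breaks = {}, []
    for entry in trail:
        if entry["before"] != last_after.get(entry["key"]):
            breaks.append(entry["stamp"])
        last_after[entry["key"]] = entry["after"]
    return breaks


def state_as_of(trail, stamp):
    """Rebuild the table as it stood at `stamp` by replaying after images."""
    rows = {}
    for entry in trail:
        if entry["stamp"] > stamp:
            break
        if entry["after"] is None:
            rows.pop(entry["key"], None)
        else:
            rows[entry["key"]] = entry["after"]
    return rows


def sample_table():
    """Constructed sample: four changes to two account records."""
    table = AuditedTable()
    table.apply("2024-05-02T10:15:00.000001", "teller07", "ACC-1001", {"balance": 1200})
    table.apply("2024-05-02T10:16:30.000001", "teller07", "ACC-1002", {"balance": 50})
    table.apply("2024-05-02T10:18:00.000001", "batch_eod", "ACC-1001", {"balance": 700})
    table.apply("2024-05-02T10:25:00.000001", "supervisor02", "ACC-1002", None)
    return table


if __name__ == "__main__":
    demo = sample_table()
    print("trail intact:", verify_trail(demo.trail) == -1)
    print("state at 10:20:", state_as_of(demo.trail, "2024-05-02T10:20:00.000000"))
```

The chain only gives evidence of tampering if the latest hash is also held somewhere the people who can write to the trail cannot change, which is one reason the centralized access logs question matters.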

Organization Structure & Responsibilities

· Organizations require structure to distribute responsibility to groups of people with specific skills and knowledge.

· The structure of an organization is called an organization chart (org chart).

· Organizing and maintaining an organization structure requires that many factors be considered.

In most organizations, the organization chart is a living structure that changes frequently, based upon several conditions including the following:

· Short- and long-term objectives: Organizations sometimes move executives from one department to another so that departments that were once far from each other (in terms of the org chart structure) will be near each other.

§ These organizational changes are usually performed to help an organization meet new objectives that require new partnerships and teamwork that were less important before.

· Market conditions: Changes in market positions can cause an organization to realign its internal structure in order to strengthen itself.
§ For example, if a competitor lowers its prices based on a new sourcing strategy, an organization may need to respond by changing its organizational structure to put experienced executives in charge of specific activities.

· Regulation: New regulations may force an organization to change its organizational structure.
§ For instance, an organization has to appoint some director or officer to comply with some legal requirement.

· Available talent: When someone leaves the organization (or moves to another position within the organization), particularly in positions of leadership, a space opens in the org chart that often cannot be filled right away.
§ Instead, senior management will temporarily change the structure of the organization by moving the leaderless department under the control of someone else.

Roles and Responsibilities:
The topic of roles and responsibilities is multidimensional: it encompasses positions and relationships on the organization chart, it defines specific job titles and duties, and it covers responsibilities regarding the use and protection of assets.

Individual Roles and Responsibilities:
Several roles and responsibilities fall upon all individuals throughout the organization.

· Executive management: The senior managers and executives in an organization are responsible for developing the organization’s mission, objectives, and goals, as well as policy including security policy, which defines (among other things) the protection of assets.

· Owner: An owner is an individual (usually but not necessarily a manager) who is the designated owner of an asset.
§ Depending upon the organization’s security policy, an owner may be responsible for the maintenance and integrity of the asset, as well as for deciding who is permitted to access and make changes to the asset.

· Manager: A manager is responsible for obtaining policies and procedures and making them available to their staff members.
§ They should also, to some extent, be responsible for their staff members’ behavior.

· User: Users are individuals (at any level of the organization) who use assets in the performance of their job duties.
§ Each user is responsible for how he or she uses the asset, and for not permitting others to access the asset in his or her name.
§ Users are responsible for performing their duties lawfully and for conforming to organization policies.

Job Titles and Job Descriptions

· A Job Title is a label that is assigned to a job description.

· It denotes a position in the organization that has a given set of responsibilities, and which requires a certain level and focus of education and prior experience.

· Job titles in IT have matured and are quite consistent across organizations.

· This consistency helps organizations in several ways:
§ Recruiting: When the organization needs to find someone to fill an open position, the use of standard job titles will help prospective candidates more easily find positions that match their criteria.
§ Compensation baselining: Because of the chronic shortage of talented IT workers, organizations are forced to be more competitive when trying to attract new workers.
o To remain competitive, many organizations periodically undertake a regional compensation analysis to better understand the levels of compensation paid to IT workers in other organizations.
o The use of standard job titles makes the task of comparing compensation far easier.
§ Career advancement: When an organization uses job titles that are consistent in the industry, IT workers have a better understanding of the functions of positions within their own organizations and can more easily plan how they can advance.

The remainder of this section includes many IT job titles with a short description (not a full job description by any measure) of the function of that position.

(a) Executive Management: Executive managers are the chief leaders and policymakers in an organization. They set objectives and work directly with the organization’s most senior management to help make decisions affecting the future strategy of the organization.

· CIO (Chief Information Officer): This is the title of the topmost leader in a larger IT organization.

· CTO (Chief Technical Officer): This position is usually responsible for an organization’s overall technology strategy.
§ Depending upon the purpose of the organization, this position may be separate from IT.

· CSO (Chief Security Officer): This position is responsible for all aspects of security, including information security, physical security etc.

· CISO (Chief Information Security Officer): This position is responsible for all aspects of data-related security.
§ This usually includes incident management, disaster recovery, vulnerability management, and compliance.

· CPO (Chief Privacy Officer): This position is responsible for the protection and use of personal information.
§ This position is found in organizations that collect and store sensitive information for large numbers of persons.

(b) Software Development:
Positions in software development are involved in the design, development, and testing of software applications.

· Systems Architect: This position is usually responsible for the overall information systems architecture in the organization.

· Systems Analyst: A systems analyst is involved with the design of applications, including changes in an application’s original design.

§ This position may develop technical requirements, program design, and software test plans.

· Software Developer, Programmer: This position develops application software.
§ Depending upon the level of experience, persons in this position may also design programs or applications.

· Software Tester: This position tests programs made by software developers.

(c) Data Management
Positions in data management are responsible for developing and implementing database designs and for maintaining databases.

· Database Architect: This position develops logical and physical designs of data models for applications.
§ With sufficient experience, this person may also design an organization’s overall data architecture.

· Database Administrator (DBA): This position builds and maintains databases designed by the database architect and those databases that are included as a part of purchased applications.
§ The DBA monitors databases, tunes them for performance and efficiency, and troubleshoots problems.

· Database Analyst: This position performs tasks that are junior to the database administrator, carrying out routine data maintenance and monitoring tasks.

(d) Network Management
Positions in network management are responsible for designing, building, monitoring, and maintaining voice and data communications networks, including connections to outside business partners and the Internet.

· Network Architect: This position designs networks and designs changes and upgrades to the network as needed to meet new organization objectives.

· Network Engineer: This position builds and maintains network devices such as routers, switches, firewalls, and gateways.

· Network Administrator: This position performs routine tasks in the network such as making minor configuration changes and monitoring event logs.

· Telecom Engineer: Positions in this role work with telecommunications technologies such as data circuits, phone systems, and voice email systems.

(e) Systems Management
Positions in systems management are responsible for architecture, design, building, and maintenance of servers and operating systems. This may include desktop operating systems as well.

· Systems Architect: This position is responsible for the overall architecture of systems (usually servers).
§ This position is usually also responsible for the design of services such as authentication, e-mail, and time synchronization.

· Systems Engineer: This position is responsible for designing, building, and maintaining servers and server operating systems.

· Storage Engineer: This position is responsible for designing, building, and maintaining storage subsystems.

· Systems Administrator: This position is responsible for performing maintenance and configuration operations on systems.

(f) General Operations
Positions in operations are responsible for day-to-day operational tasks that may include networks, servers, databases, and applications.

· Operations Manager: This position is responsible for overall operations that are carried out by others. Responsibilities will include establishing operations shift schedules.

· Operations Analyst: This position may be responsible for the development of operational procedures; examining the health of networks, systems, and databases; setting and monitoring the operations schedule; and maintaining operations records.

· Controls Analyst: This position is responsible for monitoring batch jobs, data entry work, and other tasks to make sure that they are operating correctly.

· Systems Operator: This position is responsible for monitoring systems and networks, performing backup tasks, and other operational tasks.

· Data Entry: This position is responsible for keying batches of data from hard copy sources.

· Media Librarian: This position is responsible for maintaining and tracking the use and storage of backup tapes and other media.

(g) Security Operations:
Positions in security operations are responsible for designing, building, and monitoring security systems and security controls, to ensure the confidentiality, integrity, and availability of information systems.

· Security Architect: This position is responsible for the design of security controls and systems such as authentication, audit logging, intrusion detection systems, and firewalls.

· Security Engineer: This position is responsible for designing, building, and maintaining security services and systems that are designed by the security architect.

· Security Analyst: This position is responsible for examining logs from firewalls, intrusion detection systems, and audit logs from systems and applications.
§ This position may also be responsible for issuing security advisories to others in IT.

· User Account Management: This position is responsible for accepting approved requests for user access management changes and performing the necessary changes at the network, system, database, or application level.

· Security Auditor: This position is responsible for performing internal audits of IT controls to ensure that they are being operated properly.

(h) Service Desk
Positions at the service desk are responsible for providing front line support services to IT and IT’s customers.

· Help desk Analyst: This position is responsible for providing front line user support services to personnel in the organization.

· Technical Support Analyst: This position is responsible for providing technical support services to other IT personnel, and perhaps also to IT customers.

SEGREGATION OF DUTIES

· Information systems often process large volumes of information that is sometimes highly valuable or sensitive.

· Measures need to be taken in IT organizations to ensure that individuals do not possess sufficient privileges to carry out potentially harmful actions on their own.

· Checks and balances are needed, so that high-value and high-sensitivity activities involve the coordination of two or more authorized individuals.

· The concept of Segregation of Duties (SOD), also known as separation of duties, ensures that single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data.

· The concept of segregation of duties has been long-established in organization accounting departments where, for instance, separate individuals or groups are responsible for the creation of vendors, the request for payments, and the printing of checks.

Segregation of Duties Controls

· Preventive and detective controls should be put into place to manage segregation of duties matters.

· In most organizations, both the preventive and detective controls will be manual, particularly when it comes to unwanted combinations of access between different applications.

· However, in some transaction-related situations, controls can be automated, although they may still require intervention by others.

Some Examples of Segregation of Duties Controls

· Transaction Authorization: Information systems can be programmed or configured to require two (or more) persons to approve certain transactions.
§ Many of us see this in retail establishments where a manager is required to approve a large transaction or a refund.
§ In IT applications, transactions meeting certain criteria (for example, exceeding normally accepted limits or conditions) may require a manager’s approval to be able to proceed.

· Split custody of high-value assets: Assets of high importance or value can be protected using various means of split custody.
§ For example, a password to an encryption key that protects a highly valued asset can be split in two halves (parts), one half assigned to two persons, and the other half assigned to two persons, so that no single individual knows the entire password.
§ Banks do this for central vaults, where a vault combination is split into two or more pieces so that two or more are required to open it.

· Workflow: Applications that are workflow-enabled can use a second (or third) level of approval before certain high-value or high-sensitivity activities can take place.
§ For example, a workflow application that is used to provision user accounts can include extra management approval steps in requests for administrative privileges.

· Periodic reviews: IT or internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist.
  § The access privileges for each worker can be compared against a segregation of duties control matrix.

When SOD issues are encountered during a segregation of duties review, management will need to decide how to mitigate the matter. The choices for mitigating a SOD issue include:
§ Reduce access privileges: Management can reduce individual user privileges so that the conflict no longer exists.
§ Introduce a new mitigating control: If management has determined that the person(s) need to retain privileges that are viewed as a conflict, then new preventive or detective controls need to be introduced that will prevent or detect unwanted activities.
§ Examples of mitigating controls include increased logging to record the actions of personnel, improved exception reporting to identify possible issues, and external reviews of high-risk controls.
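The periodic review described above can be sketched as a small script that compares each worker's combined access, across applications, against a segregation of duties control matrix and separates open conflicts from those already covered by a mitigating control. This is an added example, not part of the original notes; the user names, application names, duty identifiers and rule IDs are constructed for illustration.

```python
"""Periodic segregation-of-duties review against a control matrix (constructed data)."""
from dataclasses import dataclass

# SoD control matrix: pairs of duties one person must not hold together.
# Duty names follow the accounting example in the notes; rule IDs are constructed.
SOD_MATRIX = {
    "SOD-01": ("create_vendor", "request_payment"),
    "SOD-02": ("request_payment", "print_checks"),
    "SOD-03": ("create_vendor", "print_checks"),
    "SOD-04": ("request_admin_access", "approve_admin_access"),
}

# Constructed access extract: user -> application -> duties granted there.
ACCESS = {
    "asha":   {"erp": {"create_vendor"}, "treasury": {"request_payment"}},
    "bharat": {"erp": {"request_payment", "print_checks"}},
    "chitra": {"erp": {"create_vendor"}},
    "dev":    {"iam": {"request_admin_access", "approve_admin_access"}},
}

# Conflicts management chose to keep, with the mitigating control introduced.
MITIGATIONS = {
    ("dev", "SOD-04"): "increased logging and external review of approvals",
}


@dataclass(frozen=True)
class Finding:
    user: str
    rule_id: str
    duties: tuple
    cross_application: bool   # conflict only visible when applications are combined
    status: str               # "open" or "mitigated"
    mitigation: str = ""


def duty_sources(user_access):
    """Map each duty a user holds to the sorted list of applications granting it."""
    sources = {}
    for app, duties in user_access.items():
        for duty in duties:
            sources.setdefault(duty, set()).add(app)
    return {duty: sorted(apps) for duty, apps in sources.items()}


def review(access, matrix, mitigations):
    """Compare every user's combined privileges against the SoD matrix."""
    findings = []
    for user in sorted(access):
        sources = duty_sources(access[user])
        for rule_id in sorted(matrix):
            first, second = matrix[rule_id]
            if first not in sources or second not in sources:
                continue
            # Cross-application if no single application grants both duties.
            shared = set(sources[first]) & set(sources[second])
            mitigation = mitigations.get((user, rule_id), "")
            findings.append(Finding(
                user=user,
                rule_id=rule_id,
                duties=(first, second),
                cross_application=not shared,
                status="mitigated" if mitigation else "open",
                mitigation=mitigation,
            ))
    return findings


def open_findings(findings):
    """Findings that still need a decision: reduce access or add a control."""
    return [f for f in findings if f.status == "open"]


if __name__ == "__main__":
    for f in review(ACCESS, SOD_MATRIX, MITIGATIONS):
        scope = "cross-application" if f.cross_application else "single application"
        print(f"{f.user:7} {f.rule_id} {f.duties} [{scope}] {f.status} {f.mitigation}")
```

The conflict for the first user exists only when the two applications are reviewed together, which is the case the notes single out as usually needing a manual control.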

Page 164: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 165: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 166: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 167: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 168: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 169: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 170: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 171: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 172: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 173: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 174: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 175: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 176: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

CHAPTER 4

E-COMMERCE, M-COMMERCE & EMERGING TECHNOLOGIES

CHAPTER OVERVIEW :

EMERGING TECHNOLOGIES

o Virtualization
o Grid Computing
o Cloud Computing
o Mobile Computing
o Green IT
o BYOD
o Web 3.0
o Artificial Intelligence
o Machine Learning

INTRODUCTION TO E-COMMERCE

1. Define E-Commerce.

· E-Commerce: “Sale / Purchase of goods / services through electronic mode is e-commerce.” This could include the use of technology in the form of Computers, Desktops, Mobile Applications, etc.

· E-Commerce is the process of doing business electronically. It refers to the use of technology to enhance the processing of commercial transactions between a company, its customers and its business partners. It involves the automation of a variety of Business-To-Business (B2B) and Business-To-Consumer (B2C) transactions through reliable and secure connections.

· Illustrates the new business model enabled by technology. In this model the link to consumer and supplier is virtually direct.

2. Differentiate Traditional Commerce and E-Commerce.

| BASE FOR COMPARISON | TRADITIONAL COMMERCE | E-COMMERCE |
|---|---|---|
| Definition | Traditional commerce includes all those activities which encourage exchange, in some way or the other, of goods / services which are manual and non-electronic. | E-Commerce means carrying out commercial transactions or exchange of information, electronically on the internet. |
| Transaction Processing | Manual | Electronically |
| Availability for commercial transactions | For limited time. This time may be defined by law. Like special stores which may run 24 hours, but in general available for limited time. | 24*7*365 |
| Nature of purchase | Goods can be inspected physically before purchase. | Goods cannot be inspected physically before purchase. |
| Customer interaction | Face to face | Face to screen |
| Business scope | Limited to particular area | Worldwide reach |
| Payment | Cash, cheque, credit card, etc. | Credit card, fund transfer, Cash on Delivery, Payment Wallets, UPCI application etc. |
| Delivery of goods | Instantly | Takes time, but now e-commerce websites have created options of same day delivery, or delivery within 4 hours. |

3. Benefits of E-Business

E-business benefits individuals, businesses, government and society at large. The major benefits from e-business are as follows:

A. Benefits to Customer / Individual / User

· Convenience: Every product is at the individual’s fingertips on the internet.

· Time saving: The number of operations that can be performed both by potential buyers and sellers increases.

· Various Options: There are several options available for customers, which are not only easy to compare but are also provided by different players in the market.

· Easy to find reviews: There are often reviews about a particular site or product from previous customers, which provide valuable feedback.

· Coupon and Deals: There are discount coupons and reward points available for customers to encourage online transactions.

· Anytime Access: Even midnight access to the e-commerce platforms is available, which brings in customer suitability.

B. Benefits to Business / Sellers

· Increased Customer Base: The number of people getting online is increasing, which not only creates new customers but also retains the old ones.

· Instant Transaction: The transactions of e-commerce are based on real-time processes. This has made it possible to crack a number of deals.

· Provides a dynamic market: There are several players, which provides a dynamic market that enhances quality and business.

· Reduction in costs:
  § To buyers from increased competition in procurement as more suppliers are able to compete in an electronically open marketplace.
  § To suppliers by electronically accessing on-line databases of bid opportunities, on-line abilities to submit bids, and on-line review of rewards.
  § In overhead costs through uniformity, automation, and large-scale integration of management processes.
  § Advertising costs.

· Efficiency improvement due to:
  § Reduction in time to complete business transactions, particularly from delivery to payment.
  § Reduction in errors and time for information processing by eliminating requirements for re-entering data.
  § Reduction in inventories and reduction of risk of obsolete inventories as the demand for goods and services is electronically linked through just-in-time inventory and integrated manufacturing techniques.

(Q.: Explain efficiency improvement due to E-Business.)

· Creation of new markets: This is done through the ability to easily and cheaply reach potential customers.

· Easier entry into new markets: This is especially into geographically remote markets, for enterprises regardless of size and location.

· Better quality of goods: Standardized specifications and competition have increased, and have improved the variety of goods through expanded markets and the ability to produce customized goods.

· Elimination of Time Delays: Faster time to market as business processes are linked, thus enabling seamless processing and eliminating time delays.

C. Benefits to Government

· Instrument to fight corruption: In line with Government’s vision, e-commerce provides an important hand to fight corruption.

· Reduction in use of ecologically damaging materials through electronic coordination of activities and the movement of information rather than physical objects.

4. Explain various Components of E-COMMERCE.

(i) User: This may be an individual / organization or anybody using the e-commerce platforms. As e-commerce has made procurement easy and simple, just at the click of a button, e-commerce vendors need to ensure that their products are not delivered to wrong users. In fact, e-commerce vendors selling products like medicine / drugs need to ensure that such products are not delivered to the wrong person / user.

(ii) E-commerce Vendors: This is the organization / entity providing the user the goods / services asked for. For example: www.flipkart.com. E-commerce vendors further need to ensure the following for better, effective and efficient transactions.

· Suppliers and Supply Chain Management: These are another important component of the whole operation. For effectiveness, vendors need to ensure that:
  § They have enough and the right goods suppliers.
  § They (suppliers) are financially and operationally safe.

  § Suppliers are able to provide real-time stock inventory.
  § The order-to-deliver time is very short.

· Warehouse operations: When a product is bought, it is delivered from the warehouse of the e-commerce vendor. This place is where online retailers pick products from the shelf, pack them as per customer’s specification / pre-decided standards and prepare those products to be delivered. These operations have become very critical to the success of the whole e-commerce business.

· Shipping and returns: Shipping is supplementary and complementary to whole warehouse operations. Fast returns have become the Unique Selling Proposition (USP) for many e-commerce vendors, so these vendors need very effective and efficient return processing.

· E-Commerce catalogue and product display: Proper display of all products being sold by the vendor, including product details and technical specifications, makes for a better sales conversion ratio. These help customers gauge the products / services being sold. A good catalogue makes a lot of difference to the whole customer experience.

· Marketing and loyalty programs: Loyalty programs establish a long-term relationship with the customer. The best examples can be customer loyalty programs being run by the airline industry. In the airline industry, a customer can get good discounts / free tickets based on loyalty points accumulated.

· Showroom and offline purchase: A few e-commerce vendors have realized over a period that their products can be sold fast if customers are able to feel / touch / see those products. These vendors have opened outlets for customer experience of their products. For example: Lenskart.

· Different Ordering Methods: These are the ways a customer can place his / her order; say, Cash on Delivery is today the most preferred method.

· Guarantees: The product / service guarantee associated with the product / service being sold. Money back guarantees help generate a sense of security in the customer’s mind that in case of any problems their money shall be safely returned.

· Privacy Policy: Represents the policy adopted by the e-commerce vendor vis-a-vis customer data / information. An e-commerce website must have a privacy policy.

· Security: Represents the security policy adopted by the e-commerce vendors. The vendor website needs to state that online data used to transact is safe and that the vendor is using appropriate security, including security systems like SSL (Secure Socket Layer). This guarantees that the data provided by the customer will not fall into the hands of a hacker while transferring from his / her computer to the web server.

(iii) Technology Infrastructure: The computers, servers, database, mobile apps, digital libraries, data interchange enabling the e-commerce transactions.

· Computers, Servers and Database
  § These are the backbone for the success of the venture. Big e-commerce organizations invest huge amounts of money / time in creating these systems.
  § They store the data / program used to run the whole operation of the organization.
  § As cloud computing is increasingly being used, many small / mid-sized e-commerce organizations have started using shared infrastructures.

· Mobile Apps
  § Just as with the personal computer, mobile devices such as tablet computers and smart phones also have operating systems and application software.

  § A mobile app is a software application programmed to run specifically on a mobile device.
  § These days, most mobile devices run on one of two operating systems: Android or iOS.
  § Android is an open-source operating system supported by Google whereas iOS is Apple’s mobile operating system.
  § There are other mobile Operating systems like BlackBerry OS, Windows Mobile, and FireFox OS.
  § As organizations consider making their digital presence compatible with mobile devices, they will have to decide whether to build a mobile app.
  § A mobile app is an expensive proposition, and it will only run on one type of mobile device at a time.
  § For example, if an organization creates an iPhone app, those with Android phones cannot run the application.
  § One option many companies have is to create a website that is mobile friendly.
  § A mobile website works on all mobile devices and costs about the same as creating an app.
  § It includes the following:
  § Mobile store front modules are an integral part of m-commerce apps, where all commodities and services are categorized and compiled in catalogues for customers to easily browse through the items on sale and get essential information about the products.
  § Mobile customer support and information module is a point of reference for information about a particular retailer, its offerings and deals.
  § The news about the company, current discounts, shop locations and other information is either pushed to users’ m-commerce apps or can be found in m-commerce app itself.
  § Mobile banking is inextricably linked to selling process via m-commerce apps, because no purchase can be finalized without a payment.
  § There are various options for executing mobile payments, among which are direct mobile billing, payments via SMS, credit card payments through a familiar mobile web interface, and payments at physical POS terminals with NFC technology.

· Digital Libraries:
  § A Digital Library is a special library with a focused collection of digital objects that can include text, visual material, audio material, video material, stored as electronic media formats (as opposed to print, microform, or other media), along with means for organizing, storing, and retrieving the files and media contained in the library collection.
  § Digital libraries can vary immensely in size and scope, and can be maintained by individuals, organizations, or affiliated with established physical library buildings or institutions, or with academic institutions.
  § The digital content may be stored locally, or accessed remotely via computer networks.

· Data Interchange: Data Interchange is an electronic communication of data.
  § For ensuring the correctness of data interchange between multiple players in e-commerce, business specific protocols are being used.

§ There are defined- standards to ensure seamless / exact communication in e-commerce.

· Internet / Network: This is the key to success of e-commerce transactions.§ This is the critical enabler for e-commerce. Internet connectivity is important for

any e-commerce transactions to go through.§ Net connectivity in present days can be through traditional as well as new

technology.§ The faster net connectivity leads to better e-commerce. Many mobile companies

in India have launched 4G services.§ At a global level, it is linked to the countries capability to create a high speed

network.

· Web portal:§ This shall provide the interface through which an individual / organization

shall perform e-commerce transactions.§ Web Portal is the application through which user interacts with the ecommerce

vendor.§ The front end through which user interacts for an e-commerce transaction.§ These web portals can be accessed through desktops / laptops / PDA / hand-

held computing devices / mobiles and now through smart TVs also.§ The simplicity and clarity of content on web portal is directly linked to customer

experience of buying a product online.

· Payment Gateway:§ The payment mode through which customers shall make payments.§ Payment gateway represents the way e-commerce / m-commerce vendors

collects their payments. The payment gateway is another critical component ofe-commerce set up.

§ These are the last and most critical part of e-commerce transactions. Theseassures seller of receipt of payment from buyer of goods / services fromecommerce vendors.

§ Presently numerous methods of payments by buyers to sellers are being used,including Credit / Debit Card Payments, Online bank payments, Vendors ownpayment wallet, Third Party Payment wallets, like SBI BUDDY or PAYTM, Cashon Delivery (COD) and Unified Payments Interface (UPI).

5. Discuss the architecture of Networked Systems. OR Explain the types of Network Architecture.

Architecture is a term to define the style of design and method of construction, used generally for buildings and other physical structures. In e-commerce, it denotes the way network architectures are built. E-commerce runs through network-connected systems. Networked systems can have two types of architecture, namely:
(i) Two tier, and
(ii) Three tier.

Two Tier Client Server

In a Two-tier network, client (user) sends request to Server and the Server responds to the request by fetching the data from it. The Two-tier architecture is divided into two tiers: Presentation Tier and Database Tier.

(i) Presentation Tier (Client Application / Client Tier):
· This is the interface that allows user to interact with the e-commerce / m-commerce vendor.
· User can login to an e-commerce vendor through this tier.
· This application also connects to database tier and displays the various products / prices to customers.

(ii) Database Tier (Data Tier):
· The product data / price data / customer data and other related data are kept here. User has no access to data / information at this level but he/she can display all data / information stored here through application tier.

The Advantages of Two-Tier Systems are as follows:

· The system performance is higher because business logic and database are physically close.
· Since processing is shared between the client and server, more users could interact with system.
· By having simple structure, it is easy to setup and maintain entire system smoothly.

The Disadvantages of Two-Tier Systems are as follows:

· Performance deteriorates if number of users increases.
· There is restricted flexibility.

Three Tier Client Server

· Three-Tier architecture is a software design pattern and well-established software architecture.
· Its three tiers are the Presentation Tier, Application Tier and Data Tier.

· Three-tier architecture is a client-server architecture in which the functional process logic, computer data storage and user interface are developed and maintained as independent modules on separate platforms.

The three tiers are as follows:

(i) Presentation Tier: Occupies the top level and displays information related to services available on a website. This tier communicates with other tiers by sending results to the browser and other tiers in the network.

(ii) Application Tier: Also called the Middle Tier, Logic Tier, Business Logic or Logic Tier; this tier is pulled from the presentation tier. It controls application functionality by performing detailed processing. In computer software, business logic is the part of the program that encodes the real-world business rules that determine how data can be created, displayed, stored, and changed.

(iii) Database Tier: This tier houses the database servers where information is stored and retrieved.
· Data in this tier is kept independent of application servers or business logic.
· The data tier includes the data access layer which should provide an Application Programming Interface (API) to the application tier that exposes methods of managing the stored data without exposing or creating dependencies on the data storage mechanisms.
· Avoiding dependencies on the storage mechanisms allows for updates or changes without the application tier clients being affected by or even aware of the change.

To conclude, in Three Tier Architecture three layers like Client, Server and Database are involved.

· In this, the Client sends a request to Server, where the Server sends the request to Database for data, based on that request the Database sends back the data to Server and from Server the data is forwarded to Client.
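
The request path described above, as an added example that is not part of the original notes: a small Python sketch in which the presentation tier can reach data only through the application tier, and the application tier only through the data tier's API. The class names, the in-memory SQLite database, the catalogue and the quantity limit are all assumptions made for illustration.

```python
import secrets
import sqlite3


class DataTier:
    """Data tier: the only code that knows the storage engine or its SQL."""

    def __init__(self):
        # In-memory SQLite stands in for the database server (assumption).
        self._db = sqlite3.connect(":memory:")
        self._db.executescript("""
            CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,
                                   price_paise INTEGER, stock INTEGER);
            CREATE TABLE orders (id INTEGER PRIMARY KEY AUTOINCREMENT,
                                 customer TEXT, product_id INTEGER,
                                 qty INTEGER, total_paise INTEGER);
        """)
        # Constructed sample catalogue.
        self._db.executemany(
            "INSERT INTO products VALUES (?, ?, ?, ?)",
            [(1, "Mobile phone", 1499900, 5), (2, "Charger", 59900, 0)],
        )

    def get_product(self, product_id):
        row = self._db.execute(
            "SELECT id, name, price_paise, stock FROM products WHERE id = ?",
            (product_id,),
        ).fetchone()
        if row is None:
            return None
        return dict(zip(("id", "name", "price_paise", "stock"), row))

    def record_order(self, customer, product_id, qty, total_paise):
        with self._db:  # one transaction: stock update plus order insert
            cur = self._db.execute(
                "UPDATE products SET stock = stock - ? "
                "WHERE id = ? AND stock >= ?",
                (qty, product_id, qty),
            )
            if cur.rowcount != 1:
                raise ValueError("insufficient stock")
            cur = self._db.execute(
                "INSERT INTO orders (customer, product_id, qty, total_paise) "
                "VALUES (?, ?, ?, ?)",
                (customer, product_id, qty, total_paise),
            )
            return cur.lastrowid


class ApplicationTier:
    """Application tier: business rules; reaches data only via DataTier."""

    MAX_QTY = 10  # business rule chosen for this example

    def __init__(self, data):
        self._data = data
        self._sessions = {}  # session token -> customer name

    def login(self, customer):
        # Credential checking is out of scope here; a random token is issued.
        token = secrets.token_hex(16)
        self._sessions[token] = customer
        return token

    def place_order(self, token, product_id, qty):
        customer = self._sessions.get(token)
        if customer is None:
            return {"ok": False, "error": "not logged in"}
        if type(product_id) is not int or type(qty) is not int:
            return {"ok": False, "error": "invalid input"}
        if not 1 <= qty <= self.MAX_QTY:
            return {"ok": False, "error": "invalid quantity"}
        product = self._data.get_product(product_id)
        if product is None:
            return {"ok": False, "error": "unknown product"}
        # The price always comes from the data tier, never from the client.
        total = product["price_paise"] * qty
        try:
            order_id = self._data.record_order(customer, product_id, qty, total)
        except ValueError as exc:
            return {"ok": False, "error": str(exc)}
        return {"ok": True, "order_id": order_id, "total_paise": total}


class PresentationTier:
    """Presentation tier: turns a client request into application calls."""

    def __init__(self, app):
        self._app = app  # holds no database handle at all

    def handle_order_form(self, form):
        # Only the fields the application tier needs are forwarded; anything
        # else the client sent (for example a "price" field) is dropped.
        result = self._app.place_order(
            form.get("session"), form.get("product_id"), form.get("qty"))
        if result["ok"]:
            return "Order %d placed, total Rs. %.2f" % (
                result["order_id"], result["total_paise"] / 100)
        return "Order rejected: " + result["error"]


def build_shop():
    app = ApplicationTier(DataTier())
    return app, PresentationTier(app)
```

Swapping SQLite for another store would change only `DataTier`; the other two classes never see SQL, which is the independence the data access layer is meant to give.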

The following are the Advantages of Three-Tier Systems:

· Clear separation of user interface and data presentation from application logic: Through this separation more clients can have access to a wide variety of server applications. The two main advantages for client applications are quicker development and a shorter test phase.
· Dynamic load balancing: If bottlenecks in terms of performance occur, the server process can be moved to other servers at runtime.
· Change management: It is easy and faster to exchange a component on the server than to furnish numerous PCs with new program versions.

The Disadvantages of Three-Tier Systems are as follows:

· It creates an increased need for network traffic management, server load balancing, and fault tolerance.
· Current tools are relatively immature and are more complex.
· Maintenance tools are currently inadequate for maintenance.

Which Architecture is used?

· In two tier architecture, application performance will be degraded upon increasing the users and it is not cost-effective, whereas a three-tier architecture provides high performance, flexibility, maintainability, scalability, performance, improved security wherein client does not have direct access to database, easy to maintain and application performance is good.
· Apart from the usual advantages of modular software with well-defined interfaces, the three-tier architecture is intended to allow any of the three tiers to be upgraded or replaced independently in response to changes in requirements or technology.
· All e-commerce applications follow the three-tier network architecture.

E-Commerce Architecture Vide Internet

Following diagram depicts the E-commerce architecture vide Internet

Description of each layer

Sr. No. | Layer | Includes | Purpose
1 | Client / User Interface | Web Server, Web Browser and Internet. For example: where user buys a mobile phone from an e-commerce merchant it includes - User - Web Browser (Internet Explorer / Chrome) - Web Server | This layer helps the e-commerce customer connect to e-commerce merchant.
2 | Application Layer | Application Server and Back End Server. For example - it includes - E-merchant - Reseller - Logistics partner | Through these applications customer logs in to merchant systems. This layer allows customer to check the products available on merchant's website.
3 | Database Layer | The information store house, where all data relating to products, price is kept. | This layer is accessible to user through application layer.

E-Commerce Architecture Vide Mobile Apps

M-Commerce (Mobile Commerce): M-commerce (mobile commerce) is the buying and selling of goods and services through wireless handheld devices such as cellular telephone and personal digital assistants (PDAs). M-commerce enables users to access the Internet from anywhere.

Sr. No. | Layer | Includes | Purpose
1 | Client / User Interface | Mobile Web Browser and Internet. For example: In example discussed above where user buys a mobile phone from e-commerce merchant it includes - Mobile APP (Application) - User | This layer helps the e-commerce customer connect to e-commerce merchant.
2 | Application Layer | Application Server and back end server. For example: In the same example, it includes - E-merchant - Reseller - Logistics partner - Payment Gateway | Through these applications customer logs in to merchant systems. This layer allows customer to check the products available on merchant's website.
3 | Database Layer | The information store house, where all data relating to products, price is kept. | This layer is accessible to user through application layer.

WORK FLOW DIAGRAM FOR E-COMMERCE

Description of E-Commerce Work Flow Diagram

Sr. No. | Steps | Activities
1 | Customers login | Few e-commerce merchants may allow same transactions to be done through phone, but the basic information flow is e-mode.
2 | Product / Service Selection | Customer selects products / services from available options.
3 | Customer Places Order | Order placed for selected product / service by customer. This step leads to next important activity PAYMENT GATEWAY.
4 | Payment Gateway | Here customer makes a selection of the payment method. In case payment method is other than cash on delivery (COD), the merchant gets the update from payment gateway about payment realisation from customer. In case of COD, e-commerce vendor may do an additional check to validate customer.
5 | Dispatch and Shipping Process | This process may be executed at two different ends. First, if product / service inventory is managed by e-commerce vendor then dispatch shall be initiated at merchant warehouse. Second, many e-commerce merchants allow third party vendors to sell through merchant websites. For example: FLIPKART states that it has more than 1 lac registered third party vendors on its website.
6 | Delivery Tracking | Another key element denoting success of e-commerce business is timely delivery. Merchants keep a track of this. All merchants have provided their delivery staff with hand held devices, where the product / service delivery to customers are immediately updated.
7 | COD tracking | In case products are sold on COD payment mode, merchants need to have additional check on matching delivery with payments.

6. What are the risks associated with E-Commerce Transactions that are high as compared to general Internet activities?

Risk: Risk is possibility of loss. The same may be result of intentional or un-intentional action by individuals. Risks associated with e-commerce transactions are high compared to general internet activities. These include the following:

· Privacy and Security: Comes in the point of hacking. There are often issues of security and privacy due to lack of personalized digital access and knowledge.
· Quality issues: There are quality issues raised by customers as the original product differs from the one that was ordered.
· Delay in goods and Hidden Costs: When goods are ordered from another country, there are hidden costs enforced by Companies.
· Needs Access to internet and lack of personal touch: E-commerce requires an internet connection which is extra expensive and lacks personal touch.
· Security and credit card issues: There is cloning possible of credit cards and debit cards which poses a security threat.
· Infrastructure: There is a greater need of not only digital infrastructure but also network expansion of roads and railways which remains a substantial challenge in developing countries.
· Problem of anonymity: There is need to identify and authenticate users in the virtual global market where anyone can sell to or buy from anyone, anything from anywhere.
· Repudiation of contract: There is possibility that the electronic transaction in the form of contract, sale order or purchase by the trading partner or customer may be denied.
· Lack of authenticity of transactions: The electronic documents that are produced during an e-Commerce transaction may not be authentic and reliable.
· Data Loss or theft or duplication: The data transmitted over the Internet may be lost, duplicated, tampered with.
· Attack from hackers: Web servers used for e-Commerce may be vulnerable to hackers.
· Denial of Service: Service to customers may be denied due to non-availability of system as it may be affected by viruses, e-mail bombs and floods.
· Non-recognition of electronic transactions: E-Commerce transactions, as electronic records and digital signatures, may not be recognized as evidence in courts of law.
· Problem of piracy: Intellectual property may not be adequately protected when such property is transacted through e-Commerce.

7. Explain meaning of control and relevance of control in E-business.

Controls are the policies, procedures, practices and organizational structures designed to provide reasonable assurance that business objectives will be achieved and that undesired events will be prevented or detected and corrected.

For example:
· Company may have a policy to force employees to change their passwords every 30 days.
· A CA firm may not allow office staff access to social sites during office hours.

In an e-business environment, controls are necessary for all persons in the chain, including:

· Users: This is important to ensure that the genuine user is using the e-commerce / m-commerce platform. There is risk if user accounts are hacked and hackers buy products / services.

· Sellers / Buyers / Merchants: These people need to have proper framework in place to ensure success of business. Many e-commerce businesses have lost huge amount of money as they did not have proper controls put in place. These include controls on:
§ Product catalogues
§ Price catalogues
§ Discounts and promotional schemes
§ Product returns
§ Accounting for cash received through Cash on Delivery mode of sales.

· Government: Governments across the world and in India have few critical concerns vis-a-vis electronic transactions, namely:
§ Tax accounting of all products / services sold.
§ All products / services sold are legal.
There have been instances where narcotic drugs have been found to be sold and bought through electronic means.

· Network Service Providers: They need to ensure availability and security of network. Any downtime of network can be disastrous for business.

· Technology Service Providers: These include all other service providers other than network service provider, for example, cloud computing back-ends, applications back-ends etc. They are also prone to risk of availability and security.

· Logistics Service Providers: Success or failure of any e-commerce / m-commerce venture finally lies here. Logistics service providers are the ones who are finally responsible for timely product deliveries.

· Payment Gateways: E-commerce vendors' business shall run only when their payment gateways are efficient, effective and fool proof.

- Each participant needs to put in place controls in an e-commerce environment.
- Any lack of exercising controls by anyone can bring the risk to whole chain.
- All participants as discussed above need to be trained and educated for proper controls.
- Each participant needs to put in place policies, practices and procedures to protect from e-commerce / m-commerce related risks.
- These will include the following:

1. Educating the participant about the nature of risks.
Every participant needs to be educated towards risk associated with such transactions. Organizations need to put in place infrastructure / policy guidelines for the same. These policies may include the following:
§ Frequency and nature of education programs.
§ The participants for such program.

For example: All banks in India allowing online payments put ads on their websites: "Dos and Don'ts for online payments." The more informed your organisation is, the easier it will be to combat online threats and to carry out risk mitigating measures.

2. Communication of organizational policies to its customers.
To avoid customer dissatisfaction and disputes, it is necessary to make the following information clear throughout your website: Privacy Policies, Information security, Shipping and billing policies, Refund policies.

3. Ensure Compliance with Industry Body Standards.
All e-Commerce organisations are required to comply with and adhere to the rules outlined by the law. In India, Reserve Bank of India has been releasing these standards from time to time.

4. Protect your e-Commerce business from intrusion.
· Viruses: Check your website daily for viruses, the presence of which can result in the loss of valuable data.
· Hackers: Use software packages to carry out regular assessments of how vulnerable your website is to hackers.
· Passwords: Ensure employees change these regularly and that passwords set by former employees of your organization are defunct.
· Regular software updates: Your site should always be up to date with the newest versions of security software.
· Sensitive data: Consider encrypting financial information and other confidential data (using encryption software). Hackers or third parties will not be able to access encrypted data without a key. This is particularly relevant for any e-Commerce sites that use a shopping cart system.
· Know the details of your payment service provider contract.

(Q: What are the ways of protecting your e-commerce business from intrusion?)

8. Explain various Control Objectives.

· Prevent organizational costs of data loss: Data is a critical resource of an organization for its present and future process and its ability to adapt and survive in a changing environment.
· Prevent loss from incorrect decision making: Management and operational controls taken by managers involve detection, investigations and correction of out-of-control processes. These high-level decisions require accurate data to make quality decision rules.
· Prevent loss of Computer Hardware, Software and Personnel: These are critical resources of an organization which have a credible impact on its infrastructure and business competitiveness.
· Prevent from high costs of computer error: In a computerized enterprise environment where many critical business processes are performed, a data error during entry or process would cause great damage.
· Safeguard assets from un-authorized access: The information system assets (hardware, software, data files etc.) must be protected by a system of internal controls from unauthorized access.

· Ensure data integrity: The importance to maintain integrity of data of an organization depends on the value of information, the extent of access to the information and the value of data to the business from the perspective of the decision maker, competition and the market environment.
· System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet substantial user requirements.
· System Efficiency Objectives: To optimize the use of various information system resources (machine time, peripherals, system software and labour) along with the impact on its computing environment.

9. Briefly explain Cyber Security Risk Considerations & Impact.

The business and technological environment in which the entities operate are rapidly changing on account of the E-Commerce platforms on which most of them now operate. Therefore, it is imperative to consider Cyber Security Risks in the audit procedures. Risk Assessment is always a very important part and parcel of the audit procedures.

One of the most important aspects to be kept in mind during the risk assessment process is giving due consideration to the changing risks in the entity and its environment due to the ever-evolving technology landscape which can have a potential impact on the financial statements.

There could be cyber security risks with Direct as well as Indirect impact.
· A Direct Financial Impact could be if the Application at the Company's Retailers which contains financial information has weak passwords resulting in harming the integrity of data.
· An Indirect Operational Impact could be if the sensitive customer information in the form of Bank Account Numbers, Recipes of Patented products, etc. could be breached which would result in legal and regulatory actions on the Company on account of breach of confidential information.

(Standard on Auditing) SA 315 recognizes that IT poses specific risks to an entity's internal control in the form of the following:
· Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
· Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions.
· Particular risks may arise where multiple users access a common database.
· Unauthorized changes to data in master files.
· Unauthorized changes to systems or programs.
· Inappropriate manual intervention.
· Potential loss of data or inability to access data as required.

Illustrations of the considerations as controls addressing key cyber security risks are as under:
· A Network Diagram detailing servers, databases, hubs, routers, internal and external network, etc.
· List of the Digital Assets used by the Company along with the physical location of those assets.
· Policy and Procedure document of the criticality of the Digital Assets

· Any incidents of cyber security breach which occurred and the actions taken and controls built in to avoid them from occurring again.
· Annual review by the CIO.
· The Entity should have an IT Security Policy circulated to all Employees detailing the procedures to be adhered to when accessing IT systems / resources like password security, restricted use of internet, etc.
· Periodical review of access rights to all IT resources to ensure that the access to the users is commensurate with their functional roles and responsibilities.
· Adequate approvals exist before the access is granted to any IT resources.
· Use of firewalls by the Company to allow internet activity.
· All remote access logins are configured for two factor authentication using username, password, pin, token, etc.
· Are the backups scheduled properly and timely checked by restoration of data?

The above procedures are even to be considered for the assets not owned by the Company but where the Company is utilizing services from another service provider, like the Server maintenance and security is outsourced to an outsourced service provider.
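
One way to run the periodical access-rights review listed above, together with the password and former-employee checks from question 7, as an added example that is not part of the original notes. The role matrix, account records, field names and review date are constructed for illustration; the 30-day limit is the example policy quoted in question 7.

```python
from datetime import date

# Role matrix: what each functional role is entitled to (constructed).
ROLE_ENTITLEMENTS = {
    "accounts": {"ledger:read", "ledger:post"},
    "warehouse": {"inventory:read", "inventory:update"},
    "support": {"orders:read"},
}
MAX_PASSWORD_AGE_DAYS = 30  # example policy: change passwords every 30 days

# Constructed sample records, as they might be merged from HR and
# access-management exports.
ACCOUNTS = [
    {"user": "asha", "role": "accounts", "employed": True, "enabled": True,
     "grants": {"ledger:read", "ledger:post"},
     "password_set": date(2024, 5, 20), "remote": True, "two_factor": True},
    {"user": "bharat", "role": "support", "employed": True, "enabled": True,
     "grants": {"orders:read", "ledger:post"},
     "password_set": date(2024, 3, 1), "remote": True, "two_factor": False},
    {"user": "chitra", "role": "warehouse", "employed": False, "enabled": True,
     "grants": {"inventory:read"},
     "password_set": date(2023, 11, 2), "remote": False, "two_factor": False},
    {"user": "dinesh", "role": "warehouse", "employed": False, "enabled": False,
     "grants": set(),
     "password_set": date(2023, 1, 15), "remote": False, "two_factor": False},
]


def review_account(acct, today):
    """Return the list of control exceptions for one account."""
    if not acct["enabled"]:
        return []  # a disabled account cannot be used to log in
    if not acct["employed"]:
        # Disabling the account is the fix, so nothing else is reported.
        return ["former employee account still enabled"]

    findings = []
    allowed = ROLE_ENTITLEMENTS.get(acct["role"])
    if allowed is None:
        findings.append("role not in role matrix: " + acct["role"])
        allowed = set()
    # Access beyond what the functional role needs.
    for grant in sorted(acct["grants"] - allowed):
        findings.append("excess access: " + grant)

    age = (today - acct["password_set"]).days
    if age > MAX_PASSWORD_AGE_DAYS:
        findings.append("password older than %d days (%d days)"
                        % (MAX_PASSWORD_AGE_DAYS, age))

    if acct["remote"] and not acct["two_factor"]:
        findings.append("remote access without two-factor authentication")
    return findings


def review_all(accounts, today):
    """Map each user with at least one exception to their findings."""
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct["user"]] = findings
    return report


if __name__ == "__main__":
    for user, findings in review_all(ACCOUNTS, date(2024, 6, 1)).items():
        for finding in findings:
            print(user + ": " + finding)
```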

GUIDELINES AND LAWS GOVERNING E-COMMERCE

10. Define the Guidelines for E-Commerce.

Guidelines for E-Commerce
Every entity going for e-commerce / m-commerce business needs to create clear policy guidelines for the following:

1. Billing: The issues are –
· Format of bill.
· The details to be shared in bills.
· Applicable GST.

2. Product guarantee / warranty: Proper display of product guarantee / warranty online as well as documents sent along with the products.

3. Shipping: The shipping time, frequency of shipping, the packing at time of shipping, all these need to be put in policy documents. This will ensure products are properly packed and timely shipped.

4. Delivery: Policy needs to be defined for:
· Which mode of delivery to be chosen? Say through courier / third party hand delivery / own staff hand delivery.
· When deliveries to be made? Say time of day.
· Where deliveries to be made? Say buyer's office / home or through dedicated delivery shops.

5. Return: Policy for return of goods needs to be put in place defining:
· Which goods to be accepted in return? Food products would generally not be accepted.
· The number of days within which returns can be accepted.
· The process of verifying the authenticity of products received back.
· The time within which buyer shall be paid his/her amount back for goods returned.

6. Payment: Policy guidelines need to be created for the following payment related issues:
· Mode of payment.
· For which products, specific payment mode shall be there. Organisation restricts cash on delivery for few consumable products.

11. Define Commercial Laws Governing E-Commerce

All e-commerce transactions are commercial business transactions. All these transactions are covered under multiple laws, including commercial laws. Following commercial laws are applicable to e-commerce and m-commerce transactions.

1. Income Tax Act, 1961: Income Tax Act has detailed provisions regarding taxation of income in India. In respect of e-commerce / m-commerce transactions, the issue of deciding place of origin of transaction for tax purpose is critical.

2. Companies Act, 2013: Companies Act, 2013 regulates the corporate sector. The law defines all regulatory aspects for companies in India. Most of the merchants in e-commerce / m-commerce business are companies, both private and public.

3. Foreign Trade (Development and Regulation) Act, 1992: An Act to provide for the development and regulation of foreign trade by facilitating imports into, augmenting exports from, India and for matters connected therewith or incidental thereto. Amazon has recently allowed Indian citizens to purchase from its global stores. All these shall be regulated through above law.

4. The Factories Act, 1948: Act to regulate working conditions of workers. The act extends to place of storage as well as transportation. Most of the merchants in e-commerce / m-commerce business need to comply with provisions of the act.

5. The Custom Act, 1962: The act that defines import / export of goods / services from India and provides for levy of appropriate customs duty. India, being a signatory to General Agreement on Trade and Tariff (GATT) under World Trade Organisation, cannot levy any custom duty that is GATT non-compliant. This one law is subject to debate across the world. For example: An Indian company downloads software being sold by a foreign company; whether the same shall be chargeable to duty of import.

6. The Goods and Services Tax Act, 2017 (GST): This Act requires each applicable business, including e-commerce / m-commerce, to upload each sales and purchase invoice on one central IT infrastructure, mandating reconciliations of transactions between business, triggering of tax credits on payments of GST, facilitating filing of e-returns, etc.

7. Indian Contract Act 1872: The act defines constituents of a valid contract. In case of e-commerce / m-commerce business it becomes important to define these constituents.

8. The Competition Act, 2002: Law to regulate practices that may have adverse effect on competition in India. Competition Commission has been vigilant to ensure that e-commerce / m-commerce merchants do not engage in predatory practices.

9. Foreign Exchange Management Act (FEMA 1999): The law to regulate foreign direct investments, flow of foreign exchange in India. The law has important implications for e-commerce / m-commerce business. With a view to promote foreign investment, as per regulations framed under Foreign Exchange Management Act (FEMA), 1999, FDI up to 100% under the automatic route is permitted in companies engaged in e-commerce provided that such companies would engage in Business to Business (B2B) e-commerce. Foreign investment in Business to Customer (B2C) e-commerce activities has been opened in a calibrated manner and an entity is permitted to undertake retail trading through e-commerce under the following circumstances:
(i) A manufacturer is permitted to sell its products manufactured in India through e-commerce retail.
(ii) A single brand retail trading entity operating through brick and mortar stores is permitted to undertake retail trading through e-commerce.
(iii) An Indian manufacturer is permitted to sell its own single brand products through e-commerce retail. Indian manufacturer would be the investee company, which is the owner of the Indian brand and which manufactures in India, in terms of value, at least 70% of its products in house, and sources at most 30% from Indian manufacturers.

10. Consumer Protection Act, 1986: The law to protect consumer rights has been source of most of litigations for transactions done through e-commerce and m-commerce.

All laws above have same nature of applicability as in a normal commercial transaction. The fact that transactions are done electronically gives rise to issues which are unique in nature.

12. Define Special Laws governing E-Commerce

E-commerce is covered under a few other laws as these transactions are done electronically.
§ Information Technology Act, 2000 (As amended 2008)
§ Reserve Bank of India, 1932.

I. Information Technology Act, 2000
This law governs all internet activities in India. The law is applicable to all online transactions in India, and provides for penalties, prosecution for non-compliances. The important issues dealt in by the law include:
· Legality of products / services being offered online.
· Data Protection.
· Protecting Your Customer's Privacy Online.
· Online Advertising Compliance.
· Compliance with Information Technology Act provisions.

II. Reserve Bank of India, 1932
Reserve Bank of India (RBI), from time to time, frames guidelines to be followed by e-commerce / m-commerce merchants allowing online payments through various modes. The merchant needs to comply with these guidelines. For example:
· The conversion of all Credit / Debit cards to be made CHIP based.
· An OTP / PIN for all transactions done on point of sale machines through debit / credit cards.
· The compliance with capital adequacy norms for payments wallet like SBI BUDDY / PAYTM etc.

13. Explain Digital Payments? Define different Types of Digital Payments?

DIGITAL PAYMENTS· Digital Payment is a way of payment which is made through digital modes.· In digital payments, payer and payee both use digital modes to send and

receive money.· It is also called electronic payment.· No hard cash is involved in the digital payments.· All the transactions in digital payments are completed online.· It is an instant and convenient way to make payments.· New digital payment platforms such as UPI and IMPS are becoming increasingly

popular.· Using these new platforms, banks have been scaling rapidly.

Different Types of Digital Payments

I. New Methods of Digital Payment

(i) UPI Apps: Unified Payment Interface (UPI) and retail payment banks are changing the very face of banking in terms of moving most of banking to digital platforms using mobiles and apps.
· UPI is a system that powers multiple bank accounts (of participating banks), several banking service features like fund transfer, and merchant payments in a single mobile application.
· UPI or unified payment interface is a payment mode which is used to make fund transfers through the mobile app.
· Users can transfer funds between two accounts using UPI apps.
· Users must register for mobile banking to use UPI apps.
· Users need to download a UPI app and create a UPI ID.
· There are many good UPI apps available, such as BHIM, SBI UPI app, HDFC UPI app, iMobile, PhonePe app etc.

(ii) Immediate Payment Service (IMPS): It is an instant interbank electronic fund transfer service through mobile phones.
· It is also being extended through other channels such as ATM, Internet Banking, etc.

(iii) Mobile Apps: BHIM (Bharat Interface for Money) is a Mobile App developed by National Payments Corporation of India (NPCI) based on UPI (Unified Payment Interface).
· It facilitates e-payments directly through banks and supports all Indian banks which use that platform.
· It is built on the Immediate Payment Service infrastructure and allows the user to instantly transfer money between the bank accounts of any two parties.
· BHIM works on all mobile devices and enables users to send money to or receive money from other UPI payment addresses by scanning a QR code, or by using an account number with the Indian Financial Systems Code (IFSC) or the MMID (Mobile Money Identifier) code for users who do not have a UPI-based bank account.


(iv) Mobile Wallets: These are defined as virtual wallets that store payment card information on a mobile device.
· Mobile Wallets provide a convenient way for a user to make in-store payments and can be used at merchants listed with the mobile wallet service providers.
· There are mobile wallets like PayTm, Freecharge, Buddy, MobiKwik etc.
· Some of these are owned by banks and some are owned by private companies.

(v) Aadhar Enabled Payment Service (AEPS): Government of India is planning to launch this in the near future.
· AEPS is an Aadhaar based digital payment mode.
· Customer needs only his or her Aadhaar number to pay to any merchant.
· AEPS allows bank to bank transactions.
· It means the money you pay will be deducted from your account and credited to the payee’s account directly.
· Customers will need to link their AADHAR numbers to their bank accounts.
· AEPS, once launched, can be used at POS terminals also.

(vi) Unstructured Supplementary Service Data (USSD): A revolutionary idea, where making payments through mobiles needs neither the internet nor a smartphone.
· USSD banking or *99# Banking is a mobile banking based digital payment mode.
· User does not need to have a smartphone or internet connection to use USSD banking.
· S/he can easily use it with any normal feature phone.
· USSD banking is as easy as checking of mobile balance.
· S/he can use this service for many financial and non-financial operations such as checking balance, sending money, changing Mobile Banking Personal Identification Number (MPIN) and getting Mobile Money Identifier (MMID).

II. Traditional Methods of Digital Payment

(i) E-Wallet: E-wallet or mobile wallet is the digital version of a physical wallet with more functionality.
· User can keep his / her money in an E-wallet and use it when needed.
· Use the E-wallets to recharge phone, pay at various places and send money to friends.
· If users have a smartphone and a stable internet connection, they can use E-wallets to make payments.
· These E-Wallets also give additional cashback offers.
· Some of the most used E-wallets are State bank buddy, ICICI Pockets, Freecharge, Paytm etc.

(ii) Cards: Cards are provided by banks to their account holders. These have been the most used digital payment modes till now. Various types of cards are as follows:

Credit Cards: A small plastic card issued by a bank, or issuer etc., allowing the holder to purchase goods or services on credit. In this mode of payment, the buyer’s cash flow is not immediately impacted. User of the card makes payment to card issuer at end of billing cycle, which is generally a monthly cycle.


Credit Card issuers charge customers per transaction / 5% of transaction as transaction fees.

Debit Cards: A small plastic card issued by a bank, allowing the holder to purchase goods or services on credit. In this mode of payment, the buyer’s cash flow is immediately affected, in that as soon as payment is authorized the buyer’s account is debited.

(iii) Net Banking: In this mode, the customer logs in to his / her bank account and makes payments. All public sector and large private sector banks allow net banking facilities to their customers.

14. Advantages of Digital Payments

· Easy and convenient: Digital payments are easy and convenient. A person does not need to carry loads of cash.

· Pay or send money from anywhere: With digital payment modes, one can pay from anywhere, anytime.

· Discounts from taxes: Government has announced many discounts to encourage digital payments. Users get 0.75% discounts on fuels and 10% discount on insurance premiums of government insurers.

· Written record: Users often forget to note down their spending, and even when they do, it takes a lot of time. With digital payments, these are automatically recorded in the passbook or inside the E-Wallet app. This helps to maintain records, track spending and plan budgets.

· Less Risk: Digital payments have less risk if used wisely. If a user loses a mobile phone, debit/credit card or Aadhar card, there is no need to worry a lot. No one can use anyone else’s money without MPIN, PIN or fingerprint in the case of Aadhar. It is advised that the user should get the card blocked, if lost.

15. What are some drawbacks of Digital Payments?

· Difficult for a Non-technical person: As most of the digital payment modes are based on mobile phones, the internet and cards, these modes are somewhat difficult for non-technical persons such as farmers, workers etc.

· The risk of data theft: There is a big risk of data theft associated with digital payment. Hackers can hack the servers of the bank or the E-Wallet a customer is using and easily get his/her personal information. They can use this information to steal money from the customer’s account.

· Overspending: One keeps limited cash in his/her physical wallet and hence thinks twice before buying anything. But if digital payment modes are used, one has access to all his/her money, which can result in overspending.


Computing Technologies

Virtualization

1. What do you mean by the term Virtualization? Explain major applications of Virtualization. (Nov 16)

· In computing, virtualization means to create a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments. Virtualization refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them.

· The core concept of Virtualization lies in Partitioning, which divides a single physical server into multiple logical servers. Once the physical server is divided, each logical server can run an operating system and applications independently.

· For example, partitioning of a hard drive is considered virtualization because one drive is partitioned in a way to create two separate hard drives. Devices, applications and human users are able to interact with the virtual resource as if it were a real single logical resource.

Major applications:

a) Server Consolidation: Virtual machines are used to consolidate many physical servers into fewer servers, which in turn host virtual machines. This is also known as “Physical-to-Virtual” or 'P2V' transformation.

b) Disaster Recovery: Virtual machines can be used as "hot standby" environments for physical production servers. This helps to take over or shift the load of a physical server to a virtual server in case of disaster or shutdown of the physical server.

c) Testing and Training: Hardware virtualization also helps to provide training platforms, as these offer a combination of multiple resources without affecting the working of underlying physical resources. This can be very useful, for example in kernel development and operating system courses.

d) Portable Applications: Portable applications are needed when running an application from a removable drive, without installing it on the system's main disk drive.

e) Portable Workspaces: Recent technologies have used virtualization to create portable workspaces on devices like iPods and USB memory sticks.

2. Explain different types of virtualization

· Hardware Virtualization: (Nov 14)

§ Hardware Virtualization or Platform Virtualization refers to the creation of a virtual machine that acts like a real computer with an operating system.

§ Software executed on these virtual machines is separated from the underlying hardware resources. For example, a computer that is running Microsoft Windows may host a virtual machine that looks like a computer with the Linux operating system; Linux-based software can be run on the virtual machine.

§ The basic idea of Hardware virtualization is to consolidate many small physical servers into one large physical server so that the processor can be used more effectively. The software that creates a virtual machine on the host hardware is called a hypervisor or Virtual Machine Manager. The hypervisor controls the processor, memory and other components by allowing several different operating systems to run on the same machine. Each operating system running on the machine will appear to have its own processor, memory and other components.

· Network Virtualization: (PM) (May 15)

§ Network virtualization is a method of combining the available resources in a network by splitting up the available bandwidth into channels, each of which is independent from the others, and each of which can be assigned (or reassigned) to a particular server or device in real time.

§ This allows a large physical network to be provisioned into multiple smaller logical networks and conversely allows multiple physical LANs to be combined into a larger logical network.

§ This behavior allows administrators to improve network traffic and enterprise security.

§ Network virtualization involves platform virtualization, often combined with resource virtualization like Network hardware such as switches and network interface cards (NICs); Networks such as virtual LANs (VLANs); Network storage devices; etc. Network virtualization is intended to optimize network speed, reliability, flexibility, and security.

· Storage Virtualization: (PM) (May 16)

§ Storage virtualization is the apparent pooling of data from multiple storage devices, even different types of storage devices, into what appears to be a single device that is managed from a central console.

§ Storage virtualization helps the storage administrator perform the tasks of backup, archiving, and recovery more easily and in less time.

§ Administrators can implement virtualization with software applications or by using hardware and software hybrid appliances. The users or servers connected to the storage system aren’t aware of where the data really is. Storage virtualization is sometimes described as “abstracting the logical storage from the physical storage”.

Grid Computing

3. What is Grid Computing? What are the possible application areas for using grid computing? (PM) (Nov 14)

Grid Computing:

a) This is a computer network in which each computer's resources are shared with every other computer in the system.


b) Processing power, memory and data storage are all community resources that authorized users can tap into and leverage for specific tasks.

c) In Grid computing, every distributed resource (i.e. one which may be located at a different location) is shared in such a way that the grid computing network turns into a powerful supercomputer for processing.

d) In grid computing, every authorized user or computer system gets access to enormous processing power.

Some of the application areas / reasons for using Grid Computing are as follows:

a) Grid computing helps people involved in complex science and engineering research by allowing them to use heterogeneous computing resources, information systems and instruments which are located around the world.

b) Civil engineers work together to design, execute, and analyze shake table experiments (i.e. earthquake experiments for building structures).

c) An insurance company mines data from partner hospitals for fraud detection.

d) An application service provider offloads excess load to a compute cycle provider.

e) An enterprise like Amazon uses grid computing to configure internal and external resources to support e-Business.

4. Explain benefits of grid computing (PM)

· Access to additional resources: Grid computing also gives access to additional resources beyond multiple servers and storage devices, based on requirements.

· Making use of Underutilized Resources: In most organizations, there are large amounts of underutilized computing resources including server machines. Grid computing provides a framework for exploiting these underutilized resources and thus has the possibility of substantially increasing the efficiency of resource usage.

· Resource Balancing: Grid helps to perform resource balancing by using all the resources in an optimum manner to provide efficient performance.

· Parallel CPU capacity: Grid computing helps to use many CPUs of different servers in parallel, which further helps to increase performance.

· Reliability: Grid computing provides a highly reliable working environment, that is, users can work without failure.

· Virtual Resources and Virtual Organization for collaboration: Grid computing helps to provide collaboration among a large number of organizations and a large number of users for performing complex tasks.

· Management: Grid computing offers a range of network management activities including virtualization to increase the effectiveness of the grid network. The grid offers management of priorities among different projects.

5. Explain different types of resources for grid computing

A grid is a collection of machines, referred to as nodes, and devices which form a grid as a whole.

· Computation: This is the most common resource of grid computing. This contains the CPUs which perform the computation or process the given request.

· Storage: This is the second most common resource in a grid. Each machine usually contains some storage, and together a grid uses a large volume of storage resources. Storage can be memory attached to the processor or it can be secondary storage, using hard disk drives or other permanent storage media.

· Communication: This resource helps in data flow between different servers. The bandwidth available for such communications can often be a critical resource that can limit utilization of the grid.

· Software and Licenses: Software is one of the most expensive resources of a grid, and installing software at each server requires software and license.

· Special equipment, capabilities, architecture and policies: A grid uses different architectures, operating systems and devices, and may include machines that are designed for specific types of tasks. For example, some machines may be designated to only be used for medical research.

6. Discuss the constraints that need to be taken into consideration while developing a secured Grid Architecture. (PM) (May 16)

Grid computing requires standard security functions such as Authentication, Access control, Integrity, Privacy and Non-repudiation.

To develop a security architecture, the following constraints need to be considered:

· Single sign-on: A user should be authenticated once and should then be able to acquire resources, use them, release them and communicate internally without any further authentication.


· Protection of credential: User’s password and private key should be protected.

· Support for secure group communication: There should be secure group communication to provide coordinated activities for a group.

· Support for multiple implementations: There should be a security policy which provides common security to multiple resources / installations based on public and private key cryptography.

· Interoperability with local security solutions: Access to local resources should be governed by a local security policy at the local level. Rather than modifying every local resource, there is an inter-domain security server for providing security to local resources.
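The single sign-on, credential-protection and local-policy constraints above, as an added sketch that is not part of the original notes: a hypothetical inter-domain security server authenticates the user once and issues a short-lived token, which each resource verifies before applying its own local policy. HMAC from the Python standard library stands in for the public/private key signatures the notes mention; all names (`SecurityServer`, `GridResource`, the user and the key) are assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
import time


def _hash_password(password, salt):
    # Protection of credential: only a salted, slow hash of the password is stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class SecurityServer:
    """Hypothetical inter-domain security server: one login, then tokens."""

    def __init__(self, signing_key, ttl_seconds=300):
        self._key = signing_key
        self._ttl = ttl_seconds
        self._users = {}  # username -> (salt, password hash)

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _hash_password(password, salt))

    def login(self, username, password, now=None):
        """Return a signed, time-limited token, or None if authentication fails."""
        record = self._users.get(username)
        if record is None:
            return None
        salt, stored = record
        if not hmac.compare_digest(stored, _hash_password(password, salt)):
            return None
        now = time.time() if now is None else now
        claims = {"sub": username, "exp": now + self._ttl}
        body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode())
        tag = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + tag


def verify_token(token, key, now=None):
    """Return the user name if the token is authentic and unexpired, else None."""
    try:
        body, tag = token.split(".")
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        # Check integrity before parsing anything the caller supplied.
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return None
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, AttributeError):
        return None
    now = time.time() if now is None else now
    if claims["exp"] < now:
        return None
    return claims["sub"]


class GridResource:
    """A grid node: trusts the server's tokens, keeps its own local policy."""

    def __init__(self, name, key, local_acl):
        self.name = name
        self._key = key
        self._acl = local_acl  # user -> set of actions, decided locally

    def request(self, token, action, now=None):
        user = verify_token(token, self._key, now)
        if user is None:
            return "denied: invalid or expired token"
        if action not in self._acl.get(user, set()):
            return "denied: local policy"
        return f"ok: {user} may {action} on {self.name}"


def demo():
    key = os.urandom(32)  # constructed key shared by server and resources
    server = SecurityServer(key, ttl_seconds=300)
    server.register("asha", "correct horse battery")  # constructed user
    compute = GridResource("compute-01", key, {"asha": {"submit_job"}})
    storage = GridResource("storage-01", key, {"asha": {"read", "write"}})
    # Single sign-on: the password is presented once, here and nowhere else.
    token = server.login("asha", "correct horse battery", now=1000)
    return [
        compute.request(token, "submit_job", now=1010),
        storage.request(token, "write", now=1020),
        storage.request(token, "delete", now=1030),      # blocked by local ACL
        compute.request(token, "submit_job", now=2000),  # token expired at 1300
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

With a shared HMAC key, any resource that can verify a token could also forge one; with public/private key signatures the resources would hold only the verification key.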

Cloud Computing

7. What is Cloud Computing?

· It is a network technique which helps organizations to share resources using the Internet.

· Cloud Computing is the use of various services, such as software development platforms, servers, storage, and software, over the Internet, often referred to as the "cloud."

· The best example of cloud computing is Google Apps, where any application can be accessed using a browser and it can be deployed on thousands of computers through the Internet. Other examples: Apple iCloud, Amazon web services etc.

8. What are the Characteristics of Cloud Computing? (PM) (May 15)

a) Elasticity and Scalability: Gives us the ability to expand and reduce resources according to the specific service requirement.

b) Pay-per-Use: We pay for cloud services only when we use them, either for the short term or for a longer duration.

c) On-demand: Because we invoke cloud services only when we need them, they are not permanent parts of the IT infrastructure. This is a significant advantage for cloud use as opposed to internal IT services. With cloud services there is no need to have dedicated resources waiting to be used, as is the case with internal services.


d) Resiliency: The resiliency of a cloud service offering can completely isolate the failure of server and storage resources from cloud users. Work is migrated to a different physical resource in the cloud with or without user awareness and intervention.

e) Multi Tenancy / Sharing: Public cloud service providers often can host the cloud services for multiple users within the same infrastructure.

f) Workload Movement: This characteristic is related to resiliency and cost considerations. Here, cloud-computing providers can migrate workloads across servers both inside the data center and across data centers (even in a different geographic area). This migration might be necessitated by cost.

9. Advantages of Cloud Computing

· Achieve economies of scale: Volume output or productivity can be increased even with fewer systems, thereby reducing the cost per unit of a project or product.

· Globalize the workforce: People worldwide can access the cloud with an Internet connection.

· Streamline business processes: Getting more work done in less time with fewer resources is possible.

· Reduce capital costs: It is not required to spend huge money on hardware, software, or licensing fees.

· Pervasive accessibility: Data and applications can be accessed any time, anywhere, using any smart computing device, making our life so much easier.

· Monitor projects more effectively: It is feasible to stay within budgetary allocations and be ahead of completion cycle times.

· Less personnel training is needed: It takes fewer people to do more work on a cloud, with a minimal learning curve on hardware and software issues.

· Minimize maintenance and licensing software: As there are not many on-premise computing resources, maintenance becomes simple, and updates and renewals of software systems rely on the cloud vendor or provider.

· Improved flexibility: It is possible to make fast changes in our work environment without serious issues at stake.

10. Drawbacks of Cloud Computing:

· If the Internet connection is lost, the link to the cloud, and thereby to the data and applications, is lost.

· Security is a major concern, as the entire working with data and applications depends on other cloud vendors or providers.

· Although Cloud computing supports scalability (i.e. quickly scaling up and down computing resources depending on the need), it does not permit control over these resources, as these are not owned by the user or customer.

· Depending on the cloud vendor or provider, customers may have to face restrictions on the availability of applications, operating systems and infrastructure options.


· Interoperability (ability of two or more applications that are required to support a business need to work together by sharing data and other business-related resources) is an issue wherein all the applications may not reside with a single cloud vendor and two vendors may have applications that do not cooperate with each other.

11. What are the different types of cloud computing environments.

Types of clouds

· Cloud architecture typically involves multiple cloud components.
· The cloud computing environment can consist of multiple types of clouds based on their deployment and usage. Such typical Cloud computing environments, catering to special requirements, are briefly described as follows:

Public Clouds (Can be asked as a separate question: What is public cloud and its advantages) [PM]

· This environment can be used by the general public.
· This includes individuals, corporations and other types of organizations. Typically, public clouds are administered by third parties or vendors over the Internet, and the services are offered on a pay-per-use basis.
· These are also called provider clouds.
· Public cloud consists of users from all over the world, wherein a user can simply purchase resources on an hourly basis and work with the resources which are available in the cloud provider’s premises.

· Characteristics of Public Cloud are as follows:
§ Highly Scalable: The resources in the public cloud are large in number and the service providers make sure that all requests are granted.
§ Highly Available: It is highly available because anybody from any part of the world can access the public cloud with proper permission.
§ Affordable: The cloud is offered to the public on a pay-as-you-go basis; hence the user has to pay only for what he or she is using (using on a per-hour basis).
§ Less Secure: Since it is offered by a third party and they have full control over the cloud, the public cloud is less secure than all the other models.
§ Stringent SLAs: As the service provider’s business reputation and customer strength are totally dependent on the cloud services, they follow the SLAs strictly and violations are avoided.

· The advantages of public cloud include the following:
§ They are available at affordable costs.
§ It allows the organizations to deliver highly scalable and reliable applications rapidly and at more affordable costs.
§ There is no need for establishing infrastructure for setting up and maintaining the cloud.
§ Strict SLAs are followed.
§ There is no limit for the number of users.

· The limitations of public cloud include the following:
§ Security assurance and thereby building trust among the clients.


§ Further, privacy and organizational autonomy are not possible.

Private Clouds (Can be asked as a separate question: What is private cloud and its advantages) [PM]

· This cloud computing environment resides within the boundaries of an organization and is used exclusively for the organization’s benefits. These are also called internal clouds.

· Private Clouds can either be private to the organization and managed by the single organization (On-Premise Private Cloud) or can be managed by a third party (Outsourced Private Cloud).

· They are built primarily by IT departments within enterprises.

· Characteristics of Private cloud:
§ Secure: The private cloud is secure as it is owned and managed by the organization itself, and hence there is least chance of data being leaked out of the cloud.
§ Central Control: Since the private cloud is managed by the organization itself, there is no need for the organization to rely on anybody and it is controlled by the organization itself.
§ Weak Service Level Agreements (SLAs): SLAs play a very important role in any cloud services. In a private cloud, formal SLAs either do not exist or are weak, as they are between the organization and users of the same organization.

· The advantages of private clouds include the following:
§ They improve average server utilization.
§ They reduce operations costs and administrative overheads.
§ It provides a high level of security and privacy to the user.
§ It is small in size and controlled and maintained by the organization.

· The limitations of private clouds include the following:
§ IT teams in the organization may have to invest separately in buying, building and managing the clouds. Budget is a constraint in private clouds.
§ They have loose SLAs.

Hybrid Clouds [PM]

· This is a combination of at least one private (internal) and at least one public (external) cloud computing environment.

· The usual method of using the hybrid cloud is to have a private cloud initially, and then for additional resources, the public cloud is used. The hybrid cloud can be regarded as a private cloud extended to the public cloud and aims at utilizing the power of the public cloud while retaining the properties of the private cloud.

· Characteristics of Hybrid Cloud are as follows:
§ Scalable: The hybrid cloud has the property of a public cloud with a private cloud environment, and as the public cloud is scalable, the hybrid cloud is also scalable.
§ Partially Secure: The private cloud is considered secure and the public cloud has a high risk of security breach. The hybrid cloud is thus partly secure.


§ Stringent SLAs: Overall the SLAs are more stringent than the private cloud and might be as per the public cloud service providers.
§ Complex Cloud Management: Cloud management is complex as it involves more than one type of deployment model.

· The advantages of Hybrid Cloud include the following:
§ It is highly scalable and gives the power of both private and public clouds.
§ It provides better security than the public cloud.

· The limitations of Hybrid Cloud include the following:
§ Security features are not as good as the private cloud.
§ It is complex to manage.

Community cloud

· The community cloud is the cloud infrastructure that is provisioned for exclusive use by a specific community of consumers. It may be owned, managed, and operated by one or more of the organizations in the community.

· In this, a private cloud is shared between several organizations. This model is suitable for organizations that cannot afford a private cloud and cannot rely on the public cloud either.

· Characteristics of Community Clouds are as follows:
§ Collaborative: In this, no single company has full control over the whole cloud. Hence better cooperation provides better results.
§ Partially Secure: In a community cloud, a few organizations share the cloud, so there is a possibility that data can be leaked from one organization to another, though it is safe from the external world.
§ Cost Effective: As the complete cloud is being shared by several organizations or a community, not only does the responsibility get shared; the community cloud becomes cost effective too.


· Advantages of Community Clouds are as follows:
§ It allows establishing a low-cost private cloud.
§ It allows collaborative work on the cloud.
§ It allows sharing of responsibilities among the organizations.
§ It has better security than the public cloud.

· Limitations of Community Clouds are as follows:
§ Autonomy of the organization is lost.
§ Security features are not as good as the private cloud.
§ It is not suitable in the cases where there is no collaboration.

12. Explain various cloud computing models / service models [PM]

· Cloud computing is a model that enables the end users to access a shared pool of resources such as compute, network, storage, database and application as an on-demand service without the need to buy or own it. The services are provided and managed by the service provider, reducing the management effort from the end user side. The essential characteristics of the cloud include on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. The National Institute of Standards and Technology (NIST) defines three basic service models: Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).

(A) Infrastructure as a Service (IaaS)

· IaaS, a hardware-level service, provides computing resources such as processing power, memory, storage, and networks for cloud users.
· This allows users to maximize the utilization of computing capacities without having to own and manage their own resources.
· IaaS changes the computing from a physical infrastructure to a virtual infrastructure, i.e. it offers virtual machines and other services.
· The users need not maintain physical servers, as these are maintained by the service provider.
· IaaS providers provide the infrastructure / storage required to host the services by the cloud clients.
· In order to deploy their applications, cloud clients install operating systems and their application software on the cloud infrastructure.

Characteristics of IaaS are as follows:


§ Web access: The IaaS model enables the IT users to access infrastructure resources over the Internet. The IT user need not get physical access to the servers.
§ Centralized management: The resources distributed across different parts are controlled from any centralized management console that ensures effective resource utilization.
§ Highly scalable: Depending on the load, IaaS services can provide the resources and services. The usage of resources can be increased or decreased according to the requirements.
§ Shared infrastructure: IaaS follows a one-to-many delivery model and allows multiple IT users to share the same physical infrastructure and thus ensure high resource utilization.

§ Metered Services: Services are available on pay per use basis.

The different instances of IaaS are as follows:
§ Network as a Service (NaaS): NaaS provides users with needed data communication capacity. It is an ability given to the end users to access virtual network services on a pay-per-use basis. NaaS offers virtual network components like virtual network interface cards (NICs), virtual routers, virtual switches, and other networking components. NaaS providers operate using three common service models: Virtual Private Network (VPN), Bandwidth on Demand (BoD) and Mobile Virtual Network (MVN).
§ Storage as a Service (STaaS): STaaS provides storage infrastructure on a subscription basis to users who want a low-cost and convenient way to store data, synchronize data across multiple devices, manage off-site backups, mitigate risks of disaster recovery, and preserve records for the long term. STaaS allows the end users to access the files at any time from any place.
§ Database as a Service (DBaaS): DBaaS provides users with mechanisms to create, store, and access databases at a host site on demand. It is an ability given to the end users to access the database service on a pay-per-use basis without the need to install and maintain it.

(B) Platform as a Service (PaaS)
· PaaS provides the users the ability to develop an application software on the development platform provided by the service provider.
· In traditional application development, the application will be developed locally and will be hosted in the central location. PaaS changes the application development from local machine to online. (For Ex: Google AppEngine, Windows Azure Compute etc.)
· Cloud providers deliver a computing platform including operating system, programming language, software development tools, database etc.

(C) Software as a Service (SaaS)
· SaaS provides ability to the end users to access an application over the Internet that is hosted and managed by the service provider. Thus, the end users are exempted from managing or controlling an application, the development platform, and the underlying infrastructure.
· SaaS changes the way the software is delivered to the customers. In the traditional software model, the software is delivered as a license-based product that needs to be installed in the end user device.


· Since SaaS is delivered as an on-demand service over the Internet, there is no need to install the software on the end user's devices. SaaS services can be accessed or disconnected at any time based on the end user's needs.
· SaaS enables users to access a large variety of applications over the Internet that are hosted on the service provider's infrastructure.
· For example, one can make one's own word document in Google Docs online. Similarly, one can edit a photo online on pixlr.com, without the need to install the photo editing software on his/her system.

The different instances of SaaS are as follows:
§ Testing as a Service (TaaS): This provides users with software testing capabilities such as generation of test data or test cases, execution of test cases and test result evaluation on a pay-per-use basis.
§ API as a Service (APIaaS): This allows users to explore functionality of Web services such as Google Maps, Payroll processing, and credit card processing services etc.
§ Email as a Service (EaaS): This provides users with an integrated system of emailing, office automation, records management, migration, spam blocking, malware protection etc.

Other cloud service models

Communication as a Service (CaaS):
· CaaS is an outsourced enterprise communication solution that can be leased from a single vendor.
· The CaaS vendor is responsible for all hardware and software management and offers guaranteed Quality of Service (QoS).
· Examples are: Voice over IP (VoIP), Instant Messaging (IM), Collaboration and Videoconferencing applications using fixed and mobile devices.

Data as a Service (DaaS):
· DaaS provides data on demand to a diverse set of users, systems or applications. The data may include text, images, sounds, and videos. DaaS users have access to high-quality data in a centralized place and pay by volume or data type, as needed. However, as the data is owned by the providers, users can only perform read operations on the data. DaaS is highly used in geography data services and financial data services.

Security as a Service (SECaaS):
· It is an ability given to the end user to access the security service provided by the service provider on a pay-per-use basis. It is a new approach to security. Ex: Email filtering, Web content filtering, Vulnerability management and Identity management.

Identity as a Service (IDaaS):
· Such providers offer identification and authentication services to the infrastructure used by the service provider or end user. Generally, IDaaS includes authentication services, event monitoring, sign-on services etc.


Mobile Computing

13. What is mobile computing and components of mobile computing. [PM]

Meaning:
· It refers to the technology that allows transmission of data via any portable device without having to be connected to a fixed physical link.

Components of Mobile Computing:
Mobile computing involves Mobile Communication, Mobile Hardware and Mobile Software:

a) Mobile Communication:
· Refers to the infrastructure put in place to ensure that seamless and reliable communication goes on.
· These would include devices such as Protocols, Services, Bandwidth and Portals necessary to facilitate and support the stated services.

b) Mobile Hardware:
· It includes mobile devices or device components that receive or access the service of mobility.
· They would range from Portable laptops, Smart phones, Tablet PCs to Personal Digital Assistants.
· These devices will have receptors that are capable of sensing and receiving signals.

c) Mobile Software:
· It is the actual Program that runs on the mobile hardware.
· This is the engine of that mobile device. In other terms, it is the essential component that makes the mobile device operate.
· Example: Apple iOS, Google Android, Blackberry Operating system.

14. How Mobile Computing Works.

· The user enters or accesses data using the application on a handheld computing device.
· Using one of several connecting technologies, the new data are transmitted from the handheld to the server system, where files are updated and the new data are accessible to other system users.
· Now both systems (handheld and server computer) have the same information and are in sync.
· The process works the same way starting from the other direction.

15. Explain various mobile computing benefits. (PM)

· It provides mobile workforce with remote access to work order details, such as work order location, contact information, required completion date, relevant warranties / service contracts.
· It enables mobile sales personnel to update work order status in real-time.
· It facilitates access to corporate information at any time, from anywhere.
· It provides remote access to the corporate Knowledge base at the job location.
· It enables to improve management effectiveness by enhancing information quality, information flow.


16. Limitations of Mobile Computing

· Insufficient Bandwidth: Mobile Internet access is generally slower than direct cable connections. These networks are usually available within limited range of commercial cell phone towers.
· Power consumption: When a power outlet is not available, mobile computers must rely entirely on battery power.
· Transmission interferences: Weather, terrain, and the range from the nearest signal point can all interfere with signal reception. Reception in tunnels, some buildings, and rural areas is often poor.
· Potential health hazards: People who use mobile devices while driving are often distracted from driving, which results in traffic accidents. Cell phones may interfere with sensitive medical devices. There are allegations that cell phone signals may cause health problems.
· Human interface with device: Screens and keyboards tend to be small, which may make them hard to use. Alternate input methods such as speech or handwriting recognition require training.
· Security: When using mobile, one has to be dependent on a public network i.e. the Internet. Security is a major concern as one can easily attack a public network, including VPN.

Green IT

17. What is green IT and steps to be followed for green IT (PM)

Meaning:
· Green IT refers to the study and practice of establishing / using computers and IT resources in a more efficient and environmentally friendly and responsible way.
· Computers consume a lot of natural resources, from the raw materials needed to manufacture them, the power used to run them, and the problems of disposing them at the end of their life cycle. Green computing is the environmentally responsible use of these computers and related resources.

18. List down green computing best practices.

Some of the steps for Green IT include the following:

· Develop a sustainable Green Computing plan:
§ Involve stakeholders to include checklists, recycling policies, recommendations for disposal of used equipment, government guidelines etc.
§ Encourage the IT community for using the best practices.
§ On-going communication is required towards continuous commitment of green IT.
§ Include power usage, reduction of paper consumption, as well as recommendations for new equipment and recycling old machines.
§ Use cloud computing so that multiple organizations share the same computing resources, thus increasing the utilization by making more efficient use of hardware resources.


· Recycle:
§ Dispose e-waste according to central, state and local regulations;
§ Discard used or unwanted electronic equipment in an environmentally responsible manner as computers emit harmful emissions;
§ Manufacturers must offer safe end-of-life recycling options; and
§ Recycle computers through manufacturer's recycling services.

· Make environmentally sound purchase decisions:
§ Purchase of desktop computers, notebooks and monitors based on environmental attributes;
§ Provide a set of performance criteria for the design of products;
§ Recognize manufacturer to reduce the environmental impact of products by reducing or eliminating environmentally sensitive materials; and
§ Use Server and storage virtualization that can help to improve resource utilization, reduce energy costs and simplify maintenance.

· Reduce Paper Consumption:
§ Reduce paper consumption by use of e-mail;
§ Use of "track changes" feature in electronic documents, rather than corrections on paper;
§ Use online marketing or e-mail marketing rather than paper based marketing; that are greener, more affordable, flexible and low-cost; and
§ While printing documents, make sure to use both sides of the paper, recycle regularly, use smaller fonts and margins, and selectively print required pages.

· Conserve Energy:
§ Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT) monitors;
§ Use notebook computers rather than desktop computers whenever possible;
§ Use the power-management features to turn off displays after several minutes of inactivity;
§ Power-down the CPU and all peripherals during extended periods of inactivity;
§ Power-up and power-down energy-intensive peripherals such as laser printers according to need;
§ Employ alternative energy sources for computing workstations, servers, networks and data centers; and
§ Adapt more of video conferencing in order to go green and save energy.

Bring your own device

19. What is BYOD [PM]

· BYOD (Bring Your Own Device) refers to business policy that allows employees to use their preferred computing devices, like smart phones and laptops for business purposes.
· It means employees are welcome to use personal devices (laptops, smart phones, tablets etc.) to connect to the corporate network to access information and application.
· The BYOD policy has rendered the workspaces flexible, empowering employees to be mobile and giving them the right to work beyond their required hours.


20. Explain advantages of BYOD

· Happy Employees: Employees love to use their own devices when at work. This also reduces the number of devices an employee has to carry; otherwise he would be carrying his personal as well as organization provided devices.
· Increased employee efficiency: The efficiency of employees is more when the employee works on his / her own device. Apart from it, the employee is not required to spend much time on training.
· Lower IT budgets: This could involve financial savings to the organization since employees would be using the devices they already possess, thus reducing the outlay of the organization in providing devices to them.
· Reduces IT support requirement: The IT department does not have to provide end user support and maintenance for all these devices, resulting in cost savings.
· Early adoption of new Technologies: Employees are generally proactive in adoption of new technologies that result in enhanced productivity of employees.

21. Explain emerging BYOD threats

Every business decision is accompanied by a set of threats, and this is so with a BYOD program also. A BYOD program that allows access to corporate network, emails, client data etc. is one of the top security concerns for enterprises. Overall, these risks can be classified into four areas as outlined below:

1. Network Risks

· When company-owned devices are used by all employees within an organization, the organization's IT practice has complete visibility of the devices connected to the network. This helps to analyze traffic and data exchanged over the Internet. But if the company has a policy of BYOD, it would permit the employees to carry their own devices (smart phones, laptops for business use). In that scenario, the IT practice team may be unaware of the number of devices being connected to the network. As network visibility is of high importance, this lack of visibility can be hazardous.

2. Device Risks

· A lost or stolen device can result in an enormous financial and reputational embarrassment to an organization as the device may hold sensitive corporate information.
· With easy access to company emails as well as corporate intranet, company trade secrets can be easily retrieved from a misplaced device.

3. Application Risks

· Majority of employees' phones and smart devices that were connected to the corporate network weren't protected by security software.
· With an increase in mobile usage, mobile vulnerabilities have increased concurrently.
· Organizations are not clear in deciding 'who is responsible for device security: the organization or the user'.


4. Implementation Risks

· The effective implementation of the BYOD program should not only cover the technical issues mentioned above but also mandate the development of a robust implementation policy.
· Because corporate knowledge and data are key assets of an organization, the absence of a strong BYOD policy would fail to communicate employee expectations, thereby increasing the chances of device misuse.
· In addition to this, a weak policy fails to educate the user, thereby increasing vulnerability to the above mentioned threats.
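
The visibility gap described under Network Risks can be narrowed by reconciling DHCP leases against the managed-device inventory. The following is an added example, not part of the original notes; the inventory, the lease records and the function names are constructed for illustration.

```python
"""Flag devices on the network that are missing from the managed inventory."""
import csv
import io

# Constructed inventory of company-managed devices (MAC -> asset name).
MANAGED = {
    "3c:22:fb:10:aa:01": "finance-laptop-01",
    "3c:22:fb:10:aa:02": "hr-laptop-07",
}

# Constructed DHCP lease export. MAC formats differ between vendors.
LEASES_CSV = """\
time,mac,ip,hostname
2024-03-04T09:01:12,3C-22-FB-10-AA-01,10.0.5.21,finance-laptop-01
2024-03-04T09:03:40,a4:83:e7:5b:19:c2,10.0.5.77,Galaxy-S21
2024-03-04T09:05:02,DA:A1:19:00:4F:3E,10.0.5.78,iPhone
2024-03-04T09:30:55,a4:83:e7:5b:19:c2,10.0.5.77,Galaxy-S21
2024-03-04T10:12:09,3c22.fb10.aa02,10.0.5.22,hr-laptop-07
"""


def normalize_mac(raw):
    """Return a MAC as lowercase colon-separated hex, or None if malformed."""
    digits = raw.strip().lower()
    for sep in (":", "-", "."):
        digits = digits.replace(sep, "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set.

    Phones that randomize their Wi-Fi address per network set this bit, so
    such a device cannot be matched to an inventory by MAC alone.
    """
    return bool(int(mac[:2], 16) & 0x02)


def find_unmanaged(leases_csv, managed):
    """Return one record per MAC that holds a lease but is not in inventory."""
    managed_norm = {normalize_mac(m) for m in managed}
    seen = {}
    for row in csv.DictReader(io.StringIO(leases_csv)):
        mac = normalize_mac(row["mac"])
        if mac is None or mac in managed_norm:
            continue  # malformed rows and managed devices are not reported
        entry = seen.setdefault(mac, {
            "mac": mac,
            "hostname": row["hostname"],
            "first_seen": row["time"],
            "lease_count": 0,
            "randomized_mac": is_locally_administered(mac),
        })
        entry["lease_count"] += 1
    return sorted(seen.values(), key=lambda e: e["first_seen"])


if __name__ == "__main__":
    for device in find_unmanaged(LEASES_CSV, MANAGED):
        print(device)
```

Devices flagged with a randomized MAC need another identifier, such as an enrolment certificate, before they can be tied to an employee.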

22. Explain Web 3.0

The term Web 3.0, also known as the Semantic Web, describes sites wherein the computers generate raw data on their own without direct user interaction. Web 3.0 is considered as the next logical step in the evolution of the Internet and Web technologies. For Web 1.0 and Web 2.0, the Internet is confined within the physical walls of the computer, but as more and more devices such as smartphones, cars and other household appliances become connected to the web, the Internet will be omnipresent and could be utilized in the most efficient manner.

Web 3.0 technology uses the "Data Web" Technology, which features the data records that are publishable and reusable on the web through queryable formats. The Web 3.0 standard also incorporates the latest research in the field of artificial intelligence.

The two major components of Web 3.0 are as follows:
§ Semantic Web: This provides the web user a common framework that could be used to share and reuse the data across various applications, enterprises, and communities. This allows the data and information to be readily intercepted by machines, so that the machines are able to take decisions on their own by finding, combining and acting upon relevant information on the web.
§ Web Services: It is a software system that supports computer-to-computer interaction over the Internet. For example: Social media interacting with other applications like Google Drive, Instagram etc.

To conclude, Web 3.0 helps to achieve more connected, open and intelligent web applications using the concepts of natural language processing, machine learning, machine reasoning and autonomous agents.

23. Explain Internet of Things (IoT)

Definition: The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, people that are provided with unique identifiers and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.

For example:
Washing machines with Wi-Fi networking capabilities can connect themselves to home Wi-Fi. Once these machines are so connected, they can be controlled through the machine manufacturer's mobile app from anywhere in the world.


Applications: Some of the applications are as follows:

1. All home appliances to be connected, and that shall create a virtual home.
a. Home owners can keep track of all activities in the house through their hand held devices.
b. Home security CCTV is also monitored through hand held devices.

2. Office machines shall be connected through the net.
a. Human resource managers shall be able to see how many people have had a cup of coffee from the vending machine and how many are present.
b. How many printouts are being generated through the office printer?

3. Governments can keep track of resource utilisations / extra support needed.
a. Under SWACHH mission, government can tag all dustbins with IoT sensors. They (dustbins) generate a message once they are full. Being connected to Wi-Fi, they can intimate the cleaning supervisor of the Municipal Corporation so that the bin can be emptied.

4. As a research study, individuals have got themselves implanted with electronic chips in their bodies. This chip allows him / her to connect to home / office Wi-Fi. Once connected, the person can enter home / office and perform designated functions. This chip becomes the individual's authentication token. The whole world becomes a connected world. The above may read like science fiction, but the same is reality.

Risks: Internet of Things is an evolving phenomenon. The risks listed are those which are most discussed for IoT today. As technology evolves, issues shall crop up. The risk due to IoT has various facets to it:

(A) Risk to Product manufacturer
Manufacturers may be out of business in a few years if IoT becomes a necessary product feature.
Data storage and analytics: The manufacturers will need to ensure that the huge data generated from IoT devices is kept secured. Hacking / losing this data may be distractors for the entity as well as the individual to whom it relates.

(B) Risk to user of these products
· Security: This is the greatest risk due to IoT. As home devices / office equipment are connected to the network, they shall be hit by all network related risks, including hacking, virus attacks, stealing confidential data etc.
· Privacy, autonomy and control: There is a huge risk that individuals may lose control over their personal life. Their personal life can be hacked and made public. The other major concern is who has the ownership of this personal data. For example: A person daily eats a burger at 12.00 in the night and takes a bottle of chilled hard drink with it. S/he uses his / her mobile to operate the griller and refrigerator. The griller and refrigerator are both sold by, say, XYZ Ltd. This data is available on the XYZ database.
§ Who owns this information?
§ The data can be used by insurance companies to deny an insurance claim saying the person was a habitual drinker, or to raise his / her medical insurance premium as the person is having a risky life style.


The above illustrates the big risk IoT may create for individuals.
· Intentional obsolescence of devices: This may happen due to:
§ Companies which want to bring a new product may force users to dump the old products. This they can do by disabling the operating software of the old product.

(C) Technology Risk
Platform fragmentation and lack of technical standards are situations where the variety of IoT devices, in terms of both hardware variations and differences in the software running on them, makes the task of developing applications tough.

(D) Environmental Risk due to Technology
These studies are being done to see the impact on house air quality, due to use of heavy earth metals in devices. There is no definitive data available as of now, but the risk is being considered.

24. Explain Artificial Intelligence

Definition: Intelligence, as defined in Chambers dictionary: "The ability to use memory, knowledge, experience, understanding, reasoning, imagination and judgement to solve problems and adapt to new situations". The ability described above, when exhibited by machines, is called Artificial Intelligence (AI). It is intelligence exhibited by machines. For example:
i. This technology is being used in autonomous vehicles, the Google car.
ii. Apple online assistant Siri is supposed to use it.

Applications:
Artificial Intelligence is being used in the following applications:
§ Autonomous vehicles (such as drones and self-driving cars);
§ Medical diagnosis, in cancer research. Predicting the chances of an individual getting ill by a disease;
§ Proving mathematical theorems;
§ Playing games (such as Chess or Go), and predicting the outcomes. Say which number on a lottery ticket may win;
§ Search engines (such as Google search);
§ Online assistants (such as Siri).

Risks:
1. AI relies heavily on the data it gets. Incorrect data can lead to incorrect conclusions.
2. AI (robots) carries security threats. Countries are discussing having a KILL button in all AI capable machines. This is important, otherwise someday machines may start controlling humans.
3. AI in the long term may kill human skills of thinking the unthinkable. All data shall be processed in a structured manner, where machines shall provide solutions based on their learning over a period of time. These machines shall not have the capability of thinking out of the box.

Controls: The set of controls in AI will be extremely complex because of the nature of processing of information and must be dealt with based on the nature of the AI tool and the purpose, etc.


25. Explain Machine Learning

Definition: Machine Learning is a type of Artificial Intelligence (AI) that provides computers with the ability to learn without being explicitly programmed. Machine learning focuses on the development of computer programs that can change when exposed to new data. The process of machine learning is similar to that of data mining. For example:
§ Machine learning has been used for image, video, and text recognition, as well as serving as the power behind recommendation engines. Apple Siri is a good example.
§ This technology is being used in autonomous vehicles, the Google car.

Applications: Virtually all applications of AI use Machine Learning so that some value is added. It includes specifically the following applications:
§ Autonomous vehicles (such as drones and self-driving cars);
§ Medical diagnosis, in cancer research. Predicting the chances of an individual getting ill by a disease;
§ Playing games (such as Chess or Go), and predicting the outcomes. Say which number on a lottery ticket may win;
§ Search engines (such as Google search);
§ Online assistants (such as Siri).

Risk: Machine learning being an application based on AI, the nature of risk to it remains similar to those posed by AI systems.

Page 226: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 227: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������


CHAPTER-5 CORE BANKING SYSTEMS

CHAPTER OVERVIEW

CORE BANKING SYSTEMS (CBS)

Components

Architecture

Working of CBS

Related Risks and Controls

Banking Services

Business Process Flow of key bank products

Data Analytics and Business Intelligence

Applicable Regulatory and Compliance Requirements

Risk Assessment and Risk Management Process

CASA

Credit Cards

Loans and Trade Finance

Treasury Process

Mortgages

Internet Banking Process

E-Commerce Transaction Processing

Core Banking Solution / System (CBS)

Introduction

· CORE stands for ‘Centralized online real-time environment’ banking system.

· CBS refers to a common IT solution wherein a central shared database supports the entire banking application. Business processes in all the branches of a bank update a common database in a central server located at a Data Center, which gives a consolidated view of the bank’s operations.

· It allows bank branches to access applications from centralized data centers.

· These systems run on a 24*7 basis to support Internet banking, global operations, mobile banking and real-time transactions via ATM, Internet, phone, etc.

· CBS is centralized banking application software with several components that have been designed to meet the demands of the banking industry. CBS is supported by advanced technology infrastructure and has high standards of business functionality. These factors provide banks with a competitive edge.

· CBS performs core operations of banking like recording of transactions, passbook maintenance, interest calculations on loans & advances, customer records, etc. It will also include deposit accounts, loans, mortgages and payments.

1. Explain key features of banking business

The key features of a banking business are as follows:
· The custody of large volumes of monetary items, including cash and negotiable instruments, whose physical security should be ensured.
· Dealing in large volume (in number, value and variety) of transactions.
· Operating through a wide network of branches and departments, which are geographically dispersed.
· Increased possibility of frauds, as banks directly deal with money, making it mandatory for banks to provide multi-point authentication checks and the highest level of information security.

2. Explain the major products and services provided by commercial banks or Explain the core banking services provided by commercial banks

Some of the major products and services provided and rendered by commercial banks which constitute core banking services are briefly explained here.


· Acceptance of Deposits
  § Deposits involve deposits by customers in various schemes for pre-defined periods.
  § Deposits fuel the growth of banking operations; this is the most important function of a commercial bank.
  § Commercial banks accept deposits in various forms such as term deposits, savings bank deposits, current account deposits, recurring deposits, saving-cum-term deposits and various other innovative products.

· Granting of Advances
  § Advances constitute a major source of lending by commercial banks. The types of advances include cash credit, overdrafts, purchase/ discounting of bills, term loans, etc.
  § Apart from granting traditional facilities, banks also provide facilities like issuance of commercial papers, ECB (External Commercial Borrowing) on behalf of bank/ borrower, securitization of credit sales, housing loans, educational loans, car loans, etc.

· Remittances
  § Remittances involve transfer of funds from one place to another.
  § Two of the most common modes of remittance of funds are demand drafts and Telegraphic/ Mail Transfers (TT/ MT).
  § Drafts are issued by one branch of the Bank and are payable by another branch of the Bank. The drafts are handed over to the applicant. In the case of telegraphic/ mail transfer, no instrument is handed over to the applicant; the transmission of the instrument is the responsibility of the branch. Generally, the payee of both the TT and the MT is an account holder of the paying branch.
  § Electronic Funds Transfer is another mode of remittance which facilitates almost instant transfer of funds between two centers electronically. Most banks have now introduced digital modes of remittance, which make remittance possible online and on mobile devices directly by the customer in a few clicks.

· Collections
  § Collections involve collecting proceeds on behalf of the customer.
  § Customers can lodge various instruments with the banks for collection, such as cheques, drafts, pay orders, dividend and interest warrants, tax refund orders, etc. drawn in their favor.
  § Banks also collect instruments issued by post offices, like national savings certificates, postal orders, etc.


· Clearing
  § Clearing involves collecting instruments on behalf of customers of the bank.
  § Instruments such as cheques, pay orders, etc. may be payable locally or at an outside center. The instruments payable locally are collected through the clearing house mechanism, while the instruments payable outside are sent by the Bank to its branch.
  § The clearing house settles the inter-Bank transactions among the local participating member banks. There may be separate clearing houses for MICR (Magnetic Ink Character Recognition) and non-MICR instruments.
  § Electronic Clearing Services (ECS) is used extensively now for clearing. ECS takes two forms: ECS Credit or ECS Debit.
    - In the case of ECS credit, there is a single receiver of funds from a large number of customers, e.g., public utilities, mutual funds, etc. The beneficiary (i.e., the receiver of funds) obtains a mandate from its customers to withdraw funds from their specified Bank accounts on a specific date.
    - In the case of ECS debit, there is a single account to be debited against which many accounts with a number of banks in the same clearing house area are credited. This system is useful for distribution of dividend/ interest, payment of salaries by large units, etc.

· Letters of Credit and Guarantees
  § Issuing letters of credit and guarantees are two important services rendered by banks to customers engaged in business, industrial and commercial activities.
  § A Letter of Credit (LC) is an undertaking by a bank to the payee (the supplier of goods and/ or services) to pay to him, on behalf of the applicant (the buyer), any amount up to the limit specified in the LC, provided the terms and conditions mentioned in the LC are complied with.
  § Guarantees are required by the customers of banks for submission to the buyers of their goods/ services to guarantee the performance of contractual obligations undertaken by them or satisfactory performance of goods supplied by them.

· Credit Cards
  § It is a service provided by a bank to customers to enable them to pay a merchant for goods and services on a credit basis, based on the customer’s promise to the card issuer to pay them for the amount so paid.
  § Most credit cards issued by banks are linked to one of the international credit card networks like VISA, Master, Amex.


· Debit Cards
  § Debit Cards are issued by the bank where the customer has their account.
  § Debit Cards enable customers to pay at any authorized outlet as well as to withdraw money from an ATM from their account.
  § Debit cards are networked with an inter-bank network. When a debit card is used for a transaction, the amount is immediately deducted from the customer’s account balance.

· Other Banking Services
  § Retail Banking: These are also called front-office operations and cover all operations which provide direct retail services to customers.
  § High Net-worth Individuals (HNI): Banks provide special services to customers classified as High Net-worth Individuals (HNI) based on value of deposits/ transactions.
  § Risk Management: Risks are all pervasive in the banking sector. Risk management should be done at the strategic, tactical, operational and technology areas of the bank. Risk management is best driven as per policy, with detailed standards, procedures and guidelines provided for uniform implementation.
  § Specialized Services: Banks also perform other services such as insurance broking, claims, underwriting, life insurance, non-life insurance, etc. However, these would be offered by separate entities set up by the bank.

3. Explain IT risks & challenges in banks / CBS

(i) Frequent changes or obsolescence of technology: Technology keeps evolving and changing constantly and becomes obsolete very quickly. Hence, there is always a risk that the investment in technology solutions, unless properly planned, may result in loss to the bank due to risk of obsolescence.

(ii) Multiplicity and complexity of systems: The technology architecture used for services could include multiple digital platforms and is quite complex. Hence, this requires the bank to have personnel with requisite technology skills, or the management of the bank’s technology could be outsourced to a company having the relevant skill set.

(iii) Different types of controls for different types of technologies/ systems: Deployment of technology gives rise to new types of risks. These risks need to be mitigated by relevant controls as applicable to the technology/ information systems deployed in the bank.


(iv) Proper alignment with business objectives and legal/ regulatory requirements: Banks must ensure that the CBS and allied systems implemented cater to all the business objectives and needs of the bank, in addition to the legal/ regulatory requirements envisaged.

(v) Dependence on vendors due to outsourcing of IT services: In a CBS environment, the bank requires staff with specialized domain skills to manage IT deployed by the bank. Hence, these services could be outsourced to vendors. The resulting heavy dependency on vendors gives rise to vendor risks, which should be managed by proper contracts, controls and monitoring.

(vi) Segregation of Duties (SoD):
  § Banks have a highly-defined organization structure with clearly defined roles, authority and responsibility. The segregation of duties as per organization structure should be clearly mapped in the CBS used by the bank.
  § This is a high-risk area since any SoD conflict can be a potential vulnerability for fraudulent activities. For example, if a single employee can initiate, authorize and disburse a loan, the possibility of misuse cannot be ignored.

(vii) External threats leading to cyber frauds/ crime:
  § The CBS environment provides access to customers anytime, anywhere using the internet. As a result, there is an increased risk of threats from hackers and others who could access the software to commit frauds/ crime.

(viii) Higher impact due to intentional or unintentional acts of internal employees: Employees in a technology environment are the weakest link in an enterprise. This is much more relevant in a bank, as banks deal directly with money. Hence, employee acts done intentionally or unintentionally may compromise the security of the IT environment.

(ix) Need to ensure continuity of business processes in the event of major disaster: The high dependence on technology makes it imperative to ensure resilience so that failure does not impact banking services. Hence, a documented business continuity plan with adequate technology and information systems should be planned, implemented and monitored.

IT Risks and Risk Assessment


4. Explain Risk, Risk Analysis, Risk Assessment

Risk: The potential harm caused if a threat exploits a particular vulnerability to cause damage to an asset. For example: inadequate security is a vulnerability which could be exploited by a hacker.

Risk Analysis: It is defined as the process of identifying security risks and determining their magnitude and impact on an organization. Information systems can generate many direct and indirect risks.

These risks lead to a gap between the need to protect systems and the degree of protection applied. The gap is caused by:
  § Widespread use of technology;
  § Interconnectivity of systems;
  § Increase in unconventional electronic attacks;
  § Devolution of management and control;
  § External factors such as legislative, legal and regulatory requirements or IT developments.

Risk Assessment: Risks are mitigated by implementing risk assessment. This involves the following:
  o Identification of threats and vulnerabilities in the system;
  o Potential impact or magnitude of harm that a loss of security would have on enterprise operations or enterprise assets; and
  o The identification and analysis of security controls for information systems.

5. Explain the impact of IT Risks

IT risks not only have a direct impact on banks as operational risks but can also promote other risks like credit risks and market risks. Given the increasing reliance of customers on digital delivery channels to conduct transactions, any security related issues have the potential to undermine public confidence in the use of online banking channels and lead to reputation risks to the banks. Inadequate and improper IT implementation can also induce strategic risk in terms of strategic decision making based on inaccurate data/ information. Compliance risk is also an outcome in the event of non-adherence to regulatory or legal requirements arising out of the use of IT.

There are new IT risks which could have a significant impact on critical business operations, such as:

(i) External dangers from hackers, leading to denial of service and virus attacks, extortion and leakage of corporate information.


(ii) Growing potential for misuse and abuse of information systems affecting privacy and ethical values; and increasing requirements for availability and robustness.

(iii) Phishing attacks through Internet Banking. Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and, indirectly, money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.

6. Explain concept of IT Risk Management

Effective risk management begins with a clear understanding of the bank’s risk appetite and identifying high-level risk exposures. After defining risk appetite and identifying risk exposure, strategies for managing risk can be set and responsibilities clarified. Based on the type of risk, the Board and Senior Management may choose to take up any of the following risk management strategies in isolation or combination as required:
· Avoid: Eliminate the risk by not taking up or avoiding the specific business process which involves risk.
· Mitigate: Implement controls (e.g. acquire and deploy security technology to protect the IT infrastructure).
· Transfer: Share risk with partners or transfer to insurance coverage.
· Accept: Formally acknowledge that the risk exists and monitor it.

7. Examples of IT risks relating to banking

Automation makes each of the banking areas prone to different types of risks. Some examples of risks are as follows:

Risks to Data
· Unauthorized data changes affecting integrity of data;
· Absence of logs and audit trail/ logs;
· Unauthorized transactions;
· Unauthorized entry/ corrections/ deletions;
· Transactions without vouchers;
· Changing data using other’s password;
· Willful and wrong inputs; and

Other IT Risks
· Unauthorized or incorrect interest rate changes;
· Incorrect interest computation;
· Incorrect computation of charges;
· Unauthorized increase in credit limits;


· Payment of stopped cheques;
· Payment of duplicate drafts/ Fixed Deposit Certificates issued; and
· Opening of new accounts without complying with KYC (Know Your Customer) norms as specified by RBI.

8. Explain the indicators of higher IT risk

The review of risk assessment and risk management should be done on a regular basis, as risks are dynamic and keep on changing.

Some of the risk indicators are:
· IT security is not given required priority;
· Attitude of “Computer will take care of everything - no checking is required”;
· Lack of transparency of IT operations and responsibility assigned;
· Lack of input control;
· Lack of output verification;
· Lack of access control;
· Lack of audit trails;
· Lack of dual checks for sensitive and high value transactions;
· Lack of documented disaster recovery plan/ contingency plan/ Business Continuity Plan;
· Lack of controls leading to temptation to commit frauds; and
· Over-dependence on long serving ‘trusted’ operators, supervisors, managers, etc.

9. Explain the key indicators of effective IT controls

· The ability to execute and plan new work such as IT infrastructure upgrades required to support new products and services.
· Development projects that are delivered on time and within budget, resulting in cost-effective and better product and service offerings compared to competitors.
· Ability to allocate resources predictably.
· Consistent availability and reliability of information and IT services across the organisation and for customers, business partners, and other external interfaces.
· Clear communication to management of key indicators of effective controls.
· The ability to protect against new vulnerabilities and threats and to recover from any disruption of IT services quickly and efficiently.
· Heightened security awareness on the part of the users and a security conscious culture.


Internal Control System in Banks

10. Give examples of Internal Controls in Banks

Risks are mitigated by implementing internal controls as appropriate to the business environment. These types of controls must be integrated in the IT solution implemented at the bank’s branches.

Some examples of internal controls in a bank branch are given here:
· Work of one staff member is invariably supervised/ checked by another staff member, irrespective of the nature of work (Maker-Checker process).
· A system of job rotation among staff exists.
· Financial and administrative powers of each official/ position are fixed and communicated to all persons concerned.
· All books are to be balanced periodically. Balancing is to be confirmed by an authorized official.
· Details of lost security forms are immediately advised to controlling so that they can exercise caution.
· Fraud prone items like currency, valuables, draft forms, term deposit receipts, traveler’s cheques and other such security forms are in the custody of at least two officials of the branch.

11. Give Examples of IT Controls in Banks

IT risks need to be mitigated by implementing the right type and level of controls in the automated environment. This is done by integrating controls into IT. A sample list of IT related controls is:
· The system maintains a record of all log-ins and log-outs.
· If the transaction is sought to be posted to a dormant (or inoperative) account, the processing is halted and can be proceeded with only with a supervisory password.
· The system checks whether the amount to be withdrawn is within the drawing power.
· Access to the system is available only between stipulated hours and on specified days.
· Individual users can access only specified directories and files. Users should be given access only on a “need-to-know basis” based on their role in the bank. This is applicable for internal users of the bank and customers.
· Exception situations such as limit excess, reactivating dormant accounts, etc. can be handled only with a valid supervisory level password.

· A user timeout is prescribed. This means that after a user logs in and there is no activity for a pre-determined time, the user is automatically logged out of the system.
· Once the end-of-the-day process is over, the ledgers cannot be opened without a supervisory level password.
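The sample IT controls listed above can be sketched in code. The following is an added example, not part of the original notes and not taken from any CBS product: it enforces the access window, the user timeout, the drawing-power check and the supervisory override for dormant accounts and limit excess, and records every log-in, log-out and decision. All class names and policy values are assumptions, and the supervisory password is modelled as a second, active supervisor session.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta

# Assumed policy values: the notes name the controls but give no figures.
ACCESS_DAYS = {0, 1, 2, 3, 4, 5}                    # Monday to Saturday
ACCESS_START, ACCESS_END = time(9, 0), time(18, 0)  # stipulated hours
IDLE_TIMEOUT = timedelta(minutes=10)                # user timeout


@dataclass
class Account:
    number: str
    drawing_power: float   # limit up to which the customer may draw
    drawn: float = 0.0     # amount already drawn against that limit
    dormant: bool = False


@dataclass
class Session:
    user: str
    role: str              # "teller" or "supervisor"
    last_activity: datetime
    active: bool = True


@dataclass
class BranchSystem:
    accounts: dict
    audit_log: list = field(default_factory=list)  # log-ins, log-outs, decisions

    def _log(self, now, user, event, detail=""):
        self.audit_log.append((now.isoformat(), user, event, detail))

    def login(self, user, role, now):
        """Grant a session only inside the stipulated days and hours."""
        in_window = (now.weekday() in ACCESS_DAYS
                     and ACCESS_START <= now.time() <= ACCESS_END)
        if not in_window:
            self._log(now, user, "LOGIN_DENIED", "outside access window")
            return None
        self._log(now, user, "LOGIN")
        return Session(user, role, now)

    def logout(self, session, now, reason="user request"):
        session.active = False
        self._log(now, session.user, "LOGOUT", reason)

    def _alive(self, session, now):
        """Enforce the idle timeout, then refresh the activity timestamp."""
        if not session.active:
            return False
        if now - session.last_activity > IDLE_TIMEOUT:
            self.logout(session, now, "idle timeout")
            return False
        session.last_activity = now
        return True

    def withdraw(self, session, acct_no, amount, now, supervisor=None):
        if not self._alive(session, now):
            return "REJECTED: no active session"
        if amount <= 0:
            return "REJECTED: invalid amount"
        acct = self.accounts[acct_no]
        exceptions = []
        if acct.dormant:
            exceptions.append("dormant account")
        if acct.drawn + amount > acct.drawing_power:
            exceptions.append("limit excess")
        if exceptions:
            # Exception situations proceed only with a supervisor who is
            # logged in, not timed out, and not the user posting the entry.
            reason = f"{acct_no}: {', '.join(exceptions)}"
            approved = (supervisor is not None
                        and supervisor.role == "supervisor"
                        and supervisor.user != session.user
                        and self._alive(supervisor, now))
            if not approved:
                self._log(now, session.user, "HALTED", reason)
                return "HALTED: supervisory authorization required"
            self._log(now, supervisor.user, "OVERRIDE", reason)
        acct.drawn += amount
        self._log(now, session.user, "POSTED", f"{acct_no}: {amount:.2f}")
        return "POSTED"


if __name__ == "__main__":
    # Constructed sample data: one dormant account, a teller and a supervisor.
    bank = BranchSystem({"D1": Account("D1", 1000.0, dormant=True)})
    t0 = datetime(2024, 1, 8, 10, 0)            # a Monday morning
    teller = bank.login("teller1", "teller", t0)
    officer = bank.login("officer1", "supervisor", t0)
    print(bank.withdraw(teller, "D1", 100, t0))
    print(bank.withdraw(teller, "D1", 100, t0, supervisor=officer))
    for row in bank.audit_log:
        print(row)
```
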

Applying IT Controls – General & Application controls

The risks and controls explained earlier in the section should be implemented within IT. Hence, it is important for the bank to identify controls as per the policy, procedures and organization structure of the bank and configure them within the IT software used in the bank. There are different options for implementing controls as per risk management strategy.

IT controls are selected and implemented based on the risks they are designed to manage. In the case of the banking industry, risks are all pervasive. However, the focus in this chapter is not on business related risks of banking but on IT related risks and controls of banking automation.

Apart from the classification of controls already discussed in detail in the previous chapter, a common classification of IT controls is General Controls and Application Controls. General Controls are macro in nature, whereas Application Controls are controls which are specific to the application software.

12. Explain various General controls

General Controls

General Controls, also known as Infrastructure Controls, are present across different layers of the IT environment and information systems. General Controls are pervasive controls and apply to all systems components, processes, and data for a given enterprise or systems environment. General controls include, but are not limited to:

· Information Security Policy: The security policy is approved by the senior management, encompasses all areas of operations of the bank, and drives access to information across the enterprise and other stakeholders.
· Administration, Access, and Authentication: IT should be administered with appropriate policies and procedures clearly defining the levels of access to information and authentication of users.
· Separation of key IT functions: Secure deployment of IT requires the bank to have a separate IT organization structure with clear demarcation of duties for different personnel within the IT department and to ensure that there are no Segregation of Duties conflicts.


· Management of Systems Acquisition and Implementation: Software solutions for CBS are either developed or acquired and implemented. Hence, the process of acquisition and implementation of systems should be properly controlled.
· Change Management: IT solutions deployed and their various components must be changed in tune with changing needs as per changes in technology environment, business processes, regulatory and compliance requirements. These changes impact the live environment of banking services. Hence, a change management process should be implemented to ensure smooth transition to new environments, covering all key changes including hardware, software and business processes. All changes must be properly approved by the management before implementation.
· Backup, Recovery and Business Continuity: Heavy dependence on IT and its criticality make it imperative that resilience of banking operations be ensured by having appropriate business continuity, including backup, recovery and an off-site data centre.
· Confidentiality, Integrity and Availability of Software and data files: Security is implemented to ensure confidentiality, integrity and availability of information.
· Incident response and management: There may be various incidents created due to failure of IT. These incidents need to be appropriately responded to and managed as per pre-defined policies and procedures.

13. Explain Application controls & examples of Application controls

Application Controls are controls which are implemented in an application to prevent or detect and correct errors. These controls are in-built in the application software to ensure accurate and reliable processing. Application controls ensure that all transactions are authorized, complete and accurate.

For example: application software ensures that only transactions of the day are accepted by the system. Withdrawals are not allowed beyond limits, etc.

Some examples of Application controls are as follows:
· Data edits, i.e. editing of data is allowed only for permissible fields;
· Separation of business functions (e.g., transaction initiation versus authorization);
· Balancing of processing totals (debit and credit of all transactions are tallied);
· Transaction logging (all transactions are identified with unique id and logged);
· Error reporting (errors in processing are reported); and
· Exception Reporting (all exceptions are reported).

A detailed discussion of Application Controls has already been provided in the previous chapter (Chapter 3).
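A worked sketch of the application controls listed above, added here as an illustration and not taken from the notes or from any CBS product: a day book that accepts only transactions of the day, separates initiation from authorization, tallies debits against credits, logs each accepted transaction under a unique id, and reports every rejection as an exception. The class names, the id format and the sample users are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal


@dataclass(frozen=True)
class Entry:
    account: str
    side: str        # "DR" or "CR"
    amount: Decimal


@dataclass
class Transaction:
    value_date: date
    maker: str       # user who initiated the transaction
    checker: str     # user who authorized it
    entries: tuple
    txn_id: str = ""


def side_total(entries, side):
    """Sum of all amounts on one side ("DR" or "CR")."""
    return sum((e.amount for e in entries if e.side == side), Decimal("0"))


class DayBook:
    def __init__(self, business_date):
        self.business_date = business_date
        self.log = []         # transaction log: accepted transactions
        self.exceptions = []  # exception report: (transaction, reasons)

    def validate(self, txn):
        """Return the list of control failures; empty means acceptable."""
        reasons = []
        if txn.value_date != self.business_date:
            reasons.append("not a transaction of the day")
        if not txn.maker or not txn.checker:
            reasons.append("maker or checker missing")
        elif txn.maker == txn.checker:
            reasons.append("initiated and authorized by the same user")
        bad_entry = not txn.entries or any(
            e.side not in ("DR", "CR") or e.amount <= 0 for e in txn.entries)
        if bad_entry:
            reasons.append("invalid entry")
        elif side_total(txn.entries, "DR") != side_total(txn.entries, "CR"):
            reasons.append("debits and credits do not tally")
        return reasons

    def post(self, txn):
        """Log the transaction under a unique id, or report it as an exception."""
        reasons = self.validate(txn)
        if reasons:
            self.exceptions.append((txn, reasons))
            return None
        txn.txn_id = f"{self.business_date:%Y%m%d}-{len(self.log) + 1:06d}"
        self.log.append(txn)
        return txn.txn_id

    def end_of_day(self):
        """Balance the processing totals across everything posted today."""
        entries = [e for t in self.log for e in t.entries]
        debits = side_total(entries, "DR")
        credits = side_total(entries, "CR")
        return {"posted": len(self.log), "rejected": len(self.exceptions),
                "debits": debits, "credits": credits,
                "balanced": debits == credits}


if __name__ == "__main__":
    # Constructed sample data for a single business day.
    today = date(2024, 1, 8)
    book = DayBook(today)
    legs = (Entry("SB-001", "DR", Decimal("500.00")),
            Entry("CASH", "CR", Decimal("500.00")))
    print(book.post(Transaction(today, "teller1", "officer1", legs)))
    print(book.post(Transaction(today, "teller1", "teller1", legs)))
    print(book.end_of_day())
    for txn, reasons in book.exceptions:
        print(txn.maker, reasons)
```
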

COMPONENT AND ARCHITECTURE OF CBS


14. Examples of CBS software

· Finacle: Core banking software suite developed by Infosys that provides universal banking functionality, with modules covering all banking services.
· FinnOne: Web-based global banking product designed to support banks and financial solution companies in dealing with assets, liabilities, core financial accounting and customer service.
· Flexcube: Comprehensive, integrated, interoperable, and modular solution that enables banks to manage evolving customer expectations.
· BaNCS: A customer-centric business model which offers simplified operations comprising loans, deposits, wealth management, digital channels and risk and compliance components.
· bankMate: A full-scale banking solution which is a scalable, integrated e-banking system that meets the deployment requirements in traditional and non-traditional banking environments. It enables communication through any touch point to provide full access to a complete range of banking services with an anytime, anywhere paradigm.

15. Explain key aspects inbuilt into the CBS architecture

Some key aspects in-built into the architecture of a CBS are as follows:
· Information flow: Facilitates information flow within the bank and improves the speed and accuracy of decision-making. It deploys systems that streamline integration and unite corporate information to create a comprehensive database.
· Customer centric: Through a holistic core banking architecture, enables banks to target customers with the right offers at the right time with the right channel to increase profitability.
· Regulatory compliance: It is facilitated by a compliance module, which regularly updates the regulatory platform that ensures regulatory compliance.
· Resource optimization: Optimizes utilization of information and resources of banks and lowers costs through improved asset reusability, faster turnaround times, faster processing and increased accuracy.

16. Explain core features of CBS

· On-line real-time processing.
· Transactions are posted immediately.
· All databases updated simultaneously.
· Centralized operations (all transactions are stored in one common database/ server).
· Remote interaction with customers.


· Reliance on transaction balancing.
· Highly dependent system-based controls.
· Authorizations occur within the application.
· Increased access by staff at various levels based on authorization.
· Daily, half yearly and annual closing.
· Automatic processing of standing instructions.
· Centralized interest applications for all accounts and account types.
· Anytime, anywhere access to customers and vendors.

17. Explain major components of CBS

· Opening new accounts and customer on-boarding.
· Managing deposits and withdrawals.
· Transactions management from initiation to reporting.
· Interest calculation and management.
· Payments processing (cash, cheques/ mandates, NEFT, RTGS, IMPS, etc.).
· Loans disbursement and management.
· Processing cash deposits and withdrawals.
· Processing payments and cheques.
· Processing and servicing loans.
· Accounts management.
· Configuring and calculating interest.
· Customer Relationship Management (CRM) activities.
· Setting criteria for minimum balances, interest rates, withdrawals allowed, limits and so on.
· Maintaining records for all the bank’s transactions.

18. Explain significant changes brought by CBS in accounting processes or workflow activities

CBS is a technology environment based on client-server architecture, having a Remote Server (called Data Centre) and Client (called Service Outlets, which are connected through channel servers) branches. CBS has brought significant changes so far as workflow and housekeeping activities/ accounting processes at branches are concerned.
· User-actions and controls are elaborately menu-driven.
· User is prompted by software to initiate an action and to apply a control.
· Various periodical runs/ mass activities like application of interest and service charges, updating of parameters globally, balancing/ reconciliation of ledgers and TDS, etc. are carried out centrally at the Data Centre, leaving various control actions to be taken at branches.


19. Explain key technology components of CBS

The software resides in a centralized application server in the Central Office Data Centre, so the application software is not available at the branch but can be accessed from the branches or online. Along with database servers and other servers, an application server is located at the Central Data Centre.

The key technology components of CBS are as follows:
· Database Environment
· Application Environment
· Web Environment
· Connectivity to the Corporate Network and the Internet
· Data Centre and Disaster Recovery Centre
· Network Solution architecture to provide total connectivity
· Enterprise Security architecture
· Branch and Delivery channel environment
· Online Transaction monitoring for fraud risk management

20. What is the technological architecture of CBS?

This architecture provides an overview of CBS, with client access devices at the top which interface with channel servers, which in turn interface with application servers, which are connected to the database servers hosted on Windows/ Unix platforms. These concepts are further explained in a later section (CBS IT Environment) of this chapter.


Technology Architecture of CBS

21. What is the functional architecture of CBS?

A Core Banking Solution is the enterprise resource planning software of a bank. It covers all aspects of banking operations from a macro to micro perspective and covers the entire gamut of banking services, ranging from front office to back office operations, and from transactions at counters to online transactions, up to general ledger and reporting as required.

However, a CBS is modular in nature and is generally implemented for all functions or for core functions as decided by the bank. For example, if treasury operations or foreign exchange transactions are minimal, then these may not be implemented in CBS, but the results could be linked to CBS with the proper interface. Hence, the implementation would depend on the need and criticality of specific banking services provided by the bank. The following Fig. provides a functional architecture of CBS covering the complete range of banking services.

22. How Does CBS Work?

The deployment and implementation of CBS should be controlled at various stages to ensure that the bank's automation objectives are achieved:

· Planning: Planning for implementing the CBS should be done as per strategic and business objectives of bank.


· Approval: The decision to implement CBS requires high investment and recurring costs and will impact how banking services are provided by the bank. Hence, the decision must be approved by the board of directors.

· Selection: Although there are multiple vendors of CBS, each solution has key differentiators. Hence, the bank should select the right solution considering various parameters as defined by the bank to meet its specific requirements and business objectives.

· Design and development or procurement: Earlier, CBS solutions used to be developed in-house by the bank. Currently, most CBS deployments are procured. There should be appropriate controls covering the design or development or procurement of CBS for the bank.

· Testing: Extensive testing must be done before the CBS is live. The testing is to be done at different phases: at the procurement stage to test suitability, at data migration to ensure all existing data is correctly migrated, and testing to confirm that processing of various types of transactions of all modules produces the correct results.

· Implementation: CBS must be implemented as per a pre-defined and agreed plan with specific project milestones to ensure successful implementation.

· Maintenance: CBS must be maintained as required, e.g. program bugs fixed, version changes implemented, etc.

· Support: CBS must be supported to ensure that it is working effectively.

· Updation: CBS modules must be updated based on requirements of business processes, technology updates and regulatory requirements.

· Audit: Audit of CBS must be done internally and externally as required to ensure that controls are working as envisaged.

Fundamentally, in a CBS, all the bank’s branches access applications from centralized data-centers. Core banking systems are akin to a human heart in terms of importance and functionality. All transactions are routed through core systems, which are available 24 x 7 and accessible from anywhere, anytime and through multiple devices such as desktops, laptops, ATM, Internet, mobile phone, tablets, etc.

The following diagram provides an overview of how a CBS works. It may be noted that the core of CBS is the customer who interacts with CBS through various channels such as branches, ATMs, call centres, internet banking, relationship officers of bank or through mobile phones. These delivery channels connect to different business modules / silos in an integrated manner. These functional modules connect to various types of servers such as database server, CRM server, application server, data warehouse server, ATM servers, etc. In addition, partners/ vendors may also be connected to the CBS.


Technology architecture of CBS

Customer Identification File (CIF) is a digital or virtual file where the customer identity details with a valid photo ID and address details are stored and given a unique number which is called CIF number. A customer may have many accounts of different nature, like current account, savings account, loans etc., but all these accounts will be mapped to one CIF only.


CBS IT Environment

23. Explain the various types of server used in CBS IT environment

The core banking environment would comprise a Central Application Server that runs the Core Banking Solution (CBS), with the application software being centrally accessed by all the branches as also customers.

Servers

· The Server is a sophisticated computer that accepts service requests from different machines called clients. The requests are processed by the server and sent back to the clients. This server is a powerful and robust system as it performs the entire core banking operations. CBS is developed as an internet-based application and therefore can be accessed through a browser application.

· Application server may be decentralized and located at regional office or at branch for easy and quick response. No user is granted access to CBS directly. Access is always through channel server that processes the request and fetches or sends data to CBS for updating.

· Validation is a complete process in the computer which ensures that data that is fed in conforms to certain prerequisite conditions. E.g., if an operator keys in data for withdrawal of money, the account number of the customer would be entered by the operator. But there would be a built-in control so that further processing would be entertained only after the system verifies that the account number which is now entered is already in the database, i.e., it is an existing customer.

· After the data is validated at the branch, it would be sent to the respective channel server in the centralized data center. The channel server (which houses the respective channel software), after receiving data, performs necessary operations and updates the core database, etc.

· There are different types of servers used in deploying CBS. Some of these are briefly explained here:

(i) Application Server
(ii) Database Server
(iii) Automated Teller Machine Channel Server
(iv) Internet Banking Channel Server
(v) Internet Banking Application Server
(vi) Web Server
(vii) Proxy Server
(viii) Anti-Virus Software Server, etc.


Application Server

· All the transactions of the customer are processed by the data center. The Application Server performs necessary operations and this updates the account of the customer “A” in the database server.

· The customer may do some other operation in branch “Y”. The process is validated at branch “Y” and the data is transmitted to the application software at the data center. The results are updated in the database server at the centralized data center. Thus, whatever operations a customer may do at any of the branches of the bank, the accounting process, being centralized at the centralized data center, is updated at the centralized database.

· The application software, CBS, which is in the application server is always to be the latest version as accepted after adequate testing. Changes are made on a separate server called a test server. The programs are debugged and certified that the program is now amended as required and performs as expected.

· The changed and latest application software will be moved into the application server under proper authority. The earlier version would be archived and the latest copy of the software would always have a backup copy.

Database Server

· The Database Server of the Bank contains the entire data of the Bank. The data would consist of various accounts of the customers and master data (examples of master data are customer data, employee data, base rates for advances, FD rates, the rate for loans, penalty to be levied under different circumstances, etc.).

· Application software, ATM server & Internet Banking Application Server would access the database server. The data contained in the database must be very secure and no direct access should be permitted, to prevent unauthorized changes. Strict discipline is followed regarding the maintenance of the database server, and there is a designated role for maintenance of the database. The individual who performs this role is called the Database Administrator. The Database Administrator's activities will also be monitored, as all changes made would be recorded in a Log. Scrutiny of the log would disclose the type of activities and the effect of such activities.

Automated Teller Machines (ATM) Channel Server

· This server contains the details of ATM account holders. Soon after the facility of using the ATM is created by the Bank, the details of such customers are loaded on to the ATM server.

· When the Central Database is busy with central end-of-day activities or for any other reason, the file containing the account balance of the customer is sent to the ATM switch. Such a file is called Positive Balance File (PBF). Till the central database becomes accessible, the ATM transactions are passed on the basis of the balance available in the ATM server. Once the central database server becomes accessible, all the transactions that took place while the central database was inaccessible would be updated in the central database. This ensures not only continuity of ATM operations but also ensures that the Central database is always up-to-date.
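The Positive Balance File arrangement described above, as an added example that is not part of the original notes: a small Python model in which the ATM switch authorizes withdrawals against the PBF while the central database is not accessible and updates the central database afterwards. The class names, account numbers and the force-posting of already dispensed cash (with overdrawn accounts reported for follow-up) are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class CentralDatabase:
    """Constructed stand-in for the central CBS database (balances in rupees)."""
    balances: dict
    online: bool = True

    def export_pbf(self):
        # The Positive Balance File is a snapshot of account balances.
        return dict(self.balances)

    def debit(self, account, amount):
        """Normal online authorization: reject unknown accounts and overdrafts."""
        if not self.online:
            raise ConnectionError("central database not accessible")
        if account not in self.balances or self.balances[account] < amount:
            return False
        self.balances[account] -= amount
        return True

    def force_post(self, account, amount):
        """Post a debit for cash already dispensed; return the new balance."""
        if not self.online:
            raise ConnectionError("central database not accessible")
        self.balances[account] -= amount
        return self.balances[account]


@dataclass
class AtmSwitch:
    central: CentralDatabase
    pbf: dict = field(default_factory=dict)
    pending: list = field(default_factory=list)

    def load_pbf(self):
        self.pbf = self.central.export_pbf()

    def withdraw(self, account, amount):
        """Return (approved, source); source is 'central', 'pbf' or 'rejected'."""
        if amount <= 0:
            return False, "rejected"
        if self.central.online:
            return self.central.debit(account, amount), "central"
        # Central database not accessible: authorize against the PBF copy.
        if account not in self.pbf or self.pbf[account] < amount:
            return False, "pbf"
        self.pbf[account] -= amount
        self.pending.append((account, amount))
        return True, "pbf"

    def replay(self):
        """Update the central database with the queued ATM transactions.

        Returns (posted_count, overdrawn_accounts). An entry leaves the queue
        only after it is posted, so a failed replay can be retried safely.
        """
        posted, overdrawn = 0, []
        while self.pending:
            account, amount = self.pending[0]
            if self.central.force_post(account, amount) < 0:
                overdrawn.append(account)   # stale PBF: flag for follow-up
            self.pending.pop(0)
            posted += 1
        return posted, overdrawn


def demo():
    # Constructed accounts and amounts.
    central = CentralDatabase({"SB-1001": 1000, "SB-1002": 500})
    switch = AtmSwitch(central)
    switch.load_pbf()
    central.debit("SB-1002", 450)   # branch withdrawal after the PBF was cut
    central.online = False          # end-of-day processing starts
    results = [
        switch.withdraw("SB-1001", 400),   # within PBF balance
        switch.withdraw("SB-1001", 700),   # exceeds remaining PBF balance
        switch.withdraw("SB-1002", 300),   # approved against a stale balance
    ]
    central.online = True
    return results, switch.replay(), dict(central.balances)


if __name__ == "__main__":
    print(demo())
```

The third withdrawal shows the residual risk of the arrangement: the PBF is only as current as the moment it was produced, so the replay step has to report accounts that end up overdrawn.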

Internet Banking Channel Server (IBCS)

· Just as in the case of ATM servers, where the details of all the account holders who have ATM facility are stored, the Internet Banking database server stores the user name and passwords of all the internet banking customers. IBCS (Internet Banking Channel Server) software stores the name and password of all the internet banking customers. Please note that the ATM server does not hold the PIN numbers of the ATM account holders. IBCS server also contains the details about the branch to which the customer belongs.

· The Internet Banking customer would first have to log into the bank’s website with the user name and password.

Internet Banking Application Server

· The Internet Banking Software which is stored in the IBAS (Internet Banking Application Server) authenticates the customer with the login details stored in the IBCS.

· Authentication process is the method by which the details provided by the customer are compared with the data already stored in the data server to make sure that the customer is genuine and has been provided with internet banking facilities.

Web Server

· The Web Server is used to host all web services and internet related software. All the online requests and websites are hosted and serviced through the web server.

· A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to their requests, which are forwarded by their computers’ HTTP clients. All computers that host Web sites must have Web server programs.


Proxy Server

· A Proxy Server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, and then requests a connection, file, or other resource available on a different server.

· In some cases, the proxy may alter the client’s request or the server’s response for various purposes.

Anti-Virus Software Server

· The Anti-Virus Server is used to host anti-virus software, which is deployed to ensure that all the software deployed is first scanned with appropriate virus/malware scans.

CORE BUSINESS PROCESSES FLOW AND RELEVANT RISKS AND CONTROLS

Banks carry out a variety of functions across the broad spectrum of products offered by them. Some of the key products that are provided by most commercial banks are Current & Savings Accounts (CASA), Credit Cards, Loans and Advances, Treasury and Mortgages.

24. Explain Business process flow of Current & Savings Accounts (CASA)

Process Flow of CASA facility (as shown in the Fig.)

(i) Either the customer approaches the relationship manager to apply for a CASA facility or applies for it through internet banking. The charges/rates for the facility are provided by the relationship manager on the basis of the request made by the customer.

(ii) Once the potential customer agrees to avail the facilities / products of the bank, the relationship manager requests the relevant documents, i.e. KYC and other relevant documents of the customer depending upon the facility/product. KYC (Know Your Customer) is a process by which banks obtain information about the identity and address of the customers. KYC documents can be Passport, Driving License, etc.

(iii) The documents received from the customers are handed over to the Credit team / Risk team for sanctioning of the facilities/limits of the customers.

(iv) Credit team verifies the documents, assesses the financial and credit worthiness of the borrowers and updates facilities in the customer account.

(v) Current / Savings account along with the facilities requested are provided to the customer for daily functioning.


(vi) Customers can avail facilities such as cheque deposits / withdrawal, Cash deposit / withdrawal, Real Time Gross Settlement (RTGS), National Electronic Funds Transfer System (NEFT), Electronic Clearing Service (ECS), Overdraft Fund Transfer services provided by the bank.

25. What are the risks & controls around the CASA Process?

Risk & Controls around the CASA Process

| S.No. | Risk | Key Controls |
|---|---|---|
| 1. | Credit Line setup is unauthorized and not in line with the bank's policy. | The credit committee checks that the Financial Ratios, the Net-worth, the Risk factors and their corresponding mitigating factors, the Credit Line offered and the Credit amount etc. are in line with Credit Risk Policy and that the Client can be given the Credit Line. |
| 2. | Credit Line setup in CBS is unauthorized and not in line with the bank's policy. | Access rights to authorize the credit limit in case of account setup system should be restricted to authorized personnel. |
| 3. | Customer Master defined in CBS is not in accordance with the Pre-Disbursement Certificate. | Access rights to authorize the customer master in CBS should be restricted to authorized personnel. |
| 4. | Inaccurate interest / charge being calculated in CBS. | Interest on fund based facilities is automatically calculated in the CBS as per the defined rules. |
| 5. | Unauthorized personnel approving the CASA transaction in CBS. | Segregation of Duties to be maintained between the initiator and authorizer of the transaction for processing transaction in CBS. |
| 6. | Inaccurate accounting entries generated in CBS. | Accounting entries are generated by CBS on the basis of the facilities requested by the customer and the defined configurations for those facilities in CBS. |

26. Explain Business Process flow of Credit Cards

Process Flow of Issuance of Credit Card Facility (as shown in the Fig.)

(i) Either the customer approaches the relationship manager to apply for a credit card facility or the customer applies for it through internet banking. The charges/rates for the facility are provided by the relationship manager on the basis of the credit application made by the customer.

(ii) Once the potential customer agrees to avail the facilities/products of the bank, the relationship manager requests the relevant documents, i.e. KYC and other relevant documents of the customer depending upon the facility/product.

(iii) The documents received from the customers are handed over to the Credit team for sanctioning of the facilities/limits of the customers.

(iv) Credit team verifies the documents, assesses the financial and credit worthiness of the borrowers, issues a credit limit to the customer in CBS and allots a credit card.

(v) Credit Card is physically transferred to the customer’s address.


Process Flow of Issuance of Credit Card Facility

27. Explain the business process flow of authorization process of credit card.

Process Flow of Sale - Authorization process of Credit Card Facility (as shown in the Fig.)

(i) Customer will swipe the credit card for the purchase made by him/her on the POS (Point of Sale) machine at the merchant’s shop/establishment.

(ii) The POS will process the transaction only once the same is authenticated.

(iii) The POS will send the authentication request to the merchant’s bank (also referred to as the “acquiring bank”), which will then send the transaction authentication verification details to the credit card network (such as VISA, MASTER CARD, AMEX, RUPAY), from which the data will be validated by the credit card issuing bank within a fraction of a second.

(iv) Once the transaction is validated, the approval message is sent by the credit card issuing bank to the credit card network, from where it flows to the merchant’s bank and approves the transaction in the POS machine.

(v) The receipt of the transaction is generated and the sale is completed. The transaction made is charged during the billing cycle of that month.

Process Flow of Sale - Authorization and Clearing & Settlement of Credit Card Facility

28. Explain the business process flow of clearing & settlement process of credit card

Process Flow of Clearing & Settlement process of Credit Card Facility (as shown in the above Fig.)

(i) The transaction data from the merchant is transferred to the merchant’s bank. Merchant’s bank clears the settlement amount to the Merchant after deducting Merchant fees. Merchant’s bank, in turn, provides the list of settlement transactions to the credit card network, which then provides the list of transactions made by the customer to the credit card issuing bank.

(ii) The credit card issuing bank, on the basis of the transactions made, clears the amount to the Merchant’s bank after deducting interchange transaction fees.

(iii) At the end of the billing cycle, the card issuing company charges the customer’s credit card account with those transactions in CBS.


29. What are the Risks and Controls around the Credit Card Process?

Risks and Controls around the Credit Card Process

| S.No. | Risk | Key Controls |
|---|---|---|
| 1. | Credit Line setup is unauthorized and not in line with the bank's policy. | The credit committee checks that the Financial Ratios, the Net-worth, the Risk factors and their corresponding mitigating factors, the Credit Line offered and the Credit amount etc. are in line with Credit Risk Policy and that the Client can be given the Credit Line. |
| 2. | Credit Line setup is unauthorized and not in line with the bank's policy. | Access rights to authorize the credit limit in the credit card system should be restricted to authorized personnel. |
| 3. | Masters defined for the customer are not in accordance with the Pre-Disbursement Certificate. | Access rights to authorize the customer master in credit card system should be restricted to authorized personnel. Segregation of duties exists in the credit card system such that the system restricts the maker having checker rights from approving the facilities booked by self in the credit card system. |
| 4. | Credit Line setup can be breached. | Transaction cannot be made if the aggregate limit of outstanding amount exceeds the credit limit assigned to the customer. |
| 5. | Inaccurate interest / charge being calculated in the Credit Card system. | Interest on fund based credit cards and charges are automatically calculated in the credit card system as per the defined masters. |
| 6. | Inaccurate reconciliations performed. | Daily reconciliation for the balances received from credit card network with the transactions updated in the credit card system on card network level. |

Business Process Flow of Mortgages

A Mortgage loan is a secured loan which is secured on the borrower’s property by marking a lien on the property as collateral for the loan. If the borrower stops paying, then the lender has the first charge on the property.

Mortgages are used by individuals and businesses to make large real estate purchases without paying the entire value of the purchase up front. Over the period of many years, the borrowers repay the loan amount along with interest until there is no outstanding.

30. Explain various types of Mortgage Loan

· Home Loan: This is a traditional mortgage where the customer has an option of selecting fixed or variable rate of interest and is provided for the purchase of property.

· Top Up Loan: Here the customer already has an existing loan and is applying for an additional amount either for refurbishment or renovation of the house.

· Loans for Under Construction Property: In case of under construction properties, the loan is disbursed in tranches / parts as per construction plan.


31. Explain the Process Description of Mortgage loan.

(i) Loans are provided by the lender, which is a financial institution such as a bank or a mortgage company. There are two types of loan widely offered to customers: the first is a fixed rate mortgage, where the rate of interest remains constant for the life of the loan; the second is a variable/floating rate mortgage, where the rate of interest is fixed for a period but then fluctuates with the market interest rates.

(ii) Borrower / Customer approaches the bank for a mortgage and the relationship manager / loan officer explains the home loan and its various features to the customer. The customer fills in the loan application and provides requisite KYC documents (Proof of Identity, Address, Income and obligation details etc.) to the loan officer.

(iii) Loan officer reviews the loan application and sends it to the Credit risk team, who will calculate the financial obligation income ratio, which is used to determine the customer’s financial eligibility, i.e. how much loan can be provided to the customer. This is done on the basis of the credit score as per Credit Information Bureau (India) Limited (CIBIL) rating, income and expense details and the Rate of Interest at which the loan is offered. Once financial eligibility is determined, the details are sent along with customer documents to the underwriting team for approval.

(iv) Underwriting team will verify the financial (applicant’s credit history) and employment information of the customer. Underwriter will ensure that the loan provided is within the lending guidelines and at this stage provide conditional approval along with the list of documents required.

(v) As per the property selected by the customer, the loan officer will provide the property details along with requisite documents (property papers etc.) to the legal and valuation team. Legal team will carry out a title search on the property to determine the legal owner of the property, any restrictions or any lien on the property etc. Valuation team will carry out valuation of the property and determine its value.

(vi) Further verification of the property is carried out to determine whether the property is built as per the approved plan, whether the builder has received requisite certificates, the age of the building (to determine whether it will withstand the loan tenure) and construction quality.

(vii) Legal and valuation team will send their report to the operations team, which will generate a letter of offer / Offer letter to the customer which entails all details of the loan such as loan amount, rate of interest, tenor, monthly installment, security address, fee/charges details and terms and conditions.

(viii) Customer will agree to the loan agreement which is offered by signing the offer letter. Loan officer will notarize all the loan documents, which are sent back to the lender operations team.


(ix) Once the signed offer letter is received, the operations team will release or disburse funds and prepare a cashier order. Cashier order is provided to the customer in exchange for mandatory original property documents. Once the exchange is carried out successfully, the bank places a charge or lien on the property so that in case of default the first charge is with the bank to recover the money.

(x) Post disbursement of the loan, the customer can carry out various loan servicing activities by visiting the branch or via online mode, i.e. amendments such as interest rate change, change in monthly instalment, prepayment of loan amount and foreclosure of loan etc.

32. What are the risks & controls around Mortgage Process?

Risk & Controls around the Mortgage Process

| S.No. | Risk | Key Controls |
|---|---|---|
| 1. | Incorrect customer and loan details are captured which will affect the overall downstream process. | There is secondary review performed by an independent team member who will verify loan details captured in core banking application with offer letter. |
| 2. | Incorrect loan amount disbursed. | There is secondary review performed by an independent team member who will verify loan amount to be disbursed with the core banking application to the signed offer letter. |
| 3. | Interest amount is incorrectly calculated and charged. | Interest amount is auto calculated by the core banking application on the basis of loan amount, ROI and tenure. |
| 4. | Unauthorized changes made to loan master data or customer data. | System enforced segregation of duties exists in the core banking application where the inputter of the transaction cannot approve its own transaction and the reviewer cannot edit any details submitted by the inputter. |
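The system-enforced segregation of duties named in the CASA, credit card and mortgage control tables above, as an added example that is not part of the original notes: a small Python workflow in which the inputter (maker) cannot approve their own change, the reviewer (checker) cannot edit it, and every attempt is logged. All class, user and record names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


class ControlViolation(Exception):
    """Raised when a request breaks a segregation-of-duties rule."""


@dataclass
class ChangeRequest:
    request_id: int
    record: str
    field_name: str
    new_value: str
    maker: str
    status: str = "PENDING"
    checker: Optional[str] = None


class MasterDataWorkflow:
    """Hypothetical maker-checker workflow for loan or customer master data."""

    def __init__(self, roles):
        self.roles = roles      # user -> set of roles: "maker", "checker"
        self.master = {}        # (record, field_name) -> approved value
        self.requests = {}      # request_id -> ChangeRequest
        self.audit_log = []     # every attempt, allowed or denied

    def _log(self, user, action, request_id, outcome):
        self.audit_log.append((user, action, request_id, outcome))

    def _deny(self, user, action, request_id, reason):
        self._log(user, action, request_id, "DENIED: " + reason)
        raise ControlViolation(reason)

    def _pending(self, user, action, request_id):
        req = self.requests.get(request_id)
        if req is None or req.status != "PENDING":
            self._deny(user, action, request_id, "no pending request")
        return req

    def submit(self, user, record, field_name, new_value):
        if "maker" not in self.roles.get(user, set()):
            self._deny(user, "submit", None, "user is not an inputter")
        request_id = len(self.requests) + 1
        self.requests[request_id] = ChangeRequest(
            request_id, record, field_name, new_value, maker=user)
        self._log(user, "submit", request_id, "OK")
        return request_id

    def amend(self, user, request_id, new_value):
        req = self._pending(user, "amend", request_id)
        if user != req.maker:
            self._deny(user, "amend", request_id, "reviewer cannot edit")
        req.new_value = new_value
        self._log(user, "amend", request_id, "OK")

    def approve(self, user, request_id):
        req = self._pending(user, "approve", request_id)
        if "checker" not in self.roles.get(user, set()):
            self._deny(user, "approve", request_id, "user is not a reviewer")
        if user == req.maker:
            # Holding both roles does not allow approving one's own input.
            self._deny(user, "approve", request_id,
                       "maker cannot approve own request")
        req.status, req.checker = "APPROVED", user
        # Master data changes only here, after an independent approval.
        self.master[(req.record, req.field_name)] = req.new_value
        self._log(user, "approve", request_id, "OK")


def demo():
    # Constructed users: asha holds both roles, ravi is a reviewer only.
    wf = MasterDataWorkflow({"asha": {"maker", "checker"}, "ravi": {"checker"}})
    rid = wf.submit("asha", "LOAN-0001", "interest_rate", "8.50")
    attempts = (lambda: wf.approve("asha", rid),         # self-approval
                lambda: wf.amend("ravi", rid, "1.00"))   # reviewer edit
    for attempt in attempts:
        try:
            attempt()
        except ControlViolation:
            pass
    wf.approve("ravi", rid)
    return wf


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```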

33. Explain Treasury Process & core areas of Treasury Process.

Treasury Process

· Products in the Investments category are Government Securities (Gsec), shares and other investments, such as Commercial Papers, Certificates of Deposit, Units of Mutual Funds, Venture Capital Funds and Real Estate Funds, Debentures and Bonds.

· Products in the Trading category are Forex and Derivatives (Over-The-Counter (OTC) and Exchange traded). The products involved are Options, Swaps, Futures, Foreign Exchange (FX) forwards and Interest derivatives.


Core areas of Treasury Operations: The core areas of treasury operations in a bank can be functionally divided into the following broad compartments:

a. Dealing Room Operations (Front office operations);
b. Middle Office (Market Risk department / Product Control Group); and
c. Back office.

(i) Front Office:

· Front Office operations consist of dealing room operations wherein the dealers enter into deals with the various corporate and interbank counter-parties. Deals are entered by dealers on various trading / communication platforms such as Reuters’ system, telephonic conversation, brokers or any other private channel with the respective counter-party.

· The dealers are primarily responsible for checking counter-party credit limits, eligibility, and other requirements of the Bank before entering into the deal with the customers. Dealers must ensure that all risk/credit limits are available before entering into a deal. Also, the deal must not contravene the current regulations regarding dealing in INR with overseas banks/counter-parties.

· All counter-parties are required to have executed the International Swaps and Derivatives Association (‘ISDA’) agreement as well as to have passed a board resolution allowing them to enter into derivatives contracts. As soon as the deal is struck with the counter-party, the deal details are either noted in a manual deal pad or punched into the front office system of the Bank, where they get queued for authorization.

(ii) Middle Office:

· Middle Office includes risk management, responsibility for treasury accounting, documentation of various types, producing the financial results, analysis and budget forecasts for the treasury business unit, and input into regulatory reporting.

· Risk management can manage various types of risks such as financial and market risk, currency risk, foreign exchange risk and regulatory compliance risk, with the objective of risk minimization or risk hedging.

· It is also responsible for monitoring of counter-party, country, dealer and market-related limits that have been set and approved in other areas of the bank such as the credit department.

(iii) Back Office Operations:

· The mainstream role of the Back Office is in direct support of the trading room or front office. This includes verification by confirmation, settlement, and checking existence of a valid and enforceable International Swap Dealers Association (‘ISDA’) agreement.


· An important development in the back office has been the advent of Straight-Through Processing (STP), also called ‘hands-off’ or exception processing. This has been made possible through enhancement of the system to real time online input in the trading room, which in turn has meant that the back office can recall deals input in the trading room to verify from an external source.

· Back office is also involved in a number of reconciliation processes, including the agreement of traders’ overnight positions, Nostro accounts and brokerage. The critical one is FOBO (Front Office / Back Office) reconciliation to ensure the completeness and accuracy of trades/deals done for the day.
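The FOBO reconciliation described above, as an added example that is not part of the original notes: a Python check for completeness (every deal is present on both sides) and accuracy (key fields agree) of the day's deals. The field names and the sample deals are constructed.

```python
from decimal import Decimal

COMPARED_FIELDS = ("counterparty", "side", "currency_pair", "notional", "rate")
NUMERIC_FIELDS = {"notional", "rate"}


def _normalise(field_name, value):
    """Compare amounts numerically and text case-insensitively."""
    if field_name in NUMERIC_FIELDS:
        return Decimal(str(value))          # "83.2500" equals "83.25"
    return str(value).strip().upper()


def _index(deals):
    """Index deals by deal_id and collect ids that appear more than once."""
    by_id, duplicates = {}, set()
    for deal in deals:
        deal_id = deal["deal_id"]
        if deal_id in by_id:
            duplicates.add(deal_id)         # keep the first copy, flag the id
        else:
            by_id[deal_id] = deal
    return by_id, duplicates


def fobo_reconcile(front_office, back_office):
    """Return the breaks between front office and back office deal records."""
    fo, fo_dups = _index(front_office)
    bo, bo_dups = _index(back_office)

    field_breaks = {}
    for deal_id in sorted(fo.keys() & bo.keys()):
        diff = {
            name: (fo[deal_id][name], bo[deal_id][name])
            for name in COMPARED_FIELDS
            if _normalise(name, fo[deal_id][name])
            != _normalise(name, bo[deal_id][name])
        }
        if diff:
            field_breaks[deal_id] = diff

    report = {
        # Completeness: deals known to only one side.
        "missing_in_back_office": sorted(fo.keys() - bo.keys()),
        "missing_in_front_office": sorted(bo.keys() - fo.keys()),
        # Accuracy: deals on both sides whose details disagree.
        "field_breaks": field_breaks,
        "duplicates": sorted(fo_dups | bo_dups),
    }
    clean = not any(report.values())
    report["clean"] = clean
    return report


# Constructed sample data for one trading day.
FRONT_OFFICE = [
    {"deal_id": "FX-001", "counterparty": "ABC Bank", "side": "BUY",
     "currency_pair": "USD/INR", "notional": 1000000, "rate": "83.25"},
    {"deal_id": "FX-002", "counterparty": "XYZ Corp", "side": "SELL",
     "currency_pair": "EUR/INR", "notional": 500000, "rate": "90.10"},
    {"deal_id": "FX-003", "counterparty": "ABC Bank", "side": "SELL",
     "currency_pair": "USD/INR", "notional": 250000, "rate": "83.30"},
]
BACK_OFFICE = [
    {"deal_id": "FX-001", "counterparty": "abc bank ", "side": "BUY",
     "currency_pair": "USD/INR", "notional": 1000000, "rate": "83.2500"},
    {"deal_id": "FX-001", "counterparty": "abc bank ", "side": "BUY",
     "currency_pair": "USD/INR", "notional": 1000000, "rate": "83.2500"},
    {"deal_id": "FX-002", "counterparty": "XYZ Corp", "side": "SELL",
     "currency_pair": "EUR/INR", "notional": 550000, "rate": "90.10"},
    {"deal_id": "FX-004", "counterparty": "PQR Ltd", "side": "BUY",
     "currency_pair": "GBP/INR", "notional": 100000, "rate": "105.40"},
]

if __name__ == "__main__":
    for key, value in fobo_reconcile(FRONT_OFFICE, BACK_OFFICE).items():
        print(key, value)
```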

34. What is the process flow for bank treasury operations?

Process flow for Bank Treasury Operations is provided in the Fig.

Process flow for Bank Treasury Operations

35. Explain various risk & controls around the Treasury Process

Risk & Controls around the Treasury Process

| S.No. | Risk | Key Controls |
|---|---|---|
| 1. | Unauthorized securities setup in systems such as Front office/Back office. | Appropriate Segregation of duties and review controls around securities master setup/amendments. |
| 2. | Inaccurate trade is processed. | Appropriate Segregation of duties and review controls to ensure the accuracy and authorization of trades. |
| 3. | Unauthorized confirmations are processed. | Complete and accurate confirmations to be obtained from counter-party. |
| 4. | Insufficient Securities available for Settlement. | Effective controls on securities and margins. |
| 5. | Incomplete and inaccurate data flow between systems. | Inter-system reconciliations, Interfaces and batch processing controls. |
| 6. | Insufficient funds are available for settlements. | Controls at CCIL/NEFT/RTGS settlements to ensure the margin funds availability and the timely funds settlements. |
| 7. | Incorrect Nostro payments processed. | Controls at Nostro reconciliation and payments. |

Loans and Trade Finance Process

The business of lending, which is the main business of banks, carries certain inherent risks, and a bank cannot take more than a calculated risk whenever it wants to lend. Hence, lending activity has to necessarily adhere to certain principles.

The business of lending is carried on by banks offering various credit facilities to their customers. Basically, various credit facilities offered by banks are generally repayable on demand. A bank should ensure proper recovery of funds lent by it and acquaint itself with the nature of legal remedies available to it and also the law affecting the credit facilities provided by it.

36. Explain classification of credit facilities

Classification of Credit Facilities: These may broadly be classified as under:

(i) Fund Based Credit Facilities: Fund based credit facilities involve outflow of funds, meaning thereby the money of the banker is lent to the customer. They can be generally of following types:

i. Cash Credits/Overdrafts
ii. Demand Loans/Term loans
iii. Bill Discounting

(ii) Non-Fund Based Credit Facilities: In this type of credit facility, the bank's funds are not lent to the customer and they include Bank Guarantees and Letter of Credit.

37. Explain the process flow in credit facilities

(I) Customer Master Creation in Loan Disbursement System (which is CBS or a separate system which periodically interfaces with CBS)

· The relationship manager across locations identifies the potential customers and approaches them with the details of the products/facilities and the charges/rates, or the customer may directly approach the bank for availing the facilities.


· Once the potential customer agrees for availing the facilities/products of the bank, the relationship manager requests the relevant documents, i.e. KYC and other relevant documents of the customer depending upon the facility/product.

· The documents received from the customers are handed over to the Credit team of the bank for sanctioning of the facilities/limits of the customers.

· Credit team verifies the documents, assesses the financial and credit worthiness of the borrowers and issues a sanction letter to the customer.

· Sanction letter details the terms of the facilities and the credit limits the customer is eligible for, e.g. how much loan can be offered to the customer.

· Once the customer agrees with the terms of the sanction letter, the credit team prepares a Pre Disbursement Certificate (PDC) containing the details of all the facilities & limits approved for the customer and sends it to the disbursement team, i.e. the team who is responsible for disbursing the loan amount to customer.

· The disbursement team verifies the PDC and creates customer account and master in the Loan Disbursement System. The disbursement team member also assigns the limits for various products as per PDC.

· Once the limits are assigned to the customer, the customer can avail any of the facilities/products up to the assigned credit limits.

(II) Loan Disbursal / Facility Utilization and Income Accounting

· Customer may approach the bank for availing the product/facility as per the sanction letter.

· The facility/product requested is offered to the customer after verifying the customer limits in the Loan Disbursal System, which normally would be CBS or may be a separate system which later interfaces with CBS on periodic basis.

· In case of the fund based loans (Term Loan/Overdraft/Cash credits), the funds are disbursed to the customer’s bank accounts and the corresponding asset is recorded in a loan account recoverable from the customer. Interest is generally accrued on a daily basis and, along with the principal, is recovered from the customer as per the agreed terms.

· In case of bills discounting product, the customer is credited the invoice amount excluding the interest amount as per the agreed rates. Interest income is generally accrued on a daily basis. Receivable is booked in a loan account.


· In case of non-fund based facilities, the facilities are granted to the customer up to the assigned limits in the loan disbursement system. Contingent entries are posted for asset and liabilities. Commission is normally charged to the customer account upfront on availing the facility and is accrued over the tenure of the facilities granted to the customer.

38. Explain process flow of Non Fund based loans

Process flow for Non Fund based loans

Process Flow for Non Fund based Loans


39. Explain risks & controls in loans & advances process

Risk & Controls in the Loans and Advances Process

| S.No. | Risk | Key Controls |
|---|---|---|
| 1. | Credit Line setup is unauthorized and not in line with the bank's policy. | The credit committee checks that the Financial Ratios, the Net-worth, the Risk factors and its corresponding mitigating factors, the Credit Line offered and the Credit amount etc. is in line with Credit Risk Policy and that the Client can be given the Credit Line. |
| 2. | Credit Line setup is unauthorized and not in line with the bank's policy. | Access rights to authorize the credit limit in Loan Booking system/CBS should be restricted to authorized personnel. |
| 3. | Masters defined for the customer are not in accordance with the Pre Disbursement Certificate. | Access rights to authorize the customer master in Loan Booking system/CBS should be restricted to authorized personnel. Segregation of duties exist in Loan Disbursement system. The system restricts the maker having checker rights to approve the loan/facilities booked by self in loan disbursal system. |
| 4. | Credit Line setup can be breached in Loan disbursement system/CBS. | Loan disbursement system/CBS restricts booking of loans/ facilities if the limits assigned to the customer is breached in Loan disbursement system/CBS. |
| 5. | Lower rate of interest/ Commission may be charged to customer. | Loan disbursement system/CBS restricts booking of loans/ facilities if the rate charged to the customer are not as per defined masters in system. |
| 6. | Facilities/Loans granted may be unauthorized/inappropriate. | Segregation of duties exist in Loan Disbursement system. The system restricts the maker having checker rights to approve the loan/facilities booked by self in loan disbursal system. |
| 7. | Inaccurate interest / charge being calculated in the Loan disbursal system. | Interest on fund based loans and charges for non-fund based loans are automatically calculated in the Loan disbursal system as per the defined masters. |
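An added sketch (not from the original notes, and not any real CBS product's code) of how the system-enforced controls listed for the loans and advances process fit together: checker rights, the bar on a maker approving a self-booked loan, the credit limit check and the rate-as-per-masters check. Class names, user names and amounts are assumptions made for the example.

```python
from dataclasses import dataclass
from decimal import Decimal


class ControlViolation(Exception):
    """Raised when a booking or approval would bypass a control."""


@dataclass
class CustomerMaster:
    customer_id: str
    credit_limit: Decimal            # limit assigned as per the PDC
    interest_rate: Decimal           # rate defined in the masters (% p.a.)
    utilised: Decimal = Decimal("0")


@dataclass
class LoanBooking:
    customer_id: str
    amount: Decimal
    rate: Decimal
    maker: str
    status: str = "PENDING"


class LoanDisbursementSystem:
    def __init__(self, masters, checkers):
        self.masters = {m.customer_id: m for m in masters}
        self.checkers = set(checkers)    # users holding checker rights
        self.audit_log = []

    def _check_limit(self, master, amount):
        if master.utilised + amount > master.credit_limit:
            raise ControlViolation("credit limit breached")

    def book(self, customer_id, amount, rate, maker):
        master = self.masters.get(customer_id)
        if master is None:
            raise ControlViolation("no customer master for this customer")
        if amount <= 0:
            raise ControlViolation("amount must be positive")
        if rate != master.interest_rate:
            raise ControlViolation("rate differs from defined master")
        self._check_limit(master, amount)
        booking = LoanBooking(customer_id, amount, rate, maker)
        self.audit_log.append(("BOOKED", maker, customer_id, amount))
        return booking

    def approve(self, booking, checker):
        if checker not in self.checkers:
            raise ControlViolation("user has no checker rights")
        if checker == booking.maker:
            # A maker who also holds checker rights still cannot self-approve.
            raise ControlViolation("maker cannot approve own booking")
        if booking.status != "PENDING":
            raise ControlViolation("booking is not pending")
        master = self.masters[booking.customer_id]
        # Re-check at approval: several pending bookings may each fit the
        # limit on their own but breach it together.
        self._check_limit(master, booking.amount)
        master.utilised += booking.amount
        booking.status = "APPROVED"
        self.audit_log.append(
            ("APPROVED", checker, booking.customer_id, booking.amount))
        return booking


def violation(action, *args, **kwargs):
    """Run an action and return the control message it raised, or None."""
    try:
        action(*args, **kwargs)
    except ControlViolation as exc:
        return str(exc)
    return None
```

The second limit check inside `approve` matters: two bookings that each pass at booking time can together exceed the sanctioned limit, so the check has to run again when utilisation is actually updated.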

Internet Banking Process

40. Explain internet banking process

· The customer applies to the bank for such a facility. The user is provided with a User ID and Password. As is the best practice, the password is expected to be changed soon after the first log on.

· Internet facility could be used only by accessing the website of the bank. For accessing the website, a browser like Internet Explorer, Firefox or Chrome is used.


· On access, the user is directed to a secure web server. The internet banking website is hosted on the web server. The web server is in the central data center of the bank. Access to the web server is permitted only to authorised users.

· To protect the web server from unauthorised use and abuse, the traffic must necessarily pass through a firewall. The firewall is designed in such a fashion that only traffic addressed to the web server through the authorised port is permitted.

· An individual who accesses the website of the bank through the browser will be able to access the web server and there will be a display of the bank’s web page on the screen of the client’s computer.

· The web page will also provide all information generally of interest to the public. The web page also will have a specified area wherein a mention of user ID and password will be made.

· The password will not be displayed in plain text but will only be in an encrypted form.

· The web server forwards the customer details to the internet banking applications server which in turn accesses the IDBS. The server already has the database of all the customers who have been provided with internet banking facility. For each customer, it would be having details about user ID and password.

· The information received from the web server is verified with the data of the customer held in the Internet Banking Application Server (IBAS).

· Should the information not tally, the message ‘access denied’ would appear, giving the reason as ‘user ID/ password incorrect’. The customer, realising the mistake, may rectify it and make another attempt.

· Normally, three such attempts would be permitted. After three attempts, the customer will be logged out for security reasons. If more attempts are permitted, there is a possibility of a person just trying out different combinations of user ID and password to break into the system.

· Based on the authentication check, the Internet Banking Application Server (IBAS) sends an acknowledgement to the web server. The web server displays the message. Once the authentication process is completed correctly, the customer is provided internet banking facility, which would include:
(a) Password change
(b) Balance inquiry
(c) Fund transfer
(d) Request for cheque book
(e) Stop payment
(f) Copy of statement of account; and
(g) ATM/ Credit Card related queries

· The customer then chooses one of the services from the list. The service requested is directed by the web server to the IBAS for processing. The IBAS will access the internet banking database server for further processing.


· The Internet Banking Channel Server (IBCS) will retrieve the data from the central database server. The IBCS will be able to access the central database server only through a middleware and firewall. The middleware is expected to convert the data to suit the requirements of IBCS.

· Internet banking database server then forwards the customer data to the IBAS which processes the transaction, e.g., the statement of account from the central database server is made available to the Internet Banking Database Server (IDBS). The IBCS then sends the data to the IBAS. The IBAS then sends the same to the web browser (Internet Explorer).

· The web server generates a dynamic web page for the service requested, e.g., the accounts statement generated by the web server and presented to Internet Explorer (say). The information is then provided to the web browser in an encrypted form.
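An added example (not from the original notes) of the authentication step in the flow above: the credential check performed at the application server, the ‘access denied’ response, and the lock after three failed attempts. Storing a salted PBKDF2 hash instead of the password, the class and method names, and the `unlock` step are assumptions made for the example.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3   # the notes permit three attempts
GRANTED = "access granted"
DENIED = "access denied: user ID/ password incorrect"
LOCKED = "access denied: account locked"


def hash_password(password, salt):
    # Slow, salted hash so a stolen database does not reveal passwords.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class InternetBankingAuth:
    """Stands in for the credential check done by the application server."""

    def __init__(self):
        self.users = {}       # user_id -> (salt, password hash)
        self.failures = {}    # user_id -> consecutive failed attempts
        self.locked = set()

    def enrol(self, user_id, password):
        salt = os.urandom(16)
        self.users[user_id] = (salt, hash_password(password, salt))

    def login(self, user_id, password):
        if user_id in self.locked:
            # Even the correct password is refused until the bank unlocks.
            return LOCKED
        record = self.users.get(user_id)
        # Hash for unknown IDs too, so timing and message are the same
        # whether the user ID or the password was wrong.
        salt, stored = record if record else (b"\x00" * 16, b"")
        candidate = hash_password(password, salt)
        if record is not None and hmac.compare_digest(candidate, stored):
            self.failures.pop(user_id, None)   # success resets the counter
            return GRANTED
        count = self.failures.get(user_id, 0) + 1
        self.failures[user_id] = count
        if count >= MAX_ATTEMPTS:
            self.locked.add(user_id)
        return DENIED

    def unlock(self, user_id):
        """Hypothetical bank-side step after verifying the customer."""
        self.locked.discard(user_id)
        self.failures.pop(user_id, None)
```

The same message is returned for an unknown user ID and a wrong password, so the response does not help anyone trying out combinations learn which user IDs exist.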

E-Commerce Transaction processing

41. Explain e-commerce transaction flow for approval of payments

Most of the e-Commerce transactions involve advance payment through either a credit or debit card issued by a bank. The Fig. highlights flow of transaction when a customer buys online from vendor’s e-commerce website.

E-Commerce Transaction flow for approval of payments

Risks associated with CBS

42. Explain risks associated with CBS

Once the complete business is captured by technology and processes are automated in CBS, the bank, its customers, management and staff are completely dependent on the Data Centre (DC). From a risk assessment and coverage point of view, it is critical to ensure that the Bank can impart advanced training to its permanent staff in the core areas of technology for effective and efficient technology management.

· Ownership of Data/ process: Since the entire data resides at the Data Centre, any authorized user may access any data, sometimes beyond their access rights. Hence it is required to establish clear ownership.

· Authentication procedure: This may be inadequate and hence the user entering the transaction may not be identifiable. Hence a photo or ID and password are required to be provided by the individual, and these have to be verified against the photo, ID & password stored in the database server to check authenticity.

· Authorization process: Once a user is authenticated, the level of access rights provided to that user has to be verified to check to what extent the user is authorized to access.

· Several software interfaces across diverse networks: A Data Centre can have as many as 75-100 different interface and application software.

· Maintaining response time: Maintaining the interfacing software and ensuring optimum response time and up time can be challenging.

· User Identity Management: This could be a serious issue. Some Banks may have more than 5000 users interacting with the CBS at once.

· Access Controls: Designing and monitoring access control is an extremely challenging task.

· Incident handling procedures: These may not be adequate considering the need for real-time risk management.

IT related Risks and mitigating Controls

43. Explain the IT related risks & mitigating controls in the business perspective

There are multiple ways in which risks can be assessed. From a business perspective, the risks can be classified based on the following Information criteria:

· Confidentiality: If critical data is lost and unauthorized disclosure happens, data confidentiality is lost.

· Integrity: If critical data is modified without authorization, or is incomplete or inaccurate due to errors in input or processing, data integrity will be affected.

· Availability: Information system is not available when required.

· Compliance: The information system does not comply with legal, regulatory, contractual or internal compliance requirements.

· Reliability: If the system does not provide accurate financial information, users lose confidence in the information system.

· Effectiveness: If the system is not able to meet user requirements, it will affect effectiveness.

· Efficiency: If the system is not responding within the stipulated time, it will affect efficiency.

44. Explain the sub processes of data center and network operation to control IT related risks.

• Backups and Restoring of data: To be done on regular basis as per back up policy.

• Job and Batch Scheduling and Processing: Running of various types of transactions on regular basis as per pre-defined schedules. For example: Clearing of cheques, interest computation is done at specified intervals.

• Monitoring of Applications and supporting Servers: The Servers and applications running on them are monitored to ensure that servers, network connections and application software along with the interfaces are working continuously.

• Value Add areas of Service Level Agreements (SLA): SLA with vendors are regularly reviewed to ensure that the services are delivered as per specified performance parameters.

• User training and qualification of Operations personnel: The personnel deployed have required qualifications, competencies and skill-sets to operate and monitor the IT environment of CBS of bank.

45. Explain risks and Controls for Data Centre and Network Operations

Risks and Controls for Data Centre and Network Operations

| Risks | Key IT Controls |
|---|---|
| The transaction may not be recorded completely or accurately, and the related items will be inaccurately or incompletely recorded. | Batch and online processing procedures are defined, executed and monitored for successful and timely completion. Any exception is reviewed and timely resolved. |
| Invalid items may be recorded or valid items may be inaccurately or incompletely recorded. | Access to automated job scheduling tools, and executable programs are defined to restrict to appropriate individuals as per job requirement. |
| Timely and adequate technical support may not be available and issues may not be resolved. | Entity has written agreement(s) with outside contractors and/ or software vendors to provide for technical support, as needed. Management monitors compliance with these agreements. |
| User queries may not be timely and adequately resolved. | Help desk function exists to provide support on user queries regarding systems. Problems are recorded and the log for timely resolution of all such user queries is monitored. |
| Unavailability of applications and data backups in the event of a disaster. It can also result in disclosure of sensitive information. | All tapes, manuals, guides are properly labelled and timely stored in a secured environmentally controlled location. |
| Data may be lost and systems may not be recoverable in the event of a serious system failure. This may result in regulatory/ legal complaints, loss of reputation beside financial loss. | Schedule backup and storage of data is done periodically and appropriately. Management periodically reviews backups are done as per back up policy and meet business and legal requirements. |

Information Security

Information security is critical to mitigate the risks of Information technology. Security refers to ensuring Confidentiality, Integrity and Availability of information.

46. Explain the sub processes of Information Security

· Information Security Policies, Procedures, and practices: Refers to the processes relating to approval and implementation of information security. The security policy is the basis on which detailed procedures and practices are developed and implemented at various units/department and layers of technology, as relevant. These cover all key areas of securing information at various layers of information processing and ensure that information is made available safely and securely.

· User Security Administration: Refers to security for various users of information systems. The security administration policy documents define how users are created and granted access as per organization structure and access matrix. The complete administration of users, right from creation to disabling of users, is also defined as part of the security policy.

· Application Security: Refers to how security is implemented at various aspects of application right from configuration, setting of parameters and security for transactions through various application controls.

· Database Security: Refers to various aspects of implementing security for the database software.

· Operating System Security: Refers to security for operating system software which is installed in the servers and systems which are connected to the servers.

· Network Security: Refers to how security is provided at various layers of network and connectivity to the servers.

· Physical Security: Refers to security implemented through physical access controls.


47. Explain risks & controls for information security

Risks and Controls for Information Security

| Risks | Key IT Controls |
|---|---|
| Significant information resources may be modified inappropriately, disclosed without authorization, and/ or unavailable when needed (e.g., they may be deleted without authorization). | Super user access or administrator passwords are changed on system installation and are available with administrator only. Password of super user or administrator is adequately protected. |
| Lack of management direction and commitment to protect information assets. | Security policies are established and management monitors compliance with policies. |
| Potential Loss of confidentiality, availability and integrity of data and system. | Vendor default passwords for applications systems, operating system, databases, and network and communication software are appropriately modified, eliminated, or disabled. |
| User accountability is not established. | All users are required to have a unique user id. |
| It is easier for unauthorized users to guess the password of an authorized user and access the system and/ or data. This may result in loss of confidentiality, availability and integrity of data and system. | The identity of users is authenticated to the systems through passwords. The password is periodically changed, kept confidential and complex (e.g., password length, alphanumeric content, etc.) |
| Security breaches may go undetected. | Access to sensitive data is logged and the logs are regularly reviewed by management. |
| Inadequate preventive measure for key server and IT system in case of environmental threat like heat, humidity, fire, flood etc. | Environmental control like smoke detector, fire extinguisher, temperature maintenance devices and humidity control devices are installed and monitored in data center. |

Application Software

In chapter 3 we covered Application controls. Here we are referring to risks & controls specific to CBS.


48. Explain risks & controls for Application Software

Risks and Controls for Application Controls

| Risks | IT Controls |
|---|---|
| Interest may be incorrectly computed leading to incorrect recording of income/ expenditure. | Interest is automatically correctly computed. Digits are rounded off appropriately. Interest is accurately accrued. |
| Inappropriate reversal of charges resulting in loss of revenue. | System does not permit reversal of the charges in excess of the original amount charged. |
| Multiple liens in excess of the deposit value may result in inability to recover the outstanding in the event of a default. | System prevents a single lien from exceeding the deposit value. It prevents marking of multiple liens against the same deposit, thus preventing the total liens exceeding the deposit account. |
| Inappropriate security or controls over system parameter settings resulting in unauthorized or incorrect changes to settings. | Access for changes made to the configuration, parameter settings is restricted to authorized user and require authorization/ verification from another user. |
| Inappropriate set up of accounts resulting in violation of business rules. | The system parameters are set up as per business process rules of the bank. |
| Failure to levy appropriate charges resulting in loss of revenue. Inappropriate levy of charges, resulting in customer disputes. | System does not permit closing of an account having zero balance without recovering the applicable account closure charges. |
| Incorrect classification and provisioning of NPAs, resulting in financial misstatement. | Configuration/ customization exists in the application to perform the NPA classification as per relevant RBI guidelines. |
| Failure to levy appropriate charges resulting in loss of revenue. Inappropriate levy of charges, resulting in customer disputes. | The charges applicable for various transactions as per account types are properly configured as per bank rules. The Charges are in compliance with RBI and bank’s policies. |
| Duplicate asset records may be created. Ownership of asset may not be clearly established. | Unique id is created for each asset. Each asset is assigned to specific business unit and user to establish ownership. |


49. Explain the four gateways of Application software

Application Software, whether it is a high-end CBS software, ERP software or a simple accounting software, has primarily four gateways through which an enterprise can control functioning, access and use of the various menus and functions of the software. These are as follows:

· Configuration:
§ In CBS software, Configuration refers to the way a software system is set up for use. Configuration is the first step after installing the software.
§ This involves setting up various parameters (configuration) as per policies and business process rules.
§ The various modules of the bank such as advances, deposits, user access etc. must be configured.
§ Configuration will define how software will function and what menu options are displayed.
§ Configuration will also enable how the products and services are distinguished from each other.
§ Some examples of configuration are given here:
- Defining access rules from various devices/terminals.
- Creation of User Types
- Creation of Customer Type, Deposit Type, year-end process
- User Access & privileges - Configuration & its management
- Password Management

· Masters:
§ In a CBS software, Masters refer to the setting of parameters for various types of product and service type as per software modules used in the bank. The masters are also referred to as standing data as these are changed only when required and will require higher level of access.
§ The parameter settings in the masters will drive how the software will process relevant transactions. For example, the interest parameters will be used for computing interest for various types of deposits/advances.
§ After configuring the software, the masters are set up first time during installation and these are changed whenever the business process rules or values change. For example: If RBI has changed the lending rates based on which bank has decided to change the interest rates for specific type of advances, the interest parameters are to be updated. Any changes to these data should be authorized by appropriate personnel and these are logged and captured in exception reports. Some examples of masters are as follows:
- Customer Master for advances: Credit limit, loan period, interest rate, penal interest rate, security offered, sanction terms, customer details, etc.
- Deposit Master: Interest rate, type of deposit, service charges, period of interest computation, Minimum balance, withdrawal limits, a/c type (NRE/ NRO), etc.
- Customer Master: Customer type, details, address, PAN details,
- Employee Master: Employee Name, Id, designation, level, joining details, salary, leave, etc.
- Income Tax Master: Tax rates applicable, Slabs, frequency of TDS, etc.

· Transactions:
§ In CBS software, Transactions refer to the actual transactions of various products and services which can be done by users using menus and functions and by customers through internet/mobile banking.
§ The transactions are allowed based on user access and access authorization matrix set.
§ For example, for each user, access to specific modules, type of transactions, and what they can do: entry, authorize or view would be possible. Some examples of transactions are given here:
- Deposit transactions: opening of a/c, deposits, withdrawals, interest computation, etc.
- Advances transactions: opening of a/c, deposits, withdrawals, transfers, closure, etc.
- ECS transactions: Entry, upload, authorize/approve, update, etc.
- General Ledger: Expense accounting, interest computation update, charges update, etc.

· Reports:
§ Users at different levels use information which is processed by the computers. This information could be in form of reports which are periodically generated or on demand.
§ These reports could be standard or adhoc reports.
§ The reports could be used for monitoring the operations as also for tracking the performance. Some examples of reports are as follows:
- Summary of transactions of day
- Daily General Ledger (GL) of day
- Activity Logging and reviewing
- MIS report for each product or service
- Reports covering performance/compliance
- Reports of exceptions, etc.

APPLICABLE REGULATORY AND COMPLIANCE REQUIREMENTS

· Banking Regulation Act

· RBI regulations

· Money Laundering Act

· Information Technology Act

50. Write a short note on Banking Regulation Act

· The Banking Regulation Act, 1949 is legislation in India that regulates all banking firms in India. Initially, the law was applicable only to banking companies. But, in 1965 it was amended to make it applicable to cooperative banks and to introduce other changes.

· The Act provides a framework using which commercial banking in India is supervised and regulated.

· The Act gives the Reserve Bank of India (RBI) the power to license banks, have regulation over shareholding and voting rights of shareholders; supervise the appointment of the boards and management; regulate the operations of banks; lay down instructions for audits; control moratorium, mergers and liquidation; issue directives in the interests of public good and on banking policy, and impose penalties.

· In 1965, the Act was amended to include cooperative banks under its purview by adding the Section 56. Cooperative banks, which operate only in one state, are formed and run by the state government. But, RBI controls the licensing and regulates the business operations. The Banking Act was a supplement to the previous acts related to banking.

· RBI has been proactive in providing periodic guidelines to banking sector on how IT is deployed. It also facilitates banks by providing specific guidelines on technology frameworks, standards and procedures covering various aspects of functioning and computerization of banks in India. RBI also provides the technology platform for NEFT/ RTGS and other centralized processing from time to time.


Negotiable Instruments Act-1881 (NI Act)

· Under the NI Act, a cheque includes the electronic image of a truncated cheque and a cheque in the electronic form. The truncation of cheques in clearing has been given effect to and appropriate safeguards in this regard have been set forth in the guidelines issued by RBI from time to time.

· A cheque in the electronic form has been defined as “a mirror image” of a paper cheque. The expression ‘mirror image’ is not appropriate and was misinterpreted in many ways, being taken as an actual mirror image or snapshot image of the paper cheque.

· As per the IT Act, 2000, under Section 3 the signature should be a digital signature, but in 2008 the Act was amended to include electronic signature.

51. Write a short note on RBI Regulations

· The Reserve Bank of India (RBI) was established on April 1, 1935 in accordance with the provisions of the Reserve Bank of India Act, 1934.

· The basic functions of the Reserve Bank are:
§ to regulate the issue of Bank Notes;
§ keeping of reserves with a view to securing monetary stability in India; and
§ to operate the currency and credit system of the country to its advantage.

· The primary objective of Banking & financial services is to undertake consolidated supervision of the financial sector comprising commercial banks, financial institutions and non-banking finance companies.

52. Explain key functions of RBI

· Monetary Authority: RBI formulates, implements and monitors the monetary policy with the objective of maintaining price stability and ensuring adequate flow of credit to productive sectors.

· Regulator and supervisor of the financial system:
§ Prescribes broad parameters of banking operations within which the country’s banking and financial system functions, with the objective of maintaining public confidence in the system, protecting depositors’ interest and providing cost-effective banking services to the public.

· Issuer of currency: Issues and exchanges or destroys currency and coins not fit for circulation, with the objective of giving the public an adequate quantity of currency notes and coins in good quality.


Impact of Technology in Banking

· The key components of banking business with controls are entirely covered under the four areas namely business process, policies and procedures, regulatory requirements and organization structure.

· However, in the CBS environment, technology encompasses all the four critical components, resulting in highly effective and efficient business operations and controls to manage entire banking operations.

· Earlier, technology was a tool used in specific departments of the bank, but now with CBS, technology has become all-pervasive and integral for doing banking.

· The dependence on technology in a bank is also very high. If IT fails, then none of the business processes can be performed.

Technology and Business Process Components

53. Write a short note on money laundering

· Money laundering is the process by which the proceeds of the crime and the true ownership of those proceeds are concealed or made opaque so that the proceeds appear to come from a legitimate source.

· The objective in money laundering is to conceal the existence, illegal source, or illegal application of income to make it appear legitimate.

· Money laundering is commonly used by criminals to make “dirty” money appear “clean”, so that the profits of criminal activities are made to appear legitimate.

· Sec. 3 of the PML Act, 2002 defines ‘money laundering’ as: “whosoever directly or indirectly attempts to indulge or knowingly assists or knowingly is a party or is actually involved in any process or activity connected with the proceeds of crime and projecting it as untainted property shall be guilty of the offence of money-laundering”.


Prevention of Money Laundering Act (PMLA)

· Under Section 12 of PMLA, every banking company, financial institution and intermediary (hereinafter referred to as such entities) is required to maintain a record of transactions as may be prescribed by rules and furnish information to the Director within such time as may be prescribed.

· The records to be maintained by such entities are set forth in rule 3 of PMLR. Such records include record of cash transactions of value more than 10 lakhs or its equivalent in foreign currency, integrally connected cash transactions taking place within a month, cash transactions where forged or counterfeit notes are involved and suspicious transactions of the nature described therein.

· Under rule 6 of PMLR, such records are to be maintained for a period of ten years from the date of transaction.

54. Explain the key aspects of PMLA

The key aspects of PMLA are as follows:

§ Maintenance of record of all cash transactions above Rs. 10 lakhs. Such information will be submitted to the Director every month before the 15th day of the succeeding month.

§ All series of integrally connected cash transactions, each of value less than Rs. 10 lakhs, if they have taken place within a month (aggregate value above Rs. 10 lakhs). Such information will be submitted to the Director every month before the 15th day of the succeeding month.

§ All cash transactions where forged or counterfeit notes have been used. Such information will be submitted to the Director within 7 days of the date of occurrence of the transaction.

§ All suspicious transactions made in cash or otherwise. Such information will be submitted to the Director every month within a period of 7 working days on being satisfied that the transaction is suspicious.

· As per Rule 9 of PMLR, every banking company, financial institution and intermediary, as the case may be, shall, at the time of opening an account or executing any transaction with it, verify and maintain the record of identity and current address or addresses including permanent address or addresses of the client, the nature of business of the client and his financial status. Such entities are required to formulate and implement a client identification programme which incorporates the requirements of the said rule. A copy of the said identification programme is required to be forwarded to the Director.


· Under section 13 of PMLA, the Director is empowered (without prejudice to any other action that may be taken under PMLA) to impose a fine which shall not be less than 10 thousand but which may extend to 1 lakh for each failure. Since the imposition of fine by the Director is without prejudice to any other action that may be taken under PMLA, it is possible that such entities may be exposed to penalty also under Section 63.

· In terms of Section 70, if the contravention is committed by such entities, the officers in charge of and responsible to the conduct of the business of such entity at the relevant time are also liable to be proceeded with and punished.

It is therefore clear that such entities should have a robust system of keeping track of the transactions of the nature referred to in Prevention of Money Laundering Act (PMLA) and Prevention of Money Laundering Rules (PMLR) and report the same within the prescribed period as aforesaid.
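A minimal sketch of such a tracking system, added here as an illustration (it is not part of the original notes or of any bank's software): it sorts cash transactions into the report categories listed under the key aspects of PMLA and computes the deadline for each. Treating "integrally connected" as "same customer within one calendar month" is an assumption, as are all names and the sample records.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

THRESHOLD = 10_00_000  # Rs. 10 lakhs, the limit quoted in the notes


@dataclass(frozen=True)
class CashTxn:
    txn_id: str
    customer: str
    on: date                   # date of the transaction
    amount: int                # rupees
    counterfeit: bool = False  # forged or counterfeit notes were involved


def fifteenth_of_next_month(d: date) -> date:
    """Monthly reports go in before the 15th day of the succeeding month."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, 15)


def build_report_queue(txns):
    """Return (category, txn_ids, deadline) tuples ordered by deadline."""
    queue = []
    smaller = defaultdict(list)  # (customer, year, month) -> transactions
    for t in txns:
        if t.counterfeit:
            # Reported within 7 days of the date of occurrence.
            queue.append(("COUNTERFEIT", (t.txn_id,), t.on + timedelta(days=7)))
        if t.amount > THRESHOLD:
            queue.append(("CASH_ABOVE_10_LAKH", (t.txn_id,),
                          fifteenth_of_next_month(t.on)))
        else:
            # Assumption: "integrally connected" is approximated as the same
            # customer within one calendar month. The notes say "less than";
            # an amount of exactly Rs. 10 lakhs is grouped here as well.
            smaller[(t.customer, t.on.year, t.on.month)].append(t)
    for (_, year, month), group in smaller.items():
        # A series needs at least two transactions whose total crosses the limit.
        if len(group) > 1 and sum(t.amount for t in group) > THRESHOLD:
            ids = tuple(t.txn_id for t in sorted(group, key=lambda t: t.on))
            queue.append(("CONNECTED_SERIES", ids,
                          fifteenth_of_next_month(date(year, month, 1))))
    return sorted(queue, key=lambda r: (r[2], r[0]))


# Constructed sample records, not real data.
SAMPLE = [
    CashTxn("T1", "CUST-A", date(2024, 1, 5), 12_00_000),
    CashTxn("T2", "CUST-B", date(2024, 1, 10), 4_00_000),
    CashTxn("T3", "CUST-B", date(2024, 1, 20), 4_50_000),
    CashTxn("T4", "CUST-B", date(2024, 1, 28), 3_00_000),
    CashTxn("T5", "CUST-C", date(2024, 12, 30), 50_000, counterfeit=True),
    CashTxn("T6", "CUST-B", date(2024, 2, 2), 6_00_000),
]

if __name__ == "__main__":
    for category, ids, deadline in build_report_queue(SAMPLE):
        print(deadline.isoformat(), category, ", ".join(ids))
```

Suspicious-transaction reports are left out because their 7-working-day period runs from the date the bank is satisfied that the transaction is suspicious, which is a human determination rather than a field on the transaction.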

55. Explain the 3 stages of Money Laundering

Placement

The first stage involves the Placement of proceeds derived from illegal activities - the movement of proceeds, frequently currency, from the scene of the crime to a place, or into a form, less suspicious and more convenient for the criminal.

Layering

· Layering involves the separation of proceeds from illegal source using complex transactions, through several banks involved in transfer of money between different accounts in different names in different countries, designed to obscure the audit trail and hide the proceeds.

· The criminals frequently use shell corporations, offshore banks or countries with loose regulation and secrecy laws for this purpose.

· It changes the form of money, i.e. from black money to white money, by using black money to purchase assets such as boats, houses, cars, diamonds etc.

Integration

· Integration involves conversion of illegal proceeds into apparently legitimate business earnings through normal financial or commercial operations.

· For e.g. false invoices for goods exported, domestic loan against a foreign deposit, purchasing of property.


Anti-Money Laundering (AML) using Technology

· Negative publicity, damage to reputation and loss of goodwill, legal and regulatory sanctions and adverse effect on the bottom line are all possible consequences of a bank’s failure to manage the risk of money laundering.

· Banks face the challenge of addressing the threat of money laundering on multiple fronts as banks can be used as primary means for transfer of money across geographies. The challenge is even greater for banks using CBS as all transactions are integrated.

· With regulators adopting stricter regulations on banks and enhancing their enforcement efforts, banks are using special fraud and risk management software to prevent and detect fraud and integrate this as part of their internal process and daily processing and reporting.

Financing of Terrorism

· Money to fund terrorist activities moves through the global financial system via electronic transfers and in and out of personal and business accounts.

· It can sit in the accounts of illegitimate charities and be laundered through buying and selling securities and other commodities.

Information Technology Act

I. Cyber Crimes

Cybercrime, also known as computer crime, is a crime that involves use of a computer and a network.

Cybercrime is defined as: “Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones.”

56. Explain classification of cybercrimes as per United Nations’ manual

· Committing of a fraud by manipulation of the input, output, or throughput of a computer based system.

· Computer forgery, which involves changing images or data stored in computers,

· Deliberate damage caused to computer data or programs through virus programs or logic bombs,

· Unauthorized access to computers by ‘hacking’ into systems or stealing passwords, and,

· Unauthorized reproduction of computer programs or software piracy.

· Cybercrimes have grown big with some countries promoting it to attack another country’s security and financial health.


II. Computer related offences

Section 43 provides for Penalty and compensation for damage to computer, computer system, etc.

If any person without permission of the owner or any other person who is in-charge of a computer, computer system or computer network, or computer resource:

· Accesses or secures access to such computer, computer system or computer network;

· Downloads, copies or extracts any data, computer database or information from such computer, computer system or computer network including information or data held or stored in any removable storage medium;

· Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;

· Damages or causes to be damaged any computer, computer system or computer network, data, computer database or any other programs residing in such computer, computer system or computer network;

· Disrupts or causes disruption of any computer, computer system or computer network;

· Denies or causes the denial of access to any person authorized to access any computer, computer system or computer network by any means;

· Provides any assistance to any person to facilitate access to a computer, computer system or computer network in contravention of the provisions of this Act, rules or regulations made thereunder;

· Changes the services availed of by a person to the account of another person by tampering with or manipulating any computer, computer system, or computer network;

· Destroys, deletes or alters any information residing in a computer resource or diminishes its value or utility or affects it injuriously by any means;

· Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code used for a computer resource with an intention to cause damage;

shall be liable to pay damages by way of compensation to the person so affected.

Some examples of offences in IT Act which could impact banks are as follows:


Section 65: Tampering with Computer Source Documents

Whoever

- knowingly or intentionally conceals, destroys or alters or
- intentionally or knowingly causes another to conceal, destroy or alter

any computer source code used for a computer, computer program, computer system or computer network, when the computer source code is required to be kept or maintained by law for the time being in force, shall be punishable with

- imprisonment up to three years, or
- with fine which may extend up to 2 lakh rupees, or
- with both.

The explanation clarifies “Computer Source Code” means the listing of programme, Computer Commands, Design and layout and program analysis of computer resource in any form.

Section 66: Computer Related Offences

If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable with imprisonment for a term which may extend to three years or with fine which may extend to 5 lakh rupees or with both.

Section 66-B: Punishment for dishonestly receiving stolen computer resource or communication device

Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or having reason to believe the same to be stolen computer resource or communication device, shall be punished with imprisonment of either description for a term which may extend to three years or with fine which may extend to rupees one lakh or with both.

Section 66-C: Punishment for identity theft

Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique identification feature of any other person, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to rupees one lakh.

Section 66-D: Punishment for cheating by personation by using computer resource

Whoever, by means of any communication device or computer resource cheats by personation, shall be punished with imprisonment of either description for a term which may extend to three years and shall also be liable to fine which may extend to one lakh rupees.


Section 66-E: Punishment for violation of privacy

Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent, under circumstances violating the privacy of that person, shall be punished with imprisonment which may extend to three years or with fine not exceeding two lakh rupees, or with both.

III. Sensitive Personal Data Information (SPDI)

Section 43A: Compensation for failure to protect data

Section 43A of the IT Amendment Act imposes responsibility for protection of stakeholder information by body corporate. It states as follows:

“Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource, which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation, to the person so affected”.

The IT Act has a specific category, “sensitive personal data or information,” which consists of password, financial information (including bank account, credit card, debit card or other payment details), physical, physiological and mental health conditions, sexual orientation, medical records, and biometric information. This legally obligates all stakeholders (i.e., any individual or organization that collects, processes, transmits, transfers, stores or deals with sensitive personal data) to adhere to its requirements.

IV. Privacy Policy

· Every bank captures Personal Information of customers as per the definition in the IT Act. Hence, it is mandatory to ensure security of personal information.

· This information must be protected by maintaining physical, electronic, and procedural safeguards by using appropriate security standards such as ISO 27001 to ensure compliance with regulatory requirements.

· Further, the employees of banks should be trained in the proper handling of personal information.

· Even when such services are outsourced, the vendor companies who provide such services are required to protect the confidentiality of personal information they receive and process. This aspect must be contractually agreed and the compliance of this monitored.

· The specific information collected is to be confirmed with the customers. The type of information collected could be Non-Personal and Personal Information. For example, when the customer visits the website of the bank, information about the IP address of the device used to connect to the Internet is collected. Personal Information is that provided by the customer, such as name, address, phone number, and email etc.

Page 295: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 296: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 297: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 298: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

Page 299: Enterprise Information System notes for CA Intermediate ... · Accounting, Human Resource (HR) Management and workplace safety. One key differentiator between operational and support

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������

��������������������������������������������������������������������
