Information Technology and Communication
TRANSCRIPT
7/27/2019 Information Technology and Communication (page 1/59)
Dr Thuy Nguyen
Commercial University of Vietnam
INFORMATION TECHNOLOGY AND COMMUNICATION
Course Information
Lecture Notes: http://www.ece.rutgers.edu/~marsic/books/SE
References: Textbooks: Bruegge & Dutoit: Object-Oriented Software Engineering: Using UML, Patterns and Java, Third Edition, Prentice Hall, 2010. ISBN 0-13-6061257
Web: http://www.ece.rutgers.edu/~marsic/Teaching/SE
Slide Handout
Course Information
Grading: Attendance: 0,1
Midterm Test: 0,3
Final Test: 0,6
Chapter one: Information Technology and Communication Basic Concepts
1.1 ITC Basic concepts
1.1.1. What is ITC?
ITC = ICT
ICT Definition
ICT is often used as an extended synonym for information technology (IT), but is a more specific term that stresses the role of unified communications[1] and the integration of telecommunications (telephone lines and wireless signals), computers as well as necessary enterprise software, middleware, storage, and audio-visual systems, which enable users to access, store, transmit, and manipulate information.
ICT Definition
An ICT system is a set-up consisting of hardware, software, data and the people who use them. It commonly includes communications technology, such as the Internet.
ICT systems are used in a number of environments, such as: offices, shops, factories, aircraft, ships.
The importance of ICT systems
- More productive: we can complete a greater number of tasks in the same time at reduced cost by using computers than we could prior to their invention
- Able to deal with vast amounts of information and process it quickly
- Able to transmit and receive information rapidly
Types of ICT
Information systems: This type of ICT system is focused on managing data and information. Examples of these are a sports club membership system or a supermarket stock system.
Control systems: These ICT systems mainly control machines. They use input, process and output, but the output may be moving a robot arm to weld a car chassis rather than information.
Communications systems: The output of these ICT systems is the successful transport of data from one place to another.
An ICT system diagram
A system is an assembly of parts that together make a whole. ICT systems are made up of some or all of the parts shown in the diagram. Various devices are used for input, processing, output, and communication.
1.2 Introduction to project management process
1.2.1 The Systems Development Life Cycle
Any product development can be expected to proceed as an organized process that usually includes the following phases: Planning / Specification, Design, Implementation, Evaluation
The Role of Software Engg. (1)
Customer - Programmer: a bridge from customer needs to programming implementation
First law of software engineering: the software engineer is willing to learn the problem domain (a problem cannot be solved without understanding it first)
Software Development Methods
Method = work strategy. The Feynman Problem-Solving Algorithm: (i) write down the problem, (ii) think very hard, and (iii) write down the answer.
A. Waterfall: Unidirectional, finish this step before moving to the next
B. Iterative + Incremental: Develop an increment of functionality, repeat in a feedback loop
C. Agile: User feedback essential; feedback loops on several levels of granularity
Waterfall Method (diagram): Requirements -> Design -> Implementation -> Testing -> Deployment & Maintenance
Unidirectional, no way back: finish this step before moving to the next
1. Requirements Specification
- Understanding the usage scenarios and deriving the static domain model
2. Design
- Assigning responsibilities to objects and specifying detailed dynamics of their interactions under different usage scenarios
3. Implementation
- Encoding the design in a programming language
4. Testing
- Individual classes/components (unit testing) and the entire system (integration testing)
5. Operation and Maintenance
- Running the system; fixing bugs and adding new features
Benefits and Drawbacks of the Waterfall Methodology
Benefits:
- Disciplined process
- Forces to have complete requirements prior to start
- Forces analysis and design first
Drawbacks:
- No early feedback (prototyping)
- Slow to respond to change
- High cost for missed or unclear requirements
- It is optimized for hardware, thereby neglecting the essential characteristics of software.
B. Iterative + Incremental
- Prototyping
- Incremental development
- The spiral methodology
- RUP (Rational Unified Process)
Prototyping
Prototyping is the development approach of activities during software development, the creation of prototypes, i.e., incomplete versions of the software program being developed.
Basic principles:
- Not a standalone, complete development methodology, but rather an approach to handle selected parts of a larger, more traditional development methodology (i.e. incremental, spiral, or rapid application development (RAD)).
- Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process.
- User is involved throughout the development process, which increases the likelihood of user acceptance of the final implementation.
- Small-scale mock-ups of the system are developed following an iterative modification process until the prototype evolves to meet the users' requirements.
- While most prototypes are developed with the expectation that they will be discarded, it is possible in some cases to evolve from prototype to working system.
- A basic understanding of the fundamental business problem is necessary to avoid solving the wrong problem.
Incremental development
The iterative and incremental development approach was developed in response to the weaknesses of the waterfall methodology. It starts with an initial planning and ends with deployment, with the cyclic interactions in between.
Incremental: Additional functionality is implemented in each increment/release
Iterative: Repeat the cycle of design, build and test until the desired functionality is complete
The spiral methodology
The spiral model is an IID (iterative and incremental development) model developed in 1988 by Barry Boehm.
As originally envisioned, the iterations were typically 6 months to 2 years long.
Combines prototyping and the waterfall model. The spiral model is intended for large, expensive, and complicated projects.
The aim of this methodology was to shift the emphasis to risk evaluation and resolution.
The Spiral Methodology (diagram)
RUP (Rational Unified Process)
The Rational Unified Process provides guidelines, templates and tools necessary for the entire team to take full advantage of, among others, the following best practices:
- Develop software iteratively and incrementally
- Manage requirements using use cases
- Use component based architectures
- Visually model software using UML
- Verify software quality
- Control changes to software
The horizontal axis represents time and shows the dynamic aspect of the process; it is expressed in terms of cycles, phases, iterations, and milestones.
The vertical axis represents the static aspect of the process: how it is described in terms of activities, artefacts, workers and workflows.
Other practices
Object-oriented development methodologies, such as Grady Booch's object-oriented design (OOD), also known as object-oriented analysis and design (OOAD). The Booch model includes six diagrams: class, object, state transition, interaction, module, and process.[7]
Top-down programming: evolved in the 1970s by IBM researcher Harlan Mills (and Niklaus Wirth), who developed structured programming.
UML Language of Symbols
UML = Unified Modeling Language. Online information: http://www.uml.org
Software Class (three common compartments: 1. Classifier name, 2. Attributes, 3. Operations):
ClassName
# attribute_1 : int
# attribute_2 : boolean
# attribute_3 : String
+ operation_1() : void
+ operation_2() : String
+ operation_3(arg1 : int)
Software Interface Implementation: <<interface>> BaseInterface (+ operation()), Class1Implement (+ operation()), Class2Implement (+ operation())
Inheritance relationship: BaseInterface is implemented by two classes
Stereotype (e.g. <<interface>>): provides additional info/annotation/explanation
Other symbols: Actor, Comment
Interaction Diagram: objects instance1 : Class1, instance5 : Class2, instance8 : Class3 exchanging the messages doSomething(), doSomethingElse(), doSomethingYetElse()
Understanding the Problem Domain
System to be developed
Actors: Agents external to the system
Concepts/Objects: Agents working inside the system
Use Cases: Scenarios for using the system
How ATM Machine Works (3) / Domain Model (3) (diagram)
Concepts: Remote bank, Window clerk, Bookkeeper, Dispenser, Transaction record, Speaker phone ("How may I help you?"), Customer, Courier
Alternative solution, solution modifications: Which solution is the best or even feasible?
Actual Design
Garage door opener (diagram): Rail with a belt or chain; Operator (includes motor and radio control mechanism); Garage door; Safety reversing sensor; Remote control transmitter
Pressing of a button on the remote control transmitter (1) authenticates the device & activates the motor in the operator (2).
The motor pulls the chain (or belt) along the rail (3) and winds the torsion spring (4).
The torsion spring winds the cable on the pulleys (or drums) (5) on both sides of the door.
The cables lift the door, pushing the different sections of the door into the horizontal tracks (6). At the same time, the trolley (or traveler) (7) moves along the rail (3) and controls how far the door opens (or closes), as well as the force the garage door exerts by way of the curved door arm (8).
C. Agile Approaches
Key principles:
- Customer satisfaction by rapid, continuous delivery of useful software
- Working software is delivered frequently (weeks rather than months)
- Working software is the principal measure of progress.
- Even late changes in requirements are welcomed.
- Close, daily cooperation between business people and developers
- Face to face conversation is the best form of communication.
- Projects are built around motivated individuals, who should be trusted
- Continuous attention to technical excellence and good design.
- Self organizing teams
- Regular adaptation to changing circumstances
How do I know if Agile is appropriate for my project?
Consider using agile development in the following situations:
- Environments experiencing rapid change
- Unclear/emerging requirements
- High priority / revenue-producing projects
- When time to market is critical
Agile was designed for on-time delivery, and if required releasing early increments of functionality
Project Remediation/Rescue
By focusing on immediate delivery of functionality, constant delivery of working, bug-free software could quickly build the trust between the business and the delivery team.
1.3. Project Characteristic Analysis
- Size of the project team
- Rate of expected change
- Primary project goal
- Requirement Management
- Project Communication
- Customer Relationship
- Customer Organizational Culture
How to choose?
A decision tree analysis is used to compare various methodologies.
The ranking of the seven characteristics would have to be done by the project manager and architect with the assistance of the project leaders.
The methodology used can also depend on the customer request.
Exponential Cost of Estimation (diagram: estimation cost vs. estimation accuracy, up to 100%)
Improving accuracy of estimation beyond a certain point requires huge cost and effort (known as the law of diminishing returns)
In the beginning of the curve, a modest effort investment yields huge gains in accuracy
Estimation Error Over Time (diagram: estimation error vs. time, from start to completion, across Requirements, Design, Implementation)
The cone of uncertainty starts high and narrows down to zero as the project approaches completion.
Case Study: Home Access Control
Objective: Design an electronic system for:
- Home access control
- Locks and lighting operation
- Intrusion detection and warning
(Diagram: System with Lock, Photosensor, Switch, Light bulb, Alarm bell)
Case Study More Details
(Diagram: Central Computer; Backyard doors: External & Internal lock; Front doors: External & Internal lock; Lock, Photosensor, Switch, Light bulb, Alarm bell)
Know Your Problem
Mortise Lock Parts (diagram): 1 Lock case, 2 Latch bolt, 3 Dead bolt, 4 Strike plate, 5 Strike box, 6 Protective plate, 7 Thumb-turn, 8 Lock cylinder, 9 Left hand lever
Concept Map for Home Access Control (diagram)
Concepts: tenant, key, valid key, invalid key, lock opened, burglar, dictionary attack, upper bound on failed attempts
Relations shown: wishes, enters, can be, causes, may signal, launches; burglar launches dictionary attack; dictionary attack can be prevented by enforcing upper bound on failed attempts
States and Transition Rules
States: locked, unlocked
IF validKey THEN unlock
IF pushLockButton THEN lock
IF timeAfterUnlock ≥ max{ autoLockInterval, holdOpenInterval } THEN lock
IF validKey AND holdOpenInterval THEN unlock
What seemed a simple problem is now becoming complex.
1.2.2 Project Management
Project management is the art of matching a project's goals, tasks, and resources to accomplish a goal. To accomplish a goal one needs limited time, money, and resources (human and machinery). One can think of a project as a process that involves inputs and outputs.
Project System (diagram)
MANAGING A PROJECT
Stage 1: Defining the goals of the project
This part of the project should end with a document that lists the goals with a short statement providing some detail about the success rate and a vital few requirements that define the goal(s) to be accomplished.
Stage 2: Define project tasks/activities
This is best done by listing the goals on the left side of a sheet of paper, then writing the tasks to their right. The group should agree that the specified task will accomplish the goals as per the definitions for success the team laid out in the previous stage.
Stage 3: Determine and verify resource requirements
- People
- Time
- Money
- Space
- Computers
- Software, etc.
Stage 4: Identify risks and develop mitigation (backup) plans
A member of the group should be responsible for monitoring this risk throughout the project.
Stage 5: Develop a schedule
PERT charts and Gantt charts are examples of useful tools used in scheduling activities.
Stage 6: Execute the schedule
Each group member should document their activities.
Documentation is the responsibility of the team members and will often be a saving grace for them.
At the meetings the team should review the schedule and the status (complete or not complete) of the project goals. Once the goals are accomplished, the project is complete.
Stage 7: Finish the project and assess performance
After the goals have been achieved, it is good practice to evaluate the performance of the project team. This is where a good deal of learning and experience is gained. It will help prevent similar problems in future projects.
Project Requirements
- Requirements Engineering Components
- Requirements and User Stories
- Types of Requirements
- Effort Estimation (Agile Methods)
Requirements Process (diagram): Requirements gathering -> Requirements analysis -> Requirements specification. Approaches: Agile Development User Stories; Aspect-Oriented Requirements; Object-Oriented Analysis & Design; Structured Analysis & Design
Requirements Engineering Components
Requirements gathering (a.k.a. requirements elicitation): helps the customer to define what is required: what is to be accomplished, how the system will fit into the needs of the business, and how the system will be used on a day-to-day basis
Requirements analysis: refining and modifying the gathered requirements
Requirements specification: documenting the system requirements in a semiformal or formal manner to ensure clarity, consistency, and completeness
Example System Requirements (Identifier, Priority, Requirement)
REQ1 (priority 5): The system shall keep the door locked at all times, unless commanded otherwise by an authorized user. When the lock is disarmed, a countdown shall be initiated at the end of which the lock shall be automatically armed (if still disarmed).
REQ2 (priority 2): The system shall lock the door when commanded by pressing a dedicated button.
REQ3 (priority 5): The system shall, given a valid key code, unlock the door and activate other devices.
REQ4 (priority 4): The system should allow mistakes while entering the key code. However, to resist dictionary attacks, the number of allowed failed attempts shall be small, say three, after which the system will block and the alarm bell shall be sounded.
REQ5 (priority 2): The system shall maintain a history log of all attempted accesses for later review.
REQ6 (priority 2): The system should allow adding new authorized persons at runtime or removing existing ones.
REQ7 (priority 2): The system shall allow configuring the preferences for device activation when the user provides a valid key code, as well as when a burglary attempt is detected.
REQ8 (priority 1): The system should allow searching the history log by specifying one or more of these parameters: the time frame, the actor role, the door location, or the event type (unlock, lock, power failure, etc.). This function shall be available over the Web by pointing a browser to a specified URL.
REQ9 (priority 1): The system should allow filing inquiries about suspicious accesses. This function shall be available over the Web.
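As an added example (not code from the lecture notes or from the Marsic textbook), the lock's transition rules from the "States and Transition Rules" slide and REQ1, REQ2, REQ4 and REQ5 from the table above as one small controller, including the REQ4 lockout that bounds dictionary attacks. The class and method names, the third "blocked" state, storing SHA-256 digests of key codes, and all time values are assumptions.

```python
import hashlib
import hmac
from enum import Enum

MAX_FAILED_ATTEMPTS = 3  # REQ4: "say three" failed attempts before blocking


class State(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"
    BLOCKED = "blocked"  # assumed third state for the REQ4 lockout


class LockController:
    """Implements the page's transition rules plus the REQ4 failed-attempt bound.

    Times are plain numbers (seconds) passed in by the caller, so the rules
    can be exercised deterministically without a real clock.
    """

    def __init__(self, valid_key_digests, auto_lock_interval, hold_open_interval):
        self._digests = list(valid_key_digests)  # only digests of key codes are stored
        self.auto_lock_interval = auto_lock_interval
        self.hold_open_interval = hold_open_interval
        self.state = State.LOCKED  # REQ1: locked unless commanded otherwise
        self.failed_attempts = 0
        self.unlocked_at = None
        self.alarm = False
        self.log = []  # REQ5: history log of all attempted accesses

    @staticmethod
    def digest(key_code):
        """Digest of a key code (assumption: SHA-256 of the code string)."""
        return hashlib.sha256(key_code.encode()).hexdigest()

    def _is_valid(self, key_code):
        # Compare against every stored digest in constant time, so timing does
        # not reveal which digest (if any) matched.
        d = self.digest(key_code)
        return any(hmac.compare_digest(d, stored) for stored in self._digests)

    def enter_key(self, key_code, now):
        """Rule: IF validKey THEN unlock; REQ4 bounds the failed attempts."""
        if self.state is State.BLOCKED:
            self.log.append((now, "rejected", "system blocked"))
            return False
        if self._is_valid(key_code):
            self.failed_attempts = 0
            # IF validKey AND holdOpenInterval THEN unlock: a valid key while
            # already unlocked restarts the unlocked period.
            self.state = State.UNLOCKED
            self.unlocked_at = now
            self.log.append((now, "unlock", "valid key"))
            return True
        self.failed_attempts += 1
        self.log.append((now, "failed", f"attempt {self.failed_attempts}"))
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.state = State.BLOCKED
            self.alarm = True  # REQ4: the alarm bell shall be sounded
            self.log.append((now, "blocked", "too many failed attempts"))
        return False

    def push_lock_button(self, now):
        """Rule: IF pushLockButton THEN lock (REQ2)."""
        if self.state is State.UNLOCKED:
            self._lock(now, "button")
        return self.state

    def tick(self, now):
        """Rule: IF timeAfterUnlock >= max{autoLockInterval, holdOpenInterval} THEN lock (REQ1)."""
        if self.state is State.UNLOCKED:
            time_after_unlock = now - self.unlocked_at
            if time_after_unlock >= max(self.auto_lock_interval, self.hold_open_interval):
                self._lock(now, "auto-lock")
        return self.state

    def _lock(self, now, reason):
        self.state = State.LOCKED
        self.unlocked_at = None
        self.log.append((now, "lock", reason))


def demo():
    """Walk the controller through the scenarios on the page; returns the controller."""
    ctl = LockController([LockController.digest("1234")],  # constructed key code
                         auto_lock_interval=30, hold_open_interval=60)
    ctl.enter_key("0000", now=0)      # one mistake is allowed
    ctl.enter_key("1234", now=1)      # valid key: unlock, counter reset
    ctl.tick(now=59)                  # still within max(30, 60) seconds
    ctl.tick(now=61)                  # auto-lock
    for t in (100, 101, 102):
        ctl.enter_key("9999", now=t)  # three failures: block and sound alarm
    ctl.enter_key("1234", now=110)    # even a valid key is rejected while blocked
    return ctl


if __name__ == "__main__":
    for entry in demo().log:
        print(entry)
```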
User Stories
As a tenant, I can unlock the doors to enter my apartment.
(user-role/benefactor: "As a tenant"; capability: "I can unlock the doors"; business-value: "to enter my apartment")
Similar to system requirements, but focus on the user benefits instead of on system features.
Preferred tool in agile methods.
Example User Stories (Identifier, User Story, Size)
ST-1: As an authorized person (tenant or landlord), I can keep the doors locked at all times. 4 points
ST-2: As an authorized person (tenant or landlord), I can lock the doors on demand. 3 pts
ST-3: The lock should be automatically locked after a defined period of time. 6 pts
ST-4: As an authorized person (tenant or landlord), I can unlock the doors. (Test: Allow a small number of mistakes, say three.) 9 points
ST-5: As a landlord, I can at runtime manage authorized persons. 10 pts
ST-6: As an authorized person (tenant or landlord), I can view past accesses. 6 pts
ST-7: As a tenant, I can configure the preferences for activation of various devices. 6 pts
ST-8: As a tenant, I can file a complaint about suspicious accesses. 6 pts
Types of Requirements
- Functional Requirements
- Non-functional requirements: FURPS+ (Functionality (security), Usability, Reliability, Performance, Supportability)
- Requirements prioritization
Tools for Requirements Eng.
Tools, such as user stories and use cases, are used for:
- Determining what exactly the user needs (requirements analysis)
- Writing a description of what the system will do (requirements specification)
It is difficult to use the same tool for different tasks.
Project Estimation using User Story Points
Similar to hedge pruning points in the first lecture
Points assigned to individual user stories
Total work size estimate: Total size = Σ points-for-story_i (i = 1..N)
Velocity (= productivity) estimated from experience
Estimate the work duration: Project duration = Path size / Travel velocity
Agile Project Effort Estimation (diagram)
Work backlog (work items, list prioritized by the customer):
1) ST-4: Unlock 15 days (9 pts)
2) ST-2: Lock 5 days (3 pts)
3) ST-5: Manage Users 16 days (10 pts)
4) ST-7: Preferences 10 days (6 pts)
5) ST-6: View History 10 days (6 pts)
6) ST-
Items pulled by the team into an iteration; 1st iteration, 2nd iteration, ..., n-th iteration; estimated work duration (21 days, 5 days); estimated completion date
How To Combine the Part Sizes? (diagram: roads between City A, City B and City C; alternatives (a), (b), (c))
Costs are not always additive. But solution (c) is not necessarily cheaper than (b).
Additional Costs: Highway traffic-circle interchange, Traffic signs
Hedge pruning sections (diagram): velocity 2 points per day
Section 1 = 4 pts (2 days); Section 2 = 7 pts (3.5 days); Section 3 = 10 pts (5 days); Section 4 = 3 pts (1.5 days); Section 5 = 4 pts (2 days); Section 6 = 2 pts (1 day); Section 7 = 4 pts (2 days); Section 8 = 7 pts (3.5 days)
Work backlog:
1) Prune Section 6: 1 day (2 pts)
2) Prune Section 5: 2 days (4 pts)
3) Prune Section 7: 2 days (4 pts)
4) Prune Section 4: 1.5 days (3 pts)
5) Prune Section 8: 3.5 days (7 pts)
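An added example (not code from the lecture notes or from the Marsic textbook) that applies the "total size = sum of story points" and "duration = size / velocity" formulas from the Project Estimation slide to the ST-* work backlog above, and goes one step further by packing the prioritized backlog into fixed-length iterations to get an estimated completion date. The backlog ordering is the page's; the velocity (0.6 points per day, which reproduces the page's 9 pts -> 15 days), the 21-day iteration length and the start date are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class WorkItem:
    ident: str
    name: str
    points: float


# Constructed backlog, in the customer's priority order, using the story
# identifiers and sizes from the page's work backlog.
BACKLOG = [
    WorkItem("ST-4", "Unlock", 9),
    WorkItem("ST-2", "Lock", 3),
    WorkItem("ST-5", "Manage Users", 10),
    WorkItem("ST-7", "Preferences", 6),
    WorkItem("ST-6", "View History", 6),
]


def total_size(backlog):
    """Total size = sum of points-for-story_i over i = 1..N."""
    return sum(item.points for item in backlog)


def duration_days(points, velocity):
    """Project duration = path size / travel velocity (velocity in points per day)."""
    if velocity <= 0:
        raise ValueError("velocity must be positive")
    return points / velocity


def plan_iterations(backlog, velocity, iteration_days):
    """Pull items in priority order into fixed-length iterations.

    Each iteration holds at most velocity * iteration_days points. An item that
    does not fit the remaining capacity starts the next iteration; items are
    never split, so an item larger than one whole iteration is rejected.
    Returns a list of iterations, each a list of WorkItem.
    """
    capacity = velocity * iteration_days
    iterations, current, used = [], [], 0.0
    for item in backlog:
        if item.points > capacity:
            raise ValueError(f"{item.ident} ({item.points:g} pts) exceeds "
                             f"iteration capacity of {capacity:g} pts")
        if used + item.points > capacity:
            iterations.append(current)
            current, used = [], 0.0
        current.append(item)
        used += item.points
    if current:
        iterations.append(current)
    return iterations


def estimated_completion(backlog, velocity, iteration_days, start):
    """Estimated completion date: start plus the number of iterations needed."""
    n_iterations = len(plan_iterations(backlog, velocity, iteration_days))
    return start + timedelta(days=n_iterations * iteration_days)


if __name__ == "__main__":
    velocity = 0.6  # assumed points per day (9 pts -> 15 days, as on the page)
    print("total size:", total_size(BACKLOG), "points")
    print("duration:", round(duration_days(total_size(BACKLOG), velocity), 1), "days")
    for n, it in enumerate(plan_iterations(BACKLOG, velocity, 21), start=1):
        print(f"iteration {n}:", ", ".join(f"{i.ident} ({i.points:g} pts)" for i in it))
    print("completion:", estimated_completion(BACKLOG, velocity, 21, date(2019, 7, 29)))
```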
Chapter 2: E-HRM Introduction
2.1. General Introduction
2.1.1. Introduction and notations
Definition: E-HRM is a way of implementing HR strategies, policies, and practices in organizations through a conscious and direct support of and/or with full use of web-technology based channels.
e-HRM is the (planning, implementation and) application of information technology for both networking and supporting at least two individual or collective actors in their shared
First, technology is necessary to connect usually spatially segregated actors and enable interactions between them irrespective of their working in the same room or on different continents, i.e. technology serves as a medium with the aim of connection and integration.
Second, technology supports actors by partially and sometimes even completely substituting for them in executing HR activities.
HRM Functions (diagram)
E-HRM is not the same as HRIS (Human resource information system), which refers to ICT systems used within HR departments.
E-HRM is in essence the devolution of HR functions to management and employees. They access these functions typically via intranet or other web-technology channels.
OBJECTIVES:
- To offer an adequate, comprehensive and on-going information system about people and jobs at a reasonable cost;
- To provide support for future planning and also for policy formulations;
- To facilitate monitoring of human resources demand and supply imbalance;
- To automate employee related information;
- To enable faster response to employee related services and faster HR related decisions; and
- To offer data security and personal privacy.
Model of an Organizational System Centered on HRIS (diagram)
BENEFITS OF E-HRM:
- Standardization
- Ease of recruitment, selection and assessment
- Ease of administering employee records
- Reductions to cost, time and labour
- Access to ESS training enrollment and self-development
- Cost and ESS
- Location and timeliness
E-HRM goals: The main goals of e-HRM are as follows:
- Improving the strategic orientation of HRM
- Cost reduction/efficiency gains
- Client service improvements / facilitating management and employees.
TYPES OF E-HRM
Operational HRM: e-HRM is concerned with administrative functions like payroll, employee personal data, etc.
Relational HRM: e-HRM is concerned with supporting business processes by means of training, recruitment, performance management, and so forth.
Transformational HRM: e-HRM is concerned with strategic HR activities such as knowledge management, strategic re-orientation, etc.
2.1.2. E-HRM functions
E-Employee Profile: The E-Employee Profile web application provides a central point of access to the employee contact information and provides a comprehensive employee database solution, simplifying HR management and team building by providing employee skills, an organization chart and even pictures. E-Employee profile maintenance lies with the individual employee, the manager and the database manager.
E-Employee profile consists of the following:
Certification, Honor/Award, Membership, Education, Past Work Experience, Assignment Skills, Competency, Employee Assignment Rules, Employee Availability, Employee Exception Hours, Employee Utilization, Employee tools, Job information, Sensitive job Information, Service Details, Calendar, Calendar Administration, Employee Locator.
E-Recruitment: Organizations first started using computers as a recruiting tool by advertising jobs on a bulletin board service from which prospective applicants would contact employers. Then some companies began to take e-applications. Today the internet has become a primary means for employers to search for job candidates and for applicants to look for jobs. As many as 100,000 recruiting web sites are available to employers and job candidates, on which to post jobs and review resumes of various types. But the explosive growth of internet recruiting also means that HR professionals can be overwhelmed by the breadth and scope of internet recruiting.
E-Recruiting Methods: Job boards, Professional/Career websites, Employer Websites.
E-Selection: Most employers seem to be embracing Internet recruitment with enthusiasm, but the penetration of on-line assessment tools such as personality assessments or ability tests has so far been limited. A survey has shown that although more than half of the respondent organizations already use either psychometric or other assessment during the recruitment process, only a few of these companies use on-line assessments prior to interview. Fewer still include a core fit questionnaire in the recruitment pages of their
E-Learning: E-Learning refers to any programme of learning, training or education where electronic devices, applications and processes are used for knowledge creation, management and transfer. E-Learning is a term covering a wide set of applications and processes, such as web-based learning, computer-based learning, virtual class room, and digital collaboration. It includes the delivery of content via Internet, intranet/extranet (LAN/WAN), audio- and videotape, satellite broadcast, interactive
Classical and Virtual Learning: The classical learning model suffers especially from a non-reversible flow of information. At the beginning is the pedagogue, who governs the course. For students, the pedagogue offers information, knowledge, and educational materials, mostly in the form of lecture notes for lessons. For the most part the feedback is weak, inconsistent, or even missing. A virtual education environment, through its communication links, collects the feedback of participants, simplifies teaching and simplifies teamwork of students with the pedagogue. The virtual learning system enables horizontal and vertical communication. For required information, a participant can often get much more information than in the classical model of education, because here the other participants also share, which does not really happen in the classical model.
Characteristics of E-Learning:
- E-Learning outcomes extend beyond learning to strategic outcomes.
- E-Learning is much more than e-training for skill outcomes.
- E-Learning involves information and communication technology.
- E-Learning is about people learning in a given context.
E-Training: Most companies start to think of online learning primarily as a more efficient way to distribute training inside the organization, making it available any time, anywhere, reducing direct costs (instructors, printed materials, training facilities), and indirect costs (travel time, lodging and travel expenses, workforce downtimes). Attracted by these significant and measurable advantages, companies start to look for ways to make the most of their existing core training available online, and to manage and measure the
Characteristics of E-Training:
- Rich learning interface.
- Personalized training programs.
- Training from work place/home.
- Virtual class room.
E-Performance Management system: A web-based appraisal system can be defined as the system which uses the web (intranet and internet) to effectively evaluate the skills, knowledge and the performance of the employees.
E-Compensation: All companies, whether small or large, must engage in compensation planning. Compensation planning is the process of ensuring that managers allocate salary increases equitably across the organization while staying within budget guidelines. As organizations have started expanding their boundaries, usage of intranet and internet has become vital. The usage of intranet and internet for compensation planning is called E-Compensation Management.
2.1.3. Implementation of E-HRM:
Here are five main phases in the implementation of the E-HRM business solution.
Analysis (Infrastructure): Analyzing the existing infrastructure with regard to quantity of data and classification of business activities.
Business processes in the company: After the existing processes have been analyzed, the options for automating these processes in the client's environment are proposed. Finally a project plan is developed based on the model of the processes identified.
Implementation: After the fundamental analysis of the processes in the work team, individual modules are deployed in the client's environment. With modular design a gradual implementation is possible. Company-specific functionalities are discussed with the client and built upon request.
Implementation and Training: A complete knowledge of the components of the solution is a key factor for successful implementation. The entire team of project managers, information technology professionals and human resources specialists are thus involved in user training and
Maintenance: Fast technological development and development of new modules make cooperation after the implementation indispensable. A maintenance contract typically includes:
- Technical support experts available by phone, through e-mail or on-site
- Adaptation of existing modules or development of new ones
- Application software adjustment to changes in the system environment or operating system
- Functionality improvement and software upgrades in the form of new versions
- Consultation about further development of the system.
Advantages of E-HRM
Collection and storage of information regarding the work force, which will act as the basis for strategic decision-making
Integral support for the management of human resources and all other basic and support processes within the company.
Prompt insight into reporting and analysis
A more dynamic workflow in the business process, productivity and employee satisfaction
A decisive step towards a paperless office
Makes the work get done faster
Disadvantages of E-HRM
Employees' and line managers' mindsets need to be changed: they have to realize and accept the usefulness of web-based HR tools.
They generally feel that they lack the time and space needed to work quietly and thoughtfully with web-based HR tools and so, if there is no need, they will not do it.
Guaranteeing the security and confidentiality of input data is an important issue for employees in order that they should feel safe when using web-based HR tools.
Software useful for e-HRM
ERP (Enterprise Resource Planning)
Bio-red
SAP (System Approach & Product)
HR payroll system
2.2. E-HRM Tools
2.2.1. Payroll
The payroll module automates the pay process by gathering data on employee time and attendance, calculating various deductions and taxes, and generating periodic pay cheques and employee tax reports. Data is generally fed from the human resources and time keeping modules to calculate automatic deposit and manual cheque writing capabilities. This module can encompass all employee-related transactions as well as integrate with existing financial management systems.
Benefits
Payroll system to effectively manage the bank payment system.
The bank has the Allowance Management System to manage allowances properly.
Fully automated interactive payroll system for overtime, claims and other benefits.
State-of-the-art payroll/remuneration system.
An automated Loan Application System for staff to apply for loans online.
Web-based employee record keeping.
Employee record keeping system (having all personal files in a digital form).
Computer-based employee record keeping system.
Managing employees' data by using an automated record keeping HR system
Features of HR/Payroll system
Integrated with other modules, the monthly or daily payroll process is just as easy as a single click of a button. The whole salaries and wages calculation will be computed automatically. However, the following are some of the highlights, supplied by you, that will be included for completing the modules.
HR/Payroll System
Employee Information
Attendance Record
Leave Record
Emolument & PF Details
Generate Pay Slips
Annual Returns (TDS Forms)
Form 16
Employee Training Identifier: Training & Induction Programs
Example of Payroll
Salary Processing will create pay slips for the currently open salary period. Only one salary period can be open at
Payroll Functions
Integrated Payroll Software
One click Salary Processing
User defined Salary Heads
User defined Salary Structure
User defined Formulae
Import of Salary Details
Bonus (India)
PF (India)
ESI (India)
Gratuity (India)
Professional Tax (India)
TDS, Income Tax (India)
Customizable Pay Slips
Payslips with YTD
Calculation History for each pay slip
Statutory Reports: PF, ESI and more (India)
Printable Challan Reports (India)
Salary data export to Excel
Bulk email of pay slips to all employees in one click
Modification History for payroll data (Who changed what and when?)
2.1.2. Time & Attendance
The Time & Attendance module automates time tracking related processes and enhances the organization's performance by eliminating paperwork and manual processes associated with time and attendance needs. The sophisticated module helps to efficiently organize labor data, improve workforce management and minimize errors in enforcement of the company's attendance policies.
Functions
Complete Attendance Software
Graphical Attendance Views (Day, Work Week, Week, Month, Year views)
Automated Overtime Calculation
Automated Late-In/Early-Out Calculation
Grace Periods for Work Start/End Times
Attendance Data Re-processing
User defined Attendance Types
Real-time and Editable Attendance
Overtime Management
User-defined Leave Types
Entitlements
Late-In, Early-Out Reports
Overtime Reports
Sickness Reports
Actual & Planned Work time Reports
Daily/Monthly/Yearly Attendance Reports
Settings for Customization
Modification History for attendance data (Who changed what and when?)
http://lenvica.in/hr-software/
Overtime paid
http://ehr.com.vn/Upload/file/chamcong.png
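One way to implement the late-in/early-out and overtime calculations with grace periods listed among the attendance functions above, as an added example that is not the vendor's code or the slides' own. The work-day policy (09:00 to 18:00, 10-minute grace), the punch records and the employee ids are constructed; the rule that lateness inside the grace period counts as zero while anything beyond it is recorded in full is an assumed policy choice, and overtime is counted only past the scheduled end with no grace.

```python
"""Late-in / early-out / overtime evaluation with grace periods.

Added example, not the vendor's code. The policy values (09:00-18:00 work day,
10-minute grace on both ends) and the punch records are constructed. Assumed
rule: lateness or early departure inside the grace period counts as zero;
once it exceeds the grace period the full number of minutes is recorded.
Overtime is time worked past the scheduled end and gets no grace period.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

WORK_START = "09:00"   # constructed policy
WORK_END = "18:00"
GRACE_MINUTES = 10


@dataclass(frozen=True)
class Punch:
    emp_id: str
    day: str        # YYYY-MM-DD
    clock_in: str   # HH:MM
    clock_out: str  # HH:MM


def _at(day: str, hhmm: str) -> datetime:
    return datetime.strptime(f"{day} {hhmm}", "%Y-%m-%d %H:%M")


def _minutes(delta: timedelta) -> int:
    return int(delta.total_seconds() // 60)


def evaluate_punch(p: Punch, work_start: str = WORK_START, work_end: str = WORK_END,
                   grace_minutes: int = GRACE_MINUTES) -> Dict[str, int]:
    """Return late_in, early_out, overtime and worked minutes for one day's punch."""
    start, end = _at(p.day, work_start), _at(p.day, work_end)
    cin, cout = _at(p.day, p.clock_in), _at(p.day, p.clock_out)
    if cout < cin:
        raise ValueError(f"{p.emp_id} {p.day}: clock-out before clock-in")
    grace = timedelta(minutes=grace_minutes)
    zero = timedelta(0)
    late = max(cin - start, zero)    # minutes after scheduled start
    early = max(end - cout, zero)    # minutes before scheduled end
    return {
        "late_in": _minutes(late) if late > grace else 0,
        "early_out": _minutes(early) if early > grace else 0,
        "overtime": _minutes(max(cout - end, zero)),
        "worked": _minutes(cout - cin),
    }


def reprocess(punches: List[Punch], **policy) -> Dict[str, Dict[str, int]]:
    """Recompute every day from the raw punches under a (possibly changed) policy,
    which is what the 'attendance data re-processing' feature amounts to, and
    total the minutes per employee."""
    totals: Dict[str, Dict[str, int]] = {}
    for p in punches:
        day = evaluate_punch(p, **policy)
        acc = totals.setdefault(p.emp_id, {k: 0 for k in day})
        for k, v in day.items():
            acc[k] += v
    return totals


# Constructed sample punches
SAMPLE_PUNCHES = [
    Punch("E001", "2019-07-01", "09:07", "18:00"),  # inside grace: no lateness
    Punch("E001", "2019-07-02", "09:25", "18:45"),  # 25 min late, 45 min overtime
    Punch("E002", "2019-07-01", "09:00", "17:30"),  # left 30 min early
]

if __name__ == "__main__":
    for p in SAMPLE_PUNCHES:
        print(p.emp_id, p.day, evaluate_punch(p))
    print(reprocess(SAMPLE_PUNCHES, grace_minutes=30))
```

Because the raw punches are kept and every derived figure is recomputed from them, a policy change (a wider grace period, a different scheduled end) never requires editing attendance data by hand, which is also why the modification history in the feature list matters: any edit to a raw punch, rather than to the policy, is the thing worth logging and reviewing.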
2.1.3. Recruiting
Online recruiting has become one of the primary methods employed by HR departments to garner potential candidates for available positions within an organization. Talent Management systems typically encompass:
analyzing personnel usage within an organization
identifying potential applicants
recruiting through company-facing listings
recruiting through online recruiting sites or publications that market to both recruiters and applicants.
The significant cost incurred in maintaining an organized recruitment effort, cross-posting within and across general or industry-specific job boards and maintaining a competitive exposure of availabilities has given rise to the development of a dedicated Applicant Tracking System, or 'ATS', module.
Benefits Administration
The benefits administration module provides a system for organizations to administer and track employee participation in benefits programs. These typically encompass insurance, compensation, profit sharing and retirement.
Training
The training module provides a system for organizations to administer and track employee training and development efforts. The system, normally called a Learning Management System if a stand-alone product, allows HR to track education, qualifications and skills of the employees, as well as outlining what training courses, books, CDs, web-based learning or materials are available to develop which skills. Courses can then be offered in date-specific sessions, with delegates and training resources being mapped and managed within the same system. Sophisticated LMSs allow managers to approve training, budgets and calendars alongside performance management and
Chapter 3: Risks on Web Transaction
3.1. Web Risks Introduction
3.1.1. General Introduction
Managing the business risk of fraud
EZ-R Stats, LLC
PWC Global Survey, Nov 2009: Economic crime in a downturn
Sharp rise in accounting fraud over the past 12 months
Accounting fraud had grown to 38 percent of the economic crimes in 2009
Employees face increased pressures to:
meet performance targets
keep their jobs
keep access to funding
What is a Fraud?
Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
All organizations are subject to fraud risks.
Large frauds have led to the downfall of entire organizations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets.
Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe.
Key Principles to prevent Fraud risks
Principle 1: As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.
Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.
Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.
Fraud Risk Assessment: 3 Levels
Enterprise-wide risk assessment (Today's discussion):
Types of fraud
Risk ownership
Likelihood, given the control environment
Impact
Business Process risk assessment (individual audits)
Fraud Penetration risk assessment (transaction level)
Fraud Triangle
Types of Fraud Schemes
Asset misappropriation (most common):
Embezzlement of funds
Theft of an asset
Misuse of assets
No Business Purpose
Payroll fraud
Overbilling by vendors/suppliers
Types of Fraud Schemes
Financial Misstatement (most costly):
Fictitious transactions
Improper recognition
Improper measurement (estimates, calculations, assumptions)
Improper disclosure or omission
Misapplication of GAAP
Types of Fraud Schemes
Commercial Bribery, extortion or corruption:
Kickbacks
Gifts, gratuities
Diverting Business
Bid rigging
Conflicts of Interest
What is risk?
Risk is a function of the likelihood of a given threat-source exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.
Risk management
Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions.
It encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.
The risk assessment methodology (9 steps)
Step 1: System Characterization
Step 2: Threat Identification
Step 3: Vulnerability Identification
Step 4: Control Analysis
Step 5: Likelihood Determination
Step 6: Impact Analysis
Step 7: Risk Determination
Step 8: Control Recommendations
Step 9: Results Documentation
Level of risk to the IT system
To measure risk, a risk scale and a risk-level matrix must be developed.
The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact.
The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low). Depending on the site's requirements and the granularity of risk assessment desired, some sites may use a 4 x 4 or a 5 x 5 matrix. The latter can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to generate a Very Low/Very High risk level. A Very High risk level may require possible system shutdown or stopping of all IT system integration and testing efforts.
Example
The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, and 0.1 for Low.
The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.
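The 3 x 3 matrix computed from these values, as an added worked example that is not part of the lecture slides: it multiplies the likelihood and impact ratings exactly as described above and also rates a list of observations the way section V of the risk assessment report outline later in this chapter expects (likelihood, impact, score, risk level). The bands that map a score to High, Medium or Low (above 50 High, above 10 Medium, otherwise Low) are an assumption taken from NIST SP 800-30, whose methodology the slides follow but whose scale they do not print; the sample observations are constructed, the first of them reusing the slides' own wording.

```python
"""Risk-level matrix from the slides' example values.

Added example (not from the lecture slides). risk = likelihood rating x impact
rating, using the slides' values: likelihood 1.0/0.5/0.1 and impact 100/50/10.
The thresholds that map a product to a High/Medium/Low level are an
assumption taken from NIST SP 800-30 (High >50 to 100, Medium >10 to 50,
Low 1 to 10); the slides follow that methodology but do not print the scale.
"""
from itertools import product
from typing import Dict, List, Tuple

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # from the slides
IMPACT = {"High": 100, "Medium": 50, "Low": 10}          # from the slides


def risk_score(likelihood: str, impact: str) -> float:
    """Product of the two ratings, rounded so that 0.1 * 100 compares as exactly 10."""
    return round(LIKELIHOOD[likelihood] * IMPACT[impact], 6)


def risk_level(score: float) -> str:
    """Map a score to a level. The bands are the assumed NIST SP 800-30 thresholds."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


def build_matrix() -> Dict[Tuple[str, str], Tuple[float, str]]:
    """Every (likelihood, impact) cell of the 3 x 3 matrix with its score and level."""
    return {
        (lik, imp): (risk_score(lik, imp), risk_level(risk_score(lik, imp)))
        for lik, imp in product(LIKELIHOOD, IMPACT)
    }


def rate_observations(observations: List[Tuple[str, str, str]]) -> List[dict]:
    """Rate vulnerability/threat observations as the report outline (section V) asks:
    each gets a number, a likelihood, an impact, a score and a level, highest first."""
    rated = []
    for number, (description, lik, imp) in enumerate(observations, start=1):
        score = risk_score(lik, imp)
        rated.append({"observation": number, "description": description,
                      "likelihood": lik, "impact": imp,
                      "score": score, "risk_level": risk_level(score)})
    return sorted(rated, key=lambda r: r["score"], reverse=True)


# Constructed sample observations (the first wording is the slides' own example).
SAMPLE_OBSERVATIONS = [
    ("User system passwords can be guessed or cracked", "Medium", "High"),
    ("Payroll master file changes are not logged", "High", "Medium"),
    ("Unused test account left on the HR server", "Low", "Low"),
]

if __name__ == "__main__":
    for (lik, imp), (score, level) in build_matrix().items():
        print(f"likelihood={lik:6} impact={imp:6} -> {score:5.1f} {level}")
    for row in rate_observations(SAMPLE_OBSERVATIONS):
        print(row)
```

Running the block prints all nine cells. Note that a Low likelihood against a High impact scores 10 and therefore rates Low, the same as a High likelihood against a Low impact: with this scale the likelihood ratings fed in decide as much as the impact ratings, so they deserve the same scrutiny in the assessment.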
Description of Risk Level (Scale)
RISK MITIGATION STRATEGY
Guide
When a vulnerability (or flaw, weakness) exists: implement assurance techniques to reduce the likelihood of the vulnerability's being exercised.
When a vulnerability can be exercised: apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.
When the attacker's cost is less than the potential gain: apply protections to decrease an attacker's motivation by increasing the attacker's cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker's gain).
When loss is too great: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.
CONTROL IMPLEMENTATION
Step 1: Prioritize Actions
Step 2: Evaluate Recommended Control Options
Step 3: Conduct Cost-Benefit Analysis
Step 4: Select Control
Step 5: Assign Responsibility
Step 6: Develop a Safeguard Implementation Plan
Step 7: Implement Selected Control(s)
EVALUATION AND ASSESSMENT
The good practice and need for an ongoing risk evaluation and assessment, and the factors that will lead to a successful risk management program.
The risk assessment process is usually repeated at least every 3 years for federal agencies. However, risk management should be conducted and integrated in the SDLC for IT systems.
Be integrated into the SDLC
An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal.
KEY ROLES (Personal responsibilities)
Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision-making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.
Chief Information Officer (CIO). The CIO is responsible for the agency's IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.
System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.
Business and Functional Managers. The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment.
Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.
IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.
Security Awareness Trainers (Security/Subject Matter Professionals). The organization's personnel are the users of the IT systems. Use of the IT systems and data according to an organization's policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization's IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to
SAMPLE RISK ASSESSMENT REPORT OUTLINE
EXECUTIVE SUMMARY
I. Introduction
Purpose
Scope of this risk assessment
Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.
II. Risk Assessment Approach
Briefly describe the approach used to conduct the risk assessment, such as:
The participants (e.g., risk assessment team members)
The technique used to gather information (e.g., the use of tools, questionnaires)
The development and description of the risk scale (e.g., a 3 x 3, 4 x 4, or 5 x 5 risk-level matrix).
III. System Characterization
Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users.
Provide a connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.
IV. Threat Statement
Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.
V. Risk Assessment Results
List the observations (vulnerability/threat pairs). Each observation must include:
Observation number and brief description of the observation (e.g., Observation 1: User system passwords can be guessed or cracked)
A discussion of the threat-source and vulnerability pair
Identification of existing mitigating security controls
Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)
Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)
Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
Recommended controls or alternative options for reducing the risk.
VI. Summary
Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.
Fraud Risk Governance
While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:
Roles and responsibilities.
Commitment.
Fraud awareness.
Affirmation process.
Conflict disclosure.
Fraud risk assessment.
Reporting procedures and whistleblower protection.
Investigation process.
Corrective action.
Quality assurance.
Continuous monitoring.
Fraud Risk Assessment
A structured fraud risk assessment, tailored to the organization's size, complexity, industry, and goals, should be performed and updated periodically.
The assessment may be integrated with an overall organizational risk assessment or performed as a stand-alone exercise, but should, at a minimum, include risk identification, risk likelihood and significance assessment, and risk response.
Individual organizations will have different risk tolerances. Fraud risks can be addressed by establishing practices and controls to mitigate the risk, accepting the risk but monitoring actual exposure, or designing ongoing or specific fraud evaluation procedures to deal with individual fraud risks.
Management and board members should ensure the organization has the appropriate control mix in place, recognizing their oversight duties and responsibilities in terms of the organization's sustainability and their role as fiduciaries to stakeholders, depending on organizational form.
Management is responsible for developing and executing mitigating controls to address fraud risks while ensuring controls are executed efficiently by competent and objective individuals.
Fraud Prevention and Detection
Prevention encompasses policies, procedures, training, and communication that stop fraud from occurring.
Detection focuses on activities and techniques that promptly recognize whether fraud has occurred or is occurring.
One key to prevention is promoting, from the board down throughout the organization, an awareness of the fraud risk management program, including the types of fraud that may occur.
One of the strongest fraud deterrents is the awareness that effective detective controls are in place.
Combined with preventive controls, detective controls enhance the effectiveness of a fraud risk management program by demonstrating that preventive controls are working as intended and by identifying fraud if it does occur. Although detective controls may provide evidence that fraud has occurred or is occurring, they are not intended to prevent fraud.
Every organization is susceptible to fraud, but not all fraud can be prevented, nor is it cost-effective to try. An organization may determine it is more cost-effective to design its controls to detect, rather than prevent, certain fraud schemes. It is important that organizations consider both fraud prevention and fraud detection.
Fraud Risk Governance
Principle 1: As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
To help ensure an organization's fraud risk management program is effective, it is important to understand the roles and responsibilities that personnel at all levels of the organization have with respect to fraud risk management.
Policies, job descriptions, charters, and/or delegations of authority should define roles and responsibilities related to fraud risk management.
Board of Directors: first, the board should ensure that the board itself is governed properly. This encompasses all aspects of board governance, including independent-minded board members who exercise control over board information, agenda, and access to management and outside advisers, and who independently carry out the responsibilities of the nominating/governance, compensation, audit, and other committees.
The board should:
Understand fraud risks.
Maintain oversight of the fraud risk assessment by ensuring that fraud risk has been considered as part of the organization's risk assessment and strategic plans. This responsibility should be addressed under a periodic agenda item at board meetings when general risks to the organization are considered.
Monitor management's reports on fraud risks, policies, and control activities, which include obtaining assurance that the controls are effective. The board also should establish mechanisms to ensure it is receiving accurate and timely information from management, employees, internal and external auditors, and other stakeholders regarding potential fraud.
Oversee the internal controls established by management.
Set the appropriate tone at the top through the CEO job description, hiring, evaluation, and succession-planning processes.
Have the ability to retain and pay outside experts where needed.
Provide external auditors with evidence regarding the board's active involvement and concern about fraud risk management.
Audit Committee (or similar oversight body)
The committee should be composed of independent board members and should have at least one financial expert, preferably with an accounting background.
The committee should meet frequently enough, for long enough periods, and with sufficient preparation to adequately assess and respond to the risk of fraud, especially management fraud, because such fraud typically involves override of the organization's internal controls.
An audit committee of the board that is committed to a proactive approach to fraud risk management maintains an active role in the oversight of the organization's assessment of fraud risks and uses internal auditors, or other designated personnel, to monitor fraud risks.
At each audit committee meeting, the committee:
should meet separately from management with appropriate individuals, such as the chief internal audit executive and senior financial person.
should understand how internal and external audit strategies address fraud risk.
should not only focus on what the auditors are doing to detect fraud, but more importantly on what management is doing to prevent fraud, where possible.
should be aware that the organization's external auditors have a responsibility to plan and perform the audit of the organization's financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.
should also seek the advice of legal counsel whenever dealing with issues of allegations of fraud. Fraud allegations should be taken seriously since there may be a legal obligation to investigate and/or report them.
Management
Implementing adequate internal controls, including documenting fraud risk management policies and procedures and evaluating their effectiveness, aligned with the organization's fraud risk assessment.
Reporting to the board on what actions have been taken to manage fraud risks and regularly reporting on the effectiveness of the fraud risk management program. This includes reporting any remedial steps that are needed, as well as reporting actual frauds.
Staff
Have a basic understanding of fraud and be aware of the red flags.
Understand their roles within the internal control framework. Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur or go undetected.
Read and understand policies and procedures (e.g. the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as
As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.
Report suspicions or incidences of fraud.
Cooperate in investigations.
Internal Auditing
Should provide objective assurance to the board and management that fraud controls are sufficient for identified fraud risks and ensure that the controls are functioning effectively.
Internal auditors may review the comprehensiveness and adequacy of the risks identified by management, especially with regard to management override risks.
Internal auditors should interview and communicate regularly with those conducting the organization's risk assessments, as well as others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately.
3.1.2. Transaction Risks
Managerial Implications
Example
Consumer-perceived risk is reduced with the increase in institutional trust.
Transaction risk
Is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information.
Risk is inherent in efforts to gain strategic advantage and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered.
Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.
Type of Risk
Fraud,
Error,
Negligence
And the inability
Quantity of Transaction Risk Indicators
Low
Exposure to risk from fraud, errors, or processing disruptions is minimal given the volume of transactions, complexity of products and services, and state of systems development. Risk to earnings and capital is insignificant.
Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are minimal.
Moderate
Exposure to risk from fraud, errors, or processing disruptions is modest given the volume of transactions, complexity of products and services, and state of systems development. Deficiencies that have potential impact on earnings or capital can be addressed in the normal course of business.
Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are manageable.
High
Exposure to risk from fraud, errors, or processing disruptions is significant given the volume of transactions, complexity of products and services, and state of systems development. Deficiencies exist which represent significant risk to earnings and capital.
Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are substantial.
Quality of Transaction Risk Indicators
Strong
Management anticipates and responds effectively to risks associated with operational changes, systems development, and emerging technologies.
Management has implemented sound operating processes, information systems, internal control, and audit coverage.
Management identifies weaknesses in transaction processing and takes timely and appropriate action.
Management information provides appropriate monitoring of transaction volumes, errors, reporting of fraud, suspicious activity, security violations, etc. MIS is accurate, timely, complete and reliable.
Management comprehensively provides for continuity and reliability of services, including services furnished by outside providers.
Appropriate processes and controls exist to manage and protect data.
Risks from new products and services, planned strategic initiatives, or acquisitions are well controlled and understood.
Management fully understands technology risks, with available expertise to evaluate technology-related issues.
Weak
Management does not take timely and appropriate actions to respond to operational changes, systems development, or emerging technologies.
Significant weaknesses exist in operating processes, information systems, internal control, or audit coverage related to transaction processing.
Management does not recognize weaknesses in transaction processing or make the necessary corrections.
Management information systems for transaction processing exhibit significant weaknesses or may not exist.
Management has not provided for continuity and reliability of services furnished by outside providers.
Processes and controls to manage and protect data are seriously deficient or nonexistent.
Inadequate planning or due diligence exposes the bank to significant risk from activities such as the introduction of new products and services, strategic initiatives, or acquisitions.
Management does not understand, or has chosen to ignore, key aspects of transaction risk.
3.2. Payroll Risks
3.2.1. Introduction
3.2.2. Categories of payroll risks
Incorrect processing/payment of payroll by mistake or with intention (fraud)
Incorrect input by mistake or with intention (fraud) of payroll information
Incorrect processing of payroll
Payroll payment (bank transmission)
Inaccurate taxation (computation and reporting)
Payroll accounting
Payroll-related documents are not kept as per legal requirements
Sensitive payroll information that is not properly protected may lead to loss of reputation, loss of competitive advantage, loss of revenue, or legal consequences
See detail: Payroll Process-Fraud and error risks and controls to mitigate them.docx
3.2.3. Risk Protections and Management
Control Checklist: Payroll
See Control Checklists_Payroll.xls
Payroll control objectives
The following is a practical guide to payroll control objectives that help ensure risks are properly minimized.
Reliability of Information
Employee record changes are properly authorized and accurately recorded; all require the employee's signature or acknowledgement.
All payroll costs are accurately calculated from authorized sources and recorded on a timely basis.
Recorded payroll balances are substantiated.
Recorded payroll balances are evaluated.
All payroll disbursements are accurately processed and recorded on a timely basis.
Payroll changes, costs, and disbursements are reliably processed and reported.
Performance measures used to control and improve the process are reliable.
Detection of unauthorized adjustments to the payroll activity and withholding accounts after distribution
Detection of duplicate payments
Detection of collusion
Detection of phantom employees
Detection of manipulation of earned benefit time
Payroll Preparation and Security
Is a payroll master file maintained which includes all employees? The file should contain all information concerning current pay rates, withholding deductions, tax codes, etc.
Are procedures established to physically secure and protect master file information? Changes should be restricted to properly authorized additions, deletions and changes which are supported by documentation in the employee's personnel file.
Are only authorized personnel allowed access to the Payroll department and its records?
Is the Payroll department promptly and formally notified of the termination or transfer of any employee or of payroll changes so that payroll records can be adjusted?
Do non-exempt employees submit, on a timely basis, time cards, time sheets or other authorized recording media before payroll processing is performed, either electronically or manually?
Do department managers compare actual payroll costs to budgeted costs for reasonableness?
Are all payroll disbursement accounts reconciled on a monthly basis by someone without any responsibility for the payroll cycle?
10 practical steps to reduce the risk of a major payroll fraud occurring in your business
Step 1: Review your bank reconciliation. Many frauds are discovered when a review of the bank reconciliation is conducted. A bank reconciliation ensures that the cash balance per the financial statements is the same as the cash balance in the company's bank account. In many fraud cases, a review of the bank reconciliation reveals entries such as "Unadjusted balance", "To be reviewed", "Unknown Difference", or "Immaterial Adjustment". These descriptions often reveal that a process in the business is broken or, in the worst case, that a fraud is being perpetrated. Reviewing your bank reconciliation on a regular basis is a basic yet very important control for a business.
Step 2: How do your staff complete their timesheets? Do your staff use a Time & Attendance book? What is the quality of information on these source documents? If staff are forgetting to sign or not including all required information, then it makes it difficult to detect more subtle behaviours that may be fraudulent in nature.
Step 3: Do you have any ghost employees on your payroll? A ghost employee is where a fictitious entry has been created on your payroll for the purpose of defrauding the company of money. Some ghosts can be detected by looking for where two or more employees have the same bank account, or some other characteristic that is the same. For example, this could include the same telephone number, the same first, middle or last name, or common address elements. Other ghosts might only be detected if the individual is physically sighted while at the workplace. If your company payroll is predominantly made up of permanent employees, then the risk of having a ghost employee may be minimal. However, if you employ a large number of temporary and itinerant workers, then we recommend that additional checks be put in place to manage this risk.
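The shared-characteristic check described in Step 3, as an added example that is not part of the original lecture notes: it indexes a constructed payroll master file by bank account, telephone number and address and reports every employee whose value is shared with another record, so the cluster can be reviewed for a possible ghost. The field names and the sample records are assumptions.

```python
from collections import defaultdict

# Constructed sample payroll master file records (not real data).
EMPLOYEES = [
    {"id": "E001", "name": "Ann Lee", "bank": "11-22-33 00011111", "phone": "555-0101", "address": "1 High St"},
    {"id": "E002", "name": "Bob Ray", "bank": "11-22-33 00022222", "phone": "555-0102", "address": "2 Mill Rd"},
    {"id": "E003", "name": "Cal Odo", "bank": "11-22-33 00011111", "phone": "555-0103", "address": "3 Park Ave"},
    {"id": "E004", "name": "Dee Fox", "bank": "11-22-33 00044444", "phone": "555-0102", "address": "2  mill rd"},
    {"id": "E005", "name": "Eve Gum", "bank": "11-22-33 00055555", "phone": "555-0105", "address": "5 Lake Dr"},
]


def normalise(value):
    """Collapse case and whitespace so trivially altered copies still match."""
    return " ".join(value.lower().split())


def shared_attribute_clusters(records, fields=("bank", "phone", "address")):
    """Return {(field, value): [employee ids]} for every value shared by two or more records."""
    index = defaultdict(list)
    for rec in records:
        for field in fields:
            index[(field, normalise(rec[field]))].append(rec["id"])
    return {key: ids for key, ids in index.items() if len(ids) > 1}


def flag_for_review(records, fields=("bank", "phone", "address")):
    """Map each flagged employee id to the sorted list of fields it shares with another record."""
    flagged = defaultdict(set)
    for (field, _), ids in shared_attribute_clusters(records, fields).items():
        for emp_id in ids:
            flagged[emp_id].add(field)
    return {emp_id: sorted(f) for emp_id, f in sorted(flagged.items())}


if __name__ == "__main__":
    for emp_id, fields in flag_for_review(EMPLOYEES).items():
        print(emp_id, "shares", ", ".join(fields), "with another employee")
```

A match is only a prompt for review (shared addresses are common among family members), so the output is a list of records to check against personnel files and physical sighting, not a verdict.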
Step 4: When was the last time you reviewed your end to end payroll process? Have you or someone in your company documented the payroll process, and do you understand who performs which tasks and in what sequence? Not understanding and documenting the process is like trying to build a house without any architectural plans. Preventing payroll fraud (like any other fraud) is all about understanding which checks and balances exist, whether they are operating effectively and whether any key controls are missing from the process. Once the payroll process has been documented into its components, the risks at each stage can be assessed. For example, documenting your process for administering terminated employees may reveal an ability for former employees' payroll details to be changed, resulting in the creation of a ghost employee.
Step 5: Have you divested control of your payroll department and have little or no oversight over the payroll function? Are you relying on your friendship with or trust in your Payroll Manager instead of relying on proper management and review? If this is the case, then you need to go back to basics. Understand the process, identify any segregation of duty conflicts, ensure that the payroll is approved by someone independent from its preparation, institute random checks to source documents and conduct regular data mining reviews.
Step 6: Is your payroll manager a signatory to your company's bank account? Clearly, if this is the case, then there is a risk that the payroll manager can manipulate the payroll to their own advantage with little risk of detection. This is an obvious segregation of duty issue; however, also review the process and identify whether other conflicts exist in the payroll function.
Step 7: What checks are conducted when a payroll is being approved? What is the approver checking the reports against? If the approver is just signing what is put in front of them, then this control is clearly not working effectively. Implement a checklist of key steps that need to be conducted before sign-off occurs. This could include reviewing the number of Ons and Offs since the previous pay run. Scan the hours worked or overtime for anomalies. Select an employee at random and request supporting information. These are just some of the tasks that can be performed which can significantly improve the level of control with any sign-off process.
Step 8: Are you aware of payroll staff sharing passwords and log-in details? If this is the case, it becomes very difficult to detect suspicious behaviour and may result in unauthorised pay amounts or other serious anomalies. Staff should be provided with their own password, and ensure that staff are aware of the company's Information Technology and other key policies.
Step 9: Do you have a mechanism where staff can report suspicious, fraudulent or inappropriate behaviour? In our experience, many frauds are only discovered when the company is tipped off by another employee. This type of email or phone hotline can also be particularly beneficial when a company has many geographically remote sites.
Step 10: Do you make an employee background search a condition of employment for individuals working in sensitive positions, for example payroll and accounts payable? This can be another practical step you can take to improve the internal controls in your company.
Control Activities
The biggest commitment: the responses to a threat or set of threats.
Internal control activities are the policies, procedures, techniques, and mechanisms that help ensure that district management's directives to minimize risks are carried out.
Control activities occur at all levels and functions of the district.
They include approvals, authorizations, verifications, reconciliations, performance reviews, and the production of records and
Threats in Employment Practices
Hiring unqualified or troubled employees:
Thorough background checks, review of employment history (30% dishonest, 30% situationally dishonest, 40% honest)
Verify skills and references, including college degrees earned (data released in March 2004 indicates that 50% of resumes contain false or embellished information)
Check at least three references (1 out of 3 will be gratuitously positive)
Threats in Employment Practices
Violation of employment laws:
Carefully document all actions related to recruiting, hiring, and dismissal of employees.
Provide your payroll and human resource employees with continual training to keep them current with employment laws (state and federal).
Threats in Payroll Processing
Unauthorized changes to the payroll master file:
Proper segregation of duties: HR department approval for updates; the HR department should not directly participate in payroll processing or distribution.
Changes to the master file should be reviewed and approved by someone other than the person recommending the change.
Restrict access to the payroll system and logic code: user IDs and passwords; control the terminals from which payroll data and programs can be accessed.
Threats in Payroll Processing
Inaccurate time data:
Automation can reduce unintentional inaccuracies.
Data entry programs should include edit checks: edit checks for employee numbers and hours worked, and limit checks on hours worked.
Segregation of duties can reduce intentional inaccuracies: people who process payroll should not have access to the payroll master file (to the extent practical), and supervisors should approve all time cards.
Threats in Payroll Processing
Inaccurate processing of payroll:
Run and reconcile batch totals before and after processing (master file totals +/- changes).
Use of a payroll clearing account: an imprest system with a net zero balance in the control account.
On-going training for payroll employees.
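The edit checks, limit checks and batch-total reconciliation from the two slides above, as an added example that is not from the original lecture notes: constructed time records are validated against a constructed master file (known employee number, hours within limit, supervisor approval), gross pay is computed, and control totals (record count, total hours, hash total of employee numbers) are recomputed from the output register and compared with the input batch so that a lost, duplicated or altered record shows up as a reconciliation failure. The 80-hour limit, the field names and the sample values are assumptions.

```python
from dataclasses import dataclass

MAX_HOURS_PER_PERIOD = 80.0  # assumed limit check for one pay period

# Constructed payroll master file (employee number -> hourly rate), not real data.
MASTER_FILE = {"E001": 20.0, "E002": 25.0, "E003": 30.0}


@dataclass
class TimeRecord:
    employee_id: str
    hours: float
    approved_by: str  # supervisor who approved the time card, "" if nobody did


@dataclass
class PayLine:
    employee_id: str
    hours: float
    gross: float


def edit_check(record):
    """Edit checks on one time record; returns the list of problems (empty = passes)."""
    problems = []
    if record.employee_id not in MASTER_FILE:
        problems.append("unknown employee number")
    if not 0 < record.hours <= MAX_HOURS_PER_PERIOD:
        problems.append("hours outside limit")
    if not record.approved_by:
        problems.append("no supervisor approval")
    return problems


def batch_totals(records):
    """Control totals: record count, total hours, and a hash total of employee numbers."""
    return (len(records),
            round(sum(r.hours for r in records), 2),
            sum(int(r.employee_id.lstrip("E")) for r in records))


def process_payroll(records):
    """Reject records failing edit checks, compute gross pay, and reconcile batch totals."""
    rejected = [(r.employee_id, edit_check(r)) for r in records if edit_check(r)]
    accepted = [r for r in records if not edit_check(r)]
    before = batch_totals(accepted)
    register = [PayLine(r.employee_id, r.hours, round(r.hours * MASTER_FILE[r.employee_id], 2))
                for r in accepted]
    after = batch_totals(register)  # recomputed from the output, not copied from the input
    return {"register": register, "rejected": rejected, "reconciled": before == after}


# Constructed batch of time records for one pay period.
BATCH = [TimeRecord("E001", 40.0, "sup1"), TimeRecord("E002", 45.0, "sup1"),
         TimeRecord("E999", 40.0, "sup2"), TimeRecord("E003", 120.0, "sup2"),
         TimeRecord("E003", 38.0, "")]
```

Rejected records carry the reason for rejection so they can be returned to the supervisor rather than silently dropped, and the rejected list is itself a control total the reviewer signs off on.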
Threats in Payroll Processing
Theft or fraudulent distribution of paychecks:
Restrict access to blank payroll checks and the check signing machine.
All checks should be sequentially prenumbered and accounted for periodically.
Someone independent of the payroll process should reconcile the payroll bank account.
Segregate the duties between those who authorize and record payroll and those who distribute checks and transfer funds.
Unclaimed checks should be returned to district administration for prompt investigation.
Monitoring
Any control system must be continually monitored and updated in order to continue to work effectively.
The district should emphasize to managers that they have responsibility for internal control and that they should monitor the effectiveness of control activities as part of their regular duties.
Is the system re-evaluated when a breakdown in controls is uncovered?
The completion of each payroll provides you with a time for evaluation.