
ENTERPRISE INFORMATION SYSTEMS

ENTERPRISE INFORMATION SYSTEMS – A CAPSULE FOR QUICK REVISION


The capsule on Intermediate Paper 7A: Enterprise Information Systems that covers the entire syllabus of the subject
is another step of Board of Studies in its endeavour to provide quality academic inputs to the Intermediate students
of Chartered Accountancy Course. This concise capsule of the subject intends to assist students in their quick
revision of the subject and should not be taken as a substitute for the detailed study of the subject. Students are
advised to refer to the relevant Study Material and Revision Test Paper for comprehensive study and revision.

CHAPTER 1: AUTOMATED BUSINESS PROCESSES


This chapter deals with the basic concepts of Business Process, its automation and implementation; risks and controls
associated with various business processes and provides comprehensive knowledge about the specific Regulatory and
Compliance requirements of The Companies Act and The IT Act.

An Enterprise Information System (EIS) may be defined as any kind of information system which improves the functions of an
enterprise's business processes by integration. This classically means offering high-quality services, dealing with large volumes of data
and being capable of supporting a large and possibly complex organization or enterprise. All parts of an EIS should be usable at all
levels of the enterprise, as relevant. A Business Process is an activity or set of activities that will accomplish a specific organizational goal.

Categories of Business Processes

• Operational Processes: Operational or Primary Processes deal with the core business and value chain. These processes deliver value to the customer by helping to produce a product or service. Operational processes represent essential business activities that accomplish business objectives. Example: Order to Cash (O2C) cycle.
• Supporting Processes: Supporting Processes back core processes and functions within an organization. Examples of supporting or management processes include Accounting, Human Resource (HR) Management and workplace safety. Example: HR Process.
• Management Processes: Management Processes measure, monitor and control activities related to business procedures and systems. Examples of management processes include internal communications, governance, strategic planning, budgeting and infrastructure or capacity management. Example: Budgeting.

BUSINESS PROCESS AUTOMATION (BPA)

Business Process Automation (BPA) is the tactic a business uses to automate processes to operate efficiently and effectively.

BPA Objectives
• Confidentiality: To ensure that data is only available to persons who have the right to see it.
• Integrity: To ensure that no unauthorized amendments can be made to data.
• Availability: To ensure that data is available when asked for.
• Timeliness: To ensure that data is made available at the right time.

Benefits of Automating Business Processes
• Quality & Consistency: Ensures that every action is performed identically, resulting in high-quality, reliable results, and stakeholders consistently experience the same level of service.
• Time Saving: Automation reduces the number of tasks employees would otherwise need to do manually, thus allowing innovation and increasing employees' levels of motivation.
• Visibility: Automated processes are controlled and consistently operate accurately within the defined timeline. This gives the organization visibility of the process status.
• Improved Operational Efficiency: Automation reduces the time it takes to achieve a task, the effort required to undertake it and the cost of completing it successfully. Automation not only ensures systems run smoothly and efficiently, but that errors are eliminated and that best practices are constantly leveraged.
• Governance & Reliability: The consistency of automated processes means stakeholders can rely on business processes to operate and offer reliable processes to customers, maintaining a competitive advantage.
• Reduced Turnaround Times: Eliminate unnecessary tasks and realign process steps to optimize the flow of information throughout production, service, billing and collection. This adjustment of processes distills operational performance and reduces the turnaround times for both staff and external customers.
• Reduced Costs: Manual tasks, given that they are performed one at a time and at a slower rate than an automated task, will cost more. Automation allows us to accomplish more by utilizing fewer resources.

Steps involved in the Implementation of BPA
Step 1: Define why we plan to implement BPA. The answer to this question will provide the justification for implementing BPA.
Step 2: Understand the rules/regulations under which it needs to comply. The underlying issue is that any BPA created needs to comply with applicable laws and regulations.
Step 3: Document the process we wish to automate. The current processes which are planned to be automated need to be correctly and completely documented at this step.
Step 4: Define the objectives/goals to be achieved by implementing BPA. This enables the developer and user to understand the reasons for going for BPA. The goals need to be precise and clear.
Step 5: Engage a business process consultant. Once the entity has been able to define the above, the entity needs to appoint an expert who can implement it for the entity.

06 June 2018 The Chartered Accountant Student



Step 6: Calculate the RoI for the project. The answer to this question can be used for convincing top management to say 'yes' to the BPA exercise.
Step 7: Development of BPA. Once top management grant their approval, the right business solution has to be procured and implemented, or developed and implemented, covering the necessary BPA.
Step 8: Testing the BPA. Before making the process live, the BPA solutions should be fully tested.

ENTERPRISE RISK MANAGEMENT (ERM)

ERM may be defined as a process, effected by an entity's Board of Directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Benefits of Enterprise Risk Management (ERM)
• Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-based level, that an enterprise is willing to accept in pursuit of its goals. Management considers the entity's risk appetite first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and in developing mechanisms to manage the related risks.
• Link growth, risk and return: Entities accept risk as part of value creation and preservation, and they expect a return commensurate with the risk. ERM provides an enhanced ability to identify and assess risks, and to establish acceptable levels of risk relative to growth and return objectives.
• Enhance risk response decisions: ERM provides the rigor to identify and select among alternative risk responses - risk avoidance, reduction, sharing and acceptance. ERM provides methodologies and techniques for making these decisions.
• Minimize operational surprises and losses: Entities have an enhanced capability to identify potential events, assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or losses.
• Identify and manage cross-enterprise risks: Every entity faces a myriad of risks affecting different parts of the enterprise. Management needs not only to manage individual risks, but also to understand interrelated impacts.
• Provide integrated responses to multiple risks: Business processes carry many inherent risks, and ERM enables integrated solutions for managing the risks.
• Seize opportunities: Management considers potential events, rather than just risks, and by considering a full range of events, management gains an understanding of how certain events represent opportunities.
• Rationalize capital: More robust information on an entity's total risk allows management to more effectively assess overall capital needs and improve capital allocation.

ERM Components
a. Internal Environment: Encompasses the tone of an organization, and sets the basis for how risk is viewed and addressed by an entity's people, including risk management philosophy and risk appetite, integrity and ethical values, and the environment in which they operate.
b. Objective Setting: ERM ensures that management has a process in place to set objectives, and that the chosen objectives support and align with the entity's mission/vision and are consistent with the entity's risk appetite.
c. Event Identification: Event identification includes identifying factors, internal and external, that influence how potential events may affect strategy implementation and the achievement of objectives.
d. Risk Assessment: Identified risks are analyzed to form a basis for determining how they should be managed. Risks are associated with the related objectives that may be affected.
e. Risk Response: Management selects an approach or set of actions to align assessed risks with the entity's risk tolerance and risk appetite, in the context of strategy and objectives.
f. Control Activities: Policies and procedures are established and executed to help ensure that the risk responses management selected are effectively carried out.
g. Information and Communication: Relevant information is identified, captured and communicated in a form and time frame that enable people to carry out their responsibilities.
h. Monitoring: Monitoring is accomplished through ongoing management activities, separate evaluations of the ERM processes, or a combination of both.

RISKS AND CONTROLS

Risk is any event that may result in a significant deviation from a planned objective, resulting in an unwanted negative consequence.

Risks of Business Process Automation
• Input & Access: All input transaction data may not be accurate, complete and authorised.
• File & Data Transmission: All files and data transmitted may not be processed accurately and completely, due to network error.

Types of Business Risks
• Strategic: Risk that would prevent an organisation from accomplishing its objectives.
• Financial: Risk that could result in a negative financial impact to the organisation.




Risks of Business Process Automation (continued)
• Output: Output is not complete and accurate due to program errors or bugs, and is distributed to unauthorised personnel due to weak access control.
• Processing: Valid input data may not have been processed accurately and completely due to program errors or bugs.
• Data: Master data and transaction data may be changed by unauthorised personnel due to weak access control.
• Infrastructure: All data and programs could be lost if there is no proper backup in the event of a disaster, and the business could come to a standstill.

Types of Business Risks (continued)
• Reputational: Risk that could expose the organisation to negative publicity.
• Regulatory (Compliance): Risk that could expose the organization to fines and penalties from a regulatory agency due to non-compliance with laws and regulations.
• Operational: Risk that could prevent the organisation from operating in the most effective and efficient manner, or be disruptive to other operations.

Control: Defined as the policies, procedures, practices and organisation structure that are designed to provide reasonable assurance that business objectives are achieved and undesired events are prevented, or detected and corrected.

Internal Controls
• These are a system consisting of specific policies and procedures;
• Designed to provide management with reasonable assurance that the goals and objectives it believes important to the entity will be met.

An Internal Control System
• Facilitates the effectiveness and efficiency of operations.
• Helps ensure the reliability of internal and external financial reporting.
• Assists compliance with applicable laws and regulations.
• Helps safeguard the assets of the entity.

Components of Internal Control
• Control Environment: The set of standards, processes, and structures that provide the basis for carrying out internal control across the organisation.
• Risk Assessment: This forms the basis for determining how risks will be managed. A precondition to risk assessment is the establishment of objectives, linked at different levels of the entity.
• Control Activities: Actions established through policies and procedures that ensure management's directives to mitigate risks to the achievement of objectives are carried out.
• Information and Communication: Communication is the continual, iterative process of providing, sharing and obtaining necessary information.
• Monitoring of Controls: Ongoing evaluations, separate evaluations, or some combination of the two are used to ascertain whether each of the five components of internal control, including controls, are present and functioning.

Controls should be checked at the following three levels
• Configuration: Refers to the methodical process of defining the options that are provided. Defines how the software functions and what menu options are displayed.
• Masters: Refers to the way various parameters are set up for all modules of the software, like Purchase, Sales, Inventory, Finance etc. Set up for the first time during installation, and changed whenever the business process rules or parameters are changed. Examples are Vendor Master, Customer Master, Material Master, Accounts Master, Employee Master etc.
• Transactions: Refers to the actual transactions entered through menus and functions in the application software, through which all transactions for specific modules are initiated, authorized or approved. For example Sales transactions, Purchase transactions, Stock transfer transactions, Journal entries and Payment transactions.

BUSINESS PROCESSES: DIAGRAMMATIC REPRESENTATION
• Flowcharts: Are used in designing and documenting simple processes or programs. Like other types of diagrams, they help visualize what is going on and thereby help understand a process, and perhaps also find flaws, bottlenecks, and other less-obvious features within it.
• Data Flow Diagrams (DFDs): A DFD basically provides an overview of (a) what data a system processes; (b) what transformations are performed; (c) what data are stored; and (d) what results are produced and where they flow.

REGULATORY AND COMPLIANCE REQUIREMENTS

The Companies Act, 2013
• Section 134 of the Companies Act, 2013, on "Financial statement, Board's report", etc.
• Section 143 of the Companies Act, 2013, on "Powers and duties of auditors and auditing standards".

Information Technology Act (IT Act): Advantages of Cyber Laws
• Computer Related Offences: Email A/c Hacking, Credit Card fraud, web defacement etc.
• Privacy
• Cyber Crime: Hacking, Traditional Theft etc.
• Sensitive Personal Data Information (SPDI)

Section 134 of the Companies Act, 2013 on "Financial statement, Board's report, etc." states inter alia: The Directors' Responsibility Statement referred to in clause (c) of sub-section (3) shall state that:
• The Directors had taken proper and sufficient care for the maintenance of adequate accounting records in accordance with the provisions of this Act for safeguarding the assets of the company and for preventing and detecting fraud and other irregularities;
• The Directors, in the case of a listed company, had laid down internal financial controls to be followed by the company and that such internal financial controls are adequate and were operating effectively.




CHAPTER 2: FINANCIAL AND ACCOUNTING SYSTEMS

This chapter provides in-depth knowledge about the concept of Financial and Accounting Systems and Integrated
and Non-integrated Systems, and further acquaints students with the Regulatory and Compliance requirements
for Financial and Accounting systems.

In accounting language, a Voucher is the documentary evidence of a transaction. There may be different documentary evidences for different types of transactions.

Voucher Types
1. Contra: For recording four types of transactions: cash deposit in bank; cash withdrawal from bank; cash transfer from one location to another; and fund transfer from one of our bank accounts to another of our own bank accounts.
2. Payment: For recording all types of payments, whenever money is going out of the business by any mode (cash/bank).
3. Receipt: For recording all types of receipts, whenever money is being received into the business from outside by any mode (cash/bank).
4. Journal: For recording all non-cash/bank transactions, e.g. depreciation, provision, write-off, write-back, discount given/received, purchase/sale of fixed assets on credit, etc.
5. Sales: For recording all types of trading sales by any mode (cash/bank/credit).
6. Purchase: For recording all types of trading purchases by any mode (cash/bank/credit).
7. Credit Note: For making changes/corrections in already recorded sales/purchase transactions.
8. Debit Note: For making changes/corrections in already recorded sales/purchase transactions.
9. Memorandum: For recording a transaction which will be in the system but will not affect the trial balance.
Inventory vouchers:
10. Purchase Order: For recording a purchase order raised on a vendor.
11. Sales Order: For recording a sales order received from a customer.
12. Stock Journal: For recording the physical movement of stock from one location to another.
13. Physical Stock: For making corrections in stock after physical counting.
14. Delivery Note: For recording the physical delivery of goods sold to a customer.
15. Receipt Note: For recording the physical receipt of goods purchased from a vendor.
Payroll vouchers:
16. Attendance: For recording the attendance of employees.
17. Payroll: For salary calculations.

From a business perspective, a Process is a coordinated and standardized flow of activities performed by people or machines, which can traverse functional or departmental boundaries to achieve a business objective and creates value for internal or external customers.

DATA TYPES
• Master Data (relatively permanent): Accounting, Inventory, Payroll and Statutory master data.
• Non-Master Data (expected to change frequently).

Steps involved in the Accounting Flow
Accounting Transactions → Voucher Entry → Posting → Balancing → Trial Balance → Profit & Loss Account and Balance Sheet. Voucher entry is done by humans; posting, balancing, the trial balance and the final statements are produced by the software.

Types of Ledgers
• Debit balance: Asset and Expense ledgers.
• Credit balance: Income and Liability ledgers.
• Expense and Income ledgers flow to the Profit & Loss Account; Asset and Liability ledgers flow to the Balance Sheet.
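The accounting flow above (voucher entry, posting, balancing, trial balance, and routing of balances to the Profit & Loss Account or Balance Sheet), together with the voucher types and ledger classes listed on this page, can be shown end to end in code. The following Python is an added example written for this page, not code from the capsule or from any accounting package: the ledger names, amounts and helper names (`post`, `balance`, `trial_balance`, `statements`) are constructed for illustration. It also shows the integrity check a posting routine must apply, that each voucher's debits equal its credits, and that a Memorandum voucher is kept out of the trial balance as the table describes.

```python
"""Accounting flow from voucher entry to trial balance.

Added example (not from the ICAI capsule). The voucher types, ledger
classes and flow steps are those listed on the page; the sample vouchers,
account names and helper names are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Ledger classes named on the page: Asset/Expense carry debit balances,
# Income/Liability carry credit balances. Asset/Liability go to the
# Balance Sheet, Expense/Income to the Profit & Loss Account.
LEDGER_CLASS = {
    "Cash": "Asset", "Bank": "Asset", "Furniture": "Asset",
    "Sales": "Income", "Purchases": "Expense", "Rent": "Expense",
    "Capital": "Liability", "Creditors": "Liability",
}
STATEMENT = {"Asset": "Balance Sheet", "Liability": "Balance Sheet",
             "Expense": "Profit & Loss", "Income": "Profit & Loss"}

# Memorandum (and order) vouchers are recorded in the system but must
# not affect the trial balance, so posting skips them.
NON_POSTING_TYPES = {"Memorandum", "Purchase Order", "Sales Order"}


@dataclass
class Voucher:
    vtype: str      # one of the voucher types in the table above
    debits: list    # [(ledger, amount), ...]
    credits: list   # [(ledger, amount), ...]


def post(vouchers):
    """Posting: write each voucher's legs into the ledgers as (debit, credit) totals."""
    ledgers = defaultdict(lambda: [0, 0])   # ledger -> [debit total, credit total]
    for v in vouchers:
        if v.vtype in NON_POSTING_TYPES:
            continue
        # Integrity edit: a voucher is accepted only if its own debits
        # equal its credits; otherwise the trial balance can never agree.
        if sum(a for _, a in v.debits) != sum(a for _, a in v.credits):
            raise ValueError(f"unbalanced {v.vtype} voucher")
        for ledger, amt in v.debits:
            ledgers[ledger][0] += amt
        for ledger, amt in v.credits:
            ledgers[ledger][1] += amt
    return ledgers


def balance(ledgers):
    """Balancing: net each ledger down to a single Dr or Cr balance."""
    balances = {}
    for name, (dr, cr) in ledgers.items():
        net = dr - cr
        balances[name] = ("Dr" if net >= 0 else "Cr", abs(net))
    return balances


def trial_balance(balances):
    """Trial Balance: the debit column total must equal the credit column total."""
    dr_total = sum(amt for side, amt in balances.values() if side == "Dr")
    cr_total = sum(amt for side, amt in balances.values() if side == "Cr")
    return dr_total, cr_total, dr_total == cr_total


def statements(balances):
    """Route each ledger balance to the Profit & Loss Account or the Balance Sheet."""
    out = {"Profit & Loss": {}, "Balance Sheet": {}}
    for name, (side, amt) in balances.items():
        cls = LEDGER_CLASS[name]
        out[STATEMENT[cls]][name] = (cls, side, amt)
    return out


# Constructed sample vouchers; the amounts are illustrative, not from the page.
SAMPLE_VOUCHERS = [
    Voucher("Receipt", [("Cash", 100000)], [("Capital", 100000)]),      # owner brings in capital
    Voucher("Contra", [("Bank", 60000)], [("Cash", 60000)]),            # cash deposited in bank
    Voucher("Purchase", [("Purchases", 30000)], [("Creditors", 30000)]),# credit purchase
    Voucher("Sales", [("Cash", 45000)], [("Sales", 45000)]),            # cash sale
    Voucher("Payment", [("Rent", 5000)], [("Bank", 5000)]),             # rent paid through bank
    Voucher("Journal", [("Furniture", 8000)], [("Creditors", 8000)]),   # fixed asset bought on credit
    Voucher("Memorandum", [("Rent", 999)], [("Cash", 999)]),            # in the system, never posted
]


def run(vouchers=SAMPLE_VOUCHERS):
    """Run the whole flow and return balances, trial balance totals and statements."""
    bal = balance(post(vouchers))
    return bal, trial_balance(bal), statements(bal)


if __name__ == "__main__":
    bal, tb, st = run()
    for name, (side, amt) in sorted(bal.items()):
        print(f"{name:10} {side} {amt:>8}")
    print("Trial balance (Dr total, Cr total, agrees):", tb)
```

With the constructed vouchers the debit and credit columns both total 183,000, so the trial balance agrees; the Memorandum voucher's 999 never reaches any ledger. Changing one leg of any voucher makes `post` refuse it, which is the point of the voucher-level edit.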




Installed Applications vs. Web Applications
• Installation & Maintenance: Installed: As the software is installed on the hard disc of the computer used by the user, it needs to be installed on every computer one by one. Maintenance and updating of the software may take a lot of time and effort. Web: As the software is installed on only one computer, maintenance/updating of the software becomes extremely easy.
• Accessibility: Installed: As the software is installed on the hard disc of the user's computer, the user needs to go to that computer; it cannot be used from any other computer. Web: As the software is not installed on the hard disc of the user's computer and is used through a browser and the internet, it can be used from any computer in the world, 24 x 7.
• Mobile App: Installed: Using the software through a mobile application is difficult in this case. Web: Using a mobile application becomes very easy, as data is available 24 x 7.
• Data Storage: Installed: Data is physically stored in the premises of the user, i.e. on the hard disc of the user's server computer. Thus the user has full control over the data. Web: Data is not stored on the user's server computer; it is stored on a web server. Hence the user will not have any control over the data.
• Data Security: Installed: As the data is in the physical control of the user, the user has full physical control over the data and can ensure that it is not accessed without proper access rights. Web: Data security is a big challenge in the case of a web application, as the data is not in the control of the user or owner of the data. Data is stored centrally and maintained on a web server.
• Performance: Installed: A well-written installed application shall always be faster than a web application. Web: As data is picked from the web server using the internet, speed of operation may be slower.
• Flexibility: Installed: Installed applications have more flexibility and controls as compared to web applications. Web: Web applications do not even compare to the flexibility of desktop applications.

ENTERPRISE RESOURCE PLANNING (ERP)

An ERP System is based on a common database and a modular software design. The common database can allow every department of a business to store and retrieve information in real time. The information should be reliable, accessible, and easily shared. An ERP system supports most of the business processes of an enterprise, maintaining in a single database the data needed for a variety of business functions such as Manufacturing, Supply Chain Management, Financials, Projects, Human Resources and Customer Relationship Management.

Advantages of an ERP System
• Ability to customize to an organization's requirements;
• Integrate business operations with the accounting/financial reporting function;
• Increased data security and application controls;
• Build strong access and segregation of duties controls;
• Automate many manual processes, thus eliminating errors;
• Process huge volumes of data within short time frames; and
• Strong reporting capabilities which aid management and other stakeholders in appropriate decision making.

Features of an Ideal ERP System
• Manufacturing: Some of the functions include engineering, capacity, workflow management, quality control, bills of material, manufacturing process, etc.
• Financials: Accounts payable, accounts receivable, fixed assets, general ledger and cash management, etc.
• Human Resources: Benefits, training, payroll, time and attendance, etc.
• Supply Chain Management: Inventory, supply chain planning, supplier scheduling, claim processing, order entry, purchasing, etc.
• Projects: Costing, billing, activity management, time and expense, etc.
• Customer Relationship Management (CRM): CRM software is used to support processes such as sales, marketing, customer service, training, professional development, performance management, HR development and compensation, etc., storing information on current and prospective customers.
• Data Warehouse: A data warehouse is a repository of an organization's electronically stored data. These are designed to facilitate reporting and analysis. The process of transforming data into information and making it available to the user in a timely enough manner to make a difference is known as data warehousing.

Risks and Controls associated with ERP
• Data Access. Risk: Data is stored centrally and all departments access the central data. This creates the possibility of access to non-relevant data. Control: Access rights need to be defined very carefully. Access is to be given on a "need to know" and "need to do" basis only.
• Data Safety. Risk: As there is only one set of data, if this data is lost the whole business may come to a standstill. Control: Backup arrangements need to be very strong. Strict physical control over the data is also needed.
• Speed of Operation. Risk: As data is maintained centrally, the data size gradually grows and may reduce the speed of operation. Control: This can be controlled by removing redundant data, using techniques like data warehousing, and updating hardware on a continuous basis.
• Change in Process. Risk: As the overall system is integrated, a small change in process for one department may require a lot of effort and money. Control: All processes must be documented carefully at the beginning of the implementation itself, to avoid any discomfort in future.
• Staff Turnover. Risk: As the overall system is integrated and connected across departments, it becomes complicated and difficult to understand. Control: This can be controlled and minimized with the help of a proper staff training system, help manuals, backup plans for staff turnover, etc.
• System Failure. Risk: As everybody is connected to a single system and central database, in case of system failure the whole business may come to a standstill or be affected badly. Control: This can be controlled and minimized by having proper and updated backups of data, as well as alternate hardware/internet arrangements.
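The Data Access control above (access on a "need to know" and "need to do" basis) and the segregation-of-duties control listed under Advantages of an ERP System can be demonstrated with a default-deny permission check over the three control levels named in Chapter 1 (configuration, masters, transactions). This Python is an added example for this page, not code from the capsule or from any ERP product; the roles, users, permission tuples and conflict pairs are constructed and would be replaced by the entity's own access matrix.

```python
"""Need-to-know / need-to-do access rights and segregation of duties in an ERP.

Added example (not from the ICAI capsule). The modules and the
configuration / master / transaction levels are the ones named on the
page; roles, users, permissions and conflict pairs are constructed.
"""

# A permission is (module, level, action). The level is one of the three
# levels at which the page says controls must be checked.
ROLE_PERMISSIONS = {
    "purchase_clerk": {("Purchase", "transaction", "create")},
    "purchase_approver": {("Purchase", "transaction", "approve")},
    "vendor_master_owner": {("Purchase", "master", "update")},
    "ap_payer": {("Finance", "transaction", "create")},
    "sysadmin": {("Purchase", "configuration", "update"),
                 ("Finance", "configuration", "update")},
    "auditor": {("Purchase", "transaction", "read"),
                ("Finance", "transaction", "read")},
}

# Permission pairs one person must never hold together: maintaining the
# vendor master and paying vendors, or raising and approving a purchase.
SOD_CONFLICTS = [
    (("Purchase", "master", "update"), ("Finance", "transaction", "create")),
    (("Purchase", "transaction", "create"), ("Purchase", "transaction", "approve")),
]

# Constructed user-to-role assignments; "meera" is a deliberate SoD violation.
USER_ROLES = {
    "anita": {"purchase_clerk"},
    "ravi": {"purchase_approver"},
    "meera": {"vendor_master_owner", "ap_payer"},
    "ops": {"sysadmin"},
}


def effective_permissions(user):
    """Union of the permissions of every role the user holds (empty for unknown users)."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, module, level, action):
    """Default deny: access exists only where a role grants it (need to know / need to do)."""
    return (module, level, action) in effective_permissions(user)


def sod_violations(user):
    """Return the conflicting permission pairs that a single user holds."""
    perms = effective_permissions(user)
    return [pair for pair in SOD_CONFLICTS if pair[0] in perms and pair[1] in perms]


def review_all_users():
    """Periodic access review: who can change masters or configuration, and SoD hits."""
    report = {}
    for user in USER_ROLES:
        perms = effective_permissions(user)
        report[user] = {
            "master_or_config_changes": sorted(
                p for p in perms if p[1] in ("master", "configuration")),
            "sod_violations": sod_violations(user),
        }
    return report


if __name__ == "__main__":
    print(is_allowed("anita", "Purchase", "transaction", "create"))   # clerk may create
    print(is_allowed("anita", "Purchase", "transaction", "approve"))  # but not approve
    for user, r in review_all_users().items():
        print(user, r)
```

Two design points worth noting: the check is default deny, so a user with no role (or a role with no entry) gets nothing, and master and configuration changes are tracked separately from transactions because the page lists them as the levels at which unauthorised change does the most damage.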




ERP Modules
a. Financial Accounting Module: This module is the most important module of the overall ERP System, and it connects all the modules to each other.
b. Controlling Module: This module facilitates coordinating, monitoring, and optimizing all the processes in an organization.
c. Sales and Distribution Module: This is used by organizations to support the sales and distribution activities of products and services, starting from enquiry to order and then ending with delivery.
d. Human Resource Module: This module enhances the work process and data management within the HR department of enterprises.
e. Production Planning (PP) Module: The PP module is another important module that includes software designed specifically for production planning and management.
f. Material Management (MM) Module: The MM module, as the term suggests, manages materials required, processed and produced in enterprises.
g. Quality Management Module: The Quality Management module helps in the management of quality in production across processes in an organization.
h. Plant Maintenance Module: This is a functional module which handles the maintenance of equipment and enables efficient planning of production and generation schedules.
i. Project Systems: Project systems are used for planning and managing projects.
j. Supply Chain Module: This module provides extensive functionality for logistics, manufacturing, planning, and analytics.
k. Customer Relationship Management (CRM): Customer Relationship Management is a system which aims at improving the relationship with existing customers, finding new prospective customers, and winning back former customers.

Management Information Systems (MIS) Report
It is a tool that managers use to evaluate business processes and operations.

Type of Information in an MIS Report: An MIS report for this would likely contain data such as:
• The number of calls your staff takes;
• The number of emails that come in each day;
• The average amount of time it takes to answer a phone call or email; and
• The number of questions that your staff answers correctly vs. the number that are incorrect.

The information must meet the following criteria to become useful for the user:
• Relevant: MIS reports need to be specific to the business area they address. This is important because a report that includes unnecessary information might be ignored.
• Timely: Managers need to know what's happening now or in the recent past to make decisions about the future.
• Accurate: It's critical that numbers add up and that dates and times are correct. Financial information is often required to be accurate to the dollar.
• Structured: Try to break long passages of information into more readable blocks or chunks and give these chunks meaningful headings.

Data Analytics is the process of examining data sets to draw conclusions about the information they contain, increasingly with the aid of specialized systems and software.

Business Intelligence (BI) encompasses a wide variety of tools, applications and methodologies that enable organizations to collect data from internal systems and external sources, prepare it for analysis, develop and run queries against the data, and create reports, dashboards and data visualizations to make the analytical results available to corporate decision makers as well as operational workers.

Business Reporting
• It is the public reporting of operating and financial data by a business enterprise, or the regular provision of information to decision-makers within an organization to support them in their work.
• XBRL (eXtensible Business Reporting Language) is a freely available and global standard for exchanging business information. XBRL allows the expression of semantic meaning commonly required in business reporting.
• Who uses XBRL? Regulators; Companies; Governments; Data Providers; Analysts and investors; and Accountants.
• Important features of XBRL: Clear Definitions; Testable Business Rules; Multi-lingual Support; Strong Software Support.




CHAPTER 3: INFORMATION SYSTEMS AND ITS COMPONENTS

This chapter provides a deep understanding about various components of an Information system and its working,
types of threats and their mitigating controls and audit aspects of various components of Information Systems.

An Information System is a combination of people, hardware, software, communication devices, network and data
resources that processes (stores, retrieves and transforms) data and information for a specific purpose.

INPUT (business problems in the form of data, information, instructions, opportunities) → PROCESSING (software, programs, people, equipment, storage) → OUTPUT (solutions to problems in the form of reports, graphics, calculations, voices). CONTROL (decision makers, automatic control) and FEEDBACK to the USER close the loop.

Functions of an Information System
• Input: Data is collected from the organization or from external environments and converted into the suitable format required for processing.
• Process: A process is a series of steps undertaken to achieve a desired outcome or goal.
• Output: Information is then stored for future use or communicated to the user after application of the respective procedure on it.
The three basic activities of an Information System defined above help the enterprise in making decisions, controlling operations, analyzing problems and creating new products or services as an output. Apart from these activities, information systems also need feedback that is returned to appropriate members of the enterprise to help them evaluate the input stage.

Components of an Information System: People; Computer System (Hardware; Software, i.e. Operating System Software and Application Software); Data; Network & Communication System.

• People: The people involved include users of the system and information systems personnel, including all the people who manage, run, program and maintain the system.
• Computer System:
  Hardware: Information Systems hardware is the part of Information Systems that we can touch, the physical components of technology. Computers, keyboards, hard drives, iPads and flash drives are all examples of Information Systems hardware.
  Software: Software is a set of instructions that tells the hardware what to do. Software is not tangible; it cannot be touched.
  • An Operating System (OS) is a set of computer programs that manages computer hardware resources and acts as an interface with computer application programs.
  • Application software includes all that computer software that causes a computer to perform useful tasks beyond the running of the computer itself.
• Data: Data are the raw bits and pieces of information with no context. Data can either be quantitative, which is numeric (the result of a measurement, count, or some other mathematical calculation), or qualitative, which is descriptive.
• Networking and Communication Systems: These consist of both physical devices and software; they link the various pieces of hardware and transfer the data from one physical location to another. Computers and communications equipment can be connected in networks for sharing voice, data, images, sound and video.

Computer System
• Software: Application Software; Operating System Software.
• Hardware: Input Devices; Processing Devices (Control Unit, ALU, Registers); Data Storage Devices (Internal Memory, Primary Memory, Secondary Memory, Virtual Memory); Output Devices.

Classification of Information Systems' Controls
• By objective of controls: Preventive; Detective; Corrective.
• By nature of IS resource: Environmental; Physical Access; Logical Access.
• By audit functions: Managerial; Application.

12 June 2018 The Chartered Accountant Student


Objectives of Controls

Preventive Controls: Prevent errors, omissions, or security incidents from occurring. Examples include simple data-entry edit controls that block alphabetic characters from being entered in numeric fields, access controls that protect sensitive data/system resources from unauthorised people, and complex and dynamic technical controls such as antivirus software, firewalls, and intrusion prevention systems.

Detective Controls: These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence. For example, a detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities.

Corrective Controls: These controls correct errors, omissions, or incidents once they have been detected. They vary from simple correction of data-entry errors, to identifying and removing unauthorised users or software from systems or networks, to recovery from incidents, disruptions, or disasters.

Nature of Information Systems’ Resources

Environmental Controls: These are the controls relating to the IT environment such as power, air-conditioning, Un-interrupted Power Supply (UPS), smoke detection, fire-extinguishers, dehumidifiers etc.

Physical Access Controls: These are the controls relating to physical security of the tangible IS resources and intangible resources stored on tangible media etc. These include access control doors, security guards, door alarms, restricted entry to secure areas, visitor logged access, CCTV monitoring etc.

Logical Access Controls: These are the controls relating to logical access to information resources such as operating system controls, application software boundary controls, networking controls, access to database objects, encryption controls etc. The key factors considered in designing logical access controls include confidentiality and privacy requirements, authorization, authentication and incident handling, reporting and follow-up, virus prevention and detection, firewalls, centralized security administration, user training and tools for monitoring compliance, intrusion testing and reporting.

Audit Functions

Managerial Controls: The controls over the managerial functions that must be performed to ensure the development, implementation, operation and maintenance of information systems in a planned and controlled manner in an organization. The controls at this level provide a stable infrastructure in which information systems can be built, operated and maintained on a day-to-day basis.

Application Controls: These include the programmatic routines within the application program code. The objective of application controls is to ensure that data remains complete, accurate and valid during its input, update and storage. The specific controls could include form design, source document controls, input, processing and output controls, media identification, movement and library management, data back-up and recovery, authentication and integrity, legal and regulatory requirements.
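The three control objectives above, worked through in code. This is an added illustration, not code from the capsule or the ICAI study material; the ledger, watch list, access list and the 365-day inactivity threshold are constructed assumptions. The preventive control is the numeric-field data-entry edit mentioned above, the detective control reports inactive and watch-listed account numbers, and the corrective control removes identities that a review found to be unauthorised from an access list.

```python
import re
from datetime import date, timedelta

# Preventive control: a data-entry edit for a numeric field. Anything other
# than an optionally signed number with at most two decimals is refused, so
# alphabetic characters never reach the application.
NUMERIC_FIELD = re.compile(r"-?\d+(\.\d{1,2})?")


def preventive_numeric_edit(value: str) -> bool:
    return NUMERIC_FIELD.fullmatch(value.strip()) is not None


# Constructed sample ledger: account number -> date of the last posting to it.
LAST_ACTIVITY = {
    "ACC-1001": date(2018, 5, 30),
    "ACC-1002": date(2016, 1, 15),
    "ACC-1003": date(2018, 4, 2),
    "ACC-1004": date(2017, 2, 1),
}
# Constructed watch list: accounts flagged for monitoring of suspicious activity.
WATCHLIST = {"ACC-1003"}


def detective_account_review(last_activity, watchlist, as_of, inactive_days=365):
    """Detective control: report inactive and watch-listed account numbers so
    that a reviewer can follow them up (the control itself changes nothing)."""
    cutoff = as_of - timedelta(days=inactive_days)
    findings = []
    for account, last_posting in sorted(last_activity.items()):
        if last_posting < cutoff:
            findings.append((account, "inactive"))
        if account in watchlist:
            findings.append((account, "flagged"))
    return findings


def corrective_acl_cleanup(acl, authorised_users):
    """Corrective control: once a review shows identities on an access list
    that are not authorised, remove them and return both the cleaned list
    and the identities removed, so the action is recorded for the audit trail."""
    cleaned = sorted(user for user in acl if user in authorised_users)
    removed = sorted(user for user in acl if user not in authorised_users)
    return cleaned, removed


if __name__ == "__main__":
    for keyed in ("1250.50", "12A5", "-7"):
        status = "accepted" if preventive_numeric_edit(keyed) else "rejected"
        print(f"numeric edit {keyed!r}: {status}")
    for finding in detective_account_review(LAST_ACTIVITY, WATCHLIST, date(2018, 6, 1)):
        print("review finding:", finding)
    print("acl cleanup:", corrective_acl_cleanup({"alice", "bob", "mallory"}, {"alice", "bob", "carol"}))
```

The detective routine deliberately only reports; pairing it with the corrective routine, which both fixes the list and returns what it removed, is what gives a reviewer evidence that the finding was acted upon.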

MANAGERIAL CONTROLS

I. Top Management & IS Management Controls: Functions performed by a Senior Manager:
• Planning: determining goals of the information systems function and means of achieving these goals;
• Organizing: gathering, allocating, & coordinating resources needed to accomplish goals;
• Leading: motivating, guiding, and communicating with personnel;
• Controlling: comparing actual performance with planned performance.

II. Programming Management Controls: To acquire and implement high-quality programs.
• Planning: Using WBS, Gantt Charts, PERT;
• Control: Over software development, acquisition, and implementation tasks;
• Design: Systematic approach to program design;
• Coding: Using Top-down or bottom-up approach;
• Testing: Could be Unit Testing, Integration Testing and Whole-of-Program Testing;
• Operation and Maintenance: Could be Repair Maintenance, Adaptive and Perfective Maintenance.

III. System Development Management Controls: Has responsibility for functions concerned with analyzing, designing, building, implementing & maintaining IS.
• System Authorization Activities: Systems must be properly authorized to ensure their economic justification and feasibility.
• User Specification Activities: The user can create a detailed written description of the logical needs that must be satisfied by the system.
• Technical Design Activities: These translate user specifications into a set of detailed technical specifications of a system that meets the user’s needs.
• Internal Auditor’s Participation: The auditor’s involvement should be continued throughout all phases of the development process and into the maintenance phase.
• Program Testing: All modules must be tested before they are implemented.
• User Test and Acceptance Procedures: Just before implementation, individual modules of the system must be tested as a unified whole.

IV. Data Resource Management Controls: Data must be available to users when it is needed, in the location where it is needed, and in the form in which it is needed.
• Definition Controls: To ensure that the database always corresponds to and complies with its definition standards.
• Existence Controls: To ensure existence of the database by establishing backup and recovery procedures.
• Access Controls: Access controls are designed to prevent unauthorized individuals from viewing, retrieving, computing/destroying the entity’s data.
• Update Controls: Restrict update of the database to authorized users.
• Concurrency Controls: Provide solutions, agreed-upon schedules and strategies to overcome data integrity problems.
• Quality Controls: These controls ensure the accuracy, completeness and consistency of data maintained in the database.

V. Security Management Controls: Information security administrators are responsible for ensuring that information systems assets are secure.

VI. Quality Assurance Management Controls: To achieve certain quality goals and standards.

VII. Operations Management Controls: Responsible for the daily running of hardware and software facilities.
• Computer operation;
• Network operation;
• Data Preparation & Entry;
• Production Control;
• File Library;
• Documentation & Program Library;
• Help Desk & Technical support;
• Capacity Planning & Performance;
• Management of outsourced operations.

APPLICATION CONTROLS

I. Boundary Controls: An access control mechanism having three steps – Identification, Authentication and Authorization.
• Cryptographic Controls: Transforming data into codes that are meaningless for a non-authenticated person.
• Passwords: User identification by an authentication mechanism with personal characteristics like birth date etc.
• PIN: Assigned to a user by the institution based on the user’s characteristics.
• Identification Cards: Used to store information required in an authentication process.
• Biometric Devices: Identification like thumb/finger impression.

II. Communication Controls: Responsible for transporting data among all other subsystems.
• Physical Component Controls: Involve Transmission Media – Guided or Unguided Media; Communication Lines; Port Protection Devices; Multiplexors and Concentrators etc.
• Line Error Controls: Include Error Detection & Error Correction Techniques.
• Flow Controls: Use the Stop-and-Wait Flow Control mechanism.
• Link Controls: Use protocols – HDLC and SDLC.
• Channel Access Controls: Use the Polling and Contention methods.
• Internetworking Controls: Use mainly three devices – Bridge, Router & Gateway.

III. Processing Controls: Responsible for computing, sorting, classifying, and summarizing data.
• Processor Controls: Used to reduce expected losses from errors and irregularities associated with central processors.
• Real Memory Controls: Seek to detect and correct errors that occur in memory cells and to protect areas of memory assigned to a program from illegal access by another program.
• Virtual Memory Controls: Map virtual memory addresses into real memory addresses.
• Data Processing Controls: Perform validation checks to identify errors during processing of data.

IV. Input Controls: Responsible for ensuring the accuracy and completeness of data that are input into an application system.
• Source Document Control: Source documents can be used to remove assets from the enterprise, so their use must be controlled.
• Data Coding Control: These are put in place to reduce user error during data feeding.
• Batch Control: Put in place at locations where batch processing is being used, to ensure accuracy and completeness of the content.
• Validation Control: Used to validate the accuracy of input data at different levels like – Field and Record interrogation.

V. Database Controls: Protect the integrity of a database when application s/w acts as an interface between user and the database.
• Update Controls and Report Controls: To protect the integrity of a database when application s/w acts as an interface to interact between user and database.

VI. Output Controls: Ensure that data delivered to users is presented, formatted and delivered in a consistent and secured manner.
• Storage and Logging of Sensitive and Critical Forms: Access to pre-printed stationery only to authorized persons.
• Logging of output program executions: Output programs are to be logged and monitored.
• Spooling/Queuing: To ensure that the user can continue working while the print operation is getting completed.
• Controls over Printing: Unauthorized disclosure of information is not printed.
• Report Distribution and Collection Controls: Deal with a secure way to avoid unauthorized disclosure of data.
• Retention Controls: Duration for which outputs are to be retained before being destroyed.
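The input controls listed under IV, worked through on a constructed batch of payroll records: field interrogation (format, type and range of each field), record interrogation (relationships between fields of one record) and batch control totals (record count, financial total and hash total compared with a batch header prepared by the data control function). This is an added example, not code from the capsule; the record layout, department codes, the 80-hour and rate ceilings and the sample records are all assumptions.

```python
from dataclasses import dataclass


@dataclass
class Record:
    employee_id: str   # expected: exactly 6 digits
    dept: str          # department code
    hours: str         # numeric text exactly as keyed
    rate: str          # numeric text exactly as keyed


VALID_DEPTS = {"FIN", "OPS", "HR"}   # assumed code table for data-coding checks


def field_interrogation(rec):
    """Field-level checks: format, type and range of each field on its own."""
    errors = []
    if not (rec.employee_id.isdigit() and len(rec.employee_id) == 6):
        errors.append("employee_id: must be 6 digits")
    if rec.dept not in VALID_DEPTS:
        errors.append("dept: unknown code")
    for name, text in (("hours", rec.hours), ("rate", rec.rate)):
        try:
            value = float(text)
        except ValueError:
            errors.append(f"{name}: not numeric")
            continue
        if value < 0:
            errors.append(f"{name}: negative")
    return errors


def record_interrogation(rec):
    """Record-level checks: reasonableness of one field in the light of another."""
    errors = []
    try:
        hours, rate = float(rec.hours), float(rec.rate)
    except ValueError:
        return errors           # field interrogation has already reported this
    if hours > 80:
        errors.append("hours: exceeds 80 per period")
    if rec.dept == "HR" and rate > 100:
        errors.append("rate: above ceiling for HR")
    return errors


def batch_totals(records):
    """Batch control totals: record count, financial total of gross pay, and a
    hash total (sum of employee ids; meaningless in itself, but a lost or
    altered record changes it)."""
    count = len(records)
    financial = round(sum(float(r.hours) * float(r.rate) for r in records), 2)
    hash_total = sum(int(r.employee_id) for r in records)
    return count, financial, hash_total


def validate_batch(records, header):
    """Apply all checks; return accepted records, rejected records with their
    reasons, and any batch-total discrepancies against the header."""
    accepted, rejected = [], []
    for rec in records:
        errs = field_interrogation(rec) + record_interrogation(rec)
        if errs:
            rejected.append((rec, errs))
        else:
            accepted.append(rec)
    count, financial, hash_total = batch_totals(accepted)
    discrepancies = {}
    for name, got, expected in (("count", count, header["count"]),
                                ("financial", financial, header["financial"]),
                                ("hash", hash_total, header["hash"])):
        if got != expected:
            discrepancies[name] = (got, expected)
    return accepted, rejected, discrepancies


# Constructed batch: two clean records, one bad id, one keying error ("4O"
# with the letter O), one unreasonable hours value.
RECORDS = [
    Record("100001", "FIN", "40", "50"),
    Record("100002", "OPS", "38.5", "40"),
    Record("10003", "HR", "40", "30"),
    Record("100004", "OPS", "4O", "45"),
    Record("100005", "HR", "90", "60"),
]
# Constructed batch header: totals the data control clerk computed from the
# source documents before keying (5 records, gross pay 11940, id hash 500015).
HEADER = {"count": 5, "financial": 11940.0, "hash": 500015}

if __name__ == "__main__":
    accepted, rejected, discrepancies = validate_batch(RECORDS, HEADER)
    print("accepted:", [r.employee_id for r in accepted])
    for rec, errs in rejected:
        print("rejected:", rec.employee_id, errs)
    print("batch discrepancies:", discrepancies)
```

The batch totals do double duty: a count mismatch shows records were rejected or lost, and a hash-total mismatch shows which of the two it was even when the financial total happens to agree.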

INFORMATION SYSTEM’S AUDITING

It is defined as the process of attesting objectives (those of the external auditor) that focus on asset safeguarding and data integrity, and management objectives (those of the internal auditor) that include both effectiveness and efficiency.

[Figure: factors influencing an organization – Cost of computer abuse; Value of hardware, software, personnel; Controlled evolution of computer use; Organizational costs of data loss; High costs of computer error; Costs of incorrect decision making; Maintenance of privacy.]

[Figure: Impact of Controls and Audit influencing an organization – Control and Audit of Computer-based Information Systems, through Information Systems Auditing, lead to Improved Safeguarding of assets, Improved Data Integrity, Improved System efficiency and Improved System effectiveness.]

Need and Control of Information Systems’ Audit

Organisational Costs of Data Loss: Data is a critical resource of an organisation for its present and future processes and its ability to adapt and survive in a changing environment.
Cost of Incorrect Decision Making: Management and operational controls taken by managers involve detection, investigation and correction of the processes.
Value of Computer Hardware, Software and Personnel: These are critical resources of an organisation, which have a credible impact on its infrastructure and business competitiveness.
Costs of Computer Abuse: Unauthorised access to computer systems, malware, unauthorised physical access to computer facilities and unauthorised copies of sensitive data can lead to destruction of assets.
Controlled Evolution of Computer Use: Use of technology and reliability of complex computer systems cannot be guaranteed, and the consequences of using unreliable systems can be destructive.
High Costs of Computer Error: In a computerised enterprise environment where many critical business processes are performed, a data error during entry or processing would cause great damage.
Maintenance of Privacy: Data collected in a business process contains private information about an individual that needs to be maintained.

Information Systems’ Audit Objectives

Asset Safeguarding Objectives: The information system assets (hardware, software, data, information etc.) must be protected by a system of internal controls from unauthorised access.
Data Integrity Objectives: Data integrity is important from the business perspective of the decision maker, competition and the market environment.
System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics and objective of the system to meet business and user requirements.
System Efficiency Objectives: To optimize the use of various information system resources along with the impact on its computing environment.

TYPES OF AUDIT TOOLS

Snapshots: Tracing a transaction in a computerized system can be performed with the help of snapshots or extended records. The snapshot software is built into the system at those points where material processing occurs; it takes images of the flow of any transaction as it moves through the application. These images can be utilized to assess the authenticity, accuracy, and completeness of the processing carried out on the transaction.

Integrated Test Facility (ITF): The ITF technique involves the creation of a dummy entity in the application system files and the processing of audit test data against the entity as a means of verifying processing authenticity, accuracy, and completeness. This test data would be included with the normal production data used as input to the application system.

System Control Audit Review File (SCARF): The SCARF technique involves embedding audit software modules within a host application system to provide continuous monitoring of the system’s transactions. The information collected is written onto a special audit file, the SCARF master file. Auditors then examine the information contained on this file to see if some aspect of the application system needs follow-up.

Continuous and Intermittent Simulation (CIS): This is a variation of the SCARF continuous audit technique. This technique can be used to trap exceptions whenever the application system uses a database management system.

Audit Hooks: These are audit routines that flag suspicious transactions. For example, internal auditors at an Insurance Company determined that their policyholder system was vulnerable to fraud every time a policyholder changed his or her name or address and then subsequently withdrew funds from the policy.

AUDIT TRAILS

Audit Trails are logs that can be designed to record activity at the system, application, and user level. When properly implemented, audit trails provide an important detective control to help accomplish security policy objectives.
• The Accounting Audit Trail shows the source and nature of data and processes that update the database.
• The Operations Audit Trail maintains a record of attempted or actual resource consumption within a system.

Managerial Controls and their Audit Trails

Top Management and Information Systems Management Controls
Scope: Discusses the top management’s role in planning, organizing, leading and controlling the information systems function. Also provides advice to top management in relation to long-run policy.
Audit Trails:
• Planning: Auditors need to evaluate whether top management has formulated a high-quality IS plan that is appropriate to the needs of the organization or not.
• Organizing: Auditors should be concerned about how well top management acquires and manages staff resources.
• Leading: Auditors examine variables that often indicate when motivation problems exist or suggest poor leadership.
• Controlling: Auditors must evaluate whether top management’s choice of the means of control over the users of IS services is likely to be effective or not.

System Development Management Controls
Scope: Provides a contingency perspective on models of the information systems development process that auditors can use as a basis for evidence collection and evaluation.
Audit Trails:
• Concurrent Audit: Auditors assist the team in improving the quality of systems development for the specific system they are building and implementing.
• Post-implementation Audit: Auditors seek to help an organization learn from its experiences in the development of a specific application system.
• General Audit: Auditors seek to determine whether they can reduce the extent of substantive testing needed to form an audit opinion about management’s assertions relating to financial statements or systems effectiveness and efficiency.

Programming Management Controls
Scope: Discusses the major phases in the program life cycle and the important controls that should be exercised in each phase.
Audit Trails:
• Planning: Auditors must evaluate how well the planning work is being undertaken.
• Control: Auditors must evaluate whether the nature and extent of control activities undertaken are appropriate for the different types of s/w that are developed or acquired.
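The audit hook described above (a withdrawal following a change of name or address), implemented as an embedded routine that the host application calls for every transaction and that writes exceptions to an audit file, in the manner of SCARF. This is an added example, not code from the capsule or from any insurer’s system; the policy events, the 30-day window and the event kinds are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class PolicyEvent:
    policy: str
    when: date
    kind: str            # "name_change", "address_change", "withdrawal", "premium"
    amount: float = 0.0


class AuditHook:
    """Embedded audit routine. The host application calls process() for every
    transaction; the hook remembers the latest name or address change per
    policy and writes an exception record whenever a withdrawal on that policy
    follows the change within `window_days`."""
    CHANGE_KINDS = {"name_change", "address_change"}

    def __init__(self, window_days=30):
        self.window = timedelta(days=window_days)
        self.last_change = {}    # policy -> most recent change event
        self.exceptions = []     # the auditor's exception file

    def process(self, event):
        if event.kind in self.CHANGE_KINDS:
            self.last_change[event.policy] = event
            return None
        if event.kind == "withdrawal":
            change = self.last_change.get(event.policy)
            if change is not None and timedelta(0) <= event.when - change.when <= self.window:
                record = {
                    "policy": event.policy,
                    "withdrawal_date": event.when,
                    "amount": event.amount,
                    "change": change.kind,
                    "change_date": change.when,
                    "days_after_change": (event.when - change.when).days,
                }
                self.exceptions.append(record)
                return record
        return None


def run_hook(events, window_days=30):
    """Feed a transaction stream through the hook in date order and return
    the exception file for the auditor to review."""
    hook = AuditHook(window_days)
    for event in sorted(events, key=lambda e: e.when):
        hook.process(event)
    return hook.exceptions


# Constructed transaction stream (out of date order on purpose, as a batch
# from several branches might be).
EVENTS = [
    PolicyEvent("P-100", date(2018, 3, 1), "address_change"),
    PolicyEvent("P-100", date(2018, 3, 10), "withdrawal", 50000.0),
    PolicyEvent("P-200", date(2018, 1, 5), "withdrawal", 2000.0),
    PolicyEvent("P-300", date(2018, 2, 1), "name_change"),
    PolicyEvent("P-300", date(2018, 5, 20), "withdrawal", 1000.0),
    PolicyEvent("P-400", date(2018, 4, 1), "premium", 500.0),
]

if __name__ == "__main__":
    for record in run_hook(EVENTS):
        print("exception:", record)
```

The hook flags P-100 (withdrawal nine days after an address change) and not P-300, whose withdrawal comes 108 days after the name change; widening the window to 120 days would flag both, which is the auditor’s judgement call, not the hook’s.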

Programming Management Controls (contd.)
• Design: Auditors should find out whether programmers use some type of systematic approach to design.
• Coding: Auditors should seek evidence to check whether programmers employ automated facilities to assist them with their coding work.
• Testing: The auditor’s primary concern is to see that unit testing, integration testing and system testing have been undertaken appropriately.
• Operation & Maintenance: Auditors need to ensure effective & timely reporting of maintenance needs that occur & that maintenance is carried out in a well-controlled manner.

Data Resource Management Controls
Scope: Discusses the role of the database administrator and the controls that should be exercised in each phase.
Audit Trails: Auditors should determine what controls are exercised to maintain data integrity. They might employ test data to evaluate whether access controls and update controls are working.

Quality Assurance Management Controls
Scope: Discusses the major functions that quality assurance management should perform to ensure that development, implementation, operation, and maintenance of information systems conform to quality standards.
Audit Trails: Auditors might use interviews, observations and reviews of documentation to evaluate how well Quality Assurance (QA) personnel perform their monitoring role.

Security Management Controls
Scope: Discusses the major functions performed by security administrators to identify major threats to IS functions and to design, implement, operate, and maintain controls that reduce expected losses from these threats to an acceptable level.
Audit Trails: Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or not.

Operations Management Controls
Scope: Discusses the major functions performed by operations management to ensure the day-to-day operations of the IS function are well controlled.
Audit Trails: Auditors should pay attention to whether the documentation is maintained securely and is issued only to authorized personnel.

Application Controls And Their Audit Trails

BOUNDARY CONTROLS
This maintains the chronology of events that occur when a user attempts to gain access to and employ systems resources. This includes: Identity of the would-be user of the system; Authentication information supplied; Resources requested; Action privileges requested; Terminal Identifier; Start and Finish Time; Number of Sign-on attempts; and Resources provided/denied.
Accounting Audit Trail: Action privileges allowed/denied.
Operations Audit Trail:
• Resource usage from log-on to log-out time.
• Log of Resource consumption.

INPUT CONTROLS
This maintains the chronology of events from the time data and instructions are captured and entered into an application system until the time they are deemed valid and passed on to other subsystems within the application system.
Accounting Audit Trail:
• The identity of the person (organisation) who was the source of the data;
• The identity of the person (organisation) who entered the data into the system;
• The time and date when the data was captured;
• The identifier of the physical device used to enter the data into the system;
• The account or record to be updated by the transaction;
• The standing data to be updated by the transaction;
• The details of the transaction; and
• The number of the physical or logical batch to which the transaction belongs.
Operations Audit Trail:
• Time to key in a source document or an instrument at a terminal;
• Number of read errors made by an optical scanning device;
• Number of keying errors identified during verification;
• Frequency with which an instruction in a command language is used; and
• Time taken to invoke an instruction using a light pen versus a mouse.

COMMUNICATION CONTROLS
This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
Accounting Audit Trail:
• Unique identifier of the source/sink node;
• Unique identifier of each node in the network that the message traverses;
• Unique identifier of the person or process authorizing dispatch of the message;
• Time and date at which the message was dispatched;
• Time and date at which the message was received by the sink node;
• Time and date at which each node in the network was traversed by the message; and
• Message sequence number; and the image of the message received at each node traversed in the network.
Operations Audit Trail:
• Number of messages that have traversed each link and each node;
• Queue lengths at each node;
• Number of errors occurring on each link or at each node;
• Number of retransmissions that have occurred across each link;
• Log of errors to identify locations and patterns of errors;
• Log of system restarts; and
• Message transit times between nodes and at nodes.

PROCESSING CONTROLS
The audit trail maintains the chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.
Accounting Audit Trail:
• To trace and replicate the processing performed on a data item.
• To follow triggered transactions from end to end by monitoring input data entry, intermediate results and output data values.
• To check for the existence of data flow diagrams or flowcharts that describe data flow in the transaction, and whether such diagrams or flowcharts correctly identify the flow of data.
• To check whether audit log entries recorded the changes made in the data items at any time, including who made them.
Operations Audit Trail:
• A comprehensive log on hardware consumption – CPU time used, secondary storage space used, and communication facilities used.
• A comprehensive log on software consumption – compilers used, subroutine libraries used, file management facilities used, and communication software used.
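A boundary-control subsystem that performs the three steps named under the Boundary Controls application control (Identification, Authentication, Authorization) and records the accounting and operations audit-trail items listed for boundary controls above: identity of the would-be user, terminal identifier, start and finish time, number of sign-on attempts, resources and privileges requested, and whether they were provided or denied. This is an added example, not code from the capsule; the user table, terminal ids, the three-attempt lock-out and the PBKDF2 password hashing are assumptions. Only a salted hash of each password is held, and the password supplied at sign-on is never written to the trail.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


def _hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2-HMAC-SHA256; the clear-text password is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def make_user_table(credentials):
    """credentials: {user_id: (password, {resource: set_of_privileges})} (constructed)."""
    table = {}
    for user_id, (password, grants) in credentials.items():
        salt = os.urandom(16)
        table[user_id] = {"salt": salt, "hash": _hash_password(password, salt), "grants": grants}
    return table


class BoundarySubsystem:
    def __init__(self, user_table, max_attempts=3):
        self.users = user_table
        self.max_attempts = max_attempts
        self.failed = {}              # user_id -> consecutive failed sign-on attempts
        self.sessions = set()         # user_ids currently signed on
        self.accounting_trail = []    # identity, terminal, privileges allowed/denied, start/finish
        self.operations_trail = []    # resources actually used between log-on and log-off

    def sign_on(self, user_id, password, terminal_id, now=None):
        """Identification (is the id known?) then authentication (does the
        secret match?), with lock-out after max_attempts consecutive failures."""
        now = now or datetime.now(timezone.utc)
        attempt_no = self.failed.get(user_id, 0) + 1
        user = self.users.get(user_id)
        ok = (user is not None
              and attempt_no <= self.max_attempts
              and hmac.compare_digest(_hash_password(password, user["salt"]), user["hash"]))
        if ok:
            self.failed[user_id] = 0
            self.sessions.add(user_id)
        else:
            self.failed[user_id] = attempt_no
        self.accounting_trail.append({"event": "sign_on", "user": user_id, "terminal": terminal_id,
                                      "start": now, "attempt": attempt_no,
                                      "result": "allowed" if ok else "denied"})
        return ok

    def request(self, user_id, resource, privilege):
        """Authorization: is a signed-on user granted this privilege on this resource?"""
        grants = self.users.get(user_id, {}).get("grants", {})
        allowed = user_id in self.sessions and privilege in grants.get(resource, set())
        self.accounting_trail.append({"event": "request", "user": user_id, "resource": resource,
                                      "privilege": privilege,
                                      "result": "provided" if allowed else "denied"})
        if allowed:
            self.operations_trail.append((user_id, resource, privilege))
        return allowed

    def sign_off(self, user_id, now=None):
        now = now or datetime.now(timezone.utc)
        self.sessions.discard(user_id)
        self.accounting_trail.append({"event": "sign_off", "user": user_id, "finish": now})


if __name__ == "__main__":
    # Constructed users: alice may read and post to the ledger, bob may only read it.
    table = make_user_table({"alice": ("correct-horse", {"ledger": {"read", "post"}}),
                             "bob": ("hunter2", {"ledger": {"read"}})})
    boundary = BoundarySubsystem(table)
    boundary.sign_on("alice", "wrong", "T01")
    boundary.sign_on("alice", "correct-horse", "T01")
    boundary.request("alice", "ledger", "post")
    boundary.sign_off("alice")
    for entry in boundary.accounting_trail:
        print(entry)
```

Denied requests go only to the accounting trail (what was asked for and refused), while the operations trail records only resources actually consumed, which keeps the two trails answering the two different questions the table above assigns them.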

DATABASE CONTROLS
The audit trail maintains the chronology of events that occur either to the database definition or to the database itself.
Accounting Audit Trail:
• To confirm whether an application properly accepts, processes, and stores information.
• To attach a unique time stamp to all transactions.
• To attach before-images and after-images of the data item on which a transaction is applied to the audit trail.
• Any modifications or corrections to audit trail transactions accommodating the changes that occur within an application system.
• To not only test the stated input, calculation, and output rules for data integrity, but also to assess the efficacy of the rules themselves.
Operations Audit Trail: To maintain a chronology of resource consumption events that affect the database definition or the database.

OUTPUT CONTROLS
The audit trail maintains the chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of the output because it no longer should be retained.
Accounting Audit Trail:
• What output was presented to users;
• Who received the output;
• When the output was received; and
• What actions were taken with the output.
Operations Audit Trail: To maintain the record of resources consumed – graphs, images, report pages, printing time and display rate to produce the various outputs.

Segregation of Duties (SoD) ensures that single individuals do not possess excess privileges that could result in unauthorized activities such as fraud or the manipulation or exposure of sensitive data. Segregation of Duties (SoD) Controls are Preventive and Detective controls that should be put into place to manage segregation of duties matters. Some examples of SoD Controls are Transaction Authorization, Split custody of high-value assets, workflow and periodic reviews.
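The two kinds of SoD control named above, in code: a detective control (the periodic review) that lists every user whose combined role privileges contain a conflicting pair, and a preventive control (transaction authorization) that refuses to let the person who entered a payment also approve it. This is an added example, not code from the capsule; the conflict matrix, roles, privilege names and users are constructed assumptions.

```python
# Constructed conflict matrix: pairs of privileges one person must not hold together.
CONFLICTING_PAIRS = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"enter_invoice", "approve_payment"}),
    frozenset({"initiate_transfer", "release_transfer"}),
}

# Constructed roles and the privileges each carries.
ROLE_PRIVILEGES = {
    "ap_clerk": {"enter_invoice", "create_vendor"},
    "ap_manager": {"approve_payment"},
    "treasury_initiator": {"initiate_transfer"},
    "treasury_releaser": {"release_transfer"},
}

# Constructed user-to-role assignments; ravi has accumulated both AP roles.
USER_ROLES = {
    "asha": ["ap_clerk"],
    "ravi": ["ap_clerk", "ap_manager"],
    "meera": ["treasury_initiator"],
    "dev": ["ap_manager"],
}


def effective_privileges(roles):
    """Union of the privileges granted by every role a user holds."""
    privileges = set()
    for role in roles:
        privileges |= ROLE_PRIVILEGES.get(role, set())
    return privileges


def sod_violations(user_roles):
    """Detective SoD control (periodic review): every user whose effective
    privileges contain a conflicting pair, with the pairs found."""
    violations = {}
    for user, roles in user_roles.items():
        privileges = effective_privileges(roles)
        found = sorted(tuple(sorted(pair)) for pair in CONFLICTING_PAIRS if pair <= privileges)
        if found:
            violations[user] = found
    return violations


def can_approve(payment, approver, user_roles):
    """Preventive SoD control (transaction authorization): the approver must
    hold the approve privilege and must not be the person who entered the payment."""
    if approver == payment["entered_by"]:
        return False
    return "approve_payment" in effective_privileges(user_roles.get(approver, []))


if __name__ == "__main__":
    print("periodic review:", sod_violations(USER_ROLES))
    payment = {"id": "PAY-0001", "entered_by": "asha", "amount": 12500.0}   # constructed
    for approver in ("asha", "dev", "ravi"):
        print(f"{approver} may approve {payment['id']}:", can_approve(payment, approver, USER_ROLES))
```

The per-transaction check alone would still let ravi approve a payment that asha entered; it is the periodic review that shows ravi can both create a vendor and approve payments to it, which is why the capsule lists both preventive and detective SoD controls.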

CHAPTER 4: E-COMMERCE, M-COMMERCE AND EMERGING TECHNOLOGIES

This chapter provides an insight about meaning, components and architecture of E-Commerce, various risks and controls
associated with e-commerce and applicable laws and guidance governing e-commerce. The chapter further deals with the
emerging technologies like Cloud Computing, Mobile Computing, Green Computing etc. and their perspectives.

TRADITIONAL COMMERCE Vs. E-COMMERCE

Base for Comparison | Traditional Commerce | E-Commerce
Definition | Includes all those activities which encourage exchange, in some way or the other, of goods/services which are manual and non-electronic. | Means carrying out commercial transactions or exchange of information electronically on the internet.
Transaction Processing | Manual | Electronic
Availability for commercial transactions | For limited time. This time may be defined by law. Some special stores may run 24 hours, but in general available for limited time. | 24 × 7 × 365
Nature of purchase | Goods can be inspected physically before purchase. | Goods cannot be inspected physically before purchase.
Customer interaction | Face-to-face | Screen-to-face
Business Scope | Limited to a particular area. | Worldwide reach
Information exchange | No uniform platform for exchange of information. | Provides a uniform platform for information exchange.
Resource focus | Supply side | Demand side
Marketing | One-way marketing | One-to-one marketing
Payment | Cash, cheque, credit card, etc. | Credit card, fund transfer, Cash on Delivery, Payment Wallets, UPI application etc.
Delivery of goods | Instantly | Takes time, but now e-commerce websites have created options of same-day delivery, or delivery within 4 hours.
Layers of Delivery (Profit Impact) | Reduced layers of delivery from manufacturer to customers. | (i) Increases profit margin of manufacturers. (ii) Above (i) allows manufacturers to give discounts to customers. (iii) Customers get better prices.
Layers of Delivery (Time Impact) | Reduced layers of delivery from manufacturer to customers. | (i) This helps customers get faster product deliveries. (ii) Manufacturers can have better inventory management, as they will always know what products customers are buying. They shall be able to maintain inventory on a JIT (Just in Time) basis.

Illustration of E-Commerce Transaction

Step 1: Go to the website.
Step 2: Select the product type you wish to buy.
Step 3: Select the desired product from the product list.
Step 4: Make the final choice and make payment online.
Step 5: Review the final price and confirm the payment.
Step 6: Payment can be done through COD, net banking, credit card etc.
Step 7: Select the payment option and get directed to the payment gateway.
Step 8: Based on delivery terms, the product is delivered to you.

Benefits of E-Commerce

Benefits to Customer / Individual / User
• Convenience
• Time saving
• Various Options
• Easy to find reviews
• Coupons and Deals
• Anytime Access

Benefits to Business / Sellers
• Increased Customer Base
• Recurring payments made easy
• Instant Transaction
• Provides a dynamic market
• Reduction in costs
• Efficiency improvement
• Creation of new markets
• Easier entry into new markets
• Better quality of goods
• Elimination of Time Delays

Benefits to Government
• Instrument to fight corruption
• Reduction in use of ecologically damaging materials

ARCHITECTURE OF NETWORKED SYSTEMS

Architecture is a term to define the style of design and method of construction used generally for buildings and other physical structures. In e-commerce, it denotes the way network architectures are built.

Two-Tier Architecture
• Presentation Tier (Client Application/Client Tier): This is the interface that allows the user to interact with the e-commerce / m-commerce vendor.
• Database Tier (Data Tier): The product data / price data / customer data and other related data are kept here.
Advantages:
• The system performance is higher because business logic and database are physically close.
• More users could interact with the system.
• It is easy to set up and maintain the entire system smoothly.
Disadvantages:
• Performance deteriorates if the number of users increases.
• There is restricted flexibility and choice of DBMS since the data language used in the server is proprietary to each vendor.

Three-Tier Architecture
• Presentation Tier: Occupies the top level and displays information related to services available on a website.
• Application Tier: Also called the Middle Tier, Logic Tier or Business Logic Tier; it controls application functionality by performing detailed processing.
• Database Tier: This tier houses the database servers where information is stored and retrieved.
Advantages:
• Clear separation of user-interface control and data presentation from application logic.
• Dynamic load balancing possible if bottlenecks in terms of performance occur.
• Change management is easy and faster.
Disadvantages:
• Increased need for network traffic management, server load balancing, and fault tolerance.
• Current tools relatively immature and more complex.
• Maintenance tools currently inadequate.

E-Commerce Architecture Vide Internet
• Client / User Interface: This is the layer through which e-commerce connects to the customer and the e-commerce merchant.
• Application Layer: Through these applications the customer logs on to merchant systems. This layer allows the customer to check the products available on the merchant’s website.
• Database Layer: This layer is accessible to the user through the application layer.

E-Commerce Architecture Vide Mobile Apps
M-Commerce (Mobile Commerce): M-commerce is the buying and selling of goods and services through wireless handheld devices such as cellular telephones and personal digital assistants (PDAs). M-commerce enables users to access the Internet without needing to find a place to plug in.

Risks and Controls

Risk is the possibility of loss. The same may be the result of intentional or unintentional action by individuals. Risks associated with e-commerce transactions are high compared to general internet activities. These include the following:
• Delay in goods and Hidden Costs
• Infrastructure
• Quality issues
• Repudiation of contract
• Security and credit card issues
• Problem of anonymity
• Lack of authenticity of transactions
• Needs access to internet and lack of personal touch
• Data Loss or theft or duplication
• Non-recognition of electronic transactions
• Attack from hackers
• Denial of Service
• Lack of audit trails
• Problem of piracy
• Privacy and Security

Digital Payment

Digital Payment is a way of payment which is made through digital modes. In digital payments, payer and payee both use digital modes to send and receive money. It is also called electronic payment. No hard cash is involved in digital payments. All the transactions in digital payments are completed online. It is an instant and convenient way to make payment, resulting in absolute transparency and involvement of minimal processes.

Advantages of Digital Payments:
• Easy and convenient
• Pay or send money from anywhere
• Discounts from taxes
• Written record
• Less Risk

Drawbacks of Digital Payments:
• Difficult for a non-technical person
• Risk of data theft
• Overspending

New Methods of Digital Payment:
• Unified Payment Interface (UPI) Apps
• Immediate Payment Service (IMPS)
• Mobile Apps: BHIM (Bharat Interface for Money)
• Mobile Wallets
• Aadhar Enabled Payment Service (AEPS)
• Unstructured Supplementary Service Data (USSD)

Traditional Methods of Digital Payment:
• E-Wallet
• Cards: Credit Cards, Debit Cards
• Net Banking

[Figure: Computing Technologies – Virtualization, Mobile Computing, Cloud Computing, Grid Computing, Machine Learning, Web 3.0, Bring Your Own Device (BYOD), Green Computing, Artificial Intelligence.]

The Chartered Accountant Student June 2018 19


ENTERPRISE INFORMATION SYSTEMS
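Three of the e-commerce risks listed above (lack of audit trails, repudiation of contract and non-recognition of electronic transactions) are reduced by keeping a record of every transaction that cannot be altered unnoticed. The block below is an added example, not code from the capsule: a hash-chained audit trail in which each entry carries a SHA-256 hash over its own contents, its sequence number and the previous entry's hash. The event names, order numbers and the genesis value are constructed for illustration.

```python
"""Added example (not part of the ICAI capsule): a tamper-evident audit trail
for e-commerce transactions.  Each record is stored with a SHA-256 hash that
covers the record, its sequence number and the hash of the previous record,
so altering, deleting or reordering an entry breaks the chain at that point.
Field names and the sample transactions are constructed for illustration."""
import hashlib
import json
from typing import Dict, List, Optional

GENESIS_HASH = "0" * 64   # anchor for the first record (assumption of this example)


def chain_hash(prev_hash: str, seq: int, record: Dict) -> str:
    """Hash of (previous hash, sequence number, canonical JSON of the record)."""
    # sort_keys and compact separators give one canonical encoding per record,
    # so the same record always produces the same hash regardless of dict order.
    payload = json.dumps({"seq": seq, "record": record}, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditTrail:
    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, record: Dict) -> str:
        """Append a record linked to the current tail; returns the new tail hash."""
        prev_hash = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        seq = len(self.entries) + 1
        entry = {"seq": seq, "record": dict(record), "prev_hash": prev_hash}
        entry["hash"] = chain_hash(prev_hash, seq, entry["record"])
        self.entries.append(entry)
        return entry["hash"]

    def first_broken_seq(self) -> Optional[int]:
        """None if the whole chain verifies; otherwise the position of the first bad entry."""
        prev_hash = GENESIS_HASH
        for position, entry in enumerate(self.entries, start=1):
            # Reordering or deletion shows up as a sequence/link mismatch ...
            if entry["seq"] != position or entry["prev_hash"] != prev_hash:
                return position
            # ... and an edited record no longer matches its stored hash.
            if chain_hash(prev_hash, entry["seq"], entry["record"]) != entry["hash"]:
                return position
            prev_hash = entry["hash"]
        return None


def build_sample_trail() -> AuditTrail:
    """Constructed sample: two orders and one payment authorisation."""
    trail = AuditTrail()
    trail.append({"event": "order_placed", "order": "ORD-1001", "customer": "C-42", "amount": "1999.00"})
    trail.append({"event": "payment_authorised", "order": "ORD-1001", "customer": "C-42", "amount": "1999.00"})
    trail.append({"event": "order_placed", "order": "ORD-1002", "customer": "C-17", "amount": "250.00"})
    return trail
```

The chain only proves tampering relative to a tail hash the attacker could not rewrite, so the latest hash has to be anchored periodically outside the system (for example in a signed daily digest kept by a different team); someone with write access to the whole store could otherwise rebuild the chain. It also gives integrity, not non-repudiation: to hold a customer to an order, the record must additionally carry the customer's digital signature, which the IT Act recognises and which this example does not implement.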

I. Virtualization
Virtualization means to create a virtual version of a device or resource, such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments. This refers to technologies designed to provide a layer of abstraction between computer hardware systems and the software running on them. The layer that does this (the hypervisor) becomes the single point of trust for every guest running on it, so it needs the same patching and access-control discipline as the guests themselves.
Application Areas:
• Server Consolidation
• Disaster Recovery
• Testing and Training
• Portable Applications
• Portable Workspaces

Types of Virtualization
Hardware Virtualization: This refers to the creation of a virtual machine that acts like a real computer with an operating system. The basic idea of hardware virtualization is to consolidate many small physical servers into one large physical server so that the processor can be used more effectively. For example, a computer that is running Microsoft Windows may host a virtual machine that looks like a computer with the Linux operating system; Linux-based software can then be run on the virtual machine.
Network Virtualization: It is a method of combining the available resources in a network by splitting up the available bandwidth into channels, each of which is independent from the others, and each of which can be assigned (or reassigned) to a particular server or device in real time. It is intended to optimize network speed, reliability, flexibility, scalability, and security.
Storage Virtualization: It is the apparent pooling of data from multiple storage devices, even different types of storage devices, into what appears to be a single device that is managed from a central console. It helps the storage administrator perform the tasks of backup, archiving, and recovery more easily and in less time by disguising the actual complexity of a Storage Area Network (SAN).

II. Grid Computing: It is a computer network in which each computer's resources are shared with every other computer in the system. It is a distributed architecture of large numbers of computers connected to solve a complex problem. In the grid computing model, servers or personal computers run independent tasks and are loosely linked by the Internet or low-speed networks.
Benefits:
• Making use of underutilized resources
• Resource balancing
• Parallel CPU capacity
• Access to additional resources
• Virtual resources and virtual organizations for collaboration
• Reliability
• Management
Types of Resources:
• Computation
• Storage
• Communications
• Software and licenses
• Special equipment, capacities, architectures, and policies
Security requirements:
• Single sign-on
• Protection of credentials
• Interoperability with local security solutions
• Exportability
• Support for secure group communication
• Support for multiple implementations

III. Cloud Computing: Cloud Computing is a combination of software and hardware based computing resources delivered as a networked service. This model of IT enabled services enables anytime access to a shared pool of applications and resources. These applications and resources can be accessed using a simple front-end interface such as a Web browser, thus enabling users to access the resources from any client device including notebooks, desktops and mobile devices.
Characteristics:
• Elasticity & Scalability
• Pay-Per-Use
• On-demand
• Resiliency
• Multi-Tenancy
• Workload Movement
Advantages:
• Achieve economies of scale
• Reduce spending on technology infrastructure
• Globalize the workforce
• Streamline business processes
• Reduce capital costs
• Pervasive accessibility
• Monitor projects more effectively
• Less personnel training is needed
• Minimize maintenance & licensing software
• Improved flexibility

Types of Cloud
Private Cloud: It resides within the boundaries of an organization and is used exclusively for the organization's benefit. Private Clouds can either be private to the organization and managed by the single organization (On-Premise Private Cloud) or can be managed by a third party (Outsourced Private Cloud). Characteristics: Secure; Central Control; Weak Service Level Agreements (SLAs).
Public Cloud: It is the cloud infrastructure that is provisioned for open use by the general public. It may be owned, managed, and operated by a business, academic, or government organization, or some combination of them. Typically, public clouds are administered by third parties or vendors over the Internet, and the services are offered on a pay-per-use basis. Characteristics: Highly Scalable; Affordable; Less Secure; Highly Available; Stringent SLAs. "Less secure" here describes the loss of direct control, not an inherent weakness: in a public cloud the provider secures the infrastructure while the customer remains responsible for identities, data and configuration.
Community Cloud: It is the cloud infrastructure that is provisioned for exclusive use by a specific community of consumers from organizations that have shared concerns (e.g. mission, security requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or more of the organizations in the community, a third party or some combination of them, and it may exist on or off premises. Characteristics: Collaborative & Distributive maintenance; Partially Secure; Cost effective.
Hybrid Cloud: This is a combination of at least one private (internal) and at least one public (external) cloud computing environment, usually consisting of infrastructure, platforms and applications. The usual method of using the hybrid cloud is to have a private cloud initially, and then use the public cloud for additional resources. Characteristics: Scalable; Partially Secure; Stringent SLAs; Complex Cloud Management.
Cloud Computing Service Models
Infrastructure as a Service (IaaS): IaaS, a hardware-level service, provides computing resources such as processing power, memory, storage, and networks for cloud users to run their applications on demand. This allows users to maximize the utilization of computing capacities without having to own and manage their own resources. Different instances are Network as a Service (NaaS), Storage as a Service (STaaS), Database as a Service (DBaaS), Backend as a Service (BaaS), and Desktop as a Service (DTaaS).
Platform as a Service (PaaS): PaaS provides users the ability to develop and deploy an application on the development platform provided by the service provider. PaaS moves application development from the local machine to online. PaaS providers may provide programming languages, application frameworks, databases, and testing tools, apart from build tools, deployment tools and software load balancers as a service in some cases.
Software as a Service (SaaS): SaaS provides end users the ability to access an application over the Internet that is hosted and managed by the service provider. SaaS is delivered as an on-demand service over the Internet; there is no need to install the software on the end-user's devices. Different instances of SaaS include Testing as a Service (TaaS), API as a Service (APIaaS), Email as a Service (EaaS), Communication as a Service (CaaS), Data as a Service (DaaS), Security as a Service (SECaaS), and Identity as a Service (IDaaS).

IV. Mobile Computing: This refers to technology that allows transmission of data via a computer without having to be connected to a fixed physical link.
Components:
• Mobile Communication: Refers to the infrastructure put in place to ensure that seamless and reliable communication goes on.
• Mobile Hardware: This includes mobile devices/device components that range from portable laptops, smart phones and tablet PCs to Personal Digital Assistants (PDAs).
• Mobile Software: It is the actual programme that runs on the mobile hardware and deals with the characteristics and requirements of mobile applications.
Limitations:
• Insufficient bandwidth
• Security standards
• Power consumption
• Transmission interferences
• Potential health hazards
• Human interface with device
Benefits:
• Mobile workforce with remote access to work order details.
• Enables mobile sales personnel to update work order status in real time.
• Facilitates access to corporate services and information at any time.
• Provides remote access to the corporate knowledge base at job location.
• Enables improved management effectiveness by enhancing information quality, information flow, and the ability to control a mobile workforce.

V. Green Computing: Green Computing or Green IT refers to the study and practice of environmentally sustainable computing or IT. In other words, it is the study and practice of establishing/using computers and IT resources in a more efficient and environmentally friendly and responsible way.
Best Practices:
• Develop a sustainable Green Computing plan
• Recycle
• Make environmentally sound purchase decisions
• Reduce paper consumption
• Conserve energy
VI. BYOD (Bring Your Own Device): This refers to a business policy that allows employees to use their preferred computing devices, like smart phones and laptops, for business purposes. It means employees are welcome to use personal devices (laptops, smart phones, tablets etc.) to connect to the corporate network to access information and applications.
Advantages:
• Happy employees
• Lower IT budgets
• IT reduces support requirement
• Early adoption of new technologies
• Increased employee efficiency
Emerging BYOD Threats:
• Network Risks: Normally exemplified and hidden in 'Lack of Device Visibility'. As BYOD permits employees to carry their own devices (smart phones, laptops) for business use, the IT team is unaware of the number of devices being connected to the network. As network visibility is of high importance, this lack of visibility can be hazardous.
• Device Risks: Normally exemplified and hidden in 'Loss of Devices'. A lost or stolen device can result in enormous financial and reputational embarrassment to an organization, as the device may hold sensitive corporate information.
• Application Risks: Normally exemplified and hidden in 'Application Viruses and Malware'. Organizations are not clear in deciding who is responsible for device security, the organization or the user.
• Implementation Risks: Normally exemplified and hidden in 'Weak BYOD Policy'. The effective implementation of the BYOD program should not only cover the technical issues mentioned above but also mandate the development of a robust implementation policy.
VII. Web 3.0 Technology
• Known as the Semantic Web, this describes sites wherein the computers will generate raw data on their own without direct user interaction.
• The Web 3.0 standard uses semantic web technology, drag and drop mash-ups, widgets, user behaviour, user engagement, and consolidation of dynamic web content depending on the interest of the individual users.
• Web 3.0 Technology uses the "Data Web" technology, which features data records that are publishable and reusable on the web through query-able formats. The Web 3.0 standard also incorporates the latest research in the field of artificial intelligence.
Web 3.0 Components
Semantic Web: This provides the web user a common framework that could be used to share and reuse data across various applications, enterprises, and community boundaries.
Web Services: It is a software system that supports computer-to-computer interaction over the Internet. For example, a photo sharing website.
Example: An application that uses content management systems along with artificial intelligence. This helps to achieve more connected, open and intelligent web applications using concepts of natural language processing, machine learning, machine reasoning and autonomous agents.


System of interrelated computing devices,


mechanical and digital machines, objects, animals
or people that are provided with unique identifiers

Risks
VII. Internet of Ability to transfer data over a network
™To product manufacturer
Things (IoT) without requiring human-to-human or
™To user of these products human-to-computer interaction.
™Technology Risk
™Environmental Risk Application Areas
™Home Appliances
™Office Machines

22 June 2018 The Chartered Accountant Student


ENTERPRISE INFORMATION SYSTEMS

IX. Artificial Intelligence may be defined as the ability to use memory, knowledge, experience, understanding, reasoning, imagination and judgement to solve problems and adapt to new situations. Application areas include medical diagnosis; cancer research; predicting the chances of an individual getting ill with a disease; creating art such as poetry; proving mathematical theorems; playing games (such as Chess or Go) and predicting their outcomes, etc.

X. Machine Learning is a type of Artificial Intelligence (AI) that provides computers with the ability to learn without being explicitly programmed. Machine learning focuses on the development of computer programs that can change when exposed to new data. The process of machine learning is similar to that of data mining. For example, machine learning has been used for image, video, and text recognition, as well as serving as the power behind recommendation engines.

CHAPTER 5: CORE BANKING SYSTEMS

This chapter deals with the components and architecture of Core Banking Systems (CBS) and the impact of related risks and controls, discusses the functioning of the core modules of banking and the business process flow. The chapter also provides a detailed understanding of the regulatory and compliance requirements applicable to CBS such as the Banking Regulation Act, RBI regulations, the Prevention of Money Laundering Act and the Information Technology Act.

Banking is the engine of economic growth, specifically in a rapidly developing country like India with its diverse background, practices, cultures and large geographic dispersion of citizens. The core of banking functions is acceptance of deposits and lending of money. Further, specific services such as demand drafts, bank guarantees, letters of credit, etc. are also provided. The key features of a banking business are as follows:
• The custody of large volumes of monetary items, including cash and negotiable instruments, whose physical security should be ensured.
• Dealing in large volume (in number, value and variety) of transactions.
• Operating through a wide network of branches and departments, which are geographically dispersed.
• Increased possibility of frauds as banks directly deal with money, making it mandatory for banks to provide multi-point authentication checks and the highest level of information security.

PRODUCTS & SERVICES RENDERED BY COMMERCIAL BANKS

I. Acceptance of Deposits: Commercial banks accept deposits in various forms such as term deposits, savings bank deposits, current account deposits, recurring deposits, saving-cum-term deposits and various other innovative products.

II. Granting of Advances: Advances constitute a major source of lending by commercial banks. The types of advances granted by commercial banks take various forms such as cash credit, overdrafts, purchase/discounting of bills, term loans, etc.

III. Remittances: Involves transfer of funds from one place to another. Two of the most common modes of remittance of funds are demand drafts and Telegraphic/Mail Transfers (TT/MT).

IV. Collections: Collections involve collecting proceeds on behalf of the customer. Customers can lodge various instruments such as cheques, drafts, pay orders, travellers' cheques, dividend and interest warrants, tax refund orders, etc.

V. Clearing: This involves collecting instruments on behalf of customers of the bank.

VI. Letters of Credit (LC): It is an undertaking by a bank to the payee to pay to him, on behalf of the applicant, any amount up to the limit specified in the LC, provided the terms and conditions mentioned in the LC are complied with.

VII. Guarantees: These are required by the customers of banks for submission to the buyers of their goods/services to guarantee performance of contractual obligations undertaken by them or satisfactory performance of goods supplied by them, or for submission to certain departments like excise and customs, electricity boards, or to suppliers of goods, etc. in lieu of the stipulated security deposit.

VIII. Credit Cards: Most credit cards issued by banks are linked to one of the international credit card networks like VISA, MasterCard etc.

IX. Debit Cards: Debit Cards enable customers to pay at any authorized outlet as well as to withdraw money from an ATM from their account.

X. Other Banking Services: These include back-office operations, retail banking, High Net-worth Individuals (HNI), risk management and specialized services such as insurance broking, claims, underwriting, life insurance, non-life insurance, etc.

The business processes and standards adopted by banks should consider this new set of IT risks and challenges:
• Frequent changes or obsolescence of technology
• Multiplicity and complexity of systems
• Different types of controls for different types of technologies/systems
• Proper alignment with business objectives and legal/regulatory requirements
• Dependence on vendors due to outsourcing of IT services
• Vendor related concentration risk
• Segregation of Duties (SoD)
• External threats leading to cyber frauds/crime
• Higher impact due to intentional or unintentional acts of internal employees
• New social engineering techniques employed to acquire confidential credentials
• Need for governance processes to adequately manage technology and information security
• Need to ensure continuity of business processes in the event of major exigencies

Control refers to the policies, procedures, practices and organization structures that are designed to provide reasonable assurance that business objectives are achieved and undesired events are prevented, detected or corrected.

General Controls: Also known as Infrastructure Controls, these are pervasive controls and apply to all system components, processes, and data for a given enterprise or systems environment. General Controls include, but are not limited to:
• Information Security Policy;
• Administration, Access, and Authentication;
• Separation of key IT functions;
• Management of Systems Acquisition and Implementation;
• Change Management;
• Backup, Recovery & Business Continuity;
• Proper Development and Implementation of Application Software;
• Confidentiality, Integrity & Availability of Software & data files; and
• Incident response and management.

Application Controls: These are implemented in an application to prevent or detect and correct errors. Application controls ensure that all transactions are authorized, complete and accurate. Some examples of Application Controls are as follows:
• Data edits (editing of data is allowed only for permissible fields);
• Separation of business functions (e.g., transaction initiation versus authorization);
• Balancing of processing totals (debit and credit of all transactions are tallied);
• Transaction logging (all transactions are identified with a unique id and logged);
• Error reporting (errors in processing are reported); and
• Exception Reporting (all exceptions are reported).

Key Modules of Core Banking System (CBS) (figure not reproduced): a Central Server connected to Mobile Banking, Internet Banking, ATM Switch, Phone Banking, Back Office, Credit Card System, Branch and Data Warehouse.
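The six application controls listed above are easier to reason about when seen together in one posting routine. The block below is an added example written for this capsule's discussion, not code from any CBS product: it restricts post-entry edits to permissible fields, refuses a transaction whose maker is also its checker, tallies debit and credit totals before posting, assigns every transaction a unique id and logs every outcome, and produces separate error and exception reports. The account numbers, user names, exception threshold and editable-field list are constructed assumptions.

```python
"""Added example (not from the ICAI capsule): a small posting engine that
enforces the application controls listed above: data edits restricted to
permissible fields, maker/checker separation, balancing of debit and credit
totals, unique transaction ids with logging, and error/exception reporting.
Thresholds, field names and transactions are constructed for illustration."""
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Optional, Tuple
import uuid

EDITABLE_FIELDS = {"narration"}            # data edit control: only this field may change after entry
EXCEPTION_THRESHOLD = Decimal("1000000")   # assumed limit above which a posting is reported as an exception


@dataclass
class Leg:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass
class Transaction:
    maker: str                      # user who initiated the transaction
    legs: List[Leg]
    narration: str = ""
    checker: Optional[str] = None   # user who authorised it; must differ from maker
    txn_id: str = field(default_factory=lambda: uuid.uuid4().hex)  # unique id for logging


class PostingEngine:
    def __init__(self) -> None:
        self.log: List[Tuple[str, str, str]] = []          # (txn_id, user, outcome) for every attempt
        self.error_report: List[Tuple[str, str]] = []      # (txn_id, reason) for rejected work
        self.exception_report: List[Tuple[str, str]] = []  # (txn_id, note) for posted but unusual items
        self.posted: Dict[str, Transaction] = {}

    def edit(self, txn: Transaction, field_name: str, value: str) -> bool:
        """Data edit control: reject changes to any field outside EDITABLE_FIELDS."""
        if field_name not in EDITABLE_FIELDS:
            self.error_report.append((txn.txn_id, f"edit of field '{field_name}' not permitted"))
            self.log.append((txn.txn_id, txn.maker, "edit rejected"))
            return False
        setattr(txn, field_name, value)
        self.log.append((txn.txn_id, txn.maker, f"edited {field_name}"))
        return True

    def post(self, txn: Transaction) -> bool:
        """Authorise, balance and post a transaction; every outcome is logged."""
        reasons: List[str] = []
        if txn.checker is None:
            reasons.append("not authorised")
        elif txn.checker == txn.maker:
            reasons.append("maker and checker are the same user")      # separation of business functions
        total_dr = sum((leg.debit for leg in txn.legs), Decimal("0"))
        total_cr = sum((leg.credit for leg in txn.legs), Decimal("0"))
        if total_dr != total_cr:
            reasons.append(f"unbalanced: Dr {total_dr} vs Cr {total_cr}")  # balancing of processing totals
        if txn.txn_id in self.posted:
            reasons.append("duplicate transaction id")
        if reasons:
            for reason in reasons:
                self.error_report.append((txn.txn_id, reason))         # error reporting
            self.log.append((txn.txn_id, txn.maker, "rejected"))       # transaction logging
            return False
        self.posted[txn.txn_id] = txn
        self.log.append((txn.txn_id, txn.checker, "posted"))
        if total_dr > EXCEPTION_THRESHOLD:
            self.exception_report.append((txn.txn_id, f"high value {total_dr}"))  # exception reporting
        return True


def run_sample() -> PostingEngine:
    """Constructed sample: one good posting, one self-approved, one unbalanced, one high-value."""
    engine = PostingEngine()
    ok = Transaction("maker1", [Leg("CASA-001", debit=Decimal("500")), Leg("CASA-002", credit=Decimal("500"))],
                     narration="transfer", checker="checker1")
    self_approved = Transaction("maker1", [Leg("CASA-001", debit=Decimal("100")), Leg("CASA-003", credit=Decimal("100"))],
                                checker="maker1")
    unbalanced = Transaction("maker2", [Leg("LOAN-009", debit=Decimal("700")), Leg("CASA-004", credit=Decimal("600"))],
                             checker="checker1")
    big = Transaction("maker2", [Leg("TRSY-001", debit=Decimal("2500000")), Leg("CASA-005", credit=Decimal("2500000"))],
                      checker="checker2")
    for txn in (ok, self_approved, unbalanced, big):
        engine.post(txn)
    engine.edit(ok, "legs", "[]")            # rejected: legs is not an editable field
    engine.edit(ok, "narration", "salary")   # allowed
    return engine
```

Amounts are Decimal rather than float so that the debit/credit tally is exact, and the log records the checker, not the maker, as the user responsible for a posted transaction, which is what an auditor tracing a posting back to a person needs.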

RISKS AND CONTROLS

• Risk can be defined as "the potential harm caused if a threat exploits a particular vulnerability to cause damage to an asset."
• Risk Analysis is defined as the process of identifying security risks and determining their magnitude and impact on an organization.

IT Risk Management is as follows:
• Avoid: Eliminate the risk by not taking up or avoiding the specific business process which involves the risk.
• Mitigate: Implement controls (e.g. acquire and deploy security technology to protect the IT infrastructure).
• Transfer: Share the risk with partners or transfer it to insurance coverage.
• Accept: Formally acknowledge that the risk exists and monitor it.

CBS Working (lifecycle figure, not reproduced): Planning → Approval → Selection → Design and Develop/Procure → Testing → Implementation → Maintenance → Support → Updation → Audit.

Planning: Implementation of CBS should be done as per the strategic and business objectives of the bank.

Approval: The decision to implement CBS must be approved by the Board of Directors, as high investment and recurring costs are involved.

Selection: The bank should select the right solution considering the various parameters defined by the bank to meet its specific requirements and business objectives.

Design/Develop or Procure: Currently, most CBS deployments are procured. There should be appropriate controls covering the design, development or procurement of CBS for the bank.

Testing: Testing is to be done at different phases: at the procurement stage to test suitability; at data migration to ensure all existing data is correctly migrated; and testing to confirm that processing of the various types of transactions of all modules produces the correct results.

Implementation: CBS must be implemented as per a pre-defined and agreed plan with specific project milestones to ensure successful implementation.

Maintenance: CBS must be maintained as required, e.g. program bugs fixed, version changes implemented, etc.

Support: CBS must be supported to ensure that it is working effectively.

Updation: CBS modules must be updated based on the requirements of business processes, technology updates and regulatory requirements.

Audit: Audit of CBS must be done internally and externally as required to ensure that controls are working as envisaged.

CBS IT ENVIRONMENT

The CBS facilities provide banking services for the branches of a bank, which are networked and connected to a common data center. This enables staff to process transactions of customers of any branch. The Server is a sophisticated computer that accepts service requests from different machines called clients. The requests are processed by the server and sent back to the clients. The different types of servers used in deploying CBS are as follows:

CBS SERVERS AND THEIR FUNCTIONING

Application Server: The application software resides in the application server and is always the latest version as accepted after adequate testing.

Database Server: The Database Server of the bank contains the entire data of the bank, consisting of the various accounts of customers and master data.

ATM Channel Server: This server contains the details of ATM account holders. Soon after the facility of using the ATM is created by the bank, the details of such customers are loaded on to the ATM server.

Internet Banking Channel Server (IBCS): IBCS software stores the name and password of all internet banking customers. The IBCS server also contains the details of the branch to which the customer belongs. In practice the password must be held only as a salted one-way hash, never in a recoverable form, so that a compromise of IBCS does not expose customers' credentials.

Internet Banking Application Server (IBAS): The Internet Banking Software stored in IBAS authenticates the customer with the login details stored in IBCS.

Web Server: The Web Server is used to host all web services and internet related software. A web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to their requests, which are forwarded by their computers' HTTP clients.

Proxy Server: A Proxy Server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services.

Anti-Virus Software Server: The Anti-Virus Server hosts the anti-virus software which is deployed to ensure that all software deployed is first scanned, so that appropriate virus/malware scans are performed.

Core Business Process Flow (figure not reproduced): Current & Savings Account (CASA), Credit Cards, Loans and Mortgages, Trade Finance, Treasury, Internet Banking.
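The IBAS/IBCS pair above describes an application server that authenticates against a separate credential store. The block below is an added example, not code from any bank's CBS, showing how that split works when the store holds only a per-customer random salt and a PBKDF2-HMAC-SHA256 hash rather than the password, verifies with a constant-time comparison, locks the user after repeated failures, and logs every attempt with the user id, branch and outcome so that the person behind a login stays traceable (the "authentication procedures" risk discussed later in this chapter). The customer id, branch code, password, iteration count and lockout threshold are constructed assumptions.

```python
"""Added example (not from the ICAI capsule): authentication split between an
application server (the IBAS role) and a credential store (the IBCS role).
The store never holds the password, only a random salt and a PBKDF2 hash;
every attempt is logged with user id, branch and outcome.  Names, branch
codes, the iteration count and the lockout threshold are assumptions."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

PBKDF2_ITERATIONS = 200_000   # assumed work factor for this demonstration; tune to the bank's hardware
MAX_FAILED_ATTEMPTS = 5       # assumed lockout threshold
DUMMY_SALT = b"\x00" * 16     # used to spend the same effort on unknown user ids


class CredentialStore:
    """Stands in for the IBCS role: salt + hash + branch per customer, never the password."""

    def __init__(self) -> None:
        self._users: Dict[str, Dict] = {}

    def enrol(self, user_id: str, password: str, branch: str) -> None:
        salt = os.urandom(16)   # fresh random salt per customer
        self._users[user_id] = {
            "salt": salt,
            "hash": hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS),
            "branch": branch,
            "failed": 0,
        }

    def get(self, user_id: str) -> Optional[Dict]:
        return self._users.get(user_id)


class AuthServer:
    """Stands in for the IBAS role: verifies a login against the store and logs every attempt."""

    def __init__(self, store: CredentialStore) -> None:
        self.store = store
        self.audit_log: List[Tuple[str, str, str]] = []   # (user_id, branch, outcome)

    def login(self, user_id: str, password: str) -> bool:
        rec = self.store.get(user_id)
        if rec is None:
            # Same work as for a real user, so response time does not reveal which ids exist.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), DUMMY_SALT, PBKDF2_ITERATIONS)
            self.audit_log.append((user_id, "-", "unknown user"))
            return False
        if rec["failed"] >= MAX_FAILED_ATTEMPTS:
            self.audit_log.append((user_id, rec["branch"], "locked"))
            return False
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), rec["salt"], PBKDF2_ITERATIONS)
        if hmac.compare_digest(candidate, rec["hash"]):   # constant-time comparison
            rec["failed"] = 0
            self.audit_log.append((user_id, rec["branch"], "success"))
            return True
        rec["failed"] += 1
        self.audit_log.append((user_id, rec["branch"], "wrong password"))
        return False


def build_sample() -> AuthServer:
    """Constructed sample: one enrolled customer at branch BR001."""
    store = CredentialStore()
    store.enrol("cust1001", "correct horse battery", "BR001")   # constructed credentials
    return AuthServer(store)
```

The store's record carries no way to recover the password, so a leaked IBCS copy forces an attacker to guess against a slow hash per customer; the dummy hash on unknown ids and the constant-time compare avoid giving away which ids or prefixes are valid, and the audit log, not the session, is what an investigator uses to attribute a transaction to a login.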

Figure: e-Commerce transaction flow for approval of payments (diagram not reproduced).

RISKS ASSOCIATED WITH CBS

Ownership of Data/Process: Data resides at the Data Centre. Establish clear ownership.

Authorization Process: Anybody with access to the CBS, including the customer himself, can enter data directly. What is the authorization process?

Authentication Procedures: These may be inadequate, and hence the user entering the transaction may not be determinable or traceable.

Several software interfaces across diverse networks: A Data Centre can have as many as 75-100 different interface and application software packages.

Maintaining Response Time: Maintaining the interfacing software and ensuring optimum response time and up time can be challenging.

User Identity Management: This could be a serious issue. Some banks may have more than 5000 users interacting with the CBS at once.

Access Controls: Designing and monitoring access control is an extremely challenging task.

Incident handling procedures: These may not be adequate considering the need for real-time risk management.

Change Management: At application level and data level: master files, transaction files and reporting software.

IT Related Risks

From a business perspective, the risks that can be classified based on the following information criteria are as follows:
• Efficiency: Process response is delayed, resulting in dissatisfied stakeholders.
• Effectiveness: Process is ineffective and multiple runs consume time.
• Reliability: Users lose confidence in the information system.
• Confidentiality: Loss of critical data.
• Integrity: Incomplete or inaccurate data due to errors in input or processing.
• Availability: Information system is not available when required.
• Compliance: The information system does not comply with legal, regulatory, contractual or internal compliance requirements.

Applicable Regulatory and Compliance Requirements

Negotiable Instruments Act, 1881 (NI Act): Under the NI Act, "cheque" includes the electronic image of a truncated cheque and a cheque in electronic form. The truncation of cheques in clearing has been given effect to, and appropriate safeguards in this regard have been set forth in the guidelines issued by RBI from time to time.

I. The Reserve Bank of India (RBI) was established on April 1, 1935 in accordance with the provisions of the Reserve Bank of India Act, 1934. The basic functions of the Reserve Bank are "to regulate the issue of Bank Notes and keeping of reserves with a view to securing monetary stability in India and generally to operate the currency and credit system of the country to its advantage."

II. Money Laundering is the process by which the proceeds of crime and the true ownership of those proceeds are concealed or made opaque so that the proceeds appear to come from a legitimate source.
• Prevention of Money Laundering Act (PMLA)
• Three stages of Money Laundering:
  • Placement: Involves the placement of proceeds derived from illegal activities: the movement of proceeds, frequently currency, from the scene of the crime to a place, or into a form, less suspicious and more convenient for the criminal.
  • Layering: Involves the separation of proceeds from the illegal source using complex transactions designed to obscure the audit trail and hide the proceeds.
  • Integration: Involves conversion of illegal proceeds into apparently legitimate business earnings through normal financial or commercial operations.
• Anti-Money Laundering (AML) using Technology
• Financing of Terrorism

Information Technology (IT) Act

The Information Technology Act was passed in 2000, amended in 2008, and the Rules were passed in 2011.
• The Act provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication, commonly referred to as "electronic commerce", which involve the use of alternatives to paper-based methods of communication and storage of information, to facilitate electronic filing of documents with the Government.
• The Act provides the legal framework for electronic governance by giving recognition to electronic records and digital signatures. It also deals with cybercrime and facilitates electronic commerce. It defines cyber-crimes and prescribes penalties for them.
• The Amendment Act 2008 provides stronger privacy and data protection measures, as well as requiring reasonable information security practices, implemented through ISO 27001 or equivalent certifiable standards, to protect against cyber-crimes.
• Cyber Crimes: Also known as computer crime, it is defined as "Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as the Internet (chat rooms, emails, notice boards and groups) and mobile phones".

Some examples of offences in the IT Act which could impact banks:
• Section 43: Penalty and compensation for damage to computer, computer system, etc.
• Section 65: Tampering with computer source documents
• Section 66: Computer related offences
• Section 66-B: Punishment for dishonestly receiving stolen computer resource or communication device
• Section 66-C: Punishment for identity theft
• Section 66-D: Punishment for cheating by personation by using computer resource
• Section 66-E: Punishment for violation of privacy

Sensitive Personal Data or Information (SPDI)

The IT Act, through the Rules of 2011, has a specific category, "Sensitive Personal Data or Information," which consists of passwords, financial information (including bank account, credit card, debit card or other payment details), physical, physiological and mental health conditions, sexual orientation, medical records, and biometric information. This legally obligates all stakeholders (i.e., any individual or organization that collects, processes, transmits, transfers, stores or deals with sensitive personal data) to adhere to its requirements.