
CHARTERED ACCOUNTANCY PROFESSIONAL III

(CAP-III)

Compilation of Suggested Answers

Paper 5: Management Information and Control System


(Dec 2003 - June 2019)

Education Department
The Institute of Chartered Accountants of Nepal
Publisher: The Institute of Chartered Accountants of Nepal
ICAN Marg, Satdobato, Lalitpur, P.O. Box: 5289
Tel: 977-1-5530832, 5530730, Fax: 977-1-5550774
E-mail: ican@ntc.net.np, Website: www.ican.org.np

© The Institute of Chartered Accountants of Nepal

This compilation of suggested answers is prepared by the Institute of Chartered Accountants of
Nepal. Permission of the Council of the Institute is essential for reproduction of any portion of this
paper.

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or
transmitted, in any form, or by any means, electronic, mechanical, photocopying, printing,
recording or otherwise, without prior permission, in writing, from the publisher.

The compilation of suggested answers is prepared by the Institute with a view to assist the students
of ICAN in their study. The suggested answers presented here are indicative and not exhaustive.
Students are expected to apply their knowledge and write the answer in the examinations taking the
suggested answers as guidance.

Due care has been taken to compile the suggested answers. In case students need any clarification,
creative feedbacks or suggestions for the further improvement on the material, or any error or
omission on the material, they may report to the email educationdepartment@ican.org.np at
Education Department of the Institute.

Further, printed book for the compilation of suggested answer will be available at the Institute and
the same shall be notified in website. Students willing to have the printed books may purchase from
the store of the Institute after the publication of notice.

September 2019

Education Department
The Institute of Chartered Accountants of Nepal
Table of Content
S.No Chapter
1 Organizational Management and Information System
2 Types of Information System
3 Information Technology Strategy and Trends
4 System Development Life Cycle - Acquisition, Development, Implementation, Maintenance and Support
5 System Analysis and Design
6 E-Commerce and Inter organizational Systems
7 E-Business Enabling Software Package
8 Protection of Information Assets
9 Disaster Recovery and Business Continuity Planning
10 Auditing and Information System
11 Ethics and legal Issues in Information Technology
12 Electronic Transactions Act, 2063
Chapter 1:

Organizational Management and Information System


CAP III Paper- 5 Management Information and Control System

Question No 1:
Write short note on:
a. Database (June 2008)(2.5 Marks)
Answer :
Database, also called electronic database, is any collection of data, or information, that is specially
organized for rapid search and retrieval by a computer. Databases are structured to facilitate the
storage, retrieval, modification, and deletion of data in conjunction with various data-processing
operations. A database management system (DBMS) extracts information from the database in
response to queries.
A database is stored as a file or a set of files on magnetic disk or tape, optical disk, or some other
secondary storage device. The information in these files may be broken down into records, each of
which consists of one or more fields. Fields are the basic units of data storage, and each field
typically contains information pertaining to one aspect or attribute of the entity described by the
database. Records are also organized into tables that include information about relationships
between its various fields. Although database is applied loosely to any collection of information in
computer files, a database in the strict sense provides cross-referencing capabilities. Using
keywords and various sorting commands, users can rapidly search, rearrange, group, and select the
fields in many records to retrieve or create reports on particular aggregates of data.
Database records and files must be organized to allow retrieval of the information. Queries are the
main way users retrieve database information. The power of a DBMS comes from its ability to
define new relationships from the basic ones given by the tables and to use them to get responses
to queries. Typically, the user provides a string of characters, and the computer searches the
database for a corresponding sequence and provides the source materials in which those characters
appear.
The many users of a large database must be able to manipulate the information within it quickly at
any given time. Moreover, large business and other organizations tend to build up many
independent files containing related and even overlapping data, and their data-processing activities
often require the linking of data from several files. Several different types of DBMS have been
developed to support these requirements: flat, hierarchical, network, relational, and object-
oriented.
Early systems were arranged sequentially (i.e., alphabetically, numerically, or chronologically);
the development of direct-access storage devices made possible random access to data via indexes.
In flat databases, records are organized according to a simple list of entities; many simple
databases for personal computers are flat in structure. The records in hierarchical databases are
organized in a treelike structure, with each level of records branching off into a set of smaller
categories. Unlike hierarchical databases, which provide single links between sets of records at
different levels, network databases create multiple linkages between sets by placing links, or
pointers, to one set of records in another; the speed and versatility of network databases have led
to their wide use within businesses and in e-commerce. Relational databases are used where
associations between files or records cannot be expressed by links; a simple flat list becomes one
row of a table, or "relation," and multiple relations can be mathematically associated to yield
desired information. Various iterations of SQL (Structured Query Language) are widely employed
in DBMS for relational databases. Object-oriented databases store and manipulate more complex
data structures, called "objects," which are organized into hierarchical classes that may inherit
properties from classes higher in the chain; this database structure is the most flexible and
adaptable.

The information in many databases consists of natural-language texts of documents; number-oriented
databases primarily contain information such as statistics, tables, financial data, and raw
scientific and technical data. Small databases can be maintained on personal-computer systems
and may be used by individuals at home. These and larger databases have become increasingly
important in business life, in part because they are now commonly designed to be integrated with
other office software, including spreadsheet programs.
Typical commercial database applications include airline reservations, production management
functions, medical records in hospitals, and legal records of insurance companies. The largest
databases are usually maintained by governmental agencies, business organizations, and
universities. These databases may contain texts of such materials as abstracts, reports, legal
statutes, wire services, newspapers and journals, encyclopaedias, and catalogs of various kinds.
Reference databases contain bibliographies or indexes that serve as guides to the location of
information in books, periodicals, and other published literature. Thousands of these publicly
accessible databases now exist, covering topics ranging from law, medicine, and engineering to
news and current events, games, classified advertisements, and instructional courses.

Increasingly, formerly separate databases are being combined electronically into larger collections
known as data warehouses. Businesses and government agencies then employ "data mining"
software to analyze multiple aspects of the data for various patterns. For example, a government
agency might flag for human investigation a company or individual that purchased a suspicious
quantity of certain equipment or materials, even though the purchases were spread around the
country or through various subsidiaries.

b. Product development and Product Planning (Old Syllabus December 2010)(5 Marks)
Answer :
| SN | Product Development | Product Planning |
|----|---------------------|------------------|
| 1 | It is the process of analyzing a possible opportunity for a new product and evaluating preferred specifications and probable market success | It is the process of providing system for marketing management with packaging, promotion, pricing and style recommendations throughout the life of product |
| 2 | The product development process is carried out based upon the information that is obtained from the customer | It provides information to the sales activity about sales strategies, and the feedback to the sales forecasting |
| 3 | While developing the product, all the information will be gathered from all concerned stakeholders and it will be shared among engineering and pricing departments | Product planning also decides what new products will be introduced and passes along information about this to the new product development system |

c. Hardware evaluation criteria (Old syllabus, December 2011)(5 Marks) (Old Syllabus December 2012)(5 Marks)
a) To evaluate and select hardware, organizations typically:
• Require suppliers to present bids and proposals based on system specifications developed
during the design stage of systems development.
• Establish minimum acceptable physical and performance characteristics for all hardware
requirements.
• Government agencies and most large businesses use a document called an RFP (request for
proposal) or RFQ (request for quotation), which lists all the required specifications.
• When several competing proposals for hardware acquisition need to be evaluated, a scoring
system may be used, giving a numerical score for each of several evaluation factors. Each
competing proposal is assigned points for each factor, depending on how well it meets the
specifications of the computer user.
• Hardware should be demonstrated and evaluated.
• Using special benchmark test programs and test data to evaluate proposed hardware. Special
software simulators may also be available that simulate the processing of typical jobs on
several computers and evaluate their performances.
• Other users are frequently the best source of information needed to evaluate the claims of
manufacturers and suppliers. Good example: Internet newsgroups.

When evaluating computer hardware, you should investigate specific physical and performance
characteristics for each hardware component to be acquired. This is true whether you are
evaluating mainframes, microcomputers, or peripheral devices. Hardware evaluation factors
include:
• Performance
• Cost
• Reliability
• Compatibility
• Technology
• Ergonomics
• Connectivity
• Scalability
• Software
• Support

d. Snapshot Technique (June 2011)(5 Marks)


Snapshot is a technique that records the flow or processing of designated transactions through
different logic paths within programs and helps verify program logic at a particular time or
situation. It is used as a system testing tool and also as a concurrent audit tool that examines the
way transactions are processed by marking and recording selected transactions with a special
code. Extensive knowledge of the information systems environment is required for its effective
use.
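
A minimal sketch of the snapshot technique described above, added here as an illustration and not part of the suggested answer: transactions carrying a special audit code are recorded (state before and after) at each logic path they pass through, so a reviewer can confirm which path was taken. The `SNAP` code, the `post_sale` routine, its discount and credit-limit rules, and the sample transactions are all constructed assumptions.

```python
import copy

SNAPSHOT_CODE = "SNAP"  # assumed special code that marks a transaction for snapshot


class SnapshotLog:
    """Collects before/after images of tagged transactions at named logic points."""

    def __init__(self):
        self.records = []

    def capture(self, txn, point, before, after):
        # Untagged transactions are processed normally and leave no snapshot.
        if txn.get("audit_code") != SNAPSHOT_CODE:
            return
        self.records.append({
            "txn_id": txn["id"],
            "point": point,
            "before": copy.deepcopy(before),
            "after": copy.deepcopy(after),
        })

    def path_of(self, txn_id):
        """Logic points a tagged transaction passed through, in order."""
        return [r["point"] for r in self.records if r["txn_id"] == txn_id]


def post_sale(txn, accounts, log):
    """Hypothetical credit-sale posting routine with three logic paths."""
    acct = accounts[txn["account"]]
    before = dict(acct)
    amount = txn["amount"]

    if amount >= 1000:  # path 1: volume discount (assumed rule: 5% off)
        discounted = round(amount * 0.95, 2)
        log.capture(txn, "discount_applied", {"amount": amount}, {"amount": discounted})
        amount = discounted

    if acct["balance"] + amount > acct["credit_limit"]:  # path 2: rejection
        log.capture(txn, "rejected_credit_limit", before, dict(acct))
        return False

    acct["balance"] = round(acct["balance"] + amount, 2)  # path 3: posting
    log.capture(txn, "posted", before, dict(acct))
    return True


def posted_delta(log, txn_id):
    """Balance change recorded for a posted, tagged transaction (None if not posted)."""
    for r in log.records:
        if r["txn_id"] == txn_id and r["point"] == "posted":
            return round(r["after"]["balance"] - r["before"]["balance"], 2)
    return None


def run_demo():
    # Constructed sample data: one account and four sales, three of them tagged.
    accounts = {"A": {"balance": 0.0, "credit_limit": 1500.0}}
    txns = [
        {"id": "T1", "account": "A", "amount": 200.0, "audit_code": SNAPSHOT_CODE},
        {"id": "T2", "account": "A", "amount": 1200.0, "audit_code": SNAPSHOT_CODE},
        {"id": "T3", "account": "A", "amount": 500.0},  # untagged: no snapshot
        {"id": "T4", "account": "A", "amount": 300.0, "audit_code": SNAPSHOT_CODE},
    ]
    log = SnapshotLog()
    results = {t["id"]: post_sale(t, accounts, log) for t in txns}
    return log, accounts, results


if __name__ == "__main__":
    log, accounts, results = run_demo()
    for rec in log.records:
        print(rec)
```

The auditor compares `path_of` and `posted_delta` for each tagged transaction with the result worked out by hand from the business rules; a mismatch points to a logic error in the path that produced it.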

e. IT strategy planning. (December 2012)(5 Marks)


A plan is a predetermined course of action to be taken in the future. It is a document containing the
details of how the action will be executed, and it is made against a time scale. The goals and the
objectives that a plan is supposed to achieve are the pre-requisites of a plan. The setting of the goals
and the objectives is the primary task of the Management without which planning cannot begin.
Planning involves a chain of decisions, one dependent on the other, since it deals with a long term
period. A successful implementation of a plan means the execution of these decisions in a right
manner one after another.
Planning, in terms of future, can be long-range or short-range. Long-range planning is for a period
of five years or more, while short-range planning is for one year at the most. The long-range
planning is more concerned about the business as a whole, and deals with subjects like the growth
and the rate of growth, the direction of business, establishing some position in the business world
by way of a corporate image, a business share and so on. On the other hand, short-range planning is
more concerned with the attainment of the business results of the year. It could also be in terms of
action by certain business tasks, such as launching of a new product, starting a manufacturing
facility, completing the project, achieving intermediate milestones on the way to the attainment of
goals. The goals relate to long-term planning and the objectives relate to the short-term planning.
There is a hierarchy of objectives which together take the company to the attainment of goals. The
plans, therefore, relate to the objectives when they are short-range and to goals when they are
long-range.
Long-range planning deals with resource selection, its acquisition and allocation. It deals with the
technology and not with the methods or the procedures. It talks about the strategy of achieving the
goals. The right strategy improves the chances of success tremendously. At the same time, a wrong
strategy means a failure in achieving the goals.

Corporate business planning deals with the corporate business goals and objectives. The business
may be a manufacturing or a service; it may deal with the industry or trade; may operate in a public
or a private sector; may be national or international business. Corporate business planning is a
necessity in all cases. Though the corporate business planning deals with a company, its universe is
beyond the company. The corporate business plan considers the world trends in the business, the
industry, the technology, the international markets, the national priorities, the competitors, the
business plans, the corporate strengths and the weaknesses for preparing a corporate plan. Planning,
therefore, is a complex exercise of steering the company through the complexities, the difficulties,
the inhibitions and the uncertainties towards the attainment of goals and objectives.

f. Object Oriented Design (December 2012)(5 Marks)


An object contains encapsulated data and procedures grouped together to represent an entity. The
'object interface', how the object can be interacted with, is also defined. An object-oriented program
is described by the interaction of these objects. Object-oriented design is the discipline of defining
the objects and their interactions to solve a problem that was identified and documented
during object-oriented analysis.
During object-oriented design (OOD), a developer applies implementation constraints to the
conceptual model produced in object-oriented analysis. Such constraints could include not only
constraints imposed by the chosen architecture but also any non-functional – technological or
environmental – constraints, such as transaction throughput, response time, run-time platform,
development environment, or those inherent in the programming language. Concepts in the analysis
model are mapped onto implementation classes and interfaces resulting in a model of the solution
domain, i.e., a detailed description of how the system is to be built.

g. Software Reliability (December 2012)(5 Marks)


Software reliability is defined as the probability of failure-free operation of a software system for a
specified time in a specified environment.
• Key elements of the above definition
  • Probability of failure-free operation
  • Length of time of failure-free operation
  • A given execution environment
Example
The probability that a PC in a store is up and running for eight hours without crash is 0.99.

Failure intensity is a measure of the reliability of a software system operating in a given
environment. Example: An air traffic control system fails once in two years.
The first puts emphasis on MTTF, whereas the second on count.
A user's perception of the reliability of software depends upon two categories of information.
• The number of faults present in the software.
• The ways users operate the system.
  • This is known as the operational profile.
• The fault count in a system is influenced by the following.
  • Size and complexity of code
  • Characteristics of the development process used
  • Education, experience, and training of development personnel
  • Operational environment

h. Role of IT in business development (June 2017)(5 Marks)


Modern businesses are influenced by different factors for their smooth operation, profitability and
overall success. Having all the necessary information in a properly managed, easily accessible and
secure way is the most critical factor to have a competitive business operation. From HR
management to business transactions, from supply chain management to accounting and finance,
from decision support system to operational transaction processing automation, quick, precise and
timely availability of information is the key for success. All this can be achieved only when there is
a good deployment, management, operation of IT facilities in the organization. Modern
organizations cannot even imagine operating without computerized systems for almost every
aspect of the business activities, both internal and external to the organization. So, in short, IT has a
pivotal and critical role in modern business organization. Hence, every successful business
organization is powered by well-designed, timely and efficient use of Information Technology and
its facilities.

i. Project management (December 2014)(5 Marks)


A project is a temporary sequence of unique, complex, and connected activities that have one goal
or purpose and that must be completed on time, within budget, and according to specification.
To ensure that the project meets the deadline, is developed within an acceptable budget, and fulfills
customer expectations and specifications, effective project management is necessary.
Project management is the process of scoping, planning, estimating, scheduling, organizing,
directing, controlling and closing the development of an acceptable system at minimum
cost within a specified time frame.
• Scoping – Scope defines the boundaries of the project. A project manager must scope
project expectations and constraints in order to plan activities, estimate cost, and manage
expectations.
• Planning – It identifies the tasks required to complete the project.
• Estimating – Each task must be estimated. The estimating issues include: cost and time
requirement, number of people needed, skills needed, priority of tasks, and overlapping
tasks.
• Scheduling – Given the project plan, the project manager is responsible for scheduling all
project activities. The project schedule should be developed with an understanding of the
required tasks, task duration, and task prerequisites.
• Organizing – The project manager should make sure that members of the project team
understand their own roles and responsibilities as well as their reporting relationship to the
project manager.
• Directing – Once the project has begun, the project manager must supervise the team's
activities. Every project manager must have people management skills to coordinate,
delegate, motivate, advise, appraise, and reward team members.
• Controlling – The project manager must monitor and report progress against goals,
schedule, and cost and make appropriate adjustment in case of problem.
• Closing – Project managers always assess successes and failures at the conclusion of
project. They learn from their mistakes and plan for continuous improvement of the systems
development process.

j. Economic feasibility (June 2013)(5 Marks)


Economic Feasibility: It includes an evaluation of all the incremental costs and benefits expected if
the proposed system is implemented. This is the most difficult aspect of the study. The financial
and economic questions raised by analysts during the preliminary investigation are for the purpose
of estimating the following:
a. The cost of conducting a full systems investigation.
b. The cost of hardware and software for the class of applications being considered.
c. The benefits in the form of reduced costs or fewer costly errors.
d. The cost if nothing changes (i.e., the proposed system is not developed)
e. The procedure employed is the traditional cost-benefit study.

k. Consultant level role of IT professional (June 2013)(5 Marks)


Consultant level role is perhaps the highest and most abstract role of IT professional in an
organization. Such roles are normally short term, highly focused, well-defined and limited to a
particular project or task. Because of such focused responsibility, consultants are supposed to be
top experts in that particular area and capable of providing important suggestions and counsel to the
organization in the pre-defined time frame. Consultants are normally hired at the design or
deployment stages of the information system. Consultant at the design stage normally provides
information related to the system design aspects such as feasibility, architectural layout,
development plans etc. A consultant working at the deployment phase provides inputs to the
implementation team to enable them to make timely and effective deployment while keeping in
mind the expected goals of the system. Consultant level role hence normally involves a critical
study of the process and system and presentation of constructive ideas and suggestions to the major
stakeholders of the system being designed, developed or deployed. Consultants may also be hired
in cases where a system needs to be discontinued and replaced by a new one.

Question No 2:
How can the system approach be used for solving the problem? Explain briefly by taking a
hypothetical problem in a company. (December 2003)(10 Marks) (December 2006)(6 Marks)
Answer No 2:
The systems approach to problem solving uses a systems orientation to define problems and
opportunities and develop solutions. Studying a problem and formulating a solution involve the
following interrelated activities:
i. Defining of the problem.
ii. Gathering and analysing data concerning the problem.
iii. Identification of alternative solutions.
iv. Evaluation of alternative solution.
v. Selection of the best alternative.
vi. Implementation of the solution.
vii. Post Implementation Review

1. Defining Problems and Opportunities


Problems and opportunities are identified in the first step of the systems approach. A problem can
be defined as a basic condition that is causing undesirable results. An opportunity is a basic
condition that presents the potential for desirable results. Symptoms must be separated from
problems. Symptoms are merely signals of an underlying cause or problem.
Example:
Symptom: Sales of a company's products are declining.
Problem: Sales persons are losing orders because they cannot get current information on product
prices and availability.
Opportunity: We could increase sales significantly if sales persons could receive instant responses
to requests for price quotations and product availability.
Sometimes one may confuse the symptoms or the exhibition of a behavior to be a problem but
actually it may only be a symptom of a larger malaise. It may just exhibit the behavior of a larger
phenomenon. It is vital to drill deep into an issue and clearly understand the problem rather than
having a superficial understanding of the problem. One must appreciate that this is the initial stage
of problem solving and if the problem itself is not correctly diagnosed then the solution will
obviously be wrong. Systems approach is therefore used to understand the problem in granular
detail to establish requirement and objectives in-depth. By using the systems approach the problem
will be analyzed in its totality with inherent elements and their interrelationships and therefore this
detailed analysis will bring out the actual problem and separate out the symptom from it.

2. Gathering and analyzing data concerning the problem.

Systems thinking is to try to find systems, subsystems, and components of systems in any situation
you are studying. This viewpoint ensures that important factors and their interrelationships are
considered. This is also known as using a systems context, or having a systemic view of a situation.
For example, the business organization or business process in which a problem or opportunity arises
could be viewed as a system of input, processing, output, feedback, and control components. Then
to understand a problem and solve it, you would determine if these basic system functions are being
properly performed.
Example:
The sales function of a business can be viewed as a system. You could then ask: Is poor sales
performance (output) caused by inadequate selling effort (input), out-of-date sales procedures
(processing), incorrect sales information (feedback), or inadequate sales management (control)?
Figure illustrates this concept.

3. Identification of alternative solutions.


There are usually several different ways to solve any problem or pursue any opportunity. Jumping
immediately from problem definition to a single solution is not a good idea. It limits your options
and robs you of the chance to consider the advantages and disadvantages of several alternatives.
You also lose the chance to combine the best points of several alternative solutions.
Where do alternative solutions come from? Experience is a good source. The solutions that have
worked, or at least been considered in the past, should be considered again. Another good source of
solutions is the advice of others, including the recommendations of consultants and the suggestions
of expert systems. You should also use your intuition and ingenuity to come up with a number of
creative solutions. These could include what you think is an ideal solution. Then, more realistic
alternatives that recognize the limited financial, personnel, and other resources of most
organizations could be developed. Also, decision support software packages can be used to develop
and manipulate financial, marketing, and other business operations. This simulation process can
help you generate a variety of alternative solutions. Finally, don't forget that "doing nothing" about
a problem or opportunity is a legitimate solution, with its own advantages and disadvantages.

4. Evaluating Alternate Solutions


Once alternative solutions have been developed, they must be evaluated so that the best solution
can be identified. The goal of evaluation is to determine how well each alternative solution meets
your business and personal requirements. These requirements are key characteristics and
capabilities that you feel are necessary for your personal or business success.
Example:
If you were the sales manager of a company, you might develop very specific requirements for
solving the sales-related information problems of your salespeople. You would probably insist that
any computer-based solution for your sales force be very reliable and easy to use. You might also
require that any proposed solution have low start-up costs, or have minimal operating costs
compared to present sales processing methods.
Then you would develop evaluation criteria and determine how well each alternative solution meets
these criteria. The criteria you develop will reflect how you previously defined business and
personal requirements. For example, you will probably develop criteria for such factors as start-up
costs, operating costs, ease of use, and reliability. Criteria may be ranked or weighted, based on
their importance in meeting your requirements.

5. Selecting the Best Solution


Once all alternative solutions have been evaluated, you can begin the process of selecting the best
solution. Alternative solutions can be compared to each other because they have been evaluated
using the same criteria.
Example:
Alternatives with a low accuracy evaluation (an accuracy score less than 10), or a low overall
evaluation (an overall score less than 70) should be rejected. Therefore, alternative B for sales data
entry is rejected, and alternative A, the use of laptop computers by sales reps, is selected.

6. Designing and Implementing Solution


Once a solution has been selected, it must be designed and implemented. You may have to depend
on other business end users and technical staff to help you develop design specifications and an
implementation plan. Typically, design specifications might describe the detailed characteristics
and capabilities of the people, hardware, software, and data resources and information system
activities needed by a new system. An implementation plan specifies the resources, activities, and
timing needed for proper implementation. For example, the following items might be included in
the design specifications and implementation plan for a computer-based sales support system:
• Types and sources of computer hardware, and software to be acquired for the sales reps.
• Operating procedures for the new sales support system.
• Training of sales reps and other personnel.
• Conversion procedures and timetable for final implementation.

7. Post Implementation Review


The final step of the systems approach recognizes that an implemented solution can fail to solve the
problem for which it was developed. The real world has a way of confounding even the most well-
designed solutions. Therefore, the results of implementing a solution should be monitored and
evaluated. This is called a post-implementation review. The focus of this step is to determine if the
implemented solution has indeed helped the firm and selected subsystems meet their system
objectives. If not, the systems approach assumes you will cycle back to a previous step and make
another attempt to find a workable solution.

A Systems Approach Example


Let us assume that A is the coach of the Indian cricket team. Let us also assume that the objective
that A has been entrusted with is to secure a win over the touring Australian cricket team. The
coach uses a systems approach to attain this objective. He starts by gathering information about his
own team.
Through the systems approach he views his own Indian team as a system whose environment would
include the other team in the competition, umpires, regulators, crowd and media. His system, i.e.,
the team itself, may be conceptualized as having two subsystems, i.e., players and supporting staff for
players. Each subsystem would have its own set of components/entities like the player subsystem
will have openers, middle order batsmen, fast bowlers, wicket keeper, etc. The supporting staff
subsystem would include bowling coach, batting coach, physiotherapist, psychologist, etc. All these
entities would indeed have a bearing on the actual outcome of the game. The coach adopts a
systems approach to determine the playing strategy that he will adopt to ensure that the Indian side
wins. He analyses the issue in a stepwise manner as given below:
Step 1: Defining the problem - In this stage the coach tries to understand the past performance of his
team and that of the other team in the competition. His objective is to defeat the competing team.
He realizes that the problem he faces is that of losing the game. This is his main problem.
Step 2: Collecting data - The coach employs his supporting staff to gather data on the skills and
physical condition of the players in the competing team by analyzing past performance data,
viewing television footage of previous games, and making psychological profiles of each player. The
support staff analyses the data and comes up with the following observations:
• Both teams use an aggressive strategy during the period of power play. The competing
Australian team uses the opening players to spearhead this attack. However, recently the
openers have had a personal fight and are facing interpersonal problems.
• The game is being played in Mumbai and the local crowd support is estimated to be of some
value amounting to around fifty runs. Also the crowd has come to watch the Indian team
win. A loss here would cost the team in terms of morale.
• The umpires are neutral and are not intimidated by large crowd support but are lenient
towards sledging.
Step 3: Identifying alternatives - Based on the collected data the coach generates the following
alternative strategies:
• Play upon the minds of the opening players of the competitors by highlighting their personal
differences using sledging alone.
• Employ defensive tactics during power play when the openers are most aggressive and not
using sledging.
• Keep close-in fielders who would sledge and employ the best attacking bowlers of the
Indian team during the power play.
Step 4: Evaluating alternatives - After having generated different alternatives, the coach has to select
only one. The first alternative may lead to loss of concentration on the part of openers and result in
breakthroughs. However, there is a chance that the interpersonal differences between the two
openers may have already been resolved before they come to the field and in such a case this
strategy will fail. The second strategy provides a safer option in the sense that it will neutralize the
aggressive game of the openers but there is limited chance of getting breakthroughs. The third
option of employing aggressive close-in fielders to play upon the internal personal differences of
the openers and at the same time employing the best bowlers may lead to breakthroughs and may
also restrict the aggressive openers.
Step 5: Selecting the best alternative - The coach selects the third alternative as it provides him with
the opportunity of neutralizing the aggressive playing strategy of the openers as well as increases
the chances of getting breakthrough wickets.
Step 6: Implementing and monitoring - The coach communicates his strategy to his players and
support staff, and instructs support staff to organize mock sessions and tactics to be employed to make
the strategy a success. The performance of the players and support staff is monitored by the coach on a
regular basis to ensure that the strategy is employed perfectly.

Question No 3:
Explain the four common cycles of a business activity? (June 2004)(8 Marks)
Answer No 3:
A transaction cycle is an interlocking set of business transactions. Most business transactions can
be aggregated into a relatively small number of transaction cycles related to the sale of goods,
payments to suppliers, payments to employees, and payments to lenders. We explore the nature of
these transaction cycles in the following bullet points:

1. Revenue Cycle: Events related to the distribution of goods and services to other entities and
the collection of related payments. It includes application systems involving customer order entry,
billing, accounts receivable and sales reporting. A company receives an order from a customer,
examines the order for creditworthiness, ships goods or provides services to the customer, issues an
invoice, and collects payment. This set of sequential, interrelated activities is known as the sales
cycle, or revenue cycle.

2. Expenditure Cycle: Events related to the acquisition of goods and services from other entities
and the settlement of related obligations. It includes application systems involving vendor selection
and requisitioning, purchasing, accounts payable and payroll. A company issues a purchase order to
a supplier for goods, receives the goods, records an account payable, and pays the supplier. There
are several ancillary activities, such as the use of petty cash or procurement cards for smaller
purchases. This set of sequential, interrelated activities is known as the purchasing cycle, or
expenditure cycle.

3. Production Cycle: Events related to the transformation of resources into goods and services. It
includes application systems involving production control and reporting, product costing, inventory
control and property accounting.

4. Finance Cycle: Events related to the acquisition and management of capital funds, including
cash. It includes application systems concerned with cash management and control, debt
management and the administration of employee benefit plans. A company issues debt instruments
to lenders, followed by a series of interest payments and repayments of the debt. Also, a company
issues stock to investors, in exchange for periodic dividend payments and other payouts if the entity
is dissolved. These clusters of transactions are more diverse than the preceding transaction cycles,
but may involve substantially more money.

Question No 4:
Discuss briefly the guidelines on which the printed and visual display outputs are designed.
(June 2004)(10 Marks)
Answer No 4:
Following are the guidelines, which should be followed while preparing the printed and visual
display outputs. It will not only make the analyst's job easier, but will also ensure that users will
receive an understandable output.
i. Printer Outputs
1. Reports and documents should be designed to read from left to right and top to bottom.
2. The most important item should be easiest to find.
3. Each printed report should include the heading or title of the report, page number, date of
preparation and column headings. The heading or title of the report orients the user to what
they are reading. The title should be descriptive, yet concise. Each page should be numbered so that
the user has an easy point of reference when discussing output with others or relocating important
figures. The date of report preparation should be included on each printout. Sometimes this helps
users to estimate the value of the output. Column headings serve to further orient the user as to the
report contents.

4. Each data item must have a heading, which should be short and descriptive. Data items that
are related to one another should be grouped together on the report.

5. Control breaks should be used in the report to help readability. Control break summaries
and other important information should be set off by boxing them with special characters such
as asterisks or by extra space. This makes it easier to find critical information.

6. Sufficient margin should be left on the right and left as well as top and bottom of an output
report. This enables the user to focus his attention on the material centered on the page and makes
reading easier.

7. The detail line for variable data should be defined by indicating whether each space is to be
used for an alphabetic, special or numeric character.

8. The mock-up reports should be reviewed by users and programmers for feasibility,
usefulness, readability, understandability and aesthetic appeal.

ii. Visual display output: Many of the principles of good design discussed for printed output
also apply to output that is shown on work-stations or video display terminals. However, it should
be noted that a visual display terminal offers less space to work with compared to most printed
outputs. Moreover, the system analyst is also required to give instructions to the user on how to use
the display unit.

iii. Layout of display screen: Each display page is commonly called a screen or panel. Its
layout will ease or impede its use. Designing a layout begins with verifying the characteristics of the
display screen. These include:
(i) Physical dimensions of the screen;
(ii) Number of rows and columns of data that can be displayed;
(iii) Degree of resolution (high, medium, low);
(iv) Number of colours available (for example, monochrome, three colours, eight colours etc.);
(v) Methods of highlighting (underline, bold, blinking, alternate intensities);
(vi) Methods of intensity control (high/low; normal/inverse).

Visual display screens typically have 80 columns with 24 or 25 lines. Point-of-sale displays and some
portable computers have smaller dimensions. Screen design begins with the recognition that the
screen is composed of different areas. Layout tools assist the analyst in specifying the contents of
a single or multiple design formats. It is helpful to divide the display screen into sections that are
consistently used in the same way to present information, identifications and messages to the user.
In designing output screens, we need areas for (i) headings and titles, (ii) content of the display, (iii)
messages and instructions and (iv) sometimes explanations for the information in the report. The
headings and titles are positioned at the top portion of the screen, messages and instructions at the
bottom, and explanations, if needed, on the right-hand side. If only a very small amount of
information is to be presented, it can be placed in the center of the screen or in the upper left
quadrant. However, it is mainly a matter of preference of the concerned system analyst.

Question No 5:
Briefly describe the activities involved in conversion from manual to computerized system.
(June 2004)(10 Marks)
Answer No 5:
Basically, a changeover from a manual to a computerized system includes all those activities which
must be completed successfully to convert from the previous system to the new information
system. Fundamentally, these activities can be classified into five broad categories as explained
below:

(1) Procedure Conversion: Operating procedures should be completely documented for the new
system. This applies to both computer operations and functional area operations. Operating
procedures must be clearly spelled out for personnel in the functional areas undergoing changes.
Information on input data files, methods, procedures, output and internal control must be presented
in clear, concise and understandable terms, both in written and oral form.

(2) File Conversion: Because large files of information must be converted from one medium to
another, this phase should be started long before programming and testing are completed. The cost
and related problems of file conversion are significant. Computer generated files tend to be more
accurate and consistent than manual files. The file formats of one computer system may be unacceptable
for the other system. To be accurate, file conversion programs must be thoroughly tested and
adequate controls must be generated. The existing computer files must be kept for some time as
backup since they may be needed for reconstruction in case a bug is discovered later on.

(3) System Conversion: Now daily processing can be shifted from the existing system to a new
one. A cut-off point is established so that the database and other data requirements can be updated to
the cut-off point. All transactions initiated after this time are processed on the new system. If
necessary, appropriate changes are made to the new system. The old system is dropped as soon as
the data processing group is satisfied with the new system.

(4) Scheduling personnel and equipment: Schedules should be set up by the system manager in
conjunction with departmental managers of operational units. The time required to assign remote
batch programs under normal operating conditions in real time is a problem which is solved by
designating a block of time each day for the operation of remote devices.
The equipment and the operating personnel must be scheduled for maximum utilization.

(5) Alternative plans in case of equipment failure: Priorities must be given to those jobs critical to
an organization such as billing, payroll and inventory. Documentation of alternative plans is the
responsibility of the computer section and should be fully covered by the organization's systems
and procedures manual.
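
The controls a file conversion program can generate, and the comparison of old and new files that parallel running depends on, are shown here as an added example that is not part of the original suggested answer. The file layouts, field names and sample records are constructed assumptions, and the record count, control total, hash total and file digest are one common choice of controls rather than something the answer prescribes.

```python
import csv
import hashlib
import io
from collections import Counter
from decimal import Decimal

# Constructed sample: pre-conversion file (CSV, balance in rupees).
OLD_FILE = """acct_id,name,balance
1001,Himal Traders,15250.75
1002,Koshi Supplies,980.00
1003,Bagmati Stores,43110.20
1004,Rapti Agencies,0.00
"""

# Constructed sample: converted file (pipe-delimited, balance in paisa).
# Two conversion faults are planted: the balance of 1003 has transposed
# digits, and the zero-balance record 1004 was dropped.
NEW_FILE = """1001|HIMAL TRADERS|1525075
1002|KOSHI SUPPLIES|98000
1003|BAGMATI STORES|4311200
"""


def load_old(text):
    """Parse the old layout into canonical (id, NAME, balance_in_paisa) tuples."""
    return [(int(r["acct_id"]), r["name"].strip().upper(),
             int(Decimal(r["balance"]) * 100))
            for r in csv.DictReader(io.StringIO(text))]


def load_new(text):
    """Parse the new layout into the same canonical tuples."""
    return [(int(row[0]), row[1].strip().upper(), int(row[2]))
            for row in csv.reader(io.StringIO(text), delimiter="|") if row]


def control_summary(records):
    """Batch controls for one file, independent of record order."""
    digest = hashlib.sha256()
    for rec in sorted(records):
        digest.update(repr(rec).encode("utf-8"))
    return {
        "record_count": len(records),
        "control_total": sum(r[2] for r in records),  # meaningful sum
        "hash_total": sum(r[0] for r in records),     # sum of keys, check only
        "file_digest": digest.hexdigest(),
    }


def reconcile(old, new):
    """Compare old and new files; report every difference, not just totals."""
    s_old, s_new = control_summary(old), control_summary(new)
    old_by_id = {r[0]: r for r in old}
    new_by_id = {r[0]: r for r in new}
    dup = Counter(r[0] for r in new)
    return {
        "totals_match": s_old == s_new,
        "count_diff": s_new["record_count"] - s_old["record_count"],
        "control_total_diff": s_new["control_total"] - s_old["control_total"],
        "hash_total_diff": s_new["hash_total"] - s_old["hash_total"],
        "missing": sorted(old_by_id.keys() - new_by_id.keys()),
        "unexpected": sorted(new_by_id.keys() - old_by_id.keys()),
        "duplicated": sorted(k for k, n in dup.items() if n > 1),
        "changed": sorted(k for k in old_by_id.keys() & new_by_id.keys()
                          if old_by_id[k] != new_by_id[k]),
    }


if __name__ == "__main__":
    report = reconcile(load_old(OLD_FILE), load_new(NEW_FILE))
    for key, value in report.items():
        print(f"{key:20} {value}")
```

The dropped record has a zero balance, so the control total alone would not reveal its loss; the record count and hash total do, which is why more than one control is kept.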

Question No 6:
Write short note on Bench Marking problem for Vendor's Proposals.
(June 2004)(5 Marks) (Old Syllabus December 2012)( 5 Marks)
Answer No 6:
Benchmarking is a systematic process for identifying and implementing best or better practices.
Although experts break benchmarking into several types, there exist two main types: "Informal"
and "Formal" Benchmarking.
Informal Benchmarking is a type of benchmarking that most of us do unconsciously at work and in
our home life. We constantly compare and learn from the behaviour and practices of others –
whether it is how to use a software program, how to cook a better meal, or play our favourite sport.
In the context of work, most learning from informal benchmarking comes from the following:
• Talking to work colleagues and learning from their experience (coffee breaks and team
meetings are a great place to network and learn from others).
• Consulting with experts (for example, business consultants who have experience of
implementing a particular process or activity in many business environments).
• Networking with other people from other organisations at conferences, seminars, and Internet
forums.
• On-line databases/web sites, such as the BPIR, and publications that share benchmarking
information provide quick and easy ways to learn of best practices and benchmarks.

There are two types of Formal Benchmarking - Performance and Best Practice Benchmarking.
Performance benchmarking: this involves comparing the performance levels of organisations for a
specific process. This information can then be used for identifying opportunities for improvement
and/or setting performance targets. Performance levels of other organisations are normally called
benchmarks and the ideal benchmark is one that originates from an organisation recognised as
being a leader in the related area. Performance benchmarking may involve the comparison of
financial measures (such as expenditure, cost of labour, cost of buildings/equipment, cost of
energy, adherence to budget, cash flow, revenue collected) or non-financial measures (such as
absenteeism, staff turnover, the percentage of administrative staff to front-line staff, budget
processing time, complaints, environmental impact or call centre performance).
Best practice benchmarking: this is where organisations search for and study organisations that are
high performers in particular areas of interest. The processes themselves of these organisations are
studied rather than just the associated performance levels, normally through some mutually
beneficial agreement that follows a benchmarking code of conduct. Knowledge gained through
the study is taken back to the organisation and, where feasible and appropriate, these high
performing or best practices are adapted and incorporated into the organisation's own processes.
Therefore best practice benchmarking involves the whole process of identifying, capturing,
analysing, and implementing best practices.
Benchmarking problems are sample programs that represent at least a part of the buyer's primary computer
work load. They include software considerations. Benchmarking problems are oriented towards
testing whether a computer offered by the vendor meets the requirements of the job of the buyer.
Obviously, benchmarking problems can be applied only if the job mix has been clearly specified. If the
job is truly represented by the selected benchmarking problems, this approach can provide a
realistic and tangible basis for comparing all vendors' proposals. Tests should enable the buyer to
efficiently evaluate cross performance of various systems in terms of hardware performance.
But considerable time and effort are needed to select problems representative of the job
mix, which must be precisely defined. Benchmarking also requires the existence of operational hardware,
software and services of systems.
However, they help the manager to extrapolate the performance of the vendor's proposal on the
entire job mix.

Question No 7:
You are interested to access the internet facility sitting at home. What are the equipment and
facilities that may be required to satisfy your desire? (December 2005)(5 Marks)
Answer No 7:
For getting access to the internet, the requirements are as under:
• A computer with enough power and memory. To explore the various features of the internet
effectively, a Pentium processor with preferably 128 MB RAM or any currently available faster
model with multimedia features is recommended.
• A modem (internally built-in or externally connected) – The modem is a device that
converts data in binary code used by the computer to an analog signal that can be transmitted over
the telephone network and vice versa.
• An account with a service provider to provide a link between the computer and the internet.
• The software that may come with the computer or from the service provider.


Question No 8:
Describe in detail the steps involved in the selection of a computer system.
(June 2005) (10 Marks)
Answer No 8:
The selection of an appropriate computer system, both hardware and application software packages,
demands a high level of expertise and many organizations use a consultant either to provide
guidance to their personnel or to manage this activity.

The steps involved in selection of a computer system are:


1. Prepare the design specifications.
2. Prepare and distribute an RFP (Request for proposal) to selected computer vendors.
3. On the basis of an analysis of proposals, eliminate vendors whose proposals are
inferior.
4. Have vendors present their proposals.
5. Conduct further analysis of the proposals.
6. Contact present users of the proposed systems.
7. Conduct equipment benchmark tests.
8. Select the equipment.

During the feasibility study, the EDP manager will list down various requirements of the organization
based on which specifications of the computer will be laid down. These mandatory specifications
would then constitute an over-riding criterion of selection. If a vendor fails to meet them, the
manager would simply screen out the vendor without any further consideration. These
specifications would establish a desired configuration that might include, for example, the required
minimum main memory size, the required characteristics of secondary memory, and general types
and capacities of input and output equipment needed, etc. Usually, design specifications should be
developed without reference to any specific models of equipment or to a particular vendor's
product line.
After that, an RFP (request for proposal) is prepared by the organization and given to vendors, asking
the vendors to prepare a bid and submit it to the organization. The RFP contains all details that are
necessary for a vendor to prepare a fully detailed proposal. Typically, the RFP also contains a
deadline for bidding, the length of which depends on the complexity of the project — for example,
just a few weeks for hardware, and longer periods of time for systems requiring custom
development tasks. After responses to the RFP have been received, they are evaluated by the
organization. Meetings are scheduled with each vendor whose bid is competitive in terms of price
and meeting the requirements of the RFP. The participants at each meeting include representatives from
the vendor, representatives from the steering committee, and representatives from the design team.
The vendor's role is to present its proposal and to answer questions from the other participants. The
evaluation committee's role is to listen to the vendor proposals, provide input to the steering
committee about the pros and cons of each one, and perhaps make a recommendation for a
preferred vendor.
Frequently, vendors who survive this presentation are nevertheless asked to revise their proposals in
significant respects. The after-presentation equipment analysis is carried out in even greater detail,
and it involves the proposals of only those vendors who remain in competition, which may be only
one or two. At this point, the organization should be satisfied that the system still being considered
can solve its problems in a cost effective manner. If this is not the case, the drastic steps of
rewriting the design specifications and of submitting the RFP to other vendors must be considered.

Question No 9:
Give four different reasons why information systems are coming to play a large role in the life of
any organization. (December 2006)(4 Marks)
Answer No 9:
Any four of the following reasons:
• need to be more efficient
• need to be more effective
• need to reduce costs
• need to improve quality
• organizations are more distributed geographically
• more employees empowered to make decisions
• new communication/computing technology
• changing management processes
• changing workflows
• changing nature of products
• interfacing with the systems of other organizations
• electronic transactions

Question No 10:
A system cannot be made secure by the effort of a single information system manager. If this
statement is true, then explain about the roles of all other stakeholders to secure the system.
(June 2006)(5 Marks)
Answer No 10:
Yes, it is true that an information system cannot be secured by the sole effort of the system
administrator or manager. Each and every stakeholder of the system has equal responsibilities and
duties regarding the security of the system. So, it is imperative that individual roles, responsibilities
and authority are clearly communicated and understood by all. The duties and responsibilities of
stakeholders are specified as:
• Executive manager: assigned overall responsibility for the security of information.
• Information systems security professional: responsible for the design, implementation,
management and review of the organization's security policy, standards, measures, practices
and procedures.
• Data Owners: responsible for determining sensitivity or classification levels of the data as
well as maintaining accuracy and integrity of the data resident on the information system.
• Process Owners: responsible for ensuring that appropriate security, consistent with the
organization's security policy, is embedded in their information systems.
• Technology providers: responsible for assisting with the implementation of information
security.
• Users: responsible for following the procedures set out in the organization's security policy.
• Information system auditors: responsible for providing independent assurance to management on
the appropriateness of the security objectives and on whether the security policy, standards,
practices and procedures are appropriate and comply with the organization's security objectives.

Question No 11:
ABC Company, a PC software house, has used manual procedures to account for its receivables,
payables and inventory. The company receives most orders by telephone, billing customer's bank
charge card accounts. Some customers order by mail, enclosing cheques or money orders in
payment. ABC Company ships immediately on receiving certified cheques or money orders but
waits for personal cheques to clear the bank before shipping software.
Five sales representatives prepare order forms for telephone and walk-in customers, open mail
orders and complete those order forms as time permits. The owner suspects that ABC Company has
outgrown its accounting and inventory procedures and also believes that using manual accounting
and inventory procedures is poor advertisement for a software house. Therefore, the owner has
decided to install computer-based accounting and inventory systems.
a) The owner intends to convert from a manual to a computer-based system. Identify and briefly
explain, in your own words, the sequence of activities that should begin before conversion.
b) What do you understand by conversion or changeover from manual to computerized system?
What are the different approaches? Explain in brief.
c) Recommend an appropriate conversion approach to the company owner and state two
advantages and two disadvantages. (June 2007)(20 Marks)
Answer No 11:
A. An owner who intends to convert from a manual to a computer-based system should follow
the sequence of activities described below before conversion:
• Describe the current system in writing.
• Define the required inputs, processes, and outputs for the new system.
• Research the available hardware and software to meet the requirements.
• Visit or contact other firms using candidate systems.
• Prepare a request for proposal to obtain bids for the candidate system.
• Evaluate the bids and select the most cost effective system that meets the requirement.
• Prepare a conversion plan to install and implement the chosen system.
• Involve the system users in the planning, educate them as to the benefits to be obtained
from the system, and train them in the use of the system.

B. Conversion or changeover is the process of changing from the old manual system to the
new computerized system. It requires planning to establish the basic approach to be used in actual
changeover. There are five different approaches for converting from the old manual system to the
new computerized system.
i. Direct Changeover
On the specified date the old manual system is dropped and the new computerized system is put
into use.
ii. Parallel Conversion
This refers to running the old manual system and the new computerized system at the same time in
parallel.
iii. Gradual Conversion
Gradual Conversion attempts to combine the best features of the Direct Changeover and the
Parallel Conversion, without incurring the risk.
iv. Modular Prototype Conversion
This approach uses the building of modular, operational prototypes to change from old system to
new system in a gradual manner.
v. Distributed Conversion
This refers to a situation in which many installations of the same system are contemplated, such as
in banking or franchises like restaurants or clothing stores.

C. Recommend parallel operation

Advantages:
i. Provides a backup copy in case the new system is corrupted.
ii. User satisfaction is not affected, as there is no sudden changeover to the new system.

Disadvantages:
i. It requires that all operations be performed twice, which doubles the employee workload.
ii. It is difficult to make comparisons between the output of the new system and the old system.


Question No 12:
An airline is replacing its current reservation and ticketing system with a new system that will use
more powerful computers (manufactured by a different company from the one that supplied the
computers for the old system) and new software that stores and processes data in a different way
from that of the old system. All files in the current system are stored on computer media and are
highly accurate. The files include the following.
• Airline flight schedules: each flight is identified by a unique number.
• Airline personnel file: each individual is identified by an employee identification number.
• Airline reservation file: each entry contains the passenger name, flight data, flight number,
ticket cost and class of service.
• Travel agent file: each entry contains the identification number, name, commission rate, and
current account balance for each travel agent registered with the airline.
a. What are the different approaches for converting from the old manual system to the new
computerized system? Explain with advantages and disadvantages.
b. Two alternatives have been suggested for the conversion: parallel conversion and direct
cutover. Which approach would you choose? Justify your answer. (December 2007)(20 Marks)
Answer No 12:
a) There are five different approaches for converting from the old system to the new
computerized system.
i. Direct Changeover
The newer system is changed over from the older system on a specified (cut-off) date and time.
The older system is discontinued once the changeover to the newer system takes place. This
approach can only be successful if extensive system testing, user training and arrangement for
technical support are completed before the changeover. An advantage is that users cannot use the
old system, only the new one. Adoption is a necessity. A disadvantage is that users may resent being
forced into using an unfamiliar system without recourse.

ii. Parallel Conversion
This refers to running the old system and the new system at the same time in a parallel mode. This
is one of the most frequently used conversion approaches. An advantage of running both systems is that
it minimizes the risk of running the newer system and helps in identifying problems and issues
that the users come across in the newer system. Disadvantages include the cost of running two
systems at the same time and the burden on employees of virtually doubling their workload.

iii. Gradual Conversion
Gradual Conversion attempts to combine the best features of the Direct Changeover and the
Parallel Conversion to reduce the risks of conversion. In this plan, a portion of the transactions is
processed in the new system and the balance transactions are processed in the old system. The
volume in the new system is gradually increased and eventually all transactions are processed in the
new system and the old system is closed. Advantages include allowing users to get involved with
the new system gradually and with a possibility of detecting and recovering from the errors without
incurring significant downtime. Disadvantages include taking too long to get the new system fully
operational and the older system phased out.

iv. Modular Prototype Conversion


In this approach, the newer system is broken down into deliverable modules. The operational
modules of the old system are replaced by those of the new system in a gradual manner. Initially,
the first module of the older system is phased out using a module of the newer system. Then, the
second module of the older system is replaced with the newer module and so forth until the last
module is reached. Advantages are that each module is thoroughly tested before being used and the
users are familiar with each module as it becomes operational. Disadvantages are that, many times,
breakdown into modules is not feasible and that special attention is required to the interfaces so
that different modules actually work as a system.

v. Distributed Conversion
This approach is applied in organizations with several branches at different locations, such as bank
branches or restaurant franchises. One entire conversion is completed at one location and then the
conversion at another location is started. An advantage is that system problems can be detected at
an earlier stage, before the whole system of the organization is converted. A disadvantage is that
even when one conversion is successful, different types of problems might arise at other sites, each
having its own peculiarities to work through.

b) Direct change-over
The Direct Changeover is selected. The risk of direct changeover is reduced by providing
extensive testing and debugging of the new system, adequate training to staff and ensuring
availability of technical manpower to provide support and troubleshoot unexpected events.
Parallel conversion requires operation of the two systems simultaneously, which is very difficult
given the particular nature of this application. Although it is feasible, deciding which record to
use for planning flights or selling tickets would also be difficult.

Question No 13:
Differentiate between
a. Structured decisions and unstructured decisions. (December 2007)(2 Marks)
Answer
Structured decisions are those that are made comparatively easily from a given set of inputs, for
example the decision to issue a reminder for an overdue bill. Unstructured decisions are decisions
for which information obtained from a system is only a portion of the knowledge and information
required to make a decision. Such decisions require a significant amount of judgment and
evaluation, and no agreed-upon procedure exists for them.


b. Economic Feasibility and Operational Feasibility (June 2008)(4 Marks)

Answer
Economic Feasibility includes an evaluation of all incremental costs and benefits expected from the
implementation of a proposed system.
Operational Feasibility is concerned with the views of workers, employees, customers and suppliers
on the use of a new computer facility. The support or lack of support of employees and other users
to a proposed system is a critical aspect of the feasibility.

Question No 14:
How do you evaluate and select hardware and software in computer-using organizations?
(December 2009)(15 Marks)
Answer No 14:
To evaluate and select hardware and software, computer-using organizations typically:
• Require suppliers to present bids and proposals based on system specifications developed
during the design stage of systems development.
• Establish minimum acceptable physical and performance characteristics for all hardware and
software requirements.
• Use a document called an RFP (request for proposal) or RFQ (request for quotation), as
government agencies and most large businesses do, which lists all the required specifications.
• Use a scoring system when several competing proposals for hardware or software acquisition need
to be evaluated, giving a numerical score for each of several evaluation factors. Each
competing proposal is assigned points for each factor, depending on how well it meets the
specifications of the computer user.
• Have the hardware and software demonstrated and evaluated.
• Use special benchmark test programs and test data to evaluate proposed hardware and
software. Special software simulators may also be available that simulate the processing of typical
jobs on several computers and evaluate their performances.
• Consult other users, who are frequently the best source of information needed to evaluate the
claims of manufacturers and suppliers. Good example: Internet newsgroups.

Hardware Evaluation Factors: When evaluating computer hardware, you should investigate
specific physical and performance characteristics for each hardware component to be acquired.
This is true whether you are evaluating mainframes, microcomputers, or peripheral devices.
Hardware evaluation factors include:
• Performance
• Cost
• Reliability
• Compatibility
• Technology
• Ergonomics
• Connectivity
• Scalability
• Software
• Support

Software Evaluation Factors: You should evaluate software according to many factors that are
similar to those used for hardware evaluation. Thus, the factors of performance, cost, reliability,
availability, compatibility, modularity, technology, ergonomics, and support should be used to
evaluate proposed software acquisition. In addition, however, software evaluation factors should
also include evaluating:
• Quality
• Efficiency
• Flexibility
• Security
• Connectivity
• Language
• Documentation
• Hardware
• Other factors (performance, cost, reliability etc.)

Question No 15:
What do you mean by Information and Communication Technology? Discuss about the bright and
dark side of Information Communication Technology to the modern business organization.
(June 2010)(15 Marks)
Answer No 15:
The combination of hardware, software and communication devices that allows raw data to be
processed into relevant information and transmitted to the target places is called
Information and Communication Technology (ICT). Thus Information and Communication
Technology involves the use of computer devices, various types of software programs and
communication systems to facilitate the quick processing of data and its transmission to the
destination at the right time.
Nowadays modern businesses are highly reliant on ICT to enhance the business. The bright side of
the use of ICT can be summarized as:
• Use of ICT in the banking system to facilitate data storage, online transactions and the
operation of automatic teller machines
• Use of email and chat applications for quick and effective communication among
staff and business houses and for the quick delivery of information
• Use of application software for specific tasks, e.g. banking systems, college examinations,
airline ticketing, departmental store management, inventory management, etc.
• Software helps to reduce the cost of operation, manpower, time and processing, which
ultimately increases business efficiency.
• Computer networking helps to quicken the delivery of huge amounts of data and
information from any part of the world to another part in no time.
• Voice over Internet Protocol allows the same channel to be used simultaneously for
transmission of data as well as voice.
• ICT creates a large number of new job opportunities as well.

As every coin has two sides, ICT also has a dark side. Some unwanted effects that arise
because of the use of ICT can be summarized as:
• Viruses and worms are developed which intrude on others' networks to destroy software
applications and network performance
• People use chat applications and social networking websites during office hours,
which reduces employees' performance and efficiency
• Hackers develop various applications to steal the confidential information of bank
account holders and credit card holders and to create fake documents
• Ironically, it has brought the problem of unemployment to older people who could not get
computer education
• It needs technically strong manpower and extra investment to deploy the system
• Some unethical employees can steal the organization's confidential information
• People are harassed through the theft of their passwords and user accounts
These are some of the unwanted effects associated with the use of ICT in business. However, ICT
engineers and managers are working to reduce these unethical practices by various means.

Question No 16:
Explain how Information Technology is changing the scenario of marketing in modern days
business. (December 2011)(10 Marks)
Answer No 16:
The business function of marketing is concerned with the planning, promotion and sale of existing
products in existing markets and the development of new products and new markets to better attract
and serve present and potential customers. Business firms have increasingly turned to information
technology to help them perform vital marketing functions in the face of the rapid changes of
today's environment.
Business firms are using information technology in the form of the Internet, intranets and websites
to promote and extend their business opportunities. These tools help marketing activities in the
following ways, which differ from marketing without the use of information technology tools:
• Interactive marketing
• Target marketing
• Sales force automation
• Customer relationship management
• Marketing research and forecasting
• Advertising promotion
• Product management

With the use of various information technology tools, marketing can be focused on specific
groups of people with common characteristics in terms of behavior, purchasing capacity,
demography, geography, etc. This enables marketing to be more specific and
customer-centric. Email and instant messaging help to receive customer feedback immediately
and to answer customers' queries. Salespersons' activities can be increased and
enhanced by providing real-time customized data on probable customers. Customer
relationships can be enhanced by retaining potential customers and by attracting new
customers with the help of websites and Internet and intranet technologies.

Similarly, advertising and promotion can be done on relevant websites by personalizing home
pages. Marketing research can be done effectively with the use of websites and by taking
online feedback.

These are some of the activities carried out with the use of information technology in
sales and marketing which are not possible by other means. The use of information technology
helps business firms to make marketing more focused and customer-oriented, and it breaks
geographical boundaries. On top of this, information technology has made the marketing process
interactive between business firms and customers.

Question No 17:
Explain about the factors which influence the information technology.
(December 2011)(5 Marks)
Answer No 17:
The factors which influence the information technology can be listed as:
• The organization's internal flexibility and acceptance of changes in technology and
business
• Budget available in the organization
• Speed and access to the market
• The governing rules and regulations of the regulatory organization of the country
• International norms and practices about the technology
• Personnel's self-interest and motivation towards the use of technology
• The functional business units of the organization
• Knowledge and qualifications of the personnel

Question No 18:
How Information Technology can be used to implement the basic competitive strategies? Explain
minimum five strategies with an example.
(Old Syllabus June 2011)( 10 Marks)
Answer No 18:
Businesses today really need to know how to implement information technology into their
business to keep up with the competition. There are many aspects to information technology, and
unless a business does work specifically in this area, they may need to hire an IT manager who
knows about the field. They can implement an information technology strategy that specifically
suits the goals of a company.
The target of the strategy can be either the forms of technology being used or the people who are
using it. There is a principle from a business expert that an IT strategy has to focus on the strategy
by creating and measuring the value of the business from the perspective of the investment put
into the employment of IT.

The minimum five strategies with examples are as follows:

a. Lower costs: use IT to substantially reduce the cost of business processes and to lower the
costs of customers or suppliers, e.g. Priceline.com, where online bidding lets the buyer set
the price.
b. Differentiate: develop new IT features to differentiate products and services, use IT
features to reduce the differentiation advantages of competitors, and focus products at
selected market niches, e.g. DHL, where customer online shipment tracking results in an increase
in market share.
c. Innovate: create new products and services that include IT components, develop unique
new markets or market niches with the help of IT, make radical changes to business
processes with IT that dramatically cut costs, improve quality, efficiency, or customer
service or shorten time to market, e.g. Amazon.com, an online full-service customer system
which gained market leadership.
d. Promote Growth: use IT to manage regional and global business expansion and diversity
and integrate into other products and services, e.g. Wal-Mart, merchandise ordering by
global satellite network, which makes it the market leader.
e. Develop alliances: use IT to create virtual organizations of business partners and develop
inter-enterprise systems linked by the Internet and extranets that support strategic business
relationships with customers, suppliers, subcontractors and others, e.g. Cisco Systems
developed virtual manufacturing alliances to gain agile market leadership.

Question No 19:
Explain how different hierarchy of management will be benefitted with the computer based
Information System. (December 2012)(10 Marks)
Answer No 19:
A computer-based information system is the integrated form of Information Technology which
collects data from different sources and processes those data to generate information; the
information thus obtained optimizes the organizational procedures. It provides customized
information to different hierarchies of management as and when required.
There are three levels of management hierarchy which use information systems to enhance their
efficiency. Those levels are:
• Top Level Management
• Middle Level Management
• Operational Level Management

Top Level Management:


Top level management is defined as a set of management positions concerned with the
overall task of designing, directing and managing the organization in an integrated manner. In a
broader sense, the job of top level management can be categorized in two ways: external and
internal.
The computer-based information system provides the following types of information to top level
management:
• analysis of the competitive activities of rivals
• analysis of customer preferences
• analysis of economic trends, legal rulings and technological changes
• analysis of historical sales, costs and other relevant parameters
• analysis of profit, cash flow, divisional income, sales, expenses
• analysis of financial ratios, interest, credit outstanding, etc.

Middle Level Management (Tactical Level):


Middle management is defined as the group of management positions which tend to overlap the top
and operational management levels. Middle level management is mainly focused on supervision
and monitoring of operations and administrative work, in the sense that it is responsible for
elaborating, classifying and maintaining the operation of organizational goals. The IS provides
the following information to middle level management to enhance their performance:
• Information about price changes and shortages of products and raw materials
• Information about demand and supply and credit conditions
• Organizational performance indicators, over-under budgets
• Information about sales, income, profit/loss, etc.

Operational Level Management:


The operational level of management is defined as the group of management staff who are
responsible for carrying out the day-to-day work and the execution of the actual operation of
the office. Operational level management is mainly concerned with implementing operational plans,
policies and procedures for the purpose of converting inputs into outputs. The IS provides
the following information to operational level management:
• Customer details, staff details, product details
• Unit sales, expenses, stocks, staff attendance
• Current performance, operational level efficiencies and inefficiencies, input-output ratios,
maintenance reports, etc.

Question No 20
Bhat-Bhateni departmental store wants to build the computerized information system to keep track
of its inventory and sales. You are hired as the system analyst for the project. Based upon above
scenario, answer the following questions:
Which model of system analysis and design will you propose and why?
What are the other systems which have correlation with sales? How are they correlated?
Make a sample output report format for the sales. (Old Syllabus December 2012)(20 Marks)
Answer No 20:
In this particular case, the spiral model of the system development process is appropriate. It is a
continuous process of development which combines elements of both design and
prototyping-in-stages, in an effort to combine the advantages of top-down and bottom-up concepts.
This model of development combines the features of the prototyping model and the waterfall
model. This involves a continuous process of system development. As it combines the prototype
and waterfall models, most of the activity would be covered. Here the stages of determining the
actual objectives of the system (which is used to know the requirements), identifying and resolving
the risks, developing the system with a specific programming language, testing it, and again
planning the next stage of development while reducing the risk are repeated until the complete
system is developed.

Other systems which are interconnected with Sales Forecasting are as follows:
• Human Resource Information System
• Accounting and Finance Information System
• Procurement and Production Information System
• Marketing Information System

Human Resource Information System:


HRIS is mainly concerned with the recruitment, training, promotion and record keeping of the
office personnel. Personnel effort is one of the major factors for the growth of next year's sales.
From the reverse perspective, if next year's sales increase significantly, the workers are obviously
eligible for incentives according to their effort.

BhatBhateni Departmental Store, Maharajgunj
Sales Report for the Month of January

Date                           01-01-2013       02-01-2013       03-01-2013       04-01-2013
Prd ID  Prod Name     Prices   Qty      Total   Qty      Total   Qty      Total   Qty      Total
111     Nike Shoes  4,000.00     6  24,000.00     2   8,000.00                -     7  28,000.00
212     Jeans       1,000.00     6   6,000.00     7   7,000.00     4   4,000.00     3   3,000.00
323     T-shirts      700.00     2   1,400.00                -     1          -     3   2,100.00
100     Caps          400.00     1     400.00     1     400.00                -     1     400.00
511     Jackets     2,500.00     3   7,500.00                -     2          -     3   7,500.00
618     Belt          300.00     4   1,200.00     5   1,500.00                -     2     600.00
Total               8,900.00        40,500.00        16,900.00         4,000.00        41,600.00

Note: As a sample, only that of 4 days and only that of 5 products is shown. A similar type of
sample report or any amendment can be accepted as the student's answer.

Accounting and Finance Information System:
This is responsible for keeping the record of all monetary transactions related to procurement,
salary, marketing, etc. Moreover, the financial information system helps to analyze the investment,
profit and loss related to the sales for the year 2008.

Procurement and Production Information System:


The Procurement Information System provides information regarding the purchase of the raw
materials needed to meet the required sales target. It also gives information regarding the
delivery of the materials purchased. The production information system, in turn, supplies
information related to machinery, fuels, worker scheduling, etc.

Marketing Information System:


It provides information related to product promotion ideas and the identification of new
customers to meet the required sales target.

Question No 21:
What is IT infrastructure? Briefly explain the concept of grid computing.
(June 2012)(5 Marks)
Answer No.21:
IT infrastructure is the shared technology resources that provide the platform for the firm's
specific information system applications. IT infrastructure includes hardware, software and
services that are shared across the entire firm. Major IT infrastructure components include
computer hardware platforms, operating system platforms, enterprise software platforms,
networking and telecommunications platforms, database management software, internet platforms,
and consulting services and systems integrators.
Grid computing is a term referring to the federation of computer resources from multiple
administrative domains to reach a common goal. The grid can be thought of as a distributed
system with non-interactive workloads that involve a large number of files. What distinguishes
grid computing from conventional high performance computing systems such as cluster
computing is that grids tend to be more loosely coupled, heterogeneous, and geographically
dispersed. Although a grid can be dedicated to a specialized application, it is more common that a
single grid will be used for a variety of different purposes. Grids are often constructed with the aid
of general-purpose grid software libraries known as middleware.
Grid size can vary by a considerable amount. Grids are a form of distributed computing whereby a
"super virtual computer" is composed of many networked loosely coupled computers acting
together to perform very large tasks. For certain applications, "distributed" or "grid" computing
can be seen as a special type of parallel computing that relies on complete computers (with
onboard CPUs, storage, power supplies, network interfaces, etc.) connected to a network (private,
public or the Internet) by a conventional network interface, such as Ethernet. This is in contrast to
the traditional notion of a supercomputer, which has many processors connected by a local
high-speed computer bus.

Question No 22:
What are the different roles of IT professionals in modern organization? Explain the tasks related
to manager level roles and designer level roles in detail. (Old Syllabus, June 2012)(10 Marks)
Answer No 22:
The different roles of IT professionals in modern organization can be divided into the following
major categories:
a. User level role
b. Manager level role
c. Designer level role
d. Evaluator/auditor level role
e. Advisor/consultant level role
The main tasks related to manager level roles are:
• Leadership role – for leading the team of employees, users, developers etc. during design,
implementation and use of the system. Coordinating the team effort, logistics, integrating and
interacting with other teams within and outside the organization are also part of managerial
roles.
• Facilitator role – to facilitate communication, interaction and coordination among developers,
users and designers of the system for continued customization, modification and updates in the
system with feedback from users even after the first phase of development and deployment.
• Policy making and planning role – for making long term and short term plans for the IT
objectives of the organization, for arranging budgetary provisions for the timely implementation
of the planned ventures and for regular evaluation of the ongoing projects and other activities
related to IT.
• Monitoring and follow-up role – to continuously monitor the IT related activities in the
organization, regular follow-up on the ongoing activities and projects and frequent orientation
of the staff and other organization machinery to achieve IT related goals in time.

Similarly, the major tasks related to designer level roles are:
• Designing roles – to carry out the designing and related activities to come up with a design of
the system that should be optimum in terms of performance, cost, time, effort and other
resources. The designing role may involve extensive interaction with the potential users from
management to the worker level, detailed study of the existing and past systems used for
similar purposes and other technical studies to garner the knowledge needed for being a good
system designer.
• Analysis and evaluation – to carry out the analysis of the IT requirements in terms of
hardware, software or services. This also involves detailed analysis of the system being
developed or procured, evaluation of different alternatives, evaluation of risks and
opportunities etc.
• Project planning – involves planning of the IT project, both development and
implementation. Project planning generally includes planning project implementation stages,
manpower, expenditures, reporting and follow-up framework etc.

Question No 23
Explain the business perspective of information system in an organization. (June 2013)(10 Marks)
Answer No 23
Information systems have become an integrated part of our daily business activities such as
accounting, finance, operations management, marketing, human resource management, or any
other business function. Information systems and technologies are vital components of successful
businesses and organizations; some would say they are business imperatives. They thus constitute an
essential field of study in business administration and management, which is why most business
majors include a course in information systems. Since you probably intend to be a manager,
entrepreneur, or business professional, it is just as important to have a basic understanding of
information systems as it is to understand any other functional area in business.
Information technologies, including Internet-based information systems, are playing vital and
expanding roles in business. Information technology can help all kinds of businesses improve the
efficiency and effectiveness of their business processes, managerial decision making, and
workgroup collaboration, which strengthens their competitive positions in rapidly changing
marketplaces. This benefit occurs whether the information technology is used to support product
development teams, customer support processes, e-commerce transactions, or any other business
activity. Information technologies and systems are, quite simply, an essential ingredient for
business success in today's dynamic global environment.


While there are seemingly endless numbers of software applications, there are three fundamental
reasons for all business applications of information technology. They are found in the three vital
roles that information systems can perform for a business enterprise:
• Support of business processes and operations
• Support of business decision making
• Help provide competitive advantages.

Support of business processes and operations: involves dealing with information systems that
support the business processes and operations in a business. For example, most retail stores now
use computer-based information systems to help their employees record customer purchases, keep
track of inventory, pay employees, buy new merchandise, and evaluate sales trends. Store
operations would grind to a halt without the support of such information systems.

Support of Business decision making: Information systems also help store managers and other
business professionals make better decisions. For example, decisions about what lines of
merchandise need to be added or discontinued and what kind of investments they require are
typically made after an analysis provided by computer-based information systems. This function
not only supports the decision making of store managers, buyers and others, but it also helps them
look for ways to gain an advantage over other retailers in the competition for customers.

Support Competitive Advantage: For decision makers to gain a strategic advantage over
competitors, innovative use of information technology is required. For example, store management
might make a decision to install touch-screen kiosks in all stores, with links to the e-commerce
web site for online shopping. This offering might attract new customers and build customer
loyalty because of the ease of shopping and buying merchandise provided by such information
systems. Thus, strategic information systems can help provide products and services that give a
business a comparative advantage over its competitors.

Question No 24
How can you plan information system strategy with the business strategy of your organization?
(June 2013)(5 Marks)
Answer No 24
Information systems and organizations influence one another. Information systems are built by
managers to serve the interests of the business organization, and at the same time the organization
should be open to the influences of information systems to benefit from new technologies.
A business firm has specific strategy plans for specific periods of time to achieve some specific
goals. The information system of the organization is the integrated computerized tool which provides
the right information at the right time at a click. Thus the development and deployment of the
information system should be in line with the strategy of the firm. The information system manager
should understand how it can change the social and work life in the firm. So the information system
manager should have a clear idea of what type of system needs to be built, what it will do and how
it will be implemented.
While planning the information system strategy other things to be considered are the consequences
that might be brought out after the implementation e.g. reduction of human resources, cutting of
jobs, need of expert manpower and need of new equipment.
Points to be considered while planning information system strategy with the business strategy are
thus:
a. Business Environment
b. Organizational Culture
c. Organizational Structure
d. Business Process
e. Internal Politics
f. Management Decision Making process

Question No 25
What are the moral dimensions of Information Technology? Describe in brief.
(June 2014)(5 Marks)
Answer No 25
The moral dimensions of information technology can be summarized as:
• Information rights and obligations: What information rights do individuals and
organizations possess with respect to information about themselves? What can they
protect? What obligations do individuals and organizations have concerning this
information?
• Property rights: How will traditional intellectual property rights be protected in a digital
society in which tracing and accounting for ownership is difficult, and ignoring such
property rights is so easy?
• Accountability and Control: Who can and will be held accountable and liable for the harm
done to individual and collective information and property rights?
• System Quality: What standards of data and system quality should we demand to protect
individual rights and the safety of society?
• Quality of Life: What values should be preserved in an information- and knowledge-based
society? What institutions should we protect from violation? What cultural values and
practices are supported by the new information technology?

Question No 26
Explain the types of Information System according to organizational hierarchy. (June 2015)(10
Marks)

Answer No 26
The types of information system according to organizational hierarchy are operational-level systems,
knowledge-level systems, management-level systems and strategic-level systems. Operational-level
systems support operational managers by keeping track of the elementary activities and
transactions of the organization, such as sales, receipts, cash deposits, payroll, credit decisions,
and the flow of materials in a factory. Examples of operational-level systems include a system to
record bank deposits from automatic teller machines or one that tracks the number of hours
worked each day by employees on a factory floor. Management-level systems serve the
monitoring, controlling, decision-making, and administrative activities of middle managers. The
principal question addressed by such systems is this: Are things working well? Management-level
systems typically provide periodic reports rather than instant information on operations. An
example is a relocation control system that reports on the total moving, house-hunting, and home
financing costs for employees in all company divisions, noting wherever actual costs exceed
budgets. Some management-level systems support non-routine decision making. They tend to
focus on less-structured decisions for which information requirements are not always clear. These
systems often answer "what-if" questions: What would be the impact on production schedules if
we were to double sales in the month of December? What would happen to our return on
investment if a factory schedule were delayed for six months? Answers to these questions
frequently require new data from outside the organization, as well as data from inside that cannot
be easily drawn from existing operational-level systems.
Strategic-level systems help senior management tackle and address strategic issues and long-term
trends, both in the firm and in the external environment. Their principal concern is matching
changes in the external environment with existing organizational capability. What will
employment levels be in five years? What are the long-term industry cost trends, and where does
our firm fit in? What products should we be making in five years?
Information systems also serve the major business functions, such as sales and marketing,
manufacturing and production, finance and accounting, and human resources. A typical
organization has operational-, management-, and strategic-level systems for each functional area.
For example, the sales function generally has a sales system on the operational level to record
daily sales figures and to process orders. A management-level system tracks monthly sales figures
by sales territory and reports on territories where sales exceed or fall below anticipated levels. A
system to forecast sales trends over a five-year period serves the strategic level. We first describe
the specific categories of systems serving each organizational level and their value to the
organization. Then we show how organizations use these systems for each major business
function.

Question No 27
Explain the five dimensions of corporate business plan. (June 2015)(5 Marks)

Answer No 27
These are time, entity, organization, elements and characteristics.
Time
The plan may either be long-range or short-range, but it is executed year after year.
The plan is made on a rolling basis where every year it is extended by one year, keeping the plan
period as the next five years. The rolling plan provides an opportunity to correct or revise the plan
in the light of any new information the planner may receive. Duration of plan is expressed in units
of time, a year.

Entity
The plan entity is the thing on which the plan is focused. The entity could be the production in
terms of quantity or it could be a new product. It could be about the finance, the marketing, the
capacity, the manpower or the research and development. The goals, and the objectives would be
stated in terms of these entities. A corporate plan may have several entities. Entity, such as
Growth, Product, Sales, is a subject for which corporate plan is made.

Organization
The corporate plan would deal with the company as a whole, but it has to be broken down for its
subsidiaries, if any, such as the functional groups, the divisions, the product groups and the
projects. The breaking of the corporate business plan into smaller organizational units helps to fix
the responsibility for execution. The corporate plan, therefore, would be a master plan and it
would comprise several subsidiary plans.

Elements
The plan is made out of several elements. The plan begins with the mission and goal which the
organization would like to achieve. It may provide a vision statement for all to understand as also
the purpose, focus, and direction the organization would like to move towards. It would, at the
outset, place certain policy statements emerging out of management's business philosophy, culture
and style of functioning, followed by policy statements. Next it would declare the strategies in
various business functions, which would enable the organization to achieve the business objectives
and targets. It would spell out a programme of execution of plan and achievements. It provides
support on rules, procedures and methods of plan implementation, wherever necessary. One
important element of the plan is a budget stipulated for achieving certain goals and business
targets. The budgets are provided for sales, production, stocks, resources, expenses which are
monitored against the time in execution period. The budgets and performance provide meaningful
measure about success and failure of the plan designed to achieve certain goals.

Characteristics
There are no definite characteristics of a corporate plan. The choice of characteristics is a matter of
convenience helping to communicate to everybody concerned in the organization and for an easy
understanding in execution. The features of a plan could be several and could have several parts.
The plan is a confidential written document subject to change, and known to a limited few in the
organization. It is described in the quantitative and qualitative terms. The long-term plan is
normally flexible while the short-term one is generally not. The plan is based on the rational
assumptions about the future and gives weightage to the past achievements, and corporate strength
and weaknesses. The typical characteristics of a corporate plan are the goals, the resources, the
important milestones, the investment details and a variety of schedules.

Question No 28
What are the security features of information systems? Explain. (December 2015)(5 Marks)
Answer No 28
A secure system accomplishes its task with no unintended side effects. Using the analogy of a
house to represent the system, you decide to carve out a piece of your front door to give your pets
easy access to the outdoors. However, the hole is too large, giving access to burglars. You have
created an unintended implication and, therefore, an insecure system.
While security features do not guarantee a secure system, they are necessary to build a secure
system. Security features fall into four categories:
• Authentication: Verifies that you are who you say you are. It enforces that you are the only one allowed
to log on to your Internet banking account.
• Authorization: Allows only you to manipulate your resources in specific ways. This
prevents you from increasing the balance of your account or deleting a bill.
• Encryption: Deals with information hiding. It ensures you cannot spy on others during
Internet banking transactions.
• Auditing: Keeps a record of operations. Merchants use auditing to prove that you bought
specific merchandise.
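
The features above mapped onto the Internet banking illustration, as an added Python example that is not part of the suggested answer. The user, account and bill identifiers and all function names are constructed for illustration; encryption is not shown because it is assumed to be provided by the TLS connection to the bank rather than by application code.

```python
import hashlib
import hmac
import json
import os


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample data: one customer, one account, one unpaid bill.
SALT = os.urandom(16)
USERS = {"asha": {"salt": SALT, "pw_hash": hash_password("correct horse", SALT)}}
ACCOUNTS = {"ACC-1": {"owner": "asha", "balance": 5000,
                      "bills": {"B-7": {"amount": 1200, "paid": False}}}}

# Authorization policy: the only actions an owner may perform on their account.
# Deliberately absent: "set_balance" and "delete_bill".
OWNER_ACTIONS = {"view_balance", "pay_bill"}


class AuditLog:
    """Append-only record of operations. Each entry hashes the previous one,
    so editing or removing an earlier entry breaks the chain."""

    FIELDS = ("user", "action", "target", "outcome", "prev")

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, user, action, target, outcome):
        prev = self.entries[-1]["digest"] if self.entries else "0" * 64
        body = dict(zip(self.FIELDS, (user, action, target, outcome, prev)))
        self.entries.append({**body, "digest": self._digest(body)})

    def verify(self) -> bool:
        prev = "0" * 64
        for entry in self.entries:
            body = {k: entry[k] for k in self.FIELDS}
            if entry["prev"] != prev or entry["digest"] != self._digest(body):
                return False
            prev = entry["digest"]
        return True


AUDIT = AuditLog()


def authenticate(user: str, password: str) -> bool:
    """Authentication: is this really the person the account belongs to?"""
    rec = USERS.get(user)
    # Hash even for unknown users so the response time does not reveal them.
    salt = rec["salt"] if rec else b"\x00" * 16
    candidate = hash_password(password, salt)
    ok = rec is not None and hmac.compare_digest(candidate, rec["pw_hash"])
    AUDIT.record(user, "login", "-", "ok" if ok else "denied")
    return ok


def perform(user: str, action: str, account_id: str, bill_id: str = ""):
    """Authorization, then the operation, with every outcome audited.
    Assumes the caller has already passed authenticate()."""
    acct = ACCOUNTS.get(account_id)
    allowed = acct is not None and acct["owner"] == user and action in OWNER_ACTIONS
    if not allowed:
        AUDIT.record(user, action, account_id, "denied")
        raise PermissionError(f"{user} may not {action} on {account_id}")
    if action == "pay_bill":
        bill = acct["bills"].get(bill_id)
        if bill is None or bill["paid"] or bill["amount"] > acct["balance"]:
            AUDIT.record(user, action, f"{account_id}/{bill_id}", "rejected")
            raise ValueError("bill cannot be paid")
        acct["balance"] -= bill["amount"]
        bill["paid"] = True  # the bill is marked paid, never deleted
        AUDIT.record(user, action, f"{account_id}/{bill_id}", "ok")
        return acct["balance"]
    AUDIT.record(user, action, account_id, "ok")
    return acct["balance"]  # view_balance
```

The audit trail records denied attempts as well as successful ones, which is what lets it serve as evidence later.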

Question No 29
Assume that you are Chief Information Officer (CIO) of a multinational manufacturing company.
Your company is planning to replace current system and develop a new in-house software to
manage its sales employees' attendance who are always in the field. What will you do in the following
situations?
1. As CIO what are the strategies (strategies for system design, input design and output design)
you will consider most appropriate in designing a new system?
2. What control mechanisms (logical access control and application control) will you look for in
this new software? (December 2016)(20 Marks)
Answer No 29:
a) There are many strategies or techniques for performing system design. They include
modern structured analysis, information engineering, prototyping, JAD, RAD and object-oriented
design. These designs are often viewed as competing alternative approaches to systems design. In
reality, certain combinations complement one another.

1. Modern structured design is a process-oriented technique of breaking a large program into a
hierarchy of modules, resulting in a computer program that is easier to implement and
design. Synonyms are top-down design and structured programming. Structured design has
lost some of its popularity with many of today's applications that call for newer techniques
that focus on event-driven and object-oriented programming techniques. However, it is still
a popular technique for the design of mainframe-based application software and to address
coupling and cohesion issues at the system level.
2. Information engineering (IE) is a data-centered technique. IE involves conducting a business
area requirements analysis from which information system applications are carved out and
prioritized.
3. The prototyping approach is an iterative process involving a close working relationship
between designer and users. Its main advantage is that it encourages the active
participation of end users; its disadvantage is that, since users may not know exactly
what they want, too much interaction with end users may result in delay or overrun of the
project because of additional requirements creeping in.
4. Joint Application Development (JAD) was introduced as a technique that complements other
system analysis and design techniques by emphasizing participative development among
system owners, users, designers and builders. Thus JAD is frequently used in conjunction
with the above design techniques.
5. Rapid Application Development (RAD) is the merger of various structured techniques with
prototyping techniques and Joint Application Development techniques to accelerate system
development. RAD calls for the interactive use of structured techniques and prototyping to
define the user's requirements and design the final system.
6. Object-Oriented Design (OOD) is the newest up-and-coming design strategy. The
technique is an extension of the object-oriented analysis strategy. OOD techniques are used
to refine the object requirements definitions identified earlier during the analysis and to
define design-specific processes.

Considering all the above techniques, I will use one or more of them to
develop the new system, depending on several factors such as budget, time constraints, urgency of the
need for new software, size and skill level of the IT team, and end users' knowledge of system
requirements.

b) The main security features that I would be most interested in for the new software would be:
Application controls
• Application controls are built into each application (payroll, accounts payable, inventory
management, etc.).
• Application controls are designed to ensure that only correct, authorized data enter the
system and that the data are processed and reported properly.
• Application controls are divided into input controls, processing controls and output controls:
a) Input controls provide reasonable assurance that data submitted for processing are (1)
authorized, (2) complete, and (3) accurate. These controls vary depending on whether input is
entered in online or batch mode. The most basic input control is thus authorization.
b) Processing controls provide reasonable assurance that (1) all data submitted for processing
are processed and (2) only approved data are processed. These controls are built into the
application code by programmers during the systems development process.
c) Output controls provide assurance that the processing result (such as account listings or
displays, reports, files, invoices, or disbursement checks) is accurate and that only authorized
personnel receive the output.
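
The three kinds of application control applied to the field-attendance software from the question, as an added Python example that is not part of the suggested answer. The record layout (including GPS coordinates), employee IDs, role names and function names are assumptions made for illustration.

```python
from datetime import date

# Assumed, constructed reference data for a field-attendance application.
ENROLLED_STAFF = {"E101", "E102"}              # sales employees allowed to submit
REPORT_READERS = {"hr_manager", "sales_head"}   # roles allowed to receive output
REQUIRED_FIELDS = ("emp_id", "day", "check_in", "check_out", "lat", "lon")


def to_minutes(hhmm: str) -> int:
    """Parse 'HH:MM' into minutes after midnight; ValueError if malformed."""
    hours, minutes = (int(part) for part in hhmm.split(":"))
    if not (0 <= hours < 24 and 0 <= minutes < 60):
        raise ValueError("time out of range")
    return hours * 60 + minutes


def input_control(record: dict, submitted_by: str) -> list:
    """Input control: return the reasons a record is rejected ([] = accepted)."""
    errors = []
    # (1) Authorized: an enrolled employee, submitting only their own attendance.
    if submitted_by not in ENROLLED_STAFF or record.get("emp_id") != submitted_by:
        errors.append("unauthorized submitter")
    # (2) Complete: every required field is present and non-empty.
    missing = [f for f in REQUIRED_FIELDS if record.get(f) in (None, "")]
    if missing:
        errors.append("incomplete: " + ", ".join(missing))
        return errors
    # (3) Accurate: values parse and are mutually consistent.
    try:
        date.fromisoformat(record["day"])
        if to_minutes(record["check_out"]) <= to_minutes(record["check_in"]):
            errors.append("inaccurate: check_out not after check_in")
        if not (-90 <= float(record["lat"]) <= 90 and -180 <= float(record["lon"]) <= 180):
            errors.append("inaccurate: coordinates out of range")
    except (ValueError, TypeError, AttributeError):
        errors.append("inaccurate: malformed date, time or coordinate")
    return errors


def control_totals(records: list) -> tuple:
    """Batch control totals: record count plus a hash total of employee numbers."""
    return len(records), sum(int(r["emp_id"][1:]) for r in records)


def process_batch(records: list, expected_totals: tuple) -> dict:
    """Processing control: compute minutes worked, then prove that exactly the
    approved batch was processed by re-deriving its control totals."""
    minutes, processed = {}, []
    for r in records:
        worked = to_minutes(r["check_out"]) - to_minutes(r["check_in"])
        minutes[r["emp_id"]] = minutes.get(r["emp_id"], 0) + worked
        processed.append(r)
    if control_totals(processed) != expected_totals:
        raise RuntimeError("control totals differ: records added, lost or duplicated")
    return minutes


def attendance_report(role: str, minutes: dict) -> list:
    """Output control: only authorized personnel receive the report."""
    if role not in REPORT_READERS:
        raise PermissionError(f"role {role!r} may not receive attendance output")
    return [f"{emp}: {m // 60}h{m % 60:02d}m" for emp, m in sorted(minutes.items())]


# Constructed submissions: (record, submitted_by)
SUBMISSIONS = [
    ({"emp_id": "E101", "day": "2016-12-05", "check_in": "09:00",
      "check_out": "17:00", "lat": 27.67, "lon": 85.32}, "E101"),
    ({"emp_id": "E102", "day": "2016-12-05", "check_in": "09:30",
      "check_out": "17:00", "lat": 27.70, "lon": 85.31}, "E102"),
    ({"emp_id": "E102", "day": "2016-12-05", "check_in": "09:00",
      "check_out": "17:00", "lat": 27.70, "lon": 85.31}, "E101"),  # for a colleague
    ({"emp_id": "E101", "day": "2016-12-06", "check_in": "18:00",
      "check_out": "09:00", "lat": 27.67, "lon": 85.32}, "E101"),  # times reversed
]


def run_batch(role: str) -> list:
    """Apply input, processing and output controls to the sample submissions."""
    accepted = [rec for rec, who in SUBMISSIONS if not input_control(rec, who)]
    totals = control_totals(accepted)  # taken when the batch is approved
    return attendance_report(role, process_batch(accepted, totals))
```

The control totals are taken when the batch is approved and checked again after processing, so a record that is inserted, dropped or duplicated between the two points is detected.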

Question No 30:
Assume you are assigned to do major hardware maintenance of the information system in a
commercial bank. What are the major challenges? How would you minimize them?
(June 2016)(5 Marks)
Answer No 30:
Hardware maintenance of the Information system is a critical activity because it involves actual
physical activity on the hardware and can cause major system downtime if high availability
provisions are not available.
In this context, the major challenges for me in doing hardware maintenance at a commercial bank are:
• Since banking systems involve financial transactions and critical data, the level of preparation
and care needed is very high.
• The downtime has to be minimized.
• The maintenance activity has to be planned in such a way that the disruptions are minimal.
• Convincing the bank management about the maintenance plan and the impact it can
have on system operations.
• Creating a fallback plan in case the maintenance activity does not go as planned.
The steps I would take to minimize the challenges and risks are:
• Check the high-availability and redundancy provisions of the system. If there are redundancy
provisions, risks are lower.
• If redundancy provisions are not there, system downtime cannot be eliminated. A detailed, step-by-step
plan shall be made so that the downtime is minimized.
• Arrangements for the power and network team shall be made prior to the activity to make sure
that the necessary components are working smoothly.
• Take a full data backup of the system so that, in case the maintenance leads to data corruption,
the latest good data can be restored.
• Keep in close contact with the system suppliers and software developers to handle any
unforeseen problem during maintenance and system restoration.
• Make the management and users aware of the detailed activity, risks and steps taken to
minimize them.
• Keep all the activities documented for record and future reference.

Question No 31
Discuss about the practical factors which influence the working of Information Technology.
(June 2017)(7 Marks)
Answer No 31:
The practical factors which influence information technology are summarized as:
Flexibility of changes in business and technology:
There should be sufficient room for improvement in any business and the technology it involves.
This can lead to the use of information technology in a broader sense. If the business and the technology
involved are confined within a small boundary, new ideas and concepts cannot be nurtured.
Budget:
Budget is a major influencing factor for any process or system. The size of the budget determines the
level of integration, reliability and efficiency of technology to the business. Budget also
determines the quality of Information Technology related work.
Speed to the market:
How fast a system is brought to the market determines the life of the technology. If the technology is
brought after its time value has expired, the success of the technology will not be as expected.
Nowadays it is believed that the life of a technology lasts not more than one year. Moreover, the
right timing is very important.
Legal and Regulatory Body:
The regulatory and legal authorities are the major entities concerned with the deployment of any technology.
If a technology is banned by the legal authority, its fate is sealed.
Other factors which influence information technology are:
• International norms and practices about the technology
• Personnel self-interest and motivations towards the use of technology
• The functional business units of the organization
• Knowledge and qualifications of the personnel
So, while introducing any technology, the organization should be clear about the government rules and
regulations.

Question No 32
Illustrate the importance of good knowledge of the business process to develop an effective IT
system for the business organization. Also give an example. (June 2018)(8 Marks)
Answer No 32 :
An effective IT system for a business organization is supposed to help carry out the business
processes in efficient and effective manner. A system becomes effective for a business
organization if it is designed and developed with the specific requirements of the organization in
mind. A custom-built system is always better than a general-purpose off-the-shelf system.
However, to make such custom-built systems effective, the design and development process
should be based on good understanding of the nature of the business and the activities, processes
and transactions involved in the business activities. Proper tailoring of the system for the business
process requirement needs a thorough understanding of the business processes being automated.
For example, if the need is to design an IT system for an accounting consultancy firm, the
development process should be taking input from the actual users of the system and the persons
that carry out the daily business activities. A system designed for a marketing agency or an
advertisement company shall not be a perfect match for the accounting consultancy firm whose
business activities and processes are significantly different from the other two.

Question No 33
Explain Customer Relationship Management system in detail along with benefits. What is
sales force automation? (June 2019)(8 Marks)
Answer No 33
First part: Customer Relationship Management (CRM) is a strategy for managing an
organization's relationships and interactions with customers and potential customers. A CRM
system helps companies stay connected to customers, streamline processes, and improve
profitability.
Customer relationship management focuses on managing all of the ways that a firm deals with
its existing and potential customers. It uses information systems that integrate all of the
business processes that interact with customers in sales, marketing, and service. The ideal
CRM system provides end-to-end customer care from receipt of an order through product
delivery.
CRM software records customer contact information such as email, telephone, website, social
media profile, and more. It can also automatically pull in other information, such as recent
news about the company's activity, and it can store details such as a client's personal
preferences on communications. The CRM system organizes this information to give a
complete record of individuals and companies. CRM software improves customer relationship
management by creating a 360° view of the customer, capturing their interactions with the
business, and by surfacing the information needed to have better conversations with
customers. The benefits of a customer relationship management system include:
• Better client relationships – Good and accurate information about clients enables the
service provider to better serve the clients. This makes the clients feel that the
organization cares for them, thereby enhancing loyalty.
• Improved ability to cross-sell – Better knowledge about customer needs enables the
organization to provide a better solution to their next problem.
• Increased team collaboration – A good CRM gives better information to better align
teams and their activities to enhance customer experience.
• Improved efficiency in serving clients – If the related team is using the CRM to record
their customer interactions, EVERY client interaction, then they are able to serve
the client with the knowledge of what has been previously discussed with the client.
• Greater staff satisfaction – The more knowledge the employees have, the more
empowered and engaged they are. Having an accurate and up-to-date CRM that
everyone uses and accesses helps employees solve client problems. Doing so makes
employees and clients happy.
• Increased revenue and profitability – Once everyone learns and uses the CRM,
productivity increases, sales cycles decrease, the organization has the ability to
provide additional products and services to clients and client satisfaction increases.
• Cost savings – While the implementation of CRM software is expensive and time-consuming,
over time the benefits far outweigh the costs. Members of the sales
team are able to better schedule meetings with prospects in the same geographic
area. Client-service reps are better able to resolve a client's concern. There is a
central client and prospect database that everyone can access rather than everyone
keeping a separate spreadsheet or contact database on their computer.
• Less client attrition – When a client is engaged with only one member of a
professional services firm, the risk of attrition is 40%. When five or more partners
are involved in a client relationship, the risk of attrition falls to less than 5%.

Second Part: Abbreviated SFA, sales force automation is a technique of using software to
automate the business tasks of sales, including order processing, contact management,
information sharing, inventory monitoring and control, order tracking, customer management,
sales forecast analysis and employee performance evaluation. SFA is often used
interchangeably with CRM; however, CRM does not necessarily imply automation of sales
tasks.

Chapter 2:

Types of Information System

Question No 1:
Write short notes on the following
a) Transaction Processing Systems
(December 2004)( 5 Marks) (June 2008)(2.5 Marks) (December 2009)(4 Marks) (Old
Syllabus December 2010)(5 Marks) (June 2010)(5 Marks) (December 2011)(5 Marks)
(Old syllabus, December 2011)(5 Marks)
The most fundamental computer-based system in an organisation pertains to the processing of
business transactions. Transaction processing systems are aimed at expediting and improving the
routine business activities that all organizations engage in. Standard operating procedures, which
facilitate handling of transactions, are often embedded in computer programs that control the entry
of data, processing of details and search and presentation of data and information. The high
volume of well-understood transactions associated with the operating level of an organisation, as
well as the ability for management to develop specific procedures for handling them often trigger
the need for computer assistance. Transaction processing systems, if computerised, provide speed
and accuracy and can be programmed to follow routines without any variance. Systems Analysts
design the systems and processes to handle various activities.
Transaction processing systems (TPS) are cross-functional information systems that process data
resulting from the occurrence of business transactions. Transactions are events that occur as part
of doing business, such as sales, purchases, deposits, withdrawals, refunds, and payments.
Transaction processing activities are needed to capture and process data, or the operations of a
business would grind to a halt. Transaction processing systems capture and process data
describing business transactions. Then they update organizational files and databases, and
produce a variety of information products for internal and external use.
Online transaction processing systems play a strategic role in electronic commerce.
• Many firms are using the Internet, extranets, and other networks that tie them electronically to
their customers or suppliers for online transaction processing (OLTP).
• These real-time systems, which capture and process transactions immediately, can help them
provide superior service to customers and other trading partners.
• OLTP systems add value to a company's products and services, and thus give them an
important way to differentiate themselves from their competitors.

A transaction processing cycle consists of several basic activities, which involve:
• Data entry activities
• Transaction processing activities
• Database maintenance activities
• Document and report generation
• Inquiry processing activities

Data Entry activities
The input activity in TPS involves a data entry process. In this process, data is captured or
collected by recording, coding, and editing activities.

Transaction Processing activities
Transaction processing systems process data in two basic ways:
• Batch Processing - transaction data are accumulated over a period of time and processed
periodically.
• Real-time Processing - (also called online processing), where data are processed immediately
after a transaction occurs. All online transaction processing systems incorporate real-time
processing capabilities. Many online systems also depend on the capabilities of fault tolerant
systems that can continue to operate even if parts of the system fail.

Database Maintenance activities
An organization's data must be maintained by its transaction processing systems so that they are
always correct and up-to-date. Therefore, transaction processing systems update the corporate
database of any organization to reflect changes resulting from day-to-day business transactions.

Document and Report Generation
Transaction processing systems produce a variety of documents and reports. Examples of
transaction documents include purchase orders, paychecks, sales receipts, invoices, and customer
statements. Transaction reports might take the form of a transaction listing such as a payroll
register, or edit reports that describe errors detected during processing.

Inquiry Processing activities
Many transaction processing systems allow you to use the Internet, intranets, extranets, and web
browsers or database management query languages to make inquiries and receive responses
concerning the results of transaction processing activity. Typically, responses are displayed in a
variety of prespecified formats or screens. Examples of queries include:
• Checking on the status of a sales order
• Checking on the balance in an account
• Checking on the amount of stock in inventory

b) Strategic Decision Making (June 2005) (5 Marks)


Strategic level management is concerned with developing the organizational mission, objectives
and strategies. Decisions made at this level of the organization to handle problems which are critical
to the survival and success of the organization are called strategic decisions. They have a vital
impact on the direction and functioning of the organization. Examples are decisions on plant
location, introduction of new products, making major new fund raising and investment operations,
adoption of new technology, acquisition of outside enterprises and so on. Much analysis and
judgment go into making strategic decisions.

In a way, strategic decisions are comparable to non-programmed decisions and they share some of
their characteristics. Strategic decisions are made under conditions of partial knowledge or
ignorance.

c) Management Information System (MIS).


(June 2007)(5 Marks) (December 2007)(2 Marks) (December 2006)(3 Marks)
Management Information System can be defined as:
(i) A collection of interrelated components working together to collect, process, store and
disseminate information, supporting decision making, coordination and control, analysis
and visualization.
(ii) An approach that visualizes the business organization as a single entity composed of
various inter-related and inter-dependent sub-systems working together to provide timely
and accurate information for management decision making, which leads to optimization of
overall enterprise goals and resources.
(iii) A system of people, equipment, procedures, documents and communication that collects,
validates, operates on, transfers, stores, retrieves, and presents data for use in planning,
budgeting, accounting, controlling and other management processes.
Firstly, information is defined as those things which reduce the level of uncertainty or increase
the knowledge of those who receive it. An MIS is a collection of interrelated components working together
to collect and process the raw data, and to store and disseminate information, for the effective operation of
the organization with the optimization of resources to achieve the goal within the specified
time. A management information system is thus an interrelation of human resources and of the knowledge
of the organization and its employees. MIS helps at every level of the organizational
hierarchy, from the operational level through the supervisory level to the executive level. Specifically, MIS
helps in decision making, coordination and controlling, analysis and visualization.

d) Executive Information System


(December 2008)(5 Marks) (June 2010)(5 Marks) (December 2003)(2 Marks) (Old Syllabus
December 2012)( 5 Marks)
An Executive Information System can be defined as a specialized Decision Support System. This
type of system generally includes the various hardware, software, data, procedures and
people. With the help of all this, the top-level executives get great support in taking and
performing various types of decisions. The executive information system plays a very
important role in obtaining data from different sources, and then helps in the integration and
aggregation of this data. After these steps, the resulting information is displayed in a
pattern that is very easy to understand.
Executive information system is 'a computer based system that serves the information that is
needed by the various top executives. It provides very rapid access to the timely information and
also offers the direct access to the different management reports.'


The Executive Information System is very user friendly in nature. It is supported to a large
extent by graphics.
An executive support system can be defined as a comprehensive support system that goes beyond
the Executive Information System and also includes communications, office automation,
analysis support etc.

According to Watson, the Executive Information System / executive support system depends on
some factors that can be summarized as follows:
1. Internal factors
i. Need for timely information.
ii. Need for improved communications.
iii. Need for access to operational data.
iv. Need for rapid status updates on various business activities.
v. Need for access to the corporate database.
vi. Need for very accurate information.
vii. Need for the ability to identify various historical trends.
2. External factors
i. Increasing and intensifying global competition.
ii. Rapidly changing business environment.
iii. Need to be more proactive.
iv. Need to access external databases.
v. Increasing government regulations.

Characteristics of the Executive Support System / Executive Information System

1. Informational characteristics
i. Flexibility and ease of use.
ii. Provides timely information with a short response time and quick retrieval.
iii. Produces correct information.
iv. Produces relevant information.
v. Produces validated information.

2. User interface/orientation characteristics
i. Consists of sophisticated self help.
ii. Contains user-friendly interfaces consisting of the graphic user interface.
iii. Can be used from many places.
iv. Offers secure, reliable, confidential access along with the access procedure.
v. Is very much customized.
vi. Suits the management style of the individual executives.


3. Managerial / executive characteristics
i. Supports the overall vision, mission and strategy.
ii. Provides support for strategic management.
iii. Sometimes helps to deal with situations that have a high degree of risk.
iv. Is linked to value-added business processes.
v. Supports the need for access to external data and databases.
vi. Is very much result oriented in nature.

Executive Information System / Executive Support System capabilities
1. Helps in accessing aggregated, macro or global information.
2. Provides the user with an option to use external data extensively.
3. Enables analysis of ad hoc queries.
4. Shows trends, ratios and deviations.
5. Helps in incorporating graphics and text in the same display, which gives a better view.
6. Helps in the assessment of historical as well as the latest data.
7. Problem indicators can be highlighted with the help of the Executive Information System /
executive support system.
8. Open-ended problem explanation with written interpretations can be done with the help of the
Executive Information System / executive support system.
9. Offers management-by-exception reports.
10. Utilizes hypertext and hypermedia.
11. Offers generalized computing.
12. Offers telecommunications capacity.

Executive Information System / Executive Support System benefits
1. Achievement of various organizational objectives.
2. Facilitates access to information by integrating many sources of data.
3. Facilitates a broad, aggregated perspective and context.
4. Offers broad, highly aggregated information.
5. User's productivity is also improved to a large extent.
6. Communication capability and quality are increased.
7. Provides better strategic planning and control.
8. Facilitates a proactive rather than a reactive response.
9. Provides competitive advantage.
10. Encourages the development of a more open and active information culture.
11. The cause of a particular problem can be found.


e) Decision support systems (December 2009)(4 Marks) (June 2010)(5 Marks) (Old
syllabus, December 2011)(5 Marks) (Old Syllabus June 2011)( 5 Marks) (December
2012)(5 Marks) (Old Syllabus, June 2012)(5 Marks) (December 2014)(5 Marks)
Decision support systems are computer-based information systems that provide interactive
information support to managers and business professionals during the decision-making process.
Decision support systems use:
• Analytical models
• Specialized databases
• Decision maker's own insights and judgments
• Interactive, computer-based modeling process to support the making of semistructured and
unstructured business decisions

Decision support systems rely on model bases as well as databases as vital system resources. A
DSS model base is a software component that consists of models used in computational and
analytical routines that mathematically express relationships among variables. Examples include:
• Spreadsheet models
• Linear programming models
• Multiple regression forecasting models
• Capital budgeting present value models

Typically, a manager uses a DSS software package at his workstation to make inquiries, responses
and to issue commands. This differs from the demand responses of information reporting systems,
since managers are not demanding pre-specified information. Rather, they are exploring possible
alternatives. They do not have to specify their information needs in advance. Instead they use the
DSS to find the information they need to help them make a decision.

Using a DSS involves four basic types of analytical modelling activities:
• What-If Analysis: In what-if analysis, an end user makes changes to variables, or
relationships among variables, and observes the resulting changes in the values of other
variables.
• Sensitivity Analysis: A special case of what-if analysis. Typically, the value of only one
variable is changed repeatedly, and the resulting changes on other variables are observed. So
sensitivity analysis is really a case of what-if analysis involving repeated changes to only one
variable at a time. Typically, sensitivity analysis is used when decision-makers are uncertain
about the assumptions made in estimating the value of certain key variables.
• Goal-Seeking Analysis: Reverses the direction of the analysis done in what-if and sensitivity
analysis. Instead of observing how changes in a variable affect other variables, goal-seeking
analysis sets a target value for a variable and then repeatedly changes other variables until the
target value is achieved.

• Optimization Analysis: A more complex extension of goal-seeking analysis. Instead of
setting a specific target value for a variable, the goal is to find the optimum value for one or
more target variables, given certain constraints. Then one or more other variables are
changed repeatedly, subject to the specified constraints, until the best values for the target
variables are discovered.
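The four analytical modelling activities above, run against one capital budgeting present value model, as an added example that is not part of the original suggested answer. The base case, the project list, the budget and all function names are constructed assumptions.

```python
from itertools import combinations

def npv(rate, outlay, annual_cash_flow, years):
    """Present value model: discounted yearly inflows minus the initial outlay."""
    inflows = sum(annual_cash_flow / (1 + rate) ** t for t in range(1, years + 1))
    return inflows - outlay

# Constructed base case for one proposed capital expenditure.
BASE = {"rate": 0.10, "outlay": 1000.0, "annual_cash_flow": 400.0, "years": 3}

def what_if(**changes):
    """What-if analysis: change any variables and observe the resulting NPV."""
    return npv(**{**BASE, **changes})

def sensitivity(variable, values):
    """Sensitivity analysis: change one variable repeatedly, rest held at base."""
    return [(v, what_if(**{variable: v})) for v in values]

def goal_seek(variable, target, lo, hi, tol=1e-6):
    """Goal-seeking analysis: bisect on one input until NPV reaches the target.

    Assumes NPV rises with the variable on [lo, hi] and that the target
    lies between the NPVs at the two ends of the interval.
    """
    if not what_if(**{variable: lo}) <= target <= what_if(**{variable: hi}):
        raise ValueError("target is not bracketed by [lo, hi]")
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if what_if(**{variable: mid}) < target:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

# Constructed candidate projects competing for one capital budget.
PROJECTS = [
    {"name": "A", "cost": 500, "npv": 120},
    {"name": "B", "cost": 400, "npv": 100},
    {"name": "C", "cost": 300, "npv": 90},
    {"name": "D", "cost": 200, "npv": 40},
]

def optimize(projects, budget):
    """Optimization analysis: best total NPV over every mix within the budget."""
    best_names, best_value = set(), 0
    for size in range(1, len(projects) + 1):
        for combo in combinations(projects, size):
            cost = sum(p["cost"] for p in combo)
            value = sum(p["npv"] for p in combo)
            if cost <= budget and value > best_value:
                best_names, best_value = {p["name"] for p in combo}, value
    return best_names, best_value

if __name__ == "__main__":
    print("base NPV:", round(what_if(), 2))
    print("what-if rate=8%:", round(what_if(rate=0.08), 2))
    for rate, value in sensitivity("rate", [0.06, 0.08, 0.10, 0.12]):
        print(f"  rate {rate:.0%} -> NPV {value:8.2f}")
    print("break-even cash flow:",
          round(goal_seek("annual_cash_flow", 0.0, 0.0, 1000.0), 2))
    print("best project mix under 900:", optimize(PROJECTS, 900))
```

Picking projects in order of largest NPV first would select A and B here; the exhaustive search finds the better mix, which is the difference between goal seeking on one variable and optimization under a constraint.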

f) Artificial Intelligence. (December 2010)(5 Marks)


Artificial Intelligence is the branch of computer science that deals with writing computer programs
that can solve problems creatively. AI attempts to imitate or duplicate human intelligence in
computers and robots. This is the area of computer science focusing on creating machines that can
engage in behaviors that humans consider intelligent. In recent years, using AI programming
techniques to make smart machines has been becoming a reality. Researchers are creating systems
which can mimic human thought, understand speech, beat the best human chess player, and perform
countless other feats never before possible.
AI is computer software designed to perceive, reason, and understand.
(a) Historically, computer software works through a series of if/then conditions in which every
operation has exactly two possible outcomes (yes/no, on/off, true/false, one/zero).
(b) Human reasoning, on the other hand, is extremely complex, based on deduction, induction,
intuition, emotion, and biochemistry, resulting in a range of possible outcomes.
AI attempts to imitate human decision making, which hinges on this combination of knowledge
and intuition (i.e., remembering relationships between variables based on experience). The
advantage of AI in a business environment is that IT systems
(a) Can work 24 hours a day
(b) Will not become ill, die, or be hired away
(c) Are extremely fast processors of data, especially if numerous rules (procedures) must be
evaluated
There are several types of AI:
1) Neural networks
2) Case-based reasoning systems
3) Rule-based expert systems
4) Intelligent agents
5) An expert system

Two of the most important and most used branches of AI are neural networks and expert systems.
Neural networks are made of artificial neurons, connected by weights, which are indicative of the
strengths of the connections. The neurons are arranged in layers, and depending on the complexity
of the application, there could be hundreds or thousands of neurons. Iterative propagation of input
from one layer of neurons to the next (training) is what enables the neural network to learn from
experience. Unlike humans, when a neural network is fully trained, it can classify and identify
patterns in massive amounts of complex data, at high speeds that cannot be duplicated by humans.


An expert system can solve real-world problems using human knowledge and following human
reasoning skills. Knowledge and thinking processes of experts are collected and encoded into a
knowledge base. From that point on, the expert system could replace or assist the human experts in
making complex decisions by integrating all the knowledge it has in its knowledge base.

g) Executive Support System (June 2017)(5 Marks)


Senior managers use Executive Support systems (ESS) to help them make decisions. ESS serves
the strategic level of the organization. They address nonroutine decisions requiring judgment,
evaluation, and insight because there is no agreed-on procedure for arriving at a solution. ESS is
designed to incorporate data about external events, such as new tax laws or competitors, but they
also draw summarized information from internal MIS and DSS. They filter, compress, and track
critical data, displaying the data of greatest importance to senior managers. ESS employs the most
advanced graphics software and can present graphs and data from many sources. Often the
information is delivered to senior executives through a portal, which uses a web interface to
present integrated personalized business content from a variety of sources.

Unlike the other types of information systems, ESS is not designed primarily to solve specific
problems. Instead, ESS provides a generalized computing and communications capacity that can
be applied to a changing array of problems. Although many DSS are designed to be highly
analytical, ESS tends to make less use of analytical models.

h) Customer Relationship Management (December 2017)(5 Marks)


Customer Relationship Management (CRM) systems help firms in managing their relationships
with their customers. CRM systems provide information to coordinate all of the business processes
that deal with customers in sales, marketing, and service to optimize revenue, customer
satisfaction, and customer retention. CRM systems provide information to help firms identify,
attract, and retain the most profitable customers; provide better service to existing customers; and
increase sales. CRM systems consolidate and integrate customer information from multiple
communication channels – telephone, e-mail, wireless devices, retail outlets, or the Web. Detailed
and accurate knowledge of customers and their preferences helps firms increase the effectiveness
of their marketing campaigns and provide higher-quality customer service and support.

i) Limitations of Management Information System. (June 2010)(5 Marks)


The main limitations of a management information system are as follows:
• The quality of the output of MIS is basically governed by the quality of input and processes.
• MIS itself is not a complete management process; rather, it is just a tool for effective management.
• MIS effectiveness may decrease due to frequent change of top-level management.
• MIS effectiveness may decrease if the organizational staff has an information-hoarding
nature.
• It accounts for the quantitative parameters and ignores the qualitative parameters, though they
are very important in the management process.
• MIS may not have the flexibility to quickly adapt to the changing needs of time.

j) Customer relationship management system with merits and challenges. (December 2011)(5
Marks)
CRM is described as a cross-functional e-business application that integrates and automates many
customer-serving processes in sales, direct marketing, accounting and order management, and
customer service and support. CRM systems create an IT framework that integrates all the
functional processes with the rest of a company's business operations. CRM systems consist of a
family of software modules that perform the business activities involved in such front office
processes. CRM software provides the tools that enable a business and its employees to provide
fast, convenient, dependable, and consistent service to its customers.
Merits of CRM are:
• CRM allows a business to identify and target their best customers; those who are the most
profitable to the business, so they can be retained as lifelong customers for greater and more
profitable services.
• CRM enables real-time customization and personalization of products and services based on
customer wants, needs, buying habits, and life cycles.
• CRM can keep track of when a customer contacts the company, regardless of the contact point.
• CRM enables a company to provide a consistent customer experience and superior service and
support across all the contact points a customer chooses.
Challenges of CRM:
• Business managers and IT professionals underestimate the complexity of the planning,
development, and training that are needed to prepare for a new CRM system.
• Failure to involve affected employees in the planning and development phases and change
management programs.
• Trying to do too much too fast in the conversion process.
• Insufficient training in the new work tasks required by the CRM system.
• Failure to do enough data conversion and testing.
• Overreliance by company or IT management on claims of CRM software vendors or the
assistance of prestigious consulting firms hired to lead the implementation.

k) Sales and marketing information system (December 2018)(5 Marks)


The sales and marketing function is responsible for selling the organization's products or services.
Marketing is concerned with identifying the customers for the firm's products or services,
determining what they need or want, planning and developing products and services to meet their
needs, and advertising and promoting these products and services. Sales is concerned with
contacting customers, selling the products and services, taking orders, and following up on sales.
Sales and marketing information systems support sales and marketing activities.
These information systems are arranged by organizational level. At the strategic level, these systems
monitor trends affecting new products and sales opportunities, support planning for new products
and services, and monitor the performance of competitors. At the management level, these systems
support market research, advertising and promotional campaigns, and pricing decisions; they also
analyze sales performance and the performance of the sales staff. At the knowledge level, these
systems support market analysis activities. At the operational level, these systems assist in locating
and contacting prospective customers, tracking sales, processing orders, and providing customer
service support.
l) Working principle of Payment Gateway (December 2011)(5 Marks)
A payment gateway facilitates the transfer of information between a payment portal (such as a
website, mobile phone or IVR service) and the Front End Processor or acquiring bank. When a
customer orders a product from a payment gateway-enabled merchant, the payment gateway
performs a variety of tasks to process the transaction:
• A customer places an order on the website by pressing the 'Submit Order' or equivalent button, or
perhaps enters their card details using an automatic phone answering service.
• If the order is via a website, the customer's web browser encrypts the information to be sent
between the browser and the merchant's web-server. This is done via SSL (Secure Socket
Layer) encryption.
• The merchant then forwards the transaction details to their payment gateway. This is another
SSL encrypted connection to the payment server hosted by the payment gateway.
• The payment gateway forwards the transaction information to the payment processor used by
the merchant's acquiring bank.
• The payment processor forwards the transaction information to the card association (e.g.,
Visa/MasterCard).
   o If an American Express or Visa Card was used, then the processor acts as the issuing
     bank and directly provides a response of approved or declined to the payment
     gateway.
   o Otherwise, the card association routes the transaction to the correct card issuing
     bank.
• The credit card issuing bank receives the authorization request and sends a response back to
the processor (via the same process as the request for authorization) with a response code. In
addition to determining the fate of the payment (i.e. approved or declined), the response code
is used to define the reason why the transaction failed (such as insufficient funds, or bank link
not available).
• The processor forwards the response to the payment gateway.

• The payment gateway receives the response, and forwards it on to the website (or whatever
interface was used to process the payment) where it is interpreted as a relevant response then
relayed back to the cardholder and the merchant.
• The entire process typically takes 2–3 seconds.
• The merchant submits all their approved authorizations, in a "batch", to their acquiring bank
for settlement via their processor.
• The acquiring bank deposits the total of the approved funds into the merchant's nominated
account. This could be an account with the acquiring bank if the merchant does their banking
with the same bank, or an account with another bank.

Many payment gateways also provide tools to automatically screen orders for fraud and calculate
tax in real time prior to the authorization request being sent to the processor. Tools to detect fraud
include geo-location, velocity pattern analysis, delivery address verification, computer
fingerprinting technology, identity morphing detection, and basic AVS checks.
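The screening step that runs before the authorization request, sketched as an added example (not part of the original answer and not any gateway's actual code): velocity pattern analysis per card and per source address, plus simplified geo-location and delivery address checks. The thresholds, field names and orders are constructed assumptions, and the two address checks compare countries only.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window for velocity checks
MAX_ATTEMPTS_PER_CARD = 3        # assumed: more attempts than this is suspicious
MAX_CARDS_PER_IP = 2             # assumed: more distinct cards than this is suspicious

# Constructed orders: (order id, time, card token, source IP,
#                      country of source IP, billing country, delivery country).
# The IP country is assumed to come from a geo-location lookup done upstream.
ORDERS = [
    ("o1", "2024-01-01T10:00:00", "tok_A", "198.51.100.7", "NP", "NP", "NP"),
    ("o2", "2024-01-01T10:01:00", "tok_B", "203.0.113.9", "US", "US", "US"),
    ("o3", "2024-01-01T10:02:00", "tok_C", "203.0.113.9", "US", "US", "US"),
    ("o4", "2024-01-01T10:03:00", "tok_D", "203.0.113.9", "US", "US", "US"),
    ("o5", "2024-01-01T10:04:00", "tok_A", "198.51.100.7", "NP", "NP", "NP"),
    ("o6", "2024-01-01T10:05:00", "tok_A", "198.51.100.7", "NP", "NP", "NP"),
    ("o7", "2024-01-01T10:06:00", "tok_A", "198.51.100.7", "NP", "NP", "NP"),
    ("o8", "2024-01-01T10:30:00", "tok_E", "192.0.2.44", "GB", "NP", "GB"),
    ("o9", "2024-01-01T10:40:00", "tok_A", "198.51.100.7", "NP", "NP", "NP"),
]

def screen_orders(orders):
    """Return {order id: [reasons]} for orders that should be held for review."""
    attempts_by_card = defaultdict(deque)   # card token -> recent timestamps
    cards_by_ip = defaultdict(deque)        # source IP -> recent (time, card token)
    flagged = {}
    for oid, ts, card, ip, ip_cc, bill_cc, ship_cc in sorted(orders, key=lambda o: o[1]):
        now = datetime.fromisoformat(ts)
        reasons = []

        # Velocity per card: repeated attempts on one card inside the window.
        card_q = attempts_by_card[card]
        card_q.append(now)
        while now - card_q[0] > WINDOW:     # evict attempts older than the window
            card_q.popleft()
        if len(card_q) > MAX_ATTEMPTS_PER_CARD:
            reasons.append("card_velocity")

        # Velocity per source: many different cards tried from one address.
        ip_q = cards_by_ip[ip]
        ip_q.append((now, card))
        while now - ip_q[0][0] > WINDOW:
            ip_q.popleft()
        if len({c for _, c in ip_q}) > MAX_CARDS_PER_IP:
            reasons.append("ip_card_spread")

        # Geo-location: the order comes from a country other than the billing one.
        if ip_cc != bill_cc:
            reasons.append("geo_mismatch")
        # Delivery address verification, reduced here to a country comparison.
        if ship_cc != bill_cc:
            reasons.append("delivery_mismatch")

        if reasons:
            flagged[oid] = reasons
    return flagged

if __name__ == "__main__":
    for order_id, why in screen_orders(ORDERS).items():
        print(order_id, "->", ", ".join(why))
```

Order o9 uses the same card as the flagged o7 but falls outside the ten-minute window, so it passes; the window length is what separates a retry burst from ordinary repeat custom.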

m) Expert system (December 2011)(5 Marks) (June 2012)(5 Marks) (December 2018)(5 Marks)
An expert system (ES) is a computer-based information system that uses its knowledge about a
specific complex application area to act as an expert consultant to users. An ES provides answers
to questions in a very specific problem area by making humanlike inferences about knowledge
contained in a specialized knowledge base. It must also be able to explain its reasoning process
and conclusions to a user.
The components of an expert system include a knowledge base and software modules that perform
inferences on the knowledge and communicate answers to a user's question. The interrelated
components of an expert system include:
1) Knowledge base: The knowledge base of an ES contains:
• Facts about a specific subject area
• Heuristics (rules of thumb) that express the reasoning procedures of an expert on the subject.

2) Software resources: An ES software package contains:
• Inference engine that processes the knowledge related to a specific problem.
• User interface program that communicates with end users.
• Explanation program to explain the reasoning process to the user.
• Software tools for developing expert systems include knowledge acquisition programs and
expert system shells.

3) Hardware resources: These include:
• Stand-alone microcomputer systems
• Microcomputer workstations and terminals connected to minicomputers or mainframes in a
telecommunications network.
• Special-purpose computers.

4) People resources: People resources include:
• Knowledge engineers
• End-users

Using an expert system involves an interactive computer-based session, in which:
• The solution to a problem is explored with the expert system acting as a consultant.
• The expert system asks questions of the user and searches its knowledge base for facts and rules
or other knowledge.
• It explains its reasoning process when asked.
• It gives expert advice to the user in the subject area being explored. Examples include: credit
management, customer service, and productivity management.

Expert systems typically accomplish one or more generic uses. Six activities include:
• Decision Management
• Diagnostic/troubleshooting
• Maintenance Scheduling
• Design/configuration
• Selection/classification
• Process monitoring/control
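The software components listed above (knowledge base of facts and heuristics, inference engine, user interface and explanation program) in a small working form, as an added example that is not part of the original suggested answer. The credit management rules, fact names and questions are constructed assumptions; the inference engine uses forward chaining, which is one common technique and not the only one.

```python
# Knowledge base, part 1: heuristics (rules of thumb), all constructed.
# Each rule is (name, conditions that must all hold, conclusion).
RULES = [
    ("R1", {"late_payments_high"}, "payment_risk"),
    ("R2", {"order_exceeds_limit", "payment_risk"}, "refer_to_credit_manager"),
    ("R3", {"new_customer", "order_exceeds_limit"}, "require_prepayment"),
    ("R4", {"long_standing_customer"}, "trusted"),
    ("R5", {"trusted", "order_within_limit"}, "approve_credit"),
]

# User interface: the questions whose yes/no answers become facts.
QUESTIONS = {
    "late_payments_high": "Has the customer paid late more than twice this year?",
    "order_exceeds_limit": "Does this order exceed the customer's credit limit?",
    "order_within_limit": "Is this order within the customer's credit limit?",
    "new_customer": "Is this the customer's first order?",
    "long_standing_customer": "Has the customer traded with us for over five years?",
}

# Conclusions that count as advice to the user, in order of priority.
ADVICE = ["refer_to_credit_manager", "require_prepayment", "approve_credit"]

def infer(facts, rules=RULES):
    """Inference engine: forward-chain until no rule adds a new conclusion."""
    known = set(facts)
    trace = {}                       # conclusion -> (rule name, sorted conditions)
    changed = True
    while changed:
        changed = False
        for name, conditions, conclusion in rules:
            if conclusion not in known and conditions <= known:
                known.add(conclusion)
                trace[conclusion] = (name, sorted(conditions))
                changed = True
    return known, trace

def explain(goal, facts, trace, depth=0):
    """Explanation program: show, step by step, how a conclusion was reached."""
    pad = "  " * depth
    if goal in trace:
        name, conditions = trace[goal]
        lines = [f"{pad}{goal}: concluded by {name} from {', '.join(conditions)}"]
        for condition in conditions:
            lines += explain(condition, facts, trace, depth + 1)
        return lines
    if goal in facts:
        return [f"{pad}{goal}: given by the user"]
    return [f"{pad}{goal}: not established"]

def consult(answers):
    """One consultation: answers maps a QUESTIONS key to True or False."""
    unknown = set(answers) - set(QUESTIONS)
    if unknown:
        raise KeyError(f"no such question: {sorted(unknown)}")
    facts = {fact for fact, yes in answers.items() if yes}   # part 2: the facts
    known, trace = infer(facts)
    advice = [a for a in ADVICE if a in known]
    return advice, {a: explain(a, facts, trace) for a in advice}

if __name__ == "__main__":
    session = {"late_payments_high": True, "order_exceeds_limit": True}
    advice, reasons = consult(session)
    for item in advice:
        print("Advice:", item)
        print("\n".join(reasons[item]))
```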

n) Supply Chain Management (December 2011)(5 Marks) (Old Syllabus, June 2012)(5 Marks)
(June 2012)(5 Marks) (June 2010)(5 Marks)
Supply Chain Management (SCM) is a cross-functional inter-enterprise system that uses
information technology to help support and manage the links between some of a company's key
business processes and those of its suppliers, customers and business partners. The goal of SCM is
to create a fast, efficient and low-cost network of business relationships or supply chain to get a
company's products from concept to market. Thus an SCM is an interconnected information system
of business organizations which helps in the easy flow and tracking of raw materials, intermediate
products and finished goods. It minimizes the material warehousing cost and product delivery
cost.
Supply chain management (SCM) is the oversight of materials, information, and finances as they
move in a process from supplier to manufacturer to wholesaler to retailer to consumer. Supply
chain management involves coordinating and integrating these flows both within and among
companies. One can say that the ultimate goal of any effective supply chain management system is
to reduce inventory (with the assumption that products are available when needed).
Supply chain management flows can be divided into three main flows:
• The product flow
• The information flow
• The finances flow
The product flow includes the movement of goods from a supplier to a customer, as well as
any customer returns or service needs. The information flow involves transmitting orders and
updating the status of delivery. The financial flow consists of credit terms, payment
schedules, and consignment and title ownership arrangements.

o) Marketing Information System (Old Syllabus June 2011)( 5 Marks)


The business function of marketing is concerned with the planning, promotion, and sale of existing
products in existing markets, and the development of new products and new markets to better
serve present and potential customers.

Marketing information systems integrate the information flow required by many marketing
activities. Marketing information systems provide information for:
• Internet/intranet web sites and services make an interactive marketing process possible where
customers can become partners in creating, marketing, purchasing, and improving products
and services.
• Sales force automation systems use mobile computing and Internet technologies to automate
many information processing activities for sales support and management.
• Other marketing systems assist marketing managers in product planning, pricing, and other
product management decisions, advertising and sales promotion strategies, and market
research and forecasting.

p) Computer Based MIS (December 2012)(5 Marks)


Computer Based Management Information Systems (MIS) is the computer-based organizational
system that offers and consolidates information for management-related activities, functions and
decisions. It is a complex system composed of computer hardware and software that work
together. MIS enables collection, transmission, processing and storing information. It organizes
huge volumes of seemingly unmanageable data and turns them into reports. Decision makers can
study such reports and distinguish trends and patterns that are made highly noticeable by the
system.
Good computer-based management information should be accurate, current and not require too
much time to retrieve. Information must be relevant so it can improve decision-making. It also
must reaffirm and evaluate decisions made in the past. For example, information on how many
people buy a certain toy brand in the market can help the manufacturers decide whether to increase
production. Managed information is accurate when it reflects actual events and facts. In some
cases, information needs to be exact, especially in dealing with numbers such as a store's revenue
for a certain month.


q) Computer based financial information system (Old Syllabus December 2012)(5 Marks)

Computer-based financial management systems support financial managers in decisions
concerning:
• The financing of a business.
• The allocation and control of financial resources within a business.

Major financial information system categories include:
• Cash and investment management
• Capital budgeting
• Financial forecasting
• Financial planning

Cash management systems collect information on all cash receipts and disbursements within a
company on a real time or periodic basis. Cash management systems:
• Allow businesses to deposit or invest excess funds more quickly, and thus increase the
income generated by deposited or invested funds.
• Produce daily, weekly, or monthly forecasts of cash receipts or disbursements (cash flow
forecast) that are used to spot future cash deficits or surpluses.
• Mathematical models frequently can determine optimal cash collection programs and
determine alternative financing or investment strategies for dealing with forecasted cash
deficits or surpluses.

Online Investment Management:


Many businesses invest their excess cash in short-term low-risk marketable securities or in higher
return/higher risk alternatives, so that investment income may be earned until the funds are
required. A portfolio of securities can be managed with the help of portfolio management
software packages. Online investment management services:
• Are available from hundreds of online sources on the Internet and other networks.
• Help a financial manager make buying, selling, or holding decisions for each type of security
so that an optimum mix of securities is developed that minimizes risk and maximizes
investment income for the business.

Capital Budgeting:
The capital budgeting process involves evaluating the profitability and financial impact of
proposed capital expenditures.
• Long term expenditure proposals for plants and equipment can be analyzed using a variety of
techniques. This application makes heavy use of spreadsheet models that incorporate present
value analysis of expected cash flows and probability analysis of risk to determine the
optimum mix of capital projects for a business.

Financial Forecasting and Planning:


A variety of financial forecasting packages provide analytical techniques that result in economic or
financial forecasts of national and local economic conditions, wage levels, price levels, and
interest rates. Financial Planning systems use financial planning models to evaluate the present
and projected financial performance of a business or of one of its divisions or subsidiaries.
Financial planning systems:
• Help determine the financial needs of a business and analyze alternative methods of financing
the business.
• Use financial forecasts concerning the economic situation, business operations, and types of
financing available, interest rates, and stock and bond prices to develop an optimal financing
plan for the business.
• Frequently use electronic spreadsheet packages and DSS generators to build and manipulate
models.
• Are used to answer what-if and goal-seeking questions in order to evaluate financial and
investment alternatives.

r) Computer based management information system and business perspective of
information system. (June 2012)(10 Marks)
As long as organizations are small and have limited operational goals, manual information systems
are satisfactory. Many trends in the development of industry and commerce have made
computer-based information systems essential to efficiently run organizations. These are:
• The size of organizations is becoming larger. This is particularly true in India due to increase
in population and rapid rate of industrial development.
• Computer-based processing enables the same data to be processed in many ways, based on
needs, thereby allowing managers to look at the performance of an organization from
different angles.
• As the volume of data has increased and the variety of information and their timeliness is
now of great importance, computer-based information processing has now become essential
for efficiently managing organizations.
• Organizations are now distributed with many branches.
• Markets are becoming competitive. To maintain a favorable balance of payments in a country,
organizations have to be internationally competitive.
• The general socio-economic environment demands more up-to-date and accurate information.
Human society is changing faster than ever before. Governmental regulations have become
complex. Organizations have to interact with many other interested parties such as
consumer groups, environmental protection groups, financial institutions, etc., which did
not exist before.
Information systems have become as integrated into our daily business activities as accounting,
finance, operations management, marketing, human resource management, or any other business
function. Information systems and technologies are vital components of successful business and
organization—some would say they are business imperatives. They thus constitute an essential
field of study in business administration and management, which is why most business majors
include a course in information systems. Since you probably intend to be a manager, entrepreneur,
or business professional, it is just as important to have a basic understanding of information
systems as it is to understand any other functional area in business.
Information technologies, including Internet-based information systems, are playing vital and
expanding roles in business. Information technology can help all kinds of business improve the
efficiency and effectiveness of their business processes, managerial decision making, and
workgroup collaboration, which strengthens their competitive positions in rapidly changing
marketplaces. This benefit occurs whether the information technology is used to support product
development teams, customer support processes, e-commerce transactions, or any other business
activity. Information technologies and systems are, quite simply, an essential ingredient for
business success in today's dynamic global environment.
While there are seemingly endless numbers of software applications, there are three fundamental
reasons for all business applications of information technology. They are found in the three vital
roles that information systems can perform for a business enterprise:
• Support of business processes and operations
• Support of business decision making
• Support of competitive advantage
Support of business processes and operations: This involves dealing with information systems that
support the business processes and operations in a business. For example, most retail stores now
use computer-based information systems to help their employees record customer purchases, keep
track of inventory, pay employees, buy new merchandise, and evaluate sales trends. Store
operations would grind to a halt without the support of such information systems.
Support of Business decision making: Information systems also help store managers and other
business professionals make better decisions. For example, decisions about what lines of
merchandise need to be added or discontinued and what kind of investments they require are
typically made after an analysis provided by computer-based information systems. This function
not only supports the decision making of store managers, buyers and others, but it also helps them
look for ways to gain an advantage over other retailers in the competition for customers.

Support of competitive advantage: Helping decision makers gain a strategic advantage over
competitors requires innovative use of information technology. For example, store management
might make a decision to install touch-screen kiosks in all stores, with links to the e-commerce
web site for online shopping. This offering might attract new customers and build customer
loyalty because of the ease of shopping and buying merchandise provided by such information
systems. Thus, strategic information systems can help provide products and services that give a
business a comparative advantage over its competitors.

s) Fuzzy logic (December 2017)(5 Marks)
Fuzzy logic is a form of many-valued logic in which the truth values of variables may be any real
number between 0 and 1. It is employed to handle the concept of partial truth, where the truth
value may range between completely true and completely false. By contrast, in Boolean logic, the
truth values of variables may only be the integer values 0 or 1. Furthermore,
when linguistic variables are used, these degrees may be managed by specific (membership)
functions. Fuzzy logic has been applied to many fields, from control theory to artificial
intelligence.

Fuzzy logic has two different meanings. In a narrow sense, fuzzy logic is a logical system, which
is an extension of multi-valued logic. However, in a wider sense fuzzy logic is almost synonymous
with the theory of fuzzy sets, a theory which relates to classes of objects with unsharp boundaries
in which membership is a matter of degree. Some general observations about fuzzy logic are:
• Fuzzy logic is conceptually easy to understand – The mathematical concepts behind fuzzy
reasoning are very simple. Fuzzy logic is a more intuitive approach without the far-reaching
complexity.
• Fuzzy logic is flexible – With any given system, it is easy to layer on more functionality
without starting again from scratch.
• Fuzzy logic is tolerant of imprecise data – Everything is imprecise if you look closely enough,
but more than that, most things are imprecise even on careful inspection. Fuzzy reasoning
builds this understanding into the process rather than tacking it onto the end.
• Fuzzy logic can model nonlinear functions of arbitrary complexity – A fuzzy system can be
created to match any set of input-output data. This process is made particularly easy by
adaptive techniques like Adaptive Neuro-Fuzzy Inference Systems (ANFIS), which are
available in Fuzzy Logic Toolbox software.
• Fuzzy logic can be built on top of the experience of experts – In direct contrast to neural
networks, which take training data and generate opaque, impenetrable models, fuzzy logic lets
users rely on the experience of people who already understand the system.
• Fuzzy logic can be blended with conventional control techniques – Fuzzy systems don't
necessarily replace conventional control methods. In many cases fuzzy systems augment them
and simplify their implementation.
• Fuzzy logic is based on natural language – The basis for fuzzy logic is the basis for human
communication. This observation underpins many of the other statements about fuzzy logic.
Because fuzzy logic is built on the structures of qualitative description used in everyday
language, fuzzy logic is easy to use.
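
As an added illustration (not part of the original suggested answer), the Python sketch below contrasts a Boolean rule with its fuzzy counterpart for a hypothetical receivables-review decision. The variable names, breakpoints and priority scores are assumptions, and the weighted-average step is a zero-order Sugeno-style inference chosen for brevity.

```python
"""Fuzzy versus Boolean evaluation of an 'overdue account' review rule."""


def ramp_up(x, lo, hi):
    """Membership function: 0 at or below lo, 1 at or above hi, linear between."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


# Linguistic variables and their membership functions (assumed breakpoints).
def late(days_overdue):
    return ramp_up(days_overdue, 30, 60)


def large(amount):
    return ramp_up(amount, 5000, 10000)


# Standard (Zadeh) fuzzy connectives on truth values in [0, 1].
def f_and(a, b):
    return min(a, b)


def f_or(a, b):
    return max(a, b)


def f_not(a):
    return 1.0 - a


def connectives_match_boolean():
    """On the values 0 and 1 the fuzzy connectives reduce to Boolean logic."""
    bits = (0.0, 1.0)
    return all(
        f_and(a, b) == float(bool(a) and bool(b))
        and f_or(a, b) == float(bool(a) or bool(b))
        and f_not(a) == float(not a)
        for a in bits
        for b in bits
    )


def fuzzy_priority(days_overdue, amount):
    """Weighted average of rule outputs, weighted by each rule's degree of truth."""
    is_late, is_large = late(days_overdue), large(amount)
    rules = [
        (f_and(is_late, is_large), 100.0),        # IF late AND large     THEN 100
        (f_and(is_late, f_not(is_large)), 60.0),  # IF late AND NOT large THEN 60
        (f_not(is_late), 10.0),                   # IF NOT late           THEN 10
    ]
    total = sum(weight for weight, _ in rules)    # never 0 for this rule base
    return sum(weight * score for weight, score in rules) / total


def boolean_priority(days_overdue, amount):
    """Same rules with crisp thresholds at the midpoints of the ramps."""
    is_late = days_overdue >= 45
    is_large = amount >= 7500
    if is_late and is_large:
        return 100.0
    if is_late:
        return 60.0
    return 10.0


if __name__ == "__main__":
    for days, amount in [(44, 7400), (45, 7500), (60, 10000)]:
        print(days, amount, boolean_priority(days, amount),
              round(fuzzy_priority(days, amount), 2))
```

Moving an account from 44 days and 7,400 to 45 days and 7,500 makes the Boolean score jump from 10 to 100, while the fuzzy score moves by about two points.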

Question No 2:
Mention the purposes of Executive Information System. (December 2003)(6 Marks)
(December 2004)(5 Marks)
Answer No 2:
Purpose of EIS: These are stated below:
i. The primary purpose of an Executive Information System is to support managerial learning
about an organization, its work processes, and its interaction with the external environment.
Informed managers can ask better questions and make better decisions.

ii. A secondary purpose for an EIS is to allow timely access to information. All of the
information contained in an EIS can typically be obtained by a manager through traditional
methods. However, the resources and time required to manually compile information in a
wide variety of formats, and in response to ever changing and ever more specific questions
usually inhibit managers from obtaining this information. Often, by the time a useful report
can be compiled, the strategic issues facing the manager have changed, and the report is never
fully utilized. Timely access also influences learning. When a manager obtains the answer to
a question, that answer typically sparks other related questions in the manager's mind. If those
questions can be posed immediately and the next answer retrieved, the learning cycle
continues unbroken. Using traditional methods, by the time the answer is produced, the
context of the question may be lost, and the learning cycle will not continue.

iii. A third purpose of an EIS is commonly misperceived. An EIS has a powerful ability to direct
management attention to specific areas of the organization or specific business problems.
Some managers see this as an opportunity to discipline subordinates. Some subordinates fear
the directive nature of the system and spend a great deal of time trying to outwit or discredit
it. Neither of these behaviours is appropriate or productive. Rather, managers and
subordinates can work together to determine the root causes of issues.

Question No 3
What is a management information system? Briefly describe its limitations.
(December 2003)(10 Marks) (Old Syllabus, June 2012)(5 Marks)

Answer No 3:
MIS is generally defined as an integrated, user-machine system for providing information to
support operations, management and decision-making functions in an organisation. The system
utilises computer hardware and software, manual procedures and models for analysis. Information is
viewed as a resource like land, labour and capital. It is not a free good. It must be obtained,
processed, stored, retrieved, manipulated and analysed. The objective of an MIS is to provide
needed and relevant information to each manager at the right time and in the right form, which aids
his understanding and stimulates his action. It supports the planning, control and operational
functions of an organisation by furnishing correct and uniform information in a proper time frame to
assist the decision-making process.

The main limitations of MIS are as follows:
1. The quality of output of MIS is basically governed by the quantity of input and processes.
2. MIS is not a substitute for effective management. It is merely an important tool in the
hands of management executives for decision making and problem solving.
3. MIS may not have proper flexibility to quickly update itself with the changing needs of
time, especially in a fast-changing and complex environment.
4. MIS takes into account mainly quantitative factors, thus it ignores the non-quantitative
factors like morale and attitude of staff members of the organisation who have an
important bearing on the decision making process of executives.
5. MIS is less useful for making non-programmed decisions.
6. Effectiveness of MIS is reduced in such organisations, where the management executives
are in the habit of hoarding information and are not interested in sharing it with others.
7. Frequent changes in top management, organisational structure and operation team also
adversely affect the effectiveness of MIS.
8. MIS cannot provide tailor-made information packages for every type of decision made by
executives.

Question No 4:
Define Decision Support System (DSS). Discuss in brief the properties possessed by DSS.
(December 2004) (8 Marks)
Answer No 4
The following are the properties possessed by DSS:
(i) Ability to adapt to changing needs: Semi-structured and unstructured decisions often don't
conform to a predefined set of decision-making rules. Because of this, their decision support
systems must provide for enough flexibility to enable users to model their own information
needs. They should also be capable of adapting to changing information needs.
(ii) Flexibility: Flexibility in a DSS is of paramount importance. Information requests made to a
DSS will often be relatively unsystematic and distinct. A manager can make many requests
without being sure where the search for information will lead him. He often needs a variety of
tools to satisfy such requests. The output from a DSS may also be used to prepare customised
output to be examined by other people.
(iii) Ease of learning & use: Since DSS is often built and operated by users rather than by
computer professionals, the tools that accompany them should be relatively easy to learn &
use. Such software tools employ user-oriented interfaces such as grids, graphics, non-
procedural 4GL, natural English. These interfaces make it easier for users to conceptualize and
perform the decision-making process.

Question No 5:
How does Executive Information System (EIS) differ from traditional Information System?
Write any seven points. (December 2004)(7 Marks)
Answer No 5:
EIS (Executive Information System) differs from traditional system in the following ways:
i) They are specifically tailored to executives' information needs.
ii) They are able to access data about specific issues and problems as well as aggregate reports.
iii) They provide intensive on-line analysis tools including trend analysis and exception reporting.
iv) They can access a broad range of internal and external data.
v) They are particularly easy to use.
vi) They are used directly by executives without assistance.
vii) Screen-based – All EISs are delivered through terminals.
viii) Information tends to be presented by pictorial or graphical means.
ix) Information is presented in summary format.

Question No 6:
What are the major constraints in operating a MIS? (June 2004)(6 Marks)
Answer No 6:
The following are the major constraints in operating a MIS:
(1) Non-availability of experts, who can diagnose the objectives of the organisation and provide a
desired direction for installing and operating the system. This problem may be overcome by
grooming internal staff, which should be preceded by proper selection and training.
(2) Experts usually face the problem of selecting the sub-system of MIS to be installed and
operated upon. The criteria may be the need and importance of a function for which MIS can
be installed first.
(3) Due to varied objectives of business concerns, the approach adopted by experts for designing
and implementing M.I.S. is a non-standardized one.

(4) Non-availability of cooperation from staff is a crucial problem. By organising lectures,
showing films and explaining the utility of the system, they can be educated. Some persons
can be involved in the development and implementation of the system.
(5) There is high turnover of experts. It can be reduced by creating better working conditions.
(6) Difficulty in quantifying the benefits of MIS so that it is comparable with cost.

Question No 7:
Discuss the purpose of an Executive Information System? (June 2004)(6 Marks)
Answer No 7:
Purpose of EIS:
1. To support managerial learning about an organisation, its work processes, and its interaction
with the external environment so that managers can make better decisions.
2. To allow timely access to information. Often, by the time a useful report can be compiled by
traditional methods, the strategic issues facing the manager have changed and the report is
never fully utilized.
3. To direct management's attention to specific areas of the organization or specific business
problems. Managers and subordinates can work together to determine the root cause of issues
highlighted by EIS.
4. Managers are particularly attentive to concrete information about their performance when it is
available to their superiors. This focus is very valuable if the information reported is actually
important and represents a balanced view of the organisation's objectives.

Question No 8:
What are the five characteristics of the types of information used in executive decision making?
(December 2005)(5 Marks)
Answer No 8:
Five characteristics of the types of information used in executive decision-making are lack of
structure, high degree of uncertainty, future orientation, informal source and low level of detail.
i) Lack of structure:
Many of the decisions made by executives are relatively unstructured. These types of decisions
are not as clear-cut as deciding how to debug a computer program or how to deal with an
overdue account balance. Also, it is not always obvious which data are required or how to
weigh available data when reaching a decision.
ii) High degree of uncertainty:
Executives work in a decision space that is often characterized by a lack of precedent.
Executives also work in a decision space where results are not scientifically predictable from
actions.
iii) Future orientation:
Strategic-planning decisions are made in order to shape future events. As conditions change,
organizations must change also. It is the executive's responsibility to make sure that the
organization keeps pointed toward the future.
iv) Informal source:
Executives, more than other types of managers, rely heavily on informal sources for key
information. Informal sources such as television might also feature news of momentous
concern to the executive, news that he or she would probably never encounter in the company's
database or in scheduled computer reports.
v) Low level of detail:
Most important executive decisions are made by observing broad trends. This requires the
executive to be more aware of the large overview than the tiny items. Even so, many
executives insist that the answers to some questions can only be found by mucking through
details.

Question No 9:
Discuss the impact of computers on Management Information System. (December 2005)(10 Marks)
Answer No 9:
i) Speed of processing and retrieval of data increases:
Modern business situations are characterized by high degree of complexity, keen competition and
high risk and reward factors. This invariably calls for systems capable of providing relevant
information with minimum loss of time. The computer, with its unbelievably fast computational
capability and systematic storage of information with random access facility, has emerged as an
answer to the problems faced in modern-day management. Processing of data in relevant form
and design, and retrieval of them when needed, in fact requires considerably less time and facilitates
management action and decision making.

ii) Scope of use of information system has expanded:
The importance and utility of information systems in business organizations was realized by most
of the concerns, especially after the induction of computers for MIS development. Systems experts
in business organisations developed areas and functions where computerized MIS could be used to
improve the working of the concern.

iii) Scope of analysis widened:
The use of computer can provide multiple types of information accurately and in no time to
decision makers. Such information equips an executive to carry out a thorough analysis of the
problems and to arrive at the final decision. Computer is capable of providing various types of
sales reports. These reports are quite useful in analyzing the sales department working and to
ascertain their weaknesses so that adequate measures may be taken in time. In this way, the use of
computer has widened the scope of analysis.

iv) Complexity of system design and operation increased:
The need for highly processed and sophisticated information based on multitudes of variables has
made the designing of the system quite complex. During the initial stage for MIS development,
systems experts faced problems in system designing and their operations. Now, the computer
manufacturers have developed some important programs to help their users. Besides, some private
agencies are also there who can perform the task of developing programs to cater to the
specialized needs of their customers, either on consultancy basis or on contract.

v) Integrates the working of different information sub-systems:
A suitable structure of management information system may be a federation of information systems,
viz., production, material, marketing, finance, engineering and personnel. Each of these
subsystems is required to provide information to support operational control, management control
and strategic planning. Such information may be made available from a common database. This
common database may meet the information requirements of different information subsystems by
utilizing the services of computers for storing, processing, analyzing and providing such
information as and when required.

vi) Increases the effectiveness of Information System:
Information received in time is of immense value and importance to a concern. Prior to the use of
computer technology for information purposes, it was difficult to provide the relevant information
to business executives in time even after incurring high expenses. The use of computer technology
has overcome this problem.

vii) More comprehensive information:
The use of computer for MIS has enabled systems experts to provide more comprehensive information
to executives on business matters.

Question No 10:
Mention the various components of a transaction processing system and discuss in detail one of
its components 'computer processing'. (June 2005) (10 Marks)
Answer No 10:
The principal components of a transaction processing system include inputs, processing, storage,
and outputs. These components or elements are part of both manual and computerized systems.
Processing: Processing involves the use of journals and registers to provide a permanent and
chronological record of inputs. The entries are done either by hand in simple manual systems
(journalized) or by a data entry operator using a PC. Journals are used to record financial
accounting transactions, and registers are used to record other types of data not directly related to
accounting.

Journals are used to provide a chronological record of financial transactions. It is theoretically
possible, but not often practicable, to use the two column general ledger as the only book of
original entry. However, to effect a division and saving of labour, special journals with special
analysis columns are used to record similar and recurring transactions. Some of the more common
special journals that may be kept are as follows:
• Sales Journal used to summarize sales made on account
• Purchase Journal used to summarize purchases made on account
• Cash Receipts Journal used to summarize receipts of cash
• Cash Disbursements Journal used to summarize disbursements of cash

These four journals are often used in conjunction with a separate general ledger to provide a
complete bookkeeping system. Special columns can be used in these books of original entry to
facilitate recording transactions or for classification of data.
The design of special-purpose journals is one of the most important steps in the design of an
accounting system. Journals must be carefully designed if they are truly to economize clerical
effort and at the same time function as true posting media in routing debits and credits to the
ledger. Properly designed journals eliminate numerous postings and at the same time enable one to
obtain quickly the total for all major transactions.
Computer Processing: When computers are used for processing, two different modes of processing
accounting transactions are possible. These modes are batch processing and direct processing.
Batch processing is conceptually very similar to a traditional manual accounting system. Batches
of transactions are accumulated as a transaction file. Transaction files are printed to provide
documentation of inputs to the accounting system. Transaction files are subsequently posted to
ledgers by computer programs. The ledgers are then periodically processed to generate financial
statements. The flow of processing in a batch processing computer system is essentially the same as in
a traditional manual system - source documents to journals (transaction files), journals to ledgers,
and ledgers to financial statements.
Processing converts data into information. Management is more interested in summary data such
as total sales and total account balance than in the details of a particular sales transaction.
Management thus has a permanent interest in the information that is contained in the accounts
receivable master file. In contrast, management's interest in transaction files is temporary. Once
the data have been processed to update master files, they are no longer of direct interest to
management. Transaction files must be saved, of course, to maintain an audit trail.
A reference or table file contains data that are necessary to support data processing. Common
examples of reference files used in data processing are payroll tax tables and master price lists.
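
The batch flow described above (transaction file, posting to the master file, summary output, saved transaction file as audit trail) is sketched below in Python as an added example that is not part of the original suggested answer. The account codes, prices and the SHA-256 fingerprint stored with each posting run are assumptions made for illustration.

```python
"""Batch posting sketch: transaction file -> master file -> summary report."""
import hashlib
import json
from decimal import Decimal

# Reference (table) file: master price list. Constructed sample data.
PRICE_LIST = {"A100": Decimal("250.00"), "B200": Decimal("99.50")}

# Master file: accounts receivable balance per customer. Constructed sample data.
AR_MASTER = {"C001": Decimal("1000.00"), "C002": Decimal("0.00")}

# Transaction file: one accumulated batch of credit sales. Constructed sample data.
SALES_BATCH = [
    {"seq": 1, "customer": "C001", "item": "A100", "qty": 2},
    {"seq": 2, "customer": "C002", "item": "B200", "qty": 4},
    {"seq": 3, "customer": "C001", "item": "B200", "qty": 1},
    {"seq": 4, "customer": "C009", "item": "A100", "qty": 1},  # unknown customer
]


def batch_digest(batch):
    """Fingerprint of the saved transaction file, recorded with the posting run."""
    canonical = json.dumps(batch, sort_keys=True).encode()
    return hashlib.sha256(canonical).hexdigest()


def post_batch(batch, master, prices):
    """Post a batch to a copy of the master file.

    Returns (new_master, journal, rejects, run_record). The batch and the old
    master are left unmodified, so the saved transaction file remains usable
    as the audit trail for this run.
    """
    new_master = dict(master)
    journal, rejects = [], []
    for txn in sorted(batch, key=lambda t: t["seq"]):  # chronological order
        if txn["customer"] not in new_master or txn["item"] not in prices:
            rejects.append({"seq": txn["seq"], "reason": "unknown customer or item"})
            continue
        amount = prices[txn["item"]] * txn["qty"]
        new_master[txn["customer"]] += amount
        journal.append({"seq": txn["seq"], "debit": "AR:" + txn["customer"],
                        "credit": "Sales", "amount": amount})
    run_record = {
        "batch_sha256": batch_digest(batch),
        "records_read": len(batch),
        "records_posted": len(journal),
        "records_rejected": len(rejects),
        "amount_posted": sum((j["amount"] for j in journal), Decimal("0")),
    }
    return new_master, journal, rejects, run_record


def reconcile(old_master, new_master, run_record):
    """The change in the master file total must equal the journal total."""
    delta = (sum(new_master.values(), Decimal("0"))
             - sum(old_master.values(), Decimal("0")))
    return delta == run_record["amount_posted"]


def summary_report(new_master, run_record):
    """Summary-level information of the kind management is interested in."""
    return {"total_receivables": sum(new_master.values(), Decimal("0")),
            "sales_this_batch": run_record["amount_posted"]}


if __name__ == "__main__":
    master, journal, rejects, run = post_batch(SALES_BATCH, AR_MASTER, PRICE_LIST)
    print(summary_report(master, run))
    print("rejected:", rejects)
    print("reconciled:", reconcile(AR_MASTER, master, run))
```

Recomputing `batch_digest` over the archived transaction file and comparing it with the value in the run record shows whether the file kept for the audit trail is still the one that was posted.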

Question No 11:
Discuss the source and nature of accounting/financial information which a personnel department
would require in an organization. (June 2005) (12 Marks)
Answer No 11:
The bulk of personnel information is generated by the accounting department and within the personnel
department itself. Besides, other departments and the external environment also make their
contribution. This information can be generated both internally and externally. Apart from internal
generation, the external information sources for the personnel function would include employment
agencies, labour unions, various governmental agencies, university placement offices, etc.
The Accounting Information System: Payroll processing is the traditional channel of personnel
information. Human resource accounting, though hardly prevalent in Indian industry, can
be another new channel. Finally, cost estimation for wage negotiations is another type of accounting
information for the personnel function.
Payroll Processing: The inputs to payroll processing are the job tickets and the clock cards. The
latter indicates the total number of hours an employee spends at work each day. This document
serves as the basic input to the payroll calculation and pay slip preparation function. The job ticket
is used to reconcile the timing on the clock card and to compute various job statistics discussed
below. For payroll of clerical, salaried and sales employees, the job time card is not used as the
related expenses are not charged to production in process. However, where it is desired to charge
expenses to such a specific project as sales promotion, a job time card may be used. For salaried
employees, the monthly gross pay is a known constant and for salesmen paid on commission
basis, sales data are required for payroll processing. Besides, such adjustments as additions,
deletions, amendments, etc. constitute another class of input data for payroll processing.
The basic outputs of payroll processing are pay slips and pay cheques. Reports of statistical nature are
also compiled. Take a production operation for example. The average time spent by each
employee on it may be computed and the grand average derived therefrom. This, in comparison to
the standard time, yields the efficiency with which the operation is being performed.
Likewise, the efficiency of an individual employee can be established. This would be a weighted
average of his efficiency in all of the various operations he has performed. Such statistics when
aggregated over a department provide the departmental efficiencies. These measures can be used
to evaluate the performance of the departmental foreman. If a standard cost system is in use then
labour cost variances can also be computed. Other types of possible reports and analysis are listed
below:
a) Reports on absenteeism
b) Analysis of indirect labour by the cost of inspection, material handling, maintenance, etc.
c) Reports on actual standard costs by department.
d) Analysis of overtime pay by departments, fringe benefits, salesmen commission, etc.
e) Such statistical measures as total number of employees, total hours worked, total labour cost,
average wage rate, rate of absenteeism, turnover and total fringe benefit costs. These may be
statistically analysed for trends and correlation etc.

Cost Estimating for Wage Negotiations: The management has the choice of trade-offs on the
following variables during negotiations with the labour unions.
• Wage raise
• Paid holiday
• Contribution to employees' insurance and pension plan
• Overtime premiums etc.
Cost accountants/payroll accountants would be in the best position to make various estimates for
the cost implications of trade-off.

The Personnel Department itself generates a great deal of information in the form of personnel
files and job specifications. The former would include such data about each employee as below:
• Physical characteristics
• Educational background and experience
• Payroll information
• Quantitative and qualitative evaluations of his past performance
• State of health and medical history
• Result of tests of ability and aptitude, etc.

Such information is quite useful for placement of employees for various positions, promotions etc.
The job specification details the training and experience for each job. Other information
generated within the personnel department may include aggregate safety and accident statistics, forecasts of
manpower requirements by job category within the organization, records and statistics of training
programmes, health services, etc.
The departmental supervisors provide useful information about their employees in their merit
evaluations, as also information about manpower requirements of their departments. The merit
evaluations would throw light on personality, initiative, attitude, judgement, character etc. of the
employees.

Question No 12:
Mention the factors on which information requirements depend. Discuss the information
requirements at top, middle and lower levels of management. (December 2006)(9 Marks)
Answer No 12:
Factors on which information requirements depend are:
(i) Operational function:
The operational functions comprise the actual task to be done, e.g., issuing cash when a cheque is
submitted.
(ii) Types of decision making:
The decision to be made. This type of information requirement is generally applicable in decision
making system for the supervisory level and executive level.
(iii) Level of management activity:
Different levels of the management hierarchy have different tasks to do, so their information needs also
differ. E.g., a teller needs information about a customer, whereas a supervisor needs information on total
deposits and total collections.

Information needs of the top level management are:
External needs: Competitive activities, customer preferences, technological changes, legal rulings,
economic trends, etc.
Internal needs: Historical sales, costs, profit, cash flow, divisional income, expenses, interests,
long term debt, cost updates, etc.

Information needs of the middle management (tactical level) are:
External: Price changes, shortage demand or supply, credit conditions etc.
Internal: Descriptive information, current performance indicators, over/under budgets, historical
profit, sales, income, etc.

Information needs of lower level management (operational level) are:
External: Material supplies and sales and their changes.
Internal: Unit sales and expenses, current performance, shortages and bottlenecks, input output
ratio, maintenance report, operating efficiencies and inefficiencies, etc.

Question No 13:
Organizational and information systems can be divided into four levels:
i. Strategic
ii. Management
iii. Knowledge
iv. Operational
At each level, explain the purpose of the system and the kind of employee expected to use it.
(December 2006)(8 Marks)
Answer No 13:
i. Strategic Level:
The purpose of the system at the strategic level is to match capability to changes in the environment, to
support strategic decision making, and to help with long-term planning. This type of information
system is used by senior managers, the executive board, etc.
ii. Management Level:
This information system provides periodic reports, may support non-routine decision making and
help managers to control. It is used by middle managers.

iii. Knowledge Level:


It helps in design; control paperwork; distribute information; possibly marketing; integrate new
knowledge. This is more technical information system. It is purely specific. It is used by
knowledge/ data workers e.g Engineers, salesperson/managers etc.
iv. Operational Level:
It is mainly used for answering routine questions, monitoring operations, monitoring/controlling
day-to-day activities, tracking the flow of transactions, etc. It is purely applicable to operations
managers, other employees, etc.

Question No 14:
What is an Executive Information System (EIS)? Distinguish EIS from a traditional information
system. (December 2006)(5 Marks)
Answer No 14:
An Executive Support System is also called a decision support system designed to meet the special
needs of top level managers. This tool is capable of dealing with the needs of strategic planning,
tactical planning as well as fighting decisions. This type of information system consists of summary
reports from all other departments.
Its advantages over traditional information systems are:
• EIS are specifically developed and maintained for senior managers' needs.
• EIS are able to access data about specific issues and problems as well as aggregate reports.
• EIS have the ability of exception reporting, trend analysis, etc.
• EIS can access a broad range of data, both internal and external.
• EIS are generally easy to use.
• EIS are used by executives without assistance.
• Information is presented in a lucid manner.
• Information is presented in summary format.
• EIS have the ability to manipulate data.

Question No 15:
Mention the components of Transaction Processing System (TPS). (December 2006)(5 Marks)
Answer No 15:
A transaction processing system is one that records the input and processes the data resulting
from business transactions and provides relevant information to increase the efficiency of the
business process. Business transactions can be processed online or in batches.
The components of TPS can be summarized as:

Inputs
Customer orders, sales slips, invoices, purchase orders and employee time cards are the physical
evidence of inputs into the transaction processing system. They help in capturing data, facilitate
operations by communicating data, standardize operations and provide permanent storage for
future reference.

Processing
Processing involves the use of journals and registers for the permanent and chronological storage
of the input data and for the analysis of the data thus recorded. Various types of journals used
might be cash journals, purchase journals, cash receipts and cash disbursements journals.

Storage
This is the permanent recording of the directly entered and processed data in manual and
computerized format. The general ledger, the accounts/vouchers payable ledger and the accounts
receivable ledger are examples from the financial accounting transaction processing system.

Outputs
Any document generated by TPS to increase the level of certainty is an output. Sometimes the output
of one system can be input to another system, in which case it acts as an intermediate report. A
customer invoice is an intermediate report, whereas financial reports and operational reports are
examples of outputs.

Question No 16:
The success of an organization depends upon its ability to gather, produce, maintain, and
disseminate knowledge. Explain, with the aid of examples, how each of the following types of
information system can promote this ability, and thus contribute to the success of an organization.
i. Office automation systems
ii. Knowledge work systems
iii. Group collaboration and support systems
iv. Artificial intelligence systems (December 2006)(8 Marks)
Answer No 16:
a. Office automation systems help coordinate information flow, disseminate information,
create and manage documentation, publish schedules, and distribute knowledge. Examples: word
processing, online diary system, shared databases.
b. Knowledge work systems allow the creation and storage of designs and products in
electronic form, which are easier to maintain and distribute, and the integration of knowledge.
Examples: design workstations, simulation and visualization tools, investment workstations.
c. Group collaboration and support systems provide access to knowledge repositories and shared
information stores; they assist in the production and maintenance of knowledge in group
working situations. Examples: workflow management, discussion tracking, security systems,
publishing systems, bug tracking.
d. Artificial intelligence in the form of voice recognition systems/language processing, expert
systems, or intelligent agents can assist with knowledge gathering, and process and present
relevant information for decision making. Examples: expert systems, decision support
systems, web agents, speech recognition systems.

Question No 17
What is a knowledge base? What different kinds of knowledge would you expect to find there?
(December 2006)(2 Marks)
Answer No 17
A database and associated functionality; holding information concerning or of relevance to an
organization; containing structured internal knowledge; external knowledge; tacit or informal
knowledge.

Question No 18
Differentiate between Management Information System (MIS) and Decision Support System
(DSS). (Old Syllabus December 2010)(3 Marks)
Answer No 18
Management information systems (MIS) is the study of information systems in business and
management. The term management information systems (MIS) also designates a specific
category of information systems serving management-level functions. Management information
systems (MIS) serve the management level of the organization, providing managers with reports
and often online access to the organization's current performance and historical records. Typically,
MIS are oriented almost exclusively to internal, not environmental or external, events. MIS
primarily serve the functions of planning, controlling, and decision making at the management
level. Generally, they depend on underlying transaction processing systems for their data.
MIS usually serve managers primarily interested in weekly, monthly, and yearly results, although
some MIS enable managers to drill down to see daily or hourly data if required. MIS generally
provide answers to routine questions that have been specified in advance and have a predefined
procedure for answering them. Most MIS use simple routines such as summaries and comparisons,
as opposed to sophisticated mathematical models or statistical techniques.
Decision-support systems (DSS) also serve the management level of the organization. DSS help
managers make decisions that are unique, rapidly changing, and not easily specified in advance.
They address problems where the procedure for arriving at a solution may not be fully predefined
in advance. Although DSS use internal information from TPS and MIS, they often bring in
information from external sources, such as current stock prices or product prices of competitors.
Clearly, by design, DSS have more analytical power than other systems. They use a variety of
models to analyze data, or they condense large amounts of data into a form in which they can be
analyzed by decision makers. DSS are designed so that users can work with them directly; these
systems explicitly include user-friendly software. DSS are interactive; the user can change
assumptions, ask new questions, and include new data.

Question No 19:
What do you understand by Transaction Processing System (TPS)? Explain the different business
cycles of TPS? (June 2006)(5 Marks)
Answer No 19
A transaction processing system is one that keeps records of and processes the data resulting from
business transactions. Business transactions can be processed online or in batches.
The nature and types of transaction processing cycles vary depending on the information needs of
a specific organization. Nevertheless, most business organizations have in common
transactions that may be grouped according to four common cycles of business activity.
• Revenue cycle: Events related to the distribution of goods and services to other entities and
the collection of related payments.
• Expenditure cycle: Events related to the acquisition of goods and services from other entities
and the settlement of related obligations.
• Production cycle: Events related to the transformation of resources into goods and services.
• Finance cycle: Events related to the acquisition and management of capital funds, including
cash.

Question No 20:
List the characteristics of an effective MIS. (June 2007)(8 Marks)
Answer No 20:
Important characteristics for an effective MIS as follows:
i. Management Oriented
It means that effort for the development of the information system should start from an appraisal
of management needs and overall business objectives.
ii. Management Directed
Because of the management orientation of MIS, it is necessary that management should actively
direct the system's development efforts.
iii. Integrated
Development of information should be integrated, meaning that all the functional and
operational information sub-systems should be tied together into one entity.
iv. Common data flows
It means that the use of common input, processing and output procedures and media is desirable
whenever possible.
v. Heavy planning element
Usually an MIS takes 3 to 5 years and sometimes a longer period to get established firmly within a
company; therefore, a heavy planning element must be present in MIS development.
vi. Sub-system concept
Even though the information system is viewed as a single entity, it must be broken down into
digestible sub-systems which can be implemented one at a time by developing a phase plan.
vii. Common Database
Database holds functional systems together. The organization of a database allows it to be
accessed by several information sub-systems and thus eliminates the necessity of duplication in
data storage, updating, deletion and protection.
viii. Computerized
It is possible to have MIS without using a computer, but the use of computers increases the
effectiveness of the system.

Question No 21:
What are the different categories of Information Systems? List out and explain.
(December 2007)(15 Marks)
Answer No 21:
System Analysts develop several different types of information systems to meet a variety of
business needs.

i. Transaction Processing Systems (TPS)
Processing of business transactions is the primary function of a computer-based system.
Computerized Transaction Processing Systems provide speed and accuracy, and can be programmed to
follow routines without any deviations. Transaction Processing Systems expedite and improve the
routine business activities of all organizations. An organization's standard operating procedures
that facilitate transaction handling are programmed into the computer software. The system controls
the data entry, processes transactions, provides search facilities and produces data and
information. A high volume of clearly understood transactions at the operating level of an
organization and the need to enhance the ability of managers to develop a more efficient approach
to information handling indicate the requirement for a computer system's assistance.

ii. Management Information Systems (MIS)
Transaction processing systems are operation oriented, whereas Management Information
Systems assist managers in decision making and problem solving. They primarily use results
produced by the Transaction Processing Systems; however, other information is also used. In
most organizations, recurring decisions must be made on several issues regularly, and they
require a limited amount of information. Since the decision making process and inputs are well
understood, the manager can identify the information required for a decision. A computer based
information system can be developed to produce specified reports to address and support recurring
decisions.

iii. Decision Support Systems (DSS)
Decision Support Systems are aimed at assisting higher level managers faced with unique
non-recurring decision problems. DSS is more applicable when the decisions are of an unstructured
or semi-structured nature. DSS can be used at the tactical level. It can be best used at the
strategic level. A Decision Support System is an interactive system that provides the user with
easy access to decision models and data from a wide range of sources, to support semi-structured
decision-making tasks. It is an informational application that is designed to assist an
organization in making decisions through data provided by business intelligence tools. Typical
information that a decision support application gathers and presents is: (a) comparative sales
figures, (b) projected revenues, and (c) consequences of different decision alternatives.

iv. Executive Information System (EIS)
Executive Information Systems are designed primarily for the strategic level of management. They
enable executives to extract summary data from the database and model complex problems
without the need to learn complex query languages, to enter formulae, to use complex statistics or
to have computing skills. High level summary data and trend analysis are provided at the touch of a
button. EIS are more externally focused, strategically based systems using both internal and
external data.

v. Expert Systems
Expert Systems are designed to replace the need for a human expert. They are particularly
important where expertise is scarce and expensive. This system is in an area of artificial
intelligence that is becoming increasingly popular. They perform a specific function or work in a
specified industry. An expert system allows the users to specify certain basic assumptions or
formulas and then uses these assumptions or formulas to analyze arbitrary events. Based on the
information used as input to the system, a conclusion is produced by the system. This system
attempts to replace, to a certain extent, the subjective decisions of senior managers.

Question No 22:
What are the main limitations of MIS? (December 2007)(8 Marks)
Answer No 22:
The quality of the outputs of MIS is basically governed by the quality of inputs and process.
i. MIS is not a substitute for effective management. It cannot replace managerial judgment in
making decisions in different functional areas. It is merely an important tool in the hands of
executives for decision making and problem solving.
ii. MIS may not have requisite flexibility to quickly update itself with the changing needs of
time, especially in the fast changing and complex environment.
iii. MIS cannot provide tailor-made information packages suitable for the purpose of every type
of decision made by executives.
iv. MIS takes into account mainly quantitative factors, thus it ignores the non-quantitative factors
like morale and attitude of members of the organizations, which have an important bearing on
the executive decision making process.
v. MIS is less useful for making non-programmed decisions. Such types of decisions are not of
routine type and thus require information, which may not be available from existing MIS to
executives.
vi. The effectiveness of MIS is reduced in organizations, where the culture of hoarding
information and not sharing with others exists.
vii. MIS effectiveness decreases due to frequent changes in top management, organizational
structure and operational team.

Question No 23
Differentiate between Batch processing and Direct processing. (December 2007)(3 Marks)
Answer No 23:
Batch processing is the processing of an accumulated number of transactions at one time.
Transactions are collected and processed against the master files at a specified time; for example,
one work day's inventory transactions are processed against the database at the end of the day or
on a periodic basis. Direct processing is the sequential processing of transactions in real time.
Under this, transactions are processed in the system as they happen, such as bank and airline
ticketing transactions.

Question No 24:
What are the components of DSS? Explain them in brief. (June 2008)(5 Marks)
Answer No 24:
There are four basic components of DSS and they are as follows:
i) The user: The user of DSS is generally the manager with an unstructured or semi-structured
problem to solve. The user of DSS can be at any level of authority and generally he/she does
not require computer background to use a DSS system for problem solution.
ii) Databases: DSS includes one or more databases. These databases contain routine as well as
non-routine data from both external and internal sources.
iii) Planning languages: Two types of planning languages are commonly used. They are: (i)
General-purpose planning languages that are used for performing many routine tasks like
statistical analysis of data, retrieval of data, etc. This language applies to a broad area. (ii)
Special-purpose planning languages are limited in what they can do, but they usually do
certain jobs better than the general-purpose planning languages.
iv) Model Base: The model base is the center of DSS that performs data manipulations and
computations with the data provided by the user. There are various types of models, like
mathematical models, statistical models, etc.

Question No 25
What are the purposes of executive information system (EIS)? Explain them in brief.
(June 2008)(10 Marks)
Answer No 25:
There are various reasons behind the use of EIS. Some of the reasons are:
• To support managerial learning about the organization, its work processes, and its interaction
with the external environment. This reason is the primary one, since decisions can be made better
if the managers are well informed.
• To allow timely access to information so that it can be used in time by the employee who needs
it. This timely access also has an impact on the learning process.
• To direct management attention to specific problem areas of the business.

Question No 26
How do internet and other information technologies support business processes within the
business function of marketing and finance? (December 2009)(15 Marks)
Answer No 26
Marketing information systems integrate the information flow required by many marketing
activities. Marketing information systems provide information for:

Interactive Marketing:
The explosive growth of Internet technologies has had a major impact on the marketing function.
The term interactive marketing has been coined to describe a type of marketing that is based on
using the Internet, intranets, and extranets to establish two-way interaction between a business and
its customers or potential customers. The goal of interactive marketing is to enable a company to
profitably use those networks to attract and keep customers who will become partners with the
business in creating, purchasing, and improving products and services.
• Customers are not passive participants, but are actively engaged in a network-enabled
proactive and interactive process.
• Encourages customers to become involved in product development, delivery, and service
issues.
• Enabled by various Internet technologies, including chat and discussion groups, web forms
and questionnaires, and e-mail correspondence.
• Expected outcomes are a rich mixture of vital marketing data, new product ideas, volume
sales and strong customer relationships.

Targeted Marketing:
Targeted marketing has become an important tool in developing advertising and promotion
strategies for a company's electronic commerce websites. Target marketing is an advertising and
promotion management concept that includes five targeting components:
• Community – companies can customize their web advertising messages and promotion
methods to appeal to people in specific communities. These can be communities of interest,
such as virtual communities of online sporting enthusiasts or arts and crafts hobbyists, or
geographic communities formed by the websites of a city or local newspaper.
• Content – advertising such as electronic billboards or banners can be placed on various
website pages, in addition to a company's home page. These messages reach the targeted
audience.
• Context – advertising appears only in web pages that are relevant to the content of a product
or service. So advertising is targeted only at people who are already looking for information
about a subject matter that is related to a company's products.
• Demographic/Psychographic – marketing efforts can be aimed only at specific types or
classes of people: unmarried, twenty-something, middle income, and male college graduates.
• Online Behavior – advertising and promotion efforts can be tailored to each visit to a site by
an individual. This strategy is based on "web cookie" files recorded on the visitor's disk
drive from previous visits. Cookie files enable a company to track a person's online
behaviour at a website so marketing efforts can be instantly developed and targeted to that
individual at each visit to their website.

Sales Force Automation:
Increasingly, computers and networks are providing the basis for sales force automation. In many
companies, the sales force is being outfitted with notebook computers that connect them to Web
browsers, and sales contact management software that connect them to marketing websites on the
Internet, extranets, and their company intranets. Characteristics of sales force automation include:
• Increases the personal productivity of salespeople.
• Dramatically speeds up the capture and analysis of sales data from the field to marketing
managers at company headquarters.
• Allows marketing and sales management to improve the delivery of information and the
support they provide to their salespeople.
• Many companies view sales force automation as a way to gain a strategic advantage in sales
productivity and marketing responsiveness.

For finance system:
Computer-based financial management systems support financial managers in decisions
concerning:
• The financing of a business.
• The allocation and control of financial resources within a business.

Major financial information system categories include:
• Cash and investment management
• Capital budgeting
• Financial forecasting
• Financial planning

Cash Management:
Cash management systems collect information on all cash receipts and disbursements within a
company on a real-time or periodic basis. Cash management systems:
• Allow businesses to deposit or invest excess funds more quickly, and thus increase the
income generated by deposited or invested funds.
• Produce daily, weekly, or monthly forecasts of cash receipts or disbursements (cash flow
forecast) that are used to spot future cash deficits or surpluses.
• Mathematical models frequently can determine optimal cash collection programs and
determine alternative financing or investment strategies for dealing with forecasted cash
deficits or surpluses.

Online Investment Management:
Many businesses invest their excess cash in short-term low-risk marketable securities or in higher
return/higher risk alternatives, so that investment income may be earned until the funds are
required. A portfolio of securities can be managed with the help of portfolio management software
packages. Online investment management services:
• Are available from hundreds of online sources on the Internet and other networks.
• Help a financial manager make buying, selling, or holding decisions for each type of security
so that an optimum mix of securities is developed that minimizes risk and maximizes
investment income for the business.

Capital Budgeting:
The capital budgeting process involves evaluating the profitability and financial impact of
proposed capital expenditures.
• Long term expenditure proposals for plants and equipment can be analyzed using a variety of
techniques. This application makes heavy use of spreadsheet models that incorporate present
value analysis of expected cash flows and probability analysis of risk to determine the
optimum mix of capital projects for a business.

Financial Forecasting and Planning:
A variety of financial forecasting packages provide analytical techniques that result in economic or
financial forecasts of national and local economic conditions, wage levels, price levels, and
interest rates.

Financial planning systems use financial planning models to evaluate the present and projected
financial performance of a business or of one of its divisions or subsidiaries. Financial planning
systems:
• Help determine the financial needs of a business and analyze alternative methods of financing
the business.
• Use financial forecasts concerning the economic situation, business operations, types of
financing available, interest rates, and stock and bond prices to develop an optimal financing
plan for the business.
• Frequently use electronic spreadsheet packages and DSS generators to build and manipulate
models.

Question No 27
What is the role of system maintenance in MIS? (December 2009)(5 Marks)
Answer No 27
In the early days, home computers were largely self-referential; people used them because they
were interested in them. Now, computers are usually used for real-world tasks, yet they still need
some navel-gazing attention at times!
The basic routine maintenance tasks are:
• Data backup
• Malware management
• File system maintenance

Backup
To back up is to create a redundant copy, so that if anything should happen to the original file, you
have recourse to the backup. The process can be as simple as copying files to diskettes, but this
soon becomes a problem where files are too big for diskette, where there are too many files, or
where too many diskettes are required. For large data sets, you may need to use a bulk storage
medium such as tape, Zip disk, CDR or similar. These are generally faster and more reliable than
diskettes.

Malware management
There's more on safe computing and malware. Malware includes viruses, worms, trojans, and
increasingly invasive commercial applications, and management has several parts:
• Risk avoidance and evaluation - choice of applications and system setup
• Risk avoidance and evaluation - user education and safe computing practice
• Risk detection and destruction - choice and use of antivirus software
• Keeping abreast of malware - antivirus updates and ongoing user education
Updating an antivirus generally involves these steps:
• Go to the antivirus vendor's web site via (say) Internet Explorer
• Navigate to the download section of the site
• Download any updates that are relevant, noting where these are saved
• Extract files from the downloaded archive to the antivirus program directory
OR select the update option within the antivirus software.

File system maintenance
Much can be done during system setup to improve the survivability, maintainability and
recoverability of the file system and its data, as discussed on the data management page. Thereafter,
there are three tasks required on a regular basis:
• Check that sufficient free space is available
• Check the file system for errors, and manage these
• Defragment the file system once it is known to be error-free

Question No 28
What do you mean by information system? Explain the transaction processing system and decision
support system. (December 2010)(5+5=10 Marks)
Answer No 28
An information system is an arrangement of people, data, processes, interfaces, networks, and
technology that interact for the purpose of supporting and improving both day-to-day operations in
a business (sometimes called data processing), as well as supporting the problem solving and
decision making needs of management (sometimes called information services).

Transaction processing systems (TPS) are the basic business systems that serve the operational
level of an organization. This refers to a computerized system that performs and records the daily
routine transactions necessary to conduct business. Examples are sales order entry, hotel
reservation systems, payroll, employee record keeping, and shipping.

At the operational level, tasks, resources, and goals are predefined and highly structured. The
decision to grant credit to a customer, for instance, is made by a lower-level supervisor according to
predefined criteria. All that must be determined is whether the customer meets the criteria.
A payroll system is a typical accounting TPS that processes transactions such as employee time
cards and changes in employee salaries and deductions. It keeps track of money paid to
employees, withholding tax, and paychecks.

There are mainly five functional categories of TPS: sales/marketing, manufacturing/production,
finance/accounting, human resources, and other types of systems specific to a particular industry.
Within each of these major functions are sub functions. For each of these sub functions (e.g., sales
management) there is a major application system.

Transaction processing systems are often so central to a business that TPS failure for a few hours
can lead to a firm's demise and loss of business edge. Managers need TPS to monitor the status of
internal operations and the firm's relations with the external environment. TPS are also major
producers of information for the other types of systems. (For example, the payroll system
illustrated here, along with other accounting TPS, supplies data to the company's general ledger
system, which is responsible for maintaining records of the firm's income and expenses and for
producing reports such as income statements and balance sheets.)

Decision-support systems (DSS) also serve the management level of the organization. DSS help
managers make decisions that are unique, rapidly changing, and not easily specified in advance.
This supports semi-structured and unstructured problem analysis. They address problems where
the solution procedures may not be available. Although DSS use internal information from TPS
and MIS, they often bring in information from external sources, such as current stock prices or
product prices of competitors. DSS are a specialized class of computerized information system that
supports business and organizational decision making activities. An ideal DSS is an interactive
software-based system intended to help decision makers compile useful information from the raw
data, documents, personal knowledge, and/or business models to identify and solve problems and
make decisions.

Normally, DSS have more analytical power than other systems. They use a variety of models to
analyze data and condense large amounts of data into an appropriate form for decision makers.
DSS are designed in such a way that users can work with them directly. These systems
explicitly include user-friendly software. DSS are interactive; the user can change assumptions,
ask new questions, and include new data.

Question No 29
Why computer based management system is required in an organization? Explain (December
2010)(10 Marks)
Answer No 29:
As long as organizations are small and have limited operational goals, manual information systems
are satisfactory. However, when the organization grows big and operations are in large numbers,
manual system may not be adequate to manage it. Developments in industry and commerce have
proved that computer-based information system is essential to efficiently run organizations. This is
due to the following reasons.
• Organizations are becoming larger and more complex to manage.
• Computer-based processing enables the same data to be processed in many ways, based on
needs, thereby allowing managers to look at the performance of an organization from
different angles.
• As the volume of data has increased and the variety of information and its timeliness are
now of great importance, computer-based information processing has now become essential
for efficiently managing organizations.
• Organizations have many branches spread over a wide geographical area.
• Markets are becoming more competitive and, to maintain a competitive edge, organizations
have to opt for a computer-based system.
• The general socio-economic environment demands more up-to-date and accurate
information. Human society is changing faster than ever before. Governmental regulations
have become complex. Organizations have to interact with many other interested parties
such as consumer groups, environmental protection groups, financial institutions, etc.,
which did not exist before.

Question No 30
What is expert system? Where is it used? (June 2010)(10 Marks)
Answer No 30
Expert systems are intelligent systems used to get specialized information in a very specific and
limited domain of human expertise. An expert system captures the knowledge of skilled employees
and experts in the form of a set of rules in a software system that can later be used by others.
An expert system can use a wide variety of methods to simulate the performance of the expert. Most
common of these methods are 1) the creation of a knowledge base which uses some knowledge
representation formalism to capture the Subject Matter Expert's (SME) knowledge and 2) a process
of gathering that knowledge from the SME and codifying it according to the formalism, which is
called knowledge engineering. Expert systems may or may not have learning components (or
artificial intelligence) but a third common element is that once the system is developed it is proven
by being placed in the same real world problem solving situation as the human SME, typically as
an aid to human workers or a supplement to some information system.
In actual decision making in the context of difficult and new problems, expert system may be of
little use but for well-defined problems with well-defined solutions, expert systems can give quick
answers based on the already existing knowledge base.

Question No 31
Draw the simple diagram for typical financial accounting system flow. Mention the advantages of
computerized financial accounting system and also describe meaning and objective of financial
reporting. (June 2010)(15 Marks)
Answer No 31

A financial accounting system essentially takes input from all other applications in the form of
journal vouchers. At the end of payroll processing, the payroll register is sent to the financial
accounting system. The inventory system sends the stock consumption report to the financial
accounting system. The production planning and control system sends a production expenses
statement to financial accounting. These statements include details of maintenance cost of
machines, power, water, electricity consumed etc. Fig 1 shows a typical financial accounting system
flow diagram.

Fig1. Financial and accounting system flow diagram

A financial accounting system using PCs gives the professional accountant the ability to apply
tools to review the financial records, thus reducing the time spent by the accountant in
collecting basic documents and allowing him/her to spend more time on more sophisticated
analysis. A strong and comprehensive financial accounting system is the basis for strong
management.
The main advantage of a computerized accounting system is that it saves time for the company. It
also provides accuracy and timely availability of financial information.
Financial reporting refers to general purpose, external financial reporting by business enterprise.
As such financial reporting includes not only financial statements but also other means of
communicating information that relates directly or indirectly to the information provided by the
accounting system i.e. information about organization resources, obligations, earning etc.
Financial reporting is not an end in itself but is intended to provide information that is useful in
making business and economic decisions.
The objectives of financial reporting are as follows:
• To provide information useful for investment decisions
• To provide information useful in assessing cash flow prospects
• To provide information about economic resources, obligations and owner's equity to identify
the organization's financial strengths and weaknesses
• To provide information about enterprise performance and earnings
• To provide information about liquidity, solvency and funds flow
• To provide information about management performance
• To include management explanations and interpretations

Question No 32
"Transaction Processing System is the building block of any information system." Justify this
statement with the relevant examples. (December 2011)(10 Marks)
Answer No. 32
Transaction processing systems are cross-functional information systems that process data resulting
from the occurrence of business transactions, where transactions are events that occur as part of
doing business such as sales, purchases, deposits, withdrawals, refunds and payments. The initial data of
every information system arises from the processing of business transactions. Thus the transaction
processing system is the building block of most information systems.

Let's take as an example the data generated whenever a business sells something to a customer on
credit, whether in a retail store or at an e-commerce site on the web. In this case, data
about the customer who purchases the product, about the sales person, about the product, stores etc.
will be generated. These are the first-stage data generated for the information system. These data
will be useful for the accounting information system, sales and marketing information system,
production information system and human resource information system. Further, data generated over
a certain interval of time can be utilized to develop business intelligence.

Moreover, as the payment is done through a credit card, it additionally generates data like
credit card numbers, credit checks, customer billing, inventory changes and increases in accounts
receivable balances, which in turn generate further data. This example shows that transaction
processing activities are needed to capture and process such data, or the operations of a business.
Therefore the transaction processing system plays a vital role in supporting the operations of e-business
and definitely is the building block of most information systems.

Question No 33
Discuss how top level management is benefitted with the use of Information Technology to achieve
its strategic vision. (December 2011)(5 Marks)
Answer No. 33
Top level management is defined as a set of management positions which are concerned with the
overall task of designing, directing and managing the organization in an integrated manner. In
broader sense the job of top level management can be categorized in two ways: external and
internal.

The top level management can use the tools and services of information technology for these
external affairs of the business:
• To analyze the competitive activities related to rivalry and new competitors
• To analyze customer preferences, historical behaviors of customers and the changes in business
in different time frames
• To analyze economic trends, legal rulings and technological changes which impact the
business and its profits
Besides this, top level management also benefits from the use of information technology for the
following internal business activities:
• To analyze historical sales and costs of the products
• To analyze profit, cash flow, divisional income and expenses
• To analyze financial ratios, interests and credit outstanding
The information related to these activities is available with the use of information technology.
This is how the top level management benefits from the use of IT to achieve its strategic vision.

Question No 34
What do you understand by MIS? What are the main characteristics of an effective MIS?
Distinguish between the information needs of top level management and middle level management.
( June 2011)(15 Marks)
Answer No.34
Management Information System (MIS) is a network established to timely obtain useful internal
and external information to make a decision in an organization. The network consists of people,
data, processes, interfaces, and technology that interact with each other to store information and
timely extract information for the management to make decisions to improve day-to-day
operations, solve problems, and develop strategies. This may be both a manual and a computer-based
system. It covers proper management and use of resources for effective and timely
achievement of the organizational objectives. Modern MIS are mostly based on computer systems.
The main characteristics of an effective MIS can be outlined as:
a) The system should be management-oriented. That is, it has to be designed keeping in mind
the management needs and overall organizational objectives.
b) It should be management directed. The MIS development should actively involve the
managers and incorporate their inputs and directions. Since MIS is intended for managers, the
development of MIS without involvement of managers can become out of touch.
c) The system should be integrated. That is, all the operational and functional modules of the
system should be closely tied together to make a single integrated entity. This integration
generally means incorporation of all the functional requirements of the organization into a
single operational system entity.
d) It should have common data flows for input, processing and output so that there is no need to
input, process or output same set of data separately.

e) Since MIS is intended to help in proper management and decision making, a serious planning
phase should precede the actual development/acquisition of the system.
f) The system should be integrated but should also be subdivided into different subsystems or
modules to be used/handled by different functional sub-entities in the organization.
g) It should have a centralized, common database or information repository so that everyone
using the system gets the same information.
h) It is better to have MIS fully computerized though it is possible to have MIS without
computers. However, nowadays, an MIS without computerization can barely be imagined.
Information needs of top level management and middle level management are different in many
respects since the top level managers' role is different from the middle level managers' role.
Main differences between the information needs of top level management and middle level
management are:

SN | Top Level Management | Middle Level Management
Internal information requirements
1 | Concise and to-the-point reports regarding sales, costs, profit, cash flow etc of the whole organization and functional units | Detailed report of the sales, costs, profit, cash flow etc of the related functional groups.
2 | Financial ratios, trend analyses, competitive scenarios | Current performance indicators with details on specific functional groups.
3 | Long term debt, outstanding credits | Group-wise debt, credit reports, budgeting details
4 | Concise project reports, balance sheets | Details, group-wise project reports, financial statistics.
External information
1 | Competitive activities | Product-wise pricing, competitive analysis
2 | Customer preferences, market trends, changing economic trends, fashion etc. | Price changes, shortages of products
3 | Economic trends, technological changes, legal rulings/legislations | Demand-supply situation, credit conditions, group-wise health of organization and its transactions.

Question No 35
What do you mean by Transaction Processing System? What are its components?
(Old Syllabus June 2011)(7 Marks)
Answer No 35
A transaction processing system is one that keeps records of the input, processes the data
resulting from business transactions and provides relevant information to increase the efficiency of
the business process. The business transaction can be online or batch processing. A transaction
processing system is very helpful in the case of sales, purchase and production.
The components of TPS can be summarized as:
Inputs:
Customer orders, sales slips, invoices, purchase orders and employee time cards are the physical
evidence of inputs into the transaction processing system. They help in capturing data, facilitate
operations by communicating data, standardize operations and provide permanent storage for
future reference.
Processing:
Processing involves the use of journals and registers for the permanent and chronological storage of
the input data and for the analysis of the data thus recorded. Various types of journals used might be
cash journals, purchase journals, cash receipts and cash disbursements journals.
Storage:
This is the permanent recording of the directly entered and processed data in manual and
computerized format. The general ledger, the accounts/vouchers payable ledger and the accounts
receivable ledger are examples from the financial accounting transaction processing system.
Outputs:
Any document generated by TPS to increase the level of certainty is an output. Sometimes the output
of one system can be input to another system, acting as an intermediate report. A customer
invoice is an intermediate report, whereas financial reports and operational reports are examples
of the outputs.

Question No 36
Compare modern days organizations MIS with that of traditional organizations MIS. Explain how
Decision Support system helps the top level management. (Old Syllabus June 2011)(8 Marks)
Answer No 36:
Traditional MIS | Modern MIS
Traditional Management Information System uses the paper based data storage mechanism and extracting the essential information manually whenever needed. | In the modern MIS, the computer hardware and software are used to input, process and display the essential information.
There was no proper methodology to keep a backup of the data to protect it from accident. | The data and information can be backed up anywhere in the world instantly and can be retrieved instantly.
It was simple and normal staff can handle it properly. | It is more technical, and specialized knowledge and expertise are essential.
It is cost effective | Initially it looks to be a costly affair; however, in the long run it is cost effective.
It is mainly centralized | It can be centralized or distributed. However, in both cases two or more users can access it simultaneously.
Transmitting to other parts involves purely manual process | It is fully automatic and can be transmitted to anywhere instantly.

The top level management of any organization is mainly responsible for overseeing all the tasks of
the organization. Top level management has to coordinate and establish cordial relationships among
the departments of the organization. They should be able to analyze the various indicators and
should be able to take even radical decisions for the benefit of the organization. Thus top level
management should be dynamic, far-sighted, and quick and correct while making decisions.
A decision support system (DSS) is that part of the information system which provides a tool to
managers/executives of an organization to assist them in solving semi-structured and unstructured
problems in their own, somewhat personalized way. Sometimes, the modeling can be
done in a spreadsheet.
Thus, a decision support system does not itself make any decision; rather it provides lots of
information which assists the top level management to make the right decision at the right time.
DSS provides alternative mechanisms and processes to the top level management which
will be helpful in many ways in running the organization.

Question No 37
What do you mean by Decision Support System (DSS)? Describe DSS with a relevant example of
its application to sales and marketing. (December 2012)(10 Marks)

Answer No 37
A decision support system is a computer-based information system that provides interactive
information support to managers and business professionals during the decision-making process,
using the following to make semi-structured business decisions:
– Analytical models
– Specialized databases
– A decision maker's own insights and judgments
– An interactive, computer-based modeling process
A decision support system itself is not a decision maker, nor does it replace human managers in
decision making. It provides the analysis of the problem from various perspectives, and it is the
duty of the human managers to choose the decision based upon all those. Thus, DSS is that type of
system which supports managers while solving semi-structured problems by providing
options from different perspectives. DSS gives the analysis based upon a mathematical/statistical
model.
Here is an example of the use of DSS in sales and marketing.
The total units of sales are assumed to be a function of the following parameters (among others):
• Incentives to the sales persons
• Promotion
• Rivalry
• Quality of product
• Customer economic status
These parameters do not have equal weightage while determining the sales. Thus the total unit
sales will be given by the products of the weightages and the variables. The product of the weightage
factors and the variables will be the mathematical model for the DSS. Now the analysis can be done
based upon this model.
The decision maker can now analyze, with the help of DSS, the effect on sales of changing the cost of
promotion. Similarly, the effect on sales can be analyzed with a change in the incentives
to the sales persons. At the same time, the effect of more than one parameter can also be checked.
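The what-if analysis described above can be sketched as follows. This is an added example, not part of the original suggested answer; it assumes the model is a weighted sum over the five listed parameters, and all weights, baseline values and function names are constructed for illustration.

```python
# Added illustration of DSS what-if analysis on a weighted sales model.
# The weights and baseline inputs below are constructed sample values.

WEIGHTS = {
    "incentives": 0.8,                # incentives to the sales persons
    "promotion": 1.5,
    "rivalry": -1.2,                  # stronger rivalry reduces unit sales
    "quality": 2.0,
    "customer_economic_status": 0.5,
}

BASELINE = {
    "incentives": 100.0,
    "promotion": 200.0,
    "rivalry": 50.0,
    "quality": 80.0,
    "customer_economic_status": 120.0,
}


def predict_units(inputs, weights=WEIGHTS):
    """Total unit sales as the sum of weightage x variable (assumed form)."""
    missing = set(weights) - set(inputs)
    if missing:
        raise ValueError(f"missing model inputs: {sorted(missing)}")
    return sum(weights[name] * inputs[name] for name in weights)


def what_if(changes, baseline=BASELINE, weights=WEIGHTS):
    """Apply absolute changes to one or more parameters and compare
    the scenario against the baseline. The baseline is not modified."""
    unknown = set(changes) - set(weights)
    if unknown:
        raise KeyError(f"not a model parameter: {sorted(unknown)}")
    scenario = dict(baseline)
    for name, delta in changes.items():
        scenario[name] += delta
    base_units = predict_units(baseline, weights)
    new_units = predict_units(scenario, weights)
    return {
        "baseline": base_units,
        "scenario": new_units,
        "change": new_units - base_units,
    }


def sensitivity(step_pct, baseline=BASELINE, weights=WEIGHTS):
    """Raise each parameter by step_pct percent, one at a time, and rank
    the parameters by the size of their effect on unit sales."""
    effects = []
    for name in weights:
        delta = baseline[name] * step_pct / 100.0
        effects.append((name, what_if({name: delta}, baseline, weights)["change"]))
    return sorted(effects, key=lambda item: abs(item[1]), reverse=True)


if __name__ == "__main__":
    print("Promotion +50:", what_if({"promotion": 50.0}))
    print("Promotion +50 and incentives +20:",
          what_if({"promotion": 50.0, "incentives": 20.0}))
    for name, change in sensitivity(10.0):
        print(f"{name:28s} {change:+.1f} units for a 10% increase")
```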

Question No 38
Define Supply Chain Management system. Why SCM strategy is important for an organization?
(December 2012)(8 Marks)
Answer No 38
As per definition SCM is the management of a network of all business processes and activities
involving procurement of raw materials, manufacturing and distribution management of Finished
Goods. SCM is also called the art of management of providing the Right Product, At the Right
Time, Right Place and at the Right Cost to the Customer.
Supply Chain Strategies are the critical backbone to Business Organizations today. Effective
Market coverage and Availability of Products at locations which hold the key to revenue recognition
depend upon the effectiveness of the Supply Chain Strategy rolled out. Very simply stated, when a
product is introduced in the market and advertised, the entire market in the country and all the
sales counters need to have the product where the customer is able to buy and take delivery. Any
glitch in product not being available at the right time can result in drop in customer interest and
demand which can be disastrous. Transportation network design and management assume
importance to support sales and marketing strategy.
Inventory control and inventory visibility are two very critical elements in any operation, for these
are the cost drivers and directly impact the bottom lines in the balance sheet. Inventory means
value and is an asset of the company. Every business has a standard for inventory turnaround that
is optimum for the business. Inventory turnaround refers to the number of times the inventory is
sold and replaced in a period of twelve months. The health of the inventory turn relates to the
health of the business.
In a global scenario, the finished goods inventory is held at many locations and distribution
centers, managed by third parties. A lot of inventory would also be in the pipeline in
transportation, besides the inventory with distributors and retail stocking points. Since any loss of
inventory anywhere in the supply chain would result in loss of value, effective control of inventory
and visibility of inventory gains importance as a key factor of Supply Chain Management
function.

Question No 39
What is the purpose of transaction processing system? Differentiate between master data and
transaction data. (June 2012)(10 Marks)
Answer No 39
A transaction processing system processes transactions and produces reports. Business transactions
occur when a company produces a product or provides a service. The transaction processing
system supports the monitoring, collection, storage, processing and dissemination of the
organization's basic business transactions. Transaction processing systems are those business
systems which process day-to-day transactions of an organization to carry out its business
operations. Every transaction may generate additional transactions. For example, when a purchase
transaction takes place, it changes the inventory level, accounts payable etc. The
information system that supports these transaction processes is the transaction processing system.
The transaction processing system is the backbone of an organization's information system.
Transaction processing systems provide the base for all other internal information support.
Master data is generally permanent data that remains with the system as long as the system is in
use. Master data is the main data used by the system. For example, an inventory control system
could have an inventory master file with one record for each item in inventory. Each record
contains fields for the item number, item description, unit cost, unit price and quantity on hand.
Transaction data is data about transactions that have occurred. For example, in an inventory
control system, an inventory
transaction file could be used to store data about additions to and removals from stock. Each
record contains fields for item number, the additions to stock and issues from stock. Transaction
data generally stays with the system only until the transactions are processed. The transaction data is
then replaced with other transaction data for new transactions. Master and transaction data may be
stored in data files or databases, which would form the stored data component of the system.
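The inventory example above, written out as an added sketch (not part of the original suggested answer): a batch run applies a transaction file to the master file, rejects invalid transactions to an exception list, reconciles a quantity control total and then clears the transaction file. The record fields follow the answer; the class and function names, validation rules and sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class MasterRecord:
    """Permanent data: one record per inventory item."""
    item_number: str
    description: str
    unit_cost: float
    unit_price: float
    quantity_on_hand: int


@dataclass(frozen=True)
class Transaction:
    """Temporary data: one stock movement awaiting processing."""
    item_number: str
    additions: int
    issues: int


def apply_transactions(master, transactions):
    """Update master records in place; return (applied, rejected)."""
    applied, rejected = [], []
    for txn in transactions:
        record = master.get(txn.item_number)
        if record is None:
            rejected.append((txn, "unknown item number"))
            continue
        if txn.additions < 0 or txn.issues < 0:
            rejected.append((txn, "negative quantity"))
            continue
        new_quantity = record.quantity_on_hand + txn.additions - txn.issues
        if new_quantity < 0:
            rejected.append((txn, "issue exceeds quantity on hand"))
            continue
        record.quantity_on_hand = new_quantity
        applied.append(txn)
    return applied, rejected


def control_total_ok(opening_total, applied, master):
    """Opening quantity plus net applied movement must equal closing quantity."""
    expected = opening_total + sum(t.additions - t.issues for t in applied)
    closing = sum(r.quantity_on_hand for r in master.values())
    return expected == closing


def run_batch(master, transaction_file):
    """Process the whole transaction file against the master file."""
    opening_total = sum(r.quantity_on_hand for r in master.values())
    applied, rejected = apply_transactions(master, transaction_file)
    if not control_total_ok(opening_total, applied, master):
        raise RuntimeError("control total mismatch: master file not reconciled")
    # Transaction data stays only until processed; the file is then
    # emptied so it can receive the next period's transactions.
    transaction_file.clear()
    return applied, rejected


def sample_master():
    """Constructed sample master file keyed by item number."""
    return {
        "A100": MasterRecord("A100", "Ball pen", 8.0, 12.0, 40),
        "B200": MasterRecord("B200", "Ledger book", 150.0, 220.0, 5),
    }


def sample_transactions():
    """Constructed sample transaction file."""
    return [
        Transaction("A100", additions=10, issues=15),
        Transaction("B200", additions=0, issues=8),    # more than is in stock
        Transaction("C300", additions=5, issues=0),    # not in the master file
        Transaction("B200", additions=20, issues=3),
    ]


if __name__ == "__main__":
    master_file = sample_master()
    txn_file = sample_transactions()
    done, exceptions = run_batch(master_file, txn_file)
    for rec in master_file.values():
        print(rec.item_number, rec.quantity_on_hand)
    for txn, reason in exceptions:
        print("REJECTED", txn.item_number, reason)
```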
Question No 40:
How could sales force automation affect sales person productivity, marketing management and
competitive advantage? (June 2012)(8 Marks)

Answer No 40:
Sales force automation is the use of computers to automate sales recording and reporting by sales
people as well as communications and sales support. It improves productivity by saving time
otherwise spent on manual creation of records, reports, and presentations; it improves
communications and accessibility to information to support sales activities; and it may help in
planning sales tactics.
Increasingly, computers and networks are providing the basis for sales force automation. In many
companies, the sales force is being outfitted with notebook computers, Web
browsers, and sales contact management software that connect them to marketing websites on the
Internet, extranets, and their company intranets. Sales force automation has increased
the personal productivity of salespeople, dramatically sped up the capture and analysis of sales
data from the field for marketing managers at company headquarters, and allowed marketing and sales
management to improve the delivery of information and the support they provide to their
salespeople. Many companies view sales force automation as a way to gain a strategic advantage
in sales productivity and marketing responsiveness.
Question No 41
What are the factors that contribute the vulnerability of the information system? (Old Syllabus,
June 2012)(5 Marks)
Answer No. 41
An information system is the integrated form of data, users, communication lines, software
application packages, database and hardware for storage and execution. This shows that a system
is like a fine statue made of delicate jewels. So at every point and interface there are chances of
unauthorized entry, execution of malicious programs, and data theft and destruction. Besides that,
there are also physical challenges at every step, like power outage, physical devastation and
disruption of the services at any point. Another thing is that each part of the system is
operated by humans, which is also a very vulnerable factor.
Thus the factors which contribute to the vulnerability of the information system can be
summarized point-wise as:
a. Points of interconnection of the system
b. Unauthorized entry to the system
c. Passing of data from one point to another point
d. Failure and outage of the power to the hardware
e. Numerous users of a single system
f. Students' tendency to intrude into other systems as a hobby and for fun
g. Human resources turnover
h. Connection of the system to the internet

Question No 42
Define the model of marketing information system for Bhatbhateni Superstore. Identify the
important input and output parameters of such a system. (December 2013)(10 Marks)
Answer No 42
Philip Kotler gives the summarized model of marketing information system as shown below:

This model is applicable for any marketing information system with the inputs and output defined
according to the functional area and objective of the specific organization.
The main inputs for the marketing information system of Bhatbhateni Superstore can be listed
as:
i. Information about the market status. This can be the market research data analyzing customer
needs, demands and perceptions. This can be done by conducting in-store customer surveys
or doing overall market research with expert team.
ii. Information about competition and impact of competition on the market.
iii. Information about the economic status of the society and consumers. The type and quality of
goods to be put on sale is directly related to the living standard and purchase power.
iv. The information about the recent development in trends and technologies. This is more useful
for products and services that are constantly evolving in terms of technology and trend.
v. Information about seasonal demands for festivals, special occasions, seasons (summer,
winter), major school and college academic sessions etc to promote seasonal products.

Similarly, the output of the marketing information system can be:

i. Current market status in reports.
ii. Impact of marketing and market research data on sales. This needs input from the inventory
and sales system as well.
iii. Information about the competitors and their impact on the business output of the superstore.
iv. Reports about ongoing, past and planned marketing activities.
v. Reports and data about the impact of seasonal and targeted marketing on sales and turnover.
vi. Reports about customer perception and level of satisfaction with respect to the products and
services from Bhatbhateni superstore.
vii. Other information for the middle and top management of the Superstore to take immediate,
short and long term marketing decisions.

The input and output items mentioned above are a few major items. A lot more can be added on to
the list depending upon the scenario and the specific model of the system.

Question No 43
Explain an expert system with its benefit and limitation. ( June 2013)(10 Marks)
Answer No 43
One of the most practical and widely implemented applications of artificial intelligence in business
is the development of expert systems and other knowledge-based information systems. A
knowledge based information system (KBIS) adds a knowledge base to the major components
found in other types of computer based information systems. An expert system (ES) is a
knowledge-based information system that uses its knowledge about a specific, complex application
area to act as expert consultant to its users. Expert systems provide answers to questions in a very
specific problem area by making human like inferences about knowledge contained in a specialized
knowledge base. They must also be able to explain their reasoning process and conclusions to a
user, so expert systems can provide decision support to end users in the form of advice from an
expert consultant in a specific problem area.
Benefits of Expert Systems
An expert system captures the expertise of an expert or group of experts in a computer-based
information system. Thus, it can outperform a single human expert in many problem situations.
That's because an expert system is faster and more consistent, can have the knowledge of several
experts, and does not get tired or distracted by overwork or stress. Expert systems also help
preserve and reproduce the knowledge of experts. They allow a company to preserve the expertise
of an expert before she/he leaves the organization. This expertise can then be shared by
reproducing the software and knowledge base of the expert system.

Limitations of Expert Systems
The major limitations of expert systems arise from their limited focus, inability to learn,
maintenance and developmental cost. Expert systems excel only in solving specific types of
problems in a limited domain of knowledge. They fail miserably in solving problems requiring a
broad knowledge base and subjective problem solving. They do well with specific types of
operational or analytical tasks but falter at subjective managerial decision making.

Expert systems may also be difficult and costly to develop and maintain. The costs of knowledge
engineers, lost expert time, and hardware and software resources may be too high to offset the
benefits expected from some applications. Also, expert systems can't maintain themselves; that is,
they can't learn from experience but instead must be taught new knowledge and modified as new
expertise is needed to match developments in their subject areas.
Although there are practical applications for expert systems, applications have been limited and
specific because, as discussed, expert systems are narrow in their domain of knowledge. An
amusing example of this is the user who used an expert system designed to diagnose skin diseases
to conclude that his rusty old car had likely developed measles. Additionally, once some of the
novelty had worn off, most programmers and developers realized that common expert systems
were just more elaborate versions of the same decision logic used in most computer programs.
Today, many of the techniques used to develop expert systems can now be found in most complex
programs without any fuss about them.

Question No 44
Write short notes on Need of flexibility to change in business information system
(June 2013)(5 Marks)
Answer No 44
An information system is a system that manages information and data critical to a business
organization or any other corporate body. In the modern computerized world, almost all
organizational activities revolve around computerized information systems. Such a system needs to be
able to fulfill all the information needs of the organization on a continuing basis. Since the type,
nature, importance and usability of information and its delivery mechanism change with time,
the system that manages and delivers information also needs to be flexible enough to absorb all or
most of those changes. Otherwise, the information system becomes less and less useful, finally
becoming obsolete and being replaced by a new system. However, replacing an existing system with a
new one needs a lot of investment and effort. To avoid this, the information system must be
designed and developed with a lot of foresight and planning so that it is flexible enough to absorb
necessary changes and prolong its own viability for the organization. This saves money, ensures
long continuation and avoids the unnecessary effort of changing systems frequently.

Question No 45
Identify and explain the functional model of information system for a car retail business house in
Nepal. (June 2014)(10 Marks)
Answer No 45
The functional model of the information system for a car retail business house in Nepal can be
illustrated as shown below:

[Figure: INPUTS → PROCESSING (Classify, Arrange, Calculate) → OUTPUTS, with a Feedback loop]

The major inputs for the retail business house can be outlined as:
1. Retail outlet information
2. Stock of items
3. Sales of items
4. Dealer and retailer details
5. Revenue collection

The major outputs for the information system in a retail house could include the following:
1. Detailed stock report
2. Sales related report and information
3. Revenue reports
4. Dues and payables to the dealers, manufacturers and other parties.
5. VAT report
6. Other tax report
7. On-demand details about items, prices and stock based on user query.

A schematic architecture of the information system for Inland Revenue Department can be shown
as follows:

[Figure: schematic architecture of the information system. Blocks: Inputs, Information Processing,
Outputs, Database system, Users, Link to Other systems, External system (DSS, MIS, ERP, GL and
financials).]
Inputs: Tax information; Taxpayer; Organizations; Individuals; Tax rules / tariff; Revenue;
Expenditures; Data queries; Report queries
Outputs: Tax information; Taxpayer; Organizations; Individuals; Collection reports; Due reports;
Outstanding / fraud; Income; Liabilities; Financial summary

The major components of the operational level information system for Inland Revenue
Department can be outlined as follows:
1. Data entry and input module to facilitate entry of data such as tax collections, new
registrations for VAT, PAN etc. Also includes the entry module for the users to feed data into
the system.
2. Database system to store all the data related to the operational and other level of information
system.
3. Network application and interfaces to connect with other information systems in the
department. These systems can include human resource management system, accounting and
ledger systems, audit systems, enterprise resource planning system, decision support system
etc.
4. Users of the system, both internal users from the department and external users such as the
taxpayers, government agencies, businesses etc.
5. External systems that take information from or provide data for the system. Such external
systems can include the ERP, HRMS, GL/Financials, DSS etc.

Question No 46
Prepare sample transaction report which shows the sales of two products in five regions of the
country for the month of May. Assume any other parameters you may find necessary. (June
2014)(5 Marks)


Answer No 46
The transaction processing report is as shown below. Here the ratio of the planned versus actual
sales is also calculated. This ratio can be useful in shaping the marketing strategy in different
regions to increase sales for the next month.

Product Code | Product Description | Sales Region | Actual Sales | Planned | Actual Versus Planned
112 | Tam-Tam Noodles | Central | 450123 | 400124 | 1.124958763
 | | Mid-Western | 340045 | 334400 | 1.016880981
 | | Western | 451112 | 550000 | 0.820203636
 | | Central | 400000 | 350000 | 1.142857143
 | | Eastern | 331122 | 400001 | 0.82780293
 | | Total (Avg) | 1972402 | 2034525 | 0.986540691

212 | Baba Biscuit | Central | 250001 | 271122 | 0.922097801
 | | Mid-Western | 223311 | 221100 | 1.01
 | | Western | 200000 | 150000 | 1.333333333
 | | Central | 331125 | 350000 | 0.946071429
 | | Eastern | 355000 | 450000 | 0.788888889
 | | Total (Avg) | 1359437 | 1442222 | 1.00007829

Question No 47
Describe in brief the Supply Chain Management (SCM) and Reverse Logistic. (June 2014)(6
Marks)
Answer No 47
Today, many organizations are expending effort on enterprise applications that extend support
beyond their core business functions. Companies are extending their core business applications to
interoperate with their suppliers and distributors to more efficiently manage the flow of raw
materials and products between their respective organizations. These supply chain management
(SCM) applications utilize the Internet as a means for integration and communications.
SCM applications are significant to systems analysts for the same reasons as stated for ERP
applications. As an analyst, you may be involved in the evaluation and selection of an SCM
package. Or you may be expected to implement and perhaps customize such packages to meet the
organization's needs. And again, you may expect to participate in redesigning existing business
processes to work appropriately with the SCM solution.

Reverse logistics is "the process of planning, implementing, and controlling the efficient, cost
effective flow of raw materials, in-process inventory, finished goods and related information from
the point of consumption to the point of origin for the purpose of recapturing value or proper
disposal. More precisely, reverse logistics is the process of moving goods from their typical final
destination for the purpose of capturing value, or proper disposal. Remanufacturing and
refurbishing activities also may be included in the definition of reverse logistics."
The evolution of reverse logistics for manufactured products is developing in direct proportion to
the rapid advancements in technology and the subsequent price erosion of products as new and
improved products enter the supply chain at a faster pace. With such thin margins and so much
competition, mismanagement of the supply chain can be devastating.
Those organizations with the infrastructure to capture and compare the composite value of
components with real time intelligent analysis and disposition based on changes in refurbishment
cost, resale value, spare parts, repair and overall demand will not only become more profitable, but
such flexibility and scalability will allow them to outmaneuver and eliminate the competition.
This is a case of modern Darwinism. It is survival of the fittest. A company either achieves
collaboration and integration within supply chain logistics or appears on the endangered species
list. Even the mighty predator, the Tyrannosaurus Rex, was doomed to extinction by the constant
progress of evolution.
Today, technology drives evolution at an astounding pace. The ability to capture, migrate,
integrate and facilitate the intelligent analysis of data is akin to the invention of fire. This is what
will separate the companies who can walk upright from the ones that will be stuck in the tar pits of
slow response.

Question No 48
Why are the information system needs for higher management different from the information
system needs of the operational team? Explain with examples. (December 2014)(5 Marks)
Answer No 48
The information system needs of higher management are different from those of the operational level
because there is a marked difference between the functions, perspectives, responsibilities, scopes
and roles of the operational team and higher management.
While the operational team is concerned with its specific, well-defined, structured operational
responsibilities, the management team has to deal mostly with unstructured, strategic and often
unplanned and unforeseen situations. Managers have to take decisions and solve problems that might
be entirely new, whereas the operational team rarely has to face such issues.
Hence, the information system needs of the management team are more strategic, less structured
and less predictable, whereas the needs of the operational team are more routine, more predictable
and more structured. The system functions, facilities, outputs etc. therefore have to be different
for managerial and operational teams.

Question No 49
Write short notes on Sales and marketing information system (December 2014)(5 Marks)
Answer No 49
The sales and marketing function is responsible for selling the organization's products or services.
Marketing is concerned with identifying the customers for the firm's products or services,
determining what they need or want, planning and developing products and services to meet their
needs, and advertising and promoting these products and services. Sales is concerned with
contacting customers, selling the products and services, taking orders, and following up on sales.
Sales and marketing information systems support sales and marketing activities.
These information systems are arranged by organizational level. At strategic level, these systems
monitor trends affecting new products and sales opportunities, support planning for new products
and services, and monitor the performance of competitors. At the management level, these systems
support market research, advertising and promotional campaigns, and pricing decisions; they also
analyze sales performance and the performance of the sales staff. At the knowledge level, these
systems support market analysis activities. At the operational level, these systems assist in locating
and contacting prospective customers, tracking sales, processing orders, and providing customer
service support.

Question No 50
Explain the relevance of manufacturing Information System in current scenario of industrialization.
What are the areas in which this Information System contributes? ( June 2015)(10 Marks)
Answer No 50
The manufacturing information system is a form of computer-integrated production system
that provides the relevant data in real time, as required for the efficient production of a
quality product with optimum utilization of man, machine and material and with just-in-time
delivery. Manufacturing information systems range from computer-aided design to just-in-time
inventory management, robotic control of machinery, shop floor planning and
scheduling of human resources. Manufacturing information systems contribute to an organization
at various levels.
The cost of production increases when a large warehouse area is needed and products are stored in
those warehouses for long durations, as space and time are very expensive. Just-in-time
inventory and just-in-time delivery systems help reduce the need for warehouses and storage of
products. The use of computer-aided design helps in developing highly precise products to
meet the demand for high-quality products. The manufacturing information system
optimally utilizes machines, manpower and materials. Thus, the manufacturing information system is
highly relevant in today's competitive business environment.
Some examples of the manufacturing information system are:
SN | System | Description | Organization Level
1 | Machine Control | Control the action of machines and equipment | Operational Level
2 | Computer Aided Design | Design new products using the computer | Knowledge Level
3 | Production Planning | Decide when and how many products should be produced | Management Level
4 | Facilities Location | Decide where to locate new production facilities | Strategic
Thus the specific areas in which the manufacturing information system contributes can be
summarised as:
1. Production Planning
2. Designing of the product
3. Development and Maintenance of production facilities
4. Acquisition of the production materials and just in time inventory management
5. Scheduling of the equipment and production facilities
6. Controlling of the equipment used and shop floor planning
7. Monitoring of production and controlling the various engineering processes involved.

Question No 51
Discuss how different levels of management will be benefitted by the use of software.
(December 2015)(10 Marks)
Answer No 51
Usually a commercial bank will have three levels of management hierarchy, named as:
1. Operational level
2. Middle Level and
3. Executive Level

These levels of the management hierarchy have different levels of duty and responsibility. To do
their jobs more effectively they need various types of information. Here is a description of how
the different levels of management will benefit from the use of the newly developed software package.


Operational Level:
Operational level management does not set long-term goals; however, it has everyday goals and
objectives. It needs information such as personal details of customers, customers' transactions,
the daily amount of deposits, the daily amount of withdrawals etc. Such information will be
available at a single click. The main beauty of the new software will be that such information can
be accessed simultaneously by a large number of users from all branches.

Middle Level Management:


Supervisory levels are the bridge between the executive level and the operational level. Supervising
managers get the work implemented by the operational level staff. With the help of the computer-based
information system, supervisors can track the progress of operations and know who
is responsible for which work and what should be done to achieve the goals set by the executive
level management. In the case of a bank, they can get information regarding the weekly/monthly
transactions of money: deposits and lending, interest etc. They can track the valuable customers.
They can track the areas in which there is lending. They can get information on the areas in which
loans are to be minimized or increased. Besides this, with the
implementation of the new software, middle level management can get information on accounting
and finance, payroll, human resources etc.

Executive level Management:


Executive level management is mainly responsible for making long-term, effective decisions: it is
responsible for setting the long-term goals of the organization and for making the policy level
decisions to achieve such goals. For example, it sets goals such as the profit over 5 years, the
position of the bank in 10 years, the expansion of the bank into various geographical areas, and
national and international collaborations. To make such decisions it needs information such as the
last 5 years' performance of the bank, the comparative performance of other banks, the support of
the employees etc. These types of information will be provided by the software at a click.

Question No 52
Compare Decision Support System with Executive Information System. (December 2015)(5
Marks)
Answer No 52
Decision Support System (DSS) | Executive Information System (EIS)
1. A decision support system can be defined as an information system that provides tools to managers to assist them in solving semi-structured and unstructured problems on their own. | 1. An executive information system is a tool provided to the executive body, which provides direct and online access to timely, accurate and relevant information in a useful and navigable format.
2. A DSS itself does not make any decision; rather, it provides analysis and all the possible results so that managers can make the decision on their own. | 2. Executive information systems get their input from the reports of the supervisory level system. An EIS can also have access to other decision support systems.
3. Thus a DSS is a support to the human decision making process instead of being a decision maker. | 3. An EIS can be helpful for decision making, analysis, policy and strategy formulation.
4. Access to a DSS can be limited to certain persons in the organization. It is accessible only to those persons who are in decision making positions. | 4. An EIS is mainly accessible to the top level management of the organization.

Question No 53
Discuss the steps involved in the Payment Process using credit cards.
(December 2015)(5 Marks)
Answer No 53
The process steps involved in the payment process using credit cards are listed as below:
1. The consumer contacts an issuing card bank and opens a credit card account. They are issued a
credit card with a unique account number and a credit line (which is how much they are
allowed to spend on the account).
2. Consumer provides the credit card information to pay for the transaction whenever s/he wants
to purchase any goods or services from a merchant.
3. The merchant takes the credit card information provided by the consumer and attempts to
validate it through tests and checks and sends it to the acquiring bank to find out if the
consumer has money available on the credit card to make the purchase. There should be some
communication mechanisms between the POS of merchant and acquiring bank.
4. The acquiring bank routes a request through the card association physical network to the issuing
bank to see if funds are available on the consumer's credit card.
5. The issuing bank checks the consumer's credit line and if funds are available they will set aside
the amount of money that the order requires for payment. This money is "reserved" only; it
has not changed hands, and is not the merchant's money yet. At this point a reply is sent back
through the card association network to the acquiring bank, then back to the merchant to let
them know the status of the request for funds.
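
The five steps above, traced as a small simulation. This is an added example, not part of the suggested answer; the class names, the Luhn checksum as the merchant's local check, routing on the first six digits, and the account figures are all assumptions made for illustration.

```python
"""Card authorization path: merchant -> acquiring bank -> card network -> issuing bank."""
from dataclasses import dataclass

TEST_PAN = "4111111111111111"  # widely published test number, not a real account

def luhn_valid(pan: str) -> bool:
    """Checksum test the merchant can run locally before contacting any bank."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits for receipts and logs."""
    if len(pan) < 13:
        return "*" * len(pan)
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

@dataclass
class Account:
    credit_line: int    # in minor currency units (constructed figure)
    reserved: int = 0   # authorized holds that have not been settled

class IssuingBank:
    def __init__(self):
        self._accounts = {}

    def open_account(self, pan, credit_line):       # step 1
        self._accounts[pan] = Account(credit_line)

    def available(self, pan):
        acct = self._accounts[pan]
        return acct.credit_line - acct.reserved

    def authorize(self, pan, amount):                # step 5
        acct = self._accounts.get(pan)
        if acct is None:
            return {"approved": False, "reason": "unknown account"}
        if amount <= 0 or amount > acct.credit_line - acct.reserved:
            return {"approved": False, "reason": "insufficient credit"}
        acct.reserved += amount     # set aside only; nothing is paid out yet
        return {"approved": True, "reason": "funds reserved"}

class CardNetwork:
    def __init__(self):
        self._issuers = {}          # assumption: route on the first six digits

    def register(self, prefix, issuer):
        self._issuers[prefix] = issuer

    def route(self, pan, amount, path):              # step 4
        path.append("card network")
        issuer = self._issuers.get(pan[:6])
        if issuer is None:
            return {"approved": False, "reason": "no issuer for card prefix"}
        path.append("issuing bank")
        return issuer.authorize(pan, amount)

class AcquiringBank:
    def __init__(self, network):
        self.network = network

    def request(self, pan, amount, path):            # step 3, second half
        path.append("acquiring bank")
        return self.network.route(pan, amount, path)

class Merchant:
    def __init__(self, acquirer):
        self.acquirer = acquirer
        self.received = 0           # stays 0: authorization moves no money

    def charge(self, pan, amount):                   # steps 2 and 3
        path = ["merchant"]
        if luhn_valid(pan):
            reply = self.acquirer.request(pan, amount, path)
        else:
            reply = {"approved": False, "reason": "failed merchant card check"}
        return {**reply, "card": mask_pan(pan), "path": path}

def build_demo():
    """Wire up one issuer with one constructed account and one merchant."""
    issuer = IssuingBank()
    issuer.open_account(TEST_PAN, 50_000)
    network = CardNetwork()
    network.register(TEST_PAN[:6], issuer)
    return issuer, Merchant(AcquiringBank(network))

if __name__ == "__main__":
    issuer, merchant = build_demo()
    for pan, amount in [(TEST_PAN, 30_000), (TEST_PAN, 30_000), ("4111111111111112", 100)]:
        print(merchant.charge(pan, amount))
```

The second charge is declined because the first hold already reduced the available credit, and the mistyped number never leaves the merchant; replies carry only the masked card number.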


Question No 54
What do you mean by Decision Support System (DSS)? Describe DSS with a relevant example of
its use in marketing and sales. (December 2016)(8 Marks)
Answer No 54
A Decision Support System (DSS) is a computer-based information system that provides interactive
information support to managers and business professionals during the decision-making process.
Thus, a DSS is not itself the decision maker; rather, it supports the manager in making a good
decision on semi-structured issues. A DSS normally works with the following models:
– Analytical models
– Specialized databases
– A decision maker's own insights and judgments
– An interactive, computer-based modeling process
A DSS supports managers in solving semi-structured problems
by providing options from different perspectives. It gives analysis based upon a
mathematical/statistical model.
Here is an example of the use of a DSS in sales and marketing.
The total units of sales are assumed to be a function of the following parameters (among others):
– Incentives to the sales persons
– Promotion
– Rivalry
– Quality of product
– Customer economic status

These parameters do not carry equal weightage in determining sales. Thus the total units of
sales will be the sum of the products of each weightage and its variable. This sum
is the mathematical model for the DSS. The model can be a
linear or non-linear equation. Sales forecasting analysis can then be done by changing the
parameters involved. The model also helps in reverse tracking: that is, in order to sell a
particular amount of product, how much incentive is to be given to sales persons, how much is to be
invested in promotion, what the quality of the product should be, etc.
The decision maker can now analyze, with the help of the DSS, the effect on sales of changing the
cost of promotion. Similarly, the effect on sales of a change in the incentives
to the sales persons can be analyzed. The effect of changing more than one parameter at the same
time can also be checked.
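
The weighted model, the what-if analysis and the reverse tracking described above, as an added example that is not part of the suggested answer. All weightages, baseline figures and function names are constructed assumptions; the square-root promotion term is one possible non-linear form, and reverse tracking assumes sales move in one direction as the chosen parameter rises.

```python
"""What-if and reverse tracking on a weighted sales model (all figures constructed)."""
import math

# Constructed weightages: sales units contributed per unit of each parameter.
WEIGHTS = {
    "incentive": 0.5,          # per rupee of sales-person incentive
    "promotion": 1.5,          # per rupee of promotion spend
    "rivalry": -2.0,           # per point of competitor activity (reduces sales)
    "quality": 30.0,           # per point of product quality score
    "customer_economy": 12.0,  # per point of customer economic status index
}

BASELINE = {"incentive": 1000, "promotion": 2500, "rivalry": 50,
            "quality": 8, "customer_economy": 10}


def linear_sales(p):
    """Linear model: sum of the products of each weightage and its variable."""
    return sum(WEIGHTS[name] * p[name] for name in WEIGHTS)


def diminishing_sales(p):
    """Non-linear variant: promotion has diminishing returns (square root)."""
    rest = sum(WEIGHTS[n] * p[n] for n in WEIGHTS if n != "promotion")
    return rest + 60.0 * math.sqrt(p["promotion"])


def what_if(model, baseline, **changes):
    """Forecast after changing one or more parameters; returns (units, delta)."""
    unknown = set(changes) - set(baseline)
    if unknown:
        raise KeyError(f"unknown parameter(s): {sorted(unknown)}")
    new_units = model({**baseline, **changes})
    return new_units, new_units - model(baseline)


def reverse_track(model, baseline, name, target, lo, hi, tol=1e-6):
    """Bisection: find the value of `name` in [lo, hi] that yields `target` units.

    Works for any model that is monotonic in `name` over the interval.
    """
    def gap(x):
        return model({**baseline, name: x}) - target

    gap_lo, gap_hi = gap(lo), gap(hi)
    if gap_lo * gap_hi > 0:
        raise ValueError(f"target {target} not reachable with {name} in [{lo}, {hi}]")
    increasing = gap_hi >= gap_lo
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if (gap(mid) < 0) == increasing:
            lo = mid    # root lies above mid
        else:
            hi = mid    # root lies at or below mid
    return (lo + hi) / 2


if __name__ == "__main__":
    print("baseline units:", linear_sales(BASELINE))
    print("promotion 3500:", what_if(linear_sales, BASELINE, promotion=3500))
    print("incentive for 5510 units:",
          round(reverse_track(linear_sales, BASELINE, "incentive", 5510, 0, 10_000), 2))
    print("promotion for 4360 units (non-linear):",
          round(reverse_track(diminishing_sales, BASELINE, "promotion", 4360, 0, 10_000), 2))
```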

Question No 55
Distinguish between: Online processing and batch processing (December 2016)(5 Marks)
Answer No 55
Batch Processing


In this mode, transactions are accumulated and submitted to the computer as a single "batch." In
the early days of computers, this was the only way a set of transactions could be processed.
Inherent in batch processing is a time delay between the batching of the transactions and the
updating of the records. Sometimes this delay can be as long as overnight. Thus, errors in a batch
processing system caused by incorrect programs or data may not be detected immediately.

Online Processing
In this mode, the computer processes each transaction individually as the user enters it. The user is
in direct communication with the computer and gets immediate processing/feedback on whether
the transaction was accepted or not. In online systems, having the latest information available at
all times is crucial so that users can make immediate decisions. These are called real-time systems.

Question No 56
Assume that you are working as the Chief Executive Officer for the Nepal Door Sanchar Company
Limited (NDCL). You want to have an Executive Information System (EIS) to support your work.
In this context answer following question;
a) Why do you want to have EIS?
b) Compare EIS with other information system. (June 2016)(20 Marks)

Answer No 56
Nepal Door Sanchar Company Limited (NDCL) is the leading telecom operator in Nepal,
providing voice and data services. It operates voice and data services through the
public service telephone network (PSTN) and the mobile phone network. The services reach almost
all parts of the country. It has very high financial transactions. NDCL is one of the highest tax
paying companies in Nepal. Its technical and administrative staff number around 5 thousand in the
country. It also has fixed assets in the form of buildings and land, along with the
telecommunication infrastructure. This is the basic background of the company.
The operation of NDCL is highly distributed, ranging from switching of voice channels and data
transmission to maintenance and optimization of the networks while maintaining the quality of
services. Another very important area of NDCL's business is the sale of mobile SIMs/telephone lines
and customer care. To handle these businesses NDCL has different types of ICT systems, and
the concerned heads of the departments and functional units are responsible for supervising their
subordinates.
Being the CEO, I want to know the summary status of all business activities going on in my
office. It is really time consuming for me to check each and every system to get the relevant
information. So, I want to have the summary of all the systems in the form of an Executive
Information System. This system should let me go into the detail of every system whenever needed.
It should be able to provide a graphical summary (charts, graphs etc.) of the status/progress of
the work going on in my organization in finance, sales and customer support, operation and
maintenance, human resource, procurement etc. The system should be able to indicate peculiarities
in all areas with distinct features. This executive system should run on the internet so that I can
track the status from any place. The executive information system should have analysis features
and should give comparative information, trends and ideas about business opportunities
and problems.
If I have an EIS, my work will be highly precise and effective. Generally, unstructured
decisions have to be made from my position. In this case the EIS will help me to take the right
decision at the right time. Thus, the EIS will help me to make good decisions, and the overall
efficiency of NDCL can be increased as I can access the right information at the right time without
hassles.
b)
SN | Executive Information System (EIS) | Management Information System (MIS) | Decision Support System (DSS)
1 | EIS is the summary of all types of systems, which is helpful more towards the unstructured decision making process. | MIS is generally a sophisticated reporting system built on existing transaction processing. | DSS is a system which helps to support the semi-structured decision making process.
2 | EIS supports the executive level of management and is often used to formulate high level strategic decisions impacting on the direction of the organization. | Often used to support structured decision making. | DSS problems are often characterized by incomplete or uncertain knowledge, or the use of qualitative data.
3 | These systems will usually have the ability to extract summary data from internal systems, along with external data that provides intelligence on the environment of the organization. | Typically will also support tactical level management, but sometimes are used at other levels. | DSS will often include modeling tools, where various alternative scenarios can be modeled and compared.
4 | Generally these systems work by providing a user friendly interface into other systems, both internal and external to the organization. | Examples of structured decisions supported by MIS might include deciding on stock levels or the pricing of products. | Investment decisions are examples of those that might be supported by DSS.

Question No 57
Explain about the CRM system with its application areas in business. (June 2016)(8 Marks)
Answer No 57
The way business houses view customers is changing these days. Customers are
treated as long-term assets instead of a one-time exploitable source of income. To nurture
customers as long-term assets, customer relationship management (CRM) systems using
information technology have been adopted. CRM is both a business and technology
discipline that uses information systems to integrate all of the business processes surrounding the
firm's interactions with its customers in sales, marketing and service. The ideal CRM system
provides end-to-end customer care from receipt of an order through product delivery. A good CRM
system consolidates customer data from multiple sources and provides the analytical tools for
answering questions such as: What is the value of a particular customer to the firm over his or her
lifetime? Who is the most loyal customer? How can the organization reach those customers?
A customer relationship management system is a software suite which gives all members of the
organization who deal with the customer a complete view of the customer in a few clicks, providing
support and information to enhance the long-term relationship between potential and existing
customers and the organization. At the same time, CRM also gives the customer a complete view of the
organization in a few clicks. Thus CRM is a cross-functional information system that
integrates and automates many customer-oriented business activities such as sales, marketing and
customer services with the help of a web-based IT framework.
The major application areas of CRM can be listed as:
– Contact and Account Management
– Sales
– Marketing
– Customer Support
– Retention

Contact and account management:

This area mainly helps marketing and service professionals to capture and track the relevant
customer data. The customer data can be captured from websites, telephone, fax, email etc.

Sales:


A CRM software suite provides sales representatives with the tools to enhance their activities. It
can help them with the cross-selling and up-selling of products.

Marketing:
CRM systems help marketing professionals accomplish direct marketing campaigns by automating
such tasks as qualifying leads for targeted marketing and scheduling and tracking direct marketing
mailings. They also help marketing professionals to analyze the data of prospective customers.

Customer Support:
CRM software provides service representatives with software tools and real time access to
the common customer database shared by sales and marketing professionals. CRM helps
customer service managers create, assign and manage requests for service by customers.

Retention:
It helps to retain the most valuable and potential customers by enhancing the relationship. It helps
to identify such customers and reward them in kind.

Question No 58
How will you integrate the Sales Information System with the Sales Force Automation System?
(December 2017)(10 Marks)
Answer No 58
Sales information system is normally used in marketing and sales management system. This system
starts from the points of sale of a product and finish after sending the invoice to the customer. Sales
information system is all about the record keeping of the products and services sold to the
customer. It contains the information related with the product sold, geographical areas, period, and
types of customer etc. Thus for the ABC Company, the sales information system will provide
customer data according to their needs. These data can further be used to generate analytical
information. e.g. trend and patterns of the sales according to geography, demography, period etc.
Moreover, behavioral analysis of the customer can also be made based upon the history of the
purchase by the customer.
A Sales Force Automation System (SFA), typically a part of ABC company's Customer
Relationship Management system, is a system that automatically records all the stages in a sales
process. SFA includes a contact management system which tracks all contact that has been made
with a given customer, the purpose of the contact, and any follow up that might be required. This
ensures that sales efforts are not duplicated, reducing the risk of irritating customers. SFA also
includes a sales lead tracking system, which lists potential customers through paid phone lists, or
customers of related products. Other elements of an SFA system can include sales forecasting,
order management and product knowledge. More developed SFA systems have features where
customers can actually model the product to meet their required needs through online product
building systems.
Thus, the output of the sales information system will be the input data for the sales force
automation. The analytical information of the customer and their behavior will be highly useful to
concentrate on the probable sales, resulting in the increment of the revenue. Moreover, based on
the sales information, potential customers can be identified, which will be good
information for the push sale.

Question No 59
What do you mean by Expert System? Explain it with applications and its benefits.
(December 2017)(8 Marks)
Answer No 59
Using an expert system involves an interactive computer-based session in which the solution to a
problem is explored, with the expert system acting as a consultant to an end user. The expert
system asks questions of the user, searches its knowledge base for facts and rules or other
knowledge, explains its reasoning process when asked, and gives expert advice to the user in the
subject area being explored.
Expert systems are being used for many different types of applications, and the variety of
applications is expected to continue to increase. It should be realized, however, that expert systems
typically accomplish one or more generic uses. Expert systems are being used in many different
fields, including medicine, engineering, the physical sciences, and business. Expert systems now
help diagnose illnesses, search for minerals, analyze compounds, recommend repairs, and do
financial planning. So from a strategic business standpoint, expert systems can be and are being
used to improve every step of the product cycle of a business, from finding customers to shipping
products to providing customer service.

Benefits of Expert Systems


An expert system captures the expertise of an expert or group of experts in a computer-based
information system. Thus, it can outperform a single human expert in many problem situations.
That's because an expert system is faster and more consistent, can have the knowledge of several
experts, and does not get tired or distracted by overwork or stress. Expert systems also help
preserve and reproduce the knowledge of experts. They allow a company to preserve the expertise
of an expert before she leaves the organization. This expertise can then be shared by reproducing
the software and knowledge base of the expert system.

Question No 60
Discuss about the use of Information System at different levels of hierarchy of organization.
(June 2017)(8 Marks)


Answer No 60
A computer based information system is the integrated form of Information Technology which collects
data from different sources and processes those data to generate information; the information thus
obtained optimizes the organizational procedures. It provides customized information to
different hierarchies of management as and when required.
There are three levels of management hierarchy, which use information systems to enhance their
efficiency. Those levels are:
a.) Top Level Management
b.) Middle Level Management
c.) Operational Level Management
Top Level Management:
Top level management is defined as a set of management positions, which is concerned with the
overall task of designing, directing and managing the organization in an integrated manner. In a
broader sense, the job of top level management can be categorized in two ways: external and
internal.
A computer based information system provides the following types of information to the top level management.
• Long term policy and strategy formulation
• Unstructured decision making process
• Analysis of the competitive activities of rivals
• Analysis of customer preferences
• Analysis of economic trends, legal rulings and technological changes
• Analysis of historical data of the organization
• Analysis of profit, cash flow, divisional income, sales, expenses
• Analysis of financial ratios, interests, credit outstanding etc.
Middle Level Management (Tactical Level):
Middle management is defined as a group of management positions which tend to overlap the top
and operational management levels. Middle level management is mainly focused on supervision
and monitoring of the operations and the administrative work in the sense that it is responsible for
the elaboration, classification and maintaining operation of organization goals. The IS provides the
following information to the middle level management to enhance their performance.
• Semi-structured decision making process
• Supervisor roles
• Short term policy and strategy formulation
• Information about price changes, shortages of products and raw materials
• Information about demand and supply, credit conditions
• Organizational performance indicators, over-under budgets
• Information about sales, incomes, profits/losses etc.
Operational Level Management:


The operational level of management is defined as the group of those management staff who are
responsible for carrying out the day to day work and the execution of the actual operation of the office.
The operational level management is mainly concerned with implementing operational plans,
policies and procedures for the purpose of conversion of inputs into outputs. The IS provides the
following information to the operational level management.
• Structured decision-making process
• Customer details, staff details, product details
• Unit sales, expenses, stocks, staff attendance
• Current performances, operational level efficiencies and inefficiencies, input-output ratios,
maintenance reports etc.

Question No 61
XYZ Ltd., in the business of manufacturing and sales of Packaged Edible Oil, is contemplating
conversion to computerized system from present manual system for recording of production, sales,
inventory and accounting transactions. Your company has been hired by XYZ Ltd. for development
of computerized system. Answer the following questions assuming that you have been assigned for
system analysis.
Describe any five functional areas of a system which needs to be analyzed by system analyst for
detailed investigation of the present manual system of the organization.
Based on the functional area of XYZ Ltd., design a template of report to show summary of the
production, sales and inventory information of the Edible Oil products produced by the company.
(December 2018)(20 Marks)
Answer No 61
Analysis of the Present System - Detailed investigation of the present system involves collecting,
organizing and evaluating facts about the system and the environment in which it operates. Survey
of existing methods, procedures, data flow, outputs, files, input and internal controls should be
intensive in order to fully understand the present system and its related problems. There are several
functional areas, which should be studied in depth. We have discussed the following five major
functional areas:

(i) Analyze Inputs – Source documents are used to capture the originating data for any type of
the system. The system analyst should be aware of the various sources from where the data
are initially captured. He must keep in view the fact that outputs for one area may serve as an
input for another area. He must understand the nature of each form, what is contained in it,
who prepared it, from where the form is initiated, where it is completed, the distribution of the
form and other similar considerations to determine how these inputs fit into the framework of
the present system.


(ii) Review data files – The analyst should investigate the data files maintained by each
department noting their number and size, where they are located, who uses them and the
number of times per given time interval these are used. This information may be contained in
the system and procedures manuals. He should also review all online and off-line files which
are maintained in the organization as it will reveal information about data that are not
contained in any output. The related cost of retrieving and processing the data is another
important feature to be considered by the system analyst.
(iii) Review methods, procedures and data communication – Methods and procedures
transform input data into useful output. A procedure review is an intensive survey of the
methods by which each job is accomplished, the equipment utilized and the actual location of
the operations. Its basic objective is to eliminate unnecessary tasks or to perceive
improvement opportunities in the present information system. The analyst must review the
types of data communication equipment including data interface, data link, modems, dial-up
and leased lines and multiplexers. He must understand how the data communication network
is used in the present system so as to identify the need to revamp the network when the new
system is installed.
(iv) Analyze Outputs - The outputs or reports should be scrutinized carefully by the system
analyst in order to determine how well they will meet the organization's need. The analyst
must understand what information is needed and why, who needs it and when and where it is
needed. Additional questions concerning the sequence of the data, how often the form
reporting it is used, how long it is kept on file etc. must be investigated. Often many reports
are a carry-over from earlier days and have little relevance to current operations. Attempts
should be made to eliminate all such reports in the new systems.
(v) Review internal controls - A detailed investigation of the present information system is not
complete until internal controls are reviewed. Locating the control points helps the analyst to
visualize the essential parts and framework of a system. An examination of internal controls
may indicate weaknesses that should be removed in the new system. The adoption of
advanced methods, procedures and equipment might allow much greater control over the
data.

b.
Based on the functional area of XYZ Co., design a template of report to show summary of the
production, sales and inventory information of the Edible Oil products produced by the company.
A sample template can be as shown below (the answer need not be exactly similar to this but
should show relevant information)
ABC Company Ltd.
Address 1, Address 2, City, Country


Production, Sales and Inventory Summary Report

Date:
Report of Month:

All quantity in thousands of jars.


SN  Item   Qty. Produced  Previous Stock  This Month's Sale  Closing Stock  Remarks
1   Oil 1  100            40              120                20
2   Oil 2  200            50              190                60
3   Oil 3  150            80              200                30
4   Oil 4  90             100             180                10
5   Oil 5  30             200             230                0              Zero stock
6   Oil 5  280            30              300                10

Note:
1 Check sales report for detailed sales record.
2 Check inventory report for detailed inventory record including batches, dates and age.

Question No 62
What are the Information Systems classified by the specific organizational functions they serve?
Briefly describe each of the functional information systems. (December 2018)(8 Marks)
Answer No 62
Information systems can be classified by the specific organizational function they serve as well as
by organizational level. The following are the typical information systems that support each of the
major business functions and provide examples of functional applications for each organizational
level.
i) Sales and marketing information system
The sales and marketing function is responsible for selling the organization's products or services.
Marketing is concerned with identifying the customers for the firm's products or services,
determining what customers need or want, planning and developing products and services to meet
their needs, and advertising and promoting these products and services. Sales are concerned with
contacting customers, selling the products and services, taking orders, and following up on sales.
Sales and marketing information systems support these activities.
At the strategic level, sales and marketing systems monitor trends affecting new products and sales
opportunities, support planning for new products and services, and monitor the performance of
competitors. At the management level, sales and marketing systems support market research,
advertising and promotional campaigns and pricing decisions. They analyze sales and marketing
systems, assist in locating and contacting prospective customers, tracking sales, processing orders,
and providing customer service support.

ii) Manufacturing and production systems


The manufacturing and production function is responsible for actually producing the firm's goods
and services. Manufacturing and production systems deal with the planning, development, and
maintenance of production facilities; the establishment of production goals; the acquisition,
storage, and availability of production materials; and the scheduling of equipment, facilities,
materials, and labor required to fashion finished products. Manufacturing and production
information systems support these activities. Information systems can guide the actions of
machines and equipment to help pharmaceutical and other types of firms monitor and control the
manufacturing process.
Strategic-level manufacturing systems deal with the firm's long-term manufacturing goals, such as
where to locate new plants or whether to invest in new manufacturing technology. At the
management level, manufacturing and production systems analyze and monitor manufacturing and
production costs and resources. Operational manufacturing and production systems deal with the
status of production tasks.
Most manufacturing and production systems use some sort of inventory system. Data about each item in
inventory, such as the number of units depleted because of a shipment or purchase or the number
of units replenished by reordering or returns, are either scanned or keyed into the system. The
inventory master file contains basic data about each item, including the unique identification code
for each item, a description of the item, the number of units on hand, the number of units on order,
and the reorder point (the number of units in inventory that triggers a decision to reorder to
prevent a stockout). Companies can estimate the number of items to reorder or they can use a
formula for calculating the least expensive quantity to reorder called the economic order quantity.
The system produces reports that give information about such things as the number of each item
available in inventory, the number of units of each item to reorder, or items in inventory that must
be replenished.
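
The master-file processing described above, as an added example that is not part of the suggested answer: transactions are posted against the inventory master file, items at or below their reorder point are reported, and the reorder quantity uses the standard economic order quantity formula sqrt(2DS/H), which the answer names but does not state. Item codes, field names and all figures are constructed sample values, and counting units on order toward the reorder check is an assumption made here to avoid ordering twice.

```python
import math

def build_sample_master():
    """Inventory master file keyed by item code (constructed sample data)."""
    return {
        "OIL-1L": {"description": "Edible oil, 1 litre jar", "on_hand": 500,
                   "on_order": 0, "reorder_point": 200, "annual_demand": 10000,
                   "order_cost": 50.0, "holding_cost": 2.0},
        "OIL-5L": {"description": "Edible oil, 5 litre jar", "on_hand": 300,
                   "on_order": 0, "reorder_point": 100, "annual_demand": 3600,
                   "order_cost": 100.0, "holding_cost": 2.0},
    }

# (item_code, kind, quantity) as scanned or keyed in; constructed sample data.
SAMPLE_TRANSACTIONS = [
    ("OIL-1L", "shipment", 350),
    ("OIL-5L", "shipment", 120),
    ("OIL-5L", "return", 20),
    ("OIL-9L", "shipment", 10),    # item code not in the master file
    ("OIL-5L", "shipment", 900),   # more than the units on hand
]

REPLENISHING = {"receipt", "return"}

def economic_order_quantity(rec):
    """EOQ = sqrt(2 * D * S / H), rounded up to whole units.

    D = annual demand, S = cost of placing one order,
    H = cost of holding one unit for a year.
    """
    return math.ceil(math.sqrt(
        2 * rec["annual_demand"] * rec["order_cost"] / rec["holding_cost"]))

def post_transactions(master, transactions):
    """Update the master file in place and return the rejected transactions.

    Input controls: unknown item codes, non-positive quantities, unknown
    transaction kinds and shipments larger than the stock on hand are
    rejected, so the units-on-hand figure can never go negative.
    """
    rejected = []
    for code, kind, qty in transactions:
        rec = master.get(code)
        if rec is None:
            rejected.append((code, kind, qty, "unknown item code"))
        elif not isinstance(qty, int) or qty <= 0:
            rejected.append((code, kind, qty, "quantity must be a positive integer"))
        elif kind == "shipment":
            if qty > rec["on_hand"]:
                rejected.append((code, kind, qty, "shipment exceeds units on hand"))
            else:
                rec["on_hand"] -= qty
        elif kind in REPLENISHING:
            rec["on_hand"] += qty
            if kind == "receipt":
                # A delivery from the supplier also clears units on order.
                rec["on_order"] = max(0, rec["on_order"] - qty)
        else:
            rejected.append((code, kind, qty, "unknown transaction kind"))
    return rejected

def reorder_report(master):
    """List (item_code, units_on_hand, quantity_to_reorder) for items whose
    stock on hand plus stock on order is at or below the reorder point."""
    report = []
    for code in sorted(master):
        rec = master[code]
        if rec["on_hand"] + rec["on_order"] <= rec["reorder_point"]:
            report.append((code, rec["on_hand"], economic_order_quantity(rec)))
    return report

if __name__ == "__main__":
    master = build_sample_master()
    for code, kind, qty, reason in post_transactions(master, SAMPLE_TRANSACTIONS):
        print(f"REJECTED {code} {kind} {qty}: {reason}")
    for code, on_hand, qty in reorder_report(master):
        print(f"REORDER  {code}: {on_hand} on hand, order {qty} units")
```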
Product life cycle management (PLM) systems are one type of manufacturing and production
system that has become increasingly valuable in the automotive, aerospace, and consumer
products industries. PLM systems are based on a data repository that organizes every piece of
information that goes into making a particular product, such as formula cards, packaging
information, shipping specifications, and patent data. Once all these data are available, companies
can select and combine the data they need to serve specific functions. The software enables users to
create a digital model of a part, a product, or a structure and make changes to the design on the
computer without having to build physical prototypes.

iii) Finance and accounting information systems


The finance function is responsible for managing the firm's financial assets, such as cash, stocks,
bonds, and other investments, to maximize the return on these financial assets. The finance
function is also in charge of managing the capitalization of the firm (finding new financial assets
in stocks, bonds, or other forms of debt). To determine whether the firm is getting the best return
on its investments, the finance function must obtain a considerable amount of information from
sources external to the firm.
The accounting function is responsible for maintaining and managing the firm's financial records
(receipts, disbursements, depreciation, and payroll) to account for the flow of funds in a firm.
Strategic level systems for the finance and accounting function establish long-term investment
goals for the firm and provide long-range forecasts of the firm's financial performance. At the
management level, information systems help managers oversee and control the firm's financial
resources. Operational systems in finance and accounting keep track of a firm's finances through
transactions such as paychecks, payments to vendors, securities reports, and receipts.

iv) Human Resources Information Systems


The human resources function is responsible for attracting, developing, and maintaining the firm's
workforce. Human resources information systems support activities, such as identifying potential
employees, maintaining complete records on existing employees, and creating programs to
develop employees' talents and skills. Human resources information systems reduce
administrative costs, provide faster service to employees, and help firms manage their workforce.

Question No 63
What do you mean by a Transaction Processing System (TPS)? Explain important features of a
TPS. (December 2018)(7 Marks)
Answer No 63
Transaction Processing System (TPS): TPS at the lowest level of management is an information
system that manipulates data from business transactions. Any business activity such as sales,
purchase, production, delivery, payments or receipts involves transactions and these transactions
are to be organized and manipulated to generate various information products for external use.
Transaction processing system records and manipulates transaction data into usable information.
Some of the important features of a TPS are given as follows:
1. Large volume of data: As TPS is transaction–oriented, it generally consists of large volumes
of data and thus, requires greater storage capacity. Their major concern is to ensure that the
data regarding the transaction in the organizations are captured quickly and correctly.
2. Automation of basic operations: Any TPS aims at automating the basic operations of a
business enterprise and plays a critical role in the day-to-day functioning of the enterprise.
Any failure in the TPS for a short period of time can cause havoc in the functioning of the
enterprise. Thus, TPS is an important source of up-to-date information regarding the
operations in the enterprise.


3. Benefits are easily measurable: TPS reduces the workload of the people associated with the
operations and improves their efficiency by automating some of the operations. Most of these
benefits of the TPS are tangible and easily measurable. Therefore, cost benefit analysis
regarding the desirability of TPS is easy to conduct. As the benefits from TPS are mainly
tangible, the user acceptance is easy to obtain.
4. Source of input for other systems: TPS is the basic source of internal information for other
information systems. Heavy reliance by other information systems on TPS for this purpose
makes TPS important for tactical and strategic decisions as well.

Question No 64
Assume you are working as IT officer for a reputed college. You have been assigned to prepare
detailed project plan including acquisition, implementation and maintenance of an automated
student management system. Answer the following questions in this context.
a) Present a strong case to college management to move from current traditional system to the
new system by highlighting major aspects of cost-benefit analysis.
b) What are the major external systems that your new system needs to interact to enable
electronic payment for the students' dues to the college?
c) Present your detailed plan to ensure high availability and disaster recovery of the new system.
(June 2018)(20 Marks)
Answer No 64
A reputed college needs to manage a lot of students and their transactions with the college. A
manual or traditional paper-based system poses a lot of challenges in efficient handling of the
student activities, academic transactions, admissions etc. As the number of students rises, the
challenge level also increases accordingly. The following are the major points that make the
transition to computer-based system necessary:
• College education depends upon the attraction of students towards the college facilities and
services. That includes the efficient processing of the student data, student services and
transactions. To make those transactions and student management efficient, a computer based
system is mandatory.
• A computer based system is also good for college management as the system can generate real-
time reports, performance statistics, information about the student activities, financial
transactions etc.
• The transactions become more transparent and easier to control with a computer based system.
• Since the computer based system is more efficient, the same task can be managed by a much
smaller number of dedicated staff.
• Because of the increase in efficiency, transparency and cost saving in terms of reduced
manpower and operational cost, the benefits of the computer-based student management
system far outweigh the cost.


a) To enable electronic payment for the students' dues to college, the student management
system shall have to interact with the following external systems:
• The public website of the college to push notices, fees, payment modes etc. This is not
directly related to financial management but is related to the flow of information related to the
financial transactions.
• The online payment system of a bank or similar financial service provider that can carry out
financial transactions (such as taking in payment from students) for the college.
• The clearing house (if there is such in the market) to clear payment cheques issued by
colleges for student services such as scholarships and other payments. This is also needed to
make payment for different student activities, events and programs organized by the college.
• Communication media such as SMS and email systems to send notifications to students or
guardians about the transactions, dues etc.

b) My detailed plan for ensuring high availability and disaster recovery of the system includes
the following activities and arrangements:
• Use of two servers for the purpose, one in active operation and one with identical
configuration acting as standby.
• An external system component (load balancer or switch) to automatically transfer regular load
to the standby machine if the active machine has a problem.
• Regular backup of data and configurations in online (hard disks or storage devices) and
offline (tape drives or CDs) mode to recover data in case of data corruption or problem in
both servers.
• Network redundancy for public access. Internet connectivity shall be taken from at least two
different service providers.
• One replica of the student management system shall also be maintained in the local or
international cloud based datacenters. Such backup shall keep regular operational data and
application without long time archiving to conserve space and save operational cost.
• Dedicated system administration staff for 24 hours. For this, 3 shifts of work shall be arranged
with additional shifts for morning and night time in addition to the regular working hours.
• A detailed and step-by-step data and service recovery plan shall be prepared and approved by
college administration. This plan shall be tested with regular drill activities so that when
actual disaster happens, the team has proper understanding and experience of the activities to
be done and processes to be followed.
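
One way to make the backup and drill items of this plan checkable, as an added example that is not part of the suggested answer: each backup run writes a SHA-256 manifest, and the recovery drill restores the copy and compares every file against it, so corrupted or missing files are found during the drill and not in a real disaster. The directory layout, file names and function names are assumptions, and the student records are constructed sample data.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST = "manifest.json"   # assumed name for the hash list kept with each backup

def sha256_file(path):
    """Hash a file in chunks so large database dumps do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def take_backup(source_dir, backup_dir):
    """Copy source_dir to backup_dir/data and record the hash of every source file."""
    source_dir, backup_dir = Path(source_dir), Path(backup_dir)
    shutil.copytree(source_dir, backup_dir / "data")
    manifest = {
        p.relative_to(source_dir).as_posix(): sha256_file(p)
        for p in sorted(source_dir.rglob("*")) if p.is_file()
    }
    (backup_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest

def restore_drill(backup_dir, restore_dir):
    """Restore the backup into a fresh directory and verify it against the manifest.

    Returns the findings of the drill: files that are missing, files whose
    content no longer matches the recorded hash, and files that were not
    part of the original backup.
    """
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    manifest = json.loads((backup_dir / MANIFEST).read_text())
    shutil.copytree(backup_dir / "data", restore_dir)
    restored = {p.relative_to(restore_dir).as_posix()
                for p in restore_dir.rglob("*") if p.is_file()}
    findings = {"missing": [], "corrupt": [],
                "unexpected": sorted(restored - set(manifest))}
    for rel, expected in sorted(manifest.items()):
        if rel not in restored:
            findings["missing"].append(rel)
        elif sha256_file(restore_dir / rel) != expected:
            findings["corrupt"].append(rel)
    findings["passed"] = not (findings["missing"] or findings["corrupt"]
                              or findings["unexpected"])
    return findings

def run_demo():
    """Run one clean drill and one drill against a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "fees").mkdir(parents=True)
        # Constructed sample data standing in for the student management system.
        (live / "students.csv").write_text("id,name\n1,Constructed Student\n")
        (live / "fees" / "2019.csv").write_text("id,due\n1,5000\n")
        (live / "config.ini").write_text("[app]\nmode=production\n")

        backup = tmp / "backup"
        take_backup(live, backup)
        clean = restore_drill(backup, tmp / "restore1")

        # Simulate media damage after the backup was taken.
        (backup / "data" / "fees" / "2019.csv").write_text("id,due\n1,0\n")
        (backup / "data" / "config.ini").unlink()
        damaged = restore_drill(backup, tmp / "restore2")
        return clean, damaged

if __name__ == "__main__":
    for label, result in zip(("clean backup", "damaged backup"), run_demo()):
        print(label, json.dumps(result))
```

A manifest stored beside the backup catches accidental damage only; keeping a second copy of the manifest with the offline backup lets the drill also catch changes made by someone with write access to the backup store.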

Question No 65
Discuss supply chain management system in detail. Why do businesses need this system?
(June 2018)(8 Marks)


Answer No 65
Supply chain management is the close linkage and coordination of activities in buying, making, and
moving a product. It integrates supplier, manufacturer, distributor, and customer logistics processes
to reduce time, redundant effort, and inventory cost. The supply chain is a network of organizations
and business processes for procuring materials, transforming raw materials into intermediate and
finished products, and distributing the finished products to customers. It links suppliers,
manufacturing plants, distribution centers, conveyances, retail outlets, people and information
through processes such as procurement, inventory control, distribution, and delivery to supply
goods and services from source through consumption. Supply chain also includes reverse logistics
in which returned items flow in the reverse direction from buyer back to the seller.
The manufacturer also manages internal supply chain process for transforming the materials,
components, and services furnished by suppliers into finished goods and for merging materials and
inventory.
Information systems make supply chain management more efficient by helping companies
coordinate, schedule, and control procurement, production, inventory management, and delivery
of products and services. Supply chain management systems can be operated using intranets,
extranets, and special supply chain management software.
Inaccurate or untimely information in the supply chain causes inefficiencies such as parts
shortages, underutilized plant capacity, excessive finished goods inventory, or runaway
transportation costs. One recurring problem in supply chain management is the bullwhip effect, in
which information about the demand for a product gets distorted as it passes from one entity to
the next across the supply chain. Supply chain management uses systems for supply chain planning
(SCP) and supply chain execution (SCE). Supply chain planning systems enable the firm to
generate demand forecasts for a product and to develop sourcing and manufacturing plans for that
product. Supply chain execution systems manage the flow of products through distribution centers
and warehouses to ensure that products are delivered to the right locations in the most efficient
manner.
Second Part: Information systems for supply chain management can help participants in the
supply chain in the following activities:
• Decide when and what to produce, store, and move
• Rapidly communicate orders
• Track the status of orders
• Check inventory availability and monitor inventory levels
• Reduce inventory, transportation, and warehousing costs
• Track shipments
• Plan production based on actual customer demand
• Rapidly communicate changes in product design


Question No 66
What is the significance of artificial intelligence in expert support system? What are the effects of
change in technology on business IT environment? (June 2018)(7 Marks)

Answer No 66
Artificial intelligence is a sophisticated computer based cognitive system that uses complex and
human-like intelligent logic to process data and draw structured and unstructured conclusions.
Modern systems such as self-driving vehicles, computer-based cognitive games such as chess,
intelligent package routing in warehouses and delivery channels etc. use artificial intelligence.
These systems try to mimic the logical reasoning and judgement processes to process complex data
sets such as marketing, consumer data, weather data, scientific research data etc. Expert support
systems are designed to help decision makers make structured and unstructured decisions based
on data and information from internal and external sources. Since such information is not only
based on pre-defined processing of specific data but also expert reasoning and analysis based on the
data as well as other factors such as the context, environment and other processes, artificial
intelligence has a significant scope in processing the information and arriving at logical
conclusions or recommendations.
The effect of change in technology on business IT environment can be outlined as follows:
• Need to change the system to be up to date with new technology.
• Changes in business processes to adopt and adapt to the new technologies.
• For example, a traditional HR management system may need change to handle new, biometric
based attendance system or a financial accounting system may need to be customized to
support electronic payment mechanism.
• Change in technology also creates need for HR management challenges such as re-training,
recruitment, support contracts etc.

Question No 67
Describe the main pre-requisites of a Management Information System, which make it an
effective tool. Explain the major constraints in operating it. (June 2019)(8 Marks)
Answer No 67
Pre-requisites of an MIS: The following are pre-requisites of an effective MIS:
(i) Database: It is a super file which consolidates data records formerly stored in many
data files. The data in database is organized in such a way that access to the data is
improved and redundancy is reduced. Normally, the database is subdivided into major
information sub-sets needed to run. The database should be user-oriented, capable of
being used as a common data source, available to authorized persons only and should
be controlled by a separate authority such as DBMS. Such a database is capable of
meeting information requirements of its executives, which is necessary for planning,
organizing and controlling the operations of the business.


(ii) Qualified System and Management Staff: MIS should be manned by qualified officers.
These officers who are experts in the field should understand clearly the views of their
fellow officers. The organizational management base should comprise of two categories
of officers (i) System and Computer experts and (ii) Management experts. Management
experts should clearly understand the concepts and operations of a computer. Their
whole hearted support and cooperation will help in making MIS an effective one.
(iii) Support of Top Management: An MIS becomes effective only if it receives the full
support of top management. To gain the support of top management, the officer should
place before them all the supporting facts and state clearly the benefits which will
accrue from it to the concerned. This step will certainly enlighten the management and
will change their attitude towards MIS.
(iv) Control and Maintenance of MIS: Control of the MIS means the operation of the
system as it was designed to operate. Sometimes users develop their own procedures or
shortcut methods to use the system, which reduces its effectiveness. To check such
habits of users, the management at each level in the organization should devise checks
for the information system control.
Maintenance is closely related to control. There are times when the need for
improvements to the system will be discovered. Formal methods for changing and
documenting changes must be provided.
(v) Evaluation of MIS: An effective MIS should be capable of meeting the information
requirements of its executives in future as well. The capability can be maintained by
evaluating the MIS and taking appropriate timely action. The evaluation of MIS should
take into account the following points:
• Examining the flexibility to cope with future requirements;
• Ascertaining the view of the users and designers about the capabilities and
deficiencies of the system; and
• Guiding the appropriate authority about the steps to be taken to maintain
effectiveness of MIS.
Constraints in operating MIS:
Major constraints which come in the way of operating an information system are:
• Non-availability of experts, who can diagnose the objectives of the organization and
provide a desired direction for installing a system.
• Experts usually face the problem of selecting the sub-system of MIS to be installed and
operated upon.
• Due to varied objectives of business concerns, the approach adopted by experts for
designing and implementing MIS is a non-standardized one.
• Non-availability of cooperation from staff in fact is a crucial problem. It should be
handled tactfully. Educating the staff by organizing lectures, showing films, training on
system and utility of the system may solve this problem.
• There is high turnover of experts in MIS. Turnover in fact arises due to several factors
like pay, promotion chances, future prospects, behavior of top ranking managers etc.
• Difficulty in quantifying the benefits of MIS, so that it is easily comparable with cost.

Question No 68
Explain Executive Information System (EIS). What purpose does it serve and what are the
characteristics of Executive Information System? (June 2019)(7 Marks)
Answer No 68
An Executive Information System (EIS), sometimes referred to as an Executive Support System
(ESS), is a DSS that is designed to meet the special needs of top-level managers. Some people use
the terms "EIS" and "ESS" interchangeably, but others do not. Any distinction between the two
usually is because Executive Support Systems are likely to incorporate additional capabilities such
as electronic mail. An Executive Information System (EIS) is a tool that provides direct on-line
access to relevant information in a useful and navigable format. The relevant information is timely,
accurate, and actionable information about aspects of a business that are of particular interest to the
senior manager. An EIS is easy to navigate so that managers can identify broad strategic issues, and
then explore the information to find the root causes of those issues.
EIS serves the following major purposes:
• The primary purpose of an Executive Information System is to support managerial
learning about an organization, its work processes, and its interaction with the external
environment.
• A secondary purpose is to allow timely access to information so that based on the
answers to questions, strategic decisions could be taken by a manager in time.
• It directs the attention of the management to specific areas of the organization or
specific business problems. It makes managers and subordinates work together to
determine the root causes of issues highlighted by EIS.

Major characteristics of an Executive Information System (EIS) are given as follows:

• EIS is a computer-based information system that serves the information need of top
executives.
• EIS enables users to extract summary data and model complex problems without the
need to learn query languages, statistical formulae or high computing skills.
• EIS provides rapid access for timely information and direct access to the management
reports.
• EIS is capable of accessing both internal and external data.
• EIS provides extensive online analysis tools like trend analysis, market conditions etc.
• EIS can easily be given a DSS support for decision making.

Question No 69
Assume an IT consultant company is working on a MIS for a commercial bank. Explain why it is
important for the two organizations to enter into a non-disclosure agreement. Explain the
importance of copyright protection in the software industry. (June 2019)(7 Marks)
Answer No 69
A commercial bank is a business entity in a highly competitive sector. Similarly IT consultancy and
software development are also very competitive sectors. Because of the tough competition and need
to do well to survive, the companies do their utmost to make sure their business secrets, strategies,
software source codes, system access privileges etc are protected and do not get leaked to the
people who should not have them. In the modern digital age, the data and information are the
biggest asset. A single page of information can divulge critical business strategy or an important
system design. Such breach of confidentiality can be extremely harmful to the organization and its
business prospects. Though there are many ways such information can be released, it is normally
assumed that the internal staff members do not release them. At least they may have sworn to
protect that. However, the scenario is tricky when two separate entities work on a common project
such as MIS deployment. This involves close collaboration and sharing of the important assets such
as system access, design topologies, personnel and privilege information etc. To make sure that
this critical information of one entity is not compromised by the other, it is customary to sign a
non-disclosure agreement (NDA) between the two. This creates a legal obligation for each entity to
safeguard the information and data of the other. In case of any breach, the NDA also gives a strong
legal case for the entity whose data is breached.
The copyright protection scheme is designed to promote innovation and to reward and acknowledge the
innovators. The new products, services, tools etc. developed or created by an innovator find good
use among a lot of people, but at the same time the innovation can be copied by some rogue person
and promoted as his or her own. In such a case, the original creator of the product does not get due
credit, both material and immaterial. This discourages true innovators from working further on
such creative projects. As a result, the pace of innovation, creation and ideation slows down leading
to the disadvantage for all. To make sure this does not happen, the innovators, creators, artists,
designers etc need to get both financial and non-financial credit for their creation. This is ensured
by the copyright regime which protects the original creator against unlawful copying, distribution
and monetization of the products or services without the consent of the original creator. Such
copyright protects the innovators, ensures benefits (if applicable) for them in terms of direct sales
or shares, and above all, makes sure that the name of the creator is associated with the creation.
This protects the intellectual property, discourages illegal copying and encourages innovation.
Hence, copyright protection regime is of great importance in all modern industry including IT
industry. It is even more relevant in computer and IT industry because in this field there are many
means and mechanisms by which the intellectual property can be stolen and breached.

Chapter 3: Information Technology Strategy and Trends

Question No 1
Write short notes on:
a) Strategic Decision Making (June 2007)(5 Marks)
The strategic level of management is concerned with the development of organizational mission,
objectives and strategies. Decisions made at this level of the organization to handle problems
critical to the survival and success of the organization are called strategic decisions. They have vital
impact on the direction and functioning of the organization – decision of plant location, functioning
of the organization, adoption of new technology, acquisition of outside enterprises, etc. Significant
amount of analysis and judgment go into making strategic decisions. This is comparable to
non-programmed decisions. They are made under conditions of partial knowledge or lack of information.

b) Data Dictionary (December 2007)(5 Marks) (June 2008)(4 Marks) (December 2009)(5 Marks) (December 2004)(5 Marks)
A data dictionary is a database file that contains the name, type, range of values, source, and
authorization for access for each data element in a database. It also indicates which
application programs use that data so that when a data structure is contemplated, a list of
affected programs can be generated. The data dictionary may be a stand-alone information
system used for management or documentation purposes, or it may control the operation of a
database.
This information may include:
i. Codes describing the data item's length, data type and range.
ii. Identification of the source documents used to create the data item.
iii. Names of the computer files that store the data item.
iv. Names of the computer programs that modify the data item.
v. The identity of the computer programs or individuals permitted to access the data item for the
purpose of file maintenance, upkeep or inquiry.
vi. The identity of the computer programs or individuals not permitted to access the data item.

A data dictionary is a computer file that contains descriptive information about the data items in
the files of a business information system. Thus, a data dictionary is a computer file about data.
Each computer record of a data dictionary contains information about a single data item used in a
business information system. This information may include:

1. Codes describing the data item's length (in characters), data type (alphabetic, numeric,
alphanumeric, etc) and range (e.g. values from 1 to 99 for a department code)
2. The identity of the source document(s) used to create the data item.
3. The names of the computer files that store the data item.
4. The names of the computer programs that modify the data item.
5. The identity of the computer programs or individuals permitted to access the data item for the
purpose of file maintenance, upkeep, or inquiry.
6. The identity of the computer programs or individuals not permitted to access the data item.

As new data fields are added to the record structure of a business file (e.g., adding a 'reorder
quantity' field to the inventory record), information about each new data item is used to create a
new computer record in the data dictionary. Similarly, when new computer programs are created
that access data items in existing files, the data dictionary is updated to indicate the data items
these new programs access. Finally, when data fields are deleted from the structure of file records,
their corresponding records in the data dictionary are dropped.
Data dictionaries have a variety of uses. One is as a documentation aid to programmers and system
analysts, who study, correct, or enhance either the database or the computer programs that access
it. A data dictionary is also useful for file security – i.e., to prohibit certain employees from
gaining access to sensitive payroll data.

Figure: A sample record from a data dictionary

Name of data field           Size in bytes   Type      File in which stored    Source document
Inventory quantity on hand   4               Numeric   Inventory master file   Form number ABC 123

Accountants and auditors can also make good use of a data dictionary. For example, a data
dictionary can help establish an audit trail because it can identify the input sources of data items,
the computer programs that modify particular data items, and the managerial reports on which the
data items are output. When an accountant is participating in the design of a new system, a data
dictionary can also be used to plan the flow of transaction data through the system.
Finally, a data dictionary can serve as an important aid when investigating or documenting internal
control procedures. This is because the details about edit tests, method of file security, and similar
information can be stored in the dictionary.
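
The uses described above (edit tests, file security, impact lists and audit trails) can be shown on a small in-memory data dictionary. This is an added example, not part of the Institute's suggested answer; the inventory record follows the sample figure, while the range, the payroll item and all program, report and user names are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DictionaryEntry:
    """One data-dictionary record: the description of a single data item."""
    name: str
    length: int                             # maximum size in characters
    data_type: str                          # "numeric", "alphabetic", "alphanumeric"
    value_range: Optional[Tuple[int, int]]  # inclusive bounds for numeric items
    source_document: str
    stored_in: List[str]
    modified_by: List[str]                  # programs that change the item
    read_by: List[str]                      # programs that only read it
    reported_on: List[str]                  # managerial reports showing it
    permitted: Set[str] = field(default_factory=set)
    denied: Set[str] = field(default_factory=set)


TYPE_CHECKS = {
    "numeric": lambda s: s.isascii() and s.isdigit(),
    "alphabetic": lambda s: s.isascii() and s.isalpha(),
    "alphanumeric": lambda s: s.isascii() and s.isalnum(),
}


def may_access(entry: DictionaryEntry, principal: str) -> bool:
    """Default deny; a 'not permitted' listing overrides any permit."""
    return principal not in entry.denied and principal in entry.permitted


def edit_test(entry: DictionaryEntry, value: str) -> List[str]:
    """Return the edit-test failures for a candidate value (empty list = valid)."""
    problems = []
    if len(value) > entry.length:
        problems.append("too long")
    if not TYPE_CHECKS[entry.data_type](value):
        problems.append("wrong type")
    elif entry.data_type == "numeric" and entry.value_range is not None:
        low, high = entry.value_range
        if not low <= int(value) <= high:
            problems.append("out of range")
    return problems


def affected_programs(dictionary: Dict[str, DictionaryEntry], item: str) -> List[str]:
    """Programs to review before the structure of a data item is changed."""
    entry = dictionary[item]
    return sorted(set(entry.modified_by) | set(entry.read_by))


def audit_trail(entry: DictionaryEntry) -> Dict[str, List[str]]:
    """Input source, modifying programs and output reports for one data item."""
    return {
        "input": [entry.source_document],
        "modified_by": sorted(entry.modified_by),
        "output": sorted(entry.reported_on),
    }


# Constructed sample dictionary (names below are illustrative assumptions).
DICTIONARY = {
    "Inventory quantity on hand": DictionaryEntry(
        name="Inventory quantity on hand", length=4, data_type="numeric",
        value_range=(0, 9999), source_document="Form number ABC 123",
        stored_in=["Inventory master file"],
        modified_by=["receiving_update", "sales_posting"],
        read_by=["reorder_report"], reported_on=["Stock status report"],
        permitted={"receiving_update", "sales_posting", "reorder_report",
                   "inventory_clerk"},
    ),
    "Employee gross pay": DictionaryEntry(
        name="Employee gross pay", length=7, data_type="numeric",
        value_range=(0, 9999999), source_document="Timesheet",
        stored_in=["Payroll master file"], modified_by=["payroll_run"],
        read_by=["payslip_print"], reported_on=["Payroll register"],
        permitted={"payroll_run", "payslip_print", "payroll_officer",
                   "inventory_clerk"},
        denied={"inventory_clerk"},  # explicit prohibition wins over the permit
    ),
}

if __name__ == "__main__":
    for item, entry in DICTIONARY.items():
        print(item, "-> clerk allowed:", may_access(entry, "inventory_clerk"))
    print(edit_test(DICTIONARY["Inventory quantity on hand"], "12345"))
    print(affected_programs(DICTIONARY, "Inventory quantity on hand"))
```

Unlisted principals are refused, so a program added later gains access only when its dictionary record is updated, which is the point at which the audit trail picks it up.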

c) Snapshot Technique (December 2007)(5 Marks)

This is applied as a system testing tool and also as a concurrent audit tool that examines the way the
transactions are processed by marking and recording selected transactions with a special code. This
also records flow of designated transactions through different logic paths within programs and
helps in program logic verification. An extensive knowledge of the information systems
environment is required for its effective use.

d) Client / Server (June 2008)(4 Marks)


Client / Server (C/S) refers to computing technologies in which the hardware and software
components are distributed across a network. This technology intelligently divides the processing
work between the server and the workstation. The server handles all global tasks while workstation
handles all local tasks. The server sends only those records to the workstation that are needed to
satisfy the information request. Network traffic is significantly reduced. This results in a fast, secure,
reliable, efficient, inexpensive, and easy to use system.

e) Reference or table file (June 2008)(4 Marks)


The business object relationships contain only table references that make up the object. Often parts
of the object definition are linked through relationships to other data in other tables that expand on
some of the information of the data elements of the table. This is very common, linking customer-
id to expanded customer information, part-number to expanded product description, personnel-id
to identify the actual person involved. The tables linked to are not part of the business object; they
merely provide expanded information. These are referred to as reference tables.

There are two distinct cases for reference information. The first case is where the referenced
information is not part of the application. The second case is where the application structure is
divided into multiple streams to archive transactions earlier than master information would be
archived. In this case some of the master information might be designated as a reference for a
subordinate table.

f) RAID (December 2010)(7 Marks)


RAID is an acronym for redundant array of independent disks, also known as redundant array of
inexpensive disks. This is a technology that allows high levels of storage reliability from low-cost
and less reliable PC-class disk-drive components, via the technique of arranging the devices into
arrays for redundancy.

RAID is now used as an umbrella term for computer data storage schemes that can divide and
replicate data among multiple hard disk drives. The different schemes/architectures are named by
the word RAID followed by a number, as in RAID 0, RAID 1, etc. RAID's various designs
involve two key design goals: increase data reliability and/or increase input/output performance.
When multiple physical disks are set up to use RAID technology, they are said to be in a RAID
array. This array distributes data across multiple disks, but the array is seen by the computer user
and operating system as one single disk. RAID can be set up to serve several different purposes.

RAID combines two or more physical hard disks into a single logical unit using special hardware
or software. Hardware solutions are often designed to present themselves to the attached system as
a single hard drive, so that the operating system would be unaware of the technical workings. For
example, if one were to configure a hardware-based RAID-5 volume using three 250 GB hard
drives (two drives for data, and one for parity) the operating system would be presented with a
single 500 GB volume. Software solutions are typically implemented in the operating system and
would present the RAID volume as a single drive to applications running within the operating
system.

There are three key concepts in RAID: mirroring, the writing of identical data to more than one
disk; striping, the splitting of data across more than one disk; and error correction, where
redundant parity data is stored to allow problems to be detected and possibly repaired (known as
fault tolerance). Different RAID schemes use one or more of these techniques, depending on the
system requirements. The purpose of using RAID is to improve reliability and availability of data,
ensuring that important data is not harmed in case of hardware failure, and/or to increase the speed
of file input/output.

Each RAID scheme affects reliability and performance in different ways. Every additional disk
included in an array increases the likelihood that one will fail, but by using error checking and/or
mirroring, the array as a whole can be made more reliable by the ability to survive and recover
from a failure. Basic mirroring can speed up the reading of data, as a system can read different
data from multiple disks at the same time, but it may be slow for writing if the configuration
requires that all disks must confirm that the data is correctly written. Striping, often used for
increasing performance, writes each bit to a different disk, allowing the data to be reconstructed
from multiple disks faster than a single disk could send the same data. Error checking typically
will slow down performance as data needs to be read from multiple places and then compared. The
design of any RAID scheme is often a compromise in one or more respects, and understanding the
requirements of a system is important. Modern disk arrays typically provide the facility to select
an appropriate RAID configuration. There are different levels of RAID which are termed as RAID 0,
RAID 1, RAID 2, RAID 10, etc.
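
How striping and parity let a three-disk array survive one failed disk can be traced in a short simulation. This is an added example, not part of the Institute's suggested answer; it assumes block-level striping with a 4-byte chunk and a parity chunk that rotates across the disks, and all function names are constructed for illustration.

```python
from functools import reduce
from typing import List, Set, Tuple


def xor_blocks(blocks) -> bytes:
    """Byte-wise XOR of equally sized blocks; this is the parity calculation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_position(stripe: int, n_disks: int) -> int:
    """Disk that holds the parity chunk of a given stripe (rotates per stripe)."""
    return (n_disks - 1 - stripe) % n_disks


def write_array(data: bytes, n_disks: int = 3, chunk: int = 4) -> Tuple[List[List[bytes]], int]:
    """Stripe data over n_disks, storing one parity chunk in every stripe."""
    disks: List[List[bytes]] = [[] for _ in range(n_disks)]
    per_stripe = (n_disks - 1) * chunk
    padded = data + b"\x00" * (-len(data) % per_stripe)
    for stripe, offset in enumerate(range(0, len(padded), per_stripe)):
        chunks = [padded[offset + i * chunk: offset + (i + 1) * chunk]
                  for i in range(n_disks - 1)]
        remaining = iter(chunks)
        for disk in range(n_disks):
            if disk == parity_position(stripe, n_disks):
                disks[disk].append(xor_blocks(chunks))
            else:
                disks[disk].append(next(remaining))
    return disks, len(data)


def read_array(disks: List[List[bytes]], length: int) -> bytes:
    """Reassemble the original bytes, skipping the parity chunk of each stripe."""
    out = bytearray()
    for stripe in range(len(disks[0])):
        for disk in range(len(disks)):
            if disk != parity_position(stripe, len(disks)):
                out += disks[disk][stripe]
    return bytes(out[:length])


def rebuild(disks: List[List[bytes]], failed: Set[int]) -> List[List[bytes]]:
    """Return a repaired copy of the array; single parity covers one failure only."""
    if len(failed) > 1:
        raise ValueError("single parity cannot rebuild more than one failed disk")
    repaired = [list(d) for d in disks]
    for lost in failed:
        survivors = [d for i, d in enumerate(disks) if i != lost]
        repaired[lost] = [xor_blocks(stripe) for stripe in zip(*survivors)]
    return repaired


def scrub(disks: List[List[bytes]]) -> List[int]:
    """Stripes whose chunks no longer XOR to zero, i.e. detected corruption."""
    return [s for s, stripe in enumerate(zip(*disks)) if any(xor_blocks(stripe))]


def usable_capacity_gb(n_disks: int, disk_gb: int) -> int:
    """One disk's worth of space goes to parity, as in the 3 x 250 GB case."""
    return (n_disks - 1) * disk_gb


if __name__ == "__main__":
    payload = b"CAP-III inventory master file"    # constructed sample data
    array, size = write_array(payload)
    array[1] = [b"\x00" * 4] * len(array[1])       # simulate losing disk 1
    array = rebuild(array, {1})
    print(read_array(array, size), usable_capacity_gb(3, 250))
```

The scrub step only detects that a stripe is inconsistent; with a single parity chunk it cannot tell which disk holds the bad data, which is why repair relies on knowing which disk failed.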

g) Data Flow Diagram (June 2010)(5 Marks)


A data flow diagram (DFD) graphically describes the flow of data within an organization. It is
used to document existing systems and to plan and design new ones. There is no one ideal way to
develop a DFD: different problems call for different methods.
A DFD is composed of four basic elements: data sources and destinations, data flows,
transformation processes, and data stores. Each is represented on a DFD by one of
the symbols shown in figure 2.

[Figure: System Development Process: data flow diagram showing data source (A), data flows (B), (D) and (I), processes (C) and (F), data store (H), and data destinations (J) and (K)]

These four symbols are combined to show how data are processed. For example, the DFD in
Figure 3 shows that the input to process C is data flow B, which comes from data source A. The
outputs of process C are data flows D and E. Data flow E is sent to data destination J. Process F
uses data flows D and G as input and produces data flows I and G as output. Data flow G comes
from and returns to data store H. Data flow I is sent to data destination K.

h) Sales Force Automation (June 2010)(5 Marks)

Increasingly, computers and networks are providing the basis for sales force automation. In many
companies, the sales force is being outfitted with internet-based notebook computers that connect
them to Web browsers, and sales contact management software that connects them to marketing
websites on the Internet, extranets, and their company intranets. Characteristics of sales force
automation include:
• Increases the personal productivity of salespeople.
• Dramatically speeds up the capture and analysis of sales data from the field to marketing
managers at company headquarters.
• Allows marketing and sales management to improve the delivery of information and the
support they provide to their salespeople.
• Many companies view sales force automation as a way to gain a strategic advantage in sales
productivity and marketing responsiveness.

i) Information System Controls (June 2010)(5 Marks)

Information systems controls are methods and devices that attempt to ensure the accuracy,
validity, and propriety of information system activities. Information System (IS) controls must be
developed to ensure correct data entry, processing, storage, and information output. IS controls
are designed to monitor and maintain the quality and security of the input, processing, output, and
storage activities of any information system.

j) Batch Processing (June 2010)(5 Marks)


Batch Processing is a technique of processing data in which the data to be processed are first
collected in a batch or group and then processed. The batches can be prepared based on volume of
data or interval of time between the successive processing instances. Since data are first collected
and then processed, there is a definite time difference between the occurrence of the data event and
its processing. Hence, this is different from online processing in which data are processed while
they are created or as the transaction/event related to that data occurs. Batch processing is used in
cases where data volume is large but there is no need of live and instantaneous results. Examples
are payroll processing, bill processing (phone, electricity, utilities etc), periodic data reports etc.
On the other hand, the online processing is used when instantaneous results or feedback are
needed such as airlines ticketing, ATM transactions, electronic payments etc.

k) IT strategy planning. (December 2011)(5 Marks)


A plan is a predetermined course of action to be taken in the future. It is a document containing the
details of how the action will be executed, and it is made against a time scale. The goals and the
objectives that a plan is supposed to achieve are the pre-requisites of plan. The setting of the goals
and the objectives is the primary task of the Management without which planning cannot begin.
Planning means taking a deep look into the future and assessing the likely events in the total
business environment and taking a suitable action to meet any eventuality. It further means
generating the courses of actions to meet the most likely eventuality. Planning is a dynamic
process. As the future becomes the present reality, the course of action decided earlier may require
a change. Planning, therefore, calls for a continuous assessment of the predetermined course of
action versus the current requirements of the environment. The essence of planning is to see the
opportunities and the threats in the future and predetermine the course of action to convert the
opportunity into a business gain, and to meet the threat to avoid any business loss.
Planning involves a chain of decisions, one dependent on the other, since it deals with a long term
period. A successful implementation of a plan means the execution of these decisions in a right
manner one after another.
Planning, in terms of future, can be long-range or short-range. Long-range planning is for a period
of five years or more, while short-range planning is for one year at the most. The long-range
planning is more concerned about the business as a whole, and deals with subjects like the growth
and the rate of growth, the direction of business, establishing some position in the business world
by way of a corporate image, a business share and so on. On the other hand, short-range planning
is more concerned with the attainment of the business results of the year. It could also be in terms
of action by certain business tasks, such as launching of a new product, starting a manufacturing
facility, completing the project, achieving intermediate milestones on the way to the attainment of
goals. The goals relate to long-term planning and the objectives relate to the short-term planning.
There is a hierarchy of objectives which together take the company to the attainment of goals. The
plans, therefore, relate to the objectives when they are short-range and to goals when they are the
long-range.
Long-range planning deals with resource selection, its acquisition and allocation. It deals with the
technology and not with the methods or the procedures. It talks about the strategy of achieving the
goals. The right strategy improves the chances of success tremendously. At the same time, a
wrong strategy means a failure in achieving the goals.
Corporate business planning deals with the corporate business goals and objectives. The business
may be a manufacturing or a service; it may deal with the industry or trade; may operate in a
public or a private sector; may be national or international business. Corporate business planning
is a necessity in all cases. Though the corporate business planning deals with a company, its
universe is beyond the company. The corporate business plan considers the world trends in the
business, the industry, the technology, the international markets, the national priorities, the
competitors, the business plans, the corporate strengths and the weaknesses for preparing a
corporate plan. Planning, therefore, is a complex exercise of steering the company through the
complexities, the difficulties, the inhibitions and the uncertainties towards the attainment of goals
and objectives.

l) Electronic fund transfer (December 2011)(5 Marks)


Electronic Funds Transfer (EFT) is a system of transferring money from one bank account directly
to another without any paper money changing hands. One of the most widely-used EFT programs is
Direct Deposit, in which payroll is deposited straight into an employee's bank account, although
EFT refers to any transfer of funds initiated through an electronic terminal, including credit card,
ATM, and point-of-sale (POS) transactions. It is used for both credit transfers, such as payroll
payments, and for debit transfers, such as mortgage payments.
The growing popularity of EFT for online bill payment is paving the way for a paperless universe
where checks, stamps, envelopes, and paper bills are obsolete. The benefits of EFT include
reduced administrative costs, increased efficiency, simplified bookkeeping, and greater security.
However, the number of companies who send and receive bills through the Internet is still
relatively small.

m) Business strategy (June 2014)(5 Marks)


Business strategy is a set of activities and decisions firms make that determine the following:
• Products and services the firm produces
• Industries in which the firm competes
• Competitors, suppliers, and customers of the firm
• Long-term goals of the firm
Strategies often result from a conscious strategic planning process in which nearly all small to
large firms engage at least once a year. This process produces a document called the strategic plan,
and the managers of the firm are given the task of achieving the goals of the strategic plan. But
firms have to adapt these plans to changing environments. Where firms end up is not necessarily
where they planned to be. Nevertheless, strategic plans are useful interim tools for defining what
the firm will do until the business environment changes.

Thinking about strategy usually takes place at three different levels:

• Business. A single firm producing a set of related products and services
• Firm. A collection of businesses that make up a single, multidivisional firm
• Industry. A collection of firms that make up an industrial environment or ecosystem
Information systems and technologies play a crucial role in corporate strategy and strategic
planning at each of these three different levels. Just about any substantial information system—a
supply chain system, customer relationship system, or enterprise management system—can have
strategic implications for a firm. What the firm wants to do in the next five years will be shaped in
large part by what its information systems enable it to do. IT and the ability to use IT effectively
will shape what the firm makes or provides customers, how it makes the product/service, how it
competes with others in its industry, and how it cooperates with other firms and logistic partners.

To understand how IT fits into the strategic thinking process, it is useful to consider the three
levels of business strategy (the business, the firm, and the industry level). At each level of strategy
IT plays an important role.

n) Information system maintenance (June 2014)(5 Marks)


Most information systems require at least some modification after development. The need for
modification arises from a failure to anticipate all requirements during system design and/or from
changing organizational requirements. Hence periodic system maintenance is required for most
Information Systems. Systems maintenance involves adding new data elements, modifying reports,
adding new reports, changing calculations, etc. Maintenance can be categorized in the following
two ways:
1. Scheduled maintenance is anticipated and can be planned for. For example, the
implementation of a new inventory coding scheme can be planned in advance.
2. Rescue maintenance refers to previously undetected malfunctions that were not anticipated
but require immediate solution. A system that is properly developed and tested should have
few occasions of rescue maintenance.


One problem that occurs in systems development and maintenance is that as more and more
systems are developed, a greater portion of systems analyst and programmer time is spent on
maintenance. An information system may remain in an operational and maintenance mode for
several years. The system should be evaluated periodically to ensure that it is operating properly
and is still workable for the organization. When a system becomes obsolete i.e. new opportunities
in terms of new technology are available or it no longer satisfies the organization's needs, the
information system may be replaced by a new one generated from a fresh system development
process.

o) IT strategy planning. (December 2015)(5 Marks)


A plan is a predetermined course of action to be taken in the future. It is a document containing the
details of how the action will be executed, and it is made against a time scale. The goals and the
objectives that a plan is supposed to achieve are the pre-requisites of plan. The setting of the goals
and the objectives is the primary task of the Management without which planning cannot begin.
Planning involves a chain of decisions, one dependent on the other, since it deals with a long term
period. A successful implementation of a plan means the execution of these decisions in a right
manner one after another. Planning, in terms of future, can be long-range or short-range. Long-
range planning is for a period of five years or more, while short-range planning is for one year at
the most. The long-range planning is more concerned about the business as a whole, and deals
with subjects like the growth and the rate of growth, the direction of business, establishing some
position in the business world by way of a corporate image, a business share and so on. On the
other hand, short-range planning is more concerned with the attainment of the business results of
the year. It could also be in terms of action by certain business tasks, such as launching of a new
product, starting a manufacturing facility, completing the project, achieving intermediate
milestones on the way to the attainment of goals. The goals relate to long-term planning and the
objectives relate to the short-term planning. There is a hierarchy of objectives which together take
the company to the attainment of goals. The plans, therefore, relate to the objectives when they are
short-range and to goals when they are the long-range. Long-range planning deals with resource
selection, its acquisition and allocation. It deals with the technology and not with the methods or
the procedures. It talks about the strategy of achieving the goals. The right strategy improves the
chances of success tremendously. At the same time, a wrong strategy means a failure in achieving
the goals. Corporate business planning deals with the corporate business goals and objectives. The
business may be a manufacturing or a service; it may deal with the industry or trade; may operate
in a public or a private sector; may be national or international business. Corporate business
planning is a necessity in all cases. Though the corporate business planning deals with a company,
its universe is beyond the company. The corporate business plan considers the world trends in the
business, the industry, the technology, the international markets, the national priorities, the
competitors, the business plans, the corporate strengths and the weaknesses for preparing a
corporate plan. Planning, therefore, is a complex exercise of steering the company through the
complexities, the difficulties, the inhibitions and the uncertainties towards the attainment of goals
and objectives.

p) High availability (June 2013)(5 Marks)


High availability computing is an approach to implementing a computing platform so that data and
applications remain available during ordinary network and power outages. To achieve this, the
system is replicated into two or more identical installations, probably in different
geographical regions. It also involves redundancy of networks and power systems. Another major
technique is server replication and clustering, within a site or between two distant sites, so that
the system continues to perform, with automatic switchover from one unit to another when the
first node becomes unavailable. Simply put, high availability computing tries to ensure that
services and data remain available in normally disruptive situations such as power outages,
network disconnections or other disasters.
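
The replication and automatic switchover described above can be modelled in a short program. This Python sketch is an added illustration, not part of the suggested answer; the `Node` and `Cluster` classes, the node and site names and the sample records are all constructed for the example.

```python
from dataclasses import dataclass, field


class NodeUnavailable(Exception):
    """A node cannot serve requests (simulated power or network outage)."""


@dataclass
class Node:
    name: str
    site: str
    up: bool = True
    data: dict = field(default_factory=dict)

    def write(self, key, value):
        if not self.up:
            raise NodeUnavailable(self.name)
        self.data[key] = value

    def read(self, key):
        if not self.up:
            raise NodeUnavailable(self.name)
        return self.data[key]


class Cluster:
    """Replicates writes to every node and switches over when the active node fails."""

    def __init__(self, nodes):
        self.nodes = list(nodes)
        self.active = self.nodes[0]
        self.failovers = []                              # audit trail of switchovers
        self.missed = {n.name: {} for n in self.nodes}   # writes a node missed while down

    def _ensure_active(self):
        if self.active.up:
            return
        for candidate in self.nodes:
            if candidate.up:
                self.failovers.append((self.active.name, candidate.name))
                self.active = candidate
                return
        raise NodeUnavailable("no node is available at any site")

    def write(self, key, value):
        self._ensure_active()
        self.active.write(key, value)
        for node in self.nodes:
            if node is self.active:
                continue
            try:
                node.write(key, value)
            except NodeUnavailable:
                self.missed[node.name][key] = value      # replay on recovery

    def read(self, key):
        self._ensure_active()
        return self.active.read(key)

    def recover(self, node):
        """Bring a repaired node back and replay the writes it missed."""
        node.up = True
        node.data.update(self.missed[node.name])
        self.missed[node.name].clear()


def demo():
    primary = Node("node-a", "site-1")
    standby = Node("node-b", "site-2")    # identical installation at a distant site
    cluster = Cluster([primary, standby])
    cluster.write("invoice-1001", "posted")

    primary.up = False                    # constructed outage at site-1
    during_outage = cluster.read("invoice-1001")
    cluster.write("invoice-1002", "posted")

    cluster.recover(primary)
    return {
        "during_outage": during_outage,
        "active": cluster.active.name,
        "failovers": cluster.failovers,
        "primary_in_sync": primary.data == standby.data,
    }


if __name__ == "__main__":
    print(demo())
```

The service keeps answering from the standby during the outage, and the repaired node is only useful again once the writes it missed have been replayed to it.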

Question No 2:
Discuss the impact of client/server technology to the users of mainframe systems.
(December 2003)(10 Marks)
Answer No 2:
Client/server systems have been hailed as bringing tremendous benefits to the new user, especially
the users of mainframe systems. Consequently, many businesses are currently in the process of
changing, or will in the near future change, from mainframe (or PC) to client/server systems.
Client/server technology will have a great impact on mainframe users for the following reasons:
i. People in the field of information systems can use client/server computing to make their jobs
easier.
ii. Reduced total cost of ownership.
iii. Increased productivity.
iv. End user productivity.
v. Developer productivity.
vi. It takes fewer people to maintain a client/server application than a mainframe.
vii. The expenses of hardware and network in the client/server environment are less than those in
the mainframe environment.
viii. Users are more productive today because they have easy access to data and because
applications can be divided among many different users, so efficiency is at its highest.
ix. Client/server applications make organisations more effective by allowing them to port
applications simply and efficiently.
x. Reduced cost of the client's computer.
xi. Reduced cost of purchasing, installing and upgrading software programs and applications on
each client's machine; delivery and maintenance would be from one central point, the server.
xii. The management control over the organisation would be increased.
xiii. It is many times easier to implement client/server than to change a legacy application.
xiv. It leads to new technology and a move to rapid application development, such as object
oriented technology.
xv. Long term cost benefits for development and support.
xvi. It is easy to add new hardware to support new systems.
xvii. Multiple-vendor software tools can be implemented for each application.

Question No 3:
Bring out the advantages of a pre-written/pre-packaged application software.
(December 2003)(10 Marks)
Answer No 3:
Pre-packaged/pre-written application software packages have become increasingly popular for
many business functions, including accounting (payroll and personnel accounting), general ledger,
manufacturing, financial planning and numerous other applications. Many of these packages
consist of several programs and a complete set of documentation tools. Vendors providing these
software packages even impart training on how to use the software to its full potential.
The four important advantages of using pre-written application packages are:
i. Rapid implementation
ii. Low risk
iii. Quality
iv. Cost

Each of these is briefly discussed below:

i. Application packages are readily available to implement after they are purchased. In contrast,
software developed in-house may take months or even years until it is ready for
implementation.
ii. Since the application package is available in the finalised form, the organisation knows what
it is going to get for the price it has paid. With in-house developed software, the long
development time breeds uncertainty with regard to both the quality of the final product and
its final cost.
iii. The firms engaged in application package development are typically specialists in their
product's niche area. Generally they have a lot of experience in their specialised application
field and hence can provide better software.
iv. Software vendors can leverage the cost of developing a product by selling the product to
several other firms, thereby realising a lower cost from each application user. Thus, an
application package generally costs less than an in-house developed package.

Question No 4:
Mention a few characteristics of a client-server technology.
(December 2005)(10 Marks) (June 2004)(10 Marks)
Answer No 4:
There are ten characteristics that reflect the key features of a client/server system. These ten
characteristics are as follows:
1. Client/server architecture consists of a client process and a server process that can be
distinguished from each other.
2. The client portion and the server portions can operate on separate computer platforms.
3. Either the client platform or the server platform can be upgraded without having to upgrade
the other platform.
4. The server is able to service multiple clients concurrently; in some client/server systems,
clients can access multiple servers.
5. The client/server system includes some sort of networking capability.
6. A significant portion of the application logic resides at the client end.
7. Action is usually initiated at the client end, not the server end.
8. A user-friendly graphical user interface (GUI) generally resides at the client end.
9. A structured query language (SQL) capability is characteristic of the majority of client/server
systems.
10. The database server should provide data protection and security.

Question no 5:
What are the security risks associated with personal computers? What are the security measures
exercised to prevent them? (December 2005)(5 Marks)
Answer No 5
Security risks associated with PCs:
i) PCs are likely to be shifted from one location to another or even taken outside the
organization.
ii) Decentralized purchasing of PCs can result in hardware/software incompatibility in the long
run.
iii) Floppies can be very conveniently transported from one place to another, as a result of which
data corruption may occur. Mishandling, improper storage, etc. can also cause damage.
iv) The inherent data security provided is rather poor.
v) There is a chance that application software is not thoroughly tested.
vi) Segregation of duties is not possible, owing to limited number of staff.
vii) The operating staff may not be adequately trained.
viii) Computer viruses can slow down the system, corrupt data and so on.

The security measures that could be exercised are as follows:

i) Physically locking the keyboard or the PC itself must be enforced.
ii) Proper logging of equipment shifting must be done.
iii) The PC purchases must be centrally coordinated and company-wide standards established for
spreadsheets, word-processors, application software, etc.
iv) Floppies must be stored in secured places and their issues duly authorized. They must be
adequately packed before any shipment.
v) Data and programs on hard disks must be secured using hardware/software mechanisms.
Backups must be taken regularly.
vi) Minimum standards must be set for developing, testing and documenting applications.
vii) Properly organized training programs must be periodically conducted. More than one user
should be trained on each application.
viii) Virus prevention and detection software obtained from reliable sources must be used.
Write-protect tabs should be used on diskettes that do not require any alteration. Pirated software
should be strictly avoided.
ix) The PCs and their peripherals must be maintained regularly.
x) While the proliferation of powerful PCs in recent years has its own plus points, the associated
risks must not be ignored. Thus implementing effective controls is of prime importance.

Question No 6:
Describe briefly the four risks involved in the transition from mainframe (or PC) to client/server.
(Old syllabus, December 2011)(7 Marks) (June 2005) (10 Marks)
Answer No 6:
The benefits from client/server are truly praiseworthy but there are also risks involved in the
transition from mainframe (or PC) to client/server. We can classify these risks into four categories:
technological, operational, economic and political.
Technological Risks: The technological risk is quite simple: will the new system work? The
short-term aspect of this question is: will it literally work? But more important is the risk that in
the long run the system may grow obsolete. That it will become obsolete is probably inevitable;
thus the question becomes how soon it will become obsolete. To resolve this issue, the firm and
the IT consultant/division should understand system standards and market trends and use them in
their decision making processes while deciding what system to incorporate into their organization.
Operational Risks: These risks parallel the technological risks in both the short and long run.
Respectively, they are: will you achieve the performance you need from the new technology, and
will the software that you chose be able to grow or adapt to the changing needs of the business?
Once again, sound planning and keeping an eye to the future are the only remedies for these risks.
Economic Risks: In the short run, firms are susceptible to hidden costs associated with the initial
implementation of the new client/server system. Cost will rise in the short term since one needs to
maintain the old system (mainframe) and the new client/server architecture development. In the
long run, the concern centres around the support costs of the new system.
Political Risks: Finally, political (people) risks involved in this transition are addressed. Here, the
short-term question is: will end-users and management be satisfied? The answer to this is
definitely not, if the system is difficult to use or is plagued with problems.
The long run question concerns costs. "Unless the mainframe is completely replaced within the
larger organization, the total cost of transaction processing for the corporation as a whole goes up
when one division creates its own independent system and moves off the mainframe. They may
have reduced their local cost of transaction processing, but they have increased the cost of
processing for divisions remaining on the mainframe, and this creates political problems."

• There are many layers of complexity and compatibility issues between the client and server.
• Capabilities of the software such as security and management tools are not as mature as
mainframe counterparts.
• It takes time to become proficient with these tools.
• Information system departments may balk at giving up control of a centralized computing
environment.
One of the drawbacks of client/server computing is security. Client/server computing did not
originate with the security that is needed for organizations to operate in today's environment. But
as client/server computing grows into the 21st century, its security is definitely improving and
client/server computing is getting significantly closer to its ultimate goal, which is to "allow every
network node to be accessible, as needed by an application and to allow all software components
to work together."

Question No 7:
Define client server technology along with its benefits. (December 2006)(5 Marks)
Answer No 7:
It is a technology where hardware and software are distributed across a network. It has client
processes and server processes that can be distinguished. The client requests a service and the
server responds to the client's request. Generally the number of server processes is far less than
the number of client processes running in the same system.
Benefits
• Jobs are easier.
• Total cost reduction.
• Increased end user and developer productivity.
• Maintenance is easier and requires less man power.
• Management efficiency is increased.
• More scalable.
• Can be designed according to load on the services.

Question No 8:
Chaudhary Group of Industries wants to build a computerized sales forecasting system for Wai Wai
Noodle. The objective of the system is to forecast the sales for the coming year 2010.
a) Which model of system analysis and design will you propose and why?
b) What are other systems which have correlation with sales forecasting system? How are they
correlated?
c) Make a sample output report format for the sales forecast. (December 2009)
(7+7+6=20 Marks)

Answer No 8
The main objective of this type of question is to check the student's analytical ideas and problem
solving techniques. So various types of concepts and designs can be expected from
students. However, for the evaluation the following points should be taken into consideration.
Any one method of system development life cycle with a relevant figure, like the Waterfall model or
Spiral model, can be accepted. But students should clearly specify which method is being used and
the reason for using that particular development process. The task carried out during each step of
the development process should be clearly specified. E.g., here the spiral model of system
development is proposed.

The spiral model is a software development process combining elements of both design and
prototyping-in-stages, in an effort to combine advantages of top-down and bottom-up concepts.
Also known as the spiral lifecycle model (or spiral development), it is a systems development
method (SDM) used in information technology (IT). This model of development combines the
features of the prototyping model and the waterfall model. This involves the continuous process of
system development. As it combines the prototype and waterfall models, most of the activity would
be covered.

Figure: Spiral Model of System Development

a) Other systems which are interconnected with the sales forecasting system for Wai Wai noodles
are as follows:
i) Human Resource Information System.
ii) Accounting and Finance Information System
iii) Procurement and Production Information System
iv) Marketing Information System.

Human Resource Information System:

HRIS is mainly concerned with the recruitment, training, promotion and record keeping of the
office personnel. Personnel effort is one of the major factors for the growth of next year's sales.
From the reverse perspective, if next year's sales increase substantially, the workers are obviously
eligible for incentives according to their effort.

Accounting and Finance Information System:

This is responsible for keeping the record of all monetary transactions related to procurement,
salary, marketing etc. Moreover, the financial information system helps to analyze the investment,
profit and loss related to the sales for the year 2008.

Procurement and Production Information System:

The procurement information system provides information regarding the purchase of the raw
materials needed to meet the required sales target. It also gives information regarding the
delivery of the materials purchased. The production information system, in turn, supplies
information related to the machinery, fuels, worker scheduling etc.

Marketing Information System:

It provides information related to product promotion ideas and the identification of new
customers to meet the required sales target.

Organization Name
Address

Date:
Sales forecast for the year 2010

Choose Country: Nepal

Regions: Sales Volume (in thousand packets)

Month | Eastern | Middle | Western | Mid-Western | Far-Western
January | | | | |
February | | | | |
March | | | | |
April | | | | |
May | | | | |
June | | | | |
July | | | | |
August | | | | |
September | | | | |
October | | | | |
November | | | | |
December | | | | |

Total: Region Wise:

Month Wise:

Total: Country Wise:

Question No 9
Why is data backup necessary? (June 2010)(5 Marks)
Answer No 9
To back up is to create a redundant copy, so that if the original is damaged in any way, it can be
recovered from the backup. The process can be as simple as copying files to diskettes.
The data backup and recovery process is very important in the Information Technology area as it
ensures integrity and security of data in cases of disasters, system outages, data corruption,
security breaches and other threats. Without a good data backup and recovery plan, any data lost
because of system failures such as power, network, hardware etc. cannot be recovered. In the
modern computerized society, all corporate activities and operations are based on computer-based
systems for which data are of main importance. All the transactions related to sales, human
resource, procurement, management, inventory, customer management etc. are computerized and
dependent on large centralized or distributed data centers. If the data in these systems are lost,
corrupted or compromised, the whole operation of the organization can be hampered. If there is a
well-planned data backup and recovery, the system can easily go back to the recent healthy data by
restoring data from backed-up archives. In case there is no data backup and disaster recovery
culture, data once lost and corrupted cannot be recovered.
A disaster recovery plan is also a measure of data recovery. Disaster recovery can be done in
different ways, including data recovery from the archived backups or by having the actual
system installed in more than one location so that if one location has a problem, the services and
system can be operational from the other locations. These additional system locations are properly
called disaster recovery sites. At normal times, these sites can also share the load and in
case of disasters, the operations can be shifted to the working sites. Such distributed installations
are very widely used in all major data centers and other computerized information systems.
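
Going back to "recent healthy data" only works if the archive itself is known to be healthy. The Python sketch below is an added example, not part of the suggested answer: it records a SHA-256 checksum for every file at backup time, verifies the archive against those checksums before restoring, and refuses an archive that fails. The function names, file names and sample records are constructed for the illustration.

```python
import hashlib
import json
import tarfile
import tempfile
import zlib
from pathlib import Path


def _digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def create_backup(source: Path, archive: Path, manifest_path: Path) -> dict:
    """Archive every file under source and record its checksum in a manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(source.rglob("*")):
            if path.is_file():
                name = path.relative_to(source).as_posix()
                manifest[name] = _digest(path.read_bytes())
                tar.add(path, arcname=name)
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(archive: Path, manifest_path: Path) -> list:
    """Return a list of problems; an empty list means the backup is restorable."""
    manifest = json.loads(manifest_path.read_text())
    problems = []
    try:
        with tarfile.open(archive, "r:gz") as tar:
            members = {m.name: m for m in tar.getmembers() if m.isfile()}
            for name, expected in manifest.items():
                if name not in members:
                    problems.append(f"missing: {name}")
                elif _digest(tar.extractfile(members[name]).read()) != expected:
                    problems.append(f"checksum mismatch: {name}")
            for name in sorted(members.keys() - manifest.keys()):
                problems.append(f"unexpected: {name}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"unreadable archive: {exc}")
    return problems


def restore_backup(archive: Path, manifest_path: Path, target: Path) -> list:
    """Restore only after the archive has passed verification."""
    problems = verify_backup(archive, manifest_path)
    if problems:
        raise ValueError("backup failed verification: " + "; ".join(problems))
    target_root = target.resolve()
    restored = []
    with tarfile.open(archive, "r:gz") as tar:
        for name in json.loads(manifest_path.read_text()):
            dest = (target_root / name).resolve()
            if target_root not in dest.parents:   # never write outside the target
                raise ValueError(f"unsafe path in manifest: {name}")
            dest.parent.mkdir(parents=True, exist_ok=True)
            dest.write_bytes(tar.extractfile(name).read())
            restored.append(name)
    return restored


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        live = root / "live"
        (live / "2019").mkdir(parents=True)
        # Constructed sample data standing in for business records.
        (live / "2019" / "sales.csv").write_text("month,packets\nJan,120\n")
        (live / "customers.csv").write_text("id,name\n1,Constructed Customer\n")
        archive, manifest = root / "backup.tar.gz", root / "backup.manifest.json"
        create_backup(live, archive, manifest)

        # Disaster: live data is corrupted and partly lost.
        (live / "2019" / "sales.csv").write_text("\x00garbage")
        (live / "customers.csv").unlink()

        restored = restore_backup(archive, manifest, root / "restored")
        recovered = (root / "restored" / "2019" / "sales.csv").read_text()

        # An archive taken from the damaged data must fail against the good manifest.
        bad_archive = root / "bad.tar.gz"
        create_backup(live, bad_archive, root / "bad.manifest.json")
        problems = verify_backup(bad_archive, manifest)
        try:
            restore_backup(bad_archive, manifest, root / "never")
            refused = False
        except ValueError:
            refused = True
        return {"restored": sorted(restored), "recovered": recovered,
                "problems": sorted(problems), "refused": refused}


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is kept apart from the archive, so that damage to the backup media cannot also alter the checksums it is verified against.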

Question No 10
Explain some of the fault tolerance capabilities used in computer systems and networks.
(December 2011)(5 Marks)
Answer No 10
Fault tolerant computer systems contain redundant hardware, software, and power supply
components that create an environment that provides continuous, uninterrupted service. Fault
tolerant computers contain extra memory chips, processors, and disk storage devices to back up a
system and keep it running to prevent failure. They use special software routines or self-checking
logic built into their circuitry to detect hardware failure and automatically switch to backup
devices. Table 1 outlines some of the fault tolerant capabilities used in many computer systems and
networks.
Layer | Threats | Fault tolerance methods
Applications | Environment, hardware and software faults | Application specific redundancies and rollback to previous check points
Systems | Outages | System isolation, data security, system integrity
Databases | Data errors | Separation of transactions and safe updates, complete transactions histories, backup files
Networks | Transmission error | Reliable controllers, safe asynchrony and handshaking, alternative routing, error detection and error correction codes
Processes | Hardware and software faults | Alternative computations, rollback to checkpoints
Files | Media errors | Replication of critical data on different media and sites, archiving, backup, retrieval
Processors | Hardware faults | Instruction entry, error correcting codes in memory and processing, replication, multiple processors and memories

Question No 11
What are the control techniques ensured to be checked to ensure security for client/ server
technology? (Old syllabus, December 2011)(6 Marks)
Answer No 11
To increase the security of client/server technology, an IS auditor should ensure that the
following control techniques are in place:
• Access to data and applications is secured by disabling the floppy disk drive.
• Diskless workstations prevent unauthorized access.
• Unauthorized users may be prevented from overriding login scripts and access by securing
automatic boot or start up batch files.
• Network monitoring can be done to know about the client so that it will be helpful for later
investigation. Various monitoring devices are used for this purpose. Since this is a detective
control technique, the network administrator must continuously monitor the activities and
maintain the devices, otherwise these tools become useless.
• Data encryption techniques are used to protect data from unauthorized access.
• Authentication systems can be provided to clients so that they can enter the system only by
entering a login name and password.
• Smart cards can be used. They use intelligent hand-held devices and encryption techniques to
decipher random codes provided by the client/server based operating systems.
• Application controls may be used, and users will be limited to accessing only those functions in
the system that are required to perform their duties.
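
Three of the controls listed above (authentication by login name and password, application controls that limit each user to the functions their duties require, and a log kept for later investigation) can be combined on the server side as follows. This Python sketch is an added example, not part of the suggested answer; the roles, function names, password, lockout threshold and PBKDF2 work factor are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import secrets

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value for this example)

# Application control: each role may call only the functions its duties require.
ROLE_FUNCTIONS = {
    "sales_clerk": {"create_invoice", "view_invoice"},
    "accountant": {"view_invoice", "post_ledger"},
}


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Server:
    MAX_FAILURES = 3  # lock the account after this many consecutive failures

    def __init__(self):
        self.users = {}      # login -> (salt, password hash, role)
        self.failures = {}   # login -> consecutive failed logins
        self.sessions = {}   # session token -> login
        self.audit_log = []  # detective control, reviewed by the administrator

    def add_user(self, login, password, role):
        salt = os.urandom(16)
        self.users[login] = (salt, _hash_password(password, salt), role)
        self.failures[login] = 0

    def login(self, login, password):
        record = self.users.get(login)
        salt, stored, _role = record or (b"\x00" * 16, b"", None)
        # Always run the hash so response time does not reveal valid login names.
        matches = hmac.compare_digest(_hash_password(password, salt), stored)
        locked = self.failures.get(login, 0) >= self.MAX_FAILURES
        if record is None or locked or not matches:
            if record is not None:
                self.failures[login] += 1
            self.audit_log.append(("login_denied", login))
            return None
        self.failures[login] = 0
        token = secrets.token_hex(16)
        self.sessions[token] = login
        self.audit_log.append(("login_ok", login))
        return token

    def call(self, token, function):
        """Allow a function only for an authenticated user whose role includes it."""
        login = self.sessions.get(token)
        if login is None:
            self.audit_log.append(("call_denied", "unauthenticated", function))
            return False
        role = self.users[login][2]
        allowed = function in ROLE_FUNCTIONS.get(role, set())
        self.audit_log.append(("call_ok" if allowed else "call_denied", login, function))
        return allowed


def demo():
    server = Server()
    server.add_user("clerk1", "constructed-Passw0rd", "sales_clerk")
    results = {"wrong_password": server.login("clerk1", "guess")}
    token = server.login("clerk1", "constructed-Passw0rd")
    results["own_function"] = server.call(token, "create_invoice")
    results["other_function"] = server.call(token, "post_ledger")
    results["no_session"] = server.call("forged-token", "view_invoice")
    for _ in range(3):
        server.login("clerk1", "guess")
    results["locked_out"] = server.login("clerk1", "constructed-Passw0rd") is None
    results["denials_logged"] = sum(1 for e in server.audit_log if e[0].endswith("denied"))
    return results


if __name__ == "__main__":
    print(demo())
```

Every check runs on the server, so a modified client cannot skip it, and the denial entries in the log are the raw material for the continuous monitoring the answer calls for.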

Question No 12
Why is IT strategy planning important in modern organization? Explain. (December 2017)(7 Marks)
Answer No 12
A plan is a predetermined course of action to be taken in the future. It is a document containing the
details of how the action will be executed, and it is made against a time scale. The goals and the
objectives that a plan is supposed to achieve are the prerequisites of a plan. The setting of the goals
and the objectives is the primary task of the Management without which planning cannot begin.
Planning involves a chain of decisions, one dependent on the other, since it deals with a long term
period. A successful implementation of a plan means the execution of these decisions in a right
manner one after another.

Planning, in terms of future, can be long-range or short-range. Long-range planning is for a period
of five years or more, while short-range planning is for one year at the most. The long-range
planning is more concerned about the business as a whole, and deals with subjects like the growth
and the rate of growth, the direction of business, establishing some position in the business world
by way of a corporate image, a business share and so on. On the other hand, short-range planning
is more concerned with the attainment of the business results of the year. It could also be in terms
of action by certain business tasks, such as launching of a new product, starting a manufacturing
facility, completing the project, achieving intermediate milestones on the way to the attainment of
goals. The goals relate to long-term planning and the objectives relate to the short-term planning.
There is a hierarchy of objectives which together take the company to the attainment of goals. The
plans, therefore, relate to the objectives when they are short-range and to goals when they are the
long-range.

Long-range planning deals with resource selection, its acquisition and allocation. It deals with the
technology and not with the methods or the procedures. It talks about the strategy of achieving the
goals. The right strategy improves the chances of success tremendously. At the same time, a
wrong strategy means a failure in achieving the goals.

Corporate business planning deals with the corporate business goals and objectives. The business
may be a manufacturing or a service; it may deal with the industry or trade; may operate in a
public or a private sector; may be national or international business. Corporate business planning
is a necessity in all cases. Though the corporate business planning deals with a company, its
universe is beyond the company. The corporate business plan considers the world trends in the
business, the industry, the technology, the international markets, the national priorities, the
competitors, the business plans, the corporate strengths and the weaknesses for preparing a
corporate plan. Planning, therefore, is a complex exercise of steering the company through the
complexities, the difficulties, the inhibitions and the uncertainties towards the attainment of goals
and objectives.

Question No 13
Explain how enterprise applications promote business process integration and improve organization
performance and also assess the challenges posed by information systems in the enterprise and
management solutions. (Old Syllabus June 2011)(15 Marks)
Answer No.13
Enterprise applications such as enterprise resource planning systems, supply chain management
systems, customer relationship management systems and knowledge management systems are
designed to support organization wide process co-ordination and integration so that the
organization can operate more efficiently. They span multiple functions and business processes
and may be tied to the business processes of other organizations. Enterprise systems integrate the
key internal business processes of a firm into a single software system so that information can
flow throughout the organization, improving co-ordination, efficiency, and decision making.
Supply chain management systems help the firm manage its relationship with suppliers to
optimize the planning, sourcing, manufacturing, and delivery of products and services. Customer
relationship management uses information systems to co-ordinate all of the business processes
surrounding the firm's interaction with customers to optimize firm revenue and customer
satisfaction. Knowledge management systems enable firms to optimize the creation, sharing,
distribution and application of knowledge to improve business processes and management
decisions.
The array of application systems available to businesses can help businesses achieve higher levels
of productivity and financial worth. Management challenges include the tension between building
systems that serve specific interests in the firm but that can also be integrated to provide
organization wide information, the need for management and employee training to use systems
properly, and the need to establish priorities on which systems most merit corporate attention and
funding. Solutions include inventorying the firm's information systems to establish organization
wide information needs, employee and management training, and establishing a system for
accounting for the costs of information systems and managing demand for them.

Question No 14
What are some of the toughest management challenges in developing IT solutions to solve
business problems and meet business opportunities? (Old Syllabus December 2012)(5 Marks)
Answer No 14:
Developing IT Solutions:
Developing successful information system solutions to business problems is a major challenge for
business managers and professionals today. As a business professional, you will be responsible
for proposing or developing new or improved uses of information systems for your company. As a
business manager, you will also frequently manage the development efforts of information
systems specialists and other business end users.
Most computer-based information systems are conceived, designed, and implemented using some
form of systematic development process.
Several major activities must be accomplished and managed in a complete IS development cycle.
• In the development process, end users and information specialists design information system
applications based on an analysis of the business requirements of an organization.
• Investigating the economic or technical feasibility of a proposed application.
• Acquiring and learning how to use the software required to implement the new system, and
making improvements to maintain the business value of a system.

Challenges of Ethics and IT:
As a prospective managerial end user and knowledge worker in a global society, you should also
become aware of the ethical responsibilities generated by the use of information technology.
A major challenge for our global information society is to manage its information resources to
benefit all members of society while at the same time meeting the strategic goals of organizations
and nations. For example, we must use information systems to find more efficient, profitable and
socially responsible ways of using the world's limited supplies of material, energy, and other
resources.

Challenges of IT Careers:
Information technology and its uses in information systems have created interesting, highly paid,
and challenging career opportunities. Employment opportunities in the field of information
systems are excellent, as organizations continue to expand their use of information technology.
Employment surveys continually forecast shortages of qualified information systems personnel in
a variety of job categories. Job requirements in information systems are continually changing due
to dynamic developments in business and information technology.

Information system investment challenge:
It is obvious that one of the greatest challenges facing managers today is ensuring that their
companies do indeed obtain meaningful returns on the money they spend on the information
system.

The strategic business challenge:
Despite heavy information technology investments, many organizations are not realizing
significant business value from their systems, because they lack or fail to appreciate the
complementary assets required to make their technology assets work. The power of computer
hardware and software has grown much more rapidly than the ability of organizations to apply and
use their technology. To benefit fully from information technology, realize genuine productivity,
and become competitive and effective, many organizations actually need to re-design. They will
have to make fundamental changes in employee and management behavior, develop new business
models, retire obsolete work rules and eliminate the inefficiencies of outmoded business processes
and organizational structures. New technology alone will not produce meaningful business
benefits.

The global challenge:
The rapid growth in international trade and the emergence of a global economy call for
information systems that can support both producing and selling goods in many different
countries. In the past, each regional office of a multinational corporation focused on solving its
own unique information problems. Given language, cultural and political differences among
countries, this focus frequently resulted in chaos and the failure of central management controls.
To develop integrated, multinational information systems, businesses must develop global
hardware, software and communication standards, create cross-cultural and reporting structures,
and design transnational business processes.

Question No 15
Identify and describe the stages of IT infrastructure evolution. (June 2012)(5 Marks)
Answer No 15
There are five stages of IT infrastructure evolution. IT infrastructure in the earliest era consisted
of specialized electronic accounting machines that were primitive computers used for accounting
tasks. IT infrastructure in the mainframe era consists of a mainframe performing centralized
processing that could be networked to thousands of terminals and eventually some decentralized
and departmental computing using networked minicomputers. The personal computer era in IT
infrastructure has been dominated by the widespread use of standalone desktop computers with
office productivity tools. The predominant infrastructure in the client server era consists of
desktop or laptop clients networked to more powerful server computers that handle most of the data
management and processing. The enterprise internet computing era is defined by large numbers of
PCs linked into local area networks and growing use of standards and software to link disparate
networks and devices into an enterprise-wide network so that information can flow freely across
the organization.

Question No 16
What is system quality assurance? What are the various activities of quality assurance? Explain.
(Old Syllabus, June 2012)(8 Marks)
Answer No. 16
We can define software quality assurance as the process of checking whether the product or
service which is being developed is meeting the requirements of the customer or not. An SQA plan
must be prepared beforehand. Quality assurance covers all the aspects influencing the product or
service quality, either individually or collectively. Quality assurance activity in system
development involves the following activities:
• Verification
• Validation
• Testing
• Certification

Verification: The process of evaluating software to determine whether the products of a given
development phase satisfy the conditions imposed at the start of that phase. Verification is
ensuring that the product has been built according to the requirements and design specifications.
Verification ensures that "you built it right".

Validation: The process of evaluating software during or at the end of the development process to
determine whether it satisfies specified requirements. In other words, validation ensures that the
product actually meets the user's needs, and that the specifications were correct in the first place.
Validation ensures that "you built the right thing". Validation confirms that the product, as
provided, will fulfill its intended use.

Testing: System testing represents the ultimate review of specification, design and coding. This
review may be based on the feedback obtained from the users.

Certification: Certification is the confirmation of the correctness of the program. Hence
certification is for providing the authenticity of the system design, that is, whether the system is
according to what was aimed.

Question No 17
Discuss about the factors which influence the deployment of Information Technology.
(December 2013)(5 Marks)
Answer No 17
The factors which affect the efficient deployment of Information Technology can be summarized
as:
• Human behavior: The existing personnel are generally reluctant to the change in the system
and its operation.
• Cost: The cost of deployment may be higher in the initial stage so management may be
unwilling.
• Need of expert manpower: For the efficient deployment of Information Technology there will
be need of the technical manpower which can handle and execute the system. Sometimes such
manpower would not be available.
• Dependency on machine: The use of IT in organization means depending on it for each and
every operation of the organization with the technology. Power failure disrupts overall
operation of the organization.
• Change management: During the stage of transition from the existing system to new IT
system there might be problem deciding which system to operate and how to manage if it
fails. Moreover, migrating existing system and data to the new system is another big
challenge.
• Organizational strategic plan: This is the critical thing which affects the efficient deployment.
If the organization is not clear about the strategic vision, the deployment will not be as
expected.

Question No 18
Mention the Five Moral Dimensions of the Information Age and explain each in brief.
(December 2013)(5 Marks)
Answer No 18
The five moral dimensions are as follows:
• Information rights and obligations. What information rights do individuals and organizations
possess with respect to information about themselves? What can they protect? What
obligations do individuals and organizations have concerning this information?
• Property rights and obligations. How will traditional intellectual property rights be protected
in a digital society in which tracing and accounting for ownership is difficult and ignoring
such property rights is so easy?
• Accountability and control. Who can and will be held accountable and liable for the harm
done to individual and collective information and property rights?
• System quality. What standards of data and system quality should we demand to protect
individual rights and the safety of society?
• Quality of life. What values should be preserved in an information- and knowledge-based
society? Which institutions should we protect from violation? Which cultural values and
practices are supported by the new information technology?

Question No 19
What are the challenges and opportunities associated with the information technology?
(June 2013)(5 Marks)

Answer No 19
Information technology brings lots of opportunities for the modern business from the prospects of
the optimization of resources, communication and decision-making. However, it is not free of
severe challenges during the process of deployment and operations. Some of the challenges that
Information Technology encounters during the process of implementation and operation can be
listed as:
• As a new technology, it needs trained manpower for the operation and
maintenance.
• People expect it as the complete solution and they fully rely on IT as the solution to their
problem. They couldn't think that it is just a tool to make the analysis and it is us human beings
who need to make the decision with its help.
• Unclear government rules and regulations about the legalities and securities of the data and
electronic transactions.
• High investment cost on infrastructures, data migration and trainings.
• Employees' reluctance to migrate from their manual working procedures to the computerized
procedures.

Similarly, the opportunities that Information Technology brings in the modern business can be
listed as:
• It provides the relevant information on click, which helps in overall operation, managerial
activities and strategy formulation of the organization.
• It can reduce the number of working staff.
• Provides the quick means of communications among all the personnel located in different
places.
• Although the initial investment would be higher, operation cost is lower, which
ultimately leads to return on the overall investment.
• Provides easy and quick access to the huge amount of data for future references and analysis.

Question No 20
How does the factor of changes in technology affect IT strategy of a business organization?
Illustrate with an example. (June 2014)(5 Marks)
Answer No 20
Changes in the business process, changes in technology, changes in the market trend all have
significant impact on the different strategies of a business organization. IT strategy is also affected,
even more so since it is the most closely attached to technology. IT strategy mainly involves
planning the deployments of systems and services for the betterment of business processes. If the
strategy is made without rigorous study of the technological and other changes, the system or
service planned can be obsolete or of little use by the time it is deployed and ready for
organizational use. For example, let's assume a financial audit system is planned to integrate with
an existing old accounting platform. All the dimensioning, designing, testing is done with the old
accounting system. However, suddenly the management decides to deploy a new accounting
platform. However, the audit system is not tested with the new system. It might not integrate or
create more delays in testing and customizing again. Hence, overall strategy should consider all
possible aspects of current and future changes in the whole organizational ecosystem in terms of
technologies and trends.

Question No 21
What is client/server? What are benefits of client/server computing? (December 2015)(5 Marks)
Answer No 21
The term server refers to a running program on a networked computer that accepts requests from the
programs running on other computers to perform a service and respond appropriately. The
requesting processes are referred to as clients.

Benefits of client/server computing
• Client/server computing provides easier access to corporate's internal and external data.
• It reduces costs of processing dramatically.
• The maintenance cost of program is low.
• It provides an infrastructure that enables business processes to be reengineered for strategic
benefit.
• It gives control to users of their own applications at their own locations.
• It reduces the operating costs of information system department.

Question No 22
How can you plan Information System strategy with the business strategy of your Organization?
(December 2016)(7 Marks)
Answer No 22
Information system and organization influence one another. Information system is built by
managers to serve the interest of the business organization and at the same time organization should
be open to the influences of information systems to benefit from new technologies.
A business firm has specific strategy plans for specific periods of time to achieve some specific
goals. Information system of the organization is that integrated computerized tool which provides
right information at the right time in a span of a click. Thus the development and deployment of
information should be in line with the strategy of the firm. Information system manager should
understand how it can change the social and work life in the firm. So Information system manager
should have clear idea what type of system is to be built, what it will do and how it will be
implemented.

Moreover Information Systems have the better competitive strategic advantages over other things.
It can have significant impact on cost leadership, product differentiation, innovation, customer
growth and creating virtual alliance with others. Taking due care of these advantages of the IS, it
has to be aligned with the business strategy of the organization so that significant progress can be
achieved.
While planning the information system strategy other things to be considered are the consequences
that might be brought out after the implementation e.g. reduction of human resources, cutting of
other jobs, need of expert manpower and need of new equipment etc.
Points to be considered while planning information system strategy with the business strategy are
thus:
a. Business environment
b. Organizational culture
c. Organizational structure
d. Business process
e. Internal politics
f. Management decision making process

Question No 23
Distinguish between:
a) Intranet and extranet (December 2016)(5 Marks)
An intranet
Permits sharing of information throughout an organization by applying Internet connectivity
standards and Web software (e.g., browsers) to the organization's internal network. An intranet
addresses the connectivity problems faced by organizations that have many types of computers. Its
use is restricted to those within the organization.

An extranet
Consists of the linked intranets of two or more organizations, for example, of a supplier and its
customers. It typically uses the public Internet as transmission medium but requires a password for
access.

b) LAN and WAN (December 2016)(5 Marks)
A local area network (LAN)
Connects devices within a single office or home or among buildings in an office park. The key
aspect here is that a LAN is owned entirely by a single organization.
The LAN is the network familiar to office workers all over the world. In its simplest conception, it
can consist of a few personal computers and other peripherals such as a printer.

A wide area network (WAN)
Consists of connectivity between LANs over widely separated locations. The key aspect here is
that a WAN can be either publicly or privately owned.
One advantage of a WAN is the possibility of spreading the cost of ownership among multiple
organizations.
WANs come in many configurations. In its simplest conception, it can consist of a lone personal
computer using a slow dial-up line to connect to an Internet service provider.

c) Cold site and warm site (December 2016)(5 Marks)
A warm site is a compromise between a cold and hot site, combining features of both.
• Resources are available at the site but may need to be configured to support the production
system.
• Some data may need to be restored.
• Typical recovery time ranges from 2 days to 2 weeks.

A cold site is a shell facility with sufficient electrical power, environmental controls, and
communications lines to permit the organization to install its own newly acquired equipment.
• On an ongoing basis, this solution is much less expensive.
• However, the time to procure replacement equipment can be weeks or months. Also,
emergency procurement from equipment vendors can be very expensive.

d) Structured decision & unstructured decision. (June 2010)(5 Marks)
Structured decisions are made from a given set of inputs, such as deciding to issue a reminder
notice if a bill is overdue or deciding to sell a stock under a given set of market conditions. They are
generally repetitive in nature; therefore they can be fairly easily programmed. However,
unstructured decisions and semi-structured decisions are generally not repetitive in nature. They
involve different inputs and are subjective in nature. Thus, normally they are not programmable and
need human intervention. Decision Support System (DSS) can help in making those decisions.
DSS is an interactive system that provides a user with easy access to decision models and data from
a wide range of sources, to support unstructured and semi-structured decision making tasks
typically for business purpose.

e) Top Down Approach and Bottom Up Approach to System Development (June 2008)(4 Marks)
Top Down Approach to system development assumes a high degree of top management
involvement in the planning process and focuses on organizational goals, objectives and strategies.
The organization goal drives the development of computer system. Using Top Down approach, we
begin by analysing organizational objectives and goals and end by specifying application programs
and modules that need to be developed to support those goals.

Bottom Up approach to system development starts from the identification of life stream systems.
Life stream systems are those systems, which are essential for the day to day business activities.
Development of information system in Bottom Up approach starts after identifying their basic
transactions, information file requirements and information processing programs. After
ascertaining the data / information requirement, file requirements and processing programs for
each life stream system the information system for each is developed.

Question No 24
What do you mean by business strategy and its levels? Explain (June 2016)(20 Marks)
Answer No 24
Business strategy is a set of activities and decisions firms make that determine the following:
• Products and services the firm produces
• Industries in which the firm competes
• Competitors, suppliers, and customers of the firm
• Long-term goals of the firm
Strategies often result from a conscious strategic planning process in which nearly all small to
large firms engage at least once a year. This process produces a document called the strategic plan,
and the managers of the firm are given the task of achieving the goals of the strategic plan. But
firms have to adapt these plans to changing environments. Where firms end up is not necessarily
where they planned to be. Nevertheless, strategic plans are useful interim tools for defining what
the firm will do until the business environment changes.
Thinking about strategy usually takes place at three different levels:
• Business. A single firm producing a set of related products and services
• Firm. A collection of businesses that make up a single, multidivisional firm
• Industry. A collection of firms that make up an industrial environment or ecosystem

Information systems and technologies play a crucial role in corporate strategy and strategic
planning at each of these three different levels. Just about any substantial information system—a
supply chain system, customer relationship system, or enterprise management system—can have
strategic implications for a firm. What the firm wants to do in the next five years will be shaped in
large part by what its information systems enable it to do. IT and the ability to use IT effectively
will shape what the firm makes or provides customers, how it makes the product/service, how it
competes with others in its industry, and how it cooperates with other firms and logistic partners.

Question No 25
Explain the three types of cloud computing service models. What are the key features of PaaS
(Platform as a Service)? (June 2019)(8 Marks)

Answer No 25:
The three types of cloud computing service models are:

Software as a Service (SaaS)
The capability provided to the consumer is to use the provider's applications running on a cloud
infrastructure. The applications are accessible from various client devices through either a thin
client interface, such as a web browser (e.g., web-based email), or a program interface. The
consumer does not manage or control the underlying cloud infrastructure including network,
servers, operating systems, storage, or even individual application capabilities, with the possible
exception of limited user-specific application configuration settings.

Platform as a Service (PaaS)
The capability provided to the consumer is to deploy onto the cloud infrastructure
consumer-created or acquired applications created using programming languages, libraries, services, and
tools supported by the provider. The consumer does not manage or control the underlying cloud
infrastructure including network, servers, operating systems, or storage, but has control over the
deployed applications and possibly configuration settings for the application-hosting
environment.

Infrastructure as a Service (IaaS)
The capability provided to the consumer is to provision processing, storage, networks, and other
fundamental computing resources where the consumer is able to deploy and run arbitrary
software, which can include operating systems and applications. The consumer does not manage
or control the underlying cloud infrastructure but has control over operating systems, storage,
and deployed applications; and possibly limited control of select networking components (e.g.,
host firewalls).

The key features of PaaS are as follows:
• Multi-tenant architecture
• Customizable/Programmable User Interface
• Unlimited Database Customization
• Robust Workflow engine/capabilities
• Granular control over security/sharing (permissions model)
• Flexible "services-enabled" integration model


Chapter 4:

System Development Life Cycle


Question No 1
Write short answer to
a) Prototype modeling (Old syllabus, December 2011)(5 Marks)
This is one of the approaches of software development system. This is used to develop a system
more quickly than the traditional method. The goal of prototyping approach is, initially, to develop
a small or pilot version called a prototype of part or all of a system. This is a usable system or
system component that is built quickly and at a lesser cost with intention of modifying and
replacing it by a full scale and fully operational system. As users work with the prototype, they
make suggestions about the ways to improve it. These suggestions are then incorporated into
another prototype which is also used and evaluated and this process is repeated until a satisfactory
system is developed. Finally, when a prototype is developed that satisfies all user requirements,
either it is refined and turned into the final system or it is scrapped. If it is scrapped, the
knowledge gained from building the earlier prototype is used to develop the real system.
Experimenting with prototype helps users to identify additional requirements and needs that they
might have overlooked or forgotten to mention. The users will also have a clearer visual picture of
what the final version will look like.

b) Software Tools for Decision Support Systems (June 2005) (5 Marks)
The tools of decision support include a variety of software supporting database query, modelling,
data analysis, and display. A comprehensive tool kit for DSS would include software supporting
these application areas. Examples of software tools falling into these four categories are given in
Table 1.

Data Based Software    Model Based Software    Statistical Software    Display Based Software
Dbase IV               Foresight               SAS                     ChartMaster
FOCUS                  IFPS                    SPSS                    SASGRAPH
NOMAD II               Lotus 1-2-3             TSAM                    TELLAGRAF
RAMIS                  Model
R: base 5000           Multiplan
SQL                    Omnicalc

Table 1: Software tools for decision support systems.

c) Database Languages (June 2005) (5 Marks)
Tools supporting database query and report generation use mainframe, minicomputer and
microcomputer-based databases. FOCUS, RAMIS, and NOMAD II, for example, are
mainframe-based languages supporting database query, report generation, and simple analysis. FOCUS and
RAMIS are also available in PC versions. Ingres, Oracle and Informix are database languages on
mainframes, minicomputers and microcomputers. Managers frequently use microcomputer-based
database tools such as MS-Access and R: base 5000.

d) Normalization (December 2009)(5 Marks)
Normalization is the process of efficiently organizing data in a database. There are two goals of
the normalization process: reducing redundant data (for example, storing the same data in more than
one table) and ensuring data dependencies make sense (only storing related data in a table). Both
of these are worthy goals as they reduce the amount of space a database consumes and ensure that
data is logically stored.

Normalization Avoids
1. Duplication of Data- The same data is listed in multiple lines of the database.
2. Insert Anomaly- A record about an entity cannot be inserted into the table without first
inserting information about another entity – Cannot enter a customer without a sales order.
3. Delete Anomaly- A record cannot be deleted without deleting a record about a related entity.
Cannot delete a sales order without deleting all of the customer's information.
4. Update Anomaly- Cannot update information without changing information in many places.
To update customer information, it must be updated for each sales order the customer has
placed.
Normalization is a three stage process. After the first stage, the data is said to be in first normal
form; after the second, it is in second normal form; after the third, it is in third normal form.

Before Normalization
1. Begin with a list of all of the fields that must appear in the database. Think of this as one big
table.
2. Do not include computed fields.
3. One place to begin getting this information is from a printed document used by the system.
4. Additional attributes besides those for the entities described on the document can be added to
the database.
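
The insert, update and delete anomalies listed above, run first against one big table and then against normalized tables, using Python's built-in sqlite3 module. This is an added example, not part of the suggested answer; the table names, column names and sample rows are constructed assumptions.

```python
import sqlite3

# Constructed sample rows: (order_id, customer_id, customer_name, customer_city, item)
SAMPLE_ORDERS = [
    (1, 10, "Asha Traders", "Lalitpur", "Ledger book"),
    (2, 10, "Asha Traders", "Lalitpur", "Printer paper"),
    (3, 20, "Himal Stores", "Pokhara", "Toner"),
]


def flat_table_anomalies():
    """Run the three anomaly scenarios against one big un-normalized table."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE sales_flat ("
        " order_id INTEGER PRIMARY KEY,"
        " customer_id INTEGER NOT NULL, customer_name TEXT NOT NULL,"
        " customer_city TEXT NOT NULL, item TEXT NOT NULL)"
    )
    db.executemany("INSERT INTO sales_flat VALUES (?, ?, ?, ?, ?)", SAMPLE_ORDERS)
    result = {}

    # Insert anomaly: a customer who has not ordered yet has no item to store,
    # so the row is rejected by the NOT NULL constraint on item.
    try:
        db.execute(
            "INSERT INTO sales_flat (customer_id, customer_name, customer_city)"
            " VALUES (30, 'Koshi Suppliers', 'Biratnagar')"
        )
        result["insert_blocked"] = False
    except sqlite3.IntegrityError:
        result["insert_blocked"] = True

    # Update anomaly: the city is repeated on every order row; changing it on
    # one row only leaves the same customer with two different cities.
    db.execute("UPDATE sales_flat SET customer_city = 'Bhaktapur' WHERE order_id = 1")
    result["cities_for_customer_10"] = db.execute(
        "SELECT COUNT(DISTINCT customer_city) FROM sales_flat WHERE customer_id = 10"
    ).fetchone()[0]

    # Delete anomaly: removing customer 20's only order removes the customer too.
    db.execute("DELETE FROM sales_flat WHERE order_id = 3")
    result["customer_20_still_known"] = db.execute(
        "SELECT COUNT(*) FROM sales_flat WHERE customer_id = 20"
    ).fetchone()[0] > 0
    db.close()
    return result


def normalized_tables():
    """Run the same scenarios after splitting customers from sales orders."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # SQLite enforces foreign keys only when enabled
    db.execute(
        "CREATE TABLE customer (customer_id INTEGER PRIMARY KEY,"
        " name TEXT NOT NULL, city TEXT NOT NULL)"
    )
    db.execute(
        "CREATE TABLE sales_order (order_id INTEGER PRIMARY KEY,"
        " customer_id INTEGER NOT NULL REFERENCES customer(customer_id),"
        " item TEXT NOT NULL)"
    )
    for order_id, cust_id, name, city, item in SAMPLE_ORDERS:
        # Each customer is stored once, however many orders refer to it.
        db.execute("INSERT OR IGNORE INTO customer VALUES (?, ?, ?)", (cust_id, name, city))
        db.execute("INSERT INTO sales_order VALUES (?, ?, ?)", (order_id, cust_id, item))
    result = {}

    # A customer can now be recorded before placing any order.
    try:
        db.execute("INSERT INTO customer VALUES (30, 'Koshi Suppliers', 'Biratnagar')")
        result["insert_blocked"] = False
    except sqlite3.IntegrityError:
        result["insert_blocked"] = True

    # The city lives in one row, so one update keeps every order consistent.
    db.execute("UPDATE customer SET city = 'Bhaktapur' WHERE customer_id = 10")
    result["cities_for_customer_10"] = db.execute(
        "SELECT COUNT(DISTINCT c.city) FROM sales_order o"
        " JOIN customer c ON c.customer_id = o.customer_id WHERE o.customer_id = 10"
    ).fetchone()[0]

    # Deleting the only order of customer 20 leaves the customer record intact.
    db.execute("DELETE FROM sales_order WHERE order_id = 3")
    result["customer_20_still_known"] = db.execute(
        "SELECT COUNT(*) FROM customer WHERE customer_id = 20"
    ).fetchone()[0] > 0

    # The foreign key also rejects an order for a customer that does not exist.
    try:
        db.execute("INSERT INTO sales_order VALUES (4, 99, 'Stapler')")
        result["orphan_order_blocked"] = False
    except sqlite3.IntegrityError:
        result["orphan_order_blocked"] = True
    db.close()
    return result


if __name__ == "__main__":
    print("flat table:", flat_table_anomalies())
    print("normalized:", normalized_tables())
```
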

e) 2 tier and a 3 tier architecture (Old syllabus, December 2011)(2 Marks)
2 tier refers to fat clients and 3 tier refers to fat servers in a client/server architecture. Fat clients
serve as vivid descriptions of the type of client/server systems in place. In a fat client system, more of
the processing takes place in the client, like with a file server or database server. Fat servers place
more emphasis on the server and try to minimize the processing done by the clients. Examples of fat
servers are transaction, groupware and web servers.

a) Computer Aided Software Engineering (CASE). (Old Syllabus June 2011)(5 Marks)
(June 2006)(5 Marks) (December 2012)(5 Marks) (June 2010)(5 Marks)
(December 2010)(7 Marks) (December 2015)(5 Marks) (December 2015)(5 Marks)
(June 2007)(5 Marks) (December 2008)(5 Marks)
Computer-aided software engineering (CASE)—sometimes called computer-aided systems
engineering—provides software tools to automate the methodologies we have just described to
reduce the amount of repetitive work the developer needs to do. CASE tools also facilitate the
creation of clear documentation and the coordination of team development efforts. Team members
can share their work easily by accessing each other's files to review or modify what has been
done. Modest productivity benefits can also be achieved if the tools are used properly. Many
CASE tools are PC-based, with powerful graphical capabilities.
Computer-aided software engineering (CASE), also called computer-aided systems engineering,
provides software tools to automate the system development process by reducing the amount of
repetitive work the developer normally needs to do. CASE tools also facilitate the creation of necessary
documentation and the coordination of development team. Team members can share their work
easily by accessing each other's files to review or modify what has been done. Significant
productivity can be achieved if the tools are used properly. Generally, CASE tools are PC-based,
with powerful graphical capabilities.

CASE tools automatically tie data elements to the processes where they are used. If a data flow
diagram is changed from one process to another, the elements in the data dictionary would be
altered automatically to reflect the change in the diagram. CASE tools also contain features for
validating design diagrams and specifications. CASE tools thus support iterative design by
automating revisions and changes and providing prototyping facilities. A CASE information
repository stores all the information defined by the analysts during the project. The repository
includes data flow diagrams, structure charts, entity-relationship diagrams, UML diagrams, data
definitions, process specifications, screen and report formats, notes and comments and test results.

CASE tools also provide automated graphics facilities for producing charts and diagrams, screen and
report generators, data dictionaries, extensive reporting facilities, analysis and checking tools, code
generators, and documentation generators. In general, CASE tools increase productivity and
quality by doing the following:
• Enforce a standard development methodology and design discipline
• Improve communication between users and technical specialists
• Organize and correlate design components and provide rapid access to them using a design
repository
• Automate tedious and error-prone portions of analysis and design
• Automate code generation and testing and control rollout

Many CASE tools have been classified in terms of whether they support activities at the front end
or the back end of the systems development process. Front-end CASE tools focus on capturing
analysis and design information in the early stages of systems development, whereas back-end
CASE tools address coding, testing, and maintenance activities. Back-end tools help convert
specifications automatically into program code.

CASE tools provide automated graphics facilities for producing charts and diagrams, screen and
report generators, data dictionaries, extensive reporting facilities, analysis and checking tools, code
generators, and documentation generators. In general, CASE tools try to increase productivity and
quality by doing the following:
• Enforce a standard development methodology and design discipline
• Improve communication between users and technical specialists
• Organize and correlate design components and provide rapid access to them using a design
repository
• Automate tedious and error-prone portions of analysis and design
• Automate code generation and testing and control rollout
CASE tools automatically tie data elements to the processes where they are used. If a data flow
diagram is changed from one process to another, the elements in the data dictionary would be
altered automatically to reflect the change in the diagram. CASE tools also contain features for
validating design diagrams and specifications. CASE tools thus support iterative design by
automating revisions and changes and providing prototyping facilities. A CASE information
repository stores all the information defined by the analysts during the project. The repository
includes data flow diagrams, structure charts, entity-relationship diagrams, UML diagrams, data
definitions, process specifications, screen and report formats, notes and comments and test results.
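
The tie between data elements and processes, and the design validation described above, can be shown with a miniature repository check. This is an added example, not part of the suggested answer: the order-processing design, the function names and the finding labels ("black hole" for a process with inputs but no outputs, "miracle" for one with outputs but no inputs) are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample design: data dictionary, processes and data flows.
DATA_DICTIONARY = {
    "customer_id": "Unique customer identifier",
    "order_lines": "Items and quantities ordered",
    "credit_status": "Approved or rejected flag",
    "invoice_total": "Amount billed to the customer",
    "legacy_code": "Product code kept from the previous system",
}
PROCESSES = ["1 Receive order", "2 Check credit", "3 Bill customer",
             "4 Archive order", "5 Generate report"]
# Each flow is (source, destination, data elements carried).
# "Customer" and "Manager" are external entities, not processes.
FLOWS = [
    ("Customer", "1 Receive order", ["customer_id", "order_lines"]),
    ("1 Receive order", "2 Check credit", ["customer_id"]),
    ("2 Check credit", "3 Bill customer", ["credit_status", "order_lines"]),
    ("3 Bill customer", "Customer", ["invoice_total", "due_date"]),
    ("1 Receive order", "4 Archive order", ["order_lines"]),
    ("5 Generate report", "Manager", ["invoice_total"]),
]


def where_used(processes, flows):
    """Map each data element to the processes that send or receive it."""
    usage = defaultdict(set)
    for source, dest, elements in flows:
        for element in elements:
            for node in (source, dest):
                if node in processes:  # external entities are skipped
                    usage[element].add(node)
    return {element: sorted(nodes) for element, nodes in usage.items()}


def retarget_flow(flows, index, new_dest):
    """Return a copy of the diagram with one flow moved to another process."""
    updated = list(flows)
    source, _, elements = updated[index]
    updated[index] = (source, new_dest, elements)
    return updated


def validate(dictionary, processes, flows):
    """Check the diagram against the dictionary and report inconsistencies."""
    findings = []
    carried = {e for _, _, elements in flows for e in elements}
    defined = set(dictionary)
    for element in sorted(carried - defined):
        findings.append(("undefined_element", element))
    for element in sorted(defined - carried):
        findings.append(("unused_element", element))
    for process in processes:
        has_input = any(dest == process for _, dest, _ in flows)
        has_output = any(src == process for src, _, _ in flows)
        if has_input and not has_output:
            findings.append(("black_hole", process))
        elif has_output and not has_input:
            findings.append(("miracle", process))
        elif not has_input and not has_output:
            findings.append(("unconnected", process))
    return findings


if __name__ == "__main__":
    for kind, subject in validate(DATA_DICTIONARY, PROCESSES, FLOWS):
        print(f"{kind:18} {subject}")
    # Changing the diagram changes the where-used listing without manual edits.
    changed = retarget_flow(FLOWS, 1, "3 Bill customer")
    print(where_used(PROCESSES, changed)["customer_id"])
```

Because the where-used listing is derived from the diagram rather than typed in separately, it cannot drift out of step with the design, which is the property the repository is meant to provide.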

CASE tools provide some of the following facilities:

• Diagramming tools are used to draw the system models required or recommended in most
methodologies.
• Description tools are used to record, delete, edit, and output non-graphical documentation and
specifications.
• Prototyping tools are used to construct system components including inputs, outputs, and
programs.
• Inquiry and reporting tools are used to extract models, descriptions, and specifications from
the repository.
• Quality management tools analyze models, descriptions, and prototypes for consistency,
completeness, or conformance to accepted 'rules' of the methodologies that the CASE tools
support.
• Decision support tools provide information for various decisions that occur during systems
development.
• Documentation organization tools are used to assemble, organize, and report repository
information that can be reviewed by system owners, users, designers, and builders.
• Design generation tools automatically generate first-draft designs for various system
components based on the business requirements recorded in the repository, and technology
standards provided by the system designer.
• Code generator tools automatically generate application programs, or significant portions of
those programs.
• Testing tools help the system designers and builders test databases and application programs.
• Data sharing tools provide for import and export of repository information to and from other
software tools that cannot directly access the repository.
• Version control tools maintain the integrity of the repository by preventing unauthorized or
inadvertent changes, and saving prior versions of various information stored in the repository.
• Housekeeping tools establish user accounts, privileges, repository subsets, tool defaults,
backup and recovery, and other essential facilities.

f) Spiral model of software development. (June 2012)(5 Marks) (December 2013)(5 Marks)
The spiral model, also known as the spiral lifecycle model, is a systems development method
(SDM) used in information technology (IT). This model of development combines the features of
the prototyping model and the waterfall model. The spiral model is intended for large, expensive,
and complicated projects.
The spiral model is a software development process combining elements of both design and
prototyping-in-stages, in an effort to combine advantages of top-down and bottom-up concepts.
It involves a continuous process of system development. Because it combines the prototyping and
waterfall models, most development activities are covered.

The steps in the spiral model can be generalized as follows:

1. The new system requirements are defined in as much detail as possible. This usually involves
interviewing a number of users representing all the external or internal users and other aspects
of the existing system.
2. A preliminary design is created for the new system.
3. A first prototype of the new system is constructed from the preliminary design. This is usually
a scaled-down system, and represents an approximation of the characteristics of the final
product.
4. A second prototype is evolved by a fourfold procedure: (1) evaluating the first prototype in
terms of its strengths, weaknesses, and risks; (2) defining the requirements of the second
prototype; (3) planning and designing the second prototype; (4) constructing and testing the
second prototype.
5. At the customer's option, the entire project can be aborted if the risk is deemed too great. Risk
factors might involve development cost overruns, operating-cost miscalculation, or any other
factor that could, in the customer's judgment, result in a less-than-satisfactory final product.
6. The existing prototype is evaluated in the same manner as was the previous prototype, and, if
necessary, another prototype is developed from it according to the fourfold procedure outlined
above.
7. The preceding steps are iterated until the customer is satisfied that the refined prototype
represents the final product desired.
8. The final system is constructed, based on the refined prototype.
9. The final system is thoroughly evaluated and tested. Routine maintenance is carried out on a
continuing basis to prevent large-scale failures and to minimize downtime.

g) Joint Application Development (JAD)? (June 2015)(5 Marks) (June 2012)(5 Marks) (June 2017)(5 Marks)
1. Joint application development (JAD) uses highly organized and intensive workshops to bring
together system owners, users, analysts, designers, and builders to jointly define and design
systems. Synonyms include joint application design and joint requirements planning.
2. A JAD-trained systems analyst usually plays the role of facilitator for a workshop that will
typically run from three to five full working days. This workshop may replace months of
traditional interviews and follow-up meetings.
3. JAD provides a working environment in which to accelerate methodology activities and
deliverables. It promotes enhanced system owner and user participation in system development.
But it also requires a facilitator with superior mediation and negotiation skills to ensure that all
parties receive appropriate opportunities to contribute to the system's development.
4. One of the most interesting contemporary applications of systems analysis methods is business
process redesign.

h) Top down approach of system development (June 2014)(5 Marks)


The top-down approach assumes a high degree of top management involvement in the planning
process and focuses on organizational goals, objectives and strategies. The logic here is that, above
all, an information system needs to be responsive to and supportive of an organization's basic
reasons for being. Hence the organization's goals should be the driving force behind development
of all the computer systems. Thus, using the top-down approach, we begin by analyzing the objectives
and goals of the organization and end by specifying the application programs and modules that need
to be developed.
Various steps in the top-down approach are as follows:
i. Analyze the objectives and goals of the organization in terms of profit, growth, diversification
etc.
ii. Identify the functions of the organization and explain how they support the entire
organization.
iii. Ascertain major activities, decisions and functions at various levels of hierarchy. It should be
analyzed what decisions are made and what need to be made.
iv. Identify models that guide managerial decision process and find the information requirements
for activities and decisions.
v. Prepare specific information processing programs in detail and modules within these programs.
Also identify files and database for applications.

i) Open system and Closed system (June 2016)(5 Marks)


Open System: An open system interacts with other systems in its environment. For example, an
information system is an open system because it takes input from the environment and produces
output to the environment, which changes as per the changes in the environment.
Closed System: A closed system does not interact with the environment and does not change with
the changes in the environment. Consider a 'throw-away' type sealed digital watch, which is a system
composed of a number of components that work in a cooperative fashion designed to perform
some specific task. This watch is a closed system as it is completely isolated from its environment
for its operation.

j) System Manual (June 2015)(5 Marks)


The basic output of the system design is a description of the task to be performed, complete with
layouts and flowcharts. This is called the job specifications manual or system manual. It contains:
(i) General description of the existing system.
(ii) Flow of the existing system.
(iii) Outputs of the existing system - the documents produced by existing system are listed and
briefly described, including distribution of copies.
(iv) General description of the new system - its purposes and functions and major differences
from the existing system are stated together with a brief justification for the change.
(v) Flow of the new system - this shows the flow of the system from and to the computer
operation and the flow within the computer department.

k) Object-oriented development (December 2017)(5 Marks)


Object-oriented development follows a system development approach that uses the object as the
basic unit of systems analysis and design. An object combines data and the actions or
processes that can be performed on that data into a single unit. In this approach, the system is
modeled as a collection of objects and the relationships between them.
Object-oriented modeling is based on the concepts of class and inheritance. Objects belonging to
a certain class have the features of that class. Classes of objects in turn can inherit all the structure
and behaviors of a more general class and then add variables and behaviors unique to each object.
New classes of objects are created by choosing an existing class and specifying how the new class
differs from the existing class, instead of starting from scratch each time.
The phases of object-oriented development are similar to those of conventional systems
development, consisting of analysis, design, and implementation. However, object-oriented
development is more iterative and incremental than traditional structured development.
During analysis, systems builders document the functional requirements of the system, specifying
its most important properties and what the proposed system must do. Interactions between the
system and its users are analyzed to identify objects, which include both data and processes.
The object-oriented design phase describes how the objects will behave and how they will interact
with one another. Similar objects are grouped together to form a class, and classes are grouped into
hierarchies in which a subclass inherits the attributes and methods from its superclass.
The information system is implemented by translating the design into program code, reusing
classes that are already available in a library and adding new ones. Implementation may also
involve the creation of an object-oriented database. The resulting system must be thoroughly
tested and evaluated.
Because objects are reusable, object-oriented development could potentially reduce the time and
cost of writing software because organizations can reuse software objects that have already been
created as building blocks for other applications.

l) Business Process Reengineering (BPR) (December 2013)(5 Marks) (June 2012)(5 Marks)
Business Process Reengineering (BPR): ERP is a result of a modern enterprise's concept of how
the information system is to be configured to the challenging environments of new business
opportunities. However, merely putting in place an information system is not enough. Every
company that intends to implement ERP has to re-engineer its processes in one form or the other.
This process is known as Business Process Reengineering (BPR). BPR is the fundamental
rethinking and radical redesign of processes to achieve dramatic improvement in critical,
contemporary measures of performance such as cost, quality, service and speed.

Radical redesign means that BPR is reinventing, not enhancing or improving. According to BPR
philosophy, whatever was being done in the past was all wrong, so one has to reassemble the new
system and redesign it afresh. There is no point in simplifying or automating a business process
which does not add any value to the customer; such business processes should be eliminated
altogether.

BPR aims at major transformation of the business processes to achieve dramatic improvement.
Here, the business objectives of the enterprise such as profits, customer satisfaction through
optimal cost, quality, deliveries etc. are achieved by transformation of the business processes which
may, or may not, require the use of IT.

When the concept of BPR merges with the concept of IT, business reengineering emerges,
which is the rethinking of business processes to improve speed, quality and output of materials or
services. In other words, business reengineering is the method of development of business
processes according to changing requirements.

Many companies are trying to optimize their business activity with the proper utilization of
Information Technology. But the use of IT alone is not guaranteed to optimize
business activities. There might be redundant procedures in the organizational business. If such
redundant procedures prevail in the business activity, the use of IT does not improve performance as
expected. Thus business process reengineering is the radical restructuring of the organizational
business process, without affecting the overall target, with possible reduction of the redundant
procedures. If an organization rethinks and radically redesigns its business processes before
applying the computing power, it can potentially obtain very large payoffs from its investment
in Information Technology.
Steps involved in effective reengineering are:
• Development of a broader strategic vision by the senior management for the redesign of the
business process
• Measuring and understanding the performance of the existing process as a baseline
• Using tools of IT for the work flow management and parallel documentation
• The IT facilities should be able to support the changes recommended

m) Waterfall model of software development. (December 2012)(5 Marks) (June 2014)(5 Marks) (Old Syllabus, June 2012)(5 Marks) (June 2015)(5 Marks)
The first published model of the software development process was derived from other
engineering processes (Royce, 1970). Because of the cascade from one phase to another,
this model is known as the 'waterfall model' or software life cycle. The principal stages of the
model map onto fundamental development activities:
• Requirements analysis and definition: The system's services, constraints and goals are
established by consultation with system users. They are then defined in detail and serve as a
system specification.
• System and software design: The systems design process partitions the requirements to either
hardware or software systems. It establishes overall system architecture. Software design
involves identifying and describing the fundamental software system abstractions and their
relationships.
• Implementation and unit testing: During this stage, the software design is realized as a set of
programs or program units. Unit testing involves verifying that each unit meets its
specification.
• Integration and system testing: The individual program units or programs are integrated
and tested as a complete system to ensure that the software requirements have been met.
After testing, the software system is delivered to the customer.
• Operation and maintenance: Normally (although not necessarily) this is the longest
life-cycle phase. The system is installed and put into practical use. Maintenance involves
correcting errors which were not discovered in earlier stages of the life cycle, improving the
implementation of system units and enhancing the system's services as new requirements are
discovered.

• In principle, the result of each phase is one or more documents which are approved ('signed
off'). The following phase should not start until the previous phase has finished. In practice,
these stages overlap and feed information to each other. During design, problems with
requirements are identified; during coding, design problems are found; and so on. The software
process is not a simple linear model but involves a sequence of iterations of the development
activities.
• Because of the costs of producing and approving documents, iterations are costly and involve
significant rework. Therefore, after a small number of iterations, it is normal to freeze parts of
the development, such as the specification, and to continue with the later development stages.
Problems are left for later resolution, ignored or are programmed around. This premature
freezing of requirements may mean that the system won't do what the user wants. It may also
lead to badly structured systems as design problems are circumvented by implementation
tricks.
• During the final life-cycle phase (operation and maintenance) the software is put into use.
Errors and omissions in the original software requirements are discovered. Program and
design errors emerge and the need for new functionality is identified. The system must
therefore evolve to remain useful. Making these changes (software maintenance) may involve
repeating some or all previous process stages.
• The problem with the waterfall model is its inflexible partitioning of the project into these
distinct stages. Commitments must be made at an early stage in the process and this means
that it is difficult to respond to changing customer requirements. Therefore, the waterfall
model should only be used when the requirements are well understood. However, the
waterfall model reflects engineering practice. Consequently, software processes based on this
approach are still used for software development, particularly when this is part of a larger
systems engineering project.

n) Advantages of Pre-written Application Packages for Information System. (December 2013)(5 Marks)
The four most compelling advantages of using pre-written application packages are:
(i) Rapid implementation: Application packages are readily available to implement after they are
purchased. In contrast, software developed in-house may take months or even years until it is
ready for implementation.
(ii) Low risk: Since the application package is available in the finished form, the organization
knows what it is going to get for the price it has paid. With in-house developed software, the
long development time breeds uncertainty with regard to both the quality of the final product
and its final cost.
(iii) Quality: The firms engaged in application package developments are typically specialists in
their products' niche area. Generally, they have a lot of experience in their specialized
application field and hence can provide better software. In contrast, in-house programmers often
have to work over a wide range of application areas; they may not possess the expertise for
undertaking the proposed software development.
(iv) Cost: Software cost can be leveraged as copies are generated and sold. Application packages,
sometimes, turn out to be cheaper compared to in-house developed software.

o) Integrated CASE tools. (December 2004)(10 Marks)


Specialized CASE tools can be combined together to provide wider support to software process
activities. An effective framework for integration makes evolution possible as new systems are
added without disturbing the existing system. In a system engineering environment, there are five
different levels of integration of CASE tools as discussed below.

i) Platform integration: Platform integration means that the tools or work benches to be
implemented run on the same platform where platform means either a single
computer/operating system or a network of systems.
ii) Data integration: Data integration is the process of exchange of data by CASE tools. The
result from one tool can be passed as input to another tool.
There are a number of different levels of data integration such as shared files, shared data structure
and shared repository.
iii) Presentation integration: Presentation or user interface integration means that the tools in the
system use a common metaphor or style and a set of common standards for interaction.
There are three different levels of presentation integration such as window system integration,
tools which are integrated, interaction etc.
iv) Control integration: Control integration is the mechanism by which one tool in a workbench or
environment controls the activation of other tools in the CASE system. The tool is able to
start and stop other tools. The tool can also call the services of another tool in the system.
These services are accessed through program interfaces.
v) Process integration: Process integration means that the CASE system has embedded
knowledge about the process activities, their phasing, their constraints and the tools needed to
support their activities. The CASE system participates in the scheduling of these activities and
in checking that the required activity reference is maintained.
Process integration requires that the CASE system maintains a model of the software process and
uses this model to drive the process activities. In a sense, activities and deliverables are identified, a
coordination strategy defined and the tools required to support activities are specified. All of this is
embedded in the model and a process interpreter then extracts this model to drive the software
process.

p) System Maintenance: (December 2004)( 5 Marks)


System Maintenance: Most information systems require at least some modification after
development. The need for modification arises from a failure to anticipate all requirements during
system design and/or from changing organisational requirements. The changing organizational
requirements continue to impact most information systems as long as they are in operation.
Consequently, periodic systems maintenance is required for most information systems.
Systems maintenance involves adding new data elements, modifying reports, adding new reports,
changing calculations, etc.

Maintenance can be categorised in the following two ways:


1. Scheduled maintenance is anticipated and can be planned for. For example, the
implementation of a new inventory coding scheme can be planned in advance.
2. Rescue maintenance refers to previously undetected malfunctions that were not anticipated
but require immediate solution. A system that is properly developed and tested should have
few occasions of rescue maintenance.
One problem that occurs in systems development and maintenance is that as more and more
systems are developed, a greater portion of systems analyst and programmer time is spent on
maintenance. An information system may remain in an operational and maintenance mode for
several years. The system should be evaluated periodically to ensure that it is operating properly
and is still workable for the organization. When a system becomes obsolete, i.e., new opportunities
in terms of new technology are available or it no longer satisfies the organization's needs, the
information system may be replaced by a new one generated from a fresh system development
process.

q) Risks involved in the End User Development approach. (June 2004)( 5 Marks)
Here the end user is responsible for system development activities. The end user is allowed to
develop systems. The number and nature of systems development activities followed often differ
from those found in formal approaches.
There are many advantages but a number of risks also are there. They are:
(1) A decline in standards and controls. When an analyst is in charge of development, walkthroughs
will be done and standards and policies will be enforced, which is unlikely in this
approach.
(2) Inaccuracy of specification requirements as the end user may not have much experience.
(3) Due to the lack of adequate specifications, there would be reduction in the quality assurance
and stability of the system.
(4) An increase in unrelated and incompatible systems. Hence management would have difficulty
in obtaining full corporate data.
(5) Difficulties in accessing could arise for users trying to access a central system such as the
corporate database, with a proliferation of different systems and applications.

r) Business Engineering. (June 2004)(5 Marks)


Business engineering focuses on challenges arising from the transformation of the industrial society
into an information society, that is, the digitization of enterprises, economy, administration and
society. Through the ongoing consumerization, digital services for individuals have also become a
crucial part of research. Because of the major importance of information technology, business
engineering is often held to be a subfield of Business Informatics, although it is also sometimes
regarded as a form of Organization Development for its emphasis on Change Management.
Engineering Management is a very close discipline which overlaps significantly with Business
Engineering; the main differences are that Industrial Engineering focuses primarily on the goods
sector (less on services), on technical systems and the interface between those systems as well as
the users from a production point of view.

Characteristics of business engineering are as follows:

Besides the technical design, business engineering includes the political and cultural dimensions of a
new business solution. The political and cultural dimensions and change management are crucial
factors for the success or failure of a transformation. Therefore, business engineering is an
interdisciplinary approach. It divides the design levels of a company.
Business engineering distinguishes between a strategic, an organizational and a technological
design level. Contemplating different design objects on different levels enables a focused view of
the individual dimensions of transformation. Segmenting the task at hand into different levels provides
for security and helps reduce the complexity of the transformation process.

Business engineering ensures a holistic view of all dimensions. It supports not only the design of
new business models, business processes and information systems, but also their implementation.
Therefore, it contemplates all dimensions of the transformation.
Business engineering refers to the method and model-based design theory for companies in the
information age. Business transformations along with their technical and socio-economic aspects
are far too important and complex to be realized without applying methods and models. Methods
and models not only provide for transparency during the process of transformation, they also
specify the division of labor, create a foundation for communication and enable the documentation
of the company's systematic reorientation. The division of labor and application of engineering
principles differentiate the "construction" in accordance with business engineering from
individualistic "creation".
Business engineering focuses on the consumer from a business perspective. As of now, this also
holds true for the deep penetration of all spheres of private life with information technology
(consumerization), which is equally being treated from a business and not an individual point of
view.

s) Data Flow Diagram (DFD) (December 2004)( 5 Marks)


Data Flow Diagram (DFD): A DFD graphically describes the flow of data within an organization. It
is used to document existing systems and to plan and design new ones. DFDs are subdivided into
successively lower levels in order to provide ever-increasing amounts of detail, because few
systems can be fully diagrammed on one sheet of paper. Since users have differing needs, a variety
of levels can better satisfy these requirements. The highest-level DFD is referred to as a context
diagram. A context diagram provides the reader with a summary-level view of a system. It depicts
a data processing system as well as the external entities that are the sources and destinations of the
system's inputs and outputs.

Question No 2:
List down the typical components of a CASE work bench. Explain any two work bench in detail?
(December 2004)(10 Marks)
Answer No 2:
CASE WORK BENCHES: Case work benches are available to support most software process
activities. There are many types of CASE work benches.
i) Software development work bench: These work benches are used for analysis and design,
programming and program testing.
ii) Cross development work bench: These are work benches which support host target working
where software is developed on one machine for execution on some other system.
iii) Configuration management work bench: Supports configuration management.
iv) Documentation work bench: Supports production of high quality documents.
v) Project management work benches: Supports project management activities.

Students can discuss any of the two work benches discussed below:
1. Programming work bench: Programming work bench is made up of a set of tools to support
the process of program development. Some of these tools which are part of a programming
work bench are:
a) Language compiler: Translates host programs to object code. As part of a translation process,
an abstract syntax tree and a symbol table is created.
b) Structured editor: Incorporates embedded programming language knowledge and edits the
syntax representation of the program in the AST rather than its source code text.
c) Linker: Links the object code program with components which have already been compiled.
d) Loader: Loads the executable program into the computer memory prior to execution.
e) Cross referencer: Produces a cross reference listing showing where all program names are
declared and used.
f) Pretty Printer: Scans the AST and prints the source program according to embedded
formatting rules.
g) Static analyser: Analyses the source code to discover anomalies such as uninitialized
variables, unreachable code, uncalled function and procedures, etc.
h) Dynamic analyser: Produces a source code listing annotated with the number of times each
statement was executed when the program was run. It may also generate information on
program branches and loops and statistics of processor usage.
i) Interactive debugger: Allows the user to control the execution sequence and view the
program state as execution progresses. Figure 2 shows the diagram of a programming work
bench.

4GL work benches:


4GL work benches are geared towards producing interactive applications which rely on
abstracting information from an organizational database, presenting it to end users on their
terminal or work station and then updating the database with changes made by users. The user
interface usually consists of a set of standard forms or a spread-sheet. The tools which may be
included in a 4GL work bench are:
a) A database query language such as SQL which may either be input directly or generated
automatically from forms filled in by end-users.
b) A form design tool which is used to create forms for data input and display.
c) A spread-sheet which is used for the analysis and manipulation of numeric information.
d) A report generator which is used to define and create reports from information in the
database.


Analysis and design work benches:


Analysis and design work benches are designed to support the analysis and design stages of the
software process where models of the system are created. The components of this model are:
a) Diagram editors to create data flow diagrams, structured charts, entity relationship diagrams,
and so on.
b) Design analysis and checking tools which process the design and report on errors and
anomalies. These are integrated with the editing system so that user errors are trapped at an early
stage in the process.
c) Repository query languages which allow the designer to find the designs and associated design
information in the repository.
d) A data dictionary which maintains information about the entities used in a system design.
e) Report definition and generation tools which take information from the central store and
automatically generate system documentation.
f) Forms definition tools which allow screen and document formats to be specified.
g) Import-export facilities which allow the interchange of information from the central
repository with other development tools.
h) Code generators which generate code or code skeletons automatically from the design
captured in the central store.

Testing work benches:


Testing work benches are open systems which evolve to suit the needs of the system being tested.
The tools which might be included in a testing workbench are:
a) Test manager: Manages the running and reporting of program tests. This involves keeping
track of test data, expected results, program facilities tested and so on.
b) Test data generator: Generates test data for the program to be tested. This may be
accomplished by selecting data from a database or by using patterns to generate random data
of the correct form.
c) Oracle: Generates predictions of expected results.
d) File comparator: Compares the results of program tests with previous test results and reports
differences between them.
e) Report generator: Provides report definition and generation facilities for test results.
f) Dynamic analyser: Adds code to a program to count the number of times each statement has
been executed.
g) Simulators: Different kinds of simulators such as target simulators, user interface simulators
and I/O simulators are available for simulation.

Meta-CASE workbenches:
Meta-CASE work benches are CASE tools which are used to generate other CASE tools. They are
usually based on a description of the rules and notations of design or analysis methods. The
general principle will be based on the diagram shown in fig. 9.


There are 5 different aspects which are to be considered in a Meta-CASE workbench:
a) A data model for data capture and output generation.
b) A frame model which defines the views of the data model to be generated. Each possible view
of the data model is termed a frame. Links between frames, which allow navigation
from one representation to another, are defined in this model.
c) Diagrammatic notation for each diagram frame.
d) Textual presentation for each text frame.
e) Report structures.

Question No 3:
What system costs are estimated during the feasibility study for various alternate solutions?
(December 2004)(10 Marks)
Answer No 3:
Costs are classified as follows:
1. Development Cost:
• Salaries of system development staff.
• Cost of conversion of data files.
• Cost of testing the system.
• Cost of new or expanded computer facilities.

2. Operating Cost:
• Hardware/Software rent or depreciation.
• Salaries of computer staff.
• Cost of input data preparation & control.
• Cost of data processing supplies.
• Maintenance costs.
• Other overheads.

3. Intangible Cost:
These cannot be easily measured in terms of money, e.g. loss in employees' productivity due to
loss of morale, loss of goodwill due to initial system errors.

Question No 4:
Name different systems development approaches within an organization. Give the merits and
demerits of the approach ideal for Expert system. (December 2004)(10 Marks)
Answer No 4:
The following are different systems development approaches:
i) Traditional approach
ii) Prototyping approach
iii) End user development approach
iv) Top down approach
v) Bottom up approach
vi) Systematic approach for development in small organisations.
The approach ideal for Expert system is the prototyping approach.

Advantages of prototyping approach:


i) Prototyping requires intensive involvement by the system users. Hence users' needs and
requirements are better defined under this approach.
ii) A very short time period is normally required to develop and start experimenting with a
prototype.
iii) Since system users experiment with each version of the prototype through an interactive
process, errors are hopefully detected and eliminated early in the development process.

Disadvantages:
i) Prototyping can only be successful if the system users are willing to devote significant time
experimenting with the prototype and provide the system developers with change suggestions.
ii) The interactive process of prototyping causes the prototype to be experimented with quite
intensively. Inadequate testing can make the approved system error-prone.
iii) Prototyping may cause behavioural problem with system users.

Question No 5:
Describe the different stages of software development process. (December 2004)(10 Marks)
Answer No 5:
The development of application software has to undergo a life cycle. An in-house creation of
programs commonly involves the following six stages:
i) Program analysis: In this stage, the programmer ascertains for a particular application the
outputs required, the inputs available and the processing. The programmer then determines
whether the proposed application can be or should be programmed at all.
ii) Program design: In this stage, the programmer develops the general organisation of the
program as it relates to the main functions to be performed. Out of several other tools
available to him, input, output and file layouts and flowcharts are quite useful at this stage.
iii) Program coding: The logic of the program outlined in the flowcharts is converted into program
statements or instructions at this stage. Programmers broadly pursue three objectives:
simplicity, efficient utilisation of storage and least processing time. Further, the program,
upon implementation, may require frequent modifications to suit the changing systems
environment.
iv) Debug the program: The process of debugging a program refers to correcting programming
language syntax and diagnostic errors so that the program "compiles cleanly". Once the
programmer achieves a clean compile, the program is ready for a structured walkthrough.
v) Program documentation: The writing of narrative procedures and instructions for people who
will use the software is done throughout the program life cycle. Managers and users should
carefully review documentation in order to ensure that the software and system behave as the
documentation indicates.
vi) Program maintenance: The requirements of business data processing applications are subject
to continual change. This calls for modification of the various programs. This work will be
entrusted to a separate category of programmers called maintenance programmers.

Question No 6:
For a production scheduling system, draw the systems flow chart and explain the following:
(December 2004)(10 Marks)
i. System interfaces
ii. Files and inputs
iii. Report
Answer No 6:
PRODUCTION SCHEDULING
Production scheduling is the nerve centre of the production management system. It produces no
general ledger journal entries, but it schedules production and monitors all physical flows.
Figure 1 shows the information flow involving the production scheduling system.

[Figure 1: Information flow involving the production scheduling system. Labels recoverable from the diagram:]
Flows into Production Scheduling:
• From Finished Goods Inventory Control: Shipping Reports
• From Cost Estimation: Standard Costs
• From Job-Order Control: Job Status Reports
• From Marketing Analysis: Request for Estimated Delivery Date
• From Materials Inventory: Quantities Available and Expected Delivery Dates
• From Order Processing: Production Authorisation
Flows out of Production Scheduling:
• To Job Order Control: Production Authorisation and standard
• To Marketing Analysis: Estimated Delivery Dates
• To Materials Inventory Control: Quantities Required for Production
• Output: Reports, Queries
Files: 1. Resource Utilisation

System Interface:
The production scheduling system and various other accounting systems interact frequently. The
sales order processing system authorises production scheduling to start work on a job. Production
scheduling then provides marketing analysis with estimated delivery dates and receives shipping
reports from the finished goods inventory control system. Thus, all job scheduling information is kept in one
system.


Within the production management system, the production scheduling and materials inventory
control systems interface frequently. Production scheduling informs materials inventory control of
the items and quantities required to schedule production, and inventory control indicates the
quantities available. Work-in-process control receives production authorisation from the
scheduling system. This authorisation creates a new record for a job, and production costs can be
charged to the job. At the same time, the work-in-process control system receives the standard cost
for the job and provides status reports to the scheduling system. Cost estimation provides
production scheduling with budgeted standard costs for all jobs in production.

Files and Inputs:


Three files are required in the production scheduling system. The resource utilisation file contains
a record for each machine and production process in the factory and maintains work schedules for
them. The employee data file contains data concerning employee skills and scheduled work
assignments. The production order file maintains completion dates and schedule information for
each job.

Reports:
The scheduling system produces periodic production planning reports. They indicate the available
capacity and scheduled future utilisation of labour and machinery. A sample report is shown in
Figure 2. Such reports are useful to management because they indicate where excess capacity
exists for the planning period. Sales and pricing strategies can be considered to alleviate the
situation. On the other hand, if frequent scheduling problems are encountered, then an adjustment
in capacity may be necessary.

Production Planning Report

A & B Corporation                                              Date: 3.12.2001

                           Capacity   Utilisation   Capacity   Planned Use
                           YTD        YTD           December   December
Labour (hours)
  Welders                  16,500     15,790        1,500      1,450
  Machinists               24,750     25,050        2,250      2,300
  Electricians              4,950      4,870          450        375
  Painters                  8,250      7,680          750        680
  Total hours              54,450     53,390        4,950      4,805
Machine (hours)
  Drill press              15,360      6,870        1,280        265
  Automatic screw machine  11,520     11,460          960       1040
  Lathe                     9,600         30          800        490
  Planner                   1,920        680          160         45
  Automatic Cutter          5,760      6,010          480        460
  Total hours              44,160     25,050        3,680      2,300

Job status reports concern the status of jobs in the production process. They compare scheduled
and actual completion times in the production process. A sample job status report is shown in
Figure 3. This report emphasises scheduled times whereas the job-order control report emphasises
costs.

A & B Corporation              Job Status Report              Date: 3.12.2001

Job Number 3893    Customer: Pradeep Tandon & Co.    Estimated Completion Date: 2.04.2002

                 Source
Materials        Inventory   Purchase   Shipped   Received   Delay   (Days)
½ Plate          Y           –          –         –          –
6" WF 20         –           Y          Y         Y          –
2" Bearings      –           Y          N         N          Y       20
2" Shaft         Y           –          –         –          –

                           Budgeted   Actual                Estimated Hours
Labour                     Hours      Hours    Difference   to Complete
Welding                    384        412      (28)         0
Machinery                  524        319      205          240
Electrical                 40         0        40           40
Painting and Preparation   80         0        80           80
Total hours                1,028      731      297          360

Question No 7:
Explain and compare "top down" and "bottom up" approaches used for system development.
(June 2004)(10 Marks)
Answer No 7:
The top down approach assumes and focuses on organizational goals, objectives and strategies. The
logic here is that, above all, an information system needs to be responsive to and supportive of an
organization's basic reasons for being. Hence the organization's goals should be the driving force
behind development of all the computer systems.
Using the top down approach, we begin by analyzing organizational objectives and goals and end by
specifying application programs and modules that need to be developed to support the organization's
goals. The various stages in the top down approach are as follows:
(a) Analyze the objectives and goals of the organization to determine where it is going and what
management wants to accomplish. The analysis may be stated in terms of profits, growth,
expansion of product line or services, diversification, increased market share and so on. It is
also determined what resources are available in terms of capital, equipment and raw
materials.
(b) Identify the functions of the organization (for example, marketing, production, research and
development) and explain how they support the entire organisation.
(c) Based on the functions identified above, ascertain the major activities, decisions and functions
of the managers at various levels of hierarchy. It should also be analysed what decisions are
made as well as what decisions need to be made and when they should be made.
(d) With activities and decisions identified, we must now identify models that guide managerial
decision processes and find out the information requirements for activities and decisions. An
insight should be provided into what information is needed, when it is needed and what form
is most useful. These factors provide many of the design specifications for the application
system.
(e) Prepare specific information processing programmes in detail and modules within these
programmes. We may also identify files and data base for applications.

The development of information system under the bottom up approach starts from the identification
of life stream systems. Life stream systems are those systems which are essential for the day-to-day
business activities. The examples of life stream systems include payroll, sales order, inventory
control and purchasing etc. The development of information system for each life stream system
starts after identifying their basic transactions, information file requirements and information
processing programs.
After ascertaining the data/information requirements, files requirements and processing programs
for each life stream systems the information system for each is developed. The next step is towards
the integration of data kept in different data files of each information system. The data is integrated
only after thoroughly examining various applications, files and records. The integrated data
enhances the share-ability and evolvability of the database. It also ensures that uniform data are
being used by all programs. Integrated data also provides added capability for inquiry processing
and ad hoc requests for reports.
The next step under bottom up approach may be the addition of decision models and various
planning models for supporting the planning activities involved in management control. Further,
these models are integrated to evolve a model base. The models in the model base facilitate and
support higher management activities. They are useful for analysing different factors, to understand
difficult situations and to formulate alternative strategies and options to deal with them.

A comparison of top down and bottom up approaches reveals the following points:
1. Top management takes the main initiative in formulating major objectives, strategies and
policies for developing MIS under the top down approach. In the bottom up approach, it is the
supervisory management who identifies the life stream systems for which MIS may be
developed.
2. Middle and supervisory management levels have little role in the development of system
under the top down approach. Under the bottom up approach, management refrains from guiding
the development of system developed by supervisory level.
3. The information system developed under the top down approach is more consistent with the
systems approach and is also viewed as a total system, which is fully integrated. The
information system developed under the bottom up approach is developed through an orderly
process of transition, building upon transaction processing sub-systems. This system may not
be integrated.

Question No 8:
Enumerate various important factors to be kept in mind while designing an output from an
information system. (June 2004)(10 Marks)
Answer No 8:
Important factors in output design: There are six important factors which should be considered by
the system analyst while designing user outputs.
(i) Content: Content refers to the actual pieces of data included among the outputs provided to
users. It is to be noted here that systems designers generally put too much content into
managerial reports instead of too little. Too much content can cause managers to waste time
in isolating the information that they need; it also diminishes the impact of truly important
information. Hence, only the required information should be included in various outputs.


(ii) Form: Form refers to the way that content is presented to users. Content can be presented in
various forms: quantitative, non-quantitative, text, graphics, video and audio. For example,
information on distribution channels may be more understandable to the concerned manager
if it is presented in the form of a map, with dots representing individual outlets for stores.
Sometimes, converting absolute values to relative values such as percentages helps
managers to comprehend the data easily and make better decisions. Hence, the form of the
output should be decided keeping in view the requirements for the concerned user.

(iii) Output volume: The amount of data output required at any one time is known as output
volume. It is better to use high-speed printer or a rapid-retrieval display unit, which are fast
and frequently used output devices in case the volume is heavy. Unusually heavy output
volume normally causes concern about paper cost. In such a case, alternative methods of
output display such as COM (Computer Output Microfiche) may be considered.

(iv) Timeliness: Timeliness refers to when users need outputs. Some outputs are required on a
regular basis - perhaps daily, weekly, monthly, at the end of a quarter or annually. Other types
of outputs are generated on request.

(v) Media: Input-output medium refers to the physical device used for input, storage or output. A
variety of output media are available in the market these days, which include paper, video
display, microfilm, magnetic tape/ disk and voice output. Many of these media are available
in different forms. The system designer can select a medium, which is best suited to the user
requirements.

(vi) Format: The manner in which data are physically arranged is referred to as format. The real
issue in designing computer output is not how much can be provided, but how little is needed
to make important information available. The major concern of the user in the system design
effort is properly designed output, that is, intelligent and decision impelling.

Question No 9:
What is a programming CASE work-bench? Give some tools which are part of a programming
work-bench. (June 2004)(10 Marks)
Answer No 9:
Programming work bench is made up of a set of tools to support the process of program
development.
1. Language compiler: Translates host programs to object code. As part of the translation process,
an abstract syntax tree (AST) and a symbol table are created.
2. Structured editor: Incorporates embedded programming language knowledge and edits the
syntax representation of the program in the AST rather than its source code text.


3. Linker: Links the object code program with components which have already been compiled.
4. Loader: Loads the executable program into the computer memory prior to execution.
5. Cross referencer: Produces a cross reference listing showing where all program names are
declared and used.
6. Pretty printer: Scans the AST and prints the source program according to embedded formatting
rules.
7. Static analyser: Analyses the source code to discover anomalies such as uninitialised
variables, unreachable code etc.
8. Dynamic analyser: Produces a source code listing annotated with the number of times each
statement was executed when the program was run and generates information on program
branches and loops and statistics of processor usage.
9. Interactive debugger: Allows the user to control the execution sequence and view the program
state as execution progresses.
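
The static analyser and dynamic analyser described in the list above (and in the earlier programming work bench answer) can be illustrated in Python as follows. This is an added example, not part of the suggested answer; the sample program, the function names and the two static checks chosen (unreachable code and uncalled functions) are assumptions made for illustration.

```python
import ast
import sys
from collections import Counter

# Constructed sample program used as input to both analysers.
SAMPLE = '''\
def used(n):
    total = 0
    for i in range(n):
        total += i
    return total
    print("never runs")

def never_called():
    return 1

result = used(3)
'''

TERMINATORS = (ast.Return, ast.Raise, ast.Break, ast.Continue)


def static_analyse(source):
    """Static analyser: examine the AST without executing the program.

    Returns sorted (line, message) pairs for statements that follow a
    return/raise/break/continue in the same block, and for functions
    that are defined but never called by name.
    """
    tree = ast.parse(source)
    findings, defined, called = [], {}, set()
    for node in ast.walk(tree):
        if isinstance(node, ast.FunctionDef):
            defined[node.name] = node.lineno
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            called.add(node.func.id)
        for field in ("body", "orelse", "finalbody"):
            block = getattr(node, field, None)
            if not isinstance(block, list):
                continue  # e.g. the expression body of a lambda
            for previous, statement in zip(block, block[1:]):
                if isinstance(previous, TERMINATORS):
                    findings.append((statement.lineno, "unreachable code"))
                    break  # report only the first dead statement per block
    for name, lineno in defined.items():
        if name not in called:
            findings.append((lineno, f"uncalled function '{name}'"))
    return sorted(findings)


def dynamic_analyse(source, filename="<sample>"):
    """Dynamic analyser: run the program and count executions per line."""
    counts = Counter()
    code = compile(source, filename, "exec")

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != filename:
            return None  # do not trace code outside the sample program
        if event == "line":
            counts[frame.f_lineno] += 1
        return tracer

    previous = sys.gettrace()
    sys.settrace(tracer)
    try:
        exec(code, {"__name__": "__sample__"})
    finally:
        sys.settrace(previous)  # always restore the earlier trace hook
    return counts


def annotated_listing(source):
    """Source listing annotated with the execution count of each line."""
    counts = dynamic_analyse(source)
    return [f"{counts[number]:>3} | {line}"
            for number, line in enumerate(source.splitlines(), 1)]


if __name__ == "__main__":
    for line, message in static_analyse(SAMPLE):
        print(f"line {line}: {message}")
    print("\n".join(annotated_listing(SAMPLE)))
```

The static pass flags the `print` after `return` and the function `never_called` without running anything; the dynamic pass shows the same two lines with an execution count of zero, together with how often the loop body actually ran.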

Question No 10:
Discuss the reasons as to why organizations fail to achieve their system development objectives.
(December 2005)(10 Marks)
Answer No 10
There are many reasons why organizations fail to achieve their systems development objectives:
i) Lack of senior management support for and involvement in information systems
development:
Developers and users of information systems will watch senior management to determine which
systems development projects are important and will act accordingly by shifting their efforts away
from any project not receiving management attention. In addition, management can see that
adequate resources, as well as budgetary control over use of those resources, are dedicated to the
project.

ii) Shifting user needs:


User requirements for information technology are constantly changing. As these changes
accelerate, there will be more requests for systems development and more development projects.
When these changes occur during a development process, the development team may be faced
with the challenge of developing systems whose very purposes have changed since the
development process began.

iii) Development of strategic systems:


Because strategic decision making is unstructured, the requirements, specification and objectives
for such development projects are difficult to define and determining 'successful' development
will be elusive.

iv) New technology:

When an organization tries to create a competitive advantage by applying advanced information
technology, it generally finds that attaining systems development objectives is more difficult
because personnel are not as familiar with the technology.

v) Lack of standard project management and systems development methodologies:


Some organizations do not formalise their project management and systems development
methodologies, thereby making it very difficult to consistently complete projects on time or within
budget.

vi) Overworked or under-trained development staff:


In addition to being overworked, system developers often lack sufficient educational background.
Furthermore, many companies do little to help their development personnel to stay technically
updated; in these organizations, a training plan and training budget do not exist.

vii) Resistance to change:


People have a natural tendency to resist change, and information systems development projects
signal changes, often radical, in the workplace. Business process reengineering is often the catalyst
for the systems development project. When personnel perceive that the project will result in
personnel cutbacks, threatened personnel will dig in their heels and the development project is
doomed to failure. Personnel cutbacks often result when reengineering projects are really attempts at
downsizing.

viii) Lack of user participation:


Users must participate in the development effort to define their requirements, feel ownership for
project success and work to resolve development problems. User participation also helps reduce
user resistance to change.

ix) Inadequate testing and user training:


New systems must be tested before installation to determine that they will operate correctly. Users
must be trained to effectively utilize the new system.

Question No 11:
Explain the various activities of System Development Life Cycle Model.
(December 2005)(10 Marks)
Answer No 11:
The system development life cycle model consists of the following activities:
i) Preliminary investigation:
It is undertaken when users come across a problem or opportunity and submit a formal request for
a new system to the MIS department. This activity consists of three parts: request clarification,
feasibility study and request approval. Generally the requests which are submitted to the MIS
department are not clearly stated. Hence, before any system investigation can be considered, the
system request must be examined to determine precisely what the originator wants. Thereafter, the
analyst tries to determine whether the system requested is feasible or not. Aspects of technical,
economic and operational feasibility of the system are covered in the feasibility study. The third
part of investigation relates to approval of the request. Not all requested systems are desirable or
feasible. Based on the observations of the analyst, the management decides which system should
be taken up for development.

ii) Requirements analysis or system analysis:


If, after studying the result of preliminary investigation, management decides to continue the
development process, the needs of the users are studied. Analysts work closely with employees
and managers of the organization for determining information requirements of the users. Several
fact-finding techniques and tools are used for understanding the requirements. As details are
gathered, the analysts study the present system to identify its problems and shortcomings and
identify the features which the new system should include to satisfy the new or changed user
application environment. This step is also referred to as "system analysis".

iii) Design of the system:


During system design, the user requirements that arose from analyzing the user application
environment are incorporated into a new systems design. The design of an information system
produces the details that state how a system will meet the requirements identified above. The
analysts design various reports/outputs, data entry procedures, inputs, files and database. They also
select file structures and data storage devices. These detailed design specifications are then passed
on to the programming staff so that software development can begin.

iv) Acquisition and development of software:


After the system design details are resolved, resource needs such as specific types of hardware,
software and services are determined. Subsequently, choices are made regarding which products
to buy or lease from which vendors. Software developers may install purchased software or they
may write new, custom-designed programs. The choice depends on many factors such as time,
cost and availability of programmers. The analyst works closely with the programmers if the
software is to be developed in-house. During this phase, the analyst also works with users to
develop worthwhile documentation for software, including various procedure manuals.

v) Systems testing:
Before the information system can be used, it must be tested. System testing is done
experimentally to ensure that the software does not fail, i.e., it will run according to its
specifications and in the way users expect. Special test data are input for processing, and results
examined. If it is found satisfactory, it is eventually tested with actual data from the current
system.


vi) Implementation and maintenance:


After the system is found to be fit, it is implemented with the actual data. Hardware is installed
and users are then trained on the new system and eventually work on it is carried out
independently. The results of the development efforts are reviewed to ensure that the new system
satisfies user requirements. After implementation, the system is maintained; it is modified to adapt
to changing user and business needs so that the system can be useful to the organization as long
as possible.

Question No 12 (December 2006)(5 Marks)


Assume that you are hired in an organization for the purpose of developing computerized
accounting system and upgrading the manual system to the newly developed system. Explain the
steps in brief with suitable examples you would follow in the development of the system.
Answer No 12
As the real system has to be built, the development process has to undergo the following phases. In a
broad sense, the phases comprise:
1. Preliminary Investigation
2. Requirement analysis
3. System Design
4. System Development
5. System testing, Implementation and Maintenance

Preliminary Investigation
This is the first phase of the system development. In this phase, the feasibility study of the project is
first carried out in terms of cost, technology and behavior of the personnel. For example, the total cost
of the software to build, training cost, accountants' and other stakeholders' interest etc.

Requirement analysis
Requirement analysis process consists of the study of problems in the current manual system. This
is also called the system analysis phase. In this phase, inputs and outputs of the system are also
analyzed. This phase can be carried out with fact finding techniques like interviews, questionnaires,
observations, etc. For example, different accounting terminologies (Debit, Credit,
Balance Sheet, types of Reports, problems of current payroll etc.) are studied.

System Design
Once the problems of the current system are found and the requirements for the new system are
analyzed, the project moves to the design of the database, input/output layouts and report generation.
Moreover, the system design phase also includes the design of hardware and networking resources.
Different tools can be used for this, such as ER diagrams, OO diagrams, etc.

System Development
This is the actual system coding phase. In this phase, the actual computer programming of the
system is done according to the design. The system development phase is in strict compliance with
the design. For example, Visual Basic or Java; database: Oracle, MS Access, etc.

System testing, Implementation and Maintenance


In order to ensure the reliability of the software, it needs testing. Testing is done according to the
needs of accountants and actual users. While testing the software, inputs, processes and reports
should all be tested in random order, e.g. while giving data for the ledger, while generating the
balance sheet, etc. The fit system is implemented with actual data, hardware installation is done,
users are trained, the system is reviewed for requirement conformity and the system is adapted to
meet business needs.

Question No 13
Five approaches to systems building are:
• traditional systems lifecycle
• prototyping
• application software package
• end user development
• outsourcing
Describe one advantage and disadvantage of each approach. (December 2006)(10 Marks)
Answer No 13
Traditional systems lifecycle
Advantage
Useful for large projects that need formal specifications and tight management control over each
stage
Disadvantage
Rigid and costly, not well suited for unstructured, decision oriented applications

Prototyping
Advantage
Encourages end user involvement in development and iteration of system
Disadvantage
Rapid creation can result in systems that have not been properly tested or documented

Application software package


Advantage
Eliminates the need for writing software; cuts down on design, testing, installation and maintenance
Disadvantage
Software may not meet precise specifications; software may not be changed easily

End user development


Advantage
Improved requirements determination, increased end-user participation in development
Disadvantage
Quality of software not easily controlled

Outsourcing
Advantage
Save development costs, no need for internal information systems staff
Disadvantage
Less control over information systems, dependency on external vendors

Question No 14
Assume that you are appointed as Account and Finance Information System consultant for its
development and implementation for XYZ Pvt. Ltd. Company whose major products are noodles,
juices and biscuits. Different branches of XYZ Pvt. Ltd. are located in Biratnagar, Pokhara,
Hetauda and the central office is located in Kathmandu. Based on the above information answer
the following questions.
a) What will be your information system development procedure?
b) What are the inputs of the system?
c) What types of report do you want to generate for different hierarchy of management?
(June 2006)(20 Marks)
Answer No 14
There is no single specific answer to this type of conceptual question. The main objective of
this type of question is to check the student's analytical ideas and problem-solving techniques, so
various concepts and designs can be expected from students. However, for the
evaluation, the following points should be taken into consideration.
a) Any one method of the system development life cycle, with a relevant figure such as the Waterfall
model or Spiral model, can be accepted. But students should clearly specify which method is being
used and the reason for using that particular development process. The tasks carried out during
each step of the development process should be clearly specified.
b) The account and finance information system can be divided into two parts. One is about
bookkeeping and the other is about the analysis of different types of financial statements. A purely
accounting information system can also be subdivided into a sales order transaction processing
system, cash receipt/distribution transaction processing system, general ledger processing
and reporting system, purchasing transaction processing system and payroll system.
Inputs to Sales TPS: Product ID, Product Name, Product amount, Product price, discount.
Input to Cash Receipt/Distribution TPS: The bill from the Sales TPS and the receipt obtained from
the vendor will be input for the case of the cash distribution TPS.
Input to general ledger processing and reporting system: The bill from the Sales TPS, cash receipt
information, cash distributed information, the output from the payroll system and information
from the purchase TPS.
Input to purchasing transaction processing system: Purchasing order, receipt obtained from the
supplier to maintain the inventory.
Payroll TPS: Employee name, employee working hours, rate, leave, allowances, etc.
c) Financial Report: The output from all of these can be used to generate various types of
financial reports.
Operation level manager: Monthly Purchase Report, Daily Sales volume of a specific product,
Cost of various types of raw material specific to a product, e.g. ingredients for noodles, juices and
biscuits.
Middle level manager: Total cost of purchases, Total sales, Profit and loss, Salary and
allowances, leave and working hours.
Top level manager: Comparison of sales with last year, Profit and loss ratio, 5-10 year
projections of cost, remuneration and sales, etc.

Question No 15
"The implementation part of a system is more difficult than its development", justify the statement.
(June 2006)(5 Marks)
Answer No 15
The statement is true that the implementation part of any system is more difficult than its
development, because the development part is merely a technical job. The development process can
be accomplished with perfection if the stakeholders involved clearly know their duties and
responsibilities and if they can solve the programming and mathematical hassles, whereas
system implementation embraces various fields and various steps and, moreover, involves the rigid
human factor. Here are a few points that bring difficulties while implementing any system:
• System implementation needs resources (hardware), which should meet all the technical
requirements.
• The developed system should be error-free. To make the system error-free, it should be tested
in the real case.
• Existing users have already become used to the manual system or the previously used system, so
they resist migrating to the new system.
• High dependency of the system on other technical factors like power, engineers or technical
managers, etc.
• Problems faced for a long period in case of any system bug

Question No 16:
Explain the advantages and disadvantages of prototype method of system development?
(June 2006)(5 Marks)
Answer No 16:
Advantages of the prototyping method of system development are:
• It requires intensive involvement of all system users in comparison to traditional system
development, so it results in a better definition of user requirements and needs.
• The prototype is developed within a very short period of time, so that users can provide
necessary feedback and comments for the betterment of the system.
• As system users can experiment with each version of the prototype through an interactive
process, errors are hopefully detected and eliminated early in the development process. As a
result, the information system ultimately implemented should be more reliable and less costly
to develop than when the traditional systems development approach is employed.

Disadvantages of the prototyping method of system development are:
• The prototype method will be successful if the users of the system devote significant time
to experimenting with the system. The users may not be able to give the required time to
experimenting with the prototype.
• The interactive process of prototyping causes the prototype to be experimented with quite
extensively. Because of this, the system developers are frequently tempted to minimize the
testing and documentation process of the ultimately approved information system. Inadequate
testing can make the approved system error-prone, and inadequate documentation makes this
system difficult to maintain.
• Prototyping may cause behavioral problems with system users. These problems include
dissatisfaction by users if system developers are unable to meet all user demands for
improvements, as well as dissatisfaction and impatience by users when they have to go
through too many iterations of the prototype.

Question No 17:
"Periodic maintenance of the information system is essential". Do you agree with this statement?
Explain. (June 2006)(5 Marks)
Answer No 17:
Yes, it is true that periodic maintenance of a system is essential for its smooth operation. Here are
some points which describe why periodic maintenance of a system is essential.
• Periodic maintenance of the system helps in the troubleshooting of the system.
• Periodic maintenance protects against a possible huge disaster.
• Periodic maintenance reduces cost, as the same system can be operated for a long time with just
some upgrades instead of purchasing or developing a new system.
• Periodic maintenance also provides feedback on when the system will become obsolete and when
a new system needs to be installed.

Question No 18:
"System – Level testing must be conducted prior to installation of an information system". Briefly
describe various steps involved in the system testing. (June 2006)(10 Marks)
Answer No 18:
System-level testing must be conducted prior to installation of an information system. It involves:
(a) Preparation of realistic test data in accordance with the system test plan, (b) processing the test
data using the new equipment, (c) thorough checking of the results of all system tests, and (d)
reviewing the results with future users, operators and support personnel. System level testing is an
excellent time for training employees in the operation of the IS as well as maintaining it.
Typically, it requires 25 to 35 percent of the total implementation effort.
One of the most effective ways to perform system-level testing is to perform parallel operations
with the existing system. Parallel operations consist of feeding both systems the same input data
and comparing data files and output results. Despite the fact that the individual programs were
tested, related conditions and combinations of conditions that were not envisioned are likely to
occur. Last minute changes to computer programs are necessary to accommodate these new
conditions.
For an interactive information system project, the process of running dual operations for both new
and old systems is more difficult than it is for a batch-processing system, because the new system
has no true counterpart in the old system. One procedure for testing the new interactive system is
to have several remote input terminals connected on line, which are operated by supervisory
personnel backed up by other personnel operating on the old system. The outputs are checked for
compatibility and appropriate corrections are made to the online computer programs. Once this
segment of the new system has proved satisfactory, the entire terminal network can be placed into
operation for this one work. Additional sections of the system can be added by testing in this
manner until all programs are operational.
During the parallel operations, the mistakes detected are often not those of the new system, but of
the old. These differences should be reconciled as far as it is feasible economically. Those
responsible for comparing the two systems should clearly establish that the remaining deficiencies
are caused by the old systems. A poor checking job at this point can result in complaints later from
customers, top management, salespersons, and others. Again, it is the responsibility of the system
developers and analysts to satisfy themselves that adequate time for dual operation has been
undertaken for each functional area changed.
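
The parallel-operation check described in Answer No 18, as an added example that is not part of the Institute's suggested answer: the same test data is fed to the old and the new system, the outputs are compared, and each difference is attributed using predetermined results. The two posting functions, the test transactions and the old system's defect (dropping the paisa part of every amount) are constructed assumptions.

```python
from collections import namedtuple
from decimal import Decimal, ROUND_DOWN

# Constructed test data: (account, side, amount).
# Dr increases the signed balance, Cr decreases it.
TEST_TRANSACTIONS = [
    ("Bank", "Dr", "5000.00"), ("Capital", "Cr", "5000.00"),
    ("Cash", "Dr", "1000.00"), ("Sales", "Cr", "1000.00"),
    ("Purchases", "Dr", "250.10"), ("Cash", "Cr", "250.10"),
    ("Cash", "Dr", "0.05"), ("Sales", "Cr", "0.05"),
]

# Predetermined results, worked out by hand before the run.
EXPECTED = {
    "Bank": Decimal("5000.00"),
    "Capital": Decimal("-5000.00"),
    "Cash": Decimal("749.95"),
    "Purchases": Decimal("250.10"),
    "Sales": Decimal("-1000.05"),
}

Finding = namedtuple("Finding", "account old new expected source")


def post(transactions, normalise):
    """Post transactions to signed account balances."""
    balances = {}
    for account, side, amount in transactions:
        value = normalise(Decimal(amount))
        if side == "Dr":
            signed = value
        elif side == "Cr":
            signed = -value
        else:
            raise ValueError(f"unknown side {side!r} for {account}")
        balances[account] = balances.get(account, Decimal("0")) + signed
    return balances


def new_system(transactions):
    """Stand-in for the new system: exact decimal arithmetic."""
    return post(transactions, lambda v: v)


def old_system(transactions):
    """Stand-in for the old system (assumed defect: paisa are dropped)."""
    return post(
        transactions,
        lambda v: v.to_integral_value(rounding=ROUND_DOWN),
    )


def reconcile(old, new, expected):
    """Compare both outputs and attribute every difference."""
    findings = []
    for account in sorted(set(old) | set(new) | set(expected)):
        o = old.get(account, Decimal("0"))
        n = new.get(account, Decimal("0"))
        e = expected.get(account, Decimal("0"))
        if o == n == e:
            continue  # both systems agree with the predetermined result
        if n == e:
            source = "old system"
        elif o == e:
            source = "new system"
        else:
            source = "unresolved"  # neither output matches; investigate
        findings.append(Finding(account, o, n, e, source))
    return findings


def ready_for_cutover(findings):
    """True only if every remaining difference is caused by the old system."""
    return all(f.source == "old system" for f in findings)


if __name__ == "__main__":
    results = reconcile(
        old_system(TEST_TRANSACTIONS),
        new_system(TEST_TRANSACTIONS),
        EXPECTED,
    )
    for f in results:
        print(f"{f.account}: old={f.old} new={f.new} "
              f"expected={f.expected} -> {f.source}")
    print("ready for cutover:", ready_for_cutover(results))
```
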

Question No 19
Explain the different activities that are essential while controlling new system development
process. (June 2006)(5 Marks)
Answer No 19:
System development controlling activities are mainly related to the authorization, development and
implementation of the original system.
System authorization: To ensure economic justification and feasibility, all systems need to
be properly authorized. To authorize a system officially, it is essential that users submit any
request for the system in written form to the system professionals who have both the expertise
and authority to evaluate and approve it.
User specification activities: Users have the best understanding of the system, so it is essential to
involve system users while developing and evaluating the system.
Technical design activity: The technical design activity in the SDLC is the process of
converting user specifications into technical specifications from the development perspective. The
adequacy and sufficiency of this design will be revealed by the quality of the documentation that
emerges from each phase.
Internal audit participation: The role of internal audit participation is very important in
organizations that lack internal technical expertise. Here the auditor is concerned with
the inception of all the activities of the SDLC, in order to make conceptual suggestions regarding
system requirements and controls.
Program testing: All program modules must be thoroughly tested before they are implemented. The
results of the tests are then compared against predetermined results to identify programming and
logical errors.
User test and acceptance procedures: Before the implementation of any system, it is essential to test
every module of the system as a whole. A test team comprising personnel, systems professionals
and internal audit personnel subjects the system to rigorous testing.

Question No 20
Write short notes on:
a) Prototyping approach of software system development (June 2007)(5 Marks) (December
2009)(4 Marks)
This is one of the approaches to software system development. It is used to develop a system
more quickly than the traditional method. The goal of the prototyping approach is, initially, to
develop a small or pilot version, called a prototype, of part or all of a system. This is a usable
system or system component that is built quickly and at a lesser cost, with the intention of
modifying it or replacing it with a full-scale and fully operational system. As users work with the
prototype, they make suggestions about ways to improve it. These suggestions are then incorporated
into another prototype, which is also used and evaluated, and this process is repeated until a
satisfactory system is developed. Finally, when a prototype is developed that satisfies all user
requirements, either it is refined and turned into the final system or it is scrapped. If it is
scrapped, the knowledge gained from building the earlier prototype is used to develop the real system.
Experimenting with the prototype helps users to identify additional requirements and needs that they
might have overlooked or forgotten to mention. The users will also have a clearer visual picture of
what the final version will look like.

b. List out different approaches to System Development.(December 2007)(5 Marks)


i. Traditional Approach
In Traditional Approach of the System Development, activities are performed in sequence/phase.
An activity/phase is undertaken only when the prior activity/phase is fully completed. The phases
are: Feasibility Study, Requirement Analysis, Design or selection, Development /configuration,
Implementation, and Post Implementation reviews.

ii. Prototyping Approach


The Traditional approach, which is very formal, may take a very long time to analyze, design and
implement a system. In order to avoid such a long time, organizations are increasingly using
Prototyping techniques to develop smaller systems. Prototyping, also known as evolutionary
development, is the process of creating a system through controlled trial and error procedures to
reduce level of risks in developing a system. This approach enables developers and users to
understand and react to risks at each evolutionary level. Prototyping generally reduces the time to
deploy systems by using faster development tools. The goal of Prototyping approach is to
develop a small or pilot version called a prototype of some parts or the whole system. A prototype
is a usable system or system component that is built quickly at a lesser cost and with an intention
to eventually modify or replace it by a full scale and fully operational system.

iii. End User Development Approach


In this approach, the end user is responsible for the systems development activities, instead of the
computer professionals. Generally, this approach is followed in a relatively small office or
department having relatively inexpensive micro computers or office information systems. The
number and the nature of system development activities followed by the end users often differ
from those found in the formal approaches such as the traditional approach. Therefore there is a
possibility of development of inadequate specification requirements, adoption of inadequate
standards and controls, lack of adequate specification and inadequate system testing.

iv. Top Down Approach


The Top Down approach assumes a high degree of top management involvement in the planning
process and focuses on organizational goals, objectives and strategies. The logic here is that an
information system needs to be responsive to and supportive of the organization's goal and
objective. Therefore the development starts from the top down.

v. Bottom Up Approach
This approach starts from the identification of the basic systems which are essential for the
day-to-day business activities. Systems such as payroll, sales order, inventory control, purchasing, etc.
are developed first by identifying their basic transactions, information file requirements and
information processing programs.

vi. Systematic Approach


In this approach, information processing requirements are determined first and a search for
suitable software and its evaluation is made. Once the software is identified, hardware is selected
and then the information system is developed. Finally, the hardware and software are acquired or
developed and the system is implemented.

Question No 21
Prototyping can be viewed as a series of steps. What are they? Explain.
(December 2007)(4 Marks)
Answer No 21
i. Identify Information System Requirements
In the prototyping approach, the design team obtains the very basic system requirements to build an
initial prototype. A detailed requirement is prepared after obtaining users' feedback on the
prototype.

ii. Develop the Initial Prototype


In this step, the designers develop an initial base model with the goals of 'rapid development' and
'low cost'. Thus the designers give little or no consideration to internal controls and emphasize
system characteristics such as 'simplicity', 'flexibility' and 'ease of use'.

iii. Test and modify


After finishing the initial prototype, the designers demonstrate the model to the users and then ask
them to operate and experiment with it. The designers ask users to record their likes and dislikes about the
system and recommend changes. Using this feedback, the design team modifies the prototype as
necessary and then resubmits the revised model to the system users for re-evaluation. This
iterative process of modification and re-evaluation continues until the users are fully satisfied.

iv. Obtain User Signoff
After users are fully satisfied with the modified prototype, they formally approve the final version
of the prototype, which commits them to the modified design and establishes a contractual
obligation on the system, with agreement on what the system can and cannot do.

Question No 22
What are the advantages of Prototyping? (December 2007)(3 Marks)
Answer No 22
The following are the advantages of Prototyping.
i. Prototyping requires intensive involvement by the system users, resulting in a better definition
of users' needs and requirements.
ii. A very short time period is normally required to develop and to start experimenting with the first
prototype. This short time period allows system users to immediately evaluate proposed
system changes.
iii. Since the system users experiment with each version of the prototype through an interactive
process, errors are expected to be detected and eliminated early in the development process.
As a result, the information system ultimately implemented is expected to be more reliable
and less costly to develop and is acceptable to the users.

Question No 23
What are the disadvantages of Prototyping? (December 2007)(3 Marks)
Answer No 23
The following are the disadvantages of Prototyping
i. Prototyping can only be successful if the system users are willing to devote significant time in
experimenting with the prototype and provide the system developers with useful change
suggestions.
ii. The interactive process of prototyping requires the prototype to be experimented with extensively.
For this reason, system developers are frequently tempted to minimize the testing and
documentation process of the final system. Inadequate testing can make the approved system
error-prone and inadequate documentation makes this system difficult to maintain.
iii. Prototyping may cause behavioral problems with system users. These problems include
dissatisfied users if the system developers are unable to meet all demands of the users for
improvements and also dissatisfaction and impatience by users for going through the several
iterations of the prototype evaluation.
iv. This approach often leads to addition of functions or extras eventually making it functionally
rich but inefficient.
v. A potential risk is that the finished system will have poor controls due to too much focus on
what the users want and what the users see. System developers may miss some of the
controls that come out of the traditional system development approach.

Question No 24
Answer the following questions considering that you are developing a computerized student
information system for the ICAN:
a) Explain the System Development Life Cycle method. (June 2008)(10 Marks)
b) Explain the levels of system users and their information requirements.
(June 2008)(10 Marks)
Answer No 24
The design methodology can be summarized point-wise as follows.
Problem Analysis:
This is the first phase of the system development. In this phase, the system analyst and end users
discuss together to find out what actually needs to be done by the system. In the case of ICAN, I as a
system analyst and different levels of users would analyse the process of enrolling, documents
required, record maintaining, etc.

System Design:
In this phase, the manual system would be represented by different types of diagrams so that
computer experts can understand the administrative process in place at ICAN. Then the
database design, networking and hardware specification would be done. This process continues
towards the design of the inputs, outputs, etc. as well.

Acquisition and Development of the System:


System development is team work. The actual programming process requires different kinds of computer
expertise. A single person cannot completely develop a whole information system, so I would rather
suggest acquiring the system from a team of experts.

System Testing:
Once we receive the system developed by the team of experts, we will test it to ensure that it is
bug-free. Testing of the system can be done by entering known data and checking against the known
results. Different testing mechanisms, like alpha and beta testing, can be implemented.

Implementation and Maintenance:


After the system is found to be fit, it will be implemented with the actual data. The results of the
development efforts are reviewed to ensure that the new system satisfies user requirements. After
implementation, the system is maintained; it is modified to adapt to changing user and business
needs so that the system can be useful to the organization for as long as possible.

The system users will be classified according to the priority and type of information that they
need to access. Classification of the system users will also depend upon the system security and
data accessibility.

Executive level user:


This type of user will access summary and exclusive reports. These users are mainly focused on
long-term policy making. They can access information like: past history, student enrollment trend,
student placement status, etc.

Supervisor level user:


This type of user accesses the information generated by the operational level. They are mainly focused
on short-term strategy formation to meet the policy formulated by the supervisory level. So
they access information like student pass/fail records, subject-wise marks distribution,
foundation, intermediate and final pass ratios, hall test/Postal examination performance, etc.

Operational level:
They are mainly concerned with the day-to-day operation. They also act as the data entry level
users. They provide students' personal and academic information to the system. They can also
access information like the student's registry, exam marks and attendance.

Student:
Students can access their own information only. They can access information such as their profile,
examination results, etc.

Question No 25
Everest Coat Factory Warehouse Corporation operates over 310 clothing retail stores, five
subsidiaries, and two distribution centers in 75 districts of Nepal. In addition to being the largest
retailer of coats in Nepal, Everest sells clothes, linens, luggage, jewelry, and baby furniture. The
competition in all these lines is extremely strong. Everest's major strategy is to offer a large
selection of these world's leading manufacturers, at savings up to 60 percent off department store
prices.
Everest must receive daily sales information, by item sold, from its stores, so that it can order
merchandise from its suppliers and its own factories, in rapid response to sales. The company must
communicate with store managers, suppliers, and customers quickly and effectively. Everest looks
to IT to reduce expenses, improve operations, and boost customer spending.

a) What are different approaches to system development?


b) Which approach do you think is the best for the above system? Justify your answer with the
sequence of activities that should be followed. (December 2008)(20 Marks)
Answer No 25
a)
i. Traditional Approach
In the Traditional Approach of System Development, activities are performed in sequence/phase.
An activity/phase is undertaken only when the prior activity/phase is fully completed. The phases
are: Feasibility Study, Requirement Analysis, Design or selection, Development/configuration,
Implementation, and Post Implementation reviews.

ii. Prototyping Approach
The Traditional approach, which is very formal, may take a very long time to analyze, design and
implement a system. In order to avoid such a long time, organizations are increasingly using
Prototyping techniques to develop smaller systems. Prototyping, also known as evolutionary
development, is the process of creating a system through controlled trial and error procedures to
reduce the level of risk in developing a system. This approach enables developers and users to
understand and react to risks at each evolutionary level. Prototyping generally reduces the time to
deploy systems by using faster development tools. The goal of the Prototyping approach is to
develop a small or pilot version, called a prototype, of some parts or the whole system. A prototype
is a usable system or system component that is built quickly at a lesser cost and with an intention
to eventually modify or replace it by a full-scale and fully operational system.

iii. End User Development Approach
In this approach, the end user is responsible for the systems development activities, instead of the
computer professionals. Generally, this approach is followed in a relatively small office or
department having relatively inexpensive microcomputers or office information systems. The
number and the nature of system development activities followed by the end users often differ
from those found in the formal approaches such as the traditional approach. Therefore there is a
possibility of development of inadequate specification requirements, adoption of inadequate
standards and controls, lack of adequate specification and inadequate system testing.

iv. Top Down Approach
The Top Down approach assumes a high degree of top management involvement in the planning
process and focuses on organizational goals, objectives and strategies. The logic here is that an
information system needs to be responsive to and supportive of the organization's goal and
objective. Therefore the development starts from the top down.

v. Bottom Up Approach
This approach starts from the identification of the basic systems which are essential for the
day-to-day business activities. Systems such as payroll, sales order, inventory control, purchasing, etc.
are developed first by identifying their basic transactions, information file requirements and
information processing programs.

vi. Systematic Approach
In this approach, information processing requirements are determined first and a search for
suitable software and its evaluation is made. Once the software is identified, hardware is selected
and then the information system is developed. Finally, the hardware and software are acquired or
developed and the system is implemented. For this system, the top down approach would be the best
option because it assumes a high degree of top management involvement in the planning process
and focuses on organizational goals, objectives and strategies.

b. The above information system should use a web-based architecture. The point of sale terminals
and other PCs in each store are connected to a central server in the Everest headquarters
through the internet. All computer terminals will have real-time access to the central
database for information. The system collects and stores customer information in a central
repository. Everest representatives can access the stored data to respond to their customers'
queries with real-time information. For this system, the top down approach would be the best
option because it assumes a high degree of top management involvement in the planning
process and focuses on organizational goals, objectives and strategies.

Question No 26
Discuss the different phases of system development life cycle. (December 2010)(20 Marks)
Answer No.26:
The phases of the system development life cycle are described below. The Systems Development Life Cycle (SDLC)
is a conceptual model used in project management that describes the stages involved in an
information system development project from an initial feasibility study through maintenance of
the completed application. Various SDLC methodologies have been developed to guide the
processes involved including the waterfall model (the original SDLC method), rapid application
development (RAD), joint application development (JAD), the fountain model and the spiral
model. Mostly, several models are combined into some sort of hybrid methodology.
Documentation is crucial regardless of the type of model chosen or devised for any application,
and is usually done in parallel with the development process. Some methods work better for
specific types of projects, but in the final analysis, the most important factor for the success of a
project may be how closely the particular plan was followed.

The image below is the classic Waterfall model methodology, which is the first SDLC method and
it describes the various phases involved in development. However, the following steps may be
combined or broken further as per the need of the development.


Generally, the phases are:

Requirement Analysis:
This is the preliminary stage in which the system analyst tries to find out what exactly has to be done by
the system. Basically, the management or the system owner lists out what is required. Based on
the requirements, the system analyst studies the existing manual system of the organization and
conceptualizes a new system to address the issues and problems faced by the organization.

Feasibility

In this stage, various types of feasibility of the system are examined. Major parameters of the
feasibility study are cost, technology, complexity of the operation, staff behavior, etc. The
feasibility study is used to determine if the project should go-ahead. If the project is to proceed, the
feasibility study will produce a project plan and budget estimates for the future stages of
development.

System Analysis and Design


System design starts once the system is found to be feasible in all aspects. System design
consists of the design of the network, database, input and output forms, etc. Various tools are available to
assist in designing the system. This stage includes a detailed study of the business needs of the
organization. Options for changing the business process may be considered. Design focuses on high-level
design (what programs are needed and how they are going to interact), low-level design
(how the individual programs are going to work), interface design (what the interfaces are going to
look like) and data design (what data will be required). During these phases, the software's overall
structure is defined. Analysis and design are very crucial in the whole development cycle. Any
glitch in the design phase could be very expensive to solve in the later stages of the software
development. Much care is taken during this phase. The logical system of the software/system is
developed in this phase.

System Development:
This is actual development of the system. In this stage the programming and coding of the system
is done to produce the exact shape of the system that was planned. The development process is
based on the system designed in the previous phase.

In this phase the designs are translated into code. Computer programs are written using a
conventional programming language or an application generator. Programming tools like
Compilers, Interpreters, and Debuggers are used to generate the code. Different high level
programming languages like C, C++, Pascal, and Java are used for coding. With respect to the type
of application, the right programming language is chosen.

Testing:
In this phase the system is tested to ensure that the system is bug proof and it produces the desired
output. Any bugs or system deficiencies are rectified in this phase. Normally programs are written
as a series of individual modules, and these are subject to separate and detailed tests. The system is then tested
as a whole. Separate modules are brought together and tested as a complete system to ensure that
interfaces between modules work (integration testing), the system works on the intended platform
and with the expected volume of data (volume testing) and that the system does what the user
requires (acceptance/beta testing). Various testing tools are available to assist the tester.

Implementation

This is the actual implementation of the system to be operated by the end users. For this, users are
trained and necessary procedures are set.

System Maintenance and Support:


The system developed and deployed may still have some problems, which may be identified after
the system is implemented and require corrective action or debugging. Further, it might require
some updates and fine tuning to make the system more efficient. The system will require maintenance.
Software normally requires change once it goes to the customer. Change could also happen due to
unexpected input values into the system. In addition, the changes in the system could directly
affect the software operations. The software should be developed to accommodate changes that
could happen during the post implementation period.

Question No 27
What are the advantages of acquiring a pre-written application (off-the-shelf) package? (December
2010)(5 Marks)


Answer No.27
The advantages of acquiring the pre-written application packages can be summarized as:
Rapid Implementation: The application packages are readily available to implement after they are
purchased, whereas the in-house development process will take a few months for the development.
Low Risk: Since the application package is available in the finished form, the organization knows
what it is going to get for the price it has paid. With in-house developed software, the long
development time breeds uncertainty with regard to both the quality of the final product and its final
cost.
Quality: The firms engaged in application package development are typically specialists in their
product's niche area. They have extensive experience in the development of specialized software, so
pre-written software obtained from such experts will be a quality product.
Cost: As the vendor sells the same or a similar application to many clients, the cost of the product
decreases. Thus, a prewritten application package generally costs less than in-house
developed software.

Question No 28
Assume that you are hired as the system analyst by F and B Company Nepal, which is a
manufacturing and distribution company specialized in food and beverages, to develop the
computer based information system. The company has been using the manual system for the last 20
years. This is the transition period. In this regard, answer the following questions.
a. What are the possible approaches of the system development? Which approach will you adopt
for F and B Company Nepal and why?
b. What are the prominent areas of the organization which need to be computerized and how
are those areas related?
c. Show a sample report of Inventory on hand.
(Old Syllabus December 2010)(20 Marks)
Answer No.28
The possible approaches which can be used for the system development to F and B Company
Nepal are:
1. Traditional approach
2. Prototype approach
3. End user development approach
4. Top down approach
5. Bottom up approach
6. Systematic approach for development in small organization

In this case the prototype approach is used for the system development. In the prototype approach,
a small, minimally usable version of the system is developed at minimum cost
and in less time. This version of the system is called the prototype. The end users check this prototype
as if they are using the real system. The system developer can immediately get feedback from
the end users. If the end users give positive feedback, complete system development will be done. If they feel
changes are needed, the system will be redesigned according to their suggestions.

Thus the prototype approach provides the real feeling of the complete system in very little time
compared with the time taken to develop the complete system. The prototype approach can be viewed
as a series of four steps:
1. Identify information system requirements.
2. Develop the initial prototype
3. Test and revise
4. Obtain user signoff of the approved approach

The main advantage of the prototype approach is that there is direct involvement of the
end users, so once the real system is developed they own it fully. There is therefore very little chance
of failure of the system. This approach is chosen because F and B Company has staff who have been using the manual
system for the last 20 years, and we want to involve them in every step of system
development.

After a complete study of the overall operation of the organization, we conclude that these
are the areas where the company immediately needs to develop the computerized information
system.
1. Financial and Accounting Information System: This includes the following areas
a. Working capital management
b. Capital budgeting
c. Profit planning
d. Tax Management
e. Payroll
f. Receivables
g. Payables
2. Production Information System: This includes the following detail areas
a. Inventory Control
b. Process Control
c. Research and Development
d. Production Planning
3. Sales and Marketing Information System: This includes the following detail points
a. Sales Management
b. Market Management
c. Order processing
d. Market forecasting
e. Promotion Management
4. Personnel and Human Resource Management System: This includes the following detail areas
a. Personnel record keeping
b. Compensation
c. Selection and retirement
d. Labour analysis
e. Training and Development
f. Personnel retention
While developing the system it is to be noted that the systems are interrelated. The output or the
information that is gathered from one system will be data for further analysis in another system.
For example, the information obtained from the personnel and human resource information
system will be the input while generating the salary sheet from the accounting and finance
information system. Similarly, the production records obtained will be information for the sales
and marketing of the product. The sales target will determine the amount of raw material to
be purchased for the production. This is how each area of the company is related to the others.

c) Inventory on Hand Report

Item Number | Description | Unit | Stock Class | Min Balance | On Hand | Amount Allocated | Amount on Order | On Back Order

Question No 29
A deluxe restaurant in Darbar Marg functions as follows:
When a customer walks in to the restaurant, the customer is asked whether he has made a reservation or
not. The people with reservations are seated as quickly as possible. Those who have no reservation
are made to wait in a well furnished waiting room. Before the waiting customer's turn comes or the
reservation customer arrives, the table is cleaned and neatly set by a busser. When the table is
ready, the customers walk to their table and call for a waiter.

The waiter shows them a menu card and asks whether they want to order a drink while they decide
what to order. If someone orders a drink, the waiter goes and gets it. The waiter allows the
customers five or ten minutes for making a selection from the menu. After some time, the waiter
comes back to take the orders. Each waiter is allotted an area that consists of a number of tables.
Waiters are rotated through all the different areas. The selections made by the customer are noted down
on a form which the waiter gives to the Chef. The form consists of table number, selection and
time. The time is mentioned for the Chef to prioritize his efforts in terms of when an order has
arrived.

The Chef cooks the food and the waiter picks it up and brings it to the table. The people then eat their
meals. When the people finish their meals, the waiter comes by and asks whether they want
anything else. If they do, the waiter takes their order. If they don't want anything more, he goes and
brings the bill. After a few minutes, he comes by and collects the cash or credit card. Then after
some time the waiter brings the change or credit card receipts. The customer leaves a tip and goes
out.

The restaurant management has now decided to provide a technological backbone to the restaurant,
so that customers are treated better and served in time. That is, they propose to computerize the
functioning of the restaurant.

Answer the following


Draw an activity diagram for the restaurant.
Suggest locations where terminals would be required and other optional locations. Also mention
how your suggestion would improve the functioning of the restaurant. Draw a deployment diagram.
(Old Syllabus December 2010)(15 Marks)
Answer No.29
The activity diagram for the restaurant is shown in Figure 1.


Figure 1

A local area network should be set up in the restaurant. A wireless network is preferable because in
a wired network, the waiters would have to step over wires to get to the terminals and may sometimes
get entangled in the laid down wires.

The network will improve communication between the waiter, chef and the busser, for example
when communicating an order from the customer to the chef or enquiring about the status of the meal preparation
from the kitchen. Also, the waiter can send a message to the busser to come and clean the table when a
customer leaves.


Each busser and waiter will carry a handheld terminal (palmtop). One desktop PC will be
installed in the kitchen and another one in the manager's office. The kitchen PC will store the
databases, namely the order database and the recipe database. The kitchen will have one or more screens
for easy viewing by all the chefs working there.

When a customer makes an order, the waiter could enter it into his palmtop and the order would
go to the kitchen PC. This eliminates the time required to walk from the serving area to the kitchen
to communicate orders. Also, the waiter can enquire about the status of a meal by pressing a button
on the palmtop. The chef can reply to it by providing an estimate of the time required for the meal to get
ready.

When the order is prepared, the chef can send a message to the waiter's palmtop. The waiter can then
come and collect the meals. This eliminates the time required for repeatedly coming to the kitchen
to check whether the order is ready or not.

The kitchen and manager's PCs are connected to a printer. Each serving area will have a printer so
that the waiters can print bills without having to walk to the cash collecting counters.

Since the kitchen is away from the manager's office, a repeater is placed between them so that the
signals do not get attenuated with distance.

The deployment diagram is shown in figure 2.


Question No 30
Write short notes on following
Development Evaluation and Operational Evaluation of System
(Old Syllabus December 2010)(5 Marks)
Answer No 30

SN | Development Evaluation | Operational Evaluation
1. | The evaluation of the system during the overall process of development is called development evaluation. | The evaluation of an information system's operation pertains to whether the hardware, software and personnel are capable of performing their duties and whether they actually do so.
2. | It is primarily concerned with whether the system was developed on schedule and within budget. | It is mainly concerned with the processing time and computational accuracy.
3. | Due to the uncertainty and mystique associated with system development, they are not subjected to traditional management control procedures. | It is also related to the storage capacity for data and terminal response time within acceptable limits.

Question No 31
What is discovery prototyping? Mention the three advantages of discovery prototyping. (Old
Syllabus December 2010)(5 Marks)
Answer No.31
Discovery prototyping is the act of building a small-scale, representative or working model of
the user's requirements to discover or verify those requirements. Discovery prototyping is
frequently applied to systems development projects, especially when the development team is
having problems defining system requirements. The philosophy is that users will recognize
their requirements when they see them.

Advantages of discovery prototyping

• Allows users and developers to experiment with the software and develop an understanding of
how the system might work.
• Aids in determining the feasibility and usefulness of the system before high development costs
are incurred.
• Serves as a training mechanism for users
• Aids in building system test plans and scenarios to be used last in the system testing process
• May minimize the time spent for fact finding and help define more stable and reliable
requirements

Question No 32
Differentiate between logical and physical models. Give three reasons why logical models are
superior for structuring business requirement. (Old Syllabus December 2010)(5 Marks)
Answer No 32
Logical models show what a system is or does. They are implementation independent; that is they
depict the system independent of any technical implementation. As such, logical models illustrate
the essence of the system. Popular synonyms include essential model, conceptual model and
business model.

Physical models show not only what a system is or does, but also how the system is physically
and technically implemented. They are implementation dependent because they reflect technology
choices and the limitations of those technology choices. Synonyms include implementation model
and technical model.

Logical models are superior for structuring business requirements for the following reasons:
• Logical models remove biases that are the result of the way the current system is implemented
or the way any one person thinks the system might be implemented. Logical models
encourage creativity.
• Logical models reduce the risk of missing business requirements because we are too
preoccupied with technical details. Such errors are almost always much more costly to correct
after the system implementation. By separating what the system must do from how the system
will do it, we can better analyze the requirements for completeness, accuracy and consistency.
• Logical models allow us to communicate with end users in nontechnical or less technical
language. Thus we don't lose "business" requirements in the technical jargon of the
computing discipline.

Question No 33
What are the tasks for completing the procurement and decision analysis of software and services
needed for a project involving a buy solution? (Old Syllabus December 2010)(5 Marks)
Answer No 33
System design for solutions that involve acquiring a commercial off the shelf (COTS) software
product includes a procurement and decision analysis phase that addresses software and
services. Completion of that phase involves the following tasks:
• Research technical criteria and options
• Solicit proposals (or quotes) from vendors
• Validate vendor claims and performances
• Evaluate and rank vendor proposals
• Award (or let) contract and debrief vendors

Research technical criteria and options: This task identifies specifications that are important to the
software/hardware that is to be selected. The task involves focusing on the software/hardware
requirements established in the requirement analysis phase. These requirements specify the
functionality, features and critical performance parameters for our new software/hardware.

Solicit proposals: This task requires the preparation of one of two documents: a request for
proposals (RFP) or a request for quotations (RFQ). The request for quotation is used when you have
already decided on the specific product but that product can be acquired from several distributors.
Its primary intent is to solicit specific configurations, prices, maintenance agreements, conditions
regarding changes made by buyers, and servicing. The request for proposal is used when several
different vendors and products are candidates and you want to solicit competitive proposals and
quotes. The primary purpose of the RFP is to communicate requirements and desired features to
prospective vendors. Requirements and desired features must be categorized as mandatory,
extremely important or desirable.

Validate vendor claims and performances: Soon after the RFPs or RFQs are sent to prospective
vendors, you will begin receiving proposal(s)/quotation(s). Because proposals cannot and should
not be taken at face value, claims and performance must be validated. This task is performed
independently for each proposal; proposals are not compared with one another.

Evaluate and rank vendor proposals: The validated proposals can now be evaluated and ranked.
The evaluation and ranking is, in reality, another cost-benefit analysis performed during systems
development. The evaluation criteria and scoring system should be established before the actual
evaluation occurs so as not to bias the criteria and scoring to subconsciously favor any one
proposal.

Award (or let) contract and debrief vendors: Having ranked the vendor proposals, the next
activity usually includes presenting a recommendation to management for final approval. Once
again, communication skills, especially salesmanship, are important if the analyst is to persuade
management to follow the recommendations. The purpose of this activity is to negotiate a contract
with the vendor who supplied the winning proposal and debrief those vendors that submitted
losing proposals.
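
The evaluate-and-rank and debrief tasks described in Answer 33, worked as an added example that is not part of the suggested answer. The three requirement categories are the ones named above; the weights, requirement names, vendor names and ratings are constructed assumptions.

```python
"""Added example: rank validated vendor proposals.

Requirement categories (mandatory / extremely important / desirable) are
the ones named in the answer. Weights, requirement names, vendor names and
ratings are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed weights, fixed before any proposal is scored so the scheme
# cannot be tuned toward a favoured vendor. Mandatory items carry no
# weight: they are a pass/fail gate.
CATEGORY_WEIGHTS = {"extremely important": 3, "desirable": 1}
MAX_RATING = 5


@dataclass(frozen=True)
class Requirement:
    name: str
    category: str  # "mandatory", "extremely important" or "desirable"


# Constructed requirement list for a hypothetical COTS purchase.
REQUIREMENTS = (
    Requirement("multi-store inventory", "mandatory"),
    Requirement("audit trail of changes", "mandatory"),
    Requirement("role-based access", "extremely important"),
    Requirement("report generator", "extremely important"),
    Requirement("mobile client", "desirable"),
)


def evaluate(ratings):
    """Score one proposal on its own, without reference to the others.

    ratings maps requirement name -> validated rating 0..MAX_RATING, where
    0 means "not offered" or "vendor claim failed validation".
    Returns (qualified, score, unmet_mandatory).
    """
    unknown = set(ratings) - {r.name for r in REQUIREMENTS}
    if unknown:
        raise ValueError(f"ratings for undefined requirements: {sorted(unknown)}")
    score = 0
    unmet = []
    for req in REQUIREMENTS:
        rating = ratings.get(req.name, 0)
        if not 0 <= rating <= MAX_RATING:
            raise ValueError(f"{req.name}: rating {rating} out of range")
        if req.category == "mandatory":
            if rating == 0:
                unmet.append(req.name)
        else:
            score += CATEGORY_WEIGHTS[req.category] * rating
    return (not unmet, score, unmet)


def rank(proposals):
    """Return (ranking, debrief).

    ranking: [(vendor, score)] for qualified vendors, best first (ties
    broken by vendor name so the order is reproducible).
    debrief: {vendor: [unmet mandatory requirements]} for rejected vendors.
    """
    ranking, debrief = [], {}
    for vendor, ratings in proposals.items():
        qualified, score, unmet = evaluate(ratings)
        if qualified:
            ranking.append((vendor, score))
        else:
            debrief[vendor] = unmet
    ranking.sort(key=lambda pair: (-pair[1], pair[0]))
    return ranking, debrief


# Constructed, already-validated ratings for three hypothetical vendors.
PROPOSALS = {
    "Vendor A": {"multi-store inventory": 5, "audit trail of changes": 4,
                 "role-based access": 4, "report generator": 3},
    # Highest raw feature ratings, but the audit-trail claim failed validation.
    "Vendor B": {"multi-store inventory": 5, "audit trail of changes": 0,
                 "role-based access": 5, "report generator": 5,
                 "mobile client": 5},
    "Vendor C": {"multi-store inventory": 3, "audit trail of changes": 3,
                 "role-based access": 3, "report generator": 5,
                 "mobile client": 4},
}

if __name__ == "__main__":
    ranking, debrief = rank(PROPOSALS)
    for place, (vendor, score) in enumerate(ranking, start=1):
        print(f"{place}. {vendor}: {score}")
    for vendor, unmet in debrief.items():
        print(f"{vendor} rejected, unmet mandatory: {', '.join(unmet)}")
```

Vendor B has the highest weighted score but is excluded by the mandatory gate, and the list of unmet mandatory items is what the debrief to that vendor would cite.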

Question No 34
What is the difference between feasibility and feasibility analysis? What are the four tests for
project feasibility? (Old Syllabus December 2010)(5 Marks)
Answer No 34

Feasibility is a measure of how beneficial the development of an information system would be to an
organization. Feasibility analysis is the process by which we measure feasibility. It is an ongoing
evaluation of feasibility at various checkpoints in the life cycle. At any of these checkpoints the
project may be canceled, revised or continued. There are four feasibility tests: operational,
technical, schedule and economic.
Operational feasibility: It is a measure of problem urgency or solution acceptability. It includes a
measure of how the end users and managers feel about the problems or solutions.
Technical feasibility: It is a measure of how practical solutions are and whether the technology is
already available within the organization. If the technology is not available to the firm, technical
feasibility also looks at whether it can be acquired.
Schedule feasibility: It is a measure of how reasonable the project schedule or deadline is.
Economic feasibility: It is a measure of whether the solution will pay for itself or how profitable a
solution will be. For management, economic feasibility is the most important of the four measures.

Question No 35
What is a CASE? Mention various types of CASE tools. Why are CASE tools used in software
development? (June 2010)(10 Marks)
Answer No 35
CASE is a software tool that helps software designers and developers specify, generate and
maintain some or all of the software components of an application. Many popular CASE tools
provide functions to allow developers to draw database schemas and to generate the corresponding
code in a data description language (DDL). Other CASE tools support the analysis and design
phases of software development, for example by allowing the software developer to draw different
types of UML diagrams. The objective of CASE tool is to help system analyst and designer in
developing good quality systems within the specified time and budget constraints.

The various types of CASE tools are:

• Analytical tools
• Diagrammatic tools
• Display and report generator tools
• Code generator tools
• Documentation generator tools
• Testing and debugging tools

Automated CASE tools are used

• To improve productivity
• To improve quality through checks for completeness, consistency and contradictions
• To produce better and more consistent documentation
• To reduce lifetime maintenance

Question No 36
What is system development methodology? Explain the underlying principles
for software development. (June 2010)(10 Marks)

Answer No 36
A system development methodology is a very formal and precise system development process that
defines a set of activities, methods, best practices, deliverables, and automated tools that system
developers and managers use to develop and maintain information systems and software.
Underlying principles for system development are:
Principle 1: Get the owners and users involved: System owner and user involvement is necessary
for successful system development. The individuals responsible for systems development must
make time for owners and users, insist on their participation, and seek agreement from them on all
decisions that may affect them. Miscommunication and misunderstanding continue to be
significant problems in system development. However, owner and user involvement and education
minimize such problems and help to win acceptance of new ideas and technological change.
Because people tend to resist change, information technology is often viewed as a threat. The best
way to counter that threat is through constant and thorough communication with owners and users.
Principle 2: Problem Solving Approach: Systems analysts should approach all projects using a
problem solving approach. The classical problem solving approach is as follows:
• Study and understand the problem and its context
• Define the requirements of suitable solutions
• Identify candidate solutions and select the best solution
• Design and implement the solution
• Observe and evaluate the solution's impact, and refine the solution accordingly

Inexperienced problem solvers tend to eliminate or abbreviate one or more of the above steps.
The result can range from solving the wrong problem, to incorrectly solving the problem, to
picking the wrong solution. A methodology's problem solving orientation can reduce or eliminate
the above risks.
Principle 3: Establish Phases: The phases are
• Preliminary Investigation
• Problem analysis
• Requirement analysis
• Decision analysis
• Design
• Construction
• Implementation


Each phase serves a role in the problem solving process. Some phases identify problems while
others evaluate, design and implement solutions.
Principle 4: Establish Standards: An organization should embrace standards for both
information systems and the process used to develop those systems. Standards should minimally
encompass the following:
• Documentation
• Quality
• Automated tools
• Information Technology
These standards will be documented and embraced within the context of the chosen system
development process or methodology.
Documentation reveals the strengths and weaknesses of the system to multiple stakeholders before the
system is built. It stimulates user involvement and reassures management about progress.
Principle 5: Justify Systems as Capital Investments: Information systems are capital
investments, just as a fleet of trucks and a new building are. When considering a capital
investment, two issues must be addressed:
• Cost effectiveness
• Risk Management
Cost effectiveness is measured using a technique called cost benefit analysis.
Principle 6: Don't Be Afraid to Cancel or Revise Scope: A significant advantage of the phased
approach to system development is that it provides several opportunities to reevaluate cost-
effectiveness and feasibility. There is often a temptation to continue with a project only because of
the investment already made. In the long run, canceled projects are less costly than implemented
disasters. This is extremely important for young analysts to remember.
At each checkpoint, the analyst should consider the following options:
• Cancel the project if it is no longer feasible
• Reevaluate and adjust the costs and schedule if project scope is to be increased
• Reduce the scope if the project budget and schedule are frozen and not sufficient to cover all
project objectives

Principle 7: Divide and Conquer: "If you want to learn anything, you must not try to learn
everything, at least not all at once". For this reason, we divide a system into subsystems and
components to more easily conquer the system and build the larger system. By dividing the large
problem into more easily managed pieces, the analyst can simplify the problem solving process.
This divide and conquer approach also complements communication and project management by
allowing different pieces of the system to be delegated to different stakeholders.

Principle 8: Design system for growth and change: Many analysts develop systems to meet only
today's user requirements because of the pressure to develop the system as quickly as possible.
Although this may seem to be a necessary short term strategy, it frequently leads to long term
problems.
Nowadays, tools and techniques make it possible to design systems that can grow and change as
requirements grow and change. Flexibility and adaptability do not happen by accident; they must be
built into the system.

Question No 37
What are merits and demerits of Rapid Application Development model? (June 2010)(5 Marks)

Answer No 37
Rapid application development (RAD) techniques emphasize extensive user involvement in the
rapid and evolutionary construction of working prototypes of a system to accelerate the system
development process.
It has the following merits and demerits.
Merits
• As the customer is involved at all stages of development, it leads to a product achieving customer
satisfaction.
• Feedback from the customer/user is available at the initial stages
• Development time of the product may be reduced due to the use of powerful development tools.
• Quick initial views of the product are possible
• It reuses existing program components
• It makes effective use of off-the-shelf tools and frameworks.

Demerits
• Highly specialized and skilled developers are required and such developers may not be
available very easily
• The model is ineffective if the system cannot be properly modularized.
• Absence of reusable components can lead to failure of the project.
• There is a risk of never achieving closure. The project manager must work closely with both
the development team and the customer to avoid an infinite loop.

Question No 38
Describe the parallel, plunge, pilot and phase conversion. Which conversion technique is the best?
(June 2010)(5 Marks)
Answer No 38
Parallel conversion operates both the old and the new system for a limited time. Phased conversion
changes to the new system in phases, introducing some of the new applications while still using
some of the old applications, or converting some departments or locations at a time. Pilot
conversion lets one department or location try out the new system, while the rest of the
organization continues with the old system for a while. Plunge converts the whole organization to
the complete new system at one time.
Which conversion strategy is best depends on the specific application and environment. Parallel
conversion poses the least risk, but is also very expensive. Plunge may be the cheapest, but entails
the greatest risk.

Question No 39
Describe the methods for fraud detection. (June 2010) (5 Marks)

Answer No 39
The methods of fraud detection are:
Conduct frequent audits:
Periodic internal and external audits should be conducted to detect fraud and computer abuse.
Auditors should regularly test system controls and periodically browse data files looking for
suspicious activities.
Use of a computer security officer:
Sometimes fraud cannot be detected by auditors alone, so the organization's own computer security
officer is essential. The security officer keeps monitoring different security threats to reduce
fraudulent activity.
Fraud detection computer software:
Spying (monitoring) software for the detection of fraudulent activity can be used to reduce the
threats. These are dedicated software applications that analyze patterns of data access, log files
and services used in order to detect fraud.
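
As an added illustration of the third method (this example is not part of the suggested answer), the Python code below analyzes an access log for three patterns: access outside working hours, a user touching a service they have not used before, and unusually many records touched by one user in a day. The log format, the user names, the working hours and the thresholds are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median
from typing import NamedTuple

# All values below are assumptions made for this example.
BUSINESS_HOURS = range(8, 18)   # 08:00-17:59 counts as normal working time
MIN_HISTORY = 3                 # prior events needed before "new service" is meaningful
BULK_FACTOR = 3                 # flag user-days above 3x the median record count

# Constructed sample log. Assumed format: timestamp user service action record
SAMPLE_LOG = """\
2010-06-01T09:12:04 asha ledger READ INV-1001
2010-06-01T09:40:31 asha ledger WRITE INV-1001
2010-06-01T10:05:10 bikram payroll READ EMP-0007
2010-06-01T14:22:45 bikram payroll READ EMP-0008
2010-06-02T09:03:12 asha ledger READ INV-1002
2010-06-02T11:15:00 bikram payroll WRITE EMP-0007
2010-06-02T23:41:09 bikram ledger READ INV-1001
2010-06-03T10:00:01 chandra ledger READ INV-1001
2010-06-03T10:00:02 chandra ledger READ INV-1002
2010-06-03T10:00:03 chandra ledger READ INV-1003
2010-06-03T10:00:04 chandra ledger READ INV-1004
2010-06-03T10:00:05 chandra ledger READ INV-1005
2010-06-03T10:00:06 chandra ledger READ INV-1006
2010-06-03T10:00:07 chandra ledger READ INV-1007
2010-06-03T10:00:08 chandra ledger READ INV-1008
"""


class Event(NamedTuple):
    when: datetime
    user: str
    service: str
    action: str
    record: str


def parse_log(text):
    """Return the well-formed log lines as Events in time order."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines rather than guessing
        try:
            when = datetime.fromisoformat(parts[0])
        except ValueError:
            continue  # unparseable timestamp
        events.append(Event(when, *parts[1:]))
    return sorted(events)


def detect(events):
    """Return (rule, user, detail) findings for the three access patterns."""
    findings = []
    seen_services = defaultdict(set)    # user -> services used so far
    prior_events = Counter()            # user -> number of earlier events
    records_per_day = defaultdict(set)  # (user, date) -> distinct records touched

    for ev in events:
        # Pattern 1: access outside the assumed working hours.
        if ev.when.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", ev.user, ev.when.isoformat()))
        # Pattern 2: an established user suddenly uses a service new to them.
        if (prior_events[ev.user] >= MIN_HISTORY
                and ev.service not in seen_services[ev.user]):
            findings.append(("new_service", ev.user, ev.service))
        seen_services[ev.user].add(ev.service)
        prior_events[ev.user] += 1
        records_per_day[(ev.user, ev.when.date())].add(ev.record)

    # Pattern 3: one user touching far more records in a day than is typical.
    volumes = {key: len(recs) for key, recs in records_per_day.items()}
    if volumes:
        limit = BULK_FACTOR * median(volumes.values())
        for (user, day), count in sorted(volumes.items()):
            if count > limit:
                findings.append(("bulk_access", user, f"{day} {count} records"))
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Each finding is a lead for the auditor or security officer to follow up, not proof of fraud.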

Question No 40
Explain about the various steps in system development life cycle. (December 2011)(5 Marks)
Answer No 40
The various steps involved in system development life cycle can be summarized as:
• Preliminary Investigation
• Requirement analysis
• System Design
• System Development
• System Testing
• Implementation and Maintenance

Preliminary Investigation:

This stage of system development consists of clearly identifying the requirement of the
originator. After defining the originator's needs, it further examines whether the proposed system
will be feasible from the various perspectives of economy, operation and technology. Another part
of this stage is the approval from the investor.

Requirement Analysis:

During this stage the detailed requirements of the user are analyzed. In this stage the proposed
system is compared with the existing system. Several fact-finding tools and methodologies
are adopted in this stage for better understanding of the requirements and problems. This stage is
also called system analysis.

System Design:

In this stage the computerized design of hardware, database, front/back ends and networking is
done to facilitate the basic working operations of the business. Various tools may be used to model
the design of the system.

Acquisition or Development of the system:

In this stage the new system is physically developed according to the design or acquired from
external sources. This stage comprises the actual physical development or integration of the
hardware and networking and the coding of the software.

System Testing:

In this stage the developed or acquired system is tested in real time to ensure that the
system will function properly in real life. Various testing mechanisms can also be adopted.
The data, operations, results etc. can be verified as if the real-life working is done.

Implementation and Maintenance:

This is the final and real life working of the system. The developed and tested system is deployed
in the real business operation to the end users. In this stage the working of the newly developed
system is also evaluated eventually. The maintenance of the system is also done in case of its
failure or pop-up problems.

Question No 41

What is Data Flow Diagram (DFD)? Explain the various components of DFD. (December 2011)(5
Marks)
Answer No 41
A data flow diagram (DFD) is a graphical representation of the "flow" of data through an
information system. DFDs can also be used for the visualization of data processing (structured
design).

On a DFD, data items flow from an external data source or an internal data store to an internal data
store or an external data sink, via an internal process.

A DFD provides no information about the timing of processes, or about whether processes will
operate in sequence or in parallel. It is therefore quite different from a flowchart, which shows the
flow of control through an algorithm, allowing a reader to determine what operations will be
performed, in what order, and under what circumstances, but not what kinds of data will be input to
and output from the system, nor where the data will come from and go to, nor where the data will
be stored (all of which are shown on a DFD).

A DFD usually comprises four components. These four components can be represented by four
simple symbols. These symbols can be explained in detail as follows: External entities
(source/destination of data) are represented by squares; Processes (input-processing-output) are
represented by rectangles with rounded corners; Data Flows (physical or electronic data) are
represented by arrows; and finally, Data Stores (physical or electronic like XML files) are
represented by open-ended rectangles.

External Entity
An external entity is a source or destination of a data flow which is outside the area of study. Only
those entities which originate or receive data are represented on a business process diagram. The
symbol used is a rectangle containing a meaningful and unique identifier.

Process
A process shows a transformation or manipulation of data flows within the system. The symbol
used is a rectangular box:

Data Flow
A data flow shows the flow of information from its source to its destination. A data flow is
represented by a line, with arrowheads showing the direction of flow. Information always flows to
or from a process and may be written, verbal or electronic. Each data flow may be referenced by
the processes or data stores at its head and tail, or by a description of its contents.

Data Store
A data store is a holding place for information within the system.
It is represented by an open-ended narrow rectangle. Data stores may be long-term files such as
sales ledgers, or may be short-term accumulations: for example batches of documents that are
waiting to be processed. Each data store should be given a reference followed by an arbitrary
number.

Question No 42
In order to determine the amount of raw material to be purchased to the Dabar Nepal for its food
and beverage items, it needs to analyze the customer demand. You are appointed as the system
analyst to develop computer based system for customer demand analysis of Dabar Nepal food and
beverage items. Based upon your approach, answer the following specific questions.
a. Which will be the appropriate model and why?
b. What are other systems which have correlation with customer demand analysis?
Explain.
c. Make a sample demand form to acquire the raw material to produce the noodles.
(Old syllabus, December 2011)(20 Marks)

Answer No. 42
a) In this particular analysis of the food and beverage item of Dabar Nepal, the spiral model
for the system development is appropriate.
The spiral model is a software development process combining elements of both design and
prototyping-in-stages, in an effort to combine advantages of top-down and bottom-up concepts.
Also known as the spiral lifecycle model (or spiral development), it is a systems development
method (SDM) used in information technology (IT). This model of development combines the
features of the prototyping model and the waterfall model. This involves the continuous process of
system development. As it combines the prototype and waterfall models, most of the activities would
be covered.

b) Other systems which are interconnected with the customer demand analysis for the Food and
Beverage of Dabar Nepal are as follows:
i) Human Resource Information System
ii) Accounting and Finance Information System
iii) Production Information System
iv) Marketing Information System

Human Resource Information System:

HRIS is mainly concerned with the recruitment, training, promotion and record keeping of the
office personnel. Personnel effort is one of the major factors which can increase the customer
demand for the products related to food and beverages. On the other hand, if customer
demand increases it may result in an increase in sales. The increase in sales may lead to the
workers' eligibility for incentives according to their effort.

Accounting and Finance Information System:

This system mainly focuses on keeping the record of all monetary transactions related to
procurement, salary, marketing etc. Moreover, the financial information system helps to analyze
investment, capital budgeting, internal rate of return, and profit and loss. Though the accounting
information system only keeps the records of the monetary transactions, the information of this
system is useful in the financial analysis.

Production Information System:

The production information system is mainly related to logistics planning, acquisition of raw
materials, production execution, process control and machine control. The production/
manufacturing information system provides the overall information related to the material,
machine, manpower and time which have to be optimally utilized to deliver the product on time.

Marketing Information System:

The marketing information system is mainly focused on the planning, promotion and sale of
existing products in the existing market and the development of new products and new markets to
better attract and serve present and potential customers.

All of the above systems should extensively utilize the tools provided by Information Technology to
achieve the objective at the best cost.

c)
Dabar Nepal Pvt Ltd
Address
Date:
Demand form

SN | Material | Specification | Quantity | Expected Rate | Remarks
   |          |               |          |               |

Requested by:      Recommended by:      Approved by:
Signature:         Signature:           Signature:
Name:              Name:                Name:
Post:              Post:                Post:
Date:              Date:                Date:

Question No 43
What do you understand by feasibility study of System Development Life Cycle? Explain with
different area of feasibility. (Old syllabus, December 2011)(7 Marks)
Answer No. 43
Feasibility study is the process of evaluating the viability of the project from the various
perspectives of operation, technology and economy. The project will be subjected to real
development only after its feasibility has been confirmed. The process of determining the
feasibility is done after defining the requirements of the project.

The various areas of determining the feasibility can be listed as:

• Operational Feasibility
• Technical Feasibility
• Economical Feasibility

Operational Feasibility:
The operational feasibility of system development is all about ascertaining the views of workers,
employees, customers and suppliers about the use of new system. The operational feasibility will
determine the support from management and users. It will check whether new system will cause
any difficulties or harm to any functioning unit of the organization.

Technical Feasibility:
Technical feasibility is about the evaluation of hardware and software viability for the system. The
system analyst will ascertain whether the proposed system runs on the existing technical
infrastructure or not. It will also give an idea of what upgrades need to be made to the existing
system to meet the requirements.

Economical Feasibility:
The economical feasibility will evaluate the cost of the project during its development and
operational phases. It will determine what the increment in the cost will be and what benefit it will
provide after its implementation. The financial and economic questions raised by analysts during
preliminary investigation for the purpose of estimating may be: cost of conducting a full system
investigation, cost of hardware and software, and benefit.

Question No 44
Discuss with its strategies about the system conversion process. (Old syllabus, December 2011)(8
Marks)
Answer No 44
Conversion or changeover from the old or manual system to the new system requires careful planning
to establish a sustainable change. There is no single best way to proceed with conversion. It may
be noted that adequate planning and scheduling of conversion as well as adequate security are more
important for a successful changeover.
There are five strategies for conversion from the old system to the new system.
• Direct Changeover
• Parallel Conversion
• Gradual Conversion
• Modular Prototype Conversion
• Distributed Conversion

Direct Changeover:
Conversion by direct changeover means that on a specified date the old system is dropped and the
new system is put into use. Direct changeover can only be successful if extensive testing is done
beforehand. An advantage of the direct changeover is that users have no possibility of using the old
system rather than the new one.

Parallel Conversion:
This refers to running the old system and the new system at the same time, in parallel. This is the
most frequently used conversion approach but its popularity may be in decline because it works
best when a computerized system replaces a manual one. Both systems are run simultaneously for a
specified period of time and the reliability of results is examined. When the same results are gained
over time, the new system is put into use and the old one is stopped.

Gradual Conversion:
Gradual conversion attempts to combine the best features of both direct changeover and parallel
conversion without incurring the risks. In this plan the volume of transactions is gradually
increased as the system is phased in.

Modular Prototype Conversion:
This approach to conversion uses the building of modular, operational prototypes to change from
the old system to the new in a gradual manner. As each module is modified and accepted, it is put
into use.

Distributed Conversion:
This refers to a situation in which many installations of the same system are contemplated, such as
in banking or in franchises such as restaurants or clothing stores. One entire conversion is done at
one site. When that conversion is successfully completed, other conversions are done for other sites.

Question No 45
Write short notes on CASE tools. (Old syllabus, December 2011) (5 Marks)
Answer No 45
CASE tools are the programs that provide support in one or more stages of the system development
process. The objective of CASE tools is to help system analysts and designers in developing good
quality systems within the specified time and budget constraints.
The various types of CASE tools are:
• Analytical tools
• Diagrammatic tools
• Display and report generator tools
• Code generator tools
• Documentation generator tools
• Testing and debugging tools
Automated CASE tools are used:
• To improve productivity
• To improve quality through checks for completeness, consistency and contradictions
• To provide better and more consistent documentation
• To reduce lifetime maintenance

Question No 46
Explain about the role of system designer and system developer in the context of system
development. (December 2012)(5 Marks)
Answer No 46
System Designer and System Developer have different responsibilities from the perspective of
system development. Their roles in the process of system development are explained in the tabular
form below:

SN | System Designer | System Developer
1. | The system designer is mainly responsible for making the pictorial representation of the system before it is built. | The system developer is mainly responsible for building or writing the program code.
2. | The system designer makes the design based upon the detailed requirement analysis. | The system developer or programmer writes the code based upon the design given by the system designer.
3. | The designing process may be iterative till the finalization of requirement analysis. | During the development process, the code can be rewritten to remove bugs.
4. | The system designer can use various CASE tools. | The system developer can also use CASE tools while writing the program code.

Question no 47
Describe Prototyping approach of system development
(Old Syllabus December 2012)( 5 Marks)
Answer No 47
Prototyping is the rapid development and testing of working models, or prototypes, of new
applications in an interactive, iterative process involving both IS specialists and business
professionals.
• Prototyping makes the development process faster and easier for IS specialists and business
  professionals.
• Prototyping makes the development process faster and easier, especially for projects where
  end user requirements are hard to define. Thus, prototyping is sometimes called rapid
  application design (RAD).
• Prototyping has also opened up the application development process to end-users because it
  simplifies and accelerates systems design. These developments are changing the roles of end
  users and information systems specialists in systems development.

Figure: Prototyping approach of software development


Advantages:
• Prototyping is most useful when there is some uncertainty about requirements or design
  solutions.
• Prototyping is especially useful in designing an information system's end user interface (the
  part of the system that end users interact with, such as online display and data entry screens,
  reports, or Web pages).
• Since prototyping encourages intense end user involvement throughout systems development,
  it is more likely to produce systems that fulfil user requirements.

Disadvantages:
• Rapid prototyping can gloss over essential steps in systems development. If the completed
  prototype works reasonably well, management may not see the need for reprogramming,
  redesign, or full documentation and testing to build a polished production system.
• Hastily constructed systems may not easily accommodate large quantities of data or a large
  number of users in a production environment.
• Prototyping may not have necessary security controls built in.
• Users may become dissatisfied when months pass between approving the prototype and delivery
  of the finished system.

Question no 48
What is software development life cycle? List out the phases of software development life cycle
and explain the maintenance phase of software development life cycle. (June 2012)(5 Marks)

Answer No 48
The entire process from the need of the system being felt till the system is used and ultimately
declared absolutely reliable forms the life cycle of the system.
The period of time that begins when a system is conceived and ends when a system is fully
operational for use and gets maintained is called the software development life cycle of a
system.
The various phases of software development life cycle are:
• System investigation
• System analysis
• System design
• System implementation
• Systems maintenance
System maintenance
Once a system is fully implemented and is being used in business operations, the maintenance
function begins. System maintenance is the monitoring, evaluating, and modifying of operational
e-business systems to make desirable or necessary improvements. The maintenance function
includes:
• A post-implementation review process to ensure that newly implemented systems meet the
  e-business objectives established for them.
• Correcting errors in the development or use of the system. This includes a periodic review or
  audit of a system to ensure that it is operating properly and meeting its objectives.
• Making modifications to an e-business system due to changes in the business organization or
  the business environment.

Question no 49
The resident of Padmashree Colony in Budhanilkantha Kathmandu has a membership of 25,000
families. The purpose of the organization is to provide welfare to the residents of the colony. They
take care of security services, utility help in terms of electrician, plumber, sweeper etc and some
financial support to the families who are in need. The association keeps organizing the educational
cum cultural workshops from time to time. During festive season, the association also organizes the
get-togethers. Members of the association are supposed to pay an annual membership fee of Rs.
10,000. The association also receives additional funds from government schemes and also from
business people. The book-keeping work for the association is handled by the elected treasurer
Mr. Suman Thapa.
The members of the welfare association are elected every year on the basis of open polls. But Mr.
Thapa wins the position unopposed every year as no one wants to take over the tedious and
time-consuming job of managing money and tracking memberships. Each governing body member of
the association is paid a stipend of Rs. 10000 per month. The colony members however are not
very happy with Mr. Thapa's performance.
The association already has a computer system based solution to track the billing and receipt funds.
But this system was developed in 1990 and it is based on a FoxPro-based data management system.
Since FoxPro has become outdated, no one is able to maintain the system properly.
The existing system takes lot of time to process the data. Member queries are not answered easily.
Sometimes it takes a couple of hours to find the information needed to answer the question. Often
they have to perform calculations manually since the system was not programmed to handle certain
types of queries. When member information is entered into the system, each field is presented one
at a time. This makes it very difficult to return to a field and correct a value that was entered.
Sometimes a new member is entered but disappears from the records. The report of membership
used in the workshops and other events are generated in different formats.
Association has decided to upgrade the system rather develop the new system which is scalable.
They hire you to do this project.
a. Explain how will you carry out the requirement analysis of the new system.
b. What are the data attributes that should be collected to maintain the updated system?
c. How will you migrate from old system to new system?
(Old Syllabus, June 2012)(20 Marks)
Answer No. 49
a) For the requirement analysis of the new system, as a system analyst I will take the following
steps:
1. Study the existing system's operations and the reports that it generates.
2. Study the normal events and activity procedures in the colony in order to understand the
activities, data attributes and reports needed during the development of the system.
3. Find the gap between the normal events and activity procedures and the facilities that the
existing system provides. This will help to find the new things to be incorporated in the proposed
system and the things that can be extracted from the existing system.
4. Interact with stakeholders: selected individuals of the colony, members of the
welfare community and system users. This is to find out what they want from the new
system. This will be done multiple times to detail the requirements.
5. Build a prototype version of the new system according to the discussion from 1 to 4 and then
again take feedback from the stakeholders. This is how all types of requirements will be
collected to build the new system.

b) The different attributes that should be analyzed and collected to maintain the updated system
are as follows:
1. Member: First_Name, Middle_Name, Surname, Registration_ID, Street Number, Telephone
number, Mobile Number
2. Vehicle: Vehicle_Type, Vehicle_Number
3. House: House_Number, House Owner_registration_ID
4. Event: Event_Name, Participating_members, date, Event_fee
5. Member of welfare organization: Registration_ID, Joining_Date, remuneration_rate
6. Funds Collection: Annual_member_fee, Donors, donated amounts
7. Support from Welfare organization: Receiving person_ID, area of support, amounts, dates

c) The approach towards the migration from the old system to the new system will be the
parallel conversion process. For a certain time period both systems will be in use, and the
performance of the new system can be measured and verified in parallel. Once we are assured
about the performance of the new system, the old system will be stopped and only the new system
will be run. But during the period of the evaluation both systems will work.
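
The verification step of this parallel run (also the "reliability of results is examined" step of parallel conversion in Answer No 44) can be automated by reconciling an export from each system. The Python code below is an added example, not part of the suggested answer: it reports members missing from either system, which would catch the "new member disappears from the records" symptom, as well as field and total mismatches. Registration_ID and First_Name follow part (b); the CSV export format, the Fee_Paid column, the sample rows and the three-clean-runs rule are assumptions.

```python
import csv
import io
from decimal import Decimal

KEY = "Registration_ID"
FIELDS = ("First_Name", "Fee_Paid")  # Fee_Paid is an assumed column name

# Constructed exports. The old export pads text fields with spaces, as
# fixed-width character fields usually are, and writes fees without decimals.
OLD_EXPORT = """\
Registration_ID,First_Name,Fee_Paid
M-0001,Anita     ,10000
M-0002,Bishal    ,10000
M-0003,Chandra   ,5000
M-0004,Deepa     ,10000
"""
NEW_EXPORT = """\
Registration_ID,First_Name,Fee_Paid
M-0001,Anita,10000.00
M-0002,Bishal,10000.00
M-0003,Chandra,10000.00
M-0005,Elina,10000.00
"""


def normalise(field, raw):
    """Remove formatting differences that are not real data differences."""
    raw = raw.strip()
    if field == "Fee_Paid":
        return Decimal(raw or "0")  # 10000 and 10000.00 compare equal
    return raw.casefold()


def load(csv_text):
    """Index one export by Registration_ID, rejecting duplicate keys."""
    members = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = row[KEY].strip()
        if key in members:
            raise ValueError(f"duplicate {KEY}: {key}")
        members[key] = {field: normalise(field, row[field]) for field in FIELDS}
    return members


def reconcile(old, new):
    """Compare one cycle's output of the old and new systems."""
    missing_in_new = sorted(old.keys() - new.keys())
    missing_in_old = sorted(new.keys() - old.keys())
    mismatches = []
    for key in sorted(old.keys() & new.keys()):
        for field in FIELDS:
            if old[key][field] != new[key][field]:
                mismatches.append(
                    (key, field, str(old[key][field]), str(new[key][field])))
    old_total = sum((m["Fee_Paid"] for m in old.values()), Decimal(0))
    new_total = sum((m["Fee_Paid"] for m in new.values()), Decimal(0))
    clean = (not (missing_in_new or missing_in_old or mismatches)
             and old_total == new_total)
    return {
        "missing_in_new": missing_in_new,
        "missing_in_old": missing_in_old,
        "mismatches": mismatches,
        "old_total": old_total,
        "new_total": new_total,
        "clean": clean,
    }


def ready_to_cut_over(reports, required_clean_runs=3):
    """Stop the old system only after several consecutive clean cycles."""
    recent = reports[-required_clean_runs:]
    return len(recent) == required_clean_runs and all(r["clean"] for r in recent)


if __name__ == "__main__":
    report = reconcile(load(OLD_EXPORT), load(NEW_EXPORT))
    for name, value in report.items():
        print(f"{name}: {value}")
```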

Question No 50
Illustrate the role of CASE tools in system analysis and design.
(Old Syllabus, June 2012)(7 Marks)
Answer No 50
The objective of CASE tools is to aid the system analysts and designers to construct high quality
systems on time and within budget which can be maintained economically and changed rapidly.
CASE tools empower the system analysts and designers by freeing them to concentrate upon the
truly creative aspects of analysis and design. There are some things that these tools can do and
some things that they cannot do. For example, when we use an object program to show a scenario
with a message being passed from one object to another, a tool can ensure that the message is in
fact part of the object's protocol. That is, a tool can perform consistency checking. For example, if
we say that there are no more than three instances of this class, a tool can enforce this statement.
Similarly a tool can tell us if certain classes or methods are never used.
Some sophisticated tools can also tell us how long it takes to complete a certain operation, or
whether or not a certain state in a state transition diagram is reachable. But a tool cannot tell us
that we need to invent a new class so as to simplify our class structure, which requires human
intellect.
Visual development tools allow system developers to build user interfaces, reports and other
features in a fraction of time. Development tools like Visual Basic, Power Builder, and Delphi etc.
allow development of new systems by piecing together predefined visual objects rather than by
typing crude programming commands. As a result more powerful systems could be developed in a
fraction of the time previously required.

Question No 51
Feasibility study is one of the decisive stages of system development life cycle. Justify your
opinion. (December 2013) (5 Marks)

Answer No 51
Feasibility study is mainly concerned with the evaluation of the sustainability of the proposed
system from the perspectives of economy, technology, operation and human resource. The feasibility
study of any project is done before the detailed study of the project officially starts.
The feasibility of the system is tested based upon the following points:
• Technical
• Economical
• Operational
• Time frame
• Legal aspects

Only if the system is found to be viable based upon the above points will the project be taken
further. Otherwise the next option will be tested or the scope of the project will be changed. This is
how the feasibility study determines the viability of the system from various aspects. The feasibility
study will check whether the technology being involved is available or not. Various types of financial
analyses like cost benefit ratio, IRR and break even analysis are done, which help to check the
financial or economical viability of the system. Similarly the time frame and legal aspects of the
system will be assessed. The system will be cleared for further development or implementation only
when it passes the above assessment. Thus feasibility study is one of the most decisive stages of
the system development life cycle.

Question No 52
Mention the steps involved in prototyping development. What are the advantages of prototyping
development? (December 2013) (5 Marks)
Answer No 52
The steps involved in prototyping development are as follows:
• Working in manageable modules
• Building the initial prototype rapidly
• Modifying the prototype in successive iterations
• Stressing the user interface

Advantages of prototyping
• Prototyping makes the development process faster and easier for system analysts, especially
  where end users' requirements are hard to define.
• It is used for both small and large applications.
• It provides the potential for changing the system early in its development.
• Prototype systems provide an opportunity to observe and jointly examine information use.
• Prototype systems may, by being experimental, create a culture of change, adaptation and
  learning.

Question No 53
Explain the various dimensions of the feasibility during the process of system development.
(June 2013) (5 Marks)
Answer No 53
Various dimensions of feasibility can be summarized as:
• Technical feasibility
• Economic feasibility
• Operational feasibility
• Schedule feasibility
• Legal feasibility
Technical feasibility:
Technical feasibility is concerned with the hardware and software system involved. The technical
feasibility issues are as follows:
• Is the essential technology available to do the task?
• Does the proposed equipment have the technical capacity to hold the data?
• Does the proposed system provide adequate responses to the inquiries regardless of the
  number of users?
• Does the system have a scalability feature?
• Does the system provide data security, reliability and ease of access?
Economic feasibility:
Economic feasibility is concerned with the incremental costs and benefits expected if the
proposed system is implemented. Various financial and economic concerns during the system
analysis and development phases are:
• Cost of conducting full system.
• Cost of technology.
• Benefits in terms of reduced costs.
Schedule Feasibility:
Schedule feasibility focuses on the time frame needed for the development of the new system
and for making it operational. It also evaluates the promptness of the service provided after the
implementation of the new system.
Legal Feasibility:
Analysis of any possible conflict between the newly proposed system and the legal obligations of the
organization's existing system is the main concern of legal feasibility. For example, the new
system should comply with all applicable federal and state statutes about financial reporting
requirements as well as the company's contractual obligations.

Question No 54
Why do you think that a complete and systematic life cycle should be followed while developing
an information system? What are the phases of SDLC? (June 2013)(5 Marks)


Answer No 54
An information system developed for an organization serves all the members of the organization
and is meant for the long run. It should be able to cater to the needs of staff at all levels. If a
proper process is not followed, some parts of the system will lack essential features, which results in
deficiencies in operation, or people may not own it. Sometimes, if the complete process is not
followed, the system may lack an essential report-generating process, or the generated reports may miss
essential parts. Moreover, rework of the system would be financially very costly. Thus, to avoid
such deficiencies, the design and development of the system should be complete and should
follow a systematic life cycle.
The essential phases of system development life cycle:
a. Requirement Analysis
b. Feasibility Study
c. System Design
d. System Development
e. Testing
f. System Deployment
g. System Maintenance and Support

Question No 55
Describe the prototyping method of system development. (June 2013)(5 Marks)
Answer No 55
Prototyping is one of the approaches to software system development. It is used to develop a system
more quickly than the traditional method. The goal of the prototyping approach is, initially, to
develop a small or pilot version, called a prototype, of part or all of a system. This is a usable
system or system component that is built quickly and at a lesser cost with the intention of being
modified and replaced by a full-scale and fully operational system. As users work with the
prototype, they make suggestions about the ways to improve it. These suggestions are then
incorporated into another prototype, which is also used and evaluated, and this process is repeated
until a satisfactory system is developed. Finally, when a prototype is developed that satisfies all
user requirements, either it is refined and turned into the final system or it is scrapped. If it is
scrapped, the knowledge gained from building the earlier prototype is used to develop the real
system. Experimenting with the prototype helps users to identify additional requirements and needs
that they might have overlooked or forgotten to mention. The users will also have a clearer visual
picture of what the final version will look like.

Question No 56
Explain the importance of feasibility study in system development. (June 2014)(5 Marks)


Answer No 56
Feasibility is the measure of how beneficial or practical the development of an
information system will be to an organization. Feasibility analysis is the process by which
feasibility is measured.
Feasibility should be measured throughout the life cycle. This is called a
creeping commitment approach to feasibility. The scope and complexity of an apparently feasible
project can change after the initial problems and opportunities are fully analyzed or after the system
has been designed. Thus, a project that is feasible at one point may become infeasible later. Let's
study some checkpoints for our systems development life cycle.
If you study your company's project standards or systems development life cycle (SDLC), you'll
probably see a feasibility study phase or deliverable, but not an explicit ongoing process. These
checkpoints and reviews identify specific times during the life cycle when feasibility is reevaluated.
A project can be canceled or revised in scope, schedule, or budget at any of these checkpoints.
Thus, an explicit feasibility analysis phase in any life cycle should be considered to be only an
initial feasibility assessment.
Feasibility checkpoints can be installed into any SDLC that you are using. The checkpoints are
represented by red diamonds. The diamonds indicate that a feasibility reassessment and
management review should be conducted at the end of the prior phase (before the next phase). A
project may be canceled or revised at any checkpoint, despite whatever resources have been spent.
This idea may bother you at first. Your natural inclination may be to justify continuing a project
based on the time and money you've already spent. A fundamental principle of management is
never to throw good money after bad—cut your losses and move on to a more feasible project. That
doesn't mean the costs already spent are not important. Costs must eventually be recovered if the
investment is ever to be considered a success.

Question No 57
Compare between Joint Application Development and Rapid Application Development.
(June 2014)(5 Marks)
Answer No 57
The comparison between Joint Application Development and Rapid Application Development is
summarized in the table as below:
| S.N | Joint Application Development | Rapid Application Development |
|-----|-------------------------------|-------------------------------|
| 1. | Joint Application Development is a method of fact finding and system designing in which all users work together intensely. | Rapid Application Development refers to a type of software development methodology by prototyping which involves minimal planning. |
| 2. | Its key objective is to bring the ideas of all users into the system development so that all stakeholders have the feeling of ownership. | The key objective of RAD is fast development and quick delivery of a high quality system. |
| 3. | It is a slightly costlier process of development but has high reliability. | It is economical in comparison to JAD. |
| 4. | Rapid change in the system is rare as it needs the consensus of a large number of people. | Changes in the system and its parameters can be accommodated easily. |
| 5. | It emphasizes all technical or engineering processes of system development. | It mainly emphasizes fulfilling the business needs instead of following technical or engineering procedures. |

Question No 58
What is object oriented programming? What are the benefits of such programming language
compared to traditional programming languages? (December 2014)(5 Marks)
Answer No 58
Object oriented programming is a modern approach of programming wherein the overall
programming activities are divided into specific, re-usable, functional program modules which are
integrated together to accomplish the overall task. Each of such modules can be reused and can also
be modified to create more variants of the same module. Different such modules can exchange data
amongst themselves to create the overall functional program unit.
The major benefits of such programming over traditional programming are:
• The data within an object are not visible outside it and can only be manipulated inside it. So,
activity of one module or object can be isolated from others.
• Reusability of the objects means the effort and time in creating the whole complicated
program is reduced.
• Even future software development activities can draw from the library objects developed for
a different program.
• Object oriented programming with a visual interface can help create the overall structure and
interface of the program quickly with little coding effort.

Question No 59
Why is establishment of standards important for system development? What are the minimal
factors that such standard should encompass? (December 2014)(5 Marks)
Answer No 59
Establishment of standards and following them is critical for system development. This is
especially so in large organizations because:
• The people involved with the system, such as users, developers and administrators, may change but
the system should continue to operate.
• Following a clear standard in design and development is needed to make sure that the
system development and operation is not hampered by changes in the workforce.
• Standard norms such as documentation, quality norms, proven technology use etc. tend to
make sure that the system has a long and quality life despite changes in the stakeholders.
The minimal factors that should be under standardization are:
• Documentation
• Quality norms
• Tools used for development, especially automated tools such as database tools, programming
languages, reporting tools etc.
• Information technology standards such as operating systems, DBMS, network layouts, user
interface technologies etc.

Question No 60
Why is usability analysis important for a system being developed? Mention the major criteria that
help measure the usability of a system. (December 2014)(5 Marks)
Answer No 60
Usability analysis helps determine the user-friendliness of the system being developed. This is
important because it is the user-friendliness of a system that defines how much the actual users love
or hate a system. However sophisticated, comprehensive and powerful a system may be, if the users
cannot use it with ease and are annoyed by it, the system's purpose shall not be met.
Because of this, many large organizations have special arrangements to test the usability of systems
with users who are not aware of the other details or developmental activities but are just supposed
to try to use the system and find its shortcomings.
The major criteria that help measure the usability of a system are:
• Ease of learning: how much time and effort it takes for a new person to learn to use the
system with ease.
• Ease of use: how quickly a particular activity can be performed. If there are too many steps,
too many clicks or too many screens, the system will not be user-friendly. Moreover, proper
use of input tools such as keyboard, mouse and others along with output tools is necessary for
ease of use.
• Overall satisfaction: it is always desirable to have the users favorably pleased and happy with
the system.

Question No 61
Assume you have to quickly develop a new information system for end-users of a traditionally
non-computer based organization. Which approach of system development would you undertake?
Justify your choice with explanation. (December 2014)(5 Marks)
Answer No 61
A prototype-based development model is recommended because of the following factors:
• Since the organization is non-computer based, the users are new to the system and have to be
trained for even basic use of a computer. So, everything should start small.
• The initial prototype model will be based on the current manual activity and try to emulate the
steps and processes.
• After having user experience with the system, the next level of enhancement shall be done and
tested.
• Such changes shall be gradually introduced so as not to frighten the users with complexity
while making them increasingly comfortable with the new features.
• This approach shall make sure that the users are almost fully familiar with the system by the
time the final prototype is made.
• Moreover, users have a greater sense of ownership as they are continually involved in the
evolution of the system from the initial prototype to the final functional system.

Question No 62
Write short notes on Consultant level role of IT professional in determining system architecture
(December 2014)(5 Marks)
Answer No 62
The consultant level role is perhaps the highest and most abstract role of an IT professional in an
organization. Such roles are normally short term, highly focused, well-defined and limited to a
particular project or task. Because of such focused responsibility, consultants are supposed to be
top experts in that particular area and capable of providing important suggestions and counsel to the
organization in the pre-defined time frame. Consultants are normally hired at the design or
deployment stages of the information system. A consultant at the design stage normally provides information
related to the system design aspects such as feasibility, architectural layout, development plans etc.
System designing is a critical stage of the development lifecycle. Improper or erroneous design leads to
improper system architecture that cannot fulfill its objectives. This can lead to another cycle of
design and development, thereby raising the cost and time needed. A good consultation during system
architecture design can help avoid design mistakes, bugs and other flaws. A consultant with a
designing level role has to develop a clear understanding of the system requirements and
constraints. S/he also has to study the system architecture design closely as it is developed. Then
the consultant has to clearly point out the good areas as well as shortcomings with suggested
solutions so that a good design architecture is developed within the shortest possible time.

Question No 63
Explain the various dimensions of the feasibility during the process of system development.
(June 2015)(5 Marks)
Answer No 63
Various dimensions of feasibility can be summarized as:
• Technical feasibility
• Economic feasibility
• Operational feasibility
• Schedule feasibility
• Legal feasibility

Technical feasibility:
Technical feasibility is concerned with the hardware and software systems involved. The technical
feasibility issues are as follows:
• Is the essential technology available to do the task?
• Does the proposed equipment have the technical capacity to hold the data?
• Does the proposed system provide adequate responses to the inquiries regardless of the
number of users?
• Does the system have a scalability feature?
• Does the system provide data security, reliability and ease of access?

Economic feasibility:
Economic feasibility is concerned with the incremental costs and benefits expected if the proposed
system is implemented. Various financial and economic concerns during the system analysis and
development phases are:
• Cost of conducting full system.
• Cost of technology.
• Benefits in terms of reduced costs.
Practical feasibility:
It is an assessment of how practical and communicate is the operation of the system given the external
and internal environment.
Schedule Feasibility:
Schedule feasibility focuses on the time frame needed to develop the new system
and make it operational. It also evaluates the promptness of the service provided after the
implementation of the new system.
Legal Feasibility:
Analysis of any possible conflict between the newly proposed system and the legal obligations of the
organization's existing system is the main concern of legal feasibility. For example, the new
system should comply with all applicable federal and state statutes about financial reporting
requirements as well as the company's contractual obligations.

Question No 64
Assume that you are appointed as the system analyst for the development of generalized complete
software package for a commercial bank.
Describe 5 functional areas of banks which should be addressed by the software and why?
(December 2015)(10 Marks)
Answer No 64
One of the key jobs of a system analyst is to understand the requirements clearly. While developing a
generalized complete software package for commercial banks, the system analyst should know the
functional areas of commercial banks. Here are a few general functional areas of commercial banks.
Deposit Collection
The most important function of commercial banks is to accept deposits from the public and
organizations. Various sections of society, according to their needs and economic condition,
deposit their savings with the banks. The software should be able to handle the information related
to the personal details of depositors, the amounts collected over different time frames and the interest given.
Deposit collection is directly connected to withdrawal, so the information related to
withdrawals should also be handled by the software.

Giving Loans
The second important function of commercial banks is to advance loans to their customers. Banks
charge interest from the borrowers and this is the main source of their income. So information on
borrowers, collateral, amount borrowed, interest rate, interest amount, payment installments,
penalties etc. on a time basis is an essential feature that should be available in the information
system.

Investment of Funds
The banks invest their surplus funds in three types of securities—Government securities, other
approved securities and other securities. Government securities include both, central and state
governments, such as treasury bills, national savings certificate etc. The information management
of such things will be another crucial area that software should be able to address.

Human Resource Management
Human resource management is another important part of a commercial bank.
Hiring the right person, placing them in an appropriate job, their remuneration and capacity building are the
key areas of human resource management. Moreover, the information system is mainly concerned
with human resources from recruitment to retirement; this includes keeping personal, academic and
professional records of staff. The software should be able to track the performance of human
resources so that it can be utilized in incentives and career growth.

Customer Relationship Management
This is a novel concept in the field of commercial banking: staying connected with the customer regularly,
even at the customer's personal events, so that they feel honored. CRM generally segregates
customers based on some criteria, e.g. high business customer, most loyal customer, new
customer etc. This helps in the long-term association of the bank with its clients. By keeping personal
dates, e.g. birthday or marriage anniversary, the bank can send gifts to valuable customers to
attract them. Simple wishes can also be sent by email or phone to let them know that the bank is
always with them.

Question No 65
Explain the steps involved in prototyping development and also discuss the advantages of
prototyping development. (December 2015)(5 Marks)
Answer No 65
The steps involved in prototyping development are as follows:
• Working in manageable modules
• Build the initial prototype rapidly
• Modifying the prototype in successive iterations.
• Stress and user Interface

Advantages of prototyping
• Prototyping makes the development process faster and easier for system analysts, especially
where end users' requirements are hard to define.
• It is used for both small and large applications.
• It provides the potential for changing the system early in its development.
• Prototype systems afford opportunity to observe and jointly examine information use.
• Prototype systems may, by being experimental, create a culture of change, adaption and
learning.

Question No 66
B-B departmental store wants to build a computerized system to facilitate the online sales. You are
hired as the consultant for the project. Based upon the above scenario, answer the following questions:
Which model of system development will you propose and why? B-B is planning for the e-
commerce as well. What do you think are the basic features needed in its e-commerce web portal?
What will be your disaster recovery plan for B-B? (December 2016)(20 Marks)
Answer No 66


I will be suggesting the spiral model of the system development process. It is a continuous process of
development which is a combination of elements of both design and prototyping-in-stages, in an
effort to combine the advantages of top-down and bottom-up concepts. This model of development
combines the features of the prototyping model and the waterfall model. This involves the
continuous process of system development. As it combines the prototype and waterfall models, most
of the activity would be covered. Here the stages of determining the actual objectives of the system (which
is used to know the requirements), identifying and resolving the risks, developing the system with a
specific programming language, testing it, and again planning the next stage of development while reducing
the risk are repeated until the complete system is developed. In every iteration the system gets
amended according to the feedback received on the prototype developed from the previous
information.

Note: However other models of system development can be accepted as the answer provided that
it is substantially justified.

a) Some features that should be available in an e-commerce website of B-B for its effective
operations are:
• Login and authorization
• Searching of the Products
• Product details
• Payment mechanism
• Profiling and personalization
• Event notifications
• Navigation
• News, events and social media
Login and Authorization:
This feature allows users to log in to the system after validation of the user name and password.
People without a valid username and password can see just the basic information about the
e-commerce website, but once they have a system username and password they can initiate transactions in
the system. The system also facilitates the creation of a new username and password.

Searching of the Product:
As the virtual web front lists a large variety of products, people might be unable to find the
product of their choice, so an effective product searching mechanism should be
available in the website. Conditions can be applied in the search.

Product Details and Catalogue:
Once the client finds any product, the website should give detailed information about the product
with a possible 2D/3D or video view along with all essential information and procedures.

Payment Mechanism:
The payment mechanism and procedures should be clear to every user. It might be electronic
payment procedures or cash on delivery. It should be documented properly.

Profiling and Personalization:
The personal behavior of the user in selling / buying products or accessing the product catalogue should be
tracked to personalize in future. This will be helpful for the promotion of new or related
products to that user in the future.

Event Notifications:
It is the procedure of informing the client about the completion of any event. This helps in
ensuring the completion of the process. It can be done by email or phone etc.

Navigation:
Good navigation helps users/customers to access various sections of the e-commerce site easily
without devoting much time. Navigation should take care of quick links to the shopping cart,
payment mechanism, product display and zooms etc.

News, Events and Social media:
News, events and connection to social media keep the customers updated about the
arrival of new products, offers, occurrence of various events and functions, and networking with the
companies and other clients. Social media helps to maintain an online connection with the customers
for support and communications. Social media also helps in the branding of the website.

b) The term Disaster Recovery describes the contingency measures that organizations have to
adopt at key computing sites to recover from or to prevent any monumentally bad event or
disaster. The primary objective of a disaster recovery plan is to assure the management that
normal operation of system would be restored in a set time after any disaster thereby
minimizing losses to the organization.
For B-B store I will be recommending the following three plans as the disaster recovery plan:

Backup Plan:
The backup plan will outline the way to restore the same data on a different location. However, the
cost factor will be another major issue connected with the backup plan. It will describe the following
points:
• Making copy of data regularly
• Automation of data backup process
• Saving of backed-up data on different medium
• Saving of backed-up data on different location
Emergency Plan:
This part of the disaster recovery plan outlines the actions to be undertaken immediately after a
disaster occurs. The following points clarify the emergency plan:
• Personnel to be notified in case of disaster
• Equipment to be operated or shut down
• Procedures to be followed
Recovery Plan:
The recovery plan mainly focuses on how the full capabilities of the system will be restored and
service will be resumed. The following points clarify the recovery plan:
• Formation of recovery committee
• Prioritizing the applications and systems to be recovered
• Replacement of hardware and network

Question No 67
Distinguish between: System software and application software (December 2016)(5 Marks)


Answer No 67
Systems Software
Performs the fundamental tasks needed to manage computer resources. The two most common
pieces of systems software are
1) The operating systems such as Linux, OS X, and Windows.
2) Utility programs such as file management, notepads, browsers, command prompts etc.

Application Software
Consists of programs that enable the computer to carry out specific tasks or functions. They can be
general purpose or custom-built. It may be purchased from vendors or developed internally.
1) Examples of applications found on personal computers include word processors,
spreadsheets, graphics, and small databases.
2) Applications found on dedicated servers are payroll, human resources, purchasing, accounts
payable, general ledger, treasury, etc.

Question No 68
Explain the main features of problem solving approach in system development.
(June 2016)(5 Marks)
Answer No 68
A methodology is a problem-solving approach to building systems. The term problem is used to
include real problems, opportunities for improvement, and directives from management. The
classic problem-solving approach is as follows:
1. Study and understand the problem and its context.
2. Define the requirements of a suitable solution.
3. Identify candidate solutions and select the "best" solution.
4. Design and/or implement the solution.
5. Observe and evaluate the solution's impact, and refine the solution accordingly.
Systems analysts should approach all projects using a problem-solving approach.
Inexperienced problem solvers tend to eliminate or abbreviate one or more of the above steps. The
result can range from (1) solving the wrong problem, to (2) incorrectly solving the problem, to (3)
picking the wrong solution. A methodology's problem-solving orientation can reduce or eliminate
the above risks.

Question No 69
What are the main differences between spiral model and waterfall model of system development?
(June 2016)(5 Marks)
Answer No 69
The major differences between the spiral model and waterfall model of system development are as
follows:

| SN | Spiral Model | Waterfall Model |
|----|--------------|-----------------|
| 1 | Based on the concept of enhancement of the initial prototype in a repetitive process. | Based on a well-structured, sequential flow of steps from beginning to end. Relatively rigid structure. |
| 2 | Can handle errors and bugs more easily since the prototype is evaluated after each cycle. | Difficult because the development has to go back to the beginning if an error or bug needs to be rectified. |
| 3 | Process is iterative and repetitive. | Process is based on a sequential flow where a step is started only after the preceding step ends. |
| 4 | Easier to accommodate sudden changes in the requirements. | Difficult to incorporate such sudden changes in the requirement. |
| 5 | Suitable for complex projects which may need changes in the middle of the development process. | Suitable for large projects with large development teams. |

Question No 70
Explain the key steps of prototyping development and its limitations. (June 2016)(20 Marks)
Answer No 70
The steps involved in prototyping development are as follows:
• Working in manageable modules
• Build the initial prototype rapidly
• Modifying the prototype in successive iterations.
• Stress test and user Interface optimization.

Limitations of prototyping
• Based on some kind of hit and trial.
• Practically, this methodology may increase the complexity of the system as the scope of the
system may expand beyond original plans.
• Incomplete application may result if the users cannot give full picture or feedback.
• Can lead to entirely different end system compared to the one originally planned.

Question No 71
ABC Company Ltd. is developing the information system to track the record of sales of various
types of electronics items that they manufacture. Their products are being sold in almost all
countries of Asia. Answer the following questions assuming that your team is assigned for the
system development:
Which approach of the system development will you adopt? (December 2017)(10 Marks)


Answer No 71
The system analysis and design is all about clearly identifying the functional needs of client and
identifying the means to achieve those requirements. However, people cannot reveal all their
functional needs at once. The iterative process helps them to identify their needs properly once they
see the product. Therefore the spiral model of the system development will be adopted here. It will
help ABC company to identify their needs seeing the prototype in various stages of iteration. Spiral
Model of System Development is a continuous process of development, which is combination of
elements of both design and prototyping-in-stages, in an effort to combine advantages of top-down
and bottom-up concepts.
Four main stages of Spiral Model of system development are:
1. Determine objective, alternatives and constraints
2. Evaluate alternatives, identify and resolve risks
3. Develop and verify next level
4. Plan for next phase
This model of development combines the features of the prototyping model and the waterfall
model. This involves the continuous process of system development. As it combines the prototype
and waterfall models, most of the activity would be covered. The first stage is determining the actual
objectives of the system, which is used to know the requirements; these might be Business Requirement
Specifications (BRS) and System Requirement Specifications (SRS). The requirements are listed
taking feedback from the executives, sales manager and sales agent of the ABC Company Ltd.
Based upon the SRS and BRS, alternative designs will be proposed. The development team
will be in constant touch with the above stakeholders of the ABC Company Ltd.

The second stage will be the evaluation of alternatives, risk analysis, resolving risk and identifying
the best alternative. Risks are possible conditions and events that prevent development team from
achieving its goals. The primary task for the development team is to enumerate all the possible
risks and prioritize them according to importance. The next step is to determine the potential
strategies that can help to overcome the risks. Evaluation of these parameters can cause changes at
the next steps.

The third stage will be the development of the first prototype. This is the stage where the planned product
is developed along with further testing. During the first spiral, the overall requirements are not so
clear, so a so-called Proof of Concept (POC) is created to get the customer's feedback. In subsequent
spirals, the final product will be developed accordingly.

And the fourth stage is the phase of evaluation of the output of the existing spiral. This phase
allows evaluating the output of the online system to date before the project continues to the next
spiral.


Figure: Spiral Model [Diagram with four quadrants: Determine objective, alternatives and constraints; Evaluate alternatives, identify and resolve risks; Develop and verify next level; Plan for next phase. Prototypes P1, P2 and P3 lie along the spiral.]
Note: P1: Prototype 1, P2: Prototype 2, P3: Prototype 3

Question No 72
What is the significance of feasibility study in System Development Life Cycle? List out various
types of feasibility study. (June 2017)(7 Marks)
Answer No 72
A feasibility study is the process of evaluating the viability of the project from various perspectives of
operation, technology and economy. The project will be taken up for real development only
after it passes the feasibility test. Thus, the feasibility stage is that which determines the
viability of the project from the different aspects of technicalities, operations, human resources and
economy. During the feasibility study, some recommendations can be given to make the system
feasible from the perspectives of technology, economy, operation etc. If the feasibility test of the
system is not done, the system may fail after the development.

The various areas of determining the feasibility can be listed as:
• Operational Feasibility
• Technical Feasibility
• Economic Feasibility
• Human Resource Feasibility
Operational Feasibility:
The operational feasibility of system development is all about ascertaining the views of workers,
employees, customers and suppliers about the use of Information Technology. The operational
feasibility will determine the support from management and users. It will check whether new
system will cause any difficulties or harm to any functioning unit of the organization.
Technical Feasibility:
Technical feasibility is about the evaluation of hardware and software viability for the system. The
system analyst will ascertain whether the proposed system runs on the existing technical
infrastructure or not. It will also give idea what upgrade or change need to be done on the existing
Information Technology to meet the requirement of the system.
Economical Feasibility:
The economical feasibility will evaluate the cost of the project during its development and
operational phase. It will determine what will be the increment in the cost and what benefit it will
provide after its implementation. The financial and economic questions raised by analysts during the
preliminary investigation are for the purpose of estimation, which may cover: the cost of conducting a full
system investigation, the cost of hardware and software, and the benefit.
Human Resource Feasibility:
Human Resource Feasibility analyses the sufficiency, skill level and efficiency of existing and
future (if any) human resource to carry out the system development and other tasks related to the
life cycle. Lack of proper skilled and sufficient number of personnel can greatly affect the timely
implementation of the project over static makes the system less feasible financially. So, proper HR
feasibility is needed.

Question No 73:
Assume that you are working as a software project manager in a software development company.
Your company assigned you a project to develop an information system for a bank and you chose
object-oriented methodology to develop the system. Based on this scenario, answer the following
questions.

a) What are the reasons for choosing object-oriented development approach for this project?
How is object-oriented development different from structured development approach?
b) Why do you incorporate controls into the design and implementation of information
systems? Explain general controls and application controls that are used to control
information system. What is the role of auditing in the control process?
(June 2019)(20 Marks)
Answer No 73
First part: Object-oriented development uses the object as the basic unit of systems analysis and
design. An object combines data and the specific processes that operate on those data. Data
encapsulated in an object can be accessed and modified only by the operations, or methods,
associated with that object. Instead of passing data to procedures, programs send a message for an
object to perform an operation that is already embedded in it. The system is modeled as a collection
of objects and the relationships among them. Because processing logic resides within objects rather
than in separate software programs, objects must collaborate with each other to make the system
work.
Object-oriented developments make the promise of reduced maintenance, code reusability, real
world modelling, and improved reliability and flexibility. Since my company is a software
development company, the software objects developed for one project can be easily ported to
another project. Moreover, in object oriented approach, each distinct function or feature can be
developed by a separate developer or team and integrated into the main project later. These are the
principal motivators for me to choose this approach. Here are some of the major benefits of the
object-oriented approach:
• Reduced Maintenance: The primary goal of object-oriented development is the
assurance that the system will enjoy a longer life while having far smaller maintenance
costs. Because most of the processes within the system are encapsulated, the behaviour
may be reused and incorporated into new behaviour.
• Real-World Modelling: Object-oriented systems tend to model the real world in a more
complete fashion than do traditional methods. Objects are organized into classes of
objects, and objects are associated with behaviour. The model is based on objects, rather
than on data and processing.
• Improved Reliability and Flexibility: Object-oriented systems promise to be far more
reliable than traditional systems, primarily because new behaviors can be "built" from
existing objects. Because objects can be dynamically called and accessed, new objects
may be created at any time. The new objects may inherit data attributes from one, or
many other objects. Behaviors may be inherited from super-classes, and novel behaviors
may be added without affecting existing system functions.
• High Code Reusability: When a new object is created, it will automatically inherit the
data attributes and characteristics of the class from which it was spawned. The new
object will also inherit the data and behaviour from all super classes in which it
participates. When a user creates a new type of a widget, the new object behaves
"wigitty", while having new behaviours which are defined to the system.

Second part: Structured methodologies have been used to document, analyze, and design
information systems since the 1970s. Structured refers to the fact that the techniques are step by
step, with each step building on the previous one. These methodologies are top-down, progressing
from the highest, most abstract level to the lowest level of detail from the general to the specific.
These methods are process-oriented, focusing primarily on modeling the processes, or actions that
capture, store, manipulate, and distribute data as the data flow through a system. These methods
separate data from processes whereas object oriented development combine both data and process
in a single object. Object oriented development uses modeling tools (class diagram, object diagram,
sequence diagram etc.) that are different from structured development.
The primary modeling tool in structured development for representing a system's component
processes and the flow of data between them is the data flow diagram (DFD). DFD offers a logical
graphic model of information flow, partitioning a system into modules that show manageable levels
of detail. DFD rigorously specifies the processes or transformations that occur within each module
and the interfaces that exist between them. DFDs can be used to depict higher-level processes as
well as lower-level details. Through leveled data flow diagrams, a complex process can be broken
down into successive levels of detail. Using DFD, an entire system can be divided into subsystems
with a high level data flow diagram. Each subsystem, in turn, can be divided into additional
subsystems with second-level data flow diagrams, and the lower-level subsystems can be broken
down again until the lowest level of detail has been reached.
Another tool for structured analysis is a data dictionary, which contains information about
individual pieces of data and data groupings within a system. The data dictionary defines the
contents of data flows and data stores so that systems builders understand exactly what pieces of
data they contain. Another tool is process specification that describes the transformation occurring
within the lowest level of the data flow diagrams. Process specifications express the logic for each
process. Another tool is the structure chart, where software design is modeled using hierarchical
structure charts. It is a top-down chart, showing each level of design, its relationship to other levels,
and its place in the overall design structure. The design first considers the main function of a
program or system, then breaks this function into sub-functions, and decomposes each sub-function
until the lowest level of detail has been reached. The chart may document one program, one system
(a set of programs), or part of one program.
First Part: To minimize errors, disasters, interruptions of service, computer crimes, and breaches of
security, controls must be incorporated into the design and implementation of information systems.
The combination of manual and automated measures that safeguard information systems and ensure
that they perform according to management standards is termed controls. Controls consist of all the
methods, policies, and procedures that ensure protection of the organization's assets, the accuracy
and reliability of its records, and operational adherence to management standards.
In the past, the control of information systems was addressed only toward the end of
implementation, just before the system was installed. Today, organizations must identify
vulnerability and control issues as early as possible. The control of an information system must be
an integral part of its design. Users and builders must pay close attention to controls throughout the
system's life span.

Second Part: Computer systems are controlled by a combination of general controls and application
controls. General controls establish the framework for controlling design, security, and use of
computer programs and the security of data files in general throughout an organization. Application
controls, on the other hand, are specific controls unique to each computerized application.
• General Controls and Data Security: General controls include software controls, physical
hardware controls, computer operations controls, data security controls, controls over the
systems implementation process, and administrative controls. Although most of these
controls are designed and maintained by information systems specialists, data security
controls and administrative controls require input and oversight from end users and
business managers.
Software controls monitor the use of software and prevent unauthorized access of software
programs, system software, and computer programs. Hardware controls ensure that computer
hardware is physically secure, and check for equipment malfunction. Computer operations controls
oversee the work of the computer department to ensure that programmed procedures are
consistently and correctly applied to the storage and processing of data. Data security controls
ensure that valuable business data files on either disk or tape are not subject to unauthorized access,
change, or destruction while they are in use or in storage. Implementation controls audit the systems
development process at various points to ensure that the process is properly controlled and
managed. Administrative controls formalize standards, rules, procedures, and control disciplines to
ensure that the organization's general and application controls are properly executed and enforced.
• Application Controls: Application controls include both automated and manual
procedures that ensure that only authorized data are completely and accurately processed
by an application. These are unique to each computerized application. Application
controls include input controls, processing controls, and output controls.
Input controls check data for accuracy and completeness when they enter the system.
There are specific input controls for input authorization, data conversion, data editing,
and error handling. Processing controls establish that data are complete and accurate
during processing. Output controls ensure that the results of computer processing are
accurate, complete, and properly distributed.

Third Part: To know that information systems controls are effective, organizations must conduct
comprehensive and systematic audits. An MIS audit identifies all the controls that govern individual
information systems and assesses their effectiveness. To accomplish this, the auditor must acquire a
thorough understanding of operations, physical facilities, telecommunications, control systems, data
security objectives, organizational structure, personnel, manual procedures, and individual
applications.
For this audit, the auditor usually interviews key individuals who use and operate a specific
information system concerning their activities and procedures. Application controls, overall
integrity controls, and control disciplines are examined. The auditor should trace the flow of sample
transactions through the system and perform tests, using, if appropriate, automated audit software.
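
The application controls described in the Second Part above can be shown in code. The following is an added example, not part of the suggested answer: it applies input controls (authorization, data editing, error handling), processing controls (batch control totals) and an output control (run-to-run total) to a batch of deposits for the bank scenario. The clerk IDs, amount limit, 8-digit account format and sample batch are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# Assumed for illustration: clerk IDs, the amount limit and the 8-digit account format.
AUTHORIZED_CLERKS = {"clerk01", "clerk02"}
AMOUNT_LIMIT = Decimal("500000.00")


@dataclass(frozen=True)
class BatchHeader:
    """Control totals prepared by the originating department before data entry."""
    record_count: int
    amount_total: Decimal
    hash_total: int  # sum of account numbers: no business meaning, used only as a check


def edit_check(rec):
    """Input controls: authorization and data-editing checks on one deposit record."""
    errors = []
    if rec.get("entered_by") not in AUTHORIZED_CLERKS:
        errors.append("input not authorized")
    acct = str(rec.get("account", ""))
    if not (acct.isascii() and acct.isdigit() and len(acct) == 8):
        errors.append("account must be 8 digits")
    try:
        amount = Decimal(str(rec.get("amount", "")))
        if not (Decimal("0") < amount <= AMOUNT_LIMIT):
            errors.append("amount outside permitted range")
    except InvalidOperation:
        errors.append("amount is not numeric")
    try:
        date.fromisoformat(str(rec.get("value_date", "")))
    except ValueError:
        errors.append("invalid value date")
    return errors


def process_batch(header, records, balances):
    """Apply input, processing and output controls; post only a fully clean batch."""
    clean, rejected = [], []
    for line_no, rec in enumerate(records, start=1):
        errors = edit_check(rec)
        if not errors and rec["account"] not in balances:
            errors.append("account not on master file")
        if errors:
            # Error handling: the record is reported with its reasons, never posted.
            rejected.append({"line": line_no, "errors": errors})
        else:
            clean.append(rec)

    # Processing controls: recompute the control totals and compare with the header.
    computed = BatchHeader(
        record_count=len(records),
        amount_total=sum((Decimal(r["amount"]) for r in clean), Decimal("0")),
        hash_total=sum(int(r["account"]) for r in clean),
    )
    discrepancies = [
        name for name in ("record_count", "amount_total", "hash_total")
        if getattr(computed, name) != getattr(header, name)
    ]
    if rejected or discrepancies:
        # The whole batch is held for correction; the master file is left untouched.
        return {"status": "HELD", "rejected": rejected,
                "discrepancies": discrepancies, "balances": dict(balances)}

    posted = dict(balances)
    for r in clean:
        posted[r["account"]] += Decimal(r["amount"])

    # Output control: closing total must equal opening total plus the batch total.
    if sum(posted.values()) != sum(balances.values()) + header.amount_total:
        raise RuntimeError("run-to-run control total mismatch; posting aborted")
    return {"status": "POSTED", "rejected": [], "discrepancies": [], "balances": posted}


# Constructed sample data (not from the page).
OPENING = {"10000001": Decimal("1000.00"), "10000002": Decimal("250.50")}
BATCH = [
    {"account": "10000001", "amount": "150.00",
     "value_date": "2019-06-01", "entered_by": "clerk01"},
    {"account": "10000002", "amount": "49.50",
     "value_date": "2019-06-01", "entered_by": "clerk02"},
]
HEADER = BatchHeader(record_count=2, amount_total=Decimal("199.50"), hash_total=20000003)

if __name__ == "__main__":
    print(process_batch(HEADER, BATCH, OPENING))
```

A keying error that still passes every edit check (150.00 entered as 510.00) is caught only by the control total, which is why input edits and batch totals are used together.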

Chapter 5:

System Analysis and Design

Question No 1:
"System-level testing must be conducted prior to installation of an Information system".
Briefly describe various steps involved in the system testing. (December 2004)(10 Marks)
Answer No 1:
System-level testing must be conducted prior to installation of an information system. It involves:
a) Preparation of realistic test data in accordance with the system test plan.
b) Processing the test data using the new equipment.
c) Thorough checking of the results of all system tests, and
d) Reviewing the results with future users, operators and support personnel.
System level testing is an excellent time for training employees in the operation of the IS as well
as maintaining it. Typically, it requires 25 to 35 percent of the total implementation effort.
One of the most effective ways to perform system-level testing is to perform parallel operations
with the existing system. Parallel operations consist of feeding both systems the same input data
and comparing data files and output results. Despite the fact that the individual programs were
tested, related conditions and combinations of conditions that were not envisioned are likely to
occur. Last minute changes to computer programs are necessary to accommodate these new
conditions.
For an interactive information system project, the process of running dual operations for both new
and old system is more difficult than it is for a batch processing system, because the new system
has no true counterpart in the old system. One procedure for testing the new interactive system is
to have several remote input terminals connected on line, which are operated by supervisory personnel
backed up by other personnel operating on the old system. The outputs are checked for
compatibility, and appropriate corrections are made to the on-line computer programs. Once this
segment of the new system has proved satisfactory, the entire terminal network can be placed into
operation for this one work. Additional sections of the system can be added by testing in this
manner until all programs are operational.
During parallel operations, the mistakes detected are often not those of the new system, but of the
old. These differences should be reconciled as far as it is feasible economically. Those responsible
for comparing the two systems should clearly establish that the remaining deficiencies are caused
by the old system. A poor checking job at this point can result in complaints later from customers,
top management, salespersons, and others. Again, it is the responsibility of the system developers
and analysts to satisfy themselves that adequate time for dual operation has been undertaken for
each functional area changed.

Question No 2:
What are CASE tools? Describe in depth the categories of CASE tools with examples/figures.
(December 2005)(10 Marks)
Answer:
CASE tools are automated software tools. CASE stands for 'Computer Aided Software
Engineering'. Software Engineering is concerned with creation of software systems. Software
systems are produced by teams of people using sound engineering principles. They use computing
techniques and the aim is to produce automated tools to solve specific problems of users in the
domain of their function such as finance, production, sales, etc. and also develop and produce
software for such applications. There are three categories of CASE tools:

i) Tools that support individual process tasks such as checking the consistency of a design,
completing a program, comparing test results and so on.
ii) Work benches to support process phases such as specification, design, etc. They consist of set
of tools with variable degrees of integration.
iii) Environment support for all or part of software process. Includes several different work
benches, which are integrated in some way.

Figure 1: Tools, workbenches and environments. [Tree diagram: CASE Technology branches into Tools (Editors, Compilers, File Compactors), Workbenches (Analysis and Design, Programming, Testing) and Environment (Integrated Environment, Process Centred Environment); the workbench branches lead to Multi method workbenches, Single method workbenches, General purpose workbenches and Large specific workbenches.]

The table given below lists a number of different types of CASE tools and gives specific examples
of each tool.

Tool type | Example
Management tools | PERT tools, estimation tools.
Editing tools | Text editors, diagram editors, word processors.
Configuration management tools | Version management system, change management system.
Prototyping tools | High level language tools, user interface generators.
Method support tools | Design editors, data dictionaries, code generators.
Language processing tools | Compilers, interpreters.
Program analysis tools | Cross reference generators, static analyzers, dynamic analyzers.
Testing tools | Test data generators, file compactors.
Debugging tools | Interactive debugging system.
Documentation tools | Page layout program, image editors.
Reengineering tools | Cross reference systems, program restructuring systems.

Question No 3:
What is a system manual? What information is included in it? (June 2005) (10 Marks)
Answer No 3
The basic output of the system design is a description of the task to be performed, complete with
layouts and flowcharts. This is called the job specifications manual or system manual.
It contains:
i) General description of the existing system.
ii) Flow of the existing system.
iii) Outputs of the existing system – the documents produced by existing system are listed and
briefly described, including distribution of copies.
iv) General description of the new system – its purposes and functions and major differences
from the existing system are stated together with a brief justification for the change.
v) Flow of the new system – this shows the flow of the system from and to the computer
operation and the flow within the computer department.
vi) Output layouts.
vii) Output distribution – the distribution of the new output document is indicated and the number
of copies, routing and purpose in each department shown. The output distribution is
summarized to show what each department will receive as a part of the proposed system.
viii) Input layouts – the inputs to the new system are described and complete layouts of the input
documents and input disks or tapes provided.
ix) Input responsibility – the source of each input document is indicated as also the user
department responsible for each item on the input documents.
x) Macro-logic – the overall logic of the internal flows will be briefly described by the systems
analyst, wherever useful.
xi) Files to be maintained – the specifications will contain a listing of the tape, disk or other
permanent record files to be maintained, and the item of information to be included in each
file. There must be complete layouts for intermediate or work file; these may be prepared
later by the programmer.
xii) List of programs – a list of the programs to be written shall be a part of the systems
specifications.
xiii) Timing estimates – a summary of approximate computer timing is provided by the systems
analyst.
xiv) Controls – this shall include type of controls, and the method in which it will be operated.
xv) Audit trail – a separate section of the systems specifications shows the audit trail for all
financial information. It indicates the methods with which errors and defalcation will be
prevented or eliminated.
xvi) Glossary of terms used.

Question No 4:
Why is personnel training important for the success of systems implementation? What type of
training should be imparted to (i) system operators and (ii) users? (June 2005) (10 Marks)

Answer No 4:
A system can succeed or fail depending on the way it is operated and used. Therefore, the quality
of training received by the personnel involved with the system in various capacities helps or
hinders the successful implementation of information system. Thus, training is becoming a major
component of systems implementation. When a new system is acquired which often involves new
hardware and software, both users and computer professionals generally need some type of
training. Often this is imparted through classes, which are organized by vendor, and through
hands-on learning techniques.
Training System Operators: Many systems depend on the computer-centre personnel who are
responsible for keeping the equipment running as well as for providing the necessary support
services. Their training must ensure that they are able to handle all possible operations, both
routine and extra-ordinary. Operator training must also involve the data entry personnel. If the
system calls for the installation of new equipment, such as a new computer system, special
terminals or data-entry equipment, the operators' training should include such fundamentals as
how to turn equipment on and use it, and knowledge of what constitutes normal operation and use.
The operators should also be instructed in what common malfunctions may occur, how to
recognize them, and what steps to take when they arise. As part of their training, operators should
be given both a trouble shooting list that identifies possible problems and remedies for them, as
well as the names and telephone numbers of individuals to contact when unexpected or unusual
problems arise. Training also involves familiarization with run procedures, which involve working
through the sequence of activities needed to use a new system on an on-going basis.
User Training: User training may involve equipment use, particularly, in the case where a
microcomputer is in use and the individual involved is both operator and user. In these cases, users
must be instructed first how to operate the equipment. User training must also instruct individuals
involved in trouble shooting of the system, determining whether the problem is caused by the
equipment or software or by something they have done in using the system. Most user training
deals with the operation of the system itself. Training in data coding emphasizes the methods to be
followed in capturing data from transactions or preparing data for decision support activities.
Users should be trained on data handling activities such as editing data, formulating inquiries
(finding specific records or getting responses to questions) and deleting records of data. From time
to time, users will have to prepare disks, load paper into printers, or change ribbons on printers.
Some training time should be devoted to such system maintenance activities. If a microcomputer
or data entry system uses disks, users should be instructed in formatting and testing disks.
Training is often seen as a necessary evil by managers. While recognizing its importance, many
managers have to release employees from their regular job activities so that they can be trained.
When managers are actively involved in determining training needs, they are usually more
supportive of training efforts. It is generally wise to have managers directly involved in evaluating
the effectiveness of training activities because training deficiencies can translate into reduced user
productivity level.

Question No 5:
Write short notes on
Systems Design Phases (June 2005) (5 Marks)
Answer No 5
After the completion of requirements analysis for a system, System design activity takes place for
the alternative, which is selected by management. The system design phase usually consists of
following three activities:

i) Reviewing the system's informational and functional requirements;
ii) Developing a model of the new system, including logical and physical specifications of
outputs, inputs, processing, storage, procedures and personnel;
iii) Reporting results to management.

The system's design must conform to the purpose, scale and general concepts of the system that
management approved during the requirements analysis phase. Therefore, users and system
analysts must review each of these matters again before starting the design because they establish
both the direction and the constraints that system developers must follow during rest of the
activities.
As mentioned above, system design involves first logical design and then physical construction of
a system. When analysts formulate a logical design, they write the detailed specifications for the
new system, they describe its features; the outputs, input files, databases and procedures, all in a
manner.

Question No 6:
Why do you think that information system needs to be evaluated before implementation? What are
the different dimensions of evaluation? (June 2006)(5 Marks)
Answer No 6
The reasons of information system evaluation before its implementation are:
• It provides the feedback necessary to assess the value of information and the performance of
personnel and technology included in the newly designed system.
• The feedback helps in the readjustment of the part of the system if needed.
• The feedback helps in the adjustment of the future information systems development projects.
The dimensions of system evaluation are: one is concerned about whether system is operating
properly or not and another is concerned with satisfaction of user.

Question No 7:
Answer the following questions:
List the factors affecting output design. (June 2007)(5 Marks)
Answer No 7
a) Content: Only required information should be provided to the user. Content refers to the actual
information printed or provided, so unnecessary information and data should be avoided in the output
report.
Form: Form refers to the way the contents are presented. There is always a systematic procedure
for representing anything, which should be followed while designing the output. E.g. text, pictures,
video, tables, titles, summary etc. should be presented appropriately at appropriate positions.
Output volume: It refers to the amount of data or information being printed or presented in the
report. If a large volume of data is to be printed or presented, high-speed
accessories and equipment should be used to meet the demand.
Timeliness: It refers to the time when the user needs the output. Sometimes the output is needed only
once, and sometimes periodic reports are also essential. The system should accommodate such timely
needs.
Media: It refers to the physical devices on which the output should be presented. Paper, picture,
audio-video or any other type of media can be used for the purpose of the presentation depending upon
the cost, time, user and place.

Question No 8:
"System-level testing must be conducted prior to installation of an information system". Briefly
describe various steps involved in the system testing. (Old Syllabus December 2010)(10 Marks)
Answer No.8
System-level testing must be conducted prior to installation of an information system. It involves:
(a) preparation of realistic test data in accordance with the system test plan, (b) processing the
test data using the new equipment, (c) thorough checking of the results of all system tests, and (d)
reviewing the results with future users, operators and support personnel. System-level testing is an
excellent time for training employees in the operation of the IS as well as maintaining it. Typically,
it requires 25 to 35 per cent of the total implementation effort.

One of the most effective ways to perform system-level testing is to perform parallel operations
with the existing system. Parallel operations consist of feeding both systems the same input data
and comparing data files and output results. Despite the fact that the individual programs were
tested, related conditions and combinations of conditions that were not envisioned are likely to
occur. Last minute changes to computer programs are necessary to accommodate these new
conditions.

For an interactive information system project, the process of running dual operations for both new
and old system is more difficult than it is for a batch-processing system, because the new system has
no true counterpart in the old system. One procedure for testing the new interactive system is to
have several remote input terminals connected on line, which are operated by supervisory personnel
backed up by other personnel operating on the old system. The outputs are checked for
compatibility and appropriate corrections are made to the online computer programs. Once this
segment of the new system has proved satisfactory, the entire terminal network can be placed into
operation for this one work. Additional sections of the system can be added by testing in this
manner until all programs are operational.

During parallel operations, the mistakes detected are often not those of the new system, but of the
old. These differences should be reconciled as far as it is feasible economically. Those responsible
for comparing the two systems should clearly establish that the remaining deficiencies are caused
by the old systems. A poor checking job at this point can result in complaints later from customers,
top management, salespersons, and others. Again it is the responsibility of the system developers
and analysts to satisfy themselves that adequate time for dual operation has been undertaken for
each functional area changed.

Question No 9:
Differentiate between object oriented analysis and structural analysis technique. (December
2011)(5 Marks)
Answer No. 9
| Object Oriented Analysis Approach | Module Oriented Analysis Approach |
|---|---|
| System is seen as a collection of objects, each with a functional purpose | System is seen as a set of functions, data, processes and their inter-relationships |
| Easy maintenance of system and at low cost | Maintenance is costlier. Proper and detailed documentation is needed |
| Since objects can be reused in different applications, it promotes reuse of code in large systems | Reuse of code is limited and infrequent |
| Simpler to implement in distributed systems | Difficult to implement in distributed systems |
| Leads to systems that are more flexible to change | Leads to less flexible systems |
| Ideal for large systems | Ideal for small systems |

Question No 10:
Explain System Analyst role of IT professional. Mention various skills and attributes required to
become a successful system analyst. (December 2011)(5 Marks)

Answer No 10:
System analysts are people who understand both business and computing. They study business
problems and opportunities and then transform business and information requirements into the
computer-based information systems that are implemented by various technical specialists,
including computer programmers.
A system analyst studies the problems and needs of the organization to determine how people, data,
processes, communications and information technology can best accomplish improvement for the
business.
The analyst is responsible for the efficient capture of data from its business source, the flow of that
data to the computer, the processing and storage of that data by the computer, and the flow of
useful and timely information back to the business and its people.
System analysts sell the services of information technology to business management and computer
users.
Various skills and attributes required to become a successful system analyst are:
• Working knowledge of current information technologies
• Computer programming experience and expertise
• General business knowledge
• Interpersonal communication skills
• Interpersonal relations skills
• Flexibility and adaptability
• Character and ethics
• System analysis and design skills

Question No 11:
Define the following terms: Feasibility Study (December 2011) (5 Marks)
Answer No 11
Feasibility study is the process of evaluating the viability of the project from the operational,
technical and economic perspectives. The project is taken up for actual development only
after its feasibility test is confirmed to be positive. The process of determining the feasibility is done after
defining the requirements of the project.

The various areas of determining the feasibility can be listed as:
• Operational Feasibility
• Technical Feasibility
• Economical Feasibility

Question No 12:
"System-level testing must be conducted prior to installation of an information system". Briefly
describe various steps involved in the system testing. (Old syllabus, December 2011) (10 Marks)
Answer No. 12
System-level testing must be conducted prior to installation of an information system. It involves:
(a) Preparation of realistic test data in accordance with the system test plan, (b) processing the test
data using the new equipment, (c) thorough checking of the results of all systems tests, and (d)
reviewing the results with future users, operators and support personnel. System-level testing is an
excellent time for training employees in the operation of the IS as well as maintaining it. Typically,
it requires 25 to 35 per cent of the total implementation effort.

One of the most effective ways to perform system-level testing is to perform parallel operations
with the existing system. Parallel operations consist of feeding both systems the same input data
and comparing data files and output results. Despite the fact that the individual programs were
tested, related conditions and combinations of conditions that were not envisioned are likely to
occur. Last minute changes to computer programs are necessary to accommodate these new
conditions.

For an interactive information system project, the process of running dual operations for both new
and old system is more difficult than it is for a batch-processing system, because the new system has
no true counterpart in the old system. One procedure for testing the new interactive system is to
have several remote input terminals connected online, which are operated by supervisory personnel
backed up by other personnel operating on the old system. The outputs are checked for
compatibility and appropriate corrections are made to the online computer programs. Once this
segment of the new system has proved satisfactory, the entire terminal network can be placed into
operation for this one work. Additional sections of the system can be added by testing in this
manner until all programs are operational.

During parallel operations, the mistakes detected are often not those of the new system, but of the
old. These differences should be reconciled as far as it is feasible economically. Those responsible
for comparing the two systems should clearly establish that the remaining deficiencies are caused
by the old systems. A poor checking job at this point can result in complaints later from customers,
top management, salespersons, and others. Again it is the responsibility of the system developers
and analysts to satisfy themselves that adequate time for dual operation has been taken for each
functional area changed.

Question No 13:
Answer the following questions: ER diagram (Old syllabus, December 2011) (5 Marks)

Answer No 13
An entity-relationship (ER) diagram is a specialized graphical representation that illustrates the
interrelationships between entities in a database. ER diagram shows the picture how the database
works with all the interactions and data flows.

ER diagrams often use symbols to represent three different types of information. Boxes are
commonly used to represent entities. Diamonds are normally used to represent relationships and
ovals are used to represent attributes.

ER-diagram example.

Question No 14:
What is RAID? List out and define types of RAID. ( June 2011)(8 Marks)
Answer No.14
RAID is an acronym for redundant array of independent disks, also known as redundant array of
inexpensive disks. This is a technology that provides increased storage functions and reliability
through redundancy from low-cost and less reliable PC-class disk-drive components. It uses the
technique of arranging the devices into arrays for redundancy.

RAID combines two or more physical hard disks into a single logical unit using special hardware or
software. Hardware solutions are often designed to present themselves to the attached system as a
single hard drive, so that the operating system would be unaware of the technical workings.
There are three key concepts in RAID: mirroring, the writing of identical data to more than one
disk; striping, the splitting of data across more than one disk; and error correction, where redundant
parity data is stored to allow problems to be detected and possibly repaired (known as fault
tolerance).
RAID is now used as an umbrella term for computer data storage schemes that can divide and
replicate data among multiple hard disk drives. The different schemes/architectures are named by
the word RAID followed by a number, as in RAID 0, RAID 1, etc.
Types or Levels of RAID
RAID 0: It has block-level striping without parity or mirroring and has no redundancy. It provides
improved performance and additional storage but no fault tolerance. Any disk failure destroys the
array, and the likelihood of failure increases with more disks in the array.
RAID 1: It has mirroring without parity or striping. Data is written identically to multiple disks.
Any number of disks may be used; normally only two are used. Array provides fault tolerance
from disk errors or failures and continues to operate as long as at least one drive in the mirrored set
is functioning.
RAID 2: It has bit-level striping with dedicated parity. All disk spindle rotation is synchronized,
and data is striped such that each sequential bit is on a different disk. Parity is calculated across
corresponding bits on disks and stored on at least one parity disk.
RAID 3: It has byte-level striping with dedicated parity. All disk spindle rotation is synchronized,
and data is striped so each sequential byte is on a different disk. Parity is calculated across
corresponding bytes on disks and stored on a dedicated parity disk.
RAID 4: It has block-level striping with dedicated parity. It is identical to RAID 5, but confines all
parity data to a single disk, which can create a performance bottleneck. In this setup, files can be
distributed between multiple disks. Each disk operates independently which allows Input/Output
requests to be performed in parallel, though data transfer speeds can suffer due to the type of parity.
The error detection is achieved through dedicated parity and is stored in a separate, single disk unit.
RAID 5: It has block-level striping with distributed parity. It distributes parity along with the data
and requires all drives but one to be present to operate; drive failure requires replacement, but the
array is not destroyed by a single drive failure. Upon drive failure, any subsequent reads can be
calculated from the distributed parity such that the drive failure is masked from the end user.
RAID 6: It has block-level striping with double distributed parity. It provides fault tolerance from
two drive failures; array continues to operate with up to two failed drives. This makes larger RAID
groups more practical, especially for high-availability systems. This becomes increasingly
important as large-capacity drives lengthen the time needed to recover from the failure of a single
drive.

Question No 15:
Explain the system analysis phase of the system development life cycle. ( June 2011)(15 Marks)
Answer No.15
The development of a computer-based information system includes a systems analysis phase which
produces or enhances the data model which itself is a precursor to creating or enhancing a database.
There are a number of different approaches to system analysis. When a computer-based
information system is developed, systems analysis (according to the Waterfall model) would
constitute the following steps:
* The development of a feasibility study, involving determining whether a project is economically,
socially, technologically and organizationally feasible.
* Conducting fact-finding measures, designed to ascertain the requirements of the system's end-
users. These typically span interviews, questionnaires, or visual observations of work on the
existing system.
* Gauging how the end-users would operate the system (in terms of general experience in using
computer hardware or software), what the system would be used for etc.

Another view outlines a phased approach to the process. This approach breaks systems analysis
into 5 phases:
* Scope definition
* Problem analysis
* Requirements analysis
* Logical design
* Decision analysis

Basically, this is conducted to find out:


* The information needs of the company and the end users.
* The activities, resources, and products of any present information systems being used.
* The information systems capabilities required to meet the information needs of end users, and
those of other e-business stakeholders that may use the system.

Depending upon the size and nature of the system being developed, the following analyses are done
in detail:

Organisational Analysis
Organisational analysis involves evaluating the organizational and environmental systems and
subsystems involved in any situation. Systems analysis traditionally involves a detailed study of
the organization's:
* Environment
* Management structure
* People
* Business activities
* Environmental systems it deals with
* Current information systems

Analysis of the Present System


Before designing a new system, a detailed analysis of the current system (manual or automated)
must be completed. An analysis of the present system involves analyzing activities, resources, and
the products. You must analyze how the present system uses:
* Hardware, software, people resources to convert data resources into information products, such
as reports and displays.
* Document how the information activities of input, processing, output, storage, and control are
being accomplished.

Functional Requirements Analysis


This step of systems analysis is one of the most difficult. Steps involve:
* Working as a team with IS analysts and end users to determine specific business information
needs.
* Determining the information processing capabilities required for each system activity (input,
processing, output, storage, and control) to meet the information needs. Goal is to identify WHAT
should be done NOT how to do it.
* Develop functional requirements (information requirements that are not tied to the hardware,
software, network, data, and people resources that end users presently use or might use in the new
system).

Question No 16
Define Data Dictionary( June 2011)(5 Marks)
Answer No 16
Data Dictionary is a centralized repository of information about data such as meaning, relationships
to other data, origin, usage, and format. The term may have one of several closely related meanings
pertaining to databases and database management systems (DBMS). A data dictionary helps define
the details of the data stored in a field. Database users and application developers can benefit from
an authoritative data dictionary document that catalogs the organization, contents, and conventions
of one or more databases. This typically includes the names and descriptions of
various tables and fields in each database, plus additional details, like the type and length of
each data element. There is no universal standard as to the level of detail in such a document.

Question No 17
Write short answer to System testing (Old Syllabus June 2011)( 5 Marks)

Answer No 17
System testing of software or hardware is testing conducted on a complete, integrated system to
evaluate the system's compliance with its specified requirements. System testing falls within the
scope of black box testing, and as such, should require no knowledge of the inner design of the
code or logic.
As a rule, system testing takes, as its input, all of the "integrated" software components that have
successfully passed integration testing and also the software system itself integrated with any
applicable hardware system(s). The purpose of integration testing is to detect any inconsistencies
between the software units that are integrated together (called assemblages) or between any of the
assemblages and the hardware. System testing is a more limited type of testing; it seeks to detect
defects both within the "inter-assemblages" and also within the system as a whole.
System testing is performed on the entire system in the context of a Functional Requirement
Specification(s) (FRS) and/or a System Requirement Specification (SRS). System testing tests not
only the design, but also the behavior and even the believed expectations of the customer. It is also
intended to test up to and beyond the bounds defined in the software/hardware requirements
specification(s).
The following examples are different types of testing that should be considered during System
testing:
GUI software testing, Usability testing, Performance testing, Compatibility testing, Error handling
testing, Load testing, Volume testing, Stress testing, Security testing, Scalability testing, Sanity
testing, Smoke testing, Exploratory testing, Ad hoc testing, Regression testing, Reliability testing,
Installation testing, Maintenance testing

Question No 18
Write short answer to System maintenance(Old Syllabus June 2011)( 5 Marks)
Answer No 18
System maintenance is one of the important phases of the implementation. The system may
undergo some changes, or new types of need may arise from the users. Day-to-day operation
may reveal strengths or weaknesses that call for modification. This is what the
maintenance of the system is about. The question then arises whether it is needed periodically. Periodic
maintenance of the system reduces the chances of failure of the system, as the possible problems
can be forecast. In periodic maintenance the anticipated shortcomings can be sorted out in a
planned way. During this process changes can be made to the hardware, software and
documentation to support operational effectiveness. This includes making changes to improve a
system's performance, correct problems, enhance security or address user requirements. While
carrying out the maintenance, it has to be ensured that it doesn't disrupt the operation or degrade
the performance.

Question No 19
Explain feasibility study. (December 2012)(5 Marks)
Answer No 19
Feasibility is the measure of how beneficial or practical the development of an
information system will be to an organization.
Feasibility analysis is the process by which feasibility is measured.
Feasibility should be measured throughout the life cycle. In earlier chapters we called this a
creeping commitment approach to feasibility. The scope and complexity of an apparently feasible
project can change after the initial problems and opportunities are fully analyzed or after the system
has been designed. Thus, a project that is feasible at one point may become infeasible later. Let's
study some checkpoints for our systems development life cycle.
If you study your company's project standards or systems development life cycle (SDLC), you'll
probably see a feasibility study phase or deliverable, but not an explicit ongoing process. But look
more closely! On deeper examination, you'll probably identify various go/no-go checkpoints or
management reviews. These checkpoints and reviews identify specific times during the life cycle
when feasibility is reevaluated. A project can be canceled or revised in scope, schedule, or budget
at any of these checkpoints. Thus, an explicit feasibility analysis phase in any life cycle should be
considered to be only an initial feasibility assessment.
Feasibility checkpoints can be installed into any SDLC that you are using. The checkpoints are
represented by red diamonds. The diamonds indicate that a feasibility reassessment and
management review should be conducted at the end of the prior phase (before the next phase). A
project may be canceled or revised at any checkpoint, despite whatever resources have been spent.
This idea may bother you at first. Your natural inclination may be to justify continuing a project
based on the time and money you've already spent. A fundamental principle of management is
never to throw good money after bad—cut your losses and move on to a more feasible project. That
doesn't mean the costs already spent are not important. Costs must eventually be recovered if the
investment is ever to be considered a success.

Question No 20

Write short notes on Information system maintenance(Old Syllabus December 2012)( 5 Marks)
Answer No 20
Information System maintenance is an important aspect of System Development Life Cycle. Most
information systems require at least some modification after development. The need for
modification arises from a failure to anticipate all requirements during system design and/or from
changing organizational requirements. Maintenance can be categorised in the following ways:
• Scheduled maintenance
• Rescue maintenance
• Corrective maintenance
• Adaptive maintenance
• Perfective maintenance
• Preventive maintenance

Question No 21
Describe CASE tools(Old Syllabus December 2012)( 5 Marks)
Answer No 21
CASE Tools are the programs that provide support in one or more stages of system development
process. The objective of CASE tool is to help system analyst and designer in developing good
quality systems within the specified time and budget constraints.
The various types of CASE tools are:
• Analytical tools
• Diagrammatic tools
• Display and report generator tools
• Code generator tools
• Documentation generator tools
• Testing and debugging tools
Automated CASE tools are used for:
• To improve productivity
• To improve quality through checks for completeness, consistency and contradictions
• Better and more consistent documentation
• Reduce lifetime maintenance

Question No 22
Explain about the symbols used in data flow diagram (DFD).(Old Syllabus, June 2012)(5 Marks)
Answer No 22
A data flow diagram graphically describes the flow of data within an organization. It is used to
document existing systems and to plan and design new ones. A DFD is composed of four basic
elements: data sources and destinations, data flows, transformation processes and data stores.

| Symbol | Name | Description |
|---|---|---|
| (square box) | Data source and Destination | The people and organizations that send data to and receive data from the system are represented by this type of square box. Data destinations are also called data sinks. |
| (line with arrows) | Data Flow | The flow of data into or out of a process is represented by a curved or straight line with arrows. |
| (circle) | Transformation Process | The processes that transform data from inputs to outputs are represented by circles. They are often referred to as bubbles. |
| (two horizontal lines) | Data stores | The storage of data is represented by two horizontal lines. |

Question No 23
Write short notes on:
Software evaluation criteria(Old Syllabus, June 2012)(5 Marks)
Answer No 23
You should evaluate software according to many factors that are similar to those used for hardware
evaluation. Thus, the factors of performance, cost, reliability, availability, compatibility,
modularity, technology, ergonomics, and support should be used to evaluate proposed software
acquisition. In addition, however, software evaluation factors should also include evaluating:
• Quality
• Efficiency
• Flexibility
• Security
• Connectivity
• Language
• Documentation
• Hardware
• Other factors (performance, cost, reliability etc.)

Question No 24
Write short notes on:
High availability computing (Old Syllabus, June 2012)(5 Marks)
Answer No 24
High Availability is a computing deployment model in which the main data center or server
equipment is installed with power backup, network backup and even whole installation site
backup. As the name suggests, the aim is to increase availability of the system for its end users.
High availability infrastructure is deployed mainly in corporate platform for service providers,
large businesses, government agencies and any other organization for which access to the system is
very important and which cannot risk any significant loss or corruption of the data. The major
characteristics of a high availability system are:
(a) Multi-site deployment – system installed in more than one site
(b) Network redundancy – more than one path to connect to the system.
(c) Power backup – dedicated source, multiple city source, backup power generators, UPS etc.
(d) Round the clock presence of operations and maintenance team to monitor the system.

Question No 25
Imagine you are assigned to design a computerized system for the regular services of land reform
offices. How would you outline the advantages and implementation challenges of the system to the
management? (December 2013) (10 Marks)
Answer No 25
The major advantages of such a system for the land reform offices are:
i. Fast operation and delivery of service.
ii. Up-to-date data available readily for every concerned person.
iii. Control of access to different types of data to different users such as customers, working
level staff and management.
iv. Accuracy and integrity of data.
v. Control of under-the-table deals and corruption through transparency resulting from
computerized system.

The major implementation challenges are:
i. Change resistance among staff and management.
ii. Negative moves from personnel who are benefiting from existing traditional working style.
iii. Budget for the new system.
iv. Training of staff for the new system.
v. Possible redundancy of staff due to efficiency of the new system.
vi. Migrating data from existing paper based system to the new computerized system.

Question No 26
Explain the Rapid Application Development (RAD). (December 2013) (5 Marks) (June
2014) (5 Marks)
Answer No 26
Rapid application development (RAD) is the merger of various structured techniques (especially
the data-driven information engineering) with prototyping techniques and joint application
development techniques to accelerate systems development.
RAD calls for the interactive use of structured techniques and prototyping to define the users'
requirements and design the final system. Using structured techniques, the developer first builds
preliminary data and process models of the business requirements. Prototypes then help the analyst
and users to verify those requirements and to formally refine the data and process models. The
cycle of models, then prototypes, then models, then prototypes, and so forth ultimately results in a
combined business requirements and technical design statement to be used for constructing the new
system.
RAID, an acronym for Redundant Array of Independent Disks, also known as Redundant Array
of Inexpensive Disks, is a technology that allows high levels of storage reliability from low-cost
and less reliable PC-class disk-drive components, via the technique of arranging the devices into
arrays for redundancy. The basic idea behind RAID is to combine multiple small, inexpensive disk
drives into an array which yields performance exceeding that of one large and expensive drive.
This array of drives will appear to the computer as a single logical storage unit or drive. RAID is a
method in which information is spread across several disks, using techniques such as disk striping
(RAID level 0), disk mirroring (RAID level 1), memory-style error-correcting code (ECC)
(RAID level 2), bit-interleaved parity (RAID level 3), block-interleaved parity (RAID level 4) and
block-interleaved distributed parity (RAID level 5) to achieve redundancy, lower latency and/or
higher bandwidth for reading and/or writing to disks, and maximize recoverability from hard-disk
crashes. The underlying concept in RAID is that data may be distributed across each drive in the
array in a consistent manner. To do this, the data must first be broken into consistently-sized
"chunks" (often 32K or 64K in size, although different sizes can be used). The chunks are then
written to the drives in turn. When the data is to be read, the process is reversed, giving the
illusion that multiple drives are actually one large drive.
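
The chunk striping described above and the RAID 0 and RAID 5 descriptions in Answer No. 14 can be seen working in the following added Python example, which is not part of the original suggested answers. The 4-byte chunk size, the parity rotation rule, the sample data and all function names are assumptions made for illustration.

```python
"""Added illustration (not from the source text): striping and XOR parity."""
from functools import reduce

CHUNK = 4  # bytes per chunk; constructed toy value (the text mentions 32K or 64K)


def split_chunks(data, size=CHUNK):
    """Break data into consistently sized chunks, zero-padding the last one."""
    padded = data + bytes(-len(data) % size)
    return [padded[i:i + size] for i in range(0, len(padded), size)]


def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity calculation."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def raid0_write(data, n_disks):
    """RAID 0: chunks go to each disk in turn, with no parity or mirroring."""
    disks = [[] for _ in range(n_disks)]
    for i, chunk in enumerate(split_chunks(data)):
        disks[i % n_disks].append(chunk)
    return disks


def raid0_read(disks, length):
    """Reverse the striping. A failed disk (None) makes the data unrecoverable."""
    if any(d is None for d in disks):
        raise IOError("RAID 0: any disk failure destroys the array")
    n, total = len(disks), sum(len(d) for d in disks)
    return b"".join(disks[i % n][i // n] for i in range(total))[:length]


def parity_disk(stripe, n_disks):
    """Hypothetical rotation rule: parity moves one disk to the left per stripe."""
    return (n_disks - 1 - stripe) % n_disks


def raid5_write(data, n_disks):
    """RAID 5: each stripe holds n-1 data chunks plus one rotating parity chunk."""
    chunks, per_stripe = split_chunks(data), n_disks - 1
    chunks += [bytes(CHUNK)] * (-len(chunks) % per_stripe)
    disks = [[] for _ in range(n_disks)]
    for s in range(len(chunks) // per_stripe):
        stripe = chunks[s * per_stripe:(s + 1) * per_stripe]
        data_chunks, parity = iter(stripe), xor_blocks(stripe)
        for d in range(n_disks):
            is_parity = d == parity_disk(s, n_disks)
            disks[d].append(parity if is_parity else next(data_chunks))
    return disks


def raid5_read(disks, length):
    """Read the array; one failed disk (None) is rebuilt from the survivors."""
    failed = [i for i, d in enumerate(disks) if d is None]
    if len(failed) > 1:
        raise IOError("RAID 5 tolerates only a single drive failure")
    n = len(disks)
    n_stripes = len(next(d for d in disks if d is not None))
    out = bytearray()
    for s in range(n_stripes):
        row = [None if d is None else d[s] for d in disks]
        if failed:
            # XOR of all surviving blocks equals the missing block.
            row[failed[0]] = xor_blocks([b for b in row if b is not None])
        for d in range(n):
            if d != parity_disk(s, n):
                out += row[d]
    return bytes(out[:length])


def raid5_scrub(disks):
    """Stripes whose blocks do not XOR to zero. Parity shows that a stripe is
    inconsistent but not which disk holds the bad block."""
    return [s for s in range(len(disks[0]))
            if any(xor_blocks([d[s] for d in disks]))]


if __name__ == "__main__":
    record = b"ledger: debit 100, credit 100"  # constructed sample data
    array = raid5_write(record, 4)
    array[1] = None  # simulate one failed drive
    print(raid5_read(array, len(record)))
```
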

Question No 27
Explain the steps of building of E-R diagram. ( June 2013)(5 Marks)

Answer No 27
The steps of building an E-R diagram are as follows:
• Determine the data entities.
• Generate a list of potential entity relationships or pairings.
• Determine the relationship between the entity and pairings.
• Analyze the significant entity relationships.
• Develop an integrated E-R diagram.
• Define and group the attributes for each data entity.

Question No 28
Explain the parameters which should be considered seriously while designing the output or
generating the report of an information system. ( June 2013)(5 Marks)
Answer No 28
The essential parameters to be considered while designing the output of a system are as follows:
• Content
• Timeliness
• Format
• Media
• Form
• Volume
Content:
It refers to the actual information to be given to the user of the system. The content should be
according to the hierarchical user of management. The content should be very precise and free of
unessential information.
Timeliness:
Information that arrives after the required time is of no use. So time is a very essential factor of output. It
is related to the time/interval at which the required information is to be disseminated to the user.
Format:
It is the arrangement of information on the report. Tabular and graphical layouts are some examples of
presenting information to the user.
Media:
It refers to the actual physical accessories on which the output information is presented. For the
output design the media are the monitor, printed documents, tapes.
Form:
Form in output design is related to the way the information is presented. Sometimes people may
confuse it with the format. Format may be the voice, video or text by which the information is
disseminated.

Question No 29
How can you ensure that the computer system outputs are simple and easy to understand by the
users? Mention some of the guidelines. (December 2014)(5 Marks)
Answer No 29
a) This can be ensured by following some specific norms that are intended to make the system
as human friendly as possible. Those norms or guidelines are:
• Make sure that each report or output screen has a concise, easily understandable title.
• The data and information in reports and output screens should be arranged such that each
section consists of related data and is identified by clear section heads.
• Information in tabular form should have row and column heads or labels.
• Information in charts and graphs should have a proper and clear legend to identify each dataset.
• Things such as special characters, computer jargon and program codes should be avoided on the
output screens and reports.
• Messages should be clear and brief.
• Long reports should be summarized in the beginning and segmented with proper labeling.

Question No 30
What are the steps for data modeling through E-R diagram? ( June 2015)(4 Marks)
Answer No 30

Steps for data modeling through an E-R diagram are as under:
• Determine the data entities.
• Generate a list of potential entity relationships or pairings.
• Determine the relationship between the entity and pairings.
• Analyze the significant entity relationships.
• Develop an integrated E-R diagram.
• Define and group the attributes for each data entity.

Question No 31
Explain briefly the designer level and the consultant level role and function of an IT professional.
( June 2015)(4 Marks)
Answer No 31
1. Designer Level Role
System designers translate system users' business requirements and constraints into technical
solutions. They design the computer files, databases, inputs, outputs, screens, networks, and
programs that will meet the system users' requirements. System designers are interested in
information technology choices and the design of systems within the constraints of the chosen
technology. Today's system designers tend to focus on technical specialties such as databases,
networks, user interfaces, or software. System builders represent another category of information
system development roles. System builders construct the information system components based on
the design specifications from the system designers. In many cases, the system designer and
builder for a component are one and the same. The applications programmer is the classic example
of a system builder. However, other technical specialists may also be involved, such as systems
programmers, database programmers, network administrators, and microcomputer software
specialists. One knowledge worker plays a special role in information systems development, the
systems analyst.
2. Consultant Level Role
Another significant trend in information systems development is the use of consultants. Consulting
is the act of contracting with an outside vendor to assume responsibility for or participate in one or
more IT projects. This differs from outsourcing in that the consulting engagement typically ends
when the project is completed. It is a shorter-term obligation. Also, the consultants work directly
with their client's IT staff on the project. The IT staff members continue to be employees of the
client organization, unlike in outsourcing. Well-known management and systems consulting firms
build information systems and applications for other organizations. Why wouldn't an organization
build all systems through its own information systems unit? Perhaps the information systems unit
is understaffed. Perhaps the unit's management is looking for technical expertise that its own staff
doesn't (yet) possess. Perhaps management is looking for an unbiased opinion and fresh ideas. The
list of reasons is endless. Systems analysts employed by consulting firms are usually called
systems consultants. They are lent (for a fee) to the client for engagements (a consulting term that
means "project") that result in a new system for the client. Once the engagement is completed,
they are reassigned to a new engagement, usually for a different organization. IT consulting firms
represent an attractive employment option for aspiring systems analysts. The engagements tend to
be very challenging and provide a wide variety of exposure and experiences. Also, consulting
firms tend to keep their consultants on the cutting edge of technology and techniques to better
compete for business. For college graduates who are particularly well schooled in the latest
systems analysis and design methods, consulting firms represent an interesting and challenging
employment alternative.

Question No 32
Explain the storage virtualization and its benefits. (December 2016)(5+3=8 Marks)
Answer No 32
Storage virtualization refers to the process of abstracting logical storage from physical storage.
While RAID at the basic level provides this functionality, the term storage virtualization typically
includes additional concepts such as data migration and caching. Storage virtualization is hard to
define in a fixed manner due to the variety of ways in which the functionality can be provided.
Typically, it is provided as a feature of:
• Host Based with Special Device Drivers
• Array Controllers
• Network Switches
• Stand Alone Network Appliances
Each vendor has a different approach in this regard. Another primary way that storage
virtualization is classified is whether it is in-band or out-of-band. In-band (often called symmetric)
virtualization sits between the host and the storage device, allowing caching. Out-of-band (often
called asymmetric) virtualization makes use of special host-based device drivers that first look up
the metadata (indicating where a file resides) and then allow the host to directly retrieve the file
from the storage location. Caching at the virtualization level is not possible with this approach.
General benefits of storage virtualization include:
• Migration – Data can be easily migrated between storage locations without interrupting live
access to the virtual partition with most technologies.
• Utilization – Similar to server virtualization, utilization of storage devices can be balanced to
address over- and under-utilization.
• Management – Many hosts can leverage storage on one physical device that can be centrally
managed.

Some of the disadvantages include:
• Lack of Standards and Interoperability – Storage virtualization is a concept and not a standard.
As a result, vendors' products frequently do not interoperate easily.
• Metadata – Since there is a mapping between logical and physical location, the storage
metadata and its management become key to a working, reliable system.
• Backout – The mapping between logical and physical locations also makes the backout of
virtualization technology from a system a complicated process.

Question No 33
What do you mean by feasibility analysis? (June 2016)(5 Marks)
Answer No 33
Feasibility is the measure of how beneficial or practical the development of an information system
will be to an organization.
Feasibility analysis is the process by which feasibility is measured.
Feasibility should be measured throughout the life cycle. The scope and complexity of an
apparently feasible project can change after the initial problems and opportunities are fully
analyzed or after the system has been designed. Thus, a project that is feasible at one point may
become infeasible later. Some check points for our systems development life cycle are.
If you study your company's project standards or systems development life cycle (SDLC), you'll
probably see a feasibility study phase or deliverable, but not an explicit ongoing process. But look
more closely! There may be various go/no-go checkpoints or management reviews. These
checkpoints and reviews identify specific times during the life cycle when feasibility is reevaluated.
A project can be canceled or revised in scope, schedule, or budget at any of these checkpoints.
Thus, an explicit feasibility analysis phase in any life cycle should be considered to be only an
initial feasibility assessment.
Feasibility checkpoints can be installed into any SDLC being used. The checkpoints are represented
by red diamonds. The diamonds indicate that a feasibility reassessment and management review
should be conducted at the end of the prior phase (before the next phase). A project may be
canceled or revised at any checkpoint, despite whatever resources have been spent.
This idea may bother you at first. Your natural inclination may be to justify continuing a project
based on the time and money you've already spent. A fundamental principle of management is
never to throw good money after bad: cut your losses and move on to a more feasible project. That
doesn't mean the costs already spent are not important. Costs must eventually be recovered if the
investment is ever to be considered a success.

Question No 34
Explain the phases of RAD model. (June 2016)(20 Marks)
Answer No 34
Business modeling: The information flow is identified between various business functions.
Data modeling: Information gathered from business modeling is used to define data objects that
are needed for the business.
Process modeling: Data objects defined in data modeling are converted to achieve the business
information flow to achieve some specific business objective. Descriptions are identified and created
for CRUD of data objects.
Application generation: Automated tools are used to convert process models into code and the
actual system.
Testing and turnover: Test new components and all the interfaces.

Question No 35
What are the major considerations while designing high availability mechanism of the
information system? Explain in brief. (June 2016)(5 Marks)
Answer No 35
The major considerations while designing high availability mechanism of an information system
are:
i. Hardware Redundancy: use of replicated hardware such as servers, storage devices and
network devices so that the system continues functioning even if one complete hardware
set fails.
ii. Power Redundancy: power is a major cause of failures, especially in situations like
ours where power supply is very unreliable. So, dual power for each piece of equipment from
dual power sources (battery banks, UPS, generators, city supply) is critical.
iii. Network Redundancy: Since systems are accessed by end users over the network, network
redundancy is equally important. More than one connection to the system
servers from the organizational network is critical to make sure the network
connectivity to the systems is always available.
iv. Software Capability: The system application or software should also be capable of
high availability. For example, the back-end database of one system should be
synchronized live with the redundant system. The database management software
should have this data synchronization capability. Other software components should
also have such capability.
v. Geographical Redundancy: It is highly recommended to install the two sets of the system
in geographically diverse locations, preferably in different seismic zones. This
makes the system less vulnerable to natural or man-made disasters such as earthquakes,
floods, building collapses, power grid failures, vandalism etc.

Question No 36
Write short notes on Entity relationship diagram (June 2016)(5 Marks)
Answer No 36
An entity-relationship diagram is a data modeling technique that creates an illustration of an
information system's entities and the relationships between those entities.
As noted above, there are 3 ingredients in a standard entity-relationship diagram:
• Entities, which represent people, places, items, events, or concepts.
• Attributes, which represent properties or descriptive qualities of an entity. These are also
known as data elements.
• Relationships, which represent the link between different entities.
Entities, attributes, and relationships can be represented in one of three ways: with a
conceptual model, logical model, or physical model. These models increase in complexity as
you move from conceptual to logical to physical. It's usually best to start with a conceptual
ERD model, so you can understand—at the highest level—the entities in your data and how
they relate to each other. As you transform a conceptual ERD to a physical model, you'll learn
exactly how to implement modeled information into the database of your choice. See our
Entity-relationship diagram tutorial page for more information.

Question No 37
Write short notes on Final acceptance testing (June 2016)(5 Marks)
Answer No 37
Final Acceptance Testing is conducted when the system is just ready for implementation.
During this testing, it is ensured that the new system satisfies the quality standards adopted by
the business and the system satisfies the users. Thus, the final acceptance testing has two
major parts:
a. Quality Assurance Testing: It ensures that the new system satisfies the prescribed
quality standards and the development process is as per the organization's quality assurance
methodology.
b. User Acceptance Testing: It ensures that the functional aspects expected by the users
have been well addressed in the new system. There are two types of user acceptance
testing:
o Alpha Testing: This is the first stage, often performed by the users within the organization.
o Beta Testing: This is the second stage, generally performed by the external users. This is the
last stage of testing, and normally involves sending the product outside the development
environment for real world exposure.

Question No 38
Write short notes on Benefits of RAID (June 2016)(5 Marks)
Answer No 38
The major benefits of RAID technology are:
• RAID can combine small disks to create a large virtual disk. This makes it possible
to create large storage space using small disks without investing much in new high-capacity
disks.
• RAID can also create redundancy. Different levels of redundancy can be achieved.
Simple concatenation with parity can create a volume where any one disk can be removed
without losing data.
• For a higher level of redundancy, the disk mirroring RAID level can be used. In this level,
whole disk volumes are replicated on separate disks. Failure of one whole set does not result
in loss of data.
• Based on the necessity, different RAID levels can be configured to achieve high
capacity, high reliability or a combination of both using available, inexpensive disks.
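
The parity claim above (any one disk can be removed without losing data) can be checked with a small simulation. This is an added example, not part of the suggested answer; it assumes a striped layout with one dedicated XOR parity disk, and the function names and sample data are constructed for illustration.

```python
from functools import reduce


def xor_blocks(blocks):
    """XOR equal-length byte blocks together, position by position."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_parity_volume(data, data_disks, block_size):
    """Stripe data over data_disks disks and append one parity disk.

    Each disk is a list of blocks. Block k of the parity disk is the XOR of
    block k on every data disk (assumed layout: dedicated parity disk).
    """
    if data_disks < 2:
        raise ValueError("need at least two data disks")
    stripe_bytes = data_disks * block_size
    padded = data + b"\x00" * (-len(data) % stripe_bytes)
    disks = [[] for _ in range(data_disks + 1)]
    for offset in range(0, len(padded), stripe_bytes):
        stripe = [padded[offset + i * block_size: offset + (i + 1) * block_size]
                  for i in range(data_disks)]
        for disk, block in zip(disks, stripe):
            disk.append(block)
        disks[-1].append(xor_blocks(stripe))
    return disks


def read_volume(disks, length):
    """Read the logical volume back; a failed disk is represented by None."""
    failed = [i for i, disk in enumerate(disks) if disk is None]
    if len(failed) > 1:
        raise ValueError("single parity cannot recover two failed disks")
    if failed:
        survivors = [disk for disk in disks if disk is not None]
        # XOR of all surviving blocks in a stripe equals the missing block.
        rebuilt = [xor_blocks(stripe) for stripe in zip(*survivors)]
        disks = disks[:failed[0]] + [rebuilt] + disks[failed[0] + 1:]
    data = b"".join(block for stripe in zip(*disks[:-1]) for block in stripe)
    return data[:length]


def usable_capacity(disk_sizes, layout):
    """Usable space for the three trade-offs named in the answer."""
    smallest = min(disk_sizes)
    if layout == "concatenation":      # capacity only, no redundancy
        return sum(disk_sizes)
    if layout == "parity":             # one disk's worth of space holds parity
        return (len(disk_sizes) - 1) * smallest
    if layout == "mirror":             # every disk holds a full copy
        return smallest
    raise ValueError(f"unknown layout {layout!r}")


if __name__ == "__main__":
    sample = b"CONSTRUCTED SAMPLE: ledger batch 0001"
    volume = build_parity_volume(sample, data_disks=3, block_size=4)
    for lost in range(len(volume)):
        damaged = list(volume)
        damaged[lost] = None
        print(lost, read_volume(damaged, len(sample)) == sample)
```
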

Question No 39
What are the essential parameters to be considered while designing the output of an
information system? (December 2017)(7 Marks)
Answer No 39
The essential parameters to be considered while designing the output of a system are as
follows:
• Content
• Timeliness
• Format
• Media
• Form
• Volume

Content:
It refers to the actual information to be given to the user of the system. The content should be
suited to the user's level in the management hierarchy. The content should be very precise and free
of unessential information.
Timeliness:
Information that arrives after the required time is of no use, so time is a very essential factor of
output. Timeliness relates to the time or interval at which the required information is to be
disseminated to the user.
Format:
It is the arrangement of information on the report. Tabular and graphical layouts are examples
of ways of presenting information to the user.
Media:
It refers to the actual physical medium on which the output information is presented. For
output design, the media are the monitor, printed documents and tapes.
Form:
Form in output design relates to the way the information is presented. Sometimes people may
confuse it with the format. Format may be the voice, video or text by which the information is
disseminated.
Volume:

Question No 40
Election commission hired you as the Information System consultant for the analysis of
election processes. Various types of report have to be generated for different type of user.
Describe the important factors that have to be considered while designing the report.
(June 2017)(10 Marks)
Answer No 40
The reports to be generated for the election process are highly sensitive. The accuracy and
timing of the reports are very crucial. The essential factors to be considered while designing
the reports of the election commission are listed below:
• Content
• Timeliness
• Format
• Media
• Volume
Content:
It refers to the actual information to be given to the general public as well as to the various levels
of officials in the Election Commission. The content should be very precise and free of
unessential information. The type of content to be disseminated to the public and to Election
Commission officials varies. The general public is more concerned about the result of the election,
whereas Election Commission officials need analytical reports as well.
Timeliness:
Information that arrives after the required time is of no use even in the general case. In the case of
an election, the timing of the information is highly crucial. The periodicity of the results and
information has to be confirmed and followed accordingly.
Format:
It is the arrangement of information about the election process on the report. Tabular and
graphical layouts are examples of ways of presenting information to the user. Sometimes a text
report is equally important. So it depends upon the type of user at which the report is targeted.
Media:
It refers to the actual physical medium on which the output information is presented. For
output design, the monitor, printed documents, internet, digital display,
mobile, radio, television and social media are some of the media through which the information
can be disseminated. For the general public, the display of results might be sufficient, but for
EC officials a printed or soft copy of the report would be better.
Volume: The amount of information to be released is associated with volume. For the instant
dissemination of the election process, a small and precise volume is better. However, during
analysis or for managerial purposes the full content is better. The volume of content
also depends upon the media through which the information is released and the target users
of the information. So while disseminating the information, the amount of content has to be
checked precisely without distorting essential content.

Question No 41
Write short notes on: Mirroring (June 2018)(5 Marks)
Answer No 41
In data storage, disk mirroring or RAID1 is the replication of logical disk volumes onto
separate physical hard disks in real time to ensure continuous availability. A mirrored volume
is a complete logical representation of separate volume copies. In a Disaster Recovery
context, mirroring data over long distance is referred to as storage replication. Depending on
the technologies used, replication can be performed synchronously, asynchronously,
semi-synchronously, or point-in-time. Replication is enabled via microcode on the disk array
controller or via server software. It is typically a proprietary solution, not compatible between
various storage vendors. Mirroring is typically only synchronous. Synchronous writing
typically achieves a Recovery Point Objective (RPO) of zero lost data. Asynchronous
replication can achieve an RPO of just a few seconds while the other methodologies provide
an RPO of a few minutes to perhaps several hours. In addition to providing an additional copy
of the data for the purpose of redundancy in case of hardware failure, disk mirroring can
allow each disk to be accessed separately for reading purposes. Under certain circumstances,
this can significantly improve performance as the system can choose for each read which disk
can reach the required data most quickly. This is especially significant where there are
several tasks competing for data on the same disk, and thrashing (where the switching
between tasks takes up more time than the task itself) can be reduced. This is an important
consideration in hardware configurations that frequently access the data on the disk.

Question No 42
Write short notes on: Artificial Neural Network (June 2018)(5 Marks)
Answer No 42
Artificial neural networks are one of the main tools used in machine learning. As the "neural" part
of their name suggests, they are brain-inspired systems which are intended to replicate the way that
we humans learn. Neural networks consist of input and output layers, as well as (in most cases) a
hidden layer consisting of units that transform the input into something that the output layer can
use. They are excellent tools for finding patterns which are far too complex or numerous for a
human programmer to extract and teach the machine to recognize.
While neural networks (also called "perceptrons") have been around since the 1940s, it is only in
the last several decades that they have become a major part of artificial intelligence. This is due to
the arrival of a technique called "backpropagation," which allows networks to adjust their hidden
layers of neurons in situations where the outcome doesn't match what the creator is hoping for –
like a network designed to recognize dogs, which misidentifies a cat, for example.
Another important advance has been the arrival of deep learning neural networks, in which
different layers of a multilayer network extract different features until it can recognize what it is
looking for.

Chapter 6:

E-Commerce and Inter organizational Systems

Question No 1:
Write short note on
Digital Technology for the analysis of economic activity
(June 2006)(5 Marks)
Answer No 1:
Various types of computer-aided tools and information systems can be incorporated together for the
analysis of different types of financial activity, which are applicable to almost all functional
departments of an enterprise. Moreover, they can capture the pertinent data and disseminate it to
the relevant persons and departments for analysis, to generate constructive reports.
Digital technology can be used in the following cases for the analysis of economic activity:
• Financial planning
• Ratio analysis: profitability ratio, liquidity ratio, efficiency ratio
For these, the generalized formulae can be programmed and used
whenever needed by entering the numerical values. For example, the analysis can be done for each
year, for 5-10 year projections, etc.

Question No 2:
What is e-commerce? Explain various categories of e-commerce. (December 2011) (5 Marks) .
( June 2011)(7 Marks)
Answer No 2:
E-commerce is the use of the internet and the web to transact business. More formally, digitally
enabled commercial transactions between and among organizations and individuals is e-commerce.
E-commerce is more than just buying and selling products online. It encompasses the entire online
process of developing, marketing, selling, delivering, servicing and paying for goods or services
transacted on an internetworked, global marketplace of customers with the support of a worldwide
network of business partners.
Basic categories of electronic commerce applications:
• Business-to-Consumer (B2C) e-Commerce:
In this form of electronic commerce, businesses must develop attractive electronic marketplaces to
entice and sell products and services to customers. Companies may offer:
1. E-commerce websites that provide virtual storefronts and multimedia catalogs.
2. Interactive order processing
3. Secure electronic payment systems
4. Online customer support
Amazon.com is an example of a B2C e-commerce site.
• Business-to-Business (B2B) e-Commerce:
This category of electronic commerce involves both electronic business marketplaces and direct
market links between businesses. Companies may offer:
1. Secure Internet or extranet e-commerce websites for their business customers and suppliers.
2. Electronic data interchange (EDI) via the Internet or extranets for computer-to-computer
exchange of e-commerce documents with their larger business customers and suppliers.
3. B2B e-commerce portals that provide auction and exchange markets for businesses.
esteel.com is an example of B2B e-commerce.
• Consumer-to-Consumer (C2C) e-Commerce:
C2C e-commerce provides a way for consumers to sell to and buy from each other. In C2C e-commerce
the consumer prepares the product for market, places the product for auction or sale and relies on
the market maker to provide catalog, search engine and transaction clearing capabilities so that
the product can be easily displayed, discovered and paid for. Successful online auctions like e-Bay
allow consumers (and businesses) to buy and sell with each other in an auction process at an
auction website.
• P2P: Peer-to-peer technology enables internet users to share files and computer resources
directly without having to go through a central web server. Napster.com, which was established
to aid internet users in finding and sharing online music files known as MP3 files, is an
example of peer-to-peer e-commerce.
• M-Commerce: Mobile commerce refers to the use of wireless digital devices to enable
transactions on the web.

Question No 3:
Answer the following questions C2C (Old syllabus, December 2011)(5 Marks)
Answer No 3:
C2C, which is the abbreviated form of consumer to consumer, is a model of e-commerce. In this
type of e-commerce, one consumer can sell his product, which may be new or used, to another
consumer located in any part of the globe. The payment mechanism in this system can be any
electronic process using a third-party system.

Online auction is the best example of C2C. www.ebay.com is an example of an online auction in
which people can put their products up for auction. Any person who is interested in the product can
purchase or bid on the product. The site owner benefits in this system by charging
commission to the seller.

Question No 4:
Define e-commerce. Explain the secure electronic payment system with many payment
alternatives. (December 2012)(7 Marks)
Answer No 4:
E-commerce is the use of the internet and the web to transact business. More formally, it is digitally
enabled commercial transactions between and among organizations and individuals.
E-commerce is more than just buying and selling products online. It encompasses the entire online
process of developing, marketing, selling, delivering, servicing and paying for goods or services
transacted on an internetworked, global marketplace of customers with the support of a worldwide
network of business partners.

Fig below shows the secure electronic payment system with many payment alternatives

A payment gateway server facilitates the transfer of information between a payment portal (such
as a website, mobile phone or IVR service) and the Front End Processor or acquiring bank.
When a customer orders a product from a payment gateway-enabled merchant, the payment
gateway performs a variety of tasks to process the transaction:
• A customer places an order on the website by pressing the 'Submit Order' or equivalent button, or
perhaps enters their card details using an automatic phone answering service.
• If the order is via a website, the customer's web browser encrypts the information to be sent
between the browser and the merchant's web server. This is done via SSL (Secure Socket
Layer) encryption.
• The merchant then forwards the transaction details to their payment gateway. This is
another SSL encrypted connection to the payment server hosted by the payment gateway.
• The payment gateway forwards the transaction information to the payment processor used by
the merchant's acquiring bank.
• The payment processor forwards the transaction information to the card association (e.g.,
Visa/MasterCard).
• The credit card issuing bank receives the authorization request and does fraud and credit or
debit checks and then sends a response back to the processor (via the same process as the
request for authorization) with a response code (e.g., approved, denied). In addition to
communicating the fate of the authorization request, the response code is used to define the
reason why the transaction failed (such as insufficient funds, or bank link not available).
Meanwhile, the credit card issuer holds an authorization associated with that merchant and
consumer for the approved amount. This can impact the consumer's ability to spend further
(e.g., because it reduces the line of credit available or because it puts a hold on a portion of the
funds in a debit account).
• The processor forwards the authorization response to the payment gateway.
• The payment gateway receives the response, and forwards it on to the website (or whatever
interface was used to process the payment) where it is interpreted as a relevant response then
relayed back to the merchant and cardholder. This is known as the Authorization or "Auth".
• The merchant then fulfills the order and the above process is repeated but this time to "Clear"
the authorization by consummating the transaction. Typically the "Clear" is initiated only
after the merchant has fulfilled the transaction (e.g., shipped the order). This results in the
issuing bank 'clearing' the 'auth' (i.e., moving the auth-hold to a debit) and preparing to settle
with the merchant's acquiring bank.
• The merchant submits all their approved authorizations, in a "batch" (e.g., at the end of the day), to
their acquiring bank for settlement via its processor.
• The acquiring bank makes the batch settlement request of the credit card issuer.
• The credit card issuer makes a settlement payment to the acquiring bank (e.g., the next day).
• The acquiring bank subsequently deposits the total of the approved funds into the merchant's
nominated account (e.g., the day after). This could be an account with the acquiring bank if the
merchant does their banking with the same bank, or an account with another bank.
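
The three stages described above (authorization hold, clear, batch settlement) are modelled below as a small state machine. This is an added example, not part of the suggested answer; the class names, response strings and amounts are constructed for illustration, and the merchant and its acquiring bank are collapsed into one object.

```python
from dataclasses import dataclass, field


@dataclass
class IssuingBank:
    """Card issuer: performs the credit check and tracks authorization holds."""
    credit_limit: int                 # minor currency units, constructed value
    posted: int = 0                   # cleared debits on the cardholder account
    paid_out: int = 0                 # settlement payments made to acquirers
    holds: dict = field(default_factory=dict)   # auth_id -> amount on hold

    def available(self):
        # Holds reduce spending power even though no money has moved yet.
        return self.credit_limit - self.posted - sum(self.holds.values())

    def authorize(self, auth_id, amount):
        if auth_id in self.holds:
            return "denied: duplicate authorization"
        if amount <= 0:
            return "denied: invalid amount"
        if amount > self.available():
            return "denied: insufficient funds"
        self.holds[auth_id] = amount
        return "approved"

    def clear(self, auth_id):
        # Move the auth-hold to a debit; unknown or already-cleared ids fail.
        if auth_id not in self.holds:
            raise ValueError(f"no open authorization {auth_id!r}")
        amount = self.holds.pop(auth_id)
        self.posted += amount
        return amount

    def pay_settlement(self, total):
        # The issuer only pays for amounts that were actually cleared.
        if total > self.posted - self.paid_out:
            raise ValueError("settlement exceeds cleared debits")
        self.paid_out += total
        return total


# Hops named in the answer, in request order; responses travel the reverse way.
REQUEST_PATH = ("merchant", "payment gateway", "payment processor",
                "card association", "issuing bank")


class MerchantAccount:
    """Merchant plus its acquiring bank (simplification for this example)."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.auths = {}        # auth_id -> amount approved, order not yet fulfilled
        self.batch = []        # cleared (auth_id, amount) pairs awaiting settlement
        self.deposited = 0     # funds credited to the merchant's nominated account
        self.log = []          # (message, auth_id, path) audit trail

    def authorize(self, auth_id, amount):
        self.log.append(("auth request", auth_id, REQUEST_PATH))
        code = self.issuer.authorize(auth_id, amount)
        self.log.append((code, auth_id, REQUEST_PATH[::-1]))
        if code == "approved":
            self.auths[auth_id] = amount
        return code

    def fulfil_and_clear(self, auth_id):
        # "Clear" is only valid for an order that holds an approved "Auth".
        if auth_id not in self.auths:
            raise ValueError(f"{auth_id!r} was never approved")
        amount = self.issuer.clear(auth_id)
        del self.auths[auth_id]
        self.batch.append((auth_id, amount))
        return amount

    def settle_batch(self):
        total = sum(amount for _, amount in self.batch)
        if total:
            self.deposited += self.issuer.pay_settlement(total)
        self.batch.clear()
        return total


def run_demo():
    issuer = IssuingBank(credit_limit=10_000)
    shop = MerchantAccount(issuer)
    results = {"order_1": shop.authorize("A1", 6_000)}
    results["available_after_hold"] = issuer.available()
    results["order_2"] = shop.authorize("A2", 5_000)   # exceeds what the hold left
    shop.fulfil_and_clear("A1")
    results["posted_after_clear"] = issuer.posted
    results["settled"] = shop.settle_batch()
    results["deposited"] = shop.deposited
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```
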

Question No 5
Write short notes on Electronic fund transfer (June 2012)(5 Marks)
Answer No 5
Electronic Funds Transfer (EFT) is a system of transferring money from one bank account directly
to another without any paper money changing hands. One of the most widely-used EFT programs
is Direct Deposit, in which payroll is deposited straight into an employee's bank account, although
EFT refers to any transfer of funds initiated through an electronic terminal, including credit card,
ATM, and point-of-sale (POS) transactions. It is used for both credit transfers, such as payroll
payments, and for debit transfers, such as mortgage payments.

The growing popularity of EFT for online bill payment is paving the way for a paperless universe
where checks, stamps, envelopes, and paper bills are obsolete. The benefits of EFT include
reduced administrative costs, increased efficiency, simplified bookkeeping, and greater security.
However, the number of companies who send and receive bills through the Internet is still
relatively small.

Question No 6
What are the major categories of electronic commerce? Explain each in brief.
(Old Syllabus, June 2012)(6 Marks)
Answer No. 6
The major categories of e-commerce are:
1. Business to Business (B2B) – this involves transactions between two businesses or
corporations. The two businesses could be business partners or have any other business
relation.
2. Business to Customers (B2C) – this involves transactions between a business and end users.
This is perhaps the most widely used form of e-commerce in terms of number of users and
number of transactions. Amazon is one of the pioneering examples of this type of
electronic commerce.
3. Customers to Customers (C2C) – this is concerned with electronic transactions and trade
among end-users, or person-to-person commerce. eBay is a fine example of a platform
supporting this modality.

Question No 7
Why is e-commerce gaining popularity nowadays? List out the payment mechanisms commonly
used in e-commerce. (December 2013)(7 Marks)
Answer No 7
E-commerce, or electronic commerce, is defined as the exchange of commodities between
consumer and seller with the help of electronic media instead of the traditional channels of business.
The use of digital technology in the purchase and sale of products and services, bringing the
consumer and trader together, is the main philosophy of e-commerce. As e-commerce facilitates
the trading between people or organizations in any part of the globe at the click of a computer,
it is becoming very popular.
One of the major concerns of e-commerce is the way payment is made during the course of
business. The payment mechanism in e-commerce can be any one of the following:
Digital Credit Card:
It is the extension of the credit card to the internet so that it can be used for online payment. The
information transmitted through the Internet is protected for the merchant, consumer and processing
bank by authorization and authentication.
Digital wallet:
A digital wallet makes paying for purchases over the web more efficient by eliminating the need for
shoppers to repeatedly enter their address and credit card information each time they buy
something. A digital wallet securely stores credit card and owner identification information and
provides that information at an electronic commerce site. The digital wallet enters the shopper’s
name, credit card number and shipping information automatically when invoked to complete the
purchase.
Micropayment:
It was developed for payments of less than $10, as such payments are too small to make
through credit cards. Accumulated balance payment systems facilitate such small
payments on the web by accumulating them on a debit card or credit card.
Stored value payment systems:
They enable consumers to make instant online payments to merchants and other individuals based
on value stored in a digital account. Online value systems rely on the value stored in a consumer’s
bank, checking or credit card account, and some of these systems require the use of a digital wallet.
Digital cash:
Digital cash, which is also known as e-cash, can be used for micropayments or larger purchases.
It is currency represented in electronic form that moves outside the normal network of money.
Users are supplied with client software and can exchange money with another e-cash user over
the internet or with a retailer accepting e-cash.

Question No 8
Write in brief about the features of e-commerce in terms of Ubiquity, Global Reach and
Information Density. (June 2014)(9 Marks)
Answer No 8
Ubiquity
In traditional commerce, a marketplace is a physical place you visit in order to transact. For
example, television and radio typically motivate the consumer to go someplace to make a
purchase. E-commerce, in contrast, is characterized by its ubiquity: it is available just about
everywhere, at all times. It liberates the market from being restricted to a physical space and
makes it possible to shop from your desktop, at home, at work, or even from your car, using
mobile commerce. The result is called a marketspace, a marketplace extended beyond traditional
boundaries and removed from a temporal and geographic location. From a consumer point of
view, ubiquity reduces transaction costs—the costs of participating in a market. It is no longer
necessary that you spend time and money traveling to a market. At a broader level, the ubiquity of
e-commerce lowers the cognitive energy required to transact in a marketspace. Cognitive energy
refers to the mental effort required to complete a task. Humans generally seek to reduce cognitive
energy outlays.
Global Reach
E-commerce technology permits commercial transactions to cross cultural and national boundaries
far more conveniently and cost-effectively than is true in traditional commerce. The total number
of users or customers an e-commerce business can obtain is a measure of its reach.
In contrast, most traditional commerce is local or regional—it involves local merchants or national
merchants with local outlets. Television and radio stations, and newspapers, for instance, are
primarily local and regional institutions with limited but powerful national networks that can
attract a national audience. In contrast to e-commerce technology, these older commerce
technologies do not easily cross national boundaries to a global audience.
Information Density
The Internet and the Web vastly increase information density—the total amount and quality of
information available to all market participants, consumers, and merchants alike. E-commerce
technologies reduce information collection, storage, processing, and communication costs. At the
same time, these technologies increase greatly the currency, accuracy, and timeliness of
information—making information more useful and important than ever. As a result, information
becomes more plentiful, less expensive, and of higher quality. A number of business consequences
result from the growth in information density. In e-commerce markets, prices and costs become
more transparent. Price transparency refers to the ease with which consumers can find out the
variety of prices in a market; cost transparency refers to the ability of consumers to discover the
actual costs merchants pay. But there are advantages for merchants as well. Online merchants can
discover much more about consumers; this allows merchants to segment the market into groups
willing to pay different prices and permits them to engage in price discrimination—selling the
same goods, or nearly the same goods, to different targeted groups at different prices. For instance,
an online merchant can discover a consumer’s avid interest in expensive exotic vacations, and then
pitch expensive exotic vacation plans to that consumer at a premium price, knowing this person is
willing to pay extra for such a vacation. At the same time, the online merchant can pitch the same
vacation plan at a lower price to more price-sensitive consumers (Shapiro and Varian, 1999).
Merchants also have enhanced abilities to differentiate their products in terms of cost, brand, and
quality.

Question No 9
Write short notes on Comparison between B2B and B2C (June 2014)(5 Marks)
Answer No 9
| S.N | B2B | C2C |
|---|---|---|
| 1. | B2B is the process of selling goods and services through the internet among businesses. | C2C is the process of selling goods and services electronically through the internet directly from consumer to consumer. |
| 2. | It reduces the cost of distributors and other middle parties while selling commodities to the business. | It enables the selling of the used product of one consumer to another consumer at a comparatively lower price. |
| 3. | The company’s own website can be one selling spot. | Third-party web portals can be used for the selling and purchase of the commodities. |
| 4. | Payment mechanism can be any one of: digital credit card, digital cash, accumulated balance digital payment system. | Normally the credit card system is used as the payment mechanism. |
| 5. | e.g. www.milpro.com, www.alibaba.com | e.g. www.ebay.com, www.monster.com |

Question No 10
Write short notes on Secure electronic payments (June 2014)(5 Marks)
Answer No 10
When you make an online purchase on the Internet, your credit card information is vulnerable to
interception by network sniffers, software that easily recognizes credit card number formats.
Several basic security measures are being used to solve this security problem: (1) encrypt (code and
scramble) the data passing between the customer and merchant, (2) encrypt the data passing
between the customer and the company authorizing the credit card transaction, or (3) take sensitive
information off-line.
For example, many companies use the Secure Socket Layer (SSL) security method developed by
Netscape Communications that automatically encrypts data passing between your Web browser and
a merchant's server. However, sensitive information is still vulnerable to misuse once it's decrypted
(decoded and unscrambled) and stored on a merchant's server, so a digital wallet payment system
was developed. In this method, you add security software add-on modules to your Web browser.
That enables your browser to encrypt your credit card data in such a way that only the bank that
authorizes credit card transactions for the merchant gets to see it. All the merchant is told is
whether your credit card transaction is approved or not. The Secure Electronic Transaction (SET)
standard for electronic payment security extends this digital wallet approach. In this method,
software encrypts a digital envelope of digital certificates specifying the payment details for each
transaction. VISA, MasterCard, IBM, Microsoft, Netscape, and most other industry players have
agreed to SET. Therefore, a system like SET may become the standard for secure electronic
payments on the Internet.
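
The answer above notes that card numbers have a recognizable format and remain exposed once they are decrypted and stored on the merchant's server. As an added example (not part of the original suggested answer), the following Python sketch shows the defensive use of that fact: it scans application log lines for values that look like card numbers, confirms them with the Luhn checksum, and masks them before the log is kept. The log lines and all function names are constructed for illustration.

```python
import re

# Candidate card numbers: 13 to 19 digits, optionally separated by single spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by payment cards."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        value = int(char)
        if position % 2 == 1:          # double every second digit from the right
            value *= 2
            if value > 9:
                value -= 9
        total += value
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits; replace the rest with '*'."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def redact_line(line: str):
    """Return (redacted_line, number_of_card_numbers_found) for one log line."""
    found = 0

    def replace(match):
        nonlocal found
        digits = re.sub(r"[ -]", "", match.group(0))
        if not luhn_valid(digits):
            return match.group(0)      # a long number, but not a card number: keep it
        found += 1
        return mask(digits)

    return CANDIDATE.sub(replace, line), found


def scan(lines):
    """Redact every line and report which line numbers contained card data."""
    redacted, hits = [], []
    for number, line in enumerate(lines, start=1):
        new_line, found = redact_line(line)
        redacted.append(new_line)
        if found:
            hits.append(number)
    return redacted, hits


# Constructed sample log. 4111 1111 1111 1111 is a widely published test number.
SAMPLE_LOG = [
    "2014-06-01 10:02:11 order=1001 status=approved",
    "2014-06-01 10:02:12 DEBUG payment form card=4111 1111 1111 1111 exp=12/16",
    "2014-06-01 10:02:13 tracking=1234567890123456 carrier=post",
    "2014-06-01 10:02:14 retry card=4111-1111-1111-1111",
]

if __name__ == "__main__":
    cleaned, flagged = scan(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print("lines with card data:", flagged)
```

The Luhn check is what keeps the 16-digit tracking number on the third line from being treated as card data.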

Question No 11
Explain e-commerce with its advantages. (December 2014)(5 Marks)
Answer No 11
E-commerce (electronic commerce or EC) is the buying and selling of goods and services, or the
transmitting of funds or data, over an electronic network, primarily the Internet. These business
transactions occur business-to-business, business-to-consumer, consumer-to-consumer or
consumer-to-business.
E-commerce is conducted using a variety of applications, such as email, fax, online catalogs and
shopping carts, Electronic Data Interchange (EDI), File Transfer Protocol, and Web services. Most
of this is business-to-business, with some companies attempting to use email and fax.
The benefits of e-commerce include its around-the-clock availability, the speed of access, a wider
selection of goods and services, accessibility, and international reach. Its perceived downsides
include sometimes-limited customer service, not being able to see or touch a product prior to
purchase, and the necessitated wait time for product shipping.
The advantages of e-commerce allow a business of virtually any size that is located virtually
anywhere on the planet to conduct business with just about anyone, anywhere. Imagine a small
olive oil manufacturer in a remote village in Italy selling its wares to major department stores and
specialty food shops in New York, London, Tokyo, and other large metropolitan markets. The
power of e-commerce allows geophysical barriers to disappear, making all consumers and
businesses on Earth potential customers and suppliers.

Question No 12
Describe the various payment mechanisms of e-commerce. (June 2015)(7 Marks)
Answer No 12
E-commerce, or electronic commerce, is defined as the exchange of commodities between
consumer and seller with the help of electronic media instead of the traditional channels of business.
The payment mechanism in e-commerce can be any one of the following:
Digital Credit Card:
It is the extension of the credit card to the internet so that it can be used for online payment. The
information transmitted through the internet is protected for the merchant, consumer and processing
bank by authorization and authentication.
Digital wallet:
A digital wallet makes paying for purchases over the web more efficient by eliminating the need for
shoppers to repeatedly enter their address and credit card information each time they buy
something. A digital wallet securely stores credit card and owner identification information and
provides that information at an electronic commerce site. The digital wallet enters the shopper’s
name, credit card number and shipping information automatically when invoked to complete the
purchase.
Micropayment:
It was developed for payments of less than $10, as such payments are too small to make
through credit cards. Accumulated balance payment systems facilitate such small
payments on the web by accumulating them on a debit card or credit card.
Stored value payment systems:
They enable consumers to make instant online payments to merchants and other individuals based
on value stored in a digital account. Online value systems rely on the value stored in a consumer’s
bank, checking or credit card account, and some of these systems require the use of a digital wallet.
Digital cash:
Digital cash, which is also known as e-cash, can be used for micropayments or larger purchases.
It is currency represented in electronic form that moves outside the normal network of money.
Users are supplied with client software and can exchange money with another e-cash user over
the internet or with a retailer accepting e-cash.

Question No 13
Write short notes on Disk Mirroring (June 2015)(5 Marks)
Answer No 13
In data storage, disk mirroring or RAID1 is the replication of logical disk volumes onto separate
physical hard disks in real time to ensure continuous availability. A mirrored volume is a complete
logical representation of separate volume copies. In a Disaster Recovery context, mirroring data
over long distance is referred to as storage replication. Depending on the technologies used,
replication can be performed synchronously, asynchronously, semi-synchronously, or point-in-time.
Replication is enabled via microcode on the disk array controller or via server software. It is
typically a proprietary solution, not compatible between various storage vendors.
Mirroring is typically only synchronous. Synchronous writing typically achieves a Recovery Point
Objective (RPO) of zero lost data. Asynchronous replication can achieve an RPO of just a few
seconds while the remaining methodologies provide an RPO of a few minutes to perhaps several
hours. In addition to providing an additional copy of the data for the purpose of redundancy in
case of hardware failure, disk mirroring can allow each disk to be accessed separately for reading
purposes. Under certain circumstances, this can significantly improve performance as the system
can choose for each read which disk can seek most quickly to the required data. This is especially
significant where there are several tasks competing for data on the same disk, and thrashing
(where the switching between tasks takes up more time than the task itself) can be reduced. This is
an important consideration in hardware configurations that frequently access the data on the disk.
In some implementations, the mirrored disk can be split off and used for data backup, allowing the
first disk to remain active. However, merging the two disks then may require a synchronization
period if any write I/O activity has occurred to the mirrored disk.

Question No 14
Explain about the essential features of a good e-commerce website. (December 2015)(7 Marks)
Answer No 14
Some features that should be available in an e-commerce website for its effective operation are:
• Login and authorization
• Searching of the Products
• Product Details
• Payment Mechanism
• Profiling and Personalization
• Event Notifications

Login and Authorization:
This feature allows users to log in to the system after validation of the username and password.
People without a valid username and password can see just the basic information about the
e-commerce website, but once they have a system username and password they can initiate any process in
the system. The system also facilitates the creation of a new username and password.
Searching of the Product:
As the virtual web front lists a large variety of products, people might be unable to find the
product of their choice, so an effective product search mechanism should be
available in the website. Conditions can be applied in the search.
Product Details and Catalogue:
Once the client finds a product, the website should give detailed information about the product,
with a possible 2D/3D or video view, along with all essential information and procedures.

Payment Mechanism:
The payment mechanism and procedures should be clear to every user. Whether it is an electronic
payment procedure or cash on delivery, it should be documented properly.
Profiling and Personalization:
The user's personal behavior in selling or buying products or accessing the product catalogue should be
tracked for future personalization. This will be helpful for the promotion of new or related
products to that user in the future.
Event Notifications:
It is the procedure of informing the client about the completion of any event. This helps in
ensuring the completion of the process. It can be done by email, phone, etc.

Question No 15
Write short notes on Risk Assessment (December 2015)(5 Marks)
Answer No 15
Risk Assessment: A risk assessment activity can provide an effective approach that acts as the
foundation for avoiding disasters. Risk assessment is also termed a critical step in disaster
and business continuity planning. Risk assessment is necessary for developing a well-tested
contingency plan. In addition, Risk assessment is the analysis of threats to resources (assets) and
the determination of the amount of protection necessary to adequately safeguard the resources, so
that vital systems, operations, and services can be resumed to normal status in the minimum time in
case of a disaster. Disasters may lead to vulnerable data and crucial information suddenly becoming
unavailable. The unavailability of data may be due to the non-existence or inadequate testing of the
existing plan.

Risk assessment is a useful technique to assess the risks involved in the event of unavailability of
information, to prioritize applications, identify exposures and develop recovery scenarios.

Question No 16
Write short notes on Types of System Testing (December 2015)(5 Marks)
Answer No 16
Types of System Testing: System testing is a process in which software and other system elements
are tested as a whole. Major types of system testing that might be carried out, are given as follows:
Recovery Testing: This is the activity of testing “how well the application is able to recover from
crashes, hardware failures and other problems”. Similarly, recovery testing is the forced failure
of the software in a variety of ways to verify that recovery is properly performed.
Security Testing: This is the process of determining whether an information system protects data and
maintains functionality as intended. The six basic security concepts that need to be covered
by security testing are: confidentiality, integrity, availability, authentication, authorization and
non-repudiation. This testing technique also ensures the existence and proper execution of access
controls in the new system.
Stress or Volume Testing: Stress testing is a form of testing that is used to determine the stability
of a given system or entity. It involves testing beyond normal operational capacity, often to a
breaking point, in order to observe the results. Stress testing may be performed by testing the
application with a large quantity of data during peak hours to test its performance.
Performance Testing: Software performance testing is used to determine the speed or effectiveness
of a computer, network, software program or device. This testing technique compares the new
system's performance with that of similar systems using well defined benchmarks.

Question No 17
Explain why e-commerce is getting popular day by day. (June 2016)(7 Marks)
Answer No 17
E-commerce is the entire process of developing, marketing, selling and purchasing, delivering,
servicing and paying for products and services which are transacted on the internet among
global customers. Simply put, it is business activity carried out through the internet.
E-commerce has some unique features in comparison to the conventional way of doing
business, which is why it is getting popular day by day.
The reasons for e-commerce gaining popularity can be summarized as below:
• Ubiquitous and global reach – Business can be done from any place. Doing business through
e-commerce doesn’t mean that it has to be in the downtown of a city. It can be from any
part of the country. Moreover, the selling and buying of products takes place around the
globe. Products can be bought or sold from any rural part of Asia to a core city of Europe or
America.
• Selection and Value – attractive product selections, competitive prices, satisfaction
guarantees, and customer support after the sale
• Performance and Service – fast, easy navigation, shopping, and purchasing, and prompt
shipping and delivery
• Look and Feel – attractive web storefront, website shipping areas, multimedia product catalog
pages, and shopping features
• Payment Mechanism – Another reason for the spread of e-commerce is its facility to pay
bills through electronic media. It is not necessary to carry cash or a cheque whenever a
transaction is done through e-commerce.
• Advertising and Incentives – targeted web page advertising and e-mail promotions, discounts
and special offers, including advertising at affiliate sites
• Personal Attention – personal web pages, personalized product recommendations, Web
advertising and e-mail notices, and interactive support for all customers
• Community Relationships – virtual communities of customers, suppliers, company
representatives, and others via newsgroups, chat rooms, and links to related sites

Question No 18
Suppose that a retail store wants to build an e-commerce website to sell its products online and you
are given the responsibility to develop this website. Based on this scenario, answer the following
questions:
a) How do you find the requirements to develop this website? Discuss any one requirements
finding technique in detail.
b) Why do we need online payment systems? Discuss any three payment systems that are
suitable for this website.
c) Discuss high availability planning to continue the operations of this website.
(December 2017)(20 Marks)
Answer No 18
a) To develop a website, we first must be able to correctly identify, analyze, and understand
what the users’ requirements are or what the user wants the system to do. To know users’
requirements, we use information gathering techniques. Information gathering techniques are
also called requirements discovery techniques or fact finding techniques or data
collection techniques. Information gathering includes those techniques to be used by system
analysts to identify or extract system problems and solution requirements from the user
community. Systems analysts need an organized method for information gathering. Interview
is one of the most important information gathering techniques used in information system
development.
The personal interview is generally recognized as the most often used fact-finding technique.
Interviews are the fact-finding techniques whereby the systems analysts collect information from
individuals through face-to-face interaction.
There are two roles assumed in an interview. The systems analyst is the interviewer, responsible
for organizing and conducting the interview. The system user or system owner is the interviewee,
who is asked to respond to a series of questions.
There are two types of interviews: unstructured and structured. Unstructured interviews are
conducted with only a general goal or subject in mind and with few, if any, specific questions.
Structured interviews on the other hand are conducted with a set of specific questions to ask the
interviewee.
There are two types of questions in interview: open-ended and closed-ended. Open-ended
questions allow the interviewee to respond in any way that seems appropriate. But, closed-ended
questions restrict answers to either specific choices or short, direct responses.

b) First Part: The emergence of e-commerce has created new financial needs that in some cases
cannot be effectively fulfilled by traditional payment systems. E-commerce payment systems
make it easy and smooth for customers to pay while buying online. Offering online payments
need not be worrying or expensive: numerous payment service providers now offer
comprehensive, cost-effective and easy-to-implement outsourced solutions to get your
business accepting online payments quickly. E-commerce technology offers a number of
possibilities for creating new payment systems that substitute for existing systems, as well as
for creating enhancements to existing systems.
Second Part: The most common online payment systems are online credit card payment, digital
wallet and digital cash.
• Online credit card payment: It is the dominant form of online payment system. This
payment system is processed in much the same way that in-store purchases are, with the
major differences being that online merchants never see the actual credit card being used, no
card impression is taken, and no signature is available. These types of purchases are also
called CNP (Cardholder Not Present) transactions. These payments most closely resemble
MOTO (Mail Order-Telephone Order) transactions. There are five parties involved in an
online credit card purchase: consumer, merchant, clearing house, merchant bank (sometimes
also called the “acquiring bank”), and the consumer’s card issuing bank. In order to accept
payments, online merchants must have a merchant account established with a bank or
financial institution. A merchant account is simply a bank account that allows companies to
process credit card payments and receive funds from those transactions.
• Digital Wallets: Digital wallets (sometimes called e-wallets) are small electronic packages
that automatically supply information such as credit card numbers and shipping addresses for
use in conducting e-commerce transactions. They provide a means by which customers may
order products and services online without ever entering sensitive information and submitting
it via e-mail or the World Wide Web, where it is vulnerable to theft by hackers and other
cyber-criminals. They allow consumers to make online purchases easily and securely.
Traditionally, digital wallets were stored on the desktops of personal computers; new digital
wallets are compatible with wireless and other mobile devices, and are more often stored on a
central server owned by a digital wallet vendor or Internet Service Provider (ISP). Digital
wallet vendors maintain relationships with online merchants.
• Digital Cash: Digital cash (e-cash) is an alternative payment system developed for e-commerce
in which unique, authenticated tokens representing cash value are transmitted from consumers
to merchants. Banks issue digital tokens (unique encrypted numbers) for various denominations
of cash, and consumers can spend these at merchants’ sites. Merchants in turn deposit these
electronic tokens in banks. Some examples are DigiCash, First Virtual, and Millicent.
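
The digital cash flow described above (the bank issues unique authenticated tokens, the consumer spends them, the merchant deposits them) can be modelled in a short Python sketch. This is an added example, not part of the original suggested answer; it uses an HMAC under a bank-held key as a stand-in for the token authentication, and the class, method and account names are hypothetical.

```python
import hashlib
import hmac
import secrets


class Bank:
    """Toy issuer. A token is 'serial:denomination:tag', tag = HMAC(key, serial:denomination)."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # known only to the bank
        self._spent = set()                   # serial numbers already deposited
        self.balances = {}                    # account name -> amount

    def _tag(self, serial: str, amount: int) -> str:
        message = f"{serial}:{amount}".encode()
        return hmac.new(self._key, message, hashlib.sha256).hexdigest()

    def withdraw(self, account: str, amount: int) -> str:
        """Debit the consumer's account and issue one token of that denomination."""
        if amount <= 0:
            raise ValueError("denomination must be positive")
        if self.balances.get(account, 0) < amount:
            raise ValueError("insufficient funds")
        self.balances[account] -= amount
        serial = secrets.token_hex(16)        # unique, unguessable serial number
        return f"{serial}:{amount}:{self._tag(serial, amount)}"

    def deposit(self, account: str, token: str) -> str:
        """Credit the merchant only if the token is authentic and not yet spent."""
        try:
            serial, amount_text, tag = token.split(":")
            amount = int(amount_text)
        except ValueError:
            return "rejected: malformed"
        expected = self._tag(serial, amount)
        # Constant-time comparison, so the check does not leak how much of the tag matched.
        if not hmac.compare_digest(tag.encode(), expected.encode()):
            return "rejected: forged"
        if serial in self._spent:
            return "rejected: already spent"
        self._spent.add(serial)
        self.balances[account] = self.balances.get(account, 0) + amount
        return "accepted"


def demo():
    """Constructed scenario: one honest deposit, one replay, one altered denomination."""
    bank = Bank()
    bank.balances["consumer"] = 50
    token = bank.withdraw("consumer", 20)     # consumer obtains a 20-unit token
    results = [
        bank.deposit("merchant", token),      # merchant deposits it
        bank.deposit("merchant", token),      # the same token presented again
    ]
    serial, _, tag = token.split(":")
    results.append(bank.deposit("merchant", f"{serial}:200:{tag}"))  # value changed to 200
    return results, bank.balances


if __name__ == "__main__":
    print(demo())
```

The sketch covers token authenticity and double-spend rejection only; it does not attempt the payer anonymity that some e-cash schemes provided, since the bank here can link each deposit to the withdrawal.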

c) Firms using online transaction processing (transactions entered online are immediately
processed by the computer) have traditionally used fault-tolerant computer systems to ensure
100 percent availability. Fault-tolerant computer systems contain redundant hardware,
software, and power supply components that create an environment that provides continuous,
uninterrupted services. These systems completely eliminate the need for recovery from a crash.
High-availability computing includes tools and technologies, including backup hardware
resources, to enable a system to recover quickly from a crash. High-availability computing requires
an assortment of tools and technologies to ensure maximum performance of computer systems and
networks, including redundant servers, mirroring, load balancing, clustering, storage area
networks, and a good disaster recovery plan.
A disaster recovery plan is the plan for the restoration of computing and communication services
after they have been disrupted by an event such as an earthquake, flood, or terrorist attack. Load
balancing distributes a large number of requests for access among multiple servers so that no single
device is overwhelmed. Mirroring uses a backup server that duplicates all the processes and
transactions of the primary server. If the primary server fails, the backup server can immediately take
its place without any interruption in service. Clustering links two computers together so that the
second computer can act as a backup to the primary computer. If the primary computer fails, the second
computer picks up its processing without any pause in the system.
Many companies lack the resources to provide a high-availability computing environment on their
own. In this case, management service providers (MSPs) provide network, systems, storage, and
security management for subscribing clients.

Question No 19
Information system developed once is not for always. It has to be changed or modified or upgraded
in due course of time. An organization named as ABC Ltd is going to upgrade its Information
System.
a) What are the conditions that have to be analyzed while recommending such change of the
system?
b) What are the possible online payment mechanisms that can be introduced while upgrading the
system to facilitate e-Commerce?
c) How can they ensure the continuity of the business? (June 2017)(20 Marks)
Answer No 19
a) Yes, it is very true that no system lasts for all time. It has to be upgraded, modified or
changed during the course of implementation based upon various conditions. Before making
the decision to change, upgrade or modify the system, the following points have to
be analyzed properly:
1. The operational outcome of the system. Sometimes, due to the changing organizational
environment and growth of the organization, the output of the system becomes insufficient
and ineffective, so modification is needed.
2. Technology saturation or need of new technology. The programming language, frameworks and
architecture used to develop the system might be outdated, so an
upgrade to a new system is needed. Sometimes the system should be upgraded due to the changing
needs of hardware as well.
3. The technical support from the vendor. Sometimes the system is so old that the
vendor is unable to provide the technical support to keep it running. In this case
the need to upgrade the existing system arises.
4. The existing capacity of the database may become insufficient to hold the growing volume of
data. So, in order to meet the increased demand on the capacity of the database,
upgrading the system is sometimes recommended.
5. Sometimes the system needs to be upgraded to eradicate the errors, bugs and vulnerabilities
in the existing system.

b) The payment mechanism in e-commerce can be any one of the following: (It is to be noted
that all these listed payment mechanisms are not in practice in Nepal.)
Online Banking:
This is the transfer of money from one bank account to another bank account with the help of a
third-party payment gateway interconnecting the payer's bank and the payee's bank, with the
internet as the channel between them.

Credit Card:
This system relies on unique identification and a verification authority among the payer, the
merchant and the commercial banks (payer and payee banks). All the stakeholders are connected
through an electronic channel during the payment process. Here the verification and
authentication mechanisms are very important.
Digital Credit Card:
It is the extension of the credit card to the internet so that it can be used for online payment. The
information transmitted over the internet is protected for the merchant, consumer and processing
bank through authorization and authentication.
Digital wallet:
A digital wallet makes paying for purchases over the web more efficient by eliminating the need for
shoppers to repeatedly enter their address and credit card information each time they buy
something. A digital wallet securely stores credit card and owner identification information and
provides that information at an electronic commerce site. The digital wallet enters the shopper's
name, credit card number and shipping information automatically when invoked to complete the
purchase.
Micropayment:
It was developed for payments of less than $10, as such payments are too small to make
through credit cards. Accumulated balance payment systems facilitate such small
payments on the web by accumulating them on the debit card or credit card.
Stored value payment systems:
They enable consumers to make instant online payments to merchants and other individuals based
on value stored in a digital account. Online value systems rely on the value stored in the consumer's
bank, checking or credit card account, and some of these systems require the use of a digital wallet.

Digital cash:
Digital cash, which is also known as e-cash, can be used for micropayments or larger purchases.
It is currency represented in electronic form that moves outside the normal network of money.
Users are supplied with client software and can exchange money with another e-cash user over
the internet or with a retailer accepting e-cash.

c) Business continuity is about ensuring the normal operation of the system within a
predefined time even in the case of a huge disaster, thereby minimizing the losses to the
organization. The continuity of the business can be ensured with the following plans:
• Backup Plan
• Emergency Plan
• Proper Recovery Plan
Backup Plan:
The backup plan outlines the way to restore the same data at a different location. It
describes the process and timing of replicating the same data on different media in redundant
locations. The locations are made redundant to ensure the recovery of data even if
some location fails. The backup plan describes the following points:
• Making copies of data regularly
• Automation of the data backup process
• Saving of backed-up data on a different medium
• Saving of backed-up data at a different location
Emergency Plan:
The emergency plan is about the immediate action to be taken in case of catastrophe. This part of
the disaster recovery plan outlines the actions to be undertaken immediately after a disaster occurs.
The following points clarify the emergency plan:
• Personnel to be notified in case of disaster
• Equipment to be operated or shut down
• Procedures to be followed
Proper Recovery Plan:
The recovery plan mainly focuses on how the full capabilities of the system will be restored and
service will be resumed. The following points clarify the recovery plan:
• Formation of a recovery committee
• Prioritizing the applications and systems to be recovered
• Replacement of hardware and network

Question No 20
Write short Notes on: Business to Consumer (B2C) E-Commerce (June 2017)(5 Marks)

Answer No 20

B2C is one of the fastest growing segments of the economy. Consumers can order a vast array of
merchandise from the comfort of their homes or from mobile devices.

1) B2C is almost exclusively conducted via the Internet.

2) Traditional retailers have expanded their reach with B2C, and some firms, notably
Amazon.com, use the Internet as their sole communication channel with customers.
Benefits accrue to businesses through reduced costs and increased efficiency, such as reduced
purchasing cost, increased marketing efficiency, greater market intelligence and decreased
inventory levels.
Some security issues, such as authorization, apply, but on a smaller scale. Also, the vendor need
not concern itself with the IT infrastructure on the customer's end.

Question No 21
Suppose you are hired to develop an e-commerce website of a retail shop to sell different items
online to its customers. Based on this scenario, answer the following questions.
1. What different e-commerce features do you consider to develop this website?
2. Do you have any plan for disaster recovery? Discuss.
3. Which e-commerce category will you suggest? Why?
(December 2018)(20 Marks)
Answer No 21
The different features of e-commerce considered in developing the e-commerce website are as follows:
1. Ubiquity: The traditional business market is a physical place that customers have to visit
in order to transact. For example, sellers of clothes and shoes usually have to encourage
customers to go somewhere to buy. E-commerce is ubiquitous, meaning that it is available
everywhere.
2. Global Reach: E-commerce allows business transactions across national boundaries to be
more convenient and more effective as compared with traditional commerce. For
e-commerce businesses, the potential market scale is roughly equivalent to the reach of the network.
The whole world can be a potential market.
3. Richness: Advertising and branding are an important part of commerce. E-commerce can
deliver video, audio, animation, billboards, signs, etc. It can use a rich set of media and
technologies to provide information and service.
4. Interactivity: Twentieth Century electronic commerce business technology is interactive, as
it allows two-way communication between businesses and consumers.

5. Personalization: E-commerce technology allows for personalization. Based on a person's
name, interests and past purchase history, personalized marketing messages
can be sent to a specific individual. The technology also allows for customization. Merchants
can change the product or service based on user preferences or previous behavior.

A Disaster Recovery Plan (DRP) is a business plan that describes how work can be resumed
quickly and effectively after a disaster. Disaster recovery planning is just one part of business
continuity planning and is applied to the aspects of an organization that rely on an IT
infrastructure to function.
The overall idea is to develop a plan that will allow the IT department to recover enough data and
system functionality to allow a business or organization to operate - even possibly at a minimal
level.
The creation of a DRP begins with a DRP proposal to achieve upper level management support.
Then a business impact analysis (BIA) is needed to determine which business functions are the
most critical and the requirements to get the IT components of those functions operational again
after a disaster, either on-site or off-site.
Every employee must be made aware of the DRP and when implemented, effective
communication is essential. The DRP must include a comprehensive off-site data backup and an
on/off-site recovery plan.
The biggest issue may be the sourcing of an alternate location with adequate equipment, but there
are many places where data center time and bandwidth can be rented so these arrangements could
also be included in a DRP. Some companies can operate from just a single server so a backup
machine can be kept at a remote location and kept up to date with a regular backup of the essential
data required to operate. This would suit a small organization, but where there are more computers
and a data center involved there needs to be a more extensive plan made.
A DRP may require employees to relocate to a hot-site to resume work, if work cannot be
conducted at the normal business site. This hot-site is an off-site location supplied with the
computer equipment and data necessary to continue an organization's normal work.
It is imperative that organizations not only develop a DRP but also test it, train personnel and
document it properly before a real disaster occurs. This is one reason why off-site hosting of all IT
services can be a good choice for the protection they provide; in disaster situations personnel can
access data easily from a new location, whereas relocating a terminally damaged data center and
getting it operational again is not an easy job.
Often a specialized disaster recovery planning consultant is hired to assist organizations in
attending to the many details that can arise during such contingency planning.

First Part: I suggest B2C (business to consumer) e-commerce. B2C (Business-to-Customer)
ecommerce is the exchange of goods or services over the internet between online stores and
individual customers. Consumer preference for the convenience of online shopping - coupled with
the ease of starting an online store - has made ecommerce among the fastest growing sectors of the
economy.
Second Part: In today's technology-based world, business owners have started to understand that
the old, traditional B2C business has declined due to the entry of ecommerce. So, all the
businesses have now started adopting modern ways to sell directly to customers through the
Internet. B2C e-commerce offers the following benefits for both businesses and consumers.
• Direct Communication - With this kind of business, you can connect directly with your
consumers through a website. This shows the consumers that you care for them, and ultimately
they will appreciate that you provide good customer service.
• Business Expansion - With B2C e-commerce, you can easily expand your
business to different parts of the world. In traditional B2C business, you can't reach every
place due to lack of funds, approach, etc. Here, the business can reach a level that
could never have been achieved so fast and easily with traditional businesses like shops.
• Scope of Niche Marketing - Traditional business has niche marketing too, but here you
can expand that idea. You have more opportunities, and there are more chances of
succeeding in your seasonal businesses on the internet.
• Cheaper Than Normal Businesses - Setting up a shop involves
quite a few expenses, but an online business doesn't require as much. The
investment is a lot less compared to a physical retail store. Plus, it's easier to set up
and easier for consumers to access.
• B2C e-commerce carries advantages not only for businesses but also for customers. As a
consumer, you can shop at your own convenience and time, which is the best part of B2C
e-commerce. There's no place or time restriction as such. You also get
better customer service. Big companies give customer satisfaction first priority. The
consumers connect directly to the merchant, who makes sure that at the end of the day you are
happy, as only then will you spread the word and become a returning customer in future.
With an array of purchasing options, the prices are also lower compared to the physical stores in
the conventional market.

Question No 22
Explain the characteristics and advantages of SAAS model of cloud computing. (June 2018)(8 Marks)
Answer No 22
a) The SAAS characteristics are as follows:
• Network-based access to, and management of, commercially available software.
• Activities managed from central locations rather than at each customer's site, enabling
customers to access applications remotely via the Web.
• Application delivery typically closer to a one-to-many model (single instance, multi-tenant
architecture) than to a one-to-one model, including architecture, pricing, partnering, and
management characteristics.
• Centralized feature updating, which obviates the need for end-users to download patches and
upgrades.

Advantages of SaaS are as follows:
• Pay per use
• Anytime, anywhere accessibility
• Pay as you go
• Instant scalability
• Security
• Reliability
• APIs.

Question No 23
Write short notes on Business and IT alignment (June 2019)(5 Marks)
Answer No 23
a) Business and IT alignment

[Figure: two-way relationship between ORGANIZATIONS and INFORMATION TECHNOLOGY. Mediating
factors: Environment, Culture, Structure, Standard Procedures, Politics, Management Decisions,
Chance.]

There exists a two-way relationship between information systems and organizations.
Information systems must be aligned with the organization to provide useful information to
important groups within the organization. Similarly, organizations must be aware of and be
open to the influences of information systems in order to benefit from new information
technologies.

This two-way relationship is very complex and is influenced by many mediating factors,
including the organization's structure, standard operating procedures, politics, culture,
surrounding environment, and management decisions.

Question No 24
Write short notes on Secure electronic payments (June 2019)(5 Marks)
Answer No 24
When an online purchase is made, the credit card information is vulnerable to interception by
network sniffers, software that easily recognizes credit card number formats. Several basic security
measures are being used to solve this security problem: (1) encrypt (code and scramble) the data
passing between the customer and merchant, (2) encrypt the data passing between the customer and
the company authorizing the credit card transaction. For example, many companies use the Secure
Socket Layer (SSL), which automatically encrypts data passing between your web browser and a
merchant's server. However, sensitive information is still vulnerable to misuse once it is decrypted
(decoded and unscrambled) and stored on a merchant's server, so a digital wallet payment system
was developed. In this method, security software add-on modules are added to the web browser. These
enable the browser to encrypt credit card data in such a way that only the bank that authorizes
credit card transactions for the merchant gets to see it. All the merchant is told is whether the credit
card transaction is approved or not. The Secure Electronic Transaction (SET) standard for
electronic payment security extends this digital wallet approach. In this method, software encrypts a
digital envelope of digital certificates specifying the payment details for each transaction.

Question No 25
Write short notes on Artificial intelligence (June 2019)(5 Marks)
Answer No 25
Artificial intelligence (AI) based technologies are being used in a variety of ways to improve the
decision support provided to managers and business professionals in many companies. AI-enabled
applications are at work in information distribution and retrieval, database mining, product design,
manufacturing, inspection, training, user support, surgical planning, resource scheduling, and
resource management. Indeed, for anyone who schedules, plans, allocates resources, designs new
products, uses the Internet or develops software, as well as for anyone who is responsible for
product quality, is an investment professional, heads an IT team or uses IT, or operates in any of a
score of other capacities and arenas, AI technologies may already be in place and providing
competitive advantage.

Chapter 7:

E-Business Enabling Software Package

Question No 1:
Describe any five benefits that will accrue to any business enterprise by implementing an ERP
package. (December 2003)(10 Marks)
Answer No 1:
Following are some of the benefits achieved by implementing ERP packages.
i. Gives accounts payable personnel increased control of invoicing and payment processing,
thereby boosting their productivity and eliminating their reliance on computer personnel for
these operations.
ii. Reduces paper documents by providing on-line formats for quickly entering and retrieving
information.
iii. Improves timeliness of information by permitting posting daily instead of monthly.
iv. Greater accuracy of information with detailed content and better presentation, satisfactory for
the auditors.
v. Improved cost control.
vi. Faster response and follow-up on customers.
vii. More efficient cash collection, say, material reduction in delay in payments by customers.
viii. Better monitoring and quicker resolution of queries.
ix. Enables quick response to change in business operations and market conditions.
x. Helps to achieve competitive advantage by improving its business process.
xi. Improves supply-demand linkage with remote locations and branches in different countries.
xii. Provides a unified customer database usable by all applications.
xiii. Improves International operations by supporting a variety of tax structures, invoicing
schemes, multiple currencies, multiple period accounting and languages.
xiv. Improves information access and management throughout the enterprise.
xv. Provides solutions for problems like Y2K and Single Monetary Unit (SMU) or Euro currency.

Question No 2:
Write short notes on the following: (December 2003)(5 Marks)
4GL work benches.
Answer No 2:
4GL work benches are geared towards producing interactive applications which rely on extracting
information from an organisational database, presenting it to end users on their terminals or
workstations and then updating the database with changes made by users. The user interface usually
consists of a set of standard forms or a spreadsheet. The tools which may be included in a work
bench are:
i. a database query language such as SQL, which may either be input directly or generated
automatically from forms filled in by end users.
ii. a form design tool which is used to create forms for data input and display.
iii. a spreadsheet which is used for the analysis and manipulation of numeric information.
iv. a report generator which is used to define and create reports from information in the
database.

Question No 3
Explain the need of Enterprise Resource Planning (ERP) system and give its general model.
Enumerate different characteristics of an ERP system. (December 2004)(10 Marks)
Answer No 3:
NEED OF ENTERPRISE RESOURCE PLANNING (ERP)
In the competitive business environment of today, there is much greater interaction between
customers and manufacturers. This means that, in order to produce goods tailored to customers'
requirements and provide faster deliveries, the enterprise must be closely linked to both suppliers
and customers. In order to achieve improved delivery performance, decreased lead times
within the enterprise, and improved efficiency and effectiveness, manufacturers need to have
efficient planning and control systems that enable very good synchronization and planning in all
the processes of the organization.
In addition to the above, there is a need for strong integration across the value chain. Hence there is a
need for a standard software package which equips the enterprise with the necessary capabilities
to integrate and synchronize the isolated functions into streamlined business processes in order to
gain a competitive edge in the volatile business environment. Therefore, rather than having a
customer-designed software package, an integrated software solution to all the functions of an
organisation may be designed and prepared. ERP is the step towards this need.

A general model of ERP is shown in Fig. 1

[Fig. 1: General model of ERP. Blocks shown: Central Database; Cross Functionalities;
1. Business Planning - Materials; 2. Operation Planning & Execution - Materials;
3. Business Planning - Resources; 4. Operational Planning & Execution - Resources.]

ERP is the latest high-end solution given to business applications. This software
integrates operation processes and information flows in the company to synergise the resources of an
organization, namely men, material, money and machine, through information.
ERP has filled the need of industry as it has integrated the functional areas of an enterprise like
logistics, production, finance, accounting and human resources. ERP has one database, one
application and one user interface for the entire enterprise.

DIFFERENT ERP CHARACTERISTICS:

An ERP system is not only the integration of various organizational processes, but also has the
following additional characteristics:

Flexibility:
An ERP system should be flexible to respond to the changing needs of an enterprise. The client-
server technology enables ERP to run across various database back ends through Open Database
Connectivity (ODBC).

Modular and Open:
An ERP system has to have an open system architecture. This means that any module can be
interfaced or detached whenever required without affecting the other modules. It should support
multiple hardware platforms for companies having a heterogeneous collection of systems. It
must support some third-party add-ons also.

Comprehensive:
It should be able to support a variety of organizational functions and must be suitable for a wide
range of business organizations.

Beyond the Company:
It should not be confined to the organizational boundaries, but rather support on-line connectivity
to the other business entities of the organization.

Best Business Practices:
It must have a collection of the best business processes applicable worldwide. An ERP package
imposes its own logic on a company's strategy, culture and organization.

Question No 4:
Discuss the controlling costs pertaining to ERP-Enterprise Resource Planning? (June 2004)(10 Marks)
Answer No 4:
The controlling costs related to ERP are as follows:
(1) Overhead Cost Control: This focuses on the monitoring and allocation of overheads. These costs
cannot be directly assigned to the products manufactured or services given. This needs a
transparent method of allocation.
(2) Cost center accounting: This analyses where overheads occur within an organization. Costs
are assigned to the sub-areas of the organization where they originate. Costs are allocated
to products based on cost resources.
(3) Overhead orders: This collects and analyses costs based on individual internal measures. It
can monitor and check the budgets assigned to each measure.
(4) Activity based costing: It was developed in response to the need for monitoring and
controlling cross-departmental business processes in addition to functions and products.

(5) Product cost control: This determines the costs arising from the manufacture of a product or
the provision of a service. A control plan and standard values serve in evaluating warehouse stock
and in comparing revenues received with costs. The values are crucial for determining the
lower price limit at which a product is profitable.
(6) Cost object controlling: This helps in monitoring manufacturing orders. Calculations
determine and analyze the variances between the actual manufacturing costs and plan costs
resulting from product cost planning.
(7) Profitability analysis: This examines sources of returns. As part of sales control, this is the
last step in cost based settlement.

Question No 5:
What are the benefits derived from a successful Material Requirement Planning (MRP) system?
(December 2005)(5 Marks)
Answer No 5
The benefits of a successful MRP system are:
i) Significantly decreased inventory levels and corresponding decreases in inventory carrying
costs.
ii) Fewer stock shortages, which cause production interruption and time-consuming schedule
juggling by managers.
iii) Increased effectiveness of production supervisors and less production chaos.
iv) Better customer service – an increased ability to meet delivery schedules and to set delivery
dates earlier and more reliably.
v) Greater responsiveness to change – MRP gives manufacturing a better feel for the effects of
economic swings and changes in product demand can be translated into schedule changes
quickly.
vi) Closer coordination of the marketing, engineering and finance activities with the
manufacturing activities.

Question No 6:
What are the steps involved in the implementation of a typical ERP package?
(December 2005)(5 Marks)
Answer No 6
Several steps are involved in the implementation of a typical ERP package. These are:
i) Identifying the needs for implementing an ERP package.
ii) Evaluating the 'As is' situation of the business, i.e., to understand the strengths and
weaknesses prevailing under the existing system.
iii) Deciding the would-be situation for the business, i.e., the changes expected after the
implementation.

iv) Reengineering the business process to achieve the desired results in the existing processes.
v) Evaluating the various available ERP packages to assess suitability.
vi) Finalizing the most suitable ERP package for implementation.
vii) Installing the required hardware and networks for the selected ERP package.
viii) Finalizing the implementation consultants who will assist in implementation.
ix) Implementing the ERP package.

Question No 7
Describe the characteristics of Enterprise Resource Planning. (June 2007)(5 Marks)
Answer No 7
a) Flexibility: An ERP system should be flexible enough to accommodate the changing needs of the
organization on a need basis.
b) Modular and Open: It should have an open system architecture so that if a new module is needed it
can be interfaced to the existing system without extra work and without affecting the running system.
c) Comprehensive: An ERP system should be able to support different types of organization. It
shouldn't be organization-specific.
d) Beyond the Company: With the rapid growth of IT, ERP should be able to extend itself to the
internet. It shouldn't be confined within organizational territory.
e) Best Business Practices: ERP should collect the best models of business practice
throughout the world so that it can update itself to meet changing needs.

Question No 8
Define ERP system. What are the steps involved in ERP implementation?
(December 2007)(7 Marks)
Answer No 8
An Enterprise Resource Planning system is a fully integrated business management system covering
the functional areas of an enterprise such as Logistics, Production, Finance, Accounting, Human
Resources, etc. It organizes and integrates operation processes and information flows in the
organization to make optimum use of resources such as men, material, money and machine. Simply
stated, ERP promises one database, one application and one user interface for the entire enterprise.
This helps in planning, monitoring and controlling the entire business.

The challenges involved in ERP implementation are:

i. Consultants, vendors and users have to work together to achieve the overall objectives of the
organization. The consultants have to clearly understand the user needs and the prevailing
business realities and design the business solutions keeping in mind all these factors.
ii. Proper customization/configuration of package to the organization has to be in tune with the
users' needs and business objectives.

iii. Roles and responsibilities of the employees have to be clearly identified, understood and
configured in the system.
iv. Acceptance by employees of the new processes and procedures is critical for the success of
the package.
v. Package to be implemented in totality to achieve the maximum benefit.
vi. Defining the implementation methodology to be followed – identifying needs, evaluation of
the current situation, predicting the future situation, reengineering the business process,
selection of correct package.
vii. Installation of Hardware, Software required for the package.
viii. Selection of right kind of consultants.
ix. Preparing the implementation guidelines – training users, effective leadership, adapting the
new systems and making changes in the working environment etc.
x. Post implementation monitoring of Key Performance indicators, Critical success factors etc.

Question No 9
Write short notes on :
a. Implementation Guidelines for ERP (June 2005) (5 Marks) (June 2006)(5 Marks)
There are certain general guidelines, which are to be followed before starting the implementation
of an ERP package.
i) Understanding the corporate needs and culture of the organization and then adopt the
implementation technique to match these factors.
ii) Doing a business process redesign exercise prior to starting the implementation.
iii) Establishing a good communication network across the organization.
iv) Providing a strong and effective leadership so that people down the line are well motivated.
v) Finding an efficient and capable project manager.
vi) Creating a balanced team of implementation consultants who can work together as a team.
vii) Selecting a good implementation methodology with minimum customization.
viii) Training end users.
ix) Adapting the new system and making the required changes in the working environment to
make effective use of the system in future.

b. General Model available on Enterprises Resource Planning (June 2006)(5 Marks)


The general modules available are:
• Financials: General ledgers, accounts receivable and payable, fixed asset accounting
• Controlling Cost: Cost centre accounting, overhead orders, activity based costing, product
cost control, cost object controlling, profitability analysis
• Investment Management: Appropriation requests, investment measures, automatic settlement
to fixed assets, depreciation forecast
• Treasury: Cash management, treasury management, market risk management, funds
management
• Enterprise Controlling: EC-CS, EC-PCA, EC-EIS
• Product data management
• Sales and distribution
• Shipping management system: transport module, foreign trade processing
• Product planning and control: Production planning, production control modules, quality
management, project system, project information system.
• Materials management: Purchasing, inventory management, warehouse management, invoice
verification, inventory control using purchase information system, quality management, plant
maintenance, service management
• Human Resource management: Personnel administration, employee master data, recruitment
management, open positions, selection and hiring, travel management, benefits
administration, personnel cost planning
• Payroll accounting: Payroll processing, integration, global solutions, time management, time
data, time evaluation, time management review, integration and interfaces, shift planning.

c. Business Process Re-engineering (December 2008)(5 Marks)


BPR is the fundamental rethinking and the radical redesign of processes to achieve improvement
in performance like cost, quality, services and speed and some suitable discussion.
The main principle of BPR is to re-evaluate and analyze all existing business processes,
procedures and tasks from the basics and remodel, reinvent or replace them with new processes as
and when needed without any bias for and against the existing processes and procedures. It starts
with the question "why do you do what you do" and eliminates all the processes that do not add
any value to the customer/business.

d. Enterprise Resource Planning (ERP) (December 2008)(6 Marks) ( June 2010)(5 Marks)
An Enterprise Resource Planning (ERP) system is a fully integrated business management system
covering functional areas of an enterprise like Logistics, Production, Finance, Accounting and
Human Resources. It organizes and integrates operation process and information flows to make
optimum use of resources such as men, material, money and machine. ERP is a global, tightly
integrated closed loop business solution package and is multifaceted. Simply stated, ERP provides
one database, one application and one user interface for the entire enterprise. This helps in
planning, monitoring and controlling the entire business.
Enterprise resource planning is a cross-functional enterprise system that integrates and automates
many of the internal business processes of a company, particularly those within the manufacturing,
logistics, distribution, accounting, finance, and human resource functions of the business. In the
ERP system, data is required to be entered only once in the system; the data then flows to other
modules automatically. Thus, ERP serves as the vital backbone information system of the
enterprise, helping a company achieve the efficiency, agility, and responsiveness required to
succeed in a dynamic business environment. ERP software typically consists of integrated modules
that give a company a real-time cross-functional view of its core business processes, such as
production, order processing, and sales, and its resources, such as cash, raw materials, production
capacity, and people. However, properly implementing ERP systems is a difficult and costly
process. Continuing developments in ERP software, including Web-enabled modules and
e-business software suites, have made ERP more flexible and user-friendly, as well as extending it
outward to a company's business partners.

e. Artificial Intelligence (December 2008)(6 Marks)


Artificial Intelligence is an advanced computer system that can simulate human capabilities, such as
analysis, based on a predetermined set of rules. Artificial Intelligence is the study and application of
the principles by which knowledge is acquired and used, information is communicated, etc. This
field includes: voice recognition, pattern recognition, problem solving, machine translation of
foreign languages, intelligent text management, expert system, decision support system, etc.

f. Worms (June 2008)(2.5 Marks)


A computer worm is a self-replicating computer program. It uses a network to send
copies of itself to other nodes (computer terminals on the network) and it may do so
without any user intervention. Unlike a virus, it does not need to attach itself to an existing
program. Worms almost always cause harm to the network, by consuming bandwidth,
whereas viruses almost always corrupt or modify files on a targeted computer.

g. Characteristics and benefits of Enterprise Resource Planning (ERP) (Old Syllabus December 2010)(5 Marks)

| SN | Characteristics of ERP | Benefits of ERP |
|----|------------------------|-----------------|
| 1. | An ERP system is able to respond to the changing needs of an enterprise | It reduces the paper documents by providing online formats for quickly entering and retrieving information |
| 2. | ERP systems have open system architecture, which means that any module can be attached or detached from it | Improves timeliness of information by permitting posting daily instead of monthly |
| 3. | It is able to support a variety of organizational functions and must be suitable for a wide range of business organizations | Greater accuracy of information with detailed content and better presentations |
| 4. | It is not confined to the organizational boundaries | Improved cost control, better monitoring and quicker resolution of queries |
| 5. | It has a collection of the best business processes applicable worldwide | Faster response and follow-up on customers |

Question No 10
What do you understand by Enterprises Resource Planning (ERP)? List out the prominent features
of ERP. (June 2008)(15 Marks)
Answer No 10
An enterprise resource planning system is an integrated business management system covering
functional areas of an enterprise like Logistics, Production, Finance, Accounts and Human
Resources. It organizes and integrates operation processes and information flows to make optimum
use of resources such as men, material, money and machine. Taking information from every
function, it is a tool that assists employees and managers to plan, monitor and control the entire
business.
Features of ERP
• ERP provides multi-platform, multi-mode manufacturing, multi-currency, multi-lingual
facilities.
• It supports strategic and business planning activities, operational planning and is effectively
integrated for flow and update of information immediately upon entry of any information.
• Has end to end supply chain management to optimize the overall demand and supply data.
• ERP bridges the information gap across organizations.
• ERP is the solution of better project management.
• ERP facilitates company-wide integrated information system concerning all functional areas
like manufacturing, selling and distribution, payables, receivables, inventory, accounts, human
resources, purchase etc.
• ERP performs core activities and increases customer service, thereby augmenting the
corporate image.
• ERP provides complete integration of system not only across departments but also across
companies under the same management.
• ERP allows introduction of latest technologies like Electronic Fund Transfer (EFT), Electronic
Data Interchange (EDI), internet, intranet, video conferencing, E-commerce, etc.

Question No 11
Explain the Enterprise Resource Planning (ERP) System and its modules.
(December 2009)(10 Marks)

Answer No 11

Enterprise resource planning (ERP) software is a group of programs and functions integrating
corporate accounting and resource management with production schedules and customer orders.
ERP may not be a direct focus of operations and design engineers; however, ERP is one of the most
critical technological shifts an organization can make.
The resulting impact of the corporate information management system is profound, such that the
entire organization, even plant-floor process control, for example, must adapt to it. ERP replaces
manufacturing resource planning (MRP II), which was unable to meet the ever-changing challenges
provided by the international manufacturing world. ERP is proactive (i.e., "if we get this order,
which plant has the skills/capacity to handle it") while MRP II is typically reactive (i.e., "the order
rate has changed - what do we need to do to respond?").
The term "enterprise resource planning" was coined to demonstrate the fact that these systems have
evolved well beyond their origins as inventory-transaction and cost accounting systems. The
software now acts as the means to support and expedite the entire order fulfillment process. ERP
can also lead to business-process reengineering. By removing barriers between functional
departments and reducing duplication of effort, the systems increase flexibility and responsiveness.
The vision of ERP is evolving to include the extended enterprise. Extended ERP is an
inter-enterprise vision that includes balancing and optimization of not just the enterprise, but the value
network, or the entire set of supply and demand business processes that drive the enterprise's
delivery of goods and services. Extended ERP is customer focused and dynamically balanced
through asset optimization and real-time transaction processing.

ERP Production Planning Module


This module, used in production planning, optimizes the utilization of manufacturing capacity,
parts, components and material resources using historical production data and sales forecasting.

ERP Purchasing Module


Purchase module streamlines procurement of required raw materials. It automates the processes of
identifying potential suppliers, negotiating price, awarding purchase order to the supplier, and
billing processes. Purchase module is tightly integrated with the inventory control and production
planning modules. Purchasing module is often integrated with supply chain management software.

ERP Inventory Control Module


Inventory module facilitates processes of maintaining the appropriate level of stock in a
warehouse. The activities of inventory control involve identifying inventory requirements,
setting targets, providing replenishment techniques and options, monitoring item usages,
reconciling the inventory balances, and reporting inventory status. Integration of inventory control
module with sales, purchase, finance modules allows ERP systems to generate vigilant executive
level reports.

ERP Sales Module


Revenues from sales are the lifeblood of commercial organizations. Sales module implements
functions of order placement, order scheduling, shipping and invoicing. Sales module is closely
integrated with organizations' ecommerce websites. Many ERP vendors offer online storefront as
part of the sales module.

ERP Marketing Module


ERP marketing module supports lead generation, direct mailing campaign and more.

ERP Financial Module


Both for-profit organizations and non-profit organizations benefit from the implementation of ERP
financial module. The financial module is the core of many ERP software systems. It can gather
financial data from various functional departments and generate valuable financial reports such as
balance sheet, general ledger, trial balance, and quarterly financial statements.

ERP HR Module
HR (Human Resources) is another widely implemented ERP module. HR module streamlines the
management of human resources and human capital. HR modules routinely maintain a complete
employee database including contact information, salary details, attendance, performance
evaluation and promotion of all employees. Advanced HR module is integrated with knowledge
management systems to optimally utilize the expertise of all employees.

Question No 12
What do you mean by Enterprises Resource Planning system? Explain about the features and
characteristics of ERP. (June 2010)(15 Marks)
Answer No 12
Enterprise resource planning (ERP) software is a group of programs and functions integrating
corporate accounting and resource management with production schedules and customer orders.
ERP may not be a direct focus of operations and design engineers; however, ERP is one of the
most critical technological shifts an organization can make. ERP solutions seek to streamline and
integrate the operation process and information flows in the company to synergize the resources of
an organization namely men, material, money and machine through information.
The resulting impact of the corporate information management system is profound, such that the
entire organization, even plant-floor process control, for example, must adapt to it. ERP replaces
manufacturing resource planning (MRP II), which was unable to meet the ever-changing
challenges provided by the international manufacturing world. ERP is proactive (i.e., "if we get
this order, which plant has the skills/capacity to handle it") while MRP II is typically reactive (i.e.,
"the order rate has changed - what do we need to do to respond?").
The term "enterprise resource planning" was coined to demonstrate the fact that these systems
have evolved well beyond their origins as inventory-transaction and cost accounting systems. The
software now acts as the means to support and expedite the entire order fulfillment process. ERP
can also lead to business-process reengineering. By removing barriers between functional
departments and reducing duplication of effort, the systems increase flexibility and
responsiveness.
The vision of ERP is evolving to include the extended enterprise. Extended ERP is an
inter-enterprise vision that includes balancing and optimization of not just the enterprise, but the value
network, or the entire set of supply and demand business processes that drive the enterprise's
delivery of goods and services. Extended ERP is customer focused and dynamically balanced
through asset optimization and real-time transaction processing.

Some prominent features of ERP are:

• ERP provides multi-platform, multi-facility, multi-mode manufacturing, multi-currency,
multi-lingual facilities
• It supports the strategic and business planning activities, operational planning and execution
activities, creation of materials and resources. All these functions are effectively integrated
for flow and update of information immediately upon entry of any information
• Has end to end supply chain management to optimize the overall demand and supply data
• ERP facilitates company-wide integrated information system covering all functional areas
like manufacturing, selling and distribution, payable, receivable, inventory, accounts, human
resources, purchases etc
• ERP performs core activities and increases customer service, thereby augmenting the corporate
image

The characteristics of ERP can be summarized as:


Flexibility: An ERP system should be flexible enough to meet the changing needs of the enterprise.
Modular and Open: An ERP system should have open system architecture. This means that any
module can be interfaced or detached whenever required without affecting the other modules.
Comprehensive: It should be able to support a variety of organizational functions and must be
suitable for a wide range of business organizations.
Beyond the Company: It should not be confined within organizational boundaries; rather, it should
support online connectivity to the other business entities of the organization.
Best Business Practices: It must have a collection of the best business processes applicable
worldwide. An ERP package imposes its own logic on a company's strategy, culture and
organization.

Question No 13
What is Enterprises Resource Planning (ERP)? What are its advantages/benefits? (June 2011)(10 Marks)
Answer No.13
An ERP solution provides the core information system functions for the entire business. But
usually an organization must redesign its business processes to fully exploit and use an ERP
solution. Most organizations must still supplement the ERP solution with custom software
applications to fulfill business requirements that are unique to the industry or business. For most
organizations, an ERP implementation and integration represents the single largest information
system project ever undertaken by the organization. It can cost tens of millions of dollars and
require a small army of managers, users, analysts, technical specialists, programmers, and
consultants.
ERP applications are significant to systems analysts for several reasons. First, systems analysts
may be involved in the decision to select and purchase an ERP solution. Second, and more
common, systems analysts are frequently involved in the customization of the ERP solution, as
well as the redesign of business processes to use the ERP solution. Third, if custom-built
applications are to be developed within an organization that uses an ERP core solution, the ERP
system's architecture significantly impacts the analysis and design of the custom application that
must coexist and interoperate with the ERP system.
Major ERP advantages/Benefits are:
• Reduced Planning cycle time
• Reduced manufacturing cycle time
• Reduced inventory
• Reduced error in ordering
• Reduced requirement of manpower
• Enables faster response to changing market situations
• Better utilization of resources
• Increased customer satisfaction
• Enables global outreach

Question No 14
ABC Telecom Company limited, a leading Information Communication Technologies service
provider in Nepal, is introducing Enterprises Resource Planning system from 2011. After getting
employment in ABC Telecom Company, how can you use ERP for the improvement of the overall
systems of company? What are the challenges for the implementation of this project? Explain.
(Old Syllabus June 2011)( 20 Marks)

Answer No. 14
ERP is a cross functional enterprise system driven by an integrated suite of software modules that
supports the basic internal business processes of ABC Telecom. The major applications of ERP at
the Telecom company are shown in the following diagram:
[Diagram: major ERP application areas: HRM; Inventory Keeping; Customer/Employee; Sales/Distribution/Service; Finance]

ERP gives a company an integrated real time view of its core business processes such as service
delivery to its customers, inventory management, tied together by the ERP application software
and a common database maintained by a database management system. ERP systems track
business resources such as cash, payrolls, HR and stock of SIM/RIM and the status of customer's
commitments and accounting, no matter which department has entered the data into the system.
ERP software suites typically consist of integrated modules of customer supports, sales and
distribution of the services, accounting and HR applications. The distribution of the
telecommunications services to its customers depends upon the planning, procurement planning,
capacity planning, sales and marketing planning, logistic planning etc. ERP systems support many
vital human resource processes, from personnel requirements planning to salary and benefits
administration, and accomplish most required financial record keeping and managerial
accounting applications.
ABC Telecom can get the following improvements after implementation of the ERP:
a) Improvement in Quality and Efficiency
b) Decreased cost
c) Decision supports
d) Enterprise agility
e) Timely auditing
f) Up to date database preparation of the company
g) Centralized database
h) No duplication on purchasing of goods
i) Proper use of resources within the company
j) Fraud management
k) Improves the accountability
l) Reduced manpower
m) Centralized payroll
n) Improves on decision making process

Challenges on Implementations:
ERP systems vary widely in their functionality, scope, price and ease of use. Many companies do
not perform thorough due diligence before selecting an ERP system. Key things to consider when
selecting an ERP system include system scalability, supplier management, service and availability,
system reliability, system functionality and vendor customer support. Companies that fail to
address these issues during the ERP selection process may face multiple challenges before, during
and after system purchase.

Implementation
ERP implementations typically last longer than initially expected and end up costing more than
budgeted. Companies that fail to create a proper project plan prior to implementation run into
numerous obstacles during implementation, including underestimating project resources, under
evaluation of the software prior to implementation and not creating new business processes that
suit the ERP system. Other implementation challenges include not managing the changes that
occur during the implementation time frame and understanding the full impact implementation has
on the company.

Information Overload
ERP systems manage millions of bits of information. Companies often fall into one of two data
management traps: using the ERP system to extract more data than required simply because it is
available, or not venturing past the system's standard reports for fear of messing up the system. The
challenge for ERP users comes in optimizing the system to generate the data that give
management the best view of the company's operations. Many ERP users get overwhelmed by the
size of their company's data warehouse and often avoid using the ERP system to generate data.
Once that happens, management can no longer rely on the accuracy of the data received.

Training
A majority of ERP errors result from improper user training. Many companies consider training in
hindsight and thus begin late in the ERP implementation cycle or do not provide adequate time to
thoroughly train users. Companies that do not plan ERP training often find themselves struggling
to get satisfactory instructors, an adequate training budget or proper training materials. Typically,
ERP users need to relearn processes and tasks they may have performed for many years. The
required amount of time needed to properly train an ERP user largely depends on the user's skill
set, how critical a role the user plays in the system and the training program itself.

Cost:
ERP software remains very expensive to this date.

Human Resource:
Finding trained manpower is another challenge for the implementation and operation of the ERP
in a telecom company.

Integration of ERP Modules


Packaged ERP software consists of many functional modules (production planning, inventory
control, financial and HR). Organizations tend to install modules from the same ERP vendors in
the initial ERP implementation. Not all companies will purchase all ERP modules from a single
ERP vendor (SAP, Oracle, PeopleSoft etc.). The implementation of ERP systems could last many
years. The integration of ERP modules could be either the integration of modules from different
vendors, or the different versions of the modules from the same vendor.

Integration of E-Business Applications


E-business practice is the combination of strategies, technologies and processes to electronically
coordinate both internal and external business processes, and manage enterprise-wide resources.
E-business software systems generally fall into four categories: Enterprise Resource Planning
(ERP), Customer Relationship Management (CRM), Supply Chain Management (SCM) and
Knowledge Management (KM). To get the most out of ERP systems, ERP should be tightly
integrated with other e-business software - Supply Chain systems, CRM, knowledge management,
B2B exchange and ecommerce storefront on the Internet.

Integration with Legacy Systems


Over the years, legacy systems have accumulated vast amounts of data vital to the survival,
operations, and expansion of corporations and non-profit organizations. Integration of ERP
systems with legacy systems is more complex than the integration of ERP modules and Integration
of e-business Applications. It routinely requires the installation of third-party interface software
for the communication between ERP software systems and legacy systems. Second generation
ERP systems use relational database management systems (RDBMS) to store enterprise data. Data
conversion from legacy systems to RDBMS is often a time-consuming and tedious process.
While most interface software provides an API for ERP to access legacy systems, some vendors offer
an integration module that automates or accelerates the transformation of legacy application logic and
data into reusable components with XML, SOAP, J2EE and .NET interfaces.

Project Planning
ERP implementation starts with project planning - setting project goals, identifying high level
business requirements, establishing project teams and estimating the project costs. The project
planning offers the opportunity to re-evaluate the project in great detail. If the ERP project is not
justified at the planning phase, organizations shouldn't hesitate to cancel the project. For every
successful ERP project, there are projects that are canceled before implementation.

Architectural Design
While the high level architectural decision is made in the process of ERP vendor selection, it remains
a critical success factor in integrating ERP with other e-business applications, ecommerce
applications or legacy systems. The choice of middleware, interface software or programming
languages drastically impacts the implementation cost and release date.

Data Requirements
Unlike in-house e-business applications, much of the packaged ERP implementation involves the
integration of ERP systems with existing e-business software and legacy information systems.
An appropriate level of data requirements is critical for an ERP to interact with other applications.
Data requirements usually reflect details of business requirements. It costs ten times more to correct a
mistake at a later phase of ERP implementation than to correctly define requirements at the
analysis and design phase.

Phased Approach
It is important to break an ERP project down to manageable pieces by setting up pilot programs
and short-term milestones. Depending on their IT experience, some organizations choose the easiest
piece as the pilot project, while others may implement a mission-critical application first. The pilot
project can both demonstrate the benefits of ERP and help gain hands-on ERP implementation
experience.

Data Conversion
Second generation ERP systems use relational database management systems (RDBMS) to store
enterprise data. If large amounts of data are stored in other database systems or in different data
formats, data conversion is a daunting task which is often underestimated in ERP
implementations. A two-hour data conversion task could turn into a two-month effort as a
result of the DBA group's lack of technical experience and management's incompetency or ignorance.

Organization Commitments
The involvement of ERP implementation goes far beyond the IT department to many other functional
departments. The commitment and smooth coordination of all parties is the key to the success
of an ERP project. The commitments come from the understanding of how ERP can benefit each
functional department. For example, if the warehouse staff isn't completely sold on the inventory
control module's benefits, they may not input the kind of usage data that is essential to the project's
success.

Question No 15
What is ERP? Explain its development process and reason for its growth.
(Old Syllabus December 2012)(10 Marks)

Answer No 15
"ERP is a solution which facilitates company-wide integrated information systems, covering all
functional areas, performs core corporate activities and increases customer service augmenting
Corporate Image"
"Software solution that addresses the Enterprise needs, taking a process view of the overall
organization to meet the goals, by tightly integrating all functions and under a common software
platform"
"ERP is a cross function enterprise system which integrates internal business process and
automates the process of activities of manufacturing, sales and distributions, finance and
accounting, and human resource etc. It helps the organization to achieve the efficiency, agility and
responsiveness which are required to face dynamic business environment"

Development process
An ERP system offers persistent business functionality; the application covers virtually all aspects of
business functions. Understanding and managing this persistence will result in a productive
business platform. Otherwise, the selected system may fail or result in a poor return on
investment. Therefore, a systematic process for developing an ERP system is necessary for
delivering results and managing the risks of implementation.
The ERP development process consists of key elements which form a series of steps. The first step
in the process is to identify the key personnel, including supervisors, team leaders and
empowered members. The responsibility for the project's success mainly rests with these team
members. The second step in the process of ERP development is defining the business vision and
objectives. The project team must articulate the vision and mission of the organization along with
its identifiable critical objectives. To achieve maximum benefit from the ERP system, the enterprise's
objectives, goals, vision and mission must be encompassed and taken into consideration. The third
step of the ERP process is defining the requirements to build an ERP system. The requirements and
objectives of the organization should match each other, because every ERP system supports
the organizational goals and mission. Therefore, the requirements for building an ERP system are
mandatory for all. The fourth stage of ERP development is very lengthy and plays a key role in the
process. It is simply developing the alternatives for the ERP system. There are three kinds of alternatives
available to ERP implementers: integrated system, best of brand, and custom
development and feasible system. While selecting the best ERP system, three kinds of
decisions should be taken by the ERP selection team. First, is it enough
to develop an ERP system with an integrated system? If yes, it can be built with a narrow choice,
configuration or extended configuration, and refined with evaluation. If no, look for another
alternative, that is, does it function properly? If yes, then select the best of brand ERP and standard
ERP; otherwise look for the third alternative, that is, can it be customized? If yes, build a customized
ERP system; otherwise the project proposal will be withdrawn, or the process will
loop back to developing the ERP requirements with added objectives and vision.


After identifying the best alternative of ERP system, the process continues to the fifth step, which is
finalizing the plans and implementation. It is important to make a smooth and deliberate transition to
the implementation of the developed ERP system.

Reason for growth of ERP


ERP is an important software-related component that helps the organization achieve its goals and
objectives. It improves the enterprise's manufacturing process, customer order process and
revenue generation. That's why ERP is often referred to as back office and front office software,
because it is seen as a road map to the management in and outside of the organization. ERP
systems are transforming the way organizations do business, making it more effective. This happens due
to many reasons, some of which are:
• Affects organizational activities
• ERP is change agent
• ERP helps to become more competitive
• ERP is a tool for BPR
• ERP enforces an organization's business process
The above reasons are the most influential factors attracting today's organizations towards
implementation of an ERP system.

Question No 16
Why there arises the need of enterprises system although there is individual functional system?
What are the challenges of implementing enterprises system? (Old Syllabus December 2012) (8 Marks)
Answer No 16
Individual functional applications already exist in the business. These systems perform well in
individual application areas of human resource management, sales and marketing, production and
service, account and finance etc. They provide all the information appropriately in their respective
areas whenever needed. However, these systems have limitations. Once one system needs to
relate to another, they cannot function, e.g. if the organization needs production
information in human resources, it has to be provided manually or the data has to be converted from one
form to another; similarly, the information on sales and inventory is not directly available to
account and finance. Thus integrated information is lacking in the individual functional
business applications. Besides this, there are technical difficulties in the operation and maintenance
of individual systems, as they might have different software and database platforms.
The enterprise system is not free of challenges. It has some challenges of implementation. They
can be summarized as:
• People think that the enterprise system solves all the problems, so human resources need make very
little effort. But the enterprise system itself cannot do anything without proper
support from the human staff.
• Proper training of the human resources is needed. People are reluctant to move from one
application to another.
• Migration of data formats is a big challenge. The new enterprise system may need the input data
in a different format.
• Business process re-engineering to match the functionalities of the enterprise system.

Question No 17
What are several e-business applications that you might recommend to small company to help it
survive and succeed in challenging economic time? Why? (Old Syllabus December 2012) (10 Marks)
Answer No 17
E-business applications may take on many forms. In a recent survey of manufacturing executives,
92% of respondents feel eBusiness is important, and 84% (and growing) believe that eBusiness is
essential to the long-term success of their companies, and that they will be less competitive if they
do not conduct business online. These manufacturers consider their Website to be their most
powerful and cost-effective marketing tool, and that eBusiness will make/is making a measurable
positive impact on their business. If your goals include reducing costs, improving operational
efficiency, and increasing profits via the Internet, we have helped many companies attain those
benefits. Over time we have developed tools and methods for:
• Developing a thorough understanding of your business goals and processes;
• Encapsulating and adapting specific business processes for automated Web-based
applications;
• Integrating your current Enterprise applications (e.g. ERP) and IT infrastructure with Web-based
applications;
• Designing, building, deploying, enhancing, maintaining, even hosting and managing (if
desired) Web-based applications
While developing Web-based applications for clients we have built many hundreds of
configurable, reusable components which enable us to develop powerful custom Web-based
applications for you very quickly, and at surprisingly low cost. Web-based applications we have
developed are enabling our clients to:
• Empower customers with Web-based applications to manage their own accounts with B2B
customer service, environmental inquiries, process returns, check order status, place orders,
check inventory status and availability, product configuration and engineering, and much
more.
• Improve employee productivity with an Intranet where employees can manage their
customers, leads, and opportunities (CRM), access competitor profiles and product
comparisons, access HR applications, submit and manage IT requests, manage appropriation
requests, and much more.
• Facilitate information exchange with supplier networks, to improve productivity and reduce
cost by enabling vendor-managed inventory, and more.
For example data conferencing, digital information services, distance learning, facsimile, intranets,
teleconferencing, videoconferencing, voice mail systems etc. It may also take on the form of
applications dealing with procurement, marketing, manufacturing, financial, logistics, human
resources, supplier and vendor integration applications and a multitude of other applications.
What is important in the question is that a small company can use e-business applications to
survive and succeed in challenging economic times by allowing it to carry out many functions
more effectively. As well, as large corporations restructure and go back to concentrating on their
core business there are a number of opportunities for small businesses to provide services to the
larger companies.

Question No 18
Define e-commerce. Discuss on the legal and ethical issues in electronic commerce.
(June 2012)(7 Marks)
Answer No 18
E-commerce is the use of the internet and the web to transact business. More formally, it is digitally
enabled commercial transactions between and among organizations and individuals.
E-commerce is more than just buying and selling products online. It encompasses the entire online
process of developing, marketing, selling, delivering, servicing and paying for goods or services
transacted on an internetworked, global marketplace of customers with the support of a worldwide
network of business partners.
Major legal and ethical issues in e-commerce are:
• Privacy
• Intellectual property
• Free speech
• Taxation
• Computer crimes
• Consumer protection
• Electronic contracts
• Online gambling
• Validity of electronic documents
• Time and date on documents across borders
• Which country has jurisdiction over E-commerce transaction?
• Can a website link to another without permission? Example: Ticketmaster vs. Microsoft


Question No 19
What are the major challenges in successful implementation of enterprise resource planning (ERP)
system in an organization? Describe in brief. (Old Syllabus, June 2012)(5 Marks)
Answer No 19
The main challenges in successful implementation of enterprise resource planning (ERP) system
in an organization can be outlined as follows:
i. Awareness – the users are generally not aware of the functionality and features of the ERP
system. Extensive training and user participation is needed to minimize this problem.
Moreover, most employees do not know about the benefits of using a comprehensive ERP
solution and they tend to stick to the same old ways of doing things as they are more
comfortable doing that.
ii. Resistance to change – as described above, especially long-term employees doing same kind
of job for years using the traditional method have little liking for the ERP system which is
likely to change everything. Moreover, there is a high level of resistance against putting
personal effort in learning new technologies and facilities provided by packages such as the
ERP.
iii. Business process re-engineering – an effective implementation of ERP requires thorough
re-engineering and re-modeling of major aspects of business process such as sales, inventory,
accounting, human resource management, procurement, customer relationships management,
financial management etc. For organizations with long history of operations with traditional
and non-ERP based methods, this re-engineering process is the most challenging and time-
consuming process of implementing a full-fledged ERP system. This involves restructuring
the way different things are done, probable change in organization structure, re-training and
orientation of the manpower for different tasks as per the norms of the new system etc.
iv. Integration – integration with other critical business applications such as billing, CRM,
accounting, supply chain management, MIS, OSS etc of the ERP system for exchange of
relevant data and information is another major challenge. Problems such as incompatibility,
non-standard interfaces, data model differences etc can be encountered during this activity.

Question No 20
Describe the importance of ERP along with its functional working modules.
(December 2013)(8 Marks)
Answer No 20
Enterprise resource planning (ERP) software is a group of programs and functions integrating
corporate accounting and resource management with production schedules and customer orders. It
deploys an integrated approach to the information systems of all the functional areas of the organization.
ERP helps all levels of organizational staff in proper utilization of man, machine and money.
Its functional areas of implementation are as follows:

Production Planning
This module is used in production planning to optimize the utilization of manufacturing capacity,
parts, components and material resources using historical production data and sales forecasting.

Purchasing:
Purchase module streamlines procurement of required raw materials. It automates the processes of
identifying potential suppliers, negotiating price, awarding purchase order to the supplier, and
billing processes.

Inventory Control:
Inventory module facilitates processes of maintaining the appropriate level of stock in a warehouse.
The activities of inventory control involve identifying inventory requirements, setting targets,
providing replenishment techniques and options, monitoring item usages, reconciling the inventory
balances, and reporting inventory status. Integration of inventory control module with sales,
purchase, finance modules allows ERP systems to generate vigilant executive level reports.

ERP Sales Module


Revenues from sales are lifeblood for commercial organizations. Sales module implements
functions of order placement, order scheduling, shipping and invoicing. Sales module is closely
integrated with organizations' ecommerce websites. Many ERP vendors offer online storefront as
part of the sales module.

ERP Marketing Module


ERP marketing module supports lead generation, direct mailing campaign and other marketing
activities.

ERP Financial Module


The financial module is the core of many ERP software systems. It can gather financial data from
various functional departments, and generates valuable financial reports such as balance sheet, general
ledger, trial balance, and quarterly financial statements.

ERP HR Module

HR module streamlines the management of human resources and human capitals. HR modules
routinely maintain a complete employee database including contact information, salary details,
attendance, performance evaluation and promotion of all employees.


Question No 21
What do you understand by E-commerce? Explain how Sales Force Automation changes the sales
process. ( June 2013)(7 Marks)
Answer No 21
e-Commerce is the process of trading services and products with the help of the internet. The internet
provides an easier way to link businesses and individuals at a very low cost. With the development
of e-commerce, trading partners can directly communicate with each other, bypassing intermediate
and inefficient multilayered procedures.
With the wide use of the Internet, people can use it to sell their services and products, making them
available in any part of the world while sitting at home. Websites (e.g. www.amazon.com,
www.ebay.com, www.munchahouse.com) are available to the seller or consumer 24 hours a day,
thus business is possible throughout the day.
Sales force management systems are information systems used in marketing and management that
help to automate some sales and sales force management functions. They are frequently combined
with a Marketing Information System, in which case they are often called Customer Relationship
Management (CRM) systems.
A Sales Force Automation System (SFA), typically a part of a company's customer relationship
management system, is a system that automatically records all the stages in a sales process. SFA
includes a contact management system which tracks all contact that has been made with a given
customer, the purpose of the contact, and any follow up that might be required. This ensures that
sales efforts are not duplicated, reducing the risk of irritating customers. SFA also includes a sales
lead tracking system, which lists potential customers through paid phone lists, or customers of
related products. Other elements of an SFA system can include sales forecasting, order
management and product knowledge. More developed SFA systems have features where customers
can actually model the product to meet their required needs through online product building
systems. This is becoming more and more popular in the automobile industry, where patrons can
customize various features such as color and interior features such as leather vs. upholstered seats.
An integral part of any SFA system is companywide integration among different departments. If
SFA systems aren't adopted and properly integrated to all departments, there might be a lack of
communication that could result in different departments contacting the same customer for the
same purpose. In order to mitigate this risk, SFA must be fully integrated in all departments that
deal with customer service management.

Question No 22
What do you mean by ERP? What are its functional areas? ( June 2013)(8 Marks)
Answer No 22
Enterprise resource planning (ERP) software is a group of programs and functions integrating all
the functional business information modules into one system. ERP is thus a cross-functional
enterprise system, in which data and information are exchanged among various departments without
any hindrances. For example, it integrates corporate accounting and resource management with
production schedules and customer orders. It deploys an integrated approach to the information systems
of all the functional areas of the organization. ERP helps all levels of organizational staff in proper
utilization of man, machine and money.
Its functional areas of implementation are as follows:

Production Planning

This module, used in production planning, optimizes the utilization of manufacturing capacity,
parts, components and material resources using historical production data and sales forecasting.

Purchasing:

Purchase module streamlines procurement of required raw materials. It automates the processes of
identifying potential suppliers, negotiating price, awarding purchase order to the supplier, and
billing processes.

Inventory Control:

Inventory module facilitates processes of maintaining the appropriate level of stock in a
warehouse. The activity of inventory control involves identifying inventory requirements, setting
targets, providing replenishment techniques and options, monitoring item usages, reconciling the
inventory balances, and reporting inventory status. Integration of inventory control module with
sales, purchase, finance modules allows ERP systems to generate vigilant executive level reports.

ERP Sales Module


Revenues from sales are lifeblood for commercial organizations. Sales module implements
functions of order placement, order scheduling, shipping and invoicing. Sales module is closely
integrated with organizations' ecommerce websites. Many ERP vendors offer online storefront as
part of the sales module.

ERP Marketing Module

ERP marketing module supports lead generation, direct mailing campaign and more.

ERP Financial Module

The financial module is the core of many ERP software systems. It can gather financial data from
various functional departments, and generates valuable financial reports such as balance sheet,
general ledger, trial balance, and quarterly financial statements.


ERP HR Module
HR module streamlines the management of human resources and human capitals. HR modules
routinely maintain a complete employee database including contact information, salary details,
attendance, performance evaluation and promotion of all employees.

Question No 23
Explain the Enterprise Resource planning (ERP) and its benefits. (December 2014)(10 Marks)
Answer No 23
An ERP solution provides the core information system functions for the entire business. But
usually an organization must redesign its business processes to fully exploit and use an ERP
solution. Most organizations must still supplement the ERP solution with custom software
applications to fulfill business requirements that are unique to the industry or business. For most
organizations, an ERP implementation and integration represents the single largest information
system project ever undertaken by the organization. It can cost tens of millions of dollars and
require a small army of managers, users, analysts, technical specialists, programmers, and
consultants.
ERP applications are an important tool for systems operators, managers and analysts alike for several
reasons. First, systems analysts may be involved in the decision to select and purchase an ERP
solution. Second, and more common, systems analysts are frequently involved in the customization
of the ERP solution, as well as the redesign of business processes to use the ERP solution. Third, if
custom-built applications are to be developed within an organization that uses an ERP core
solution, the ERP system's architecture significantly impacts the analysis and design of the custom
application that must coexist and interoperate with the ERP system.
ERP Benefits
Some of the key benefits are listed below.
• Reduced Planning cycle time
• Reduced manufacturing cycle time
• Reduced inventory
• Reduced error in ordering
• Reduced requirement of manpower
• Enables faster response to changing market situations
• Better utilization of resources
• Increased customer satisfaction
• Enables global outreach

Question No 24
What are the steps involved in the implementation of an ERP package?
(June 2015)(8 Marks)


Answer No 24
Steps of ERP Implementation:
These steps are given as follows:
(i) Identifying the needs for implementing an ERP package.
(ii) Evaluating the "As Is" situation of the business i.e. to understand the strength and weakness
prevailing under the existing circumstances.
(iii) Deciding the "would be" situation for the business i.e. the changes expected after the
implementation of ERP.
(iv) Re-engineering the Business Process to achieve the desired results in the existing processes.
(v) Evaluating the various available ERP packages to assess suitability.
(vi) Finalizing of the most suitable ERP package for implementation.
(vii) Installing the required hardware and networks for the selected ERP package.
(viii) Finalizing the implementation consultants who will assist in implementation.
(ix) Implementing the ERP package.

Question No 25
Write short notes on
a. CAPTCHA ( June 2015)(5 Marks)
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is
a type of challenge-response test used in a wide variety of computing applications to determine
that the user is really a human and not a computer posing as one. A CAPTCHA is sometimes
described as a reverse Turing test because it is administered by a machine and targeted to a
layman, in contrast to the standard Turing test that is typically administered by a human and
targeted to a machine. The process involves one computer (such as a server for a retail Web site)
asking a user to complete a simple test that the computer is able to generate and grade. Because
other computers are unable to solve the CAPTCHA, any user entering a correct solution is
presumed to be human. A common type of CAPTCHA requires that the user type the letters of a
distorted image, sometimes with the addition of an obscured sequence of letters or digits that appears
on the screen. Examples of these are seen when registering for a new account with a merchant,
web site or checking out from an online store.
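
The generate-and-grade step described above, as an added example that is not part of the suggested answer: the server keeps the expected text, hands the browser only an identifier, and accepts each challenge once and only before it expires. The class name, the 120-second lifetime and the in-memory store are assumptions made for the illustration; rendering the text as a distorted image is left out.

```python
import hmac
import secrets
import time

# Characters used in challenges; look-alikes such as O/0 and I/1 are left out.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


class CaptchaService:
    """Hypothetical server-side CAPTCHA: generates challenges and grades replies."""

    def __init__(self, ttl_seconds=120, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock          # injectable so expiry can be tested
        self._pending = {}           # challenge_id -> (expected_text, expires_at)

    def issue(self, length=6):
        """Create a challenge and return (challenge_id, text).

        Only the id and a distorted image of the text would go to the browser;
        the text itself never leaves the server.
        """
        text = "".join(secrets.choice(ALPHABET) for _ in range(length))
        challenge_id = secrets.token_urlsafe(16)   # unguessable handle
        self._pending[challenge_id] = (text, self._clock() + self._ttl)
        return challenge_id, text

    def grade(self, challenge_id, response):
        """Return True only for a correct, unexpired, first-time response."""
        # pop() makes every challenge single use, whether the reply is right
        # or wrong, so a solved challenge cannot be replayed and a wrong guess
        # cannot be retried against the same text.
        entry = self._pending.pop(challenge_id, None)
        if entry is None:
            return False
        expected, expires_at = entry
        if self._clock() > expires_at:
            return False
        given = response.strip().upper()
        # Constant-time comparison of the typed text with the stored text.
        return hmac.compare_digest(given.encode(), expected.encode())


if __name__ == "__main__":
    service = CaptchaService()
    cid, shown_text = service.issue()
    print("first answer accepted:", service.grade(cid, shown_text))
    print("replay accepted:", service.grade(cid, shown_text))
```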

b. Digital Signatures and Certificates (June 2015)(5 Marks)


Digital signatures meet the need for authentication and integrity. To vastly simplify matters, a
plain text message is run through a hash function and so given a value: the message digest. This
digest, the hash function and the plain text encrypted with the recipient's public key are sent to the
recipient. The recipient decodes the message with their private key, and runs the message through
the supplied hash function to check that the message digest value remains unchanged (the message has not
been tampered with). Very often, the message is also time stamped by a third party agency, which
provides non-repudiation. To authenticate that the website receiving sensitive information is not
set up by some other party posing as the e-merchant, the browsers check the digital certificate.
This is a digital document issued by the CA (certification authority: Verisign, Thawte, etc.) that
uniquely identifies the merchant. Digital certificates are sold for emails, e-merchants and
web-servers.
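
The digest, signature and certificate checks sketched above, as an added example that is not part of the suggested answer: it uses the standard construction, in which the sender signs the digest with their own private key and the verifier uses the public key from a CA-signed certificate (encryption to the recipient would be a separate layer and is left out). The toy RSA keys built from fixed Mersenne primes, the certificate layout and the names shop.example and bank.example are assumptions made for the illustration; real systems use a vetted library with padded signatures and X.509 certificates.

```python
import hashlib
import json

E = 65537  # widely used RSA public exponent


def make_keypair(p_exp, q_exp):
    """Toy RSA key from the Mersenne primes 2**p_exp - 1 and 2**q_exp - 1.

    Assumption for the example only: publicly known primes and no padding.
    """
    p, q = 2**p_exp - 1, 2**q_exp - 1
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    return {"n": n, "e": E}, {"n": n, "d": d}


def digest_int(data):
    """SHA-256 message digest as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data, private_key):
    """Signature = message digest raised to the signer's private exponent."""
    return pow(digest_int(data), private_key["d"], private_key["n"])


def verify(data, signature, public_key):
    """Recompute the digest and compare it with the one inside the signature."""
    return pow(signature, public_key["e"], public_key["n"]) == digest_int(data)


def _to_be_signed(subject, public_key):
    """Canonical bytes of the certificate fields covered by the CA signature."""
    fields = {"subject": subject, "n": public_key["n"], "e": public_key["e"]}
    return json.dumps(fields, sort_keys=True).encode()


def issue_certificate(subject, subject_public_key, issuer_private_key):
    """The issuer binds a name to a public key by signing both."""
    return {
        "subject": subject,
        "public_key": subject_public_key,
        "ca_signature": sign(_to_be_signed(subject, subject_public_key),
                             issuer_private_key),
    }


def check_message(message, signature, cert, trusted_ca_key, expected_subject):
    """Order of checks: certificate first, then name, then the message itself."""
    tbs = _to_be_signed(cert["subject"], cert["public_key"])
    if not verify(tbs, cert["ca_signature"], trusted_ca_key):
        return "untrusted certificate"
    if cert["subject"] != expected_subject:
        return "subject mismatch"
    if not verify(message, signature, cert["public_key"]):
        return "bad signature"
    return "ok"


def demo():
    ca_pub, ca_priv = make_keypair(521, 607)
    shop_pub, shop_priv = make_keypair(1279, 2203)
    fake_pub, fake_priv = make_keypair(2281, 3217)

    order = b"Order 1001: pay NPR 5,000 to shop.example"   # constructed sample
    cert = issue_certificate("shop.example", shop_pub, ca_priv)
    sig = sign(order, shop_priv)

    # An impostor certifies its own key under the merchant's name.
    self_issued = issue_certificate("shop.example", fake_pub, fake_priv)

    return {
        "genuine": check_message(order, sig, cert, ca_pub, "shop.example"),
        "tampered": check_message(order.replace(b"5,000", b"50,000"),
                                  sig, cert, ca_pub, "shop.example"),
        "self_issued": check_message(order, sign(order, fake_priv),
                                     self_issued, ca_pub, "shop.example"),
        "wrong_site": check_message(order, sig, cert, ca_pub, "bank.example"),
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```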

c. Social media (December 2017)(5 Marks)


Social media is the platform that facilitates interaction among people in virtual communities where
they can share information and ideas. People access these virtual communities via platforms, apps,
and websites that facilitate user interaction. Examples include Twitter, Facebook, and LinkedIn.
The sharing and advancement of personal information over a virtual platform allows people to
remain in contact, even if they are not physically close to each other. The spread and advancement
of mobile technology has allowed people to stay regularly connected to their social networks. By
embracing social media, many companies have been able to connect with their customers and the
market on a more personal basis, increasing the rate of growth of B2C (Business to Consumer).
This can be done in the form of special coupons, promotional videos, etc. Social media has also
facilitated the growth of C2C (Consumer-to-Consumer) e-commerce. Laws and customs regarding
privacy and ownership of material posted on social media websites are developing.

d. Mobile Computing (June 2018)(5 Marks)


Mobile Computing is a technology that allows transmission of data, voice and video via a
computer or any other wireless enabled device without having to be connected to a fixed physical
link.

Mobile may also refer to access in a fixed location via equipment that users can relocate as
required, but is stationary while in operation. This mode of operation is often called nomadic
computing.

The applications of mobile computing today have become ubiquitous and pervasive in business,
consumer, industrial, entertainment and many specialized vertical-market activities. Desktop, or
nonmobile, computers allow for a higher degree of hardware configurability or higher
computational performance, but a mobile computing device is the vehicle of choice for almost
every end user today. The key advantage of mobile computing is convenience, allowing users
anytime, anywhere access to information and computational resources.

e. Virtual Organization (June 2018)(5 Marks)


A virtual organization is an entity or business firm whose employees / resource persons are
geographically located in different parts of the world and are connected to each other by means of tools of
information technology (emails, social media, networks, groupware), but
they seem to be a single unified organization from a single location. Thus the organizational set-up
of a virtual organization is slightly different from the traditional one. These organizations can be formed
with a long-term objective of carrying out commercial activities, or they can be formed for a certain period
of time to achieve a particular goal.

It is the IT that coordinates the activities and combines the workers' skills and resources with the
objective of achieving the common goal set by a virtual organization. Managers in these
organizations coordinate and control external relations with the help of computer network links.
The virtual form of organization is increasing globally. The main advantage of the virtual
organization is flexibility: flexi-time, part-time work, job sharing, home based work etc.

Question No 26
Why ERP is a popular in modern business? How an organization can benefit with its use?
(December 2015)(8 Marks)
Answer No 26
Enterprise Resource Planning is a cross-functional enterprise system driven by an integrated
suite of software modules that supports the basic internal business processes of a company. ERP
gives a company an integrated real-time view of its core business processes such as production,
order processing, inventory management, accounting and finance, marketing and sales, and
human resources. Thus, instead of using separate modules, ERP gives an integrated view of all
business activity in real time, which helps in enhancing the quality and efficiency of the organization,
decreases operating costs, helps in decision making and provides business agility. Thus ERP is
popular in modern business these days.
The benefits of ERP can be summarized as:
• Provides the real time view of all business activity of the organization and its
interconnections.
• Reduces paper documents by providing the computer online formats.
• Improves timeliness of information by permitting posting daily instead of monthly.
• Provides the greater accuracy of information.
• Improved cost control.
• Better monitoring and quicker resolution of queries.
• Enables quick response to change in business operations and market conditions.
• Helps to achieve competitive advantage by improving its business process.
• Provides a unified customer database usable by all applications.
• Improves information access and management throughout the enterprise.

Question No 27
Discuss the opportunities and challenges of implementing Enterprise Resource Planning Package.
(December 2016)(8 Marks)
Answer No 27
An Enterprise Resource Planning system is a fully integrated business management system
covering functional areas of an enterprise like logistics, production, finance, accounting and human
resources etc.
The benefits of using ERP are:
• It provides the control of invoicing and payments process to the account payable personnel.
• It reduces the paper documents by providing online formats for quickly entering and
retrieving information.
• Improves timeliness of information by permitting posting daily instead of monthly.
• Greater accuracy of information with detailed content, better presentation, satisfactory for the
auditors.
• Improved cost control.
• Faster response and follow-up on customers.
• Better monitoring and quicker resolutions of queries.
• Enables quick response to change in business operations and market conditions.
• Helps to achieve competitive advantage by improving its business process.

The challenges of implementing ERP can be listed as:
• Lack of proper understanding of the complexity of planning, development and training that are
needed to properly implement ERP package.
• Human reluctance to use new system.
• Cost of acquiring or developing the system.
• Cost factors associated with the system reengineering and data conversions.
• High dependency on Information Technology by completely giving up the existing system.

Question No 28
How can a modern business organization benefit from cloud computing and software as a service to
quickly rollout its computerized information system? (June 2017)(7 Marks)

Answer No 28

Cloud computing is a growing trend in the global IT landscape. It commoditizes computing
resources such as processing power, storage capacity and application features as sellable units
without involving the sale of actual physical devices. As a result, businesses can quickly avail of
the necessary features and computing resources delivered to them by a cloud service provider.
Among the different flavors of cloud computing, Software as a Service or SaaS is the most
straightforward and quick option for businesses, especially small businesses. This is because the
cloud provider does everything and sells the necessary features as a software deliverable to the
business organization. Thus the businesses in need of the features and resources do not have to
spend time and effort in designing the system, procuring the hardware & software, installing them,
commissioning & testing them and finally making use of them. All this is done by the cloud service
provider that takes care of all the preparations and provides the business organization the needed
software features, functions, resources and their manageability. The main requirement is robust
and reliable network connectivity with sufficient capacity from the business organization to the
cloud service provider's data center where the actual system is located.

This also gives the business organization the option of scalability. If business transactions grow
and there is a need for more features, functions and computing resources, it can easily get those from
the cloud service provider by paying the extra cost. On the operational side, the business
organization does not have to worry about the management of the system, allocation of manpower,
maintenance of the facility and so on. For businesses, small to big, that want to roll out information
systems and computerized functions easily and quickly, cloud computing is a There are other
flavors of cloud computing apart from Software as a Service, but for businesses with a clear
outline of their needs and a short deployment timeline, SaaS is probably the quickest and most
straightforward option.

Question No 29
ABC Pvt. Ltd. has recently migrated to a real-time integrated ERP system. As an IS Auditor, advise
the company as to what kinds of business risks it can face. (December 2018)(8 Marks)
Answer No 29
ABC Pvt. Ltd. may face several new business risks when it migrates to a real-time,
integrated ERP system. These risks include the following:

1. Single point of failure – All of an organization's input data and transaction processing are
within one application system.
2. Structural Changes – Significant personnel and organizational structural changes are associated
with reengineering or redesigning business processes.
3. Job Role Changes – Traditional user roles are changed to empowerment-based roles. Users
have more opportunity to access enterprise information in real time. The point of control shifts
from the back-end financial processes to the front-end point of creation.
4. Online Real-Time – This environment requires continuous business interaction. This
warrants the capability to use the ERP application and respond quickly to any problem
that requires re-entry of information (e.g., if field personnel are unable to transmit orders
from handheld terminals, customer service staff may need the skills to enter orders into the
ERP system correctly so that production and distribution operations will not be adversely
impacted).
5. Change Management – It is challenging to bring together a highly integrated environment
when different business processes have existed among business units for a long time. The level of
user acceptance of the system has a significant influence on its success. Training and
awareness of users is mandatory, so that they understand that their actions or inaction have a
direct impact upon other users and on the performance of their day-to-day duties.
6. Distributed Computing Experience – Inexperience with implementing and managing this kind
of environment may pose significant challenges.
7. Broad System Accessibility – Increased remote access by users and outsiders and high
integration among application functions allow increased access to the application and data.
8. Dependency on External Assistance – Organizations accustomed to in-house legacy systems
may find that they have to rely on external help. Unless such external assistance is properly
managed, it could introduce an element of security and resource management risk that may
expose the organization to greater risk.
9. Program Interfaces and Data Conversions – Extensive interfaces and data conversions from
legacy systems and other commercial software are necessary. The exposures of data integrity,
security and capacity requirements for ERP are much higher.
10. Audit Expertise – Specialist expertise is required to effectively audit and control an ERP
environment. The relative complexity of ERP systems has created specialization such that
each specialist may know only a relatively small fraction of the entire ERP's functionality in a
particular core module, e.g. FI. Auditors, who are required to audit the entire organization's
business processes, have to maintain a good grasp of all the core modules to function
effectively.
11. Single sign on – It reduces the security administration effort associated with administering
web-based access to multiple systems, but simultaneously introduces additional risk in that
an incorrect assignment of access may result in inappropriate access to multiple systems.
12. Data content quality – As enterprise applications are opened to external suppliers and
customers, the need for integrity in enterprise data becomes paramount.
13. Privacy and confidentiality – Regulatory and governance issues surrounding the increased
capture and visibility of personal information, e.g. spending habits.

Question No 30
Commercial Bank is going to implement an e-Banking system with 24×7 service. The bank needs to
develop and implement information technology infrastructure, mainly focusing on a data center and
a disaster recovery center. It is also planning to implement an ERP system. You are hired as the ICT
expert for this project. Based on the above scenario, answer the following questions.
a) Discuss the recovery plan for the new information system of this Bank.
b) How can an ERP be implemented in this Bank? What are the characteristics of ERP?
c) What are the key points to be taken into account while conducting a disaster recovery testing
policy for the disaster recovery center of this Bank?
(June 2019)(20 Marks)
Answer No 30
a) The purpose of a Disaster Recovery Plan (DRP) is to restore the operability of systems that
support mission-critical and critical business processes. The objective is for the organization to
return to normal operations as soon as possible. Since many mission-critical and critical business
processes depend on a technology infrastructure consisting of applications, data, and IT hardware,
the DRP should be an IT-focused plan. Every organization should develop a Disaster Recovery
Plan for all applications. Restoration of systems does not necessarily imply technology
redundancy. The DRP may call for some procedures to be completed manually. The decision to
revert to manual procedures, rather than to build and maintain an IT infrastructure, is a
cost-driven decision made by the organization. Having a DRP in place reduces the risk that the
duration of disruption in a business process goes beyond what management in the organization has
determined to be acceptable. During the recovery phase, the focus is on
establishing controls over occurring events to limit the risk of any additional losses.
This DRP is common to all systems and utilizes the following six steps:
• Develop the Business Contingency Planning Policy and Business Process
• Conduct a Risk Assessment
• Conduct the Business Impact Analysis (BIA)
• Develop Business Continuity and Recovery Strategies
• Conduct awareness, testing, and training of the DRP
• Conduct Disaster Recovery Plan maintenance and exercise

b) An ERP solution provides the core information system functions for the entire business. But
usually an organization must redesign its business processes to fully exploit and use an ERP
solution. Most organizations must still supplement the ERP solution with custom software
applications to fulfill business requirements that are unique to the industry or business. For
most organizations, an ERP implementation and integration represents the single largest
information system project ever undertaken by the organization. It can cost tens of millions of
dollars and require a small army of managers, users, analysts, technical specialists,
programmers, and consultants.
ERP applications are significant to systems analysts for several reasons. First, systems analysts
may be involved in the decision to select and purchase an ERP solution. Second, and more
common, systems analysts are frequently involved in the customization of the ERP solution, as
well as the redesign of business processes to use the ERP solution. Third, if custom-built
applications are to be developed within an organization that uses an ERP core solution, the ERP
system's architecture significantly impacts the analysis and design of the custom application
that must coexist and interoperate with the ERP system.

ERP systems have the following characteristics:

• ERP systems integrate the various processes in the organization.
• ERP systems use an enterprise-wide database which stores each data item only once.
• ERP systems allow access to the data in real time.
• ERP systems support multiple currencies and languages.
• ERP systems are flexible enough to accommodate the changing needs of an enterprise.
• ERP has many features like security, authorization, referencing, responsibility and
implementation of the business rules.
• ERP usage can be controlled at all levels such as the data, transaction, information and
analysis level.
• In ERP systems, information is often recorded in a form that cannot be read without the use of
a computer.
• It is difficult to make changes after an ERP system has been implemented.

c) The key points of a disaster recovery testing policy are as follows:

1. Secure management approval and funding for the test.
2. Provide detailed information about the test.
3. Make sure the entire test team is available on the planned test date.
4. Ensure the test does not conflict with other scheduled tests or activities.
5. Confirm test scripts are correct.
6. Verify that the test environment is ready.
7. Schedule a dry run of the test.
8. Be ready to halt the test if needed.
9. Have a scribe take notes.
10. Complete an after-action report about what worked and what failed.
11. Use the results from the test to update the DR plan.

Chapter 8: Protection of Information Assets

Question No 1:
Bring out the various measures that can significantly decrease the potential for fraud and protect
the information systems. (December 2003)(10 Marks)
Answer No 1:
Preventing Computer Frauds:
The different measures that significantly reduce computer fraud are:
i. Make fraud less likely to occur.
ii. Use proper hiring and firing practices.
iii. Manage disgruntled employees.
iv. Train employees in security and fraud prevention measures.

These are briefly discussed below:

i. Computer consultants are of the opinion that the most effective method for system security is
to rely on the integrity of company employees. The organisation should take steps to increase
employee integrity and reduce the likelihood of employees committing a fraud.
ii. A manager's most important responsibility is to hire and retain honest people. Similarly, the
company should be very careful when firing employees. To prevent sabotage or copying of
confidential data, dismissed employees should be removed from sensitive jobs immediately and
denied access to the computer system.
iii. Many employees who commit fraud are seeking revenge or justice for some wrong they
perceive has been done to them. Hence companies should have some procedures to identify
them and help them.
iv. Employee training and education is the most important element of any security program, and
fraud is much less likely to occur in an environment where employees believe that security is
everyone's business. To develop this type of culture, a company should educate and train
its employees in the following areas.
(a) Employees should be taught the importance of security measures and made to take them
seriously.
(b) Employees should be taught that they should not give out confidential information over the
phone without knowing for sure who is calling.
(c) Employees should be made aware of fraud, its prevalence, and its dangers. They should be
taught why people commit fraud and how to deter and detect it.
(d) The company should promote its ethical standards in its practices and through company
literature such as employee handouts. Acceptable and unacceptable behaviour should be
defined so that employees are aware of the company's ethical position.
(e) Employees should be informed of the consequences of unethical behaviour (reprimands,
dismissal, prosecution, etc). For example, employees should be informed that using a
computer to steal or commit fraud is a federal crime and anyone so doing faces immediate
dismissal and/or prosecution.
(f) Educating employees in security issues, fraud awareness, ethical considerations and the
consequences of choosing to act unethically can make a tremendous difference.
(g) Software licensing is an important point that the management should have in mind. They should
make sure that there are enough licenses to meet user demands and that there are not more
users than licenses. This protects them from software piracy lawsuits.
(h) All employees, vendors and contractors should be required to sign and abide by a
confidentiality agreement.

Question No 2:
Write short notes on:
a) Holistic protection (December 2003)(5 Marks)
Protecting corporate information from harm or loss is not an easy task. Protection must be done
holistically and give the organisation the appropriate level of security at a cost that is acceptable to
the business. One must plan for the unexpected and unknown, expect the worst events to happen
and recover from these events if and when they occur, as though nothing ever happened. Such
events cannot be planned, and they always seem to happen at the most inopportune times.
Organisations that wait until the last minute to decide on a protection plan and recovery process
will suffer.

b) Trojan horse. (June 2011)(5 Marks) (December 2007)(5 Marks) (December 2003)(5 Marks)
(December 2008)(5 Marks)
A Trojan horse is a program whose purpose is to capture IDs and passwords from unsuspecting
users. The program is designed to mimic the normal log-on procedures of the operating system.
When the user enters his or her ID and password, the Trojan horse stores a copy of them in a
secret file. At some later date, the author of the Trojan horse uses these IDs and passwords to
access the system and masquerade as an authorized user.
Threats from destructive programs can be substantially reduced through a combination of
technology controls and administrative procedures. The following examples are relevant to most
operating systems.
• Purchase software only from reputable vendors and accept only those products that are in
their original, factory-sealed packages.
• Examine all upgrades to vendor software for viruses before they are implemented.
• Establish an educational program to raise user awareness regarding threats from viruses and
malicious programs.
• Install all new applications on a stand-alone computer and thoroughly test them with antiviral
software prior to implementing them on the mainframe or LAN server.
• Routinely make backup copies of key files stored on mainframes, servers, and workstations.
• Use antiviral software (also called vaccines) to examine application and operating system
programs for the presence of a virus and remove it from the affected program. Antiviral
programs are used to safeguard mainframes, network servers, and personal computers. Most
antiviral programs run in the background on the host computer and automatically test all files
that are uploaded to the host. However, the software works only on known viruses. If a virus
has been modified slightly (mutated), there is no guarantee that the vaccine will work. It is
therefore important to maintain the current version of the vaccine.

c) Hacking (December 2015)(5 Marks)


Hacking: It is an act of penetrating computer systems to gain knowledge about the system and how
it works. Technically, a hacker is someone who is enthusiastic about computer programming and
all things relating to the technical workings of a computer.
Crackers are people who try to gain unauthorized access to computers. This is normally done
through the use of a "backdoor" program installed on the machine. Many crackers also try to gain
access to resources through the use of password cracking software, which tries billions of
passwords to find the correct one for accessing a computer.
There are many ways in which a hacker can hack. These are:
• NetBIOS
• ICMP Ping
• FTP
• rpc.statd
• HTTP

d) Data encryption and its importance. (June 2016)(5 Marks)


Data encryption is the conversion of important data to a format which is not
understandable to an unwanted receiver even if they have access to it. Thus encryption is a
combination of computer science and mathematics used to disguise the data. Data encryption ensures
confidentiality of the data. The desired receiver will have the key to recover the original
data from the encrypted version. The process of recovering the original data is called
decryption, and the key which is used to recover the original data is the decryption key.
Government data, financial data, personal data, tax information, credit card details and airline
data are very sensitive. If they fall into the wrong hands, it may be counter-productive. But these data
keep moving over the internet, and the internet is prone to unwanted access. So encryption helps in the
transmission of these valuable data in another form which is not understandable to unwanted
users. Normally two types of encryption techniques are used to secure the data. They are private
key encryption and public key encryption.

e) Piggybacking ( June 2011)(5 Marks) (December 2007)(5 Marks)


Piggybacking is the act of following an authorized person through a secured door or electronically
attaching to an authorized telecommunications link to intercept and possibly alter transmissions and
data. More precisely, this is gaining access to a restricted communications channel by using a
session established by another user without the subscriber's explicit permission or knowledge.
Piggybacking can be defeated by logging out before walking away from a workstation or terminal
or by initiating a screensaver that requires re-authentication when resuming.

f) Data encryption (June 2008)(2.5 Marks)


It is the process of converting information from one form to some other unreadable form using an
algorithm called a cipher with the help of a secret message called the key. The text to be converted
is called plaintext and the converted text is called ciphertext. There is also the reverse process,
called decryption, that converts the unreadable message back to the readable message. In the
decryption process, too, the use of the key is important.

g) Computer Fraud Detection (December 2009)(4 Marks)


Computer fraud means unauthorized, unauthenticated access to data, or changes to data and
information on the computers, networks and servers of an organization, made with wrong intention.
Computer fraud also includes the installation of unauthorized programs, spyware and applications with
malicious purpose on others' computers and networks.
Different activities or techniques can be adopted in order to detect computer fraud. Some of the
common techniques are:
• Firewall: A firewall protects against unauthenticated access to data and unauthorized entry to
organizational networks and systems. The firewall is the most widely used technique to secure
networks and systems from computer fraud. Hardware and software firewalls can be used
to protect against computer fraud.
• Use of antivirus: Antivirus software scans the computer system to detect, remove and/or
quarantine malicious applications. It prevents the spreading of such programs from one
computer to another and also protects against corruption of data. Regular scanning of
individual systems and servers can protect the computers from viruses and worms. Antivirus
software needs to be updated with virus definitions to track new viruses.
• Intrusion detection: This application helps to scan the large numbers of users who are
entering the system. Nowadays intrusion detection applications are built into firewalls.

h) Information System Control (December 2009)(4 Marks)


Information systems controls are methods and devices that attempt to ensure the accuracy,
validity, and propriety of information system activities. Information System (IS) controls must be
developed to ensure proper data entry, processing techniques, storage methods, and information
output. IS controls are designed to monitor and maintain the quality and security of the input,
processing, output, and storage activities of any information system.

i) Computer fraud (Old syllabus, December 2011)(5 Marks)


Computer fraud is any unauthorized and/or illegal activity, such as modification of data,
modification of software, destruction of hardware, unauthorized access, etc. It is performed
with knowledge of computer technology and results in theft, unauthorized use of
resources, modification of data, destruction of data/systems, etc. A perpetrator can commit a fraud
without leaving any evidence; therefore, computer fraud is often very difficult to detect compared
to other frauds.

Computer fraud is the use of a computer or the internet to harm others. People might use your personal
information in a wrong way which can harm you in one way or another. This can take the form
of computer hacking, sending virus mails to other people, sending spam mails, or stealing critical
information like an account number and using it in a wrong way. There can be numerous ways by
which dishonest people can harm other people. So you need to be extra cautious while using
a computer and the internet in order not to become the prey of these computer frauds. Computer frauds
can be of the following types:
i) Theft of data
ii) Inappropriate use of data
iii) Theft of mainframe computer time
iv) Theft of equipment and/or software
v) Destruction from viruses and similar attacks
vi) Deliberate manipulation in handling, entering, processing, transferring or programming data
vii) Theft of money by altering computer records
viii) Damage to the computer resources

j) Risk, threat, vulnerability and exposure. (June 2011)(16 Marks)


A risk is the likelihood that an organization would face a vulnerability being exploited or a threat
becoming harmful. Information systems can generate many direct and indirect risks. These risks
lead to a gap between the need to protect systems and the degree of protection applied.
A threat is an entity or event with the potential to cause harm to a computer system. This may arise
from technical conditions (program bugs, disk crashes), natural disasters (fires, floods), environmental
conditions (electric surges), human factors (lack of training, errors and omissions), unauthorized
access (hacking) or viruses. Threats may arise from both intentional and unintentional acts and
may come from internal and external sources. Threats should be identified and analyzed to
determine the likelihood of their occurrence and their potential to harm computer assets.
Vulnerability is the weakness in the system safeguards that exposes the system to threats. It may
be a weakness in an information system, cryptographic system or other components, for example
in system security procedures, hardware designs or internal controls that could be exploited by a
threat. Vulnerabilities potentially 'allow' a threat to harm or exploit the system.
Exposure is the extent of loss an organization has to face when a risk materializes. It is not just
the immediate impact; the real harm may occur in the long run. For example: loss of business,
failure to perform the system's mission, loss of reputation, privacy violation, and loss of resources.

k) Internal Threats and Software Vulnerability (December 2015)(5 Marks)


Internal threats: We tend to think that security threats to a business originate outside the
organization. In fact, the largest financial threats to business institutions come from insiders. Some
of the largest disruptions to service, destruction of e-commerce sites, and diversion of customer
credit data and personal information have come from insiders (once trusted employees).
Employees have access to privileged information, and in the presence of sloppy internal security
procedures, they are often able to roam throughout an organization's systems without leaving a
trace.
Studies have found that users' lack of knowledge is the single greatest cause of network security
breaches. Many employees forget their passwords to access computer systems or allow other
coworkers to use them, which compromises the system. Malicious intruders seeking system access
sometimes trick employees into revealing their passwords by pretending to be legitimate members
of the company in need of information. This practice is called social engineering.
Employees, both end users and information systems specialists, are also a major source of errors
introduced into an information system. Employees can introduce errors by entering faulty data or
by not following the proper instructions for processing data and using computer equipment.
Information systems specialists can also create software errors as they design and develop new
software or maintain existing programs.
Software vulnerability: Software errors also pose a constant threat to information
systems, causing untold losses in productivity.
A major problem with software is the presence of hidden bugs, or program code defects. Studies
have shown that it is virtually impossible to eliminate all bugs from large programs. The main
source of bugs is the complexity of decision-making code. Important programs within most
corporations may contain tens of thousands or even millions of lines of code, each with many
alternative decision paths. Such complexity is difficult to document and design; designers may
document some reactions incorrectly or may fail to consider some possibilities. Even after
rigorous testing, developers do not know for sure that a piece of software is dependable until the
product proves itself after much operational use.

l) Intrusion Detection System (Old Syllabus June 2011)(5 Marks)


Intrusion detection systems feature full-time monitoring tools placed at the most vulnerable points
or "hot spots" of corporate networks to detect and deter intruders continually. The system generates
an alarm if it finds a suspicious or anomalous event. Scanning software looks for patterns
indicative of known methods of computer attacks, such as bad passwords, checks to see if
important files have been removed or modified, and sends warnings of vandalism or system
administration errors. Monitoring software examines events as they are happening to discover
security attacks in progress. The intrusion detection tool can also be customized to shut down a
particularly sensitive part of a network if it receives unauthorized traffic.

m) Load Balancing and mirroring (Old Syllabus June 2011)( 5 Marks)


Load balancing distributes large numbers of access requests across multiple servers. The requests
are directed to the most available server so that no single device is overwhelmed. If one server
starts to get swamped, requests are forwarded to another server with more capacity.
Mirroring uses a backup server that duplicates all the processes and transactions of the primary
server. If the primary server fails, the backup server can immediately take its place without any
interruption in service. However, server mirroring is very expensive because each server must be
mirrored by an identical server whose only purpose is to be available in the event of a failure.

n) Assess the causes of information system failure (Old Syllabus June 2011)(5 Marks)
A very large percentage of information systems fail to deliver benefits or solve the problems for
which they were intended because the process of organizational change surrounding system
building was not properly addressed. The principal causes of information system failure are:
• Insufficient or improper user participation in the system development process
• Lack of management support
• High levels of complexity and risk in the systems development process
• Poor management of the implementation process
There is a very high failure rate among business process reengineering and enterprise application
projects because they require extensive organizational change that is often resisted by members of
the organization. Enterprise applications as well as system changes resulting from mergers and
acquisitions are also difficult to implement successfully because they usually require far-reaching
changes to business processes.

o) Detection of computer fraud (Old Syllabus June 2011)( 5 Marks)


The definition of what constitutes computer fraud becomes ever more complex with the ingenuity
of people who intend to deceive, misrepresent, destroy, steal information, or cause harm to others
by accessing information through deceptive and illegal means. Computer frauds are related with
the unauthorized entry into others network, unauthorized access of others data, changing of others
data or destroying of the data. The types of computer frauds vary from simpler to complex. Here
are some examples of computer frauds:
 Sending hoax emails intended to scare people
 Using illegally other computers or identity into the internet
 Using spyware to gather other information
 User of viruses and spam
Detection of computer fraud are as follows:

© The Institute of Chartered Accountants of Nepal 355


CAP III Paper- 5 Management Information and Control System

Conduct Frequent Audits: One way to increase the likelihood of detecting fraud and computer
abuses is to conduct periodic external and internal audits as well as special network security
audits. Auditors should regularly test system controls and periodically browse data files looking
for suspicious activities. However, care must be exercised to make sure employees‘ privacy rights
are not violated.
(ii) Use a Computer Security Officer: Most frauds are not detected by internal or external auditors.
The study shows that assigning responsibility for fraud deterrence and detection to a computer
security officer has a significant deterrent effect. This person should be independent of the
information system function. The security officer can monitor the system and disseminate
information about improper system uses and their consequences.
(iii) Use Computer Consultants: Many companies use outside computer consultants or in-house
teams to test and evaluate their security procedures. The security weakness is detected by them is
closely evaluated, and corresponding protective measures are implemented. Some companies
dislike this approach, because neither they want their weaknesses to be exposed nor do they want
their employees to know that the system can indeed be broken into.
(iv) Monitor System Activities: All system transactions and activities should be recorded in a log.
The log should indicate who accessed what data, when, and from which terminal. These logs
should be reviewed frequently to monitor system activity and trace any problems to their source.
There are a number of risk analysis and management software packages that can review computer
systems and networks. These systems evaluate security measures already in place and test for
weaknesses and vulnerabilities. A series of reports is then generated that explain the weaknesses
found and suggest improvements.
(v) Use Fraud Detection Software: People who commit fraud tend to follow certain patterns and
leave behind telltale clues, such as things that do not make sense. Software has been developed to
search out these fraud symptoms.

p) Computer frauds (December 2017)(5 Marks)


Computer fraud is defined as any act using computers, the Internet, Internet devices, and Internet
services to defraud people, companies, or government agencies of money, revenue, or Internet
access. There are many methods used to perform these illegal activities. Phishing, social
engineering, viruses, and DDoS (Distributed Denial of Service) attacks are fairly well known
tactics used to disrupt service or gain access to another's funds, but this list is not exhaustive.
Some examples of computer fraud are:
• Theft of data
• Inappropriate use of data
• Destruction from viruses and similar attacks
• Damage to computer resources

q) Internet Vulnerability (June 2018)(5 Marks)


Large public networks such as the Internet are more vulnerable than internal networks because they
are virtually open to anyone. The Internet is so huge that when abuses do occur, they can have an
enormously widespread impact. When the Internet becomes part of the corporate network, the
organization's information systems are even more vulnerable to actions from outsiders.
Computers that are constantly connected to the Internet by cable modems or Digital Subscriber
Line (DSL) are more open to penetration by outsiders because they use fixed Internet addresses
where they can be easily identified. (With dial-up service, a temporary Internet address is assigned
for each session.) A fixed Internet address creates a fixed target for hackers.

Telephone service based on Internet technology can be more vulnerable than the switched voice
network if it does not run over a secure private network. Most Voice over IP (VoIP) traffic over the
public Internet is not encrypted, so anyone linked to a network can listen in on conversations.
Hackers can intercept conversations to obtain credit card and other confidential personal
information or shut down voice service by flooding servers supporting VoIP with bogus traffic.

Vulnerability has also increased from widespread use of e-mail and instant messaging (IM). E-mail
can contain attachments that serve as springboards for malicious software or unauthorized access to
internal corporate systems. Employees may use e-mail messages to transmit valuable trade secrets,
financial data, or confidential customer information to unauthorized recipients. Popular instant
messaging applications for consumers do not use a secure layer for text messages, so they can be
intercepted and read by outsiders during transmission over the public Internet.

r) Firewalls (December 2015)(5 Marks) (December 2013)(5 Marks) (December 2007)(5 Marks) (June 2011)(5 Marks)

Firewall: A firewall is a collection of components (computers, routers, and software) that mediate
access between different security domains. All traffic between the security domains must pass
through the firewall, regardless of the direction of the flow. Since firewalls serve as an access
control point for traffic between security domains, they are ideally situated to inspect and block
traffic and coordinate activities with network intrusion detection systems (IDSs).

There are four primary firewall types from which to choose: packet filtering, stateful inspection,
proxy servers, and application-level firewalls. Any product may have characteristics of one or more
firewall types. The selection of firewall type is dependent on many characteristics of the security
zone, such as the amount of traffic, the sensitivity of the systems and data, and applications.
Additionally, consideration should be given to the ease of firewall administration, degree of
firewall monitoring support through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.

Typically, firewalls block or allow traffic based on rules configured by the administrator. Rule sets
can be static or dynamic. A static rule set is an unchanging statement to be applied to packet
headers, such as blocking all incoming traffic with certain source addresses. A dynamic rule set
often is the result of coordinating a firewall and an IDS.

For example, an IDS that alerts on malicious activity may send a message to the firewall to block
the incoming IP address. The firewall, after ensuring that the IP is not on a "white list", creates a
rule to block the IP. After a specified period of time the rule expires and traffic is once again
allowed from that IP.

Firewalls are subject to failure. When firewalls fail, they typically should fail closed, blocking all
traffic, rather than failing open and allowing all traffic to pass. Firewalls provide some additional
services such as network address translation, dynamic host configuration protocol and virtual
private network gateways.
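
The rule handling described above (a static rule, an IDS-driven dynamic rule checked against the white list, rule expiry, and failing closed), as an added example that is not part of the original answer. The class and method names, the addresses (documentation ranges), the 300-second rule lifetime and the default-allow policy for unmatched traffic are assumptions made for illustration.

```python
import ipaddress


class Firewall:
    """Toy model of a firewall with a static and a dynamic rule set (hypothetical)."""

    def __init__(self, static_deny, allow_list, block_seconds):
        # Static rule set: source networks that are always blocked.
        self.static_deny = [ipaddress.ip_network(n) for n in static_deny]
        # "White list": sources that an IDS alert must never get blocked.
        self.allow_list = [ipaddress.ip_network(n) for n in allow_list]
        self.block_seconds = block_seconds
        self.dynamic_blocks = {}   # source address -> expiry time in seconds
        self.healthy = True        # set to False to simulate a firewall fault

    @staticmethod
    def _matches(ip, networks):
        return any(ip in net for net in networks)

    def on_ids_alert(self, src, now):
        """The IDS reports malicious activity from src. Returns True if a rule was created."""
        ip = ipaddress.ip_address(src)
        if self._matches(ip, self.allow_list):
            return False                       # white-listed: no rule is created
        expiry = now + self.block_seconds
        # A repeated alert can extend the block but never shorten it.
        self.dynamic_blocks[ip] = max(expiry, self.dynamic_blocks.get(ip, 0))
        return True

    def decide(self, src, now):
        """Return (verdict, reason) for a packet from src arriving at time now."""
        if not self.healthy:
            return ("DROP", "fail-closed")     # a failed firewall blocks all traffic
        ip = ipaddress.ip_address(src)
        if self._matches(ip, self.static_deny):
            return ("DROP", "static-rule")
        expiry = self.dynamic_blocks.get(ip)
        if expiry is not None:
            if now < expiry:
                return ("DROP", "dynamic-rule")
            del self.dynamic_blocks[ip]        # rule expired: traffic is allowed again
        return ("ALLOW", "default")            # assumption: unmatched traffic passes


def run_demo():
    """Walk one constructed sequence of packets and IDS alerts through the firewall."""
    fw = Firewall(static_deny=["198.51.100.0/24"],
                  allow_list=["192.0.2.10/32"],
                  block_seconds=300)
    trace = [fw.decide("198.51.100.7", now=0),   # hit by the static rule
             fw.decide("203.0.113.5", now=0)]    # no rule yet
    fw.on_ids_alert("203.0.113.5", now=10)       # IDS asks for a block
    trace.append(fw.decide("203.0.113.5", now=11))
    trace.append(fw.decide("203.0.113.5", now=310))  # rule has expired
    fw.on_ids_alert("192.0.2.10", now=320)       # white-listed source: ignored
    trace.append(fw.decide("192.0.2.10", now=321))
    fw.healthy = False                           # simulated firewall failure
    trace.append(fw.decide("192.0.2.10", now=322))
    return trace


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```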

s) Preventive controls (June 2013)(5 Marks) (December 2013)(5 Marks)


Preventive Controls: Preventive controls are those inputs which are designed to prevent an error,
omission or malicious act from occurring. An example of a preventive control is the use of passwords to
gain access to a financial system. The broad characteristics of preventive controls are:
(i) A clear-cut understanding about the vulnerabilities of the asset
(ii) Understanding probable threats
(iii) Provision of necessary controls to prevent probable threats from materializing
Any control can be implemented in both a manual and a computerized environment for the same
purpose. Only the implementation methodology may differ from one case to another. The major
features of such control are:
♦ Employ qualified personnel
♦ Segregation of duties
♦ Access control
♦ Documentation
♦ Prescribing appropriate books for a course
♦ Training and retraining of staff
♦ Authorization of transaction
♦ Validation, edit checks in the application
♦ Firewalls
♦ Anti-virus software (sometimes this acts like a corrective control also), etc
♦ Passwords

t) Residual Risk ( December 2013)(5 Marks)


Residual Risk: Any risk still remaining after the countermeasures are analyzed and implemented is
called Residual Risk. An organization's management of risk should consider these two areas:
acceptance of residual risk and selection of safeguards. Even when safeguards are applied, there is
probably going to be some residual risk. The risk can be minimized, but it can seldom be
eliminated. Residual risk must be kept at a minimal, acceptable level. As long as it is kept at an
acceptable level, (i.e. the likelihood of the event occurring or the severity of the consequence is
sufficiently reduced) the risk can be considered as managed.

u) Internet security (June 2012)(5 Marks)


Internet security is a branch of computer security specifically related to the Internet. Its objective is
to establish rules and measures to use against attacks over the Internet. The Internet represents an
insecure channel for exchanging information leading to a high risk of intrusion or fraud, such as
phishing. Different methods have been used to protect the transfer of data, including encryption.
When a computer connects to a network and begins communicating with other computers, it is
essentially taking a risk. Internet security involves the protection of a computer's Internet account
and files from intrusion by an unknown user. Basic security measures involve protection by
well-selected passwords, change of file permissions and backup of the computer's data.
Security concerns are in some ways peripheral to normal business working, but serve to highlight
just how important it is that business users feel confident when using IT systems. Security will
probably always be high on the IT agenda simply because cyber criminals know that a successful
attack can be very profitable. This means they will always strive to find new ways to circumvent IT
security, and users will consequently need to be continually vigilant. Whenever decisions need to
be made about how to enhance a system, security will need to be held uppermost among its
requirements.

v) Public key encryption (June 2012)(5 Marks)


Public key encryption, also known as asymmetric encryption, is based on a public/private key pair.
The keys are mathematically linked, so that data encrypted with the public key can only be
decrypted with the corresponding private key.
With public key encryption, the sender converts the plaintext message into cipher text by
encrypting it with the public key in the message recipient's X.509 certificate. The message
recipient converts the cipher text back into the plaintext message by decrypting it with the
corresponding private key.

Figure 1 illustrates how public key encryption and decryption take place.

Figure 1. Public key data encryption and decryption


By using public key encryption, a message sender has assurance that only the recipient will be
able to read the message.

w) Information security control (Old Syllabus December 2012)( 5 Marks)


Information systems are a completely technology-related process in today's business organizations.
There is huge scope for people inside and outside the organization to create problems, commit fraud
and destroy information systems. Effective information system controls can therefore minimize
errors, fraud and destruction in the organization's information systems. Information system
controls are divided into four types:
• System control
• Procedural control
• Facility control
• Other control
System control attempts to ensure the accuracy, validity and propriety of information system
activities. It ensures proper data entry, processing techniques, storage methods and system output.
It includes input control, output control and storage control.
Procedural control includes standard procedures and documentation, authorization requirements,
disaster recovery, etc.
Facility control includes network control, encryption, firewalls, physical protection control,
biometric control, etc.
Other control includes programs of preventive maintenance of hardware, software updates and
maintenance, adequate electrical power supply, air conditioning, humidity control, fire prevention
standards, highly trained data entry personnel, etc.

Question No 3:
Explain the following techniques which are used to commit computer frauds.
(December 2004)(10 Marks)

i. Cracking                vi. Salami technique
ii. Hacking                vii. Spamming
iii. Logic time bomb       viii. Trojan horse
iv. Password cracking      ix. Virus
v. Piggy backing           x. Worm

Answer No 3:
i) Cracking
The cracking technique is unauthorized access to and use of a computer system, usually by means of
a personal computer and a telecommunication network. Crackers are hackers with malicious
intentions.

ii) Hacking
Hacking is unauthorized access to and use of computer systems, usually by means of a personal
computer and telecommunication network. Hackers do not intend to cause any damage.

iii) Logic time bomb
A program that lies idle until some specified circumstance or a particular time triggers it. Once
triggered, the bomb sabotages the system by destroying programs, data or both.

iv) Password cracking
An intruder penetrates a system's defence, steals the file containing valid passwords, decrypts them,
and then uses them to gain access to system resources such as programs, files, and data.

v) Piggy backing

Tapping into a telecommunication line and latching on to a legitimate user before he logs into the
system; the legitimate user unknowingly carries the perpetrator into the system.

vi) Salami technique
Tiny slices of money are stolen over a period of time (expenses are increased by a fraction of a
percent; increments are placed in a dummy account and later pocketed by the perpetrator).

vii) Spamming
E-mailing the same message to everyone on one or more Usenet news groups or LISTSERV lists.

viii) Trojan horse
Unauthorized computer instructions in an authorized and properly functioning program.

ix) Virus
Segment of executable code that attaches itself to software, replicates itself, and spreads to other
systems or files. Triggered by a predefined event, a virus damages system resources or displays a
message on the monitor.

x) Worm
Similar to a virus, except that it is a program rather than a code segment hidden in a host program.
A worm also copies and actively transmits itself directly to other systems. It usually does not live
long, but it is quite destructive while it is alive.

Question No 4:

What are the threats to operating system integrity? (June 2005) (8 Marks)
Answer No 4
Threats to Operating System Integrity:
Operating system control objectives are sometimes not achieved because of flaws in the operating
system that are exploited either accidentally or intentionally.
Accidental threats include hardware failures that cause the operating system to crash. Operating
system failures are also caused by errors in user application programs that the operating system
cannot interpret. Accidental system failures may cause whole segments of memory to be 'dumped'
to disks and printers, resulting in the unintentional disclosure of confidential information.
Intentional threats to the operating system are most commonly attempts to illegally access data or
violate user privacy for financial gain. However, a growing form of threat is from destructive
programs from which there is no apparent gain. These exposures come from three sources:

i) Privileged personnel who abuse their authority. Systems administrators and systems
programmers require unlimited access to the operating system to perform maintenance and
to recover from system failures. Such individuals may use this authority to access users'
programs and data files.
ii) Individuals, both internal and external to the organization, who browse the operating system
to identify and exploit security flaws.
iii) An individual who intentionally (or accidentally) inserts a computer virus or other form of
destructive program into the operating system.

Question No 5.
Discuss the role of a security administrator. ( December 2004)(10 Marks)
Answer No 5:
A security administrator is a person who is solely responsible for controlling and coordinating the
activities pertaining to all security aspects of the organisation.
• A security administrator attempts to ensure that the facilities in which systems are developed,
implemented, maintained and operated are safe from threats that affect the continuity of
installation and/or result in loss of security.
• The security administrator sets policy, subject to board approval.
• He also investigates, monitors, advises employees, and counsels management on matters
pertaining to security.
• The security administrator is responsible for establishing the minimal fixed requirements for
classification of information based on the physical, procedural and logical security elements.
The need to protect these securities is also stressed; he assigns responsibilities to job
classifications and formulates what is to be done in case of exceptions.
• The security administrator guides other information security administrators and users on the
selection and application of security measures; he trains them in how to mark and handle
processes, trains security coordinators, selects software security packages and solves problems.
The security administrator also does the following:
• Investigates all security violations.
• Advises senior management on matters of information resource control.
• Consults on matters of information security.
• A security administrator also has the responsibility of conducting a security program, which is
a series of ongoing, regular, periodic evaluations of the facilities available.
• A security administrator has to consider an extensive list of possible threats to the
organisation, prepare an inventory of assets, evaluate the existing controls, implement new
controls, etc.
The security administrator requires the assistance of many individuals because of their expertise in
that particular field. The auditor should see to it that these steps are performed on a regular basis and that the
results of the reviews are analyzed and documented, and should advise the management on appropriate
action in light of the results.

Question No 6:
Give an elaborate account on computer fraud and abuse techniques. (June 2004)(10 Marks)
Answer No 6:
Computer fraud and abuse techniques:
Some of the techniques are briefly discussed below:

Technique: Description
Cracking: Unauthorized access to and use of computer systems, usually by means of a personal computer and a telecommunications network. Crackers are hackers with malicious intentions.
Data diddling: Changing data before, during, or after it is entered into the system in order to delete, alter, or add key system data.
Data leakage: Unauthorized copying of company data such as computer files.
Denial of service attack: Attacker sends e-mail bombs (hundreds of messages per second) from randomly generated false addresses; the Internet service provider's e-mail is overloaded and shut down.
Eavesdropping: Listening to private voice or data transmissions, often using a wiretap.
E-mail forgery: Sending an e-mail message that looks as if it was sent by someone else.
E-mail threats: Sending a threatening message to try to get the recipient to do something that would make it possible to defraud him.
Hacking: Unauthorised access to and use of computer systems, usually by means of a personal computer and a telecommunications network. Hackers do not intend to cause any damage.
Internet misinformation: Using the internet to spread false or misleading information about companies.
Internet terrorism: Using the internet to disrupt electronic commerce and to destroy company and individual communications.
Logic time bomb: Program that lies idle until some specified circumstance or a particular time triggers it. Once triggered, the bomb sabotages the system by destroying programs, data, or both.
Masquerading or impersonation: Perpetrator gains access to the system by pretending to be an authorised user and enjoys the same privileges as the legitimate user.
Password cracking: Intruder penetrates a system's defenses, steals the file containing valid passwords, decrypts them, and then uses them to gain access to system resources such as programs, files, and data.
Piggybacking: Tapping into a telecommunications line and latching on to a legitimate user before he logs into the system.
Round-down: Computer rounds down all interest calculations to two decimal places. The remaining fraction of a percent is placed, in increments, in a dummy account controlled by the perpetrator.
Salami technique: Tiny slices of money are stolen over a period of time. (Expenses are increased by a fraction of a percent; increments are placed in a dummy account and later pocketed by the perpetrator.)
Scavenging: Gaining access to confidential information by searching corporate records. Scavenging methods range from searching trashcans for printouts or carbon copies of confidential information to scanning the contents of computer memory.
Social engineering: Perpetrator tricks an employee into giving out the information needed to get into a system.
Software piracy: Copying computer software without the publisher's permission.
Spamming: E-mailing the same message to everyone on one or more Usenet news groups or LISTSERV lists.
Superzapping: Unauthorised use of special system programs to bypass regular system controls and perform illegal acts.
Trap door: Perpetrator enters the system using a back door that bypasses normal system controls and perpetrates fraud.
Trojan horse: Unauthorised computer instructions in an authorised and properly functioning program.
Virus: Segment of executable code that attaches itself to software, replicates itself, and spreads to other systems or files. Triggered by a predefined event, a virus damages system resources or displays a message on the monitor.

N.B. Students are required to briefly discuss any 10 of these points.
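
An audit test of the kind that can be run against the round-down and salami techniques listed above, added here as an illustration and not part of the original answer. The function name, account numbers, balances, rate, postings and the round-half-up policy are constructed assumptions.

```python
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Constructed sample data: interest-bearing balances and the period rate.
BALANCES = {
    "A1": Decimal("1234.00"),
    "A2": Decimal("2599.00"),
    "A3": Decimal("318.00"),
    "A4": Decimal("7422.00"),
    "A5": Decimal("500.00"),
}
RATE = Decimal("0.0040")

# Constructed postings from a run in which every calculation was rounded
# down and the leftover was credited to X9, an account with no balance.
SUSPECT_POSTINGS = [("A1", "4.93"), ("A2", "10.39"), ("A3", "1.27"),
                    ("A4", "29.68"), ("A5", "2.00"), ("X9", "0.02")]

# Constructed postings from a run that followed the rounding policy.
CLEAN_POSTINGS = [("A1", "4.94"), ("A2", "10.40"), ("A3", "1.27"),
                  ("A4", "29.69"), ("A5", "2.00")]


def audit_interest_run(balances, rate, postings):
    """Recompute interest independently and compare it with what was posted.

    Assumed policy: interest = balance * rate, rounded half-up to the cent.
    Returns the per-account variances, any credits to accounts that hold no
    interest-bearing balance, and whether every variance runs against the
    customer (the signature of systematic rounding down).
    """
    posted = {}
    for account, amount in postings:
        posted[account] = posted.get(account, Decimal("0")) + Decimal(amount)

    variances = {}
    for account, balance in balances.items():
        expected = (balance * rate).quantize(CENT, rounding=ROUND_HALF_UP)
        diff = posted.get(account, Decimal("0")) - expected
        if diff != 0:
            variances[account] = diff

    unexplained = {acct: amt for acct, amt in posted.items()
                   if acct not in balances}
    one_sided = bool(variances) and all(v < 0 for v in variances.values())
    return {
        "variances": variances,
        "unexplained_credits": unexplained,
        "systematic_under_credit": one_sided,
        "shortfall": -sum(variances.values(), Decimal("0")),
    }


if __name__ == "__main__":
    for name, run in (("suspect", SUSPECT_POSTINGS), ("clean", CLEAN_POSTINGS)):
        print(name, audit_interest_run(BALANCES, RATE, run))
```

Random rounding errors fall on both sides of the expected amount; variances that all run against the customer, together with a credit to an account that earns no interest, are the pattern to escalate.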

Question No 7:
Detail the principles of Information Security. (June 2004)(10 Marks)
Answer No 7:
The eight core principles of information Security are discussed below:
1. Accountability: Security of information requires timely apportionment of responsibility and
accountability among data owners, process owners, technology providers and users. This
accountability should be formalized and communicated. Issues relating to specification of
ownership of data and information, identification of users and others who access the system,
recording of activities and assignment of responsibility for maintenance of data and
information etc. should be considered.
2. Awareness: In order to foster confidence, data owners, process owners, technology providers
and users must be able to gain knowledge of the existence and general extent of the risks
facing the organization and its system and the organization's security initiatives and
requirements. Security measures are only effective if all involved are aware of their proper
functioning and of the risks they address.
3. Multidisciplinary: Security covers technological, administrative, organizational, operational
and legal issues. Technical standards should be developed with and enforced by codes of
practice, audit, legislative, legal and regulatory requirements and awareness, education and
training.
4. Cost effectiveness: Different levels and types of security may be required to address the risks
to information. Security level and associated costs must be compatible with the value of the
information. The following issues must be considered:
• Value to and dependence of the organization on particular information assets.
• Value of the data or information itself, based on a pre-defined level of confidentiality or
sensitivity.
• Threats to the information, including the severity and probability of such threats.
• Safeguards that will minimize or eliminate the threats, including the costs of implementing
the safeguards.
• Costs and benefits of incremental increases to the level of security.
• Safeguards that will provide an optimum balance between the harm arising from a security
breach and the costs associated with the safeguards.
• Where available and appropriate, the benefit of adopting established minimum-security
safeguards as a cost-effective alternative to balancing costs and risks.
5. Integration: Measures, practices and procedures for security must be coordinated and
integrated with each other and with other measures, practices, and procedures of the
organization, so as to create a coherent system of security. This requires that all levels of the
information cycle are covered.
6. Reassessment: The security of information systems should be reassessed periodically, as
information systems and the requirements for their security vary over time.

7. Timeliness: Security procedures must provide for monitoring and timely response to real or
attempted breaches in security in proportion with the risk. Following issues must be
considered:
• Instantaneous and irrevocable character of business transactions.
• Volume of information generated from the increasingly interconnected and complex
information systems.
• Automated tools to support real-time and after-the-fact monitoring; and
• Expediency of escalating breaches to the appropriate decision making level.
8. Social factors: Information and the security of information should be provided and used in
such a manner that the rights and interests of others are respected. Level of security must be
consistent with the use and flow of information.

Question No 8:
Write short note on
Access controls in EDP set up. ( June 2004)(5 Marks)
Answer No 8:
In a shared database environment, access control risks include corruption, theft, misuse and
destruction of data. Several database control features are as follows:
(1) User View: It is a subset of the total database that defines the user's data domain and provides
access to the database. Although user views can restrict user access to a limited set of data,
they do not define task privileges such as read, delete or write.
(2) Database Authorization table: This contains rules that limit the actions a user can take.
This is similar to the access list used in operating systems. Each user is granted certain privileges
that are coded in the authority table, which is used to verify the user's action requests.
(3) User Defined Procedures: This allows the user to create a personal security program to
provide more positive user identification than a single password can e.g. a series of personal
questions which only the legitimate user knows.
(4) Data Encryption: Highly sensitive data like product formulas, password files etc. are
protected by this. It uses an algorithm to scramble selected data and makes it unreadable to
others. Also it protects data that are transmitted through networks.
(5) Biometric Devices: These measure various personal characteristics such as fingerprints, voice
prints, signatures etc., which are digitized and stored permanently in a database security file or
on an identification card of the user.
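
How a user view and an authorization table combine on each request, with every decision written to the kind of activity log an earlier answer calls for (who accessed what data, when, and from which terminal). This is an added example, not part of the original answer; the class, users, tables, columns, terminals, timestamps and denial threshold are all constructed for illustration.

```python
from collections import Counter

# Constructed user views: the tables and columns each user may see.
USER_VIEWS = {
    "payroll_clerk": {"employee": {"emp_id", "name", "salary"}},
    "sales_rep": {"customer": {"cust_id", "name", "credit_limit"}},
}

# Constructed authorization table: the actions each user may take on a table.
AUTHORITY_TABLE = {
    ("payroll_clerk", "employee"): {"read", "write"},
    ("sales_rep", "customer"): {"read"},
}


class DatabaseGate:
    """Checks each request against the view and the authority table, and logs it."""

    def __init__(self, views, authority):
        self.views = views
        self.authority = authority
        self.log = []   # one entry per request, allowed or not

    def _decide(self, user, action, table, columns):
        # The view limits WHICH data is reachable; unknown users reach nothing.
        visible = self.views.get(user, {}).get(table)
        if visible is None:
            return False, "table outside user view"
        hidden = sorted(set(columns) - visible)
        if hidden:
            return False, "columns outside user view: " + ", ".join(hidden)
        # The authority table limits WHAT may be done with that data.
        if action not in self.authority.get((user, table), set()):
            return False, "action not granted in authority table"
        return True, "granted"

    def request(self, user, terminal, when, action, table, columns):
        allowed, reason = self._decide(user, action, table, columns)
        self.log.append({"user": user, "terminal": terminal, "when": when,
                         "action": action, "table": table,
                         "columns": sorted(columns),
                         "allowed": allowed, "reason": reason})
        return allowed

    def review(self, max_denials):
        """Log review: (user, terminal) pairs with more than max_denials refusals."""
        denials = Counter((e["user"], e["terminal"])
                          for e in self.log if not e["allowed"])
        return sorted(pair for pair, n in denials.items() if n > max_denials)


def run_demo():
    """Replay six constructed requests; return the decisions and the review result."""
    gate = DatabaseGate(USER_VIEWS, AUTHORITY_TABLE)
    requests = [
        ("sales_rep", "T07", "2019-06-03T09:00", "read", "customer", ["name", "credit_limit"]),
        ("sales_rep", "T07", "2019-06-03T09:01", "write", "customer", ["credit_limit"]),
        ("sales_rep", "T07", "2019-06-03T09:02", "read", "customer", ["name", "bank_account"]),
        ("sales_rep", "T07", "2019-06-03T09:03", "read", "employee", ["salary"]),
        ("payroll_clerk", "T02", "2019-06-03T09:04", "write", "employee", ["salary"]),
        ("temp", "T07", "2019-06-03T09:05", "read", "customer", ["name"]),
    ]
    decisions = [gate.request(*r) for r in requests]
    return decisions, gate.review(max_denials=2), gate.log


if __name__ == "__main__":
    decisions, flagged, log = run_demo()
    print(decisions, flagged)
```

The second request shows why the view alone is not enough: the column is visible to the sales representative, but only the authority table stops the write.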

Question No 9:
"While computerization has an array of advantages, it also exposes the company to a number of
hazards". List some of these hazards and some measures to avoid them.
(December 2005)(6 Marks)
Answer No 9:
Some hazards of computerization are:
i) Machine breakdown (due to some hardware parts problem)
ii) Due to virus infection data can even be destroyed.
iii) Due to incompetence of staff the software can be erased from the machine and the data can be
corrupted.

iv) Anybody can purposefully damage the system or tamper with the data.
Some of the measures to avoid these hazards are:
• Regular backup of the extra company data.
• The computer should be protected from unauthorized users by restrictions on physical entry,
and it should be password protected so that the system cannot be started by any unauthorized
person.
• Data encryption
• Regular virus scanning & virus removal.
• Proper method of data recovery and database recreation.
• Contingent planning.
• The second level of password checking should be done by the software itself.

Question No 10
Why is information security important? (December 2005)(4 Marks)
Answer No 10:
In a global information society, where information travels through cyberspace on a routine basis,
the significance of information is widely accepted. In addition, information and the information
systems and communications that deliver the information are truly pervasive throughout
the organization – from the user's platform to local and wide area networks to servers to mainframe
computers. Organizations depend on timely, accurate, complete, valid, consistent, relevant and
reliable information. Accordingly, executive management has a responsibility to ensure that the
organization provides all users with a secure information systems environment.
It is clear that there are not only many direct and indirect benefits from the use of
information systems, but also many direct and indirect risks relating to the information
systems. These risks have led to a gap between the need to protect systems and the degree of
protection applied. Security failures may result in financial losses and/or intangible losses
such as unauthorized disclosure of competitive or sensitive information. Threats to information
systems may arise from intentional and unintentional acts and may come from internal or external
sources.
Adequate measures for information security help to ensure the smooth functioning of information
systems and protect the organization from loss or embarrassment caused by security failures.

Question No 11
What are the fundamental control objectives an operating system must achieve to perform its tasks
consistently and reliably? ( December 2005)(5 Marks)
Answer No 11:
Control objectives of an operating system:
i) The operating system must protect itself from users. User applications must not be able to
gain control of, or damage in any way, the operating system, thus causing it to cease running
or destroy data.
ii) The operating system must protect users from each other. One user must not be able to access,
destroy or corrupt the data or programs of another user.
iii) The operating system must protect users from themselves. A user's application may consist
of several modules stored in separate memory locations, each with its own data. One module
must not be allowed to destroy or corrupt another module.
iv) The operating system must be protected from itself. The operating system is also made up of
individual modules. No module should be allowed to destroy or corrupt another module.
v) The operating system must be protected from its environment. In the event of a power failure
or other disaster, the operating system should be able to achieve a controlled termination of
activities from which it can later recover.

Question No 12
Define a computer fraud. Discuss various types of computer frauds. (June 2005)(10 Marks)
Answer No 12
The definition of computer fraud is as follows:
"Using a computer to cause prejudice, in the sense of financial and/or reputation damage, to a
business" may be called a computer fraud. Computer frauds have been defined as any illegal act
for which knowledge of computer technology is essential for its preparation, investigation or
prosecution. Various types of computer frauds:

i) Clearly recognizable frauds such as investment frauds, secret market frauds and pyramid
schemes where a computer (usually via the internet) is used as a new medium to convey an
old message and the hapless victim is persuaded to part with money or credit card details.
Most of the frauds that are prevalent on the internet involve the offering of unrealistically
high returns on investment. Secret market frauds are a variation on this theme. Victims are
persuaded that there is a confidential and exclusive market for a particular kind of financial
instrument, a "prime bank guarantee" which offers a high rate of return. Pyramid schemes
again offer high returns for small contributions and invariably collapse leaving the last to join
without prospect of recovering any funds.

ii) Hacking in the generally recognized sense of unauthorized access and unauthorized
modification to computers. This includes the malicious introduction of a virus, the malicious
modification of email or the vandalism of web pages. This is now a popular activity amongst
hackers and considered to be a real problem for anyone doing business on the internet.
iii) Manipulation of a computer system to obtain money from an employer or a third party.
Examples of this are diversion of payments and creation of false employees/suppliers. These
frauds may require access to a system or part of a system from which the perpetrator is (or is
supposed to be) excluded. Businesses often fail to implement even the most
basic password and access controls. They thus allow access to their systems, which could
easily be denied.
iv) Theft and/or destruction of confidential and sensitive information. This is an area where
huge damage can be caused by employees and third parties who are able to gain access to
confidential and sensitive information and pass it on to competitors or simply destroy it.
v) Abuse of computer systems by employees. This involves an employee using the computer
system for his or her own purposes. Employees can write personal letters or run businesses from
their employer's computers. Employees can use email systems and the internet for private
purposes. Of particular concern to business must be the explosive growth of and ready access
to internet pornography combined with the increasing tendency of employers to allow staff
unrestricted internet access. An equally serious risk is the increased possibility of virus
infection from unauthorized files downloaded from the internet.
vi) Software piracy by either using counterfeit or unlicensed software or by distributing
counterfeit software by disk, CD or through the internet.

Question No 13
What kind of controls can be incorporated to make frauds increasingly difficult to perpetrate?
(June 2005) (10 Marks)
Answer No 13
Increase the difficulty of committing fraud
One way to deter fraud is to design a system with sufficient controls to make fraud difficult to
perpetrate. These controls help ensure the accuracy, integrity and safety of system resources.
i) Develop a Strong System of Internal Controls: The overall responsibility for a secure and
adequately controlled system lies with top management. Managers typically delegate the
design of adequate control systems to systems analysts, designers, and end users. The
corporate information security officer and the operations staff are typically responsible for
ensuring that control procedures are followed.

It is especially important to make sure that internal controls are in place during the end-of-the-year
holiday season. Research shows that a disproportionate amount of computer fraud and security
break-ins takes place during the holidays.
ii) Segregate Duties: There must be an adequate segregation of duties to prevent individuals
from stealing assets and covering up their tracks.
iii) Require Vacations and Rotate Duties: Many fraud schemes, such as lapping and kiting,
require the ongoing attention of the perpetrator. If mandatory vacations are coupled with a
temporary rotation of duties, such ongoing fraud schemes would fall apart.
iv) Restrict Access to Computer Equipment and Data Files: Computer frauds can be reduced
significantly if access to computer equipment and data files is restricted. Physical access to
computer equipment should be restricted, and legitimate users should be authenticated before
they are allowed to use the system. Unfortunately, companies often fail to delete or change ID
codes and passwords when employees leave or are transferred to another department.
v) Encrypt Data and Programs: Another way to protect data is to translate it into a secret code,
thereby making it meaningless to anyone without the means to decipher it.
vi) Protect Telephone Lines: Computer hackers (called phreakers when they attack telephone
systems) use telephone lines to transmit viruses and to access, steal, and destroy data.
One effective method to protect telephone lines is to attach an electronic lock and key to them.
When a new system is installed, never use the default passwords as they are all published on the
internet. On established systems, change the password frequently.
vii) Protect the System from Viruses: There are hundreds of thousands of virus attacks every year,
and an estimated 90% of the PCs that suffer a virus attack are re-infected within 30 days by
the same virus or some other virus. A system can be protected from viruses.
Fortunately, some very good virus protection programs are available. Virus protection programs
are designed to remain in computer memory and search for viruses trying to infiltrate the system.
The intrusion is usually detected when there is an unauthorized attempt to access an executable
program. When an infection attempt is detected, the software freezes the system and flashes a
message to the user. The user can then instruct the program to remove the virus. Virus detection
programs, which spot an infection soon after it starts, are more reliable than virus protection
programs. Virus identification programs scan all executable programs to find and remove all
known viruses from the system. These programs work by scanning the system for specific
characteristics of known virus strains.
Make sure that the latest versions of the anti-virus programs are used.
viii) Control Sensitive Data: To protect its sensitive data, a company should classify all of its
data according to its importance and confidentiality and then apply and enforce appropriate
access restrictions. It should shred discarded paper documents. Controls can be placed over
data files to prevent or discourage copying. Employees should be informed of the
consequences of using illegal copies of software, and the company should institute controls to
see that illegal copies are not in use. Sensitive and confidential information, backup tapes, and
system documentation should be locked up at night and should not be left out on desks. Servers
and PCs should also be locked when not in use. Companies should never store all of their data
in one place or give an employee access to all of it. Local area networks can use dedicated
servers that allow data to be downloaded but never uploaded to avoid infection by a network
computer. Closed-circuit televisions can be used to monitor areas where sensitive data or
easily stolen assets are handled.
Some organizations with particularly sensitive data are installing diskless PCs or workstations. All
data are stored centrally in a network and users download the data they need to work on each day.
At the end of the day all data to be saved must be stored in the network.
Since users can delete or destroy only the data on their screens, the company's data is secure; the
system is virtually immune to disasters a user might intentionally or unintentionally cause. In
addition, without disks, users cannot introduce viruses into the system with contaminated
diskettes. Nor does the company lose valuable data, because employees cannot copy company data
on diskettes and remove them from the premises.
ix) Control Laptop Computers: Special care should be given to laptops because thieves are
increasingly breaking into cars and hotel rooms to steal laptops for the confidential
information they contain. To control laptops, companies should take the following measures:

• Establish laptop security policies to require employees to back up data before travelling and
to separate source when on the road, and to never leave a laptop unattended.
• Install software that makes it impossible for the computer to boot up without a password.
• Password-protect and encrypt data on the hard disk so that if a laptop is stolen, the data
cannot be used.
• Employees should be asked to store confidential data on a disk, rather than the hard drive, and
always keep the diskette in their possession.
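
Items ii) and iv) of this answer (segregation of duties, and ID codes that are not deleted or changed when employees leave or are transferred) can be checked periodically by reconciling system accounts against the personnel roster. The Python sketch below is an added example, not part of the suggested answer; the roster, account list, department entitlements and conflicting-duty pairs are constructed sample data and assumed policy.

```python
"""Periodic access review over constructed sample data (all names hypothetical)."""
from typing import NamedTuple


class Finding(NamedTuple):
    user_id: str
    code: str
    detail: str


# Constructed personnel roster: employee id -> (status, current department).
HR_ROSTER = {
    "E101": ("active", "purchasing"),
    "E102": ("left", "accounts_payable"),
    "E103": ("active", "payroll"),  # transferred from accounts_payable
    "E104": ("active", "accounts_payable"),
}

# Constructed system accounts: (user id, employee id, enabled, entitlements).
ACCOUNTS = [
    ("asharma", "E101", True, {"create_supplier", "raise_purchase_order"}),
    ("bthapa", "E102", True, {"approve_payment"}),
    ("ckarki", "E103", True, {"approve_payment", "run_payroll"}),
    ("dgurung", "E104", True, {"create_supplier", "approve_payment"}),
    ("temp01", None, True, {"post_journal"}),
    ("olduser", "E102", False, {"approve_payment"}),
]

# Assumed policy: entitlements each department is allowed to hold.
DEPARTMENT_ENTITLEMENTS = {
    "purchasing": {"create_supplier", "raise_purchase_order"},
    "accounts_payable": {"approve_payment", "post_journal"},
    "payroll": {"run_payroll"},
}

# Assumed policy: duties that must not be combined in one person.
CONFLICTING_DUTIES = [
    ("create_supplier", "approve_payment"),
    ("raise_purchase_order", "approve_payment"),
]


def review_accounts(roster, accounts):
    """Return a list of Finding tuples for every enabled account that breaks policy."""
    findings = []
    for user_id, emp_id, enabled, entitlements in accounts:
        if not enabled:
            continue  # a disabled ID cannot be used to log on
        if emp_id not in roster:
            findings.append(Finding(user_id, "ORPHAN", "no matching employee record"))
            continue
        status, dept = roster[emp_id]
        if status != "active":
            findings.append(Finding(user_id, "LEAVER_ACTIVE", f"employee status is {status}"))
            continue
        # Access left over from a previous post shows up as entitlements
        # that the employee's current department is not allowed to hold.
        excess = entitlements - DEPARTMENT_ENTITLEMENTS.get(dept, set())
        for ent in sorted(excess):
            findings.append(Finding(user_id, "EXCESS_ACCESS", f"{ent} not allowed for {dept}"))
        for first, second in CONFLICTING_DUTIES:
            if first in entitlements and second in entitlements:
                findings.append(Finding(user_id, "SOD_CONFLICT", f"{first} + {second}"))
    return findings


if __name__ == "__main__":
    for finding in review_accounts(HR_ROSTER, ACCOUNTS):
        print(f"{finding.user_id:8} {finding.code:14} {finding.detail}")
```
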

Question No 14
What are the principles of Information Security? (December 2007)(8 Marks)
Answer No 14
Eight core principles of information security are discussed below:
i. Accountability:
Security of information requires timely allotment of responsibility and accountability to data
owners, process owners, technology providers and users. This accountability should be formalized
and communicated. Issues relating to specification of ownership of data and information,
identification of users and others who access the system, recording of activities and assignment of
responsibility for maintenance of data and information etc. should be considered and clarified.

ii. Awareness:
In order to foster confidence in information, data owners, process owners, technology providers
and users must be provided with the information of the system requirements for security, its
applications, risk to the organization and the organization's security initiatives and future
requirements. Security measures are only effective if all involved are aware of their
responsibilities for the proper functioning of the system, risk involved and the security measures
taken by the organization.

iii. Multidisciplinary:
Security measures cover technological, administrative, organizational, operational and legal
issues. Technical standards should be developed with and enforced by codes of practice,
audit, legislative, legal and regulatory requirements, awareness, education and training.

iv. Cost effectiveness:
Different levels and types of security may be required to address the risks to information. Security
level and associated costs must be compatible with the value of the information. The following issues
must be considered:
• Value to and dependence of the organization on particular information assets.
• Value of the data or information itself, based on a pre-defined level of confidentiality or
sensitivity.
• Threats to the information, including the severity and probability of such threats.
• Safeguards that will minimize or eliminate the threats, including the costs of implementing
the safeguards.
• Costs and benefits of incremental increases to the level of security.
• Safeguards that will provide an optimum balance between the harm arising from a security
breach and the costs associated with the safeguards.
• Where available and appropriate, the benefit of adopting established minimum security
safeguards as a cost-effective alternative to balancing costs and risks.

v. Integration:
Measures, practices and procedures for security must be coordinated and integrated with each
other and with other measures, practices, and procedures of the organization, so as to create a
coherent system of security. This requires that all levels of the information cycle are covered.

vi. Reassessment:
The security of information systems should be reassessed periodically, as information systems and
the requirements for their security vary over time.

vii. Timeliness:
Security procedures must provide for monitoring and timely response to real or attempted
breaches in security in proportion with the risk. The following issues must be considered:
• Instantaneous and irrevocable character of business transactions.
• Volume of information generated from the increasingly interconnected and complex
information systems.
• Automated tools to support real-time and after-the-fact monitoring.
• Expediency of escalating breaches to the appropriate decision making level.

viii. Social factors:
Information and the security of information should be provided and used in such a manner that the
rights and interests of others are respected. Level of security must be consistent with the use
and flow of information.

Question No 15:
Give a detailed description on general controls of computer, highlighting personal computer
controls. (June 2005) (10 Marks)
Answer No 15
General Control: These controls apply to a wide range of exposures that systematically threaten
the integrity of all applications processed within the Computer Based Information System (CBIS)
environment. General controls can be further subdivided under the following headings:
i) Operating system controls,
ii) Data management controls,
iii) Organizational structure controls,
iv) Systems development controls,
v) Systems maintenance controls,
vi) Computer centre security and controls,
vii) Internet and Intranet control,
viii) Personal computer control.

Personal Computer Controls
The capabilities, adaptability and user friendliness of Personal Computers (PCs) are posing a
serious challenge to auditors as stated below:

• PCs are likely to be shifted from one location to another or even taken outside the
organization.
• Decentralised purchasing of PCs can result in hardware/software incompatibility in the long
run.
• Floppies can be very conveniently transported from one place to another, as a result of which
data corruption may occur. Mishandling, improper storage etc. can also cause damage.
• The inherent data security provided is rather poor.
• There is a chance that application software is not thoroughly tested.
• Segregation of duties is not possible owing to limited number of staff.
• The operating staff may not be adequately trained.
• Computer viruses can slow down the system, corrupt data and so on.

The security measures that could be exercised are as follows:

• Physically locking the keyboard or the PC itself must be enforced.
• Proper logging of equipment shifting must be done.
• The PC purchase must be centrally coordinated and company-wide standards established for
spreadsheets, word-processors, applications software etc.
• Floppies must be stored in secured places and their issues duly authorized. They must be
adequately packed before any shipment.
• Data and programs on hard-disks must be secured using hardware/software mechanisms.
Backups must be taken regularly.
• Minimum standards must be set for developing, testing and documenting applications.
• Properly organized training programs must be periodically conducted. More than one user
should be trained on each application.
• Virus prevention and detection software obtained from reliable sources must be used.
Write-protect tabs should be used on diskettes that do not require any alteration. Pirated software
should be strictly avoided.
• The PCs and their peripherals must be maintained regularly.

While the proliferation of powerful PCs in recent years has its own plus points, the associated
risks must not be ignored. Thus, implementing effective controls is of prime importance.

Some other inherent problems of personal computers and the controls to be exercised are
discussed below:

Weak Access Control: Security software that provides log-on procedures is available for PCs.
Most of these programs, however, become active only when the computer is booted from the hard
drive. A computer criminal attempting to circumvent the log-on procedure may do so by forcing
the computer to boot from the A: drive, whereby an uncontrolled operating system can be loaded
into the computer's memory. Having bypassed the computer's stored operating system and
security package, the criminal has unrestricted access to data and programs on the hard disk.
Disk locks are devices that prevent unauthorized individuals from
accessing the floppy disk drive of a computer. One form of disk lock is a memory-resident
program that prevents the computer from being booted from the A: drive. The lock will also
prevent the A: drive from being used to run programs, upload data and programs to the hard disk,
or download from the hard disk. This form of disk lock is password controlled so it can be
disabled as needed by an authorized user.
Multilevel Password Control: It is used to restrict employees who are sharing the same
computers to specific directories, programs, and data files. This technique uses stored
authorization tables to further limit an individual's access to read-only, data input, data
modification, and data deletion capability. Multilevel password control can greatly enhance the
small organization's control environment.
Inadequate Backup Procedures: To preserve the integrity of mission-critical data and programs,
organizations need formal backup procedures. Computer failure, usually disk failure, is the
primary cause of significant data loss in the PC environment. If the hard drive of the
microcomputer fails, it may be impossible to recover the data stored on the disk. Formal
procedures for making backup copies of critical data (and program) files can reduce this threat
considerably. There are a number of options available for dealing with this problem.
Floppy Disk Backup: Files can be backed up to floppy disks at routine periods during processing
and stored away from the computer. In the event of a microcomputer failure, the data file can be
reconstructed from the backup disks.
Dual Internal Hard Drives: Microcomputers can be configured with two physical internal hard
disks. One disk can be used to store production data while the other stores the backup files.
External Hard Drives: A popular backup option is the external hard drive with removable disk
cartridge, which can store more than a gigabyte of data per cartridge. When a cartridge is filled,
the user can remove it and insert a new one. External hard drives can be used as an effective and
simple backup technique.

Question No 16:
What is the role of a security administrator? (June 2005) (10 Marks)

Answer No 16
A security administrator is a person who is solely responsible for controlling and coordinating the
activities pertaining to all security aspects of the organization.

• A security administrator attempts to ensure that the facilities in which systems are developed,
implemented, maintained and operated are safe from threats that affect the continuity of
installation and/or result in loss of security.
• The security administrator sets policy, subject to board approval.
• He also investigates, monitors, advises employees and counsels management on matters pertaining
to security.
• The security administrator is responsible for establishing the minimal fixed requirements for
classification of information based on the physical, procedural, and logical security elements.
The need to protect these is also stressed. He assigns responsibilities to job
classifications and formulates what is to be done in case of exceptions.
• The security administrator guides other information security administrators and users on the
selection and application of security measures. He trains them on how to mark and handle
processes, trains security coordinators, selects software security packages and solves problems.

The security administrator also does the following:

• Investigates all security violations.
• Advises senior management on matters of information resource control.
• Consults on matters of information security.
• A security administrator also has the responsibility of conducting a security program, which is
a series of ongoing, regular, periodic evaluations of the facilities available.
• A security administrator has to consider an extensive list of possible threats to the
organization, prepare an inventory of assets, evaluate the existing controls, implement new
controls etc.

The security administrator requires the assistance of many individuals because of their expertise in
that particular field. The auditor should see to it that these steps are performed on a regular basis and
that the results of the reviews are analyzed and documented, and should advise the management on
appropriate action in light of the results.

Question No 17:
What are the issues to be considered for Awareness reassessment of information security?
(December 2006)(10 Marks)

Answer No 17
To use information the user must be well informed and must be aware of the risks and security
initiatives. Security measures are effective if the user is aware of the functioning and the possible
risks. Some of the issues regarding awareness are:
• Level of detail disclosed must not compromise security.
• Appropriate knowledge is available to all parties who are involved and have a right to be
informed, not just the users.
• Awareness must be propagated to the new workers in the organization.
• Recognition and maintenance of awareness must be continuous.
Because of the varying nature of the information system, it must be reassessed periodically. Some
of the issues regarding reassessment are:
• Increase in dependence on the information systems requiring an upgrade to the business
continuity plans and arrangements.
• Changes to the information systems and their infrastructures.
• New threats to the information system requiring better safeguards.
• Emerging security technologies providing more cost effective safeguards than were possible
earlier.
• Different business focus, or organizational structure, or legislation necessitating a change in
existing level of security.

Question No 18:
Discuss potential risks involving computer frauds. (December 2006)(5 Marks)
Answer No 18
The potential risks involved with computer frauds are:

• Data leakage: Unauthorized copying of company data such as computer files.
• Data diddling: Changing data before, during or after it is entered into the system in order to
delete, alter or add key system data.
• Denial of service: Attacker sends email bombs (hundreds of messages per second) from
randomly generated false addresses; the internet service provider's email is overloaded and shuts
down.
• Email forgery: Sending an email message that looks as if it were sent by someone else.
• Viruses: Segment of executable code that attaches itself to software, replicates itself and
spreads to other systems or files. Triggered by a predefined event, a virus damages system
resources or displays a message on the monitor.
• Password cracking: Intruder penetrates a system's defenses, steals the file containing valid
passwords, decrypts them and then uses them to gain access to system resources such as
program files and data.
• Social engineering: Perpetrator tricks an employee into giving out the information needed to
get into a system.
• Spamming: Emailing the same message to everyone one or more.

Question No 19:
What are the control techniques ensured to be checked to ensure security for client/ server
technology? (June 2006)(5 Marks)
Answer No 19
To increase the security for the client/ server technology, an IS auditor should ensure that the
following control techniques are in place:
• Access to data and application is secured by disabling the floppy disk drive.
• Diskless workstations prevent unauthorized access.
• Unauthorized users may be prevented from overriding login scripts and access by securing
automatic boot or start up batch files.
• Network monitoring can be done to know about the client so that it will be helpful for later
investigation, if it is monitored properly. Various monitoring devices are used for this
purpose. Since this is a detective control technique, the network administrator must
continuously monitor the activities and maintain the devices, otherwise these tools become
useless.
• Data encryption techniques are used to protect data from unauthorized access.
• Authentication systems can be provided to a client so that they can enter into the system only by
entering login name and password.
• Smart cards can be used. They use intelligent hand held devices and encryption techniques to
decipher random codes provided by the client server based operating systems.
• Application controls may be used and users will be limited to access only those functions in
the system that are required to perform their duties.

Question No 20
The access control of features in EDP set up. (June 2006)(5 Marks)
Answer No 20
In a shared database environment access control risks include corruption, theft, misuse and
destruction of data. Several database control features are as follows:

• User view: It is a subset of the total database that defines the user's data domain and provides
access to the database. Although user views can restrict user access to a limited set of data,
they do not define task privileges such as read, delete or write.
• Database Authorization table: This contains rules that limit the actions a user can take.
This is similar to the access list used in operating systems. Each user is granted certain privileges
that are coded in the authority table, which is used to verify the user's action requests.
• User defined procedures: This allows the user to create a personal security program to
provide more positive user identification than a single password can, e.g. a series of personal
questions, which only the legitimate user knows.
• Data Encryption: Highly sensitive data like product formulas, password files etc. are
protected by this. It uses an algorithm to scramble selected data and makes it unreadable to
others. Also, it protects data that are transmitted through networks.
• Biometric Devices: These measure various personal characteristics, such as fingerprints,
voice record, signature etc., that are digitized and stored permanently in a database security
file or on an identification card of the user.
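
The user view and database authorization table described in this answer, and the stored authorization tables behind the multilevel password control in Answer No 15, work together: the view fixes which data a user can reach, the table fixes which actions are allowed on it. The Python sketch below is an added example, not part of the suggested answer; the employee records, view names, users and the ControlledDatabase class are hypothetical.

```python
"""User views combined with an authorization table (constructed data, hypothetical names)."""

ALL_COLUMNS = ("emp_id", "name", "dept", "salary")


def make_table():
    """Return a constructed employee master file."""
    return [
        {"emp_id": 1, "name": "Asha", "dept": "sales", "salary": 52000},
        {"emp_id": 2, "name": "Bikram", "dept": "sales", "salary": 48000},
        {"emp_id": 3, "name": "Chandra", "dept": "finance", "salary": 61000},
    ]


# User views: the data domain (which rows and columns) each view exposes.
USER_VIEWS = {
    "sales_directory": {
        "columns": ("emp_id", "name", "dept"),
        "rows": lambda r: r["dept"] == "sales",
    },
    "payroll_master": {"columns": ALL_COLUMNS, "rows": lambda r: True},
}

# Authorization table: the actions each user may request through each view.
AUTHORIZATION_TABLE = {
    ("clerk", "sales_directory"): {"read"},
    ("supervisor", "sales_directory"): {"read", "modify"},
    ("payroll_officer", "payroll_master"): {"read", "input", "modify", "delete"},
}


class AccessDenied(Exception):
    """Raised when a request fails the authorization table or leaves the view."""


class ControlledDatabase:
    def __init__(self, rows):
        self.rows = rows
        self.log = []  # every decision: (user, view, action, allowed)

    def _authorize(self, user, view, action):
        # The action request is verified against the table before any data is touched.
        allowed = action in AUTHORIZATION_TABLE.get((user, view), set())
        self.log.append((user, view, action, allowed))
        if not allowed:
            raise AccessDenied(f"{user} may not {action} through {view}")
        return USER_VIEWS[view]

    def _find(self, v, emp_id):
        for row in self.rows:
            if row["emp_id"] == emp_id and v["rows"](row):
                return row
        raise AccessDenied(f"record {emp_id} is outside the view")

    def read(self, user, view):
        v = self._authorize(user, view, "read")
        return [{c: r[c] for c in v["columns"]} for r in self.rows if v["rows"](r)]

    def insert(self, user, view, record):
        v = self._authorize(user, view, "input")
        if set(record) != set(ALL_COLUMNS) or set(v["columns"]) != set(ALL_COLUMNS):
            raise AccessDenied("input needs a complete record and a view exposing every column")
        if not v["rows"](record):
            raise AccessDenied("record falls outside the view")
        self.rows.append(dict(record))
        return True

    def modify(self, user, view, emp_id, changes):
        v = self._authorize(user, view, "modify")
        hidden = set(changes) - set(v["columns"])
        if hidden:
            raise AccessDenied(f"columns outside the view: {sorted(hidden)}")
        row = self._find(v, emp_id)
        if not v["rows"]({**row, **changes}):
            raise AccessDenied("change would move the record outside the view")
        row.update(changes)
        return True

    def delete(self, user, view, emp_id):
        v = self._authorize(user, view, "delete")
        self.rows.remove(self._find(v, emp_id))
        return True


if __name__ == "__main__":
    db = ControlledDatabase(make_table())
    print(db.read("clerk", "sales_directory"))
    try:
        db.modify("clerk", "sales_directory", 1, {"name": "X"})
    except AccessDenied as exc:
        print("denied:", exc)
```
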

Question No 21
Discuss the various techniques of computer fraud and abuse. (June 2006)(5 Marks)
Answer No 21
Various techniques of computer fraud and abuse are:
Cracking: Unauthorized access to and use of computer systems with malicious intentions.
Data diddling: Changing data before or after it is entered into another's system.
Data leakage: Unauthorized copying of the company data.
Eavesdropping: Listening to private voice or data communications.
Email forgery: Sending email messages that look as if they were sent by somebody else.
Email threats: Sending a threatening email.
Hacking: Unauthorized access to and use of others' computers with or without malicious intention.
Virus: A segment of self-executing program code that attaches to other programs and software so
that it can run on other systems and replicate itself to spread further, etc.

Question No 22
Why do you think that information security is a major concern in this IT era?
(June 2006)(5 Marks)
Answer No 22
Nowadays, information system security is a major concern because information is as valuable as
money, other physical assets and, ultimately, human life. Nowadays, records of banks, insurance,
airlines, universities, policies, armies, government, private offices and research are kept on
computer-based systems. These records may comprise many confidential and important data.
Every stakeholder in these data wants to preserve them and to contain the severity of any leakage.
Moreover, an unethical act by a doctor may destroy the life of a single person, but an unethical and
malicious act involving an information system may destroy countless lives. Thus it is essential to
secure the information system.

Question No 23
One of the major components of risk is threat. Risks to business from the computer fraud in terms
of threats are: (i) internal threats and (ii) external threats

a. What is threat?
b. What is/are internal threats? Discuss common types of frauds committed.
c. What is/are external threats? Discuss common types of frauds committed.
d. What are the measures that prevent or reduce the potential of risk from fraud?
(June 2007)(12 Marks)
Answer No 23
a. A threat is an entity or event with potential to cause harm to a computer system. This may
be intentional or unintentional. Threats should be identified and analyzed to determine the
likelihood of their occurrence and potential to harm computer assets. Threats may arise from both
intentional and unintentional acts and may come from internal and external sources. The threat
may arise from technical conditions (program bugs, disk crash), natural disaster (fires, floods),
environmental conditions (electric surges), human factors, lack of training, errors and omission,
unauthorized access (hacking) or viruses.

b. Internal threats are those threats that originate from inside the organization, mostly by
employees. There is evidence that the majority of frauds are originated by the organization's staff
since they have easy access to the organization's system. This may be intentional or
unintentional. Many times destruction is done by disgruntled employees who have access
that far exceeds what an outsider can do. The common techniques used are:
• Data entry error
• Alteration of the data during input
• Equipment or software failure
• Unauthorized computer use for personal gain including financial gain, personal entertainment
on company time
• Alteration of software instructions or functions
• Alteration or destruction or defacement of stored data in the system by the employee
• Theft or misuse of stored data
• Data destruction
• Sudden shut down of the system

c. External threats are those that originate from outside the organization's system. They
originate from outside the system when it is connected through the internet to external networks.
They may arise from technical conditions, man-made reasons, natural disaster, environmental
conditions, unauthorized access, malicious acts, etc.
• Removal of information during transmission through internet
• Transmission of virus, worm, etc.
• Interception of emails
• Interception of electronic payment during transmission
• Natural disaster like earthquake, flood, riot, etc.
• Electric voltage surge
• Hacking

d. Prevention measures are:

i. Make fraud less likely to occur by password control, access control etc.
ii. Use proper hiring and firing practices
iii. Manage disgruntled employees by properly addressing the issue
iv. Train employees in security and fraud prevention measures
v. Develop strong system of internal controls
vi. Adequate segregation of duties
vii. Require mandatory vacation and job rotation
viii. Restrict access to computer equipment and data files
ix. Encrypt data and programs in storage and during transmission
x. Protect telephone lines from misuse
xi. Protect the system from viruses
xii. Control access to system and stored data
xiii. Control laptop computers
xiv. Fire and earthquake proof building
xv. Install surge protector

Question No 24
What are the types of controls in a computer based systems? (June 2007)(5 Marks)
Answer No 24
General Controls: These are applicable to a wide range of areas that systematically threaten the
integrity of the applications processed within the computer information system. They can be
summarized as:
- Operating system controls
- Data management controls
- Internet and intranet controls
- Organizational structure controls
- System development controls
- Computer centre security controls
- Personal computer controls

Application Controls:
- They focus on specific application systems that are developed for a specific
purpose within a department or branch, such as the payroll system and the accounts receivable
system.

Question No 25
What are the principles of information security? Briefly describe the role of security administrator.
(December 2008)(15 Marks)
Answer No 25
Eight core principles of information security are discussed below:

i. Accountability: Security of information requires timely allotment of responsibility and
accountability to data owners, process owners, technology providers and users. This
accountability should be formalized and communicated. Issues relating to specification
of ownership of data and information, identification of users and others who access the
system, recording of activities and assignment of responsibility for maintenance of
data and information etc. should be considered and clarified.
ii. Awareness: In order to foster confidence in information, data owners, process owners,
technology providers and users must be provided with the information of the system
requirements for security, its applications, risk to the organization and the organization's
security initiatives and future requirements. Security measures are only effective if all
involved are aware of their responsibilities for the proper functioning of the system, risk
involved and the security measures taken by the organization.
iii. Multidisciplinary: Security measures cover technological, administrative, organizational,
operational and legal issues. Technical standards should be developed with and enforced by
codes of practice, audit, legislative, legal and regulatory requirements, awareness, education
and training.
iv. Cost effectiveness: Different levels and types of security may be required to address the risks
to information. Security level and associated costs must be compatible with the value of the
information. Following issues must be considered:
- Value to and dependence of the organization on particular information assets.
- Value of the data or information itself, based on a pre-defined level of confidentiality or
sensitivity.
- Threats to the information, including the severity and probability of such threats.
- Safeguards that will minimize or eliminate the threats, including the costs of implementing
the safeguards.
- Costs and benefits of incremental increases to the level of security.
- Safeguards that will provide an optimum balance between the harm arising from a security
breach and the costs associated with the safeguards.
- Where available and appropriate, the benefit of adopting established minimum security
safeguards as a cost-effective alternative to balancing costs and risks.
v. Integration: Measures, practices and procedures for security must be coordinated and
integrated with each other and with other measures, practices, and procedures of the
organization, so as to create a coherent system of security. This requires that all levels of the
information cycle are covered.
vi. Reassessment: The security of information systems should be reassessed periodically, as
information systems and the requirements for their security vary over time.
vii. Timeliness: Security procedures must provide for monitoring and timely response to real or
attempted breaches in security in proportion with the risk. Following issues must be
considered:
- Instantaneous and irrevocable character of business transactions.
- Volume of information generated from the increasingly interconnected and complex
information systems.
- Automated tools to support real-time and after-the-fact monitoring.
- Expediency of escalating breaches to the appropriate decision making level.
viii. Social factors: Information and the security of information should be provided and used in
such a manner that the rights and interests of others are respected. Level of security must be
consistent with the use and flow of information.
The main roles of a security administrator are:
a. To ensure that the environment and the facilities for system development, implementation,
maintenance and operation are safe and secure.
b. To set security policy, subject to approval from management.
c. To guide other security administrators and users on the selection and application of the
security measures.
d. To investigate all security violations.
e. To advise senior management on matters of information resource control.
f. To provide consultations on the information security matters.
g. To conduct a security program that involves a series of ongoing, regular and periodic
evaluations of the facilities.
h. To consider all possible threats to the information of the organization and develop an
inventory of the threats, existing control mechanisms, new controls and security measures etc.

Question No 26
One of the major components of risk is threat. Risk to business from the computer fraud in
terms of threats are: (i) internal threats and (ii) external threats
a) What is threat?
b) What are internal threats? Discuss common types of frauds committed.
c) What are external threats? Discuss common types of frauds committed.
d) What are the measures that prevent or reduce the potential of risk from fraud?
(December 2008)(15 Marks)
Answer No 26
a. A threat is an entity or event with potential to cause harm to a computer system. Threats
should be identified and analyzed to determine the likelihood of their occurrence and potential
to harm computer assets. This may arise from technical conditions (program bugs, disk
crash), natural disaster (fires, floods), environmental conditions (electric surges), human
factors (lack of training, errors and omission), unauthorized access (hacking) or viruses.
Threats may arise from both intentional and unintentional acts and may come from internal
and external sources.

b. Internal threats are those threats that originate from inside the organization, mostly by
employees. There is evidence that the majority of frauds are originated by the organization's staff,
since they have easy access to the organization's system. This may be intentional or
unintentional. In the majority of cases, destruction is committed by disgruntled employees
who have access that far exceeds what an outsider can do. The common techniques used are:
- Data entry error
- Alteration of the data during input
- Equipment or software failure
- Unauthorized computer use for personal gain including financial gain, personal entertainment
on company time
- Alteration of software instructions or functions.
- Alteration or destruction or defacement of stored data in the system by the employee.
- Theft or misutilization of stored data.
- Data destruction
- Sudden shut down of the system

c. External threats are those that originate from outside the organization's system, when it is
connected through the internet to external networks. They may arise from technical conditions,
man-made reasons, natural disasters, environmental conditions, unauthorized access, malicious
acts, etc.
- Removal of information during transmission through internet
- Transmission of virus, worm, etc.
- Interception of emails
- Interception of electronic payment during transmission
- Natural disaster – earthquake, flood, riot, etc.
- Electric voltage surge
- Hacking

d. Prevention measures are:
i. Make fraud less likely to occur by password control, access control, etc.
ii. Use proper hiring and firing practices so that ethical employees are hired and retained.
iii. Manage disgruntled employees by properly addressing the issue.
iv. Train employees in security and fraud prevention measures
v. Develop a strong system of internal controls
vi. Adequate segregation of duties
vii. Require mandatory vacation and job rotation to prevent the hiding of computer frauds.
viii. Restrict access to computer equipment and data files
ix. Encrypt data and programs in storage and during transmission.
x. Protect telephone lines from misuse
xi. Protect the system from viruses
xii. Control access to system and stored data
xiii. Control laptop computers
xiv. Fire and earthquake proof building
xv. Install surge protector

Question No 27
What is Information Security? What are the principles of Information Security?
(June 2008)(15 Marks)
Answer No 27
Information relates to data that have been put into a meaningful and useful context. Information has
been defined by Davis and Olson as "Information is data that has been processed into a form that
is meaningful to the recipient and is of real or perceived value in current or progressive decision".

Security relates to the protection of valuable assets against loss, disclosure or damage. Securing
valuable assets from threats, sabotage or natural disaster with physical safeguards such as locks,
perimeter fences and insurance is commonly understood and implemented by most organizations.

Information Security is the protection of data or information against harm from threats that will
lead to its loss, inaccessibility, alteration or wrongful disclosure. This is achieved through a
layered series of technological and non-technological safeguards such as physical security
measures, user identifiers, passwords, smart cards, biometrics, firewalls, etc.

The information security objective is supported by eight core principles. They are:
a) Accountability - Responsibility and accountability must be explicit
Security of information requires an express and timely apportionment of responsibility and
accountability among data owners, technology providers and users.
b) Awareness - Awareness of risks and security initiatives must be disseminated.
In order to foster confidence in information, data owners, process owners, technology providers,
users and other parties, with a legitimate interest to learn or be informed, must be able to gain
knowledge of the existence and general extent of the risks facing the organization and its systems
and the organization's security initiatives and requirements.
c) Multidisciplinary - Security must be addressed taking into consideration both technological
and non-technological issues.
Security is more than just technology; it also covers administrative, organizational, operational and
legal issues. Accordingly, technical standards should be developed with, and be reinforced by, codes
of practice; audit; legislative, legal and regulatory requirements; and awareness, education and
training.
d) Cost Effectiveness - Security must be cost effective.
Different levels and types of security may be required to address the risks to information. Security
levels and associated costs must be compatible with the values of the information.
e) Integration - Security must be coordinated and integrated.
Measures, practices and procedures for the security of information should be coordinated and
integrated with each other and with other measures, practices and procedures of the organization
and third parties on whom the organization's business processes depend, so as to create a coherent
system of security.
f) Reassessment - Security must be reassessed periodically.
The security of information systems should be reassessed periodically as information systems and
the requirements for their security vary over time.
g) Timeliness - Security procedures must provide for monitoring and timely response.
Organizations must establish procedures to monitor and respond to real or attempted breaches in
security in a timely manner in proportion with the risk. The increasingly interconnected real time
and trans-border nature of information and the potential for the damage to occur rapidly require
that organizations react swiftly.
h) Societal Factors - Ethics must be promoted by respecting the rights and interests of others.
Information and security of information should be provided and used in such a manner that the
rights and interests of others are respected and that the level of security must be consistent with the
use and flow of information that is the hallmark of a democratic society.

Question No 28
What is computer fraud and what are the primary risks to business from computer fraud?
(June 2008)(10 Marks)
Answer No 28
Computer fraud is any unauthorized and/or illegal activity, such as modification of data,
modification of software, destruction of hardware, unauthorized access, etc. It is performed
with knowledge of computer technology and results in theft, unauthorized use of
resources, modification of data, destruction of data/system, etc. A perpetrator can commit a fraud
without leaving any evidence; therefore, computer fraud is often more difficult to detect than other
frauds.
There are different types of risks that a business can face due to computer frauds and, in
general, we can classify them into two threats: internal and external threats.

Internal Threats: Internal threats are generated by personnel within the organization, and it
was found that, out of 5 attacks, mostly 4 attacks are internal.
External Threats: External threats are attacks that are attempted by people outside the
organization.
Both kinds of threats result in the following risks:
– Alteration of input to the system that can cause different financial losses, e.g., the attacker
increases the salary amount of an employee in the salary-sheet.
– Unauthorized use of processes or system time, e.g. use of internet for personal purpose.
– Tampering, copying of the software processes in unauthorized manner.
– Changing the computer instruction so that a different result is obtained. For example, fringe
benefit is calculated at a higher rate than the authorized rate.
– Alteration of data
– Removal of information.
– Destruction of system integrity
– Interference with web pages
– Transmission of virus or other malicious software
– Interception of emails
– Interception and alteration of electronic payments

Question No 29
What is computer fraud and what are the primary risks to business from computer fraud?
(December 2010)(15 Marks)

Answer No. 29
Computer fraud is any unauthorized and/or illegal activity, such as modification of data,
modification of software, destruction of hardware, unauthorized access, etc. It is performed
with knowledge of computer technology and results in theft, unauthorized use of
resources, modification of data, destruction of data/system, etc. A perpetrator can commit a fraud
without leaving any evidence; therefore, computer fraud is often more difficult to detect than other
frauds.

There are different types of risks that a business can face due to computer frauds and, in
general, we can classify them into two threats: internal and external threats.

Internal Threats: Internal threats are generated by personnel within the organization, and it
was found that, out of 5 attacks, mostly 4 attacks are internal.
External Threats: External threats are attacks that are attempted by people outside the
organization.
Both kinds of threats result in the following risks:
– Alteration of input to the system that can cause different financial losses, e.g., the attacker
increases the salary amount of an employee in the salary-sheet.
– Unauthorized use of processes or system time, e.g. use of internet for personal purpose.
– Tampering, copying of the software processes in unauthorized manner.
– Changing the computer instruction so that a different result is obtained. For example, fringe
benefit is calculated at a higher rate than the authorized rate.
– Alteration of data
– Removal of information.
– Destruction of system integrity
– Interference with web pages
– Transmission of virus or other malicious software
– Interception of emails
– Interception and alteration of electronic payments

Question No 30
What are the major internal controls that are used in the computer based information system?
(December 2010)(5 Marks)
Answer No 30
Computer-based internal controls, in a broader sense, are of two types:
- General Controls
- Application Controls

General Controls:
These controls apply to a wide range of exposures that systematically threaten the integrity of all
applications processed within the computer based information system. General controls are further
divided into:
- Operating system controls
- Data management controls
- Organizational structure controls
- System development controls
- System maintenance controls
- Computer centre security controls
- Internet and intranet controls
- Personal computer controls

Application Controls:
These controls are focused on exposures associated with specific systems, such as payroll,
accounts receivable and so on.

Question No 31
What are the control techniques to be checked to ensure security for client/server
technology? (Old Syllabus December 2010)(6 Marks)
Answer No 31
To increase the security of client/server technology, an Information System auditor should
ensure that the following control techniques are in place:
- Access to data and applications is secured by disabling the floppy disk drive.
- Diskless workstations prevent unauthorized access.
- Unauthorized users may be prevented from overriding login scripts and access by securing
automatic boot or start up batch files.
- Network monitoring can be done to know about the client so that it will be helpful for later
investigation, if it is monitored properly. Various monitoring devices are used for this
purpose. Since this is a detective control technique, the network administrator must
continuously monitor the activities and maintain the devices, otherwise these tools become
useless.
- Data encryption techniques are used to protect data from unauthorized access.
- Authentication systems can be provided to clients so that they can enter the system only by
entering a login name and password.
- Smart cards can be used. They use intelligent hand-held devices and encryption techniques to
decipher random codes provided by the client server based operating systems.
- Application controls may be used, and users will be limited to accessing only those functions in
the system that are required to perform their duties.

Question No 32
What do you mean by computer fraud? Explain the various types of computer frauds.
(Old Syllabus December 2010)(6 Marks)
Answer No 32
Computer frauds have been defined as any illegal act for which knowledge of computer
technology is essential for its perpetration, investigation or prosecution. More specifically,
computer frauds include the following:
- Unauthorized theft, use, access, modification, copying and destruction of software or data
- Theft of money by altering computer records or the theft of computer time
- Theft or destruction of computer hardware
- Use or the conspiracy to use computer resources to commit an offence
- Intent to illegally obtain information or tangible property through the use of

The various types of computer frauds are as follows:
(a) Clearly recognizable frauds such as investment frauds, secret market frauds and pyramid
scheme where a computer (usually via the Internet) is used as a new medium to convey an old
message and the hapless victim is persuaded to part with money or credit card details. Most of
the frauds that are prevalent on the Internet involve the offering of unrealistically high returns
on investment. Secret market frauds are a variation on this theme. Victims are persuaded that
there is a confidential and exclusive market for a particular kind of financial instrument, a
"prime bank guarantee" which offers a high rate of return. Pyramid schemes again offer high
returns for small contributions and invariably collapse leaving the last to join without prospect
of recovering any funds.
(b) Hacking in the generally recognized sense of unauthorized access and unauthorized
modification to computers. This includes the malicious introduction of a virus, the
modification of email or the vandalism of web pages. This is now a popular activity
amongst hackers and considered to be a real problem for anyone doing business on the
Internet.
(c) Manipulation of computer systems to obtain money from an employer or a third party.
Examples of this are diversion of payments and creation of false employees/suppliers. These
frauds may require access to a system or part of a system from which the perpetrator is (or is
supposed to be) excluded. As we know, businesses often fail to implement even the most
basic password and access controls. They thus allow access to their systems, which could
easily be defined.
(d) Theft and/or destruction of confidential and sensitive information. This is an area where huge
damage can be caused by employees and third parties who are able to gain access to
confidential and sensitive information and pass it on to competitors or simply destroy it.
(e) Abuse of computer systems by employees. This involves an employee using the computer
system for his or her own purposes. Employees can write personal letters or run businesses
from their employer's computers. Employees can use email systems and the Internet for
private purposes. Of particular concern to business must be the explosive growth of and ready
access to Internet pornography combined with the increasing tendency of employers to allow
staff unrestricted Internet access. An equally serious risk is the increased possibility of Virus
infection from unauthorized files downloaded from the Internet.
(f) Software piracy by either using counterfeit or unlicensed software or by distributing
counterfeit software by disk, CD or through the Internet.

Question No 33
Write short notes on
Internal Threats and external threats to Computer System
(Old Syllabus December 2010)(5 Marks)
Answer No 33
SN | Internal Threats | External Threats
---|---|---
1 | Those threats which are generated within the organizational system (hardware and software) by the use of internal staff | Those threats which are generated in the system from outside the system or organization
2 | Internal threats may arise due to altering of the data during input | There may be removal of information from the website
3 | It may be generated through unauthorized system use, including the theft of computer time and services | There may be destruction of system integrity
4 | It may be committed by modifying the software, making illegal copies, or using it in an unauthorized manner | Transmission of viruses by email
5 | It may be committed due to grudges among the staff within the organization | Interception of email and electronic payments

Question No 34
Identify key security threats in the e-commerce environment and briefly explain the key
dimensions of e-commerce security. (June 2010)(10 Marks)
Answer No 34
The most common and most damaging forms of security threats to e-commerce site include:

Malicious code: Viruses, worms, Trojan horses and "bad applets" are a threat to a system's integrity
and continued operation, often changing how a system functions or altering documents created on
the system.
Hacking and cyber-vandalism: Intentionally disturbing, defacing or even destroying a site.
Credit card fraud/theft: One of the most feared occurrences and one of the main reasons more
consumers do not participate in e-commerce. The most common cause of credit card fraud is a lost
or stolen card that is used by someone else, followed by employee theft of customer numbers and
stolen identities.

Spoofing: Occurs when hackers attempt to hide their true identities or misrepresent themselves by
using fake e-mail addresses or masquerading as someone else. Spoofing can also involve
redirecting a web link to an address different from the intended one, with the site masquerading as
the intended destination.

Denial of service attacks: Hackers flood a web site with useless traffic to inundate and overwhelm
the network, frequently causing it to shut down and damaging a site's reputation and customer
relationship.

Sniffing: A type of eavesdropping program that monitors information traveling over a network,
enabling hackers to steal proprietary information from anywhere on a network, including e-mail
messages, company files and confidential reports. The threat of sniffing is that confidential or
personal information will be made public.

Insider jobs: Although the bulk of internet security efforts are focused on keeping outsiders out, the
biggest threat is from employees who have access to sensitive information and procedures.

The major dimensions of e-commerce security are:

Integrity: The ability to ensure that information displayed on the web site or sent or received via
the internet has not been altered in any way by an unauthorized party.
Non-repudiation: The ability to ensure that e-commerce participants do not deny their online
actions.
Authenticity: Refers to the ability to verify an individual's or business's identity.
Confidentiality: Determines whether the information shared online, such as credit card numbers and
e-mail communication, can be viewed by anyone other than the intended recipient.
Privacy: Deals with the use of information shared during online transactions. Consumers want to
limit the extent to which their personal information can be divulged to other organizations, while
merchants want to protect such information from falling into the wrong hands.
Availability: Determines whether a web site is accessible and operational at any given moment.

Question No 35
Identify and discuss the major steps in developing e-commerce security plan
( June 2010)(10 Marks)

Answer No 35
The key steps in developing a security plan are:
Perform a risk assessment: an assessment of the risks and points of vulnerability.
Develop a security policy: a set of statements prioritizing the information risks, identifying
acceptable risk targets and identifying the mechanisms for achieving these targets
Create an implementation plan: a plan that determines how you will translate the levels of
acceptable risk into a set of tools, technologies, policies and procedures
Create a security team: the individuals who will be responsible for ongoing maintenance, audits and
improvements.
Perform periodic security audits.

Question No 36
What is a firewall? Explain the firewall's function in protecting the system and information assets.
(June 2010)(10 Marks)
Answer No 36
A firewall is placed between private networks, such as a LAN/WAN, and an external network, the Internet.
The role of the firewall is to control the access to the internal network sought by the user. The user
may be an employee, visitor, supplier, customer or a person not related to the organization. The firewall
processes names, Internet Protocol (IP) addresses, applications and all incoming requests, and
confirms the authenticity and validity of the access by checking against access rules programmed
into the system. The basic advantage of a firewall is that it prevents unauthorized communication,
controlling the security threat to the company's network.
There are essentially two types of firewall technologies: one is 'proxy' and the other is 'packet'. In
packet technology, the firewall scans each packet of incoming communication and verifies its source
and to whom it is addressed. Then it sets up state tables out of the packet and cross-checks with the
user-defined rules to make a decision on permission to enter the network.
A proxy firewall stops data originating from outside, checks it against the access rules, and passes
a 'proxy' of it to the network. A proxy is an application which acts as an intermediary between the
private network and the Internet to control the traffic. A proxy firewall needs programming work and
system resources, but is safer to a great extent in containing the threat of unauthorized access.
In addition to firewall systems, software tools are available that can be installed at locations
where sensitive data and information are stored. This software scans the identity references of the
user before access is given to the location. The use of such software tools at a few sensitive
locations is a second, additional control after the firewall check.
If the checking response is negative, access is denied or the location is switched off for work, and
the network administrator is notified to look into the incident. This software solution is called an
Intrusion Detection System.
A firewall is made up of computers and software. A firewall can be a communication processor,
known as a router, or a dedicated server along with software written for checking, verification and
decision making for allowing or disallowing the access. A firewall checks network traffic for
passwords, security codes and access rights before any decisions are made. A corporate network
can have more than one firewall installed at various locations.
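
The packet-technology decision described in Answer No 36 (check source and destination, consult the state table, then the user-defined rules) can be sketched in Python as follows. This is an added example, not part of the suggested answer; the class names, rule fields and all addresses (documentation ranges) are assumptions chosen for illustration.

```python
"""Minimal stateful packet filter: ordered rules, a state table, default deny.
All addresses and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_net: str             # CIDR block the source address must fall in
    dst_net: str             # CIDR block the destination address must fall in
    dport: Optional[int]     # destination port; None matches any port
    proto: str = "tcp"

    def matches(self, p: Packet) -> bool:
        return (p.proto == self.proto
                and ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and (self.dport is None or p.dport == self.dport))


class PacketFirewall:
    def __init__(self, rules):
        self.rules = list(rules)   # evaluated top to bottom, first match wins
        self.state = set()         # flows that a rule has already permitted

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. State table: packets of a permitted flow, in either direction,
        #    pass without the rules being evaluated again.
        if flow in self.state or reverse in self.state:
            return "allow"
        # 2. User-defined rules: the first rule that matches decides.
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "allow":
                    self.state.add(flow)   # remember the flow for its replies
                return rule.action
        # 3. No rule matched: deny by default.
        return "deny"


# Constructed rule set: 10.0.0.0/24 is the private LAN, 192.0.2.10 a public web server.
RULES = [
    Rule("allow", "10.0.0.0/24", "0.0.0.0/0", 443),    # LAN users may browse HTTPS
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", 443),  # anyone may reach the web server
    Rule("deny", "0.0.0.0/0", "10.0.0.0/24", None),    # nothing else enters the LAN
]


def demo():
    """Run six constructed packets through one firewall and return its decisions."""
    fw = PacketFirewall(RULES)
    packets = [
        Packet("203.0.113.7", 443, "10.0.0.5", 50000),   # unsolicited, no state yet
        Packet("10.0.0.5", 50000, "203.0.113.7", 443),   # LAN user opens HTTPS
        Packet("203.0.113.7", 443, "10.0.0.5", 50000),   # reply to that flow
        Packet("203.0.113.7", 443, "10.0.0.5", 50001),   # same host, different flow
        Packet("198.51.100.9", 40000, "192.0.2.10", 443),  # visitor to web server
        Packet("198.51.100.9", 40001, "192.0.2.10", 22),   # no rule covers port 22
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    print(demo())
```

The first and third packets are identical, yet only the third is allowed: the difference is the state-table entry created by the outbound request between them.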

Question No 37
Describe the methods for the fraud detection (June 2010)(5 Marks)
Answer No 37
The methods of fraud detection are:
Conduct frequent audits:
Periodic internal and external audits should be done to detect fraud and computer abuses.
Auditors should regularly test system controls and periodically browse data files looking for
suspicious activities.
Use of Computer Security officer:
Sometimes fraud cannot be detected by auditors alone, so the organization's own computer security
officer is essential. The security officer keeps on monitoring different security threats to reduce
fraudulent activity.
Fraud Detection Computer software:
Spying software for the detection of fraudulent activity can be used to reduce the threats.
These are dedicated software applications that analyze the patterns of data access, log files and
services used in order to detect fraud.
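
As an illustration of the log analysis that fraud detection software performs, the following added Python example (not part of the suggested answer) scans an application audit log for two indicators drawn from this compilation: a missing segregation of duties, where the same user both creates a supplier and approves a payment to it, and salary changes made outside business hours. The log format, action names, the 09:00 to 18:00 window and every log line are assumptions constructed for the example.

```python
"""Scan an application audit log for two fraud indicators.
The log format, action names and business hours are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2019-03-04T10:12:00 user=ram action=create_supplier target=S-1007
2019-03-04T10:40:00 user=sita action=approve_payment target=S-1001
2019-03-04T11:05:00 user=ram action=approve_payment target=S-1007
2019-03-04T14:30:00 user=gita action=update_salary target=E-0042
2019-03-04T23:47:00 user=hari action=update_salary target=E-0099
2019-03-05T09:15:00 user=sita action=create_supplier target=S-1008
2019-03-05T09:50:00 user=ram action=approve_payment target=S-1008
"""

LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) target=(?P<target>\S+)$")


def parse(log_text):
    """Return (events, rejected_line_numbers).

    Lines that do not parse are reported rather than silently dropped,
    because a damaged audit trail is itself worth investigating.
    """
    events, rejected = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LINE.match(line.strip())
        try:
            if match is None:
                raise ValueError("unrecognised line")
            event = match.groupdict()
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
        except ValueError:
            rejected.append(lineno)
    return events, rejected


def same_user_created_and_approved(events):
    """Segregation-of-duties check: (user, supplier) pairs where one user
    both created the supplier and approved a payment to it."""
    created, approved = defaultdict(set), defaultdict(set)
    for e in events:
        if e["action"] == "create_supplier":
            created[e["target"]].add(e["user"])
        elif e["action"] == "approve_payment":
            approved[e["target"]].add(e["user"])
    return sorted((user, target)
                  for target in created
                  for user in created[target] & approved.get(target, set()))


def off_hours_changes(events, action="update_salary", start=9, end=18):
    """Sensitive changes made outside the assumed business hours."""
    return [(e["user"], e["target"], e["ts"].isoformat())
            for e in events
            if e["action"] == action and not (start <= e["ts"].hour < end)]


def report(log_text):
    """Collect all findings for one log into a dictionary."""
    events, rejected = parse(log_text)
    return {
        "segregation_of_duties": same_user_created_and_approved(events),
        "off_hours_changes": off_hours_changes(events),
        "unparsable_lines": rejected,
    }


if __name__ == "__main__":
    for finding, items in report(SAMPLE_LOG).items():
        print(finding, items)
```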

Question No 38
Discuss about the primary risk to the Business (June 2010)(5 Marks)
Answer No 38
The primary risks to the business are internal threats and external threats.
Internal Threats:
The internal threats to the business are its own staff. For the business, internal threats are more
dangerous than external threats. A common way for insiders to carry out computer fraud is by
altering the data during input. Another is through unauthorized system use, including the theft of
computer time and services. People use official computer resources for personal browsing of the
internet. Internal threats also exist in the changing or damaging of organizational data.

External Threats:
© The Institute of Chartered Accountants of Nepal 395


CAP III Paper- 5 Management Information and Control System

The intruders to the network and computer system are the external threats through the information
system to the business. Some of the external threats are:
 Removal of information
 Destruction of system integrity
 Interference with web pages
 Transmission of viruses by email
 Interception of email
 Interception of electronic payments
 Network attacks such as Denial of service attacks, data flooding etc.

Question No 39
Differentiate between threat and vulnerability. ( June 2011)(4 Marks)
Answer No 39
A vulnerability is a weakness or flaw found in software and operating systems that threats try to
exploit. Threats are malicious files or programs that attack an application's or operating system's
vulnerability to gain access to a computer. Vulnerability is essentially a weakness, found in a
program. Threats come in many forms, depending on their mode of attack. From viruses to
Trojans, spyware and bots, threats have evolved into sophisticated programs intended to
harm computers.
Risk is a function of When a threat exploits vulnerabilities it creates a risk of data loss, damage
or destruction of assets. Threats (actual, conceptual, or inherent) may exist, but if there are no
vulnerabilities then there is little/no risk. Similarly, one can have a vulnerability, but if there is
no threat, then there is little/no risk.
Accurately assessing threats and identifying vulnerabilities is critical to understanding the risk to
assets. Understanding the difference between threats, vulnerabilities, and risk is the first step.

Question No 40
Explain about the vulnerability of the information system. (December 2012)(5 Marks)
Answer No 40
As large volumes of data are stored in electronic format in a computer-based information
system, it is susceptible to various types of threats. Thus threats to the computer system are also
threats to the information system. Common threats to the computerized information system can
be summarized as:
 Failure of computer hardware during the operation.
 Failure of the working of the software during the operation.
 Malpractices of the personnel working in the information system.
 Unauthorized access to the terminals in use.
 Theft, deletion, changes of the data, services and equipment of the information system.
 Fire and destruction of the physical infrastructure.
 Electrical power supply problem and outage.
 Unintentional human errors during the process of operation of the system.
 Telecommunication and networking problems.

Question No 41
What are the potential threats to the information system? How can you prevent computer system
from frauds? (Old Syllabus December 2012)( 7 Marks)
Answer No 42
The chance of valuable data, information and computer systems being removed, altered, destroyed
or stolen can be termed the potential threat to the information system. There are mainly
two types of threats to the information system. They are:
 Internal Threats and
 External Threats.
Internal Threats:
The internal threats to the business come from its own staff. For the business, internal threats are
more dangerous than external threats. One common way for insiders to carry out computer fraud is
altering data during input. Another is unauthorized system use, including the theft of computer
time and services. People use official computer resources for personal browsing of the Internet.
Internal threats also include the changing or damaging of organizational data.
External Threats:
Intruders into the network and computer systems are the external threats to the business through
the information system. Some of the external threats are:
 Removal of information
 Destruction of system integrity
 Interference with web pages
 Transmission of viruses by email
 Interception of email
 Interception of electronic payments
Here are some methods which can be adopted to prevent computer fraud:
 Use proper hiring and firing practices
 Manage disgruntled employees
 Train employees in security and fraud prevention measures
 Develop strong system of internal controls
 Restrict access to computer equipment and data files
 Encrypt data and programs
 Protect system from viruses
 Control sensitive data
 Conduct frequent audit of the system
 Use a system security mechanism
 Monitor system activities
 Implement system security tools such as firewall, antivirus etc.

Question No 43
Write short notes on Access control in electronic data processing
(Old Syllabus December 2012)( 5 Marks)
Answer No 43
Access control in electronic data processing addresses risks including corruption, theft, misuse and
destruction of data. Several database control features are as follows:
i) User view: It is a subset of the total database that defines the user's data domain and
provides access to the database. Although user views can restrict user access to a limited set
of data, they do not define task privileges such as read, delete or write.
ii) Database Authorization table: This contains rules that limit the actions a user can take.
This is similar to the access list used in an operating system. Each user is granted certain privileges
that are coded in the authority table, which is used to verify the user's action requests.
iii) User defined procedures: This allows the user to create a personal security program to
provide more positive user identification than a single password can, e.g. a series of personal
questions which only the legitimate user knows.
iv) Data Encryption: Highly sensitive data like product formulas, password files etc. are
protected by this. It uses an algorithm to scramble selected data and makes it unreadable to
others. It also protects data that are transmitted through networks.
v) Biometric Devices: These measure various personal characteristics, such as fingerprints,
voice record, signature etc., which are digitized and stored permanently in a database security
file or on an identification card of the user.
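
The split between a user view (which data a user can see) and the authorization table (which actions a user may take) can be shown in code. This is an added example, not part of the suggested answer; SQLite stands in for the DBMS, and the table, view, user and function names are hypothetical.

```python
import sqlite3

class AccessDenied(Exception):
    """Raised when the authorization table has no rule permitting the request."""

# Object names cannot be bound as SQL parameters, so requests are checked
# against this fixed allow-list before a name is placed in a statement.
OBJECTS = {"employee", "sales_directory"}

def build_db():
    """Constructed sample data; every name below is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT,
                               dept TEXT, salary INTEGER);
        INSERT INTO employee VALUES (1, 'Asha', 'Sales', 52000),
                                    (2, 'Bikram', 'Sales', 48000),
                                    (3, 'Chandra', 'Audit', 61000);

        -- User view: the clerk's data domain (Sales rows only, no salary).
        CREATE VIEW sales_directory AS
            SELECT id, name, dept FROM employee WHERE dept = 'Sales';

        -- Authorization table: the actions each user may take on each object.
        CREATE TABLE authority (username TEXT, object TEXT, action TEXT,
                                PRIMARY KEY (username, object, action));
        INSERT INTO authority VALUES ('clerk', 'sales_directory', 'read'),
                                     ('hr', 'employee', 'read'),
                                     ('hr', 'employee', 'write');
    """)
    return db

def is_authorized(db, user, obj, action):
    """Verify an action request against the authorization table."""
    row = db.execute(
        "SELECT 1 FROM authority WHERE username = ? AND object = ? AND action = ?",
        (user, obj, action)).fetchone()
    return row is not None

def read_rows(db, user, obj):
    """Return the rows of a table or view if the user holds 'read' on it."""
    if obj not in OBJECTS or not is_authorized(db, user, obj, "read"):
        raise AccessDenied(f"{user} may not read {obj}")
    cur = db.execute(f"SELECT * FROM {obj} ORDER BY id")
    cols = [c[0] for c in cur.description]
    return [dict(zip(cols, row)) for row in cur.fetchall()]

def update_salary(db, user, emp_id, salary):
    """Change a salary if the user holds 'write' on the base table."""
    if not is_authorized(db, user, "employee", "write"):
        raise AccessDenied(f"{user} may not write employee")
    db.execute("UPDATE employee SET salary = ? WHERE id = ?", (salary, emp_id))
    db.commit()

def denied(fn, *args):
    """Helper: True when the call is refused by the access check."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False
```

The view alone would not stop the clerk from issuing an update; it is the authorization table lookup that refuses the action.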

Question No 44
Why are systems vulnerable? Mention the common threats against contemporary information
system. (June 2012)(5 Marks)
Answer No 44
Information systems are vulnerable to technical, organizational, and environmental threats from
internal and external sources. The weakest link in the chain is poor system management. If
managers at all levels don't make security and reliability their number one priority, then the threats
to an information system can easily become real. The figure below gives some of the threats to
each component of a typical network.

Common threats against contemporary information systems are:
 Errors and Omissions
 Fraud and Theft
 Employee Sabotage
 Loss of Physical and Infrastructure Support
 Malicious Hackers
 Industrial Espionage
 Malicious Code
 Malicious Software
o Virus
o Worms
o Trojan horse
 Threats to Personal Privacy

Question No 45
Briefly outline the importance of information system security for modern businesses.
(Old Syllabus, June 2012)(4 Marks)
Answer No 45
The major factors that reinforce the importance of information security for modern businesses are:
i. Preservation of data and information and prevention of data corruption or loss.
ii. Since data and knowledge are the main assets of a modern organization, security measures
to ensure preservation of such assets are greatly welcome.
iii. Most information, such as business plans, product design documents, new developments,
intellectual properties, copyrighted patents etc., is in digital format, and any loss of such
vital information may have a direct impact on the organization and its business potential.
So, the information system should be secure to ensure the integrity of such vital information.

Question No 46
Describe the security mechanisms used for electronic commerce. ( December 2013)(5 Marks)
Answer No 46
The main components of the security mechanism used for electronic commerce are:
i. User authentication mechanism using simple means such as normal userid/password to more
complex means such as smart cards, multi-layer passwords etc.
ii. Use of secure transaction channels over encrypted virtual private networks etc. However, this
may not be very effective in public e-commerce sites (i.e. B2C or C2C e-commerce facilities).
iii. Use of secure mechanisms such as secure HTTP, public key infrastructure or digital
signatures to ascertain the authenticity of the transactions and their sources.
iv. Use of professional and dedicated third party certification, monitoring and control mechanisms
to make sure that the trust level of the transactions is high.
v. Use of robust systems to counter threats such as viruses, intrusion, hacking, man-in-the-
middle attacks etc.

Question No 47
Imagine yourself as the security auditor of the information system in a company which also has a
public website and e-commerce portal integrated to the information system. What are the major
security parameters which you have to check? ( December 2013)(5 Marks)
Answer No 47
The major factors that I shall have to consider as a security auditor are:
i. The installation quality of the system including power source, environment and temperature
assurance.
ii. To make sure that the access to the system servers and system room is restricted only to the
designated persons.
iii. To check whether proper data and system backup procedures are followed.
iv. Since the system is connected to the public network for the public website, to check whether
a proper firewall or security appliance is used to restrict system access from the external network.
v. To make sure that the system team has well-defined guidelines and work description for each
individual.
vi. To make sure that the system is regularly monitored for system errors or alerts and are well-
documented along with the remedies employed.
vii. To check whether the system hardware is well-maintained and the software is properly
tuned with necessary patches and upgrades.
viii. To make sure that the e-commerce activities are properly recorded and the necessary reports
are regularly generated and filed.

Question No 48
Assume that you are hired as the IT consultant for a modern commercial bank also offering
commercial transaction over online portal. You are assigned a task of doing a thorough audit of the
security of the information systems used in that bank and recommend solutions to enhance security.
a) What are the main areas that you shall look into to evaluate the security situation of the
information systems?
b) Prepare a sample questionnaire for the employees to assess their level of awareness regarding
information security.
c) What security measures would you recommend to make the electronics payment transactions
more secure for the bank? (December 2014)(20 Marks)
Answer No 48
a) The major areas recommended are:
 The system architecture and possible areas of security concern.
 The system deployment modality.
 Logistic arrangements such as power, network connectivity etc. Power backup and network
redundancy are critical for system reliability and robustness.
 The security arrangement at the network boundaries such as Internet access points, customer
access points etc. It is necessary to make sure that no unnecessary exposure is given to the
system.
 The system configuration and user profiles. Proper distribution of controlled privileges and
accesses into the system, both physically as well as over network, is important to ensure
optimum security.
 Data backup and system backup restoration facility is critical to recover system and data in
case of crisis.
 Robustness of the user interfaces and online applications to make sure that user credentials
are properly checked and enforced while making system foolproof from unlawful access.
 Security checking of banking software and outlets such as ATM, office counters, online
portals.
 Use of secure applications and protocols for business and monetary transaction interfaces.
b) The sample questionnaire is as follows:
 Do you use computer on a regular basis? (yes/no)
 For what purpose do you use a computer? (Internet/Office Work/Entertainment)
 Do you have username/password to open your computer? (Yes/No)
 If you have username/password, do you share that with your colleagues? (Yes/No)
 Do you share your username/password for official database or ERP access with your
colleagues with similar privilege? (Yes/No)
 Do you know about computer viruses? (Yes/No)
 Do you know about hacking and intrusion? (Yes/No)
 Does your computer have antivirus software? (Yes / No). If yes, is the software regularly
updated? (Yes/No)
 Do you know that your computer activity can be tracked by hidden programs and your data
stolen? (Yes / No).
c) Following techniques are recommended:
 Use of secure web interfaces (SSL based with authentic digital certificates) for online
transactions.
 Use of links from registered and proven service providers to connect the outlets such as
ATMs and payment kiosks.
 Use of secure VPN and data encryption technology for monetary transaction outlets such as
online portal, department store counters and even ATM terminals.
 Use of robust firewall and antivirus systems at the major boundaries of system such as server
network, bank-wide intranet, Internet access gateways, connectivity to other banks and
partners etc.
 Use of redundant network links, power backup at data centers and data backup arrangement to
prevent system outage and data loss in cases of disaster.
 Deployment of major data servers at more than one geographical location.
 Hosting of the online portals with a proven web hosting organization if the hosting is not
possible within the bank's own network.
 Regularly audit, update, patch and upgrade the system to stay ahead of latest threats and
loopholes.

Question No 49
Define a hacker and explain how hackers create security problems and damage systems.
(December 2014)(5 Marks)
Answer No 49
A hacker (or intruder) is an individual who intends to gain unauthorized access to a computer
system. Within the hacking community, the term cracker is typically used to denote a hacker with
criminal intent, although in the public press, the terms hacker and cracker are used interchangeably.

Hacker activities have broadened beyond mere system intrusion to include theft of goods and
information, as well as system damage and cybervandalism. Cybervandalism is the intentional
disruption, defacement, or even destruction of a Web site or corporate information system.

Hackers create security problems in a number of ways as given below.

Spoofing and sniffing – Spoofing is, generally, the act of one person pretending to be someone
else. Hackers attempt to hide their true identity by using fake email address or masquerading as
someone else. Spoofing can also involve redirecting a Web link to an address different from the
intended one, with a site masquerading as the intended destination. A sniffer is a type of
eavesdropping program that monitors information traveling over a network. Sniffers enable
hackers to steal proprietary information from anywhere on a network, including email messages,
company files, and confidential reports.

Denial of service attacks – In a denial of service (DoS) attack, hackers flood a network server or
Web server with many thousands of false communications or requests for services to crash the
network. A distributed denial of service (DDoS) attack uses numerous computers to inundate and
overwhelm the network from numerous launch points.

Identity theft – With the growth of the Internet and electronic commerce, identity theft has
become especially troubling. Identity theft is a crime in which an imposter obtains key pieces of
personal information, such as social security identification numbers, driver's license numbers, or
credit card numbers, to impersonate someone else.

Cyberterrorism and cyberwarfare – Concern is mounting that the vulnerabilities of the Internet
or other networks could be exploited by terrorists, foreign intelligence services, or other groups to
create widespread disruption and harm.

Question No 50
What are the risks of using Internet from office? How would you minimize those risks?
(June 2016)(5 Marks)
Answer No 50
The major risks of allowing Internet access from an office environment are:
 Risk of intrusion from outside into the office network using vulnerable PCs.
 Unnecessary engagement of staff in Internet facilities such as social networks, blogs, chats
resulting in loss of productivity.
 Spread of viruses, malware through Internet and email services.
 Possible exploitation of the computers by hackers to conduct cyber attacks, retrieve
confidential information and cause network failure.

Though these risks are serious, we cannot totally block Internet in office. The following are some
means of minimizing those risks:
 Use of latest and robust software. Preferably licensed and legitimate software.
 Regularly update and patch the systems.
 Use good antivirus and anti-malware tools.
 Do not allow access to social networks, blogs, YouTube from office. These kill time and
reduce productivity the most.
 Use proper security devices/software to block unwanted and malicious access / content from
the Internet.
 Make the staff aware about the risks and their mitigation techniques.

Question No 51
Define digital signature and digital certificate. What are the differences between them? (December
2017)(8 Marks)
Answer No 51
A digital signature is a method that can be used to verify the authenticity of a digital document.
Typically, a digital signature system uses three algorithms. To generate a public key/ private key
pair, it uses a key generation algorithm. It also uses a signing algorithm, which generates a
signature when given a private key and a message. Furthermore, it uses a signature verifying
algorithm to verify a given message, a signature and the public key. So in this system, the signature
generated using the message and the private key, combined with the public key, is used to verify
whether the message is authentic. Furthermore, it is impossible to generate the signature
without having the private key due to the computational complexity. Digital signatures are mainly
applied for the verification of authenticity, integrity and non-repudiation.
A digital certificate is a certificate issued by a CA (Certificate Authority) to verify the identity of
the certificate holder. It actually uses a digital signature to attach a public key with a particular
individual or an entity. Typically, a digital certificate contains the following information: a serial
number that is used to uniquely identify a certificate, the individual or the entity identified by the
certificate and the algorithm that is used to create the signature. Furthermore, it contains the CA
that verifies the information in the certificate, date that the certificate is valid from and the date
that the certificate expires. It also contains the public key and the thumbprint (to make sure that the
certificate itself is not modified). Digital certificates are widely used on websites based on HTTPS
(such as E-commerce sites) to make the users feel safe in interacting with the website.
A digital signature is a mechanism that is used to verify that a particular digital document or a
message is authentic (i.e. it is used to verify that the information is not tampered with) whereas digital
certificates are typically used in websites to increase their trustworthiness to their users. When digital
certificates are used, the assurance is mainly dependent on the assurance provided by the CA. But it
is possible that the content of such a certified site could be tampered with by a hacker. With digital
signatures, the receiver can verify that the information is not modified.
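
The three algorithms (key generation, signing, verification) and a certificate that binds a public key to an identity, as an added example that is not part of the suggested answer. It uses a Lamport one-time signature because that needs only a hash function from the standard library; production systems use RSA, ECDSA or Ed25519 with X.509 certificates, and every name and value below is constructed.

```python
import hashlib
import json
import secrets
from datetime import date

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def generate_keypair():
    """Key generation: 256 pairs of random secrets form the private key;
    the hashes of those secrets form the public key."""
    private = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    public = [(H(a), H(b)) for a, b in private]
    return private, public

def _digest_bits(message: bytes):
    digest = H(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(private, message: bytes):
    """Signing: reveal one secret per bit of the message digest. A Lamport
    key must sign only ONE message; reuse reveals enough secrets to forge."""
    return [private[i][bit] for i, bit in enumerate(_digest_bits(message))]

def verify(public, message: bytes, signature) -> bool:
    """Verification: needs only the message, the signature and the public key."""
    if len(signature) != 256:
        return False
    bits = _digest_bits(message)
    return all(H(signature[i]) == public[i][bits[i]] for i in range(256))

def _encode(body: dict) -> bytes:
    # Canonical bytes of the certificate fields, so CA and verifier hash the same input.
    return json.dumps(body, sort_keys=True).encode()

def issue_certificate(ca_private, issuer, serial, subject, subject_public,
                      not_before: date, not_after: date):
    """The CA signs the binding of subject identity to subject public key."""
    body = {
        "serial": serial, "subject": subject, "issuer": issuer,
        "algorithm": "lamport-sha256",
        "not_before": not_before.isoformat(), "not_after": not_after.isoformat(),
        "public_key": [[a.hex(), b.hex()] for a, b in subject_public],
    }
    return {"body": body, "signature": sign(ca_private, _encode(body))}

def thumbprint(cert) -> str:
    """Hash of the certificate contents, used to spot a modified certificate."""
    return hashlib.sha256(_encode(cert["body"])).hexdigest()

def check_certificate(cert, ca_public, today: date) -> str:
    body = cert["body"]
    if not verify(ca_public, _encode(body), cert["signature"]):
        return "invalid signature"
    valid_from = date.fromisoformat(body["not_before"])
    valid_to = date.fromisoformat(body["not_after"])
    if not (valid_from <= today <= valid_to):
        return "outside validity period"
    return "ok"

def public_key_of(cert):
    return [(bytes.fromhex(a), bytes.fromhex(b)) for a, b in cert["body"]["public_key"]]

def demo():
    ca_priv, ca_pub = generate_keypair()        # hypothetical CA
    shop_priv, shop_pub = generate_keypair()    # hypothetical certificate holder
    cert = issue_certificate(ca_priv, "Example CA", 1001, "shop.example",
                             shop_pub, date(2024, 1, 1), date(2024, 12, 31))
    order = b"PAY 1500 NPR TO shop.example"     # constructed message
    sig = sign(shop_priv, order)
    altered = {"body": dict(cert["body"], subject="other.example"),
               "signature": cert["signature"]}
    return {
        "cert_ok": check_certificate(cert, ca_pub, date(2024, 6, 1)),
        "cert_expired": check_certificate(cert, ca_pub, date(2025, 1, 1)),
        "cert_altered": check_certificate(altered, ca_pub, date(2024, 6, 1)),
        "order_ok": verify(public_key_of(cert), order, sig),
        "order_tampered": verify(public_key_of(cert),
                                 b"PAY 9500 NPR TO shop.example", sig),
    }
```

The certificate check establishes whose public key it is; the signature check on the order then establishes that the message was not modified.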

Question No 52
What do you understand by server virtualization? How can a growing business organization benefit
by using virtualization in its computerized information system? (December 2017)(7 Marks)
Answer No 52
Server virtualization is a process of masking the physical computing resources of a server or
computing device. It can subdivide a single machine into multiple logical units that can
operate independently in terms of operating system, applications, network identity and services.
Virtualization technique can also enable combination of more than one set of computing resources
to form a large logical entity which can be allocated in different sizes and slices to different users,
applications or services.

To enable such management and scalable allocation of computing resources, virtualization uses a
middle layer virtualization enabler or software that sits between the hardware and the operating
systems. It also allows a single hardware entity to host multiple operating systems or logical
computing devices.
The major benefits of virtualization for a business organization are:
 Efficient utilization of resources.
 Better management as a single virtual environment and set of physical resources can be used to
create and manage multiple logical entities.
 Economical for a growing organization as it can start multiple services on a single physical
entity.
 As the organization grows, the virtualization based system allows addition of resources such as
CPU, memory, storage or even additional server machines later on without disrupting the existing
operating system or applications and services.
 It enables management of multiple instances through a single management console. As a result,
a growing enterprise can manage the IT system using a minimum number of dedicated human
resources.
 For a business organization, it is always easier to manage a small number of devices compared
to a large number of computers with each running on a different machine with different operating
system and physical set of resources. It is efficient for manpower allocation as well as getting
external support from vendors or service providers.

Question No 53
Discuss Internet security. Explain the four major aspects in which the Internet security
professionals should be fluent. (December 2018)(8 Marks)
Answer No 53
When a computer connects to a network and begins communicating with other computers, it is
essentially taking a risk. Internet security involves the protection of a computer's Internet account
and files from intrusion of an unknown user. Basic security measures involve protection by well
selected passwords, change of file permissions and back up of computer's data.
Security concerns are in some ways peripheral to normal business working, but serve to highlight
just how important it is that business users feel confident when using IT systems. Security will
probably always be high on the IT agenda simply because cyber criminals know that a successful
attack can be very profitable. This means they will always strive to find new ways to circumvent IT
security, and users will consequently need to be continually vigilant. Whenever decisions need to
be made about how to enhance a system, security will need to be held uppermost among its
requirements.
The four major aspects in which the Internet security professional should be fluent are as follows:
Penetration Testing
Penetration testing is a predefined step-by-step procedure to test the vulnerability of the system. For
this, the security professional should have good knowledge and experience of conducting such
testing. A thorough idea of how these tests are performed, the steps needed and the outcomes
expected of such testing is vital for any security professional required to do such penetration
testing. The professional should also have a good idea about the system being tested and its potential
weaknesses.
Intrusion Detection
Intrusion detection is the process of identifying unlawful entry into the system or an attempt at
such entry. For timely detection of such unwanted entry, the security professional should have a good
idea of the symptoms and signs of such intrusion. He or she should also have a clear idea about
where to look for such symptoms and signs. It is also necessary to have an idea about the remedial
action to be performed in case of identification of such incidents.
Incident Response
Whenever a security incident such as a system breach, network breach, data loss or identity theft
etc. happens and is reported or identified, the security personnel should be able to respond
appropriately. He or she should have an idea about the steps or actions to be performed for each kind of
known incident. It is good to have sound and well-audited documentation to guide the actions to
be performed in response to an incident. For unknown incidents, the security professional should
have appropriate judgment and presence of mind to take necessary actions, consult teams, alert
management and take external help if needed.
Legal / Audit Compliance
Security incidents are related to legal provisions and actions. Hence, the security personnel should
also be aware of the existing legal provisions on security incidents related to information
systems and related assets. The security personnel should also regularly follow up on the findings
of system audit and the issues identified therein. Based on that the team should be able to take
corrective action so that the issues and incidents are not encountered again.

Question No 54
Explain Intrusion detection system and Intrusion prevention system. (June 2018)(7 Marks)
Answer No 54
An intrusion detection system (IDS) is a type of security software designed to automatically alert
administrators when someone or something is trying to compromise information system through
malicious activities or through security policy violations.

An IDS works by monitoring system activity through examining vulnerabilities in the system, the
integrity of files and conducting an analysis of patterns based on already known attacks. It also
automatically monitors the Internet to search for any of the latest threats which could result in a
future attack.

Intrusion prevention is a preemptive approach to network security used to identify potential threats
and respond to them swiftly. Like an intrusion detection system (IDS), an intrusion prevention
system (IPS) monitors network traffic. However, because an exploit may be carried out very
quickly after the attacker gains access, intrusion prevention systems also have the ability to take
immediate action, based on a set of rules established by the network administrator. For example, an
IPS might drop a packet that it determines to be malicious and block all further traffic from that IP
address or port. Legitimate traffic, meanwhile, should be forwarded to the recipient with no
apparent disruption or delay of service.
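
The difference described above, where an IDS only raises alerts while an IPS also drops the offending packet and blocks its source, as an added example that is not part of the suggested answer. The packet fields, rule names, signatures and sample traffic are constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst_port: int
    payload: str

# Constructed signatures of already known attack patterns, plus one rule
# that encodes a security policy (no telnet) rather than an attack pattern.
SIGNATURES = [
    ("path-traversal", re.compile(r"\.\./")),
    ("sql-tautology", re.compile(r"'\s*or\s+1\s*=\s*1", re.IGNORECASE)),
]
FORBIDDEN_PORTS = {23: "policy-telnet-forbidden"}

def inspect(pkt):
    """Return the names of all rules the packet matches (empty list = clean)."""
    hits = [name for name, rx in SIGNATURES if rx.search(pkt.payload)]
    if pkt.dst_port in FORBIDDEN_PORTS:
        hits.append(FORBIDDEN_PORTS[pkt.dst_port])
    return hits

class IDS:
    """Detection only: every packet is forwarded, matches become alerts."""
    def __init__(self):
        self.alerts = []

    def process(self, pkt):
        hits = inspect(pkt)
        if hits:
            self.alerts.append((pkt.src, hits))
        return True  # forwarded regardless of the verdict

class IPS(IDS):
    """Prevention: drop the matching packet and block its source address."""
    def __init__(self):
        super().__init__()
        self.blocked = set()

    def process(self, pkt):
        if pkt.src in self.blocked:
            return False  # all further traffic from a blocked source is dropped
        hits = inspect(pkt)
        if hits:
            self.alerts.append((pkt.src, hits))
            self.blocked.add(pkt.src)
            return False
        return True  # legitimate traffic passes without disruption

def run(engine, traffic):
    """Feed traffic through an engine and return the packets it forwarded."""
    return [pkt for pkt in traffic if engine.process(pkt)]

# Constructed sample traffic (documentation address ranges).
TRAFFIC = [
    Packet("198.51.100.7", 443, "GET /index.html"),
    Packet("203.0.113.9", 443, "GET /download?file=../../etc/passwd"),
    Packet("203.0.113.9", 443, "GET /index.html"),
    Packet("192.0.2.44", 23, "login: admin"),
    Packet("198.51.100.7", 443, "GET /products?id=7"),
]
```

Blocking by source address also cuts off legitimate users who share that address, for example behind a NAT gateway, so block rules are usually given an expiry and reviewed.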

Chapter 9:

Disaster Recovery and Business Continuity Planning

Question No 1:
Explain the various general components of a disaster recovery plan.
(December 2003)(10 Marks) (June 2007)(5 Marks) (December 2008)(5 Marks)
Answer No 1:
The general components of Disaster Recovery plan are:
i. Emergency Plan:
The emergency plan outlines the actions to be undertaken immediately after a disaster occurs. It
identifies the personnel to be notified immediately, for example, fire service, police, management,
insurance company etc. It provides guidelines on shutting down equipment, termination of power
supply, removal of storage files and removable disks, etc. It sets out evacuation procedures like
sounding the alarm bell, activating fire extinguishers, etc. It also provides return procedures as soon
as the primary facility is ready for operation like backing up data files at off-site, relocation of
proper versions of backup files etc.

ii. Recovery Plan:
This plan sets out how the full capabilities will be restored. A recovery committee is constituted.
The recovery committee will be responsible for preparing specifications of recovery like setting out
priorities for recovery of application systems, hardware replacement etc. This plan may involve the
following steps:
(1) An inventory of the hardware, application systems, systems software, documentation
etc. must be taken.
(2) It is essential to evaluate the criticality of application systems to the organisation and the
importance of their loss.
(3) There is a need to spell out an application systems hierarchy.
(4) A disaster recovery site must be selected.
(5) A formal backup agreement with another company must be made.

iii. Backup Plan:
In order to cope with vulnerability to disaster, it is essential to have a backup of hardware
and software. As regards hardware, standby equipment must be kept according to the needs of the
particular computer environment. As regards software, it is necessary to have copies of important
programs, data files, operating systems, test programs etc. in order to get back into operation
before any intolerable loss occurs.

The file security techniques must also be employed for reconstruction of master files on magnetic
disks and tapes.

iv. Test Plan:
This plan looks after the testing of the Disaster Recovery Plan and analysis of the results. It identifies
the deficiencies in the emergency, backup or recovery plan. It contains procedures for conducting
DRP testing like:

(1) Paper walk-throughs: It involves critical personnel in the plan execution, reasoning out what
might happen in the event of different disasters.
(2) Localised tests: It simulates a system crash. This test is performed on different aspects of
the DRP.
(3) Full Operational test: It is the nearest to disaster conditions. In order to simulate a disaster,
paper walk-throughs and localised tests should have been conducted before completely shutting
the operations.

Question No 2:
What do you understand by the term 'Disaster Recovery Plan'? Discuss its various components.
(June 2005) (10 Marks)
Answer No 2
The term 'Disaster Recovery' describes the contingency measures that organizations have adopted
at key computing sites to recover from, or to prevent any monumentally bad event or disaster. A
disaster may result from natural causes such as fire, flood or earthquake etc. or from other sources
such as a violent takeover, wilful or accidental destruction of equipment or any other act of such
catastrophic proportions that the organization could be ruined. The primary objective of a disaster
recovery plan is to assure the management that normalcy would be restored in a set time after any
disaster occurs, thereby minimizing losses to the organization. The disaster recovery plan must take
into account the physical location of the computer centre, since it can increase or decrease the
chance of a disaster. Protection against flood, fire, earthquake or water logging etc. must be
considered.
Although each organization would like to have a specifically tailored disaster recovery plan, the
general components of the plan would be as follows:

1. Emergency Plan: This part of the Disaster Recovery Plan (DRP) outlines the actions to
be undertaken immediately after a disaster occurs. It identifies the personnel to be notified
immediately, for example, fire service, police, management, insurance company etc. It provides
guidelines on shutting down equipment, termination of power supply, removal of storage files and
removable disks, if any. It sets out evacuation procedures like sounding the alarm bell, activating
fire extinguishers, evacuation of personnel. It also provides return procedures as soon as the
primary facility is ready for operation like backing up data files at off-site, deleting data from disk
drives at third party's site, relocation of proper versions of backup files etc.
2. Recovery Plan: This part of the DRP sets out how the full capabilities will be restored.
A recovery committee is constituted. Preparing specifications of recovery like setting out priorities
for recovery of application systems, hardware replacement etc. will be the responsibility of
Recovery Committee. The following steps may be carried out under this plan:
i. An inventory of the hardware, application systems, system software, documentation etc.
must be taken.
ii. Criticality of application systems to the organization and the importance of their loss must
be evaluated. An indication must be given of the efforts and cost involved in restoring the
various application systems.
iii. An application systems hierarchy must be spelt out. This would be used when management
decides to accept a degraded mode of operation.
iv. Selection of a disaster recovery site must be made. A reciprocal agreement with another
organization having compatible hardware and software could be made. However, systems
availability and data security problems must be considered at this point. Hiring a service
bureau is another option. If the situation warrants, a fully operational backup site could also
be considered.
v. A formal backup agreement with another company must be made. This should cover the
periodical exchange of information between the two sites regarding changes to
hardware/software, the time and duration of systems availability, modalities of testing the
plan etc.

3. Back up plan: No matter how physically secure an organization's systems are, they are always
vulnerable to disaster. Therefore, an effective safeguard is to have a backup of anything that could
be destroyed, be it hardware or software. As regards hardware, standby, as discussed above, must
be kept with regard to the needs of a particular computer environment. So far as the software is
concerned, it is necessary to make copies of important programs, data files, operating systems and
test programs, etc. in order to get back into operation before the company can suffer an intolerable
loss. Often, the originals are stored at a site that is physically distant from the actual site, and
duplicate copies are used for processing. The backup copies must be kept in a place which is not
susceptible to the same hazards as the originals.
4. Test Plan: This plan looks after testing of DRP and analysis of the result. It identifies
deficiencies in the emergency, backup or recovery plan. It contains procedures for conducting DRP
testing like

i. Paper walkthroughs: It involves critical personnel in the plan's execution, reasoning out what
might happen in the event of different disasters.
ii. Localised tests: It simulates system crash. This test is performed on different aspects of DRP.

iii. Full operational test: It is nearer to disaster conditions. Paper walkthrough and localized tests
should have been conducted before completely shutting down the operations to simulate
disasters.

Question No 3
What is Business Process Reengineering (BPR)? Explain. (June 2007)(5 Marks)
Answer No 3
Business Process Reengineering (BPR) is the fundamental rethinking and the radical redesign of
processes to achieve improvement in performance like cost, quality, services and speed and some
suitable discussion.

Question No 4
What do you understand by Disaster Recovery Plan? (December 2008)(5 Marks) (December
2010)(8 Marks)
Answer No 4
Some disasters cannot be prevented or avoided. The survival of the organization affected by
a disaster depends on how it reacts to the disaster. With careful planning, the full impact of a
disaster can be absorbed and the organization can still recover. The term "Disaster Recovery"
describes the contingency measures that an organization adopts at key computing sites to recover
from or to prevent any bad event or disaster disrupting the availability of the system. The
primary objective of the Disaster Recovery Plan is to assure the management that normalcy
would be restored in a set time after any disaster occurs, thereby minimizing losses to the
organization. The Disaster Recovery Plan must take into account the physical location of the
computer peripherals, as it can increase or decrease the probability of disruption in a disaster.
Protection against flood, fire, earthquakes or water logging etc. must be considered besides
backups, alternate location, etc.

Question No 5
What is Disaster Recovery Plan? Why Disaster Recovery Plan is required? (June 2011)(5 Marks)
(December 2011)(5 Marks)
Answer No 5
Disaster recovery is the process, policies and procedures related to preparing for the recovery or
restart of infrastructure critical to an organization after a natural or human-induced disaster.
Despite all precautions to protect the system and data, the system may become inoperable or data
may be lost. In that situation, the main objective of an organization is to return to normal
operations as soon as possible. Therefore some plan and procedure is required to ensure restoration
of the system very soon after the disruption. A Disaster Recovery Plan (DRP) focuses primarily on
the technical issues involved in keeping systems up and running, such as which files to back up and
the maintenance of backup computer systems or disaster recovery services.
Disasters can be classified in two broad categories:

1) Natural disasters: Preventing a natural disaster is very difficult, but it is possible to take
precautions to avoid losses. These disasters include flood, fire, earthquake, hurricane, etc.

2) Man-made disasters: These are major reasons for failure. Human error and intervention may be
intentional or unintentional and can cause massive failures such as loss of communication
and utility. These include accidents, walkouts, sabotage, burglary, virus, intrusion, etc.

For example, credit card companies maintain a duplicate computer center in a different
geographical area, far from the main centre to serve as an emergency backup to its primary
computer center. Rather than build their own back up facilities, many firms contract with disaster
recovery firms. These disaster recovery firms provide hot-sites housing spare computers at
different locations where subscribing firms can run their critical applications in an emergency.
Every organization should develop a Disaster Recovery Plan for all applications. Restoration of
systems does not necessarily imply technology redundancy. The DRP may require some procedures
to be completed manually. The decision to revert to manual procedures, rather than to build and
maintain an IT infrastructure, is a cost-driven decision made by the organization. Having a DRP in
place reduces the risk that the length of a disruption in a business process goes beyond what
management in the organization has determined to be acceptable. During the recovery phase, the
focus is on establishing controls over unwanted events to limit the risk of any additional losses.

Question No 6
What are the main aspects of a disaster recovery plan? Explain in brief. (December 2013)(5 Marks)
Answer No 6:
The main aspects of a disaster recovery plan are:
i. The strategy to restore the system and its normal operation in case of a disaster causing
unavailability of the system.
ii. Provisioning of a disaster recovery system setup, preferably in a separate geographical
location.
iii. Detailed data and system backup/restoration action-plan and procedures to make sure that
minimal data loss occurs even in case of major disaster.
iv. Pre-defined procedure of data recovery and restoration using backup data or other sources.

v. Mechanism to alert the system operators, administrators and users immediately in the event
of a disaster. This entails proper monitoring and alarm/alert mechanism.

Question No 7
What do you understand by the term Disaster? What are the audit tools and techniques used by a
system auditor to ensure that disaster recovery plan is in order? Briefly explain them.
(June 2014)(7 Marks)
Answer No 7:
The attack on the World Trade Centre in 2001 created a worldwide alert, bringing focus on
business continuity planning and environmental controls. Audit of environmental controls should
form a critical part of every IS audit plan. The IS auditor should be satisfied not only of the
effectiveness of the various technical controls but also that the overall controls safeguard the
business against environmental risks. Some of the critical audit considerations that an IS auditor
should take into account while conducting his audit are given below:

Audit Planning and Assessment: As part of risk assessment:

• The risk profile should include the different kinds of environmental risks that the organization
is exposed to. These should comprise both natural and man-made threats. The profile should be
periodically reviewed to ensure that it is updated with newer risks that may arise.
• The controls assessment must ascertain that controls safeguard the organization against all
acceptable risks, including probable ones, and are in place.
• The security policy of the organization should be reviewed to assess policies and procedures
that safeguard the organization against environmental risks.
• Building plans and wiring plans need to be reviewed to determine the appropriateness of the
location of the IPF, review of surroundings, power and cable wiring, etc.
• The IS auditor should interview relevant personnel to satisfy himself about employees'
awareness of environmental threats and controls, the role of the interviewee in environmental
control procedures such as prohibited activities in the IPF, incident handling, and evacuation
procedures, to determine if adequate incident reporting procedures exist.
• Administrative procedures such as preventive maintenance plans and their implementation,
incident reporting and handling procedures, and inspection and testing plans and procedures need
to be reviewed.

The term disaster can be defined as an incident which jeopardizes business operations and/or
human life. It could be due to human action (sabotage) or natural causes. The following are the
procedural plans for disaster recovery.
Audit tools and techniques used by a system auditor to ensure that the disaster recovery plan is in
order are briefly discussed below:

The best audit tool and technique is a periodic simulation of a disaster. Other audit techniques
would include observations, interviews, checklists, inquiries, meetings, questionnaires and
documentation reviews. These are categorized as follows:
i. Automated tools: They make it possible to review large computer systems for a variety of
flaws in a short time period. They can be used to find threats and vulnerabilities such as
weak access controls, weak passwords, and lack of integrity of the system software.
ii. Internal Control auditing: This includes inquiry, observation and testing. The process can
detect illegal acts, errors, irregularities or lack of compliance with laws and regulations.
iii. Disaster and Security Checklists: These checklists are used to audit the system. The
checklists should be based upon disaster recovery policies and practices, which form the
baseline. Checklists can also be used to verify changes to the system from a contingency
point of view.
iv. Penetration Testing: It is used to locate vulnerabilities in the system.

Question No 8:
Discuss disaster recovery planning and business continuity planning in detail.
(December 2014)(5 Marks)
Answer No 8:
If you run a business, you need to plan for events, such as power outages, floods, earthquakes, or
terrorist attacks that will prevent your information systems and your business from operating.
Disaster recovery planning devises plans for the restoration of computing and communications
services after they have been disrupted. Disaster recovery plans focus primarily on the technical
issues involved in keeping systems up and running, such as which files to back up and the
maintenance of backup computer systems or disaster recovery services.

Business continuity planning focuses on how the company can restore business operations after a
disaster strikes. The business continuity plan identifies critical business processes and determines
action plans for handling mission critical functions if systems go down.

Question No 9:
Explain disaster recovery plan and disaster recovery planning process. (June 2015)(7 Marks)
Answer No 9:
The purpose of a Disaster Recovery Plan (DRP) is to restore the operability of systems that support
mission-critical and critical business processes. The objective is for the organization to return to
normal operations as soon as possible. Since many mission-critical and critical business processes
depend on a technology infrastructure consisting of applications, data, and IT hardware, the DRP
should be an IT-focused plan. Every organization should develop a Disaster Recovery Plan for all
applications. Restoration of systems does not necessarily imply technology redundancy. The DRP may
call for some procedures to be completed manually. The decision to revert to manual procedures,
rather than to build and maintain an IT infrastructure, is a cost-driven decision made by the
organization. Having a DRP in place reduces the risk that the length of a disruption in a business
process goes beyond what management in the organization has determined to be acceptable. During the
recovery phase, the focus is on establishing controls over occurring events to limit the risk of any
additional losses.
Developing a technical disaster recovery strategy is just one step in the overall Disaster Recovery
Planning process. This process is common to all systems and utilizes the following steps:
• Develop the Business Contingency Planning Policy and Business Process
• Conduct a Risk Assessment
• Conduct the Business Impact Analysis (BIA)
• Develop Business Continuity and Recovery Strategies
• Develop Business Continuity Plans
• Conduct awareness, testing, and training of the DRP
• Conduct Disaster Recovery Plan maintenance and exercise

Question No 10
What are the general steps to be followed while creating BCP (business continuity planning)?
(December 2015)(5 Marks)
Answer No 10
• Identify the scope and boundaries of the business continuity plan. The first step enables us to
define the scope of the BCP. It provides an idea of the limitations and boundaries of the plan. It
also includes audit and risk analysis reports for the institution's assets.
• Conduct a business impact analysis (BIA). Business impact analysis is the study and
assessment of effects to the organization in the event of the loss or degradation of
business/mission functions resulting from a destructive event. Such loss may be financial, or
less tangible but nevertheless essential (e.g. human resources, shareholder liaison).
• Sell the concept of BCP to upper management and obtain organizational and financial
commitment. Convincing senior management to approve the BCP/DRP is a key task. It is very
important for security professionals to get approval for the plan from upper management to bring
it into effect.
• Each department will need to understand its role in the plan and support its maintenance. In
case of disaster, each department has to be prepared for action. To recover and to protect the
critical functions, each department has to understand the plan and follow it accordingly. It is
also important for each department to help in the creation and maintenance of its portion of the
plan.

• The BCP project team must implement the plan. After approval from upper management, the plan
should be maintained and implemented. The implementation team should follow the guidelines and
procedures in the plan.

The NIST tool set can be used for doing BCP. The National Institute of Standards and Technology has
published tools which can help in creating a BCP.

Question No 11
Write short notes on Full backup vs incremental backup (December 2018)(5 Marks)
Answer No 11
Full Backup vs Incremental Backup
Full Backup: A Full Backup captures all files on the disk or within the folder selected for backup.
With a full backup system, every backup generation contains every file in the backup set. However,
the amount of time and space such a backup takes prevents it from being a realistic proposition for
backing up a large amount of data.

Incremental Backup: An Incremental Backup captures files that were created or changed since the
last backup, regardless of backup type. This is the most economical method, as only the files that
changed since the last backup are backed up. This saves a lot of backup time and space. Normally,
incremental backups are very difficult to restore. One will have to start with recovering the last
full backup, and then recover from every incremental backup taken since.
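
The restore dependency described above, as an added example that is not part of the original suggested answer: a full backup stores every file, each incremental stores only what changed, and a restore replays the last full backup plus every incremental in order. The deletion tracking, the SHA-256 manifest and all names and file contents are assumptions made for the illustration, and the demo goes one step beyond the text by showing what happens when one incremental generation is lost.

```python
"""Added example (constructed data): full vs incremental backup and the restore chain."""
import hashlib
from dataclasses import dataclass


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


@dataclass
class Generation:
    kind: str        # "full" or "incremental"
    files: dict      # path -> bytes actually stored in this generation
    deleted: set     # paths that disappeared since the previous generation
    manifest: dict   # path -> sha256 of every file on disk at backup time


class BackupSet:
    def __init__(self):
        self.generations = []

    def full(self, disk):
        """Capture every file, whether or not it changed."""
        manifest = {p: digest(c) for p, c in disk.items()}
        self.generations.append(Generation("full", dict(disk), set(), manifest))

    def incremental(self, disk):
        """Capture only files created or changed since the last backup of any type."""
        if not self.generations:
            raise ValueError("an incremental backup needs an earlier full backup")
        prev = self.generations[-1].manifest
        manifest = {p: digest(c) for p, c in disk.items()}
        changed = {p: disk[p] for p, h in manifest.items() if prev.get(p) != h}
        deleted = set(prev) - set(manifest)
        self.generations.append(Generation("incremental", changed, deleted, manifest))

    def stored_bytes(self):
        """Space used by each generation, to compare full and incremental cost."""
        return [sum(len(c) for c in g.files.values()) for g in self.generations]

    def restore(self, upto=None):
        """Rebuild the disk as of generation index `upto` (default: the latest)."""
        gens = self.generations if upto is None else self.generations[: upto + 1]
        fulls = [i for i, g in enumerate(gens) if g.kind == "full"]
        if not fulls:
            raise RuntimeError("no full backup to start the restore from")
        start = fulls[-1]
        disk = dict(gens[start].files)          # step 1: last full backup
        for g in gens[start + 1:]:              # step 2: every incremental since, in order
            for path in g.deleted:
                disk.pop(path, None)
            disk.update(g.files)
        if {p: digest(c) for p, c in disk.items()} != gens[-1].manifest:
            raise RuntimeError("restored files do not match the manifest: "
                               "an incremental generation is missing or damaged")
        return disk


def demo():
    # Constructed sample data.
    disk = {"ledger.dat": b"opening balances",
            "payroll.dat": b"march payroll",
            "tmp.log": b"scratch"}
    bset = BackupSet()
    bset.full(disk)                                        # generation 0
    disk["ledger.dat"] = b"opening balances + monday postings"
    bset.incremental(disk)                                 # generation 1
    del disk["tmp.log"]
    disk["invoices.dat"] = b"tuesday invoices"
    bset.incremental(disk)                                 # generation 2
    restored_ok = bset.restore() == disk

    # Failure mode: generation 1 is lost, so the chain is broken.
    broken = BackupSet()
    broken.generations = [bset.generations[0], bset.generations[2]]
    try:
        broken.restore()
        chain_survives = True
    except RuntimeError:
        chain_survives = False
    return restored_ok, bset.stored_bytes(), chain_survives


if __name__ == "__main__":
    print(demo())
```
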

Question No 12
Write short notes on Importance of business continuity planning (June 2019)(5 Marks)
Answer No 12
Business Continuity Planning (BCP) relates to the detailed plan prepared to make sure the business
processes and systems continue operating in the event of a disaster. This creates a detailed plan
along with recovery procedures, roles, responsibilities and stepwise plan of action to restore the
systems and services in the event of a natural or man-made disaster affecting normal system
operation.
A well-crafted BCP is important because it can act as a guiding document for the management and
IT team of the organization to restore the services, recover data and, in the event of that taking
a longer time, follow an alternate course of action so that business processes continue to function.
This tells how to recover services, restore data and whom to involve or resort to in case of an
emergency. Not having this plan can lead to chaos, data loss, mismanagement and loss of
credibility in the face of a major outage caused by a disaster or any other circumstance.

Chapter 10:

Auditing and Information System

Question No 1:
What is a concurrent audit technique? (December 2003)(3 Marks)
Answer No 1:
A concurrent audit technique is a method by which the auditor continually monitors the system
and collects audit evidence while live data are processed during regular operating hours.

Question No 2:
Elaborate on any three concurrent audit techniques. (December 2003) (9 Marks)
Answer No 2
i. An integrated test facility (ITF) technique places a small set of fictitious records in the master
files. The records might represent a fictitious division, department or branch office or a
customer or supplier. Processing test transactions to update these dummy records will not
affect the actual records. Because fictitious and actual records are processed together,
company employees usually remain unaware that this testing is taking place. The system must
distinguish ITF records from actual records, collect information on the effects of the test
transactions, and report the results. The auditor compares processing and expected results in
order to verify that the system and its controls are operating correctly.
In a batch processing system, the ITF technique eliminates the need to reverse test
transactions and is easily concealed from operating employees. ITF is well suited to testing
on-line processing systems because test transactions can be submitted on a frequent basis,
processed with actual transactions, and traced throughout every processing stage. All this can
be accomplished without disrupting regular processing operations. However, care must be
taken not to combine dummy and actual records during the reporting process.

ii. The snapshot technique examines the way transactions are processed. Selected transactions
are marked with a special code that triggers the snapshot process. Audit modules in the
program record these transactions and their master file records before and after processing.
Snapshot data are recorded in a special file and reviewed by the auditor to verify that all
processing steps have been properly executed.

iii. SCARF (system control audit review file) uses embedded audit modules to continuously
monitor transaction activity and collect data on transactions with special audit significance.
The data are recorded in a SCARF file or audit log. Transactions that might be recorded in a
SCARF file include those exceeding a specified rupee limit, involving inactive accounts,
deviating from company policy, or containing write-downs of asset values. Periodically the
auditor receives a printout of the SCARF file, examines the information to identify any
questionable transactions, and performs any necessary follow-up investigation.

iv. Audit hooks are audit routines that flag suspicious transactions. For example, internal auditors
at an insurance company determined that their policyholder system was vulnerable to fraud
every time a policyholder changed his or her name or address and then subsequently
withdrew funds from the policy. They devised a system of audit hooks to tag records with a
name or address change. The internal audit department is now notified when a tagged record
is associated with a withdrawal and can appropriately investigate the transaction for fraud.
When audit hooks are employed, auditors can be informed of questionable transactions as
soon as they occur. This approach, known as real-time notification, displays a message on the
auditor's terminal.

v. Continuous and intermittent simulation (CIS) embeds an audit module in a data base
management system. The CIS module examines all transactions that update the DBMS using
criteria similar to those of SCARF. If a transaction has special audit significance, the module
independently processes the data (in a manner similar to parallel simulation), records the
results, and compares them with those obtained by the DBMS. If any discrepancies exist, the
details are written onto an audit log for subsequent investigation. If serious discrepancies are
discovered, the CIS may prevent the DBMS from executing the update process.

Question No 3:
Describe the major techniques of concurrent Audit of Information Systems.
(June 2004)(10 Marks)
Answer No 3:
Major techniques of concurrent audit of Information system are discussed below:
(1) Integrated test facility technique places a small set of fictitious records in the master file.
Processing test transactions to update these dummy records will not affect the actual records.
Because fictitious and actual records are processed together employees remain unaware that
this testing is taking place. The auditor compares processing and expected results in order to
verify that the system and its controls are operating correctly.
(2) The snapshot technique examines the way transactions are processed. Selected transactions
are marked with a special code that triggers the snapshot process. Audit modules in the
program record these transactions and their master file records before and after processing.
Snapshot data are recorded in a special file and reviewed by the auditor.
(3) SCARF (System control audit review file) uses embedded audit modules to continuously
monitor transaction activity and collect data on transactions with the special audit
significance. The data are recorded in a SCARF file or audit log. Transactions that might be
recorded in a SCARF file include those exceeding a specified rupee limit. Periodically the
auditor examines the information to identify any questionable transactions.
(4) Audit hooks: These are audit routines that flag suspicious transactions. For example, an
insurance company determined that its policyholder system was vulnerable to fraud each
time a policyholder changed his name or address and subsequently withdrew money. The internal
auditor of the company devised a system of audit hooks to log records with a name or address
change whenever a policyholder changed his name or address and then subsequently
withdrew funds from the policy. When audit hooks are employed, auditors can be informed of
questionable transactions as soon as they occur.
(5) Continuous and intermittent simulation (CIS): This embeds an audit module in a database
management system. The CIS module examines all transactions that update the DBMS using
criteria similar to those of SCARF. If a transaction has special audit significance, the module
independently processes the data, records the results and compares them with DBMS results.
In case of discrepancies, the details are written onto an audit log for subsequent investigation.
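
The ITF, SCARF and audit-hook techniques described in Answers 2 and 3 above, as an added example that is not part of the original suggested answers: one embedded audit module sees every transaction, logs SCARF exceptions, raises a real-time alert when a tagged policy has a withdrawal, and checks test transactions against a fictitious ITF branch that is kept out of reporting. The rupee threshold, the ITF branch code, the transaction fields and all class names are assumptions made for the illustration.

```python
"""Added example (constructed data): ITF, SCARF and an audit hook in one audit module."""
from dataclasses import dataclass

RUPEE_LIMIT = 500_000    # assumed SCARF threshold, in rupees
ITF_BRANCH = "ITF-999"   # assumed code marking the fictitious ITF branch


@dataclass
class Policy:
    policy_id: str
    branch: str
    balance: int
    active: bool = True
    tagged: bool = False   # set by the audit hook on a name/address change


class AuditModule:
    def __init__(self):
        self.scarf_log = []     # reviewed periodically by the auditor
        self.alerts = []        # real-time notifications from the audit hook
        self.itf_results = []   # (txn id, did processing match the expected result)

    def before(self, policy, txn):
        if policy.branch == ITF_BRANCH:
            return  # dummy records are checked in after(), never mixed into SCARF
        reasons = []
        if txn.get("amount", 0) > RUPEE_LIMIT:
            reasons.append("exceeds rupee limit")
        if not policy.active:
            reasons.append("inactive account")
        if reasons:
            self.scarf_log.append((txn["id"], reasons))
        # Audit hook: tag on name/address change, alert on a later withdrawal.
        if txn["type"] in ("name_change", "address_change"):
            policy.tagged = True
        elif txn["type"] == "withdrawal" and policy.tagged:
            self.alerts.append((txn["id"], policy.policy_id))

    def after(self, policy, txn):
        # ITF: compare the processed result with what the auditor expected.
        if policy.branch == ITF_BRANCH and "expect_balance" in txn:
            self.itf_results.append((txn["id"], policy.balance == txn["expect_balance"]))


class PolicySystem:
    """The production application, with the audit module embedded in processing."""

    def __init__(self, policies, audit):
        self.policies = {p.policy_id: p for p in policies}
        self.audit = audit

    def process(self, txn):
        policy = self.policies[txn["policy"]]
        self.audit.before(policy, txn)
        if txn["type"] == "deposit":
            policy.balance += txn["amount"]
        elif txn["type"] == "withdrawal":
            policy.balance -= txn["amount"]
        self.audit.after(policy, txn)

    def branch_totals(self):
        """Management report: ITF dummy records must not be combined with actual ones."""
        totals = {}
        for p in self.policies.values():
            if p.branch != ITF_BRANCH:
                totals[p.branch] = totals.get(p.branch, 0) + p.balance
        return totals


def run_demo():
    audit = AuditModule()
    system = PolicySystem([
        Policy("P-100", "KTM", 900_000),
        Policy("P-200", "PKR", 50_000, active=False),
        Policy("T-001", ITF_BRANCH, 1_000),          # fictitious ITF record
    ], audit)
    transactions = [                                  # constructed sample transactions
        {"id": 1, "policy": "P-100", "type": "deposit", "amount": 20_000},
        {"id": 2, "policy": "P-100", "type": "withdrawal", "amount": 600_000},
        {"id": 3, "policy": "P-200", "type": "deposit", "amount": 5_000},
        {"id": 4, "policy": "P-100", "type": "address_change"},
        {"id": 5, "policy": "P-100", "type": "withdrawal", "amount": 10_000},
        {"id": 6, "policy": "T-001", "type": "withdrawal", "amount": 400,
         "expect_balance": 600},
        {"id": 7, "policy": "T-001", "type": "deposit", "amount": 250,
         "expect_balance": 850},
    ]
    for txn in transactions:
        system.process(txn)
    return audit.scarf_log, audit.alerts, audit.itf_results, system.branch_totals()


if __name__ == "__main__":
    print(run_demo())
```
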

Question No 4:
Discuss various issues that are of primary concern for an auditor involved in information system
audit. (December 2005)(10 Marks)
Answer No 4:
Auditors involved in reviewing an information system should focus their concerns on the system's
control aspects. They must look at the total systems environment, not only the computerized
segment. This requires their involvement from the time that a transaction is initiated until it is
posted to the organization's general ledger. Specifically, auditors must ensure that provisions are
made for:
• An adequate audit trail so that transactions can be traced forward and backward through the
system.
• Controls over the accounting for all data entered into the system and controls to ensure the
integrity of these transactions throughout the computerized segment of the system.
• Handling exceptions to and rejections from the computer system.
• Testing to determine whether the system performs as stated.
• Control over the changes to the computer system to determine whether the proper
authorization has been given.
• Authorization procedures for system overrides.
• Determining whether organization and government policies and procedures are adhered to in
system implementation.
• Training user personnel in the operation of the system.
• Adequate controls between interconnected computer systems.
• Adequate security procedures to protect the user's data.
• Backup and recovery procedures for the operation of the system.
• Technologies provided by different vendors are compatible and controlled.
• Databases are adequately designed and controlled to ensure that common definitions of data
are used throughout the organization.
• Developing detailed evaluation criteria so that it is possible to determine whether the
implemented system has met predetermined specifications.

Question No 5:
Explain the role of information security administrator. (December 2005)(10 Marks)
Answer No 5
Role of Information Security Administrator:
i) A security administrator attempts to ensure that the facilities in which systems are developed,
implemented, maintained and operated are safe from threats that affect the continuity of
installation and/or result in loss of security.
ii) The security administrator sets policy, subject to board approval.
iii) He also investigates, monitors, advises employees, and counsels management on matters
pertaining to security.
iv) The security administrator is responsible for establishing the minimal fixed requirements for
classification of information based on the physical, procedural and logical security elements.
The need to protect these security elements is also stressed. He assigns responsibilities to job
classifications and formulates what is to be done in case of exceptions.
v) The security administrator guides other information security administrators and users on the
selection and application of security measures. He trains them on how to mark and handle
processes, trains security coordinators, selects software security packages and solves problems.
vi) He investigates all security violations.
vii) He advises senior management on matters of information resource control.
viii) He consults on matters of information security.
ix) A security administrator also has the responsibility of conducting a security program, which is
a series of ongoing, regular, periodic evaluations of the facilities available.
x) A security administrator has to consider an extensive list of possible threats to the
organization, prepare an inventory of assets, evaluate the existing controls, implement new
controls, etc.

Question No 6
Answer the following:
Importance of Information System Audit (December 2008)(8 Marks)
Computer technology has become an integral part of day-to-day business in most
organizations. Systems are getting more complex and a significant amount of data is stored.
Therefore it is necessary to maintain availability of the system, integrity of the data and security of
the system. The risk has increased. Therefore an information system audit is needed to ensure
adequacy of data and system security.
Information system audit involves assessing the adequacy of the automated information system to
meet the organization's needs. It helps ensure adequacy of the system to meet the processing needs
and adequacy of internal control of the information system, and also that the assets controlled
by those information systems are adequately safeguarded.
This audit involves analysis of logs or audit trails to trace the transactions both backwards and
forward. This is important to cross-check and control transactions. Apart from audit trail analysis,
the audit also assesses how the application handles exceptions, how it controls access rights and
privileges, and the adequacy of the control and secure regulation of data flow among the
interconnected computer systems.

Computer Assisted Audit Techniques (CAAT) (December 2010)(8 Marks) (June 2010)(10
Marks) (December 2011)(5 Marks) (Old Syllabus, December 2011)(5 Marks) (Old Syllabus,
June 2012)(5 Marks) (December 2013)(5 Marks) (June 2017)(5 Marks)
Computer Assisted Audit Techniques or Computer Aided Audit Tools (CAATs) are also known as
Computer Assisted Audit Tools and Techniques (CAATTs). This is a growing field in the financial
audit profession. Basically, it is used to extract and analyze data using a computer. Some of the
audit processes are also automated to assist the auditor. This would include utilizing specialized
software packages. In practice, however, CAATs has become synonymous with incorporating data
analytics into the audit process. This is one of the emerging fields within the audit profession. In
the most general terms, CAATTs refers to any computer program that is used to improve the audit
process. Popular software packages used are SAS, Excel and Access.
CAAT refers to audit techniques that use computer applications as the primary tool. It is generally used
for sampling, statistical analyses and exception reporting, and for this, specialized software such as
generalized audit software, test data generators, computerized audit programs and specialized audit
utilities is used.
Today, in most large and medium-sized enterprises, most of the business processes are driven by
computers. Therefore, performing an audit without using information technology is hardly an
option. When all the information needed for doing an audit is on computer systems, one has to
carry out audits using the computer.
With data volumes growing and management expectations on assurances becoming more specific,
random verifications and testing do not yield the desired value. The use of audit software ensures
100 percent scrutiny of transactions in which there is audit interest, and pointed identification and
zeroing in on erroneous/exceptional transactions, even when data volumes are huge. And all this
can be done in a fraction of the time required with manual methods.
CAAT is a growing field within the financial audit profession. CAATs is the practice of using
computers to automate or simplify the audit process. In the broadest sense of the term, CAATs can
refer to any use of a computer during the audit. This would include utilizing basic software
packages such as SAS, Excel, Access, Crystal Reports, and also word processors. In practice,
however, CAATs has become synonymous with incorporating data analytics into the audit
process. This is one of the emerging fields within the audit profession.


Audit specialized software can perform the following functions:
• Data queries.
• Data stratification.
• Sample extractions.
• Missing sequence identification.
• Statistical analysis.
• Calculations.
• Duplicate inquiries.
• Pivot tables.
• Cross tabulation.

Question No 7
Describe how Information System Auditor helps in the quality control.
(December 2012)(5 Marks)
Answer No 7
An information system auditor is involved in reviewing the overall activity of the information system from
the stage of development to operation and service. An information system auditor ensures the
following:
• An adequate audit trail so that transactions can be traced forward and backward through the
system.
• Controls over the accounting for all data entered into the system and controls to ensure the
integrity of those transactions throughout the computerized segment of the system.
• Handling exceptions to and rejections from the computer system.
• Testing to determine whether the systems perform as stated.
• Control over changes to the computer system to determine whether the proper authorization
has been given.
• Authorization procedures for system overrides.
• Determining whether organization and government policies and procedures are adhered to in
system implementation.
• Training user personnel in the operation of the system.
• Developing detailed evaluation criteria so that it is possible to determine whether the
implemented system has met predetermined specifications.
• Adequate controls between interconnected computer systems.
• Adequate security procedures to protect the users' data.
• Backup and recovery procedures for the operation of the system.
• Technology provided by different vendors is compatible and controlled.
As the IS auditor ensures the above, this helps in the quality control of the information system.


Question No 8
What do you mean by CAAT? How does it help in IS audit? (December 2012)(5 Marks)
Answer No 8
CAAT (computer assisted audit technique), as it is commonly used, is the practice of analyzing
large volumes of data looking for anomalies. A well designed CAAT audit will not be a sample,
but rather a complete review of all transactions. Using CAAT, the auditor will extract every
transaction the business unit performed during the period reviewed. The auditor will then test that
data to determine if there are any problems in the data. The CAAT auditor can easily look for
duplicate vendors or transactions. When such a duplicate is identified, they can approach
management with the knowledge that they tested 100% of the transactions and that they identified
100% of the exceptions.
Another advantage of CAAT is that it allows auditors to test for specific risks. For example, an
insurance company may want to ensure that it doesn't pay any claims after a policy is terminated.
Using traditional audit techniques, this risk would be very difficult to test. The auditor would
"randomly select" a "statistically valid" sample of claims (usually 30-50). They would then check
to see if any of those claims were processed after a policy was terminated. Since the insurance
company might process millions of claims, it is extremely unlikely that any of those 30-50
"randomly selected" claims occurred after the policy was terminated. Even if one or two of those
claims were for a date of service after the policy termination date, what does that tell the auditor?
Using CAAT, the auditor can select every claim that had a date of service after the policy
termination date. The auditor then can determine if any claims were inappropriately paid. If they
were, the auditor can then figure out why the controls to prevent this failed. In a real life audit, the
CAAT auditor noted that a number of claims had been paid after policies were terminated. Here is
a list of uses of CAAT in brief:
• Recalculating and verifying balances
• Testing compliance with standards
• Aging analysis of receivables and payables
• Identifying control issues
• Testing duplicates within data
• Testing gaps in invoice numbers
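
The full-population tests described in the two CAAT answers above (claims with a date of service after policy termination, duplicates, missing sequence identification and stratification), as an added Python example that is not part of the suggested answers. The policy master, the claims register, the field layout and the rule that a claim dated on the termination date is still covered are constructed assumptions.

```python
from collections import defaultdict
from datetime import date
from decimal import Decimal

# Constructed policy master: policy number -> termination date (None = active).
POLICIES = {
    "P-100": date(2018, 6, 30),
    "P-200": None,
    "P-300": date(2018, 3, 15),
}

# Constructed claims register: (claim_no, policy, date_of_service, payee, amount).
CLAIMS = [
    (1001, "P-100", date(2018, 5, 2), "City Clinic", Decimal("1200.00")),
    (1002, "P-100", date(2018, 7, 9), "City Clinic", Decimal("800.00")),
    (1003, "P-200", date(2018, 7, 1), "Valley Hospital", Decimal("4500.00")),
    (1004, "P-200", date(2018, 7, 1), "valley hospital ", Decimal("4500.00")),
    (1006, "P-300", date(2018, 3, 15), "City Clinic", Decimal("300.00")),
    (1007, "P-300", date(2018, 4, 1), "Metro Lab", Decimal("150.00")),
    (1009, "P-999", date(2018, 2, 2), "Metro Lab", Decimal("75.00")),
]


def claims_after_termination(claims, policies):
    """Test every claim, not a sample.

    Returns (exceptions, orphans): claim numbers served after the policy's
    termination date, and claim numbers whose policy is not in the master file.
    Assumption: a claim dated on the termination date itself is still covered.
    """
    exceptions, orphans = [], []
    for claim_no, policy, served, _payee, _amount in claims:
        if policy not in policies:
            orphans.append(claim_no)  # cannot be tested: report separately
            continue
        terminated = policies[policy]
        if terminated is not None and served > terminated:
            exceptions.append(claim_no)
    return exceptions, orphans


def duplicate_claims(claims):
    """Group claims that share policy, date of service, payee and amount."""
    groups = defaultdict(list)
    for claim_no, policy, served, payee, amount in claims:
        # Normalise the payee so spacing and case do not hide a duplicate.
        key = (policy, served, payee.strip().lower(), amount)
        groups[key].append(claim_no)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def missing_sequence(numbers):
    """Return the document numbers absent between the lowest and highest seen."""
    present = set(numbers)
    if not present:
        return []
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def stratify(claims, boundaries):
    """Count and total claims per amount band.

    boundaries is an ascending list of lower bounds for the second and later
    bands, so [500, 2000] gives: below 500, 500 to below 2000, 2000 and above.
    """
    bands = [[0, Decimal("0")] for _ in range(len(boundaries) + 1)]
    for *_, amount in claims:
        idx = sum(1 for b in boundaries if amount >= b)
        bands[idx][0] += 1
        bands[idx][1] += amount
    return [(count, total) for count, total in bands]


if __name__ == "__main__":
    late, orphans = claims_after_termination(CLAIMS, POLICIES)
    print("Served after termination:", late)
    print("Policy not in master file:", orphans)
    print("Duplicate groups:", duplicate_claims(CLAIMS))
    print("Missing claim numbers:", missing_sequence([c[0] for c in CLAIMS]))
    for count, total in stratify(CLAIMS, [Decimal("500"), Decimal("2000")]):
        print("Band:", count, "claims, total", total)
```

Each function returns the complete set of exceptions for its test, which is what lets the auditor report on 100% of the population rather than on a sample.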

Question No 9
Write short notes on Computer Crime (December 2012)(5 Marks)
Answer No 9
Computer crime is a growing threat to society caused by the criminal or irresponsible actions of
individuals who are taking advantage of the widespread use and vulnerability of computers and the
Internet and other networks. It thus presents a major challenge to the ethical use of information
technologies. Computer crime poses serious threats to the integrity, safety, and survival of most
e-business systems, and thus makes the development of effective security methods a top priority.
Computer crime is defined by the Association of Information Technology Professionals (AITP) as
including:
• The unauthorized use, access, modification, and destruction of hardware, software, data, or
network resources.
• The unauthorized release of information.
• The unauthorized copying of software.
• Denying an end user access to his or her own hardware, software, data, or network resources.
• Using or conspiring to use computer or network resources to illegally obtain information or
tangible property.

Question No 10
Briefly explain the information system control and audit. (June 2012)(5 Marks)
Answer No 10
Information systems controls are methods and devices that attempt to ensure the accuracy, validity,
and propriety of information system activities. Information System (IS) controls must be
developed to ensure proper data entry, processing techniques, storage methods, and information
output. IS controls are designed to monitor and maintain the quality and security of the input,
processing, output, and storage activities of any information system.
Business information systems should be periodically examined, or audited, by a
company's internal auditing staff or external auditors from professional accounting firms. Such
audits should review and evaluate whether proper and adequate security measures and management
policies have been developed and implemented.
An important objective of e-business system audits is testing the integrity of an application audit
trail. An audit trail can be defined as the presence of documentation that allows a transaction to be
traced through all stages of its information processing. The audit trail of manual information
systems was quite visible and easy to trace, however, computer-based information systems have
changed the form of the audit trail.

Question No 11
Describe the role of IS auditor with respect to
i) Physical access controls
ii) Environmental controls
( June 2013)(8 Marks) ( June 2015)(8 Marks) (June 2019)(7 Marks)


Answer No 11
i) Role of IS Auditor in Physical Access Controls: Auditing physical access requires the auditor
to review the physical access risk and controls to form an opinion on the effectiveness of the
physical access controls. This involves the following:
• Risk Assessment: The auditor must satisfy himself that the risk assessment procedure
adequately covers periodic and timely assessment of all assets, physical access threats,
vulnerabilities of safeguards and exposures therefrom.
• Controls Assessment: The auditor, based on the risk profile, evaluates whether the
physical access controls are in place and adequate to protect the IS assets against the risks.
• Planning for review of physical access controls: It requires examination of relevant
documentation such as the security policy and procedures, premises plans, building plans,
inventory list and cabling diagrams.
• Testing of Controls: The auditor should review physical access controls to satisfy himself of
their effectiveness. This involves:
♦ Tour of organizational facilities including outsourced and offsite facilities.
♦ Physical inventory of computing equipment and supporting infrastructure.
♦ Interviewing personnel, which can also provide information on the awareness and knowledge of
procedures.
♦ Observation of safeguards and physical access procedures. This would also include inspection of:
i. Core computing facilities.
ii. Computer storage rooms.
iii. Communication closets.
iv. Backup and off site facilities.
v. Printer rooms.
vi. Disposal yards and bins.
vii. Inventory of supplies and consumables.
♦ Review of physical access procedures including user registration and authorization, authorization
for special access, logging, review, supervision etc. Employee termination procedures should
provide for withdrawal of rights, such as retrieval of physical devices like smart cards and access tokens,
deactivation of access rights and its appropriate communication to relevant constituents in the
organization.
♦ Examination of physical access logs and reports. This includes examination of incident reporting
logs and problem resolution reports.

ii) Role of IS Auditor in Environment Controls:


The attack on the World Trade Centre in 2001 has created a worldwide alert bringing focus on
business continuity planning and environmental controls. Audit of environment controls should
form a critical part of every IS audit plan. The IS auditor should satisfy himself not only of the effectiveness
of various technical controls but also that the overall controls safeguard the business against
environmental risks. Some of the critical audit considerations that an IS auditor should take into
account while conducting his audit are given below:

Audit Planning and Assessment: As part of risk assessment:


♦ The risk profile should include the different kinds of environmental risks that the organization
is exposed to. These should comprise both natural and man-made threats. The profile should
be periodically reviewed to ensure it is updated with newer risks that may arise.
♦ The controls assessment must ascertain that controls safeguard the organization against all
acceptable risks including probable ones and are in place.
♦ The security policy of the organization should be reviewed to assess policies and procedures
that safeguard the organization against environmental risks.
♦ Building plans and wiring plans need to be reviewed to determine the appropriateness of
location of IPF, review of surroundings, power and cable wiring etc.
♦ The IS Auditor should interview relevant personnel to satisfy himself about employees'
awareness of environmental threats and controls, role of the interviewee in environmental
control procedures such as prohibited activities in IPF, incident handling, and evacuation
procedures to determine if adequate incident reporting procedures exist.
♦ Administrative procedures such as preventive maintenance plans and their implementation,
incident reporting and handling procedures, inspection and testing plan and procedures need to be
reviewed.

Question No 12
Describe the role of system auditor in ensuring the following:
i) Arrangement of high availability setup for a major enterprise e-commerce system.
ii) Setup of mechanism to ensure system security and transaction security of an online payment
system. (June 2014)(8 Marks)
Answer no12
Role of IS Auditor in Physical Access Controls: Auditing physical access requires the auditor to
review the physical access risk and controls to form an opinion on the effectiveness of the physical
access controls. This involves the following:
• Risk Assessment: The auditor must satisfy himself that the risk assessment procedure adequately
covers periodic and timely assessment of all assets, physical access threats, vulnerabilities of
safeguards and exposures therefrom.
• Controls Assessment: The auditor, based on the risk profile, evaluates whether the physical access
controls are in place and adequate to protect the IS assets against the risks.
• Planning for review of physical access controls: It requires examination of relevant
documentation such as the security policy and procedures, premises plans, building plans,
inventory list and cabling diagrams.
• Testing of Controls: The auditor should review physical access controls to satisfy himself of their
effectiveness. This involves:
♦ Tour of organizational facilities including outsourced and offsite facilities.
♦ Physical inventory of computing equipment and supporting infrastructure.
♦ Interviewing personnel, which can also provide information on the awareness and knowledge of
procedures.
♦ Observation of safeguards and physical access procedures. This would also include inspection of:
i) Core computing facilities.
ii) Computer storage rooms.
iii) Communication closets.
iv) Backup and off site facilities.
v) Printer rooms.
vi) Disposal yards and bins.
vii) Inventory of supplies and consumables.
♦ Review of physical access procedures including user registration and authorization, authorization
for special access, logging, review, supervision etc. Employee termination procedures should
provide for withdrawal of rights, such as retrieval of physical devices like smart cards and access tokens,
deactivation of access rights and its appropriate communication to relevant constituents in the
organization.
♦ Examination of physical access logs and reports. This includes examination of incident reporting
logs and problem resolution reports.

Question No 13
How important is auditing during system development process? Outline some of the activities of
auditor in this regard. (December 2014)(5 Marks)
Answer No 13
Auditing is a process of checking the overall quality and integrity of a process, system or data.
System auditing is also similar. It tries to make sure that the system is as per the objective and
requirements and the pre-defined guidelines are followed properly.
Auditing is even more important during development because if shortcomings, problems and flaws
could be identified during development, those can be quickly corrected so that the final product
shall have minimal flaws. It is increasingly difficult and costly to rectify flaws as we go deeper
into the developmental stage. Finding early and fixing early is always preferable. Auditing can help
achieve that.


The major activities that the auditor should undertake in this regard are:
i. Should interact with each of the stakeholders of the system.
ii. Should try to identify and validate the business problems and needs. Then the auditor should
try to match those with the system design & development process.
iii. Should be able to suggest necessary changes to the system prototype or module that is being
evolved into the full system.
iv. Should ensure that the system stakeholders are properly coordinated.
v. Should check whether the standards are being followed properly.

Question No 14
Discuss the role of auditing in control process. (December 2014)(5 Marks)
Answer No 14
To know that information systems controls are effective, organizations must conduct
comprehensive and systematic audits. An MIS audit identifies all the controls that govern
individual information systems and assesses their effectiveness. To accomplish this, the auditor must
acquire a thorough understanding of operations, physical facilities, telecommunications, control
systems, data security objectives, organizational structure, personnel, manual procedures, and
individual applications.

For this audit, the auditor usually interviews key individuals who use and operate a specific
information system concerning their activities and procedures. Application controls, overall
integrity controls, and control disciplines are examined. The auditor should trace the flow of sample
transactions through the system and perform tests, using, if appropriate, automated audit software.
In addition to interviews, the auditor can also test the system, its design robustness, security and
functional details. Inspection of documents, user privileges, logs, etc. is also part of the audit
process.

Question No 15
Write short notes on Role of Firewall in system security (December 2014)(5 Marks)
Answer No 15
Firewalls are designed to control access to and from a system or network. Firewalls can be used to
protect a particular system, a set of systems or a whole network. Depending upon the roles and
deployment scope, the design and functionality of firewalls can differ. Firewalls designed to
protect a particular system are configured so that the system resources are protected while making
sure that the system is accessible to legitimate users and services from outside. Hence, the
firewall is configured and programmed to prevent unwanted and illegitimate access while allowing
legitimate use. Services such as user authentication, port and traffic rate control, VPN access and
rules to allow access from specific networks/hosts to specific ports/services/applications in the
protected system are deployed in the firewall. The scale, complexity and size of the system
protection firewall are based on the expected traffic volume to and from the system, nature of the
system, criticality of the system and network exposure of the system. In its overall principle of
operation, a system protection firewall is like any other firewall, but the specific functional details,
rules and policies are specific to the particular system being protected. As with every kind of
firewall, the system protection firewall also has the role of controlling access, verifying
users/networks trying to use system resources, restricting unwanted access, and restricting access to
unnecessary services/ports in the system. The firewall also has to alert/inform system
administrators about any unwanted event or activity related to the system.

Question No 16
What is the basic role of Information System Auditor? What are the ethical issues associated with
Information systems? ( June 2015)(7 Marks)
Answer No 16
An IS Auditor's role is to evaluate whether adequate controls are present within the project
management and business processes and to validate the effectiveness of those controls. It is basically
the evaluation of IT systems and processes to ensure protection and use of information system assets.
An organisation is dependent on its IT system for carrying out business activities and achieving its
objectives. An IS auditor has to assess whether the IT system is strong and trustworthy for its
desired results. Various IT tools and techniques are used as audit tools to gauge the effectiveness
of the IT system.
With the rampant use of information technology in business, many ethical issues have come up. The
ethical questions try to indicate the boundaries, standards and code of conduct while using IT
for various works. While IT is used to achieve better efficiency in business, at times it may lead to
harm to various people.
The key ethical issues raised by information systems are:
1. Proper Use of information for intended purpose
2. Protection of personal privacy
3. Protection of intellectual property
4. Accountability for use of IS information

Question No 17
Write short notes on Audit Trails (June 2015)(5 Marks)
Answer No 17
Audit trails are logs that can be designed to record activity at the system, application, and user
level. When properly implemented, audit trails provide an important detective control to help
accomplish security policy objectives. Many operating systems allow management to select the
level of auditing to be provided by the system. This determines which events will be recorded in
the log. An effective audit policy will capture all significant events without cluttering the log with
trivial activity. Audit trails can be used to support security objectives in three ways:
(i) Detecting unauthorized access to the system,
(ii) Facilitating the reconstruction of events, and
(iii) Promoting personal accountability.
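
The three uses of an audit trail listed above, run over a small log, as an added Python example that is not part of the suggested answer. The log format, the user and event names, and the threshold of three failed logins within five minutes are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit trail with system-, application- and user-level events.
AUDIT_LOG = """\
2019-06-01T09:00:01 level=system user=- event=SERVICE_START object=ledger result=OK
2019-06-01T09:02:10 level=user user=sita event=LOGIN object=- result=OK
2019-06-01T09:03:00 level=application user=sita event=TXN_CREATE object=TXN-501 result=OK
2019-06-01T09:05:11 level=user user=hari event=LOGIN object=- result=FAIL
2019-06-01T09:05:19 level=user user=hari event=LOGIN object=- result=FAIL
2019-06-01T09:05:27 level=user user=hari event=LOGIN object=- result=FAIL
2019-06-01T09:05:40 level=user user=hari event=LOGIN object=- result=OK
2019-06-01T09:06:02 level=application user=hari event=TXN_ALTER object=TXN-501 result=OK
2019-06-01T09:07:30 level=application user=gita event=TXN_DELETE object=TXN-501 result=DENIED
2019-06-01T09:09:00 level=application user=sita event=TXN_APPROVE object=TXN-501 result=OK
"""

# Events that change a transaction (assumed names for this example).
CHANGE_EVENTS = {"TXN_CREATE", "TXN_ALTER", "TXN_DELETE", "TXN_APPROVE"}


def parse(log_text):
    """Turn 'timestamp key=value ...' lines into dicts sorted by time."""
    records = []
    for line in log_text.strip().splitlines():
        stamp, *pairs = line.split()
        record = dict(pair.split("=", 1) for pair in pairs)
        record["time"] = datetime.fromisoformat(stamp)
        records.append(record)
    return sorted(records, key=lambda r: r["time"])


def detect_unauthorized_access(records, max_failures=3,
                               window=timedelta(minutes=5)):
    """(i) Flag denied actions, failed-login bursts, and a login that
    succeeds straight after such a burst."""
    failures = defaultdict(deque)  # user -> recent failed-login times
    findings = set()
    for r in records:
        user, now = r["user"], r["time"]
        if r["result"] == "DENIED":
            findings.add((user, "ACCESS_DENIED"))
        if r["event"] != "LOGIN":
            continue
        recent = failures[user]
        while recent and now - recent[0] > window:
            recent.popleft()  # forget failures older than the window
        if r["result"] == "FAIL":
            recent.append(now)
            if len(recent) >= max_failures:
                findings.add((user, "FAILED_LOGIN_BURST"))
        elif r["result"] == "OK":
            if len(recent) >= max_failures:
                findings.add((user, "SUCCESS_AFTER_BURST"))
            recent.clear()
    return sorted(findings)


def reconstruct(records, object_id):
    """(ii) Rebuild, in time order, everything that happened to one object."""
    return [(r["time"].strftime("%H:%M:%S"), r["user"], r["event"], r["result"])
            for r in records if r["object"] == object_id]


def accountability(records):
    """(iii) List the successful changes each user is answerable for."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] in CHANGE_EVENTS and r["result"] == "OK":
            by_user[r["user"]].append(r["event"])
    return dict(by_user)


if __name__ == "__main__":
    trail = parse(AUDIT_LOG)
    print(detect_unauthorized_access(trail))
    for step in reconstruct(trail, "TXN-501"):
        print(step)
    print(accountability(trail))
```

The same log supports all three uses only because each record carries who, what, when and the outcome; a trail that omits failed or denied events cannot support the first use.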

Question No 18
Explain the information system audit process. (December 2016)(7 Marks)
Answer No 18
The process of information system audit involves four steps:
• Measuring vulnerability of information system:
The first step in the process of information system audit is the identification of the vulnerability of
each application. Where the probability of computer abuse is high, there is a greater need for an
information system audit of that application. The probability of computer abuse would depend
upon the nature of the application and the quality of controls.
• Identification of sources of threat:
Most of the threats of computer abuse are from the people. The information system auditor should
identify the people who might pose a threat to the information systems. These people include
system analysts, programmers, data entry operators, data providers, users, vendors of hardware,
software and services, computer security specialists, PC users, etc.
• Identification of high risk points:
The next step in the process of information system audit is to identify the occasions, points or
events when the information system may be penetrated. These points may be when a transaction is
added, altered or deleted. The high-risk point may also be the occasion when a data or program file
is changed or the operation is faulty.
• Check for computer abuse:
The last step in the process is to conduct the audit of high risk potential points keeping in view the
activities of the people who could abuse the information system for the applications that are highly
vulnerable.

Question No 19
Assume you are the information system auditor of a large trading house. How would you ensure the
system security and transaction security? (December 2017)(8 Marks)
Answer No 19
As the system auditor, I shall verify and carry out the following to ensure system security:
i. Platform security in terms of hardware robustness and up-to-date software.
ii. Proper and timely patching, updating, bug-fixing of the software.
iii. Well-defined access policies and roles for both end-users and administrators.
iv. Clear security guidelines for end users and system administrators.
v. Mechanism to ensure high availability for both system and network.
Similarly, to ensure the transaction security, I shall verify and carry out the following activities:
i. Recommending and enforcing secure transaction modes such as those using encryption.
ii. Enforcing proper filtering and analytical arrangements to ensure that the data being
transacted are safe.
iii. Enacting security alert and alarm mechanisms for both the system administrators and end users
in case of any breach or malpractice.
iv. Making sure that the system has the necessary log record of each and every transaction happening
in the system. This log is of high importance in case of any fraud or loss of data.

Question No 20
Assume you are developing the Terms of Reference to hire the IS Auditor for commercial bank in
Nepal. Explain the scope of IS Audit in the given context. Why is IT strategy planning important in
modern organization? Explain. (June 2017)(10 Marks)
Answer No 20
The IS Audit of a commercial bank is all about the evaluation of overall control mechanism of
Information Communication Technology system of the organization to determine whether they
produce timely, accurate, complete and reliable information in conformity with the management
goals and objective of the bank. The scope of the evaluation of the control mechanism or scope of
IS Audit are listed as below:
(a) Evaluation of Information Technology General Control (ITGC)
(b) Evaluation of Core Banking System Application
(c) Evaluation of Network and Communication Control
(d) Evaluation of System Development/Procurement.
Evaluation of Information Technology General Control (ITGC):
Following are the points associated with the evaluation of the control of the ITGC.
i. Evaluation of ICT management control.
ii. Evaluation of ICT system administration control.
iii. Evaluation of ICT acquisition and change management control.
iv. Evaluation of ICT operational control.
v. Evaluation of ICT System logical access control.
vi. Evaluation of ICT physical equipment including server and hardware and environmental
control.
vii. Evaluation of business continuity planning control.
viii. Evaluation of ICT based system third party service providers control.
ix. Evaluation of ICT end-user computing control.
x. Evaluation of data integrity, security, non-repudiation, authenticity control.


Evaluation of Core Banking System Application Control
Following are the points associated with the evaluation of the control of the Core Banking
Application.
i. Evaluation of application security control.
ii. Evaluation of input control.
iii. Evaluation of business rules and processing control.
iv. Evaluation of performance of application.
v. Evaluation of output control.
vi. Evaluation of exception handling control.
vii. Evaluation of master file and standing data control
Evaluation of Network and Communication Control
i. Evaluation of general network control.
ii. Evaluation of performance / integrity control.
iii. Evaluation of remote access control.
iv. Evaluation of physical security control.
v. Evaluation of logical security control.
vi. Evaluation of performance of overall network and recommendation of remedies.
Evaluation of System Development/Procurement.
i. Evaluation of general control.
ii. Evaluation of planning control.
iii. Evaluation of design and development /Procurement process control.
iv. Evaluation of implementation control.
v. Evaluation of maintenance control.
vi. Evaluation of post implementation review control.

Question No 21
Explain about the roles of Information System Auditor. (June 2012)(5 Marks)
Answer No 21
The purpose of auditing of Information System is to review and evaluate the internal controls that
protect the system. When performing an IS audit, the auditor should ascertain that the following
objectives are met:
• Security requirements of Information Technology are met and the data are protected from intruders.
• The system development or acquisition processes are in accordance with management's
general procedures.
• The modifications have the permissions from the authorities.
• The data processing is accurate.
• The bugs are identified and handled according to the prescribed process.


Question No 22
Describe the role of Auditor in Environment Controls. Describe clustering technique in brief.
( June 2013)(7 Marks)
Answer No 22
The attack on the World Trade Centre in 2001 has created a worldwide alert bringing focus on
business continuity planning and environmental controls. Audit of environment controls should
form a critical part of every IS audit plan. The IS auditor should satisfy himself not only of the effectiveness
of various technical controls but also that the overall controls safeguard the business against
environmental risks. Some of the critical audit considerations that an IS auditor should take into
account while conducting his audit are given below:

Audit Planning and Assessment: As part of risk assessment:


♦ The risk profile should include the different kinds of environmental risks that the
organization is exposed to. These should comprise both natural and man-made threats. The profile
should be periodically reviewed to ensure updates with newer risks that may arise.
♦ The controls assessment must ascertain that controls safeguard the organization against all
acceptable risks including probable ones and are in place.
♦ The security policy of the organization should be reviewed to assess policies and
procedures that safeguard the organization against environmental risks.
♦ Building plans and wiring plans need to be reviewed to determine the appropriateness of
location of IPF, review of surroundings, power and cable wiring etc.
♦ The IS Auditor should interview relevant personnel to satisfy himself about employees'
awareness of environmental threats and controls, role of the interviewee in environmental control
procedures such as prohibited activities, incident handling, and evacuation procedures to determine
if adequate incident reporting procedures exist.
♦ Administrative procedures such as preventive maintenance plans and their implementation,
incident reporting and handling procedures, inspection and testing plan and procedures need to be
reviewed.

Question No 23
Define information systems audit. What are the benefits of this audit? What is CAAT? (December
2018)(7 Marks)
Answer No 23
First Part: An information technology audit, or information systems audit, is an examination of
the management controls within an Information Technology (IT) infrastructure. The evaluation of
obtained evidence determines if the information systems are safeguarding assets, maintaining data
integrity, and operating effectively to achieve the organization's goals or objectives. These reviews
may be performed in conjunction with a financial statement audit, internal audit, or other form of
attestation engagement. IT audits are also known as "automated data processing (ADP) audits" and
"computer audits". They were formerly called "electronic data processing (EDP) audits".
Second Part: The purposes of an IT audit are to evaluate the system's internal control design and
effectiveness. This includes, but is not limited to, efficiency and security protocols, development
processes, and IT governance or oversight. Installing controls is necessary but not sufficient to
provide adequate security. People responsible for security must consider if the controls are
installed as intended, if they are effective, or if any breach in security has occurred and if so, what
actions can be taken to prevent future breaches.
The primary functions of an IT audit are to evaluate the systems that are in place to guard an
organization's information. Specifically, information technology audits are used to evaluate the
organization's ability to protect its information assets and to properly dispense information to
authorized parties. The IT audit aims to evaluate the following:
• Will the organization's computer systems be available for the business at all times when
required? (known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security
and confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely?
(measures the integrity)
Many organisations are spending large amounts of money on IT because they recognise the
tremendous benefits that IT can bring to their operations and services. However, they need to
ensure that their IT systems are reliable, secure and not vulnerable to computer attacks.
IT audit is important because it gives assurance that the IT systems are adequately protected,
provide reliable information to users and are properly managed to achieve their intended benefits.
Many users rely on IT without knowing how the computers work. A computer error could be
repeated indefinitely, causing more extensive damage than a human mistake. IT audit could also
help to reduce risks of data tampering, data loss or leakage, service disruption, and poor
management of IT systems.
Third Part: Computer Assisted Audit Technique (CAAT) is a tool used by
auditors. This tool helps them search for irregularities in the given data. With
the help of this tool, the internal accounting department of any firm will be able to provide more
analytical results. These tools are used throughout every business environment and also across
industry sectors. With the help of Computer Assisted Audit Techniques, more forensic
accounting with more analysis can be done. It is a helpful tool that helps the firm's auditor
work in an efficient and productive manner.
The CAAT tool supports forensic accounting, in which larger amounts of data can be converted into
analytical form, and it also prompts the auditor where the tool detects fraud. This tool simplifies the data
and presents it in automated form. CAAT tools are in place in almost every firm where
auditing or advanced-level accounting takes place. Firms are well aware of the benefits of these
tools and are also making advancements in them in accordance with their needs; in return, all
the large raw data is turned into statistical and analytical form. It is a time-saving tool.
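
The kind of irregularity search a CAAT performs, as an added example that is not part of the suggested answer: three common audit tests (duplicate payments, gaps in the voucher sequence, payments clustered just under an approval limit) run over a constructed payment register. The column names, the approval limit of 100,000 and the 1% margin are assumptions made for the illustration.

```python
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed payment register (illustrative only, not real data).
SAMPLE_REGISTER = """\
voucher_no,vendor,invoice_no,amount,approved_by
1001,Himal Traders,INV-501,45000.00,asharma
1002,Everest Supplies,INV-877,99500.00,rthapa
1003,Himal Traders,INV-501,45000.00,bkc
1005,Everest Supplies,INV-878,99900.00,rthapa
1006,Koshi Stationers,INV-112,12000.00,asharma
1007,Everest Supplies,INV-879,99000.00,rthapa
"""

# Assumed policy: payments of 100,000 or more need a second approver.
APPROVAL_LIMIT = Decimal("100000")


def load_register(text):
    """Read the register into typed rows (Decimal avoids float rounding on money)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "voucher_no": int(row["voucher_no"]),
            "vendor": row["vendor"].strip(),
            "invoice_no": row["invoice_no"].strip().upper(),
            "amount": Decimal(row["amount"]),
            "approved_by": row["approved_by"].strip(),
        })
    return rows


def duplicate_payments(rows):
    """Same vendor, invoice number and amount paid on more than one voucher."""
    groups = defaultdict(list)
    for r in rows:
        groups[(r["vendor"], r["invoice_no"], r["amount"])].append(r["voucher_no"])
    return [(vendor, inv, amt, sorted(nos))
            for (vendor, inv, amt), nos in groups.items() if len(nos) > 1]


def sequence_gaps(rows):
    """Voucher numbers missing from the pre-numbered sequence."""
    used = {r["voucher_no"] for r in rows}
    if not used:
        return []
    return [n for n in range(min(used), max(used) + 1) if n not in used]


def near_limit_clusters(rows, limit=APPROVAL_LIMIT, margin=Decimal("0.01"), min_count=3):
    """Vendor/approver pairs with repeated payments just under the approval limit."""
    floor = limit * (1 - margin)
    clusters = defaultdict(list)
    for r in rows:
        if floor <= r["amount"] < limit:
            clusters[(r["vendor"], r["approved_by"])].append(r["voucher_no"])
    return {pair: nos for pair, nos in clusters.items() if len(nos) >= min_count}


if __name__ == "__main__":
    register = load_register(SAMPLE_REGISTER)
    print("Duplicate payments:", duplicate_payments(register))
    print("Missing vouchers:  ", sequence_gaps(register))
    print("Near-limit clusters:", near_limit_clusters(register))
```

Each result is an exception list for the auditor to follow up with source documents, not proof of fraud by itself.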

Question No 24
Write short notes on: Audit trails (December 2018)(5 Marks)
Answer No 24
Audit trails are logs that can be designed to record activity at the system, application, and user
level. When properly implemented, audit trails provide an important detective control to help
accomplish security policy objectives. Many operating systems allow management to select the
level of auditing to be provided by the system. This determines which events will be recorded in
the log. An effective audit policy will capture all significant events without cluttering the log with
trivial activity. Audit trails can be used to support security objectives in three ways:

(i) Detecting unauthorized access to the system,
(ii) Facilitating the reconstruction of events,
(iii) Promoting personal accountability.
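
The three uses listed above, shown over a constructed audit trail; this is an added example, not part of the suggested answer. The record layout, the user names and the threshold of three failed logins within five minutes are assumptions made for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail records (illustrative only, not from a real system).
# Assumed layout: timestamp|level|user|source|event|outcome
SAMPLE_LOG = """\
2019-03-04T08:59:12|system|asharma|10.0.0.21|login|success
2019-03-04T09:02:40|application|asharma|10.0.0.21|post_journal_entry|success
2019-03-04T22:14:03|system|rthapa|10.0.0.77|login|failure
2019-03-04T22:14:09|system|rthapa|10.0.0.77|login|failure
2019-03-04T22:14:15|system|rthapa|10.0.0.77|login|failure
2019-03-04T22:14:31|system|rthapa|10.0.0.77|login|success
2019-03-04T22:16:02|application|rthapa|10.0.0.77|change_vendor_bank_account|success
2019-03-04T22:17:45|user|rthapa|10.0.0.77|export_report|success
2019-03-05T09:10:00|system|bkc|10.0.0.34|login|failure
2019-03-05T09:10:20|system|bkc|10.0.0.34|login|success
"""


def parse_log(text):
    """Parse records; malformed lines are kept aside so damage to the trail is visible."""
    records, rejected = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ts, level, user, source, event, outcome = line.strip().split("|")
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        except ValueError:  # wrong field count or unparseable timestamp
            rejected.append(line)
            continue
        records.append({"time": when, "level": level, "user": user,
                        "source": source, "event": event, "outcome": outcome})
    records.sort(key=lambda r: r["time"])
    return records, rejected


def detect_suspicious_logins(records, threshold=3, window=timedelta(minutes=5)):
    """(i) Detection: a successful login that follows a burst of failed attempts."""
    failures = defaultdict(list)  # user -> times of recent failed logins
    alerts = []
    for r in records:
        if r["event"] != "login":
            continue
        recent = [t for t in failures[r["user"]] if r["time"] - t <= window]
        if r["outcome"] == "failure":
            recent.append(r["time"])
            failures[r["user"]] = recent
        else:
            if len(recent) >= threshold:
                alerts.append((r["user"], r["source"], r["time"]))
            failures[r["user"]] = []  # a success resets the count
    return alerts


def reconstruct_events(records, user, start, end):
    """(ii) Reconstruction: everything one user did in a time window, in order."""
    return [(r["time"], r["level"], r["event"], r["outcome"])
            for r in records if r["user"] == user and start <= r["time"] <= end]


def actions_by_user(records, level="application"):
    """(iii) Accountability: which named user performed which recorded action."""
    summary = defaultdict(list)
    for r in records:
        if r["level"] == level and r["outcome"] == "success":
            summary[r["user"]].append(r["event"])
    return dict(summary)


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    for user, source, when in detect_suspicious_logins(recs):
        print("ALERT", user, source, when)
        for entry in reconstruct_events(recs, user, when, when + timedelta(hours=1)):
            print("   ", entry)
    print(actions_by_user(recs))
```

A single failed login followed by a success, as for user bkc in the sample, stays below the threshold and is not flagged, which is the trade-off the text describes between capturing significant events and cluttering the review with trivial activity.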

Question No 25
Assume that you are working as a system analyst in a software development company. Your
company assigned you in a project to develop information system for XYZ Company. Based on
this scenario, answer the following questions.
a) Discuss data and process modeling tools you use during system analysis phase of the
information systems development.
b) Why do we need information systems audit? Discuss the phases of information systems audit
in detail for the system you develop for XYZ Company. (June 2018)(20 Marks)
Answer No 25
During analysis phase, a systems analyst uses entity relationship diagram (E-R diagram) as a data
modeling tool. A data model is a detailed model that captures the overall structure of
organizational data while being independent of any database management system or other
implementation consideration. The E-R diagram is a graphical representation that has three basic
concepts: entities, attributes, and relationships.
Entity: An entity is a person, place, object, event, or concept in the user environment about which
the organization wishes to capture and store data. An entity set is a collection of entities that share
common properties or characteristics. For example, STUDENT is an entity set. An entity set in an E-R
diagram is drawn using a rectangle.

Attribute: Each entity type has a set of attributes associated with it. An attribute is a property or
characteristic of an entity that is of interest to the organization. For example, STUDENT entity set
can have Student_ID, Student_Name, Home_Address, Phone_Number, and Major as its attributes.
An attribute in E-R diagram is drawn using an ellipse.

Every entity type must have an attribute or set of attributes that distinguishes one instance from
other instances of the same type. A candidate key is an attribute or combination of attributes that
uniquely identifies each instance of an entity type. Some entity types may have more than one
candidate key. In such a case, we must choose one of the candidate keys as the identifier. An
identifier (or primary key) is a candidate key that has been selected to be used as the unique
characteristic for an entity type.

A multi-valued attribute may take more than one value for each entity instance. We use a double-lined
ellipse to represent a multi-valued attribute. An attribute that has meaningful component parts is
called a composite attribute. An attribute whose value can be computed from related attribute values
is called a derived attribute. We use a dashed ellipse to denote a derived attribute.

Relationships: A relationship is an association between the instances of one or more entity types
that is of interest to the organization. We use a diamond to denote relationships. Relationships are
labeled with verb phrases. The cardinality of a relationship is the number of instances of one entity
type that can (or must) be associated with each instance of another entity type. The cardinality of a
relationship can be in one of the following four forms: one-to-one, one-to-many, many-to-one, and
many-to-many.

E-R Diagram

[Figure: E-R diagram. Entity sets: Developer, Software, Customer, Company. Relationships: Develops, Buys. Attributes shown: Name, ID, Address, Qualification, Type, Function, Price.]

Process modeling involves graphically representing the functions or processes that capture,
manipulate, store, and distribute data between a system and its environment and between
components within a system. A common form of a process modeling tool is a data flow diagram
(DFD). A data flow diagram (DFD) is a tool that depicts the flow of data through a system and the
work or processing performed by that system. It is also called bubble chart, transformation graph,
or process model. There are two different sets of data flow diagram symbols, but each set consists
of four symbols that represent the same things: data flows, data stores, processes, and
sources/sinks (or external entities).

Process is the work or actions performed on data so that they are transformed, stored or
distributed. Data store is the data at rest (inside the system) that may take the form of many
different physical representations. External entity (source/sink) is the origin and/or destination of
data. Data flow represents data in motion, moving from one place in a system to another.

[Figure: Data flow diagram. Processes: 1.0 Form Team, 2.0 Develop Project, 3.0 Sell Product. Data stores: D1 Product Database, D2 Project Team Database. External entities: Developer, Client. Data flows shown: ID, Dev Info, Team Info, Team Member Enrollment, Product Details, Sales Record, Sales Update, Request, Payment, Receipt.]

b) First Part: An information technology audit, or information systems audit, is an examination
of the management controls within an Information technology (IT) infrastructure. The
evaluation of obtained evidence determines if the information systems are safeguarding
assets, maintaining data integrity, and operating effectively to achieve the organization's goals
or objectives. These reviews may be performed in conjunction with a financial statement
audit, internal audit, or other form of attestation engagement. IT audits are also known as
"automated data processing (ADP) audits" and "computer audits". They were formerly called
"electronic data processing (EDP) audits".
The purposes of an IT audit are to evaluate the system's internal control design and effectiveness.
This includes, but is not limited to, efficiency and security protocols, development processes, and
IT governance or oversight. Installing controls is necessary but not sufficient to provide adequate
security. People responsible for security must consider if the controls are installed as intended, if
they are effective, or if any breach in security has occurred and if so, what actions can be taken to
prevent future breaches.

The primary functions of an IT audit are to evaluate the systems that are in place to guard an
organization's information. Specifically, information technology audits are used to evaluate the
organization's ability to protect its information assets and to properly dispense information to
authorized parties. The IT audit aims to evaluate the following:

• Will the organization's computer systems be available for the business at all times when
required? (known as availability)
• Will the information in the systems be disclosed only to authorized users? (known as security
and confidentiality)
• Will the information provided by the system always be accurate, reliable, and timely?
(measures the integrity)

Many organisations are spending large amounts of money on IT because they recognise the
tremendous benefits that IT can bring to their operations and services. However, they need to
ensure that their IT systems are reliable, secure and not vulnerable to computer attacks.

IT audit is important because it gives assurance that the IT systems are adequately protected,
provide reliable information to users and are properly managed to achieve their intended benefits.
Many users rely on IT without knowing how the computers work. A computer error could be
repeated indefinitely, causing more extensive damage than a human mistake. IT audit could also
help to reduce risks of data tampering, data loss or leakage, service disruption, and poor
management of IT systems.

Second Part: There are four phases in information systems audit: audit planning, risk
assessment and business process analysis, performance of audit work, and reporting. The
same shall be used to audit the system developed for XYZ Company.

Audit Planning - In this phase we plan the information system coverage to comply with the audit
objectives specified by the Client and ensure compliance to all Laws and Professional Standards.
The first thing is to obtain an Audit Charter from the Client detailing the purpose of the audit, the
management responsibility, authority and accountability of the Information Systems Audit function
as follows:

1. Responsibility: The Audit Charter should define the mission, aims, goals and objectives of the
Information System Audit. At this stage we also define the Key Performance Indicators and
an Audit Evaluation process;
2. Authority: The Audit Charter should clearly specify the Authority assigned to the Information
Systems Auditors with relation to the Risk Assessment work that will be carried out, right to
access the Client's information, the scope and/or limitations to the scope, the Client's
functions to be audited and the auditee expectations; and
3. Accountability: The Audit Charter should clearly define reporting lines, appraisals,
assessment of compliance and agreed actions.

The Audit Charter should be approved and agreed upon by an appropriate level within the Client's
Organization.
In addition to the Audit Charter, we should be able to obtain a written representation ("Letter of
Representation") from the Client's Management acknowledging:
1. Their responsibility for the design and implementation of the Internal Control Systems
affecting the IT Systems and processes
2. Their willingness to disclose to the Information Systems Auditor their knowledge of
irregularities and/or illegal acts affecting their organization pertaining to management and
employees with significant roles within the internal audit department.
3. Their willingness to disclose to the IS Auditor the results of any risk assessment that a
material misstatement may have occurred

• Risk Assessment and Business Process Analysis: Risk is the possibility of an act or event
occurring that would have an adverse effect on the organisation and its information systems.
Risk can also be the potential that a given threat will exploit vulnerabilities of an asset or
group of assets to cause loss of, or damage to, the assets. It is ordinarily measured by a
combination of effect and likelihood of occurrence.

More and more organizations are moving to a risk-based audit approach that can be adapted
to develop and improve the continuous audit process. This approach is used to assess risk and
to assist an IS auditor's decision to do either compliance testing or substantive testing. In a
risk-based audit approach, IS auditors are not just relying on risk. They are also relying on
internal and operational controls as well as knowledge of the organisation. This type of risk
assessment decision can help relate the cost/benefit analysis of the control to the known risk,
allowing practical choices.

The process of quantifying risk is called Risk Assessment. Risk Assessment is useful in making
decisions such as:
1. The area/business function to be audited
2. The nature, extent and timing of audit procedures
3. The amount of resources to be allocated to an audit

• Performance of Audit Work: In the performance of Audit Work the Information Systems
Audit Standards require us to provide supervision, gather audit evidence and document our
audit work. We achieve this objective through:
1. Establishing an Internal Review Process where the work of one person is reviewed by
another, preferably a more senior person.
2. Obtaining sufficient, reliable and relevant evidence through Inspection,
Observation, Inquiry, Confirmation and recomputation of calculations.
3. Documenting our work by describing audit work done and audit evidence gathered to support
the auditors' findings.
Based on our risk assessment and upon the identification of the risky areas, we move ahead to
develop an Audit Plan and Audit Program. The Audit Plan will detail the nature, objectives, timing
and the extent of the resources required in the audit.

Based on the compliance testing carried out in the prior phase, we develop an audit program
detailing the nature, timing and extent of the audit procedures. In the Audit Plan various Control
Tests and Reviews can be done. They are sub-divided into:

1. General/Pervasive Controls
2. Specific Controls

• Reporting: Upon the performance of the audit test, the Information Systems Auditor is
required to produce an appropriate report communicating the results of the IS Audit. An IS
Audit report should:
1. Identify an organization, intended recipients and any restrictions on circulation
2. State the scope, objectives, period of coverage, nature, timing and the extent of the audit
work
3. State findings, conclusions, recommendations and any reservations, qualifications and
limitations
4. Provide audit evidence

Question No 26
What are the control techniques ensured by an IS auditor for the security of the client/server
environment? (December 2005)(5 Marks)
Answer No 26
To increase the security, an IS auditor should ensure that the following control techniques are in
place:

a) Access to data and applications is secured by disabling the floppy disk drive.
b) Diskless workstations prevent unauthorized access.
c) Unauthorized users may be prevented from overriding login scripts and access by securing
automatic boot or start-up batch files.
d) Network monitoring can be done to know about the client; if it is monitored properly, this will be
helpful for later investigation.
e) Data encryption techniques are used to protect data from unauthorized access.
f) An authentication system can be provided so that a client can enter the system only by
entering a login name and password.
g) Smart cards can be used. They use intelligent handheld devices and encryption techniques to
decipher random codes provided by client-server based operating systems.
h) Application controls may be used so that users are limited to accessing only those functions in the
system that are required to perform their duties.

Question No 27
What is the sole purpose of an Information System (IS) Audit? What is the role of an IS Auditor?
(December 2015)(5 Marks)
Answer No 27
The sole purpose of an Information system audit
The sole purpose of an Information system audit is to evaluate and review the adequacy of
automated information systems to meet processing needs, to evaluate the adequacy of internal
controls, and to ensure that assets controlled by those systems are adequately safeguarded.
Role of an IS Auditor
The Information System (IS) auditor is responsible for establishing control objectives that reduce
or eliminate potential exposure to control risks. After the objectives of the audit have been
established, the auditor must review the audit subject and evaluate the results of the review to find
out areas that need some improvement. The IS auditor should submit a report to the management,
recommending actions that will provide a reasonable level of control over the assets of the entity.

Question No 28
Write short notes on Information system audit strategy (June 2019)(5 Marks)
Answer No 28
The audit strategy is a key driver determining the type, scope, and frequency of IT audits an
organization conducts and defining the criteria organizations use to prioritize the items in the audit
universe. Organizations follow procedures in the audit strategy to assign audit priorities and use
those determinations to allocate internal auditing resources.
An audit strategy sets the direction, timing, and scope of an audit. The strategy is then used as
a guideline when developing an audit plan. The strategy document usually includes a
statement of the key decisions needed to properly plan the audit. The audit strategy is based
on the following considerations:
• The characteristics of the engagement
• Reporting objectives
• Timing of the audit
• Nature of communications
• Significant factors in directing engagement team efforts
• The results of preliminary engagement activities
• The knowledge gained on other engagements
• The nature, timing, and extent of resources available for the engagement
The audit strategy could be relatively short for the audit of a smaller entity, perhaps in the
form of a brief memo. If there are unexpected changes in conditions or the outcome of audit
procedures, it may be necessary to alter the audit strategy. If there is an alteration, the reasons
for the alteration should be stated in the accompanying documentation.

The audit plan is much more detailed than the strategy document, since the plan states the
nature, timing, and extent of the specific audit procedures to be conducted by the audit team.

Chapter 11: Ethics and Legal Issues in Information Technology

Question No 1:
Explain about the moral dimension of Information Technology. (December 2012)(5 Marks)
Answer No 1
• Information rights and obligations: What information rights do individuals and organizations
possess with respect to information about themselves? What can they protect? What
obligations do individuals and organizations have concerning this information?
• Property rights: How will traditional intellectual property rights be protected in a digital
society in which tracing and accounting for ownership is difficult, and ignoring such property
rights is so easy?
• Accountability and Control: Who can and will be held accountable and liable for the harm
done to individual and collective information and property rights?
• System Quality: What standards of data and system quality should we demand to protect
individual rights and the safety of society?
• Quality of Life: What values should be preserved in an information- and knowledge-based society?
What institutions should we protect from violation? What cultural values and practices are
supported by the new information technology?

Question No 2:
What are the ethical issues related with technology? (June 2012)(5 Marks)
Answer No 2
The ethical issues related with the technologies are:
Information Rights:
It should be clear what information rights individuals and organizations possess with
respect to information about themselves and what they can protect. At the same time, it should be
clear what obligations they have concerning that information.
Property Rights:
It should be clear how the traditional intellectual property rights can be protected in the digital
form.
Accountability and Control:
It should be clear who is accountable and liable for any form of harm done to an individual.
System Quality:
It should clearly define the standards of system to be used to protect individual and societal rights.
Quality of Life:
It should be clear about the values, cultures and practices of societies that are supported and
preserved by the information technologies.

Question No 3:
Explain ethics in an information society. (June 2016)(20 Marks)

Ethical choices are decisions made by individuals who are responsible for the consequences of
their actions. Responsibility is a key element of ethical action. Responsibility means that a person
accepts the potential costs, duties, and obligations for the decisions being made. Accountability is
a feature of systems and social institutions: It means that mechanisms are in place to determine
who took responsible action, who is responsible. Systems and institutions in which it is impossible
to find out who took what action are inherently incapable of ethical analysis or ethical action.
Liability extends the concept of responsibility further to the area of laws. Liability is a feature of
political systems in which a body of laws is in place that permits individuals to recover the
damages done to them by other actors, systems, or organizations. Due process is a related feature
of law-governed societies and is a process in which laws are known and understood and there is an
ability to appeal to higher authorities to ensure that the laws are applied correctly. These basic
concepts form the underpinning of an ethical analysis of information systems and those who
manage them. First, information technologies are filtered through social institutions, organizations,
and individuals. Systems do not have impacts by themselves. Whatever information system
impacts exist are products of institutional, organizational, and individual actions and behaviors.
Second, responsibility for the consequences of technology falls clearly on the institutions,
organizations, and individual managers who choose to use the technology. Using information
technology in a socially responsible manner means that you can and will be held accountable for
the consequences of your actions. Third, in an ethical, political society, individuals and others can
recover damages done to them through a set of laws characterized by due process.

Question No 4
What is ethics? Discuss patent, trademark, and copyright that protect intellectual property rights.
(June 2017)(8 Marks)
Answer No 4
First Part: Ethics refers to the principle of right and wrong that individuals, acting as free moral
agents, use to make choices to guide their behaviors. At its simplest, ethics is a system of moral
principles. They affect how people make decisions and lead their lives. Ethics is concerned with
what is good for individuals and society and is also described as moral philosophy.

Second Part:
Patent: A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20
years. The intent behind patent law is to ensure that inventors receive the full financial and other
rewards and yet still make widespread use of the invention possible for those wishing to use the
idea under license from the patent's owner. The granting of a patent is determined by the Patent
Office and relies on court rulings. The key concepts in patent law are originality, novelty, and
invention. Patent protection grants a monopoly on the underlying concepts and ideas of
software. The difficulty is passing stringent criteria for novelty and invention.
Trademark: Any intellectual work product used for a business purpose can be classified as a trade
secret, provided it is not based on information in the public domain. Protections for trade secrets
vary from state to state. In general, trade secret laws grant a monopoly on the ideas behind a work
product, but it can be a very tenuous monopoly. Software that contains novel or unique elements,
procedures, or compilations can be included as a trade secret. Trade secret law protects the actual
ideas in a work product, not only their manifestation. However, in the case of computer software, it
is difficult to prevent the ideas from falling into the public domain when the software is widely
distributed.
Copyright: Copyright is a statutory grant that protects creators of intellectual property from
having their work copied by others for any purpose during the life of the author plus an
additional 70 years after the author's death. For corporate-owned works, copyright protection
lasts for 95 years after their initial creation. Most industrial nations have their own copyright
laws, and there are several international conventions and bilateral agreements through which
nations coordinate and enforce their laws. Copyright protects against copying of entire
software programs or their parts; however, the ideas behind a work are not protected, only
their manifestation in a work. A competitor can build new software that follows the same
concepts without infringing on a copyright.

Question No 5
What is ethics? What ethical issues are raised by information systems? How does copyright and
patent protect digital content? (December 2018)(7 Marks)
Answer No 5
First Part: Ethics refers to the principle of right and wrong that individuals, acting as free moral
agents, use to make choices to guide their behaviors.
Second Part: Information systems raise new ethical questions for both individuals and societies
because they create opportunities for intense social change, and thus threaten existing distributions
of power, money, rights, and obligations. Information technology can be used to achieve social
progress, but it can also be used to commit crimes and threaten cherished social values. The
development of information technology will produce benefits for many and costs for others.
Ethical issues in information systems have been given new urgency by the rise of Internet and
electronic commerce, unleashing new concerns about the appropriate use of customer information,
the protection of personal privacy, and the protection of intellectual property. Other issues raised
by information systems include establishing accountability for the consequences of information
systems, setting standards to safeguard system quality that protects the safety of the individual and
society, and preserving values and institutions considered essential to the quality of life in an
information society.
Third Part: Copyright is a statutory grant that protects creators of intellectual property from
having their work copied by others for any purpose during the life of the author plus an additional
70 years after the author's death. For corporate-owned works, copyright protection lasts for 95
years after their initial creation. Most industrial nations have their own copyright laws, and there
are several international conventions and bilateral agreements through which nations coordinate
and enforce their laws. Copyright protects against copying of entire software programs or their
parts; however, the ideas behind a work are not protected, only their manifestation in a work. A
competitor can build new software that follows the same concepts without infringing on a
copyright.
A patent grants the owner an exclusive monopoly on the ideas behind an invention for 20 years.
The intent behind patent law is to ensure that inventors receive the full financial and other rewards
and yet still make widespread use of the invention possible for those wishing to use the idea under
license from the patent's owner. The granting of a patent is determined by the Patent Office and
relies on court rulings. The key concepts in patent law are originality, novelty, and invention.
Patent protection grants a monopoly on the underlying concepts and ideas of software.
The difficulty is passing stringent criteria for novelty and invention.

Question No 6
Write short notes on: Ethical hacking (December 2018) (5 Marks)
Answer No 6
Ethical hacking is the process of deliberately hacking into a system with the full knowledge of the
system developer or owner in order to find flaws and vulnerabilities. Software development
companies may have their own internal ethical hacking team, or they can hire external ethical
hackers to find weaknesses, backdoors and vulnerabilities in their system, network or datacenter
environment. Because of the increasing threat posed by hacking, system compromises and the
subsequent loss of data and credibility, companies are increasingly using such services to make
sure their systems and equipment are sufficiently hardened to mitigate the threats. A whole
security industry exists that performs activities such as VAPT (Vulnerability Assessment and
Penetration Testing) of the designated system, hardware, software or network infrastructure on an
on-demand, paid service basis. There are even individuals who do announced and solicited hacking
without any malicious intent.
In summary, ethical hacking is a kind of fire drill to make sure that the system in question is
secure and able to handle malicious threats and attempts at compromise.

Question No 7
What is a digital signature? Discuss its working mechanism along with benefits. (June 2018) (7 Marks)
Answer No 7
First Part: A digital signature is a mathematical technique used to validate the authenticity and
integrity of a message, software or digital document.
The digital equivalent of a handwritten signature or stamped seal, but offering far more inherent
security, a digital signature is intended to solve the problem of tampering and impersonation in
digital communications. Digital signatures can provide the added assurances of evidence of origin,
identity and status of an electronic document, transaction or message, as well as acknowledging
informed consent by the signer. In many countries, digital signatures have the same legal
significance as the more traditional forms of signed documents.
Second Part: Digital signatures are based on public key cryptography, also known as asymmetric
cryptography. Using a public key algorithm such as RSA, one can generate two keys that are
mathematically linked: one private and one public. To create a digital signature, signing software
(such as an email program) creates a one-way hash of the electronic data to be signed. The private
key is then used to encrypt the hash. The encrypted hash, along with other information such as
the hashing algorithm, is the digital signature. The reason for encrypting the hash instead of the
entire message or document is that a hash function can convert an arbitrary input into a fixed
length value, which is usually much shorter. This saves time since hashing is much faster than
signing.

The value of the hash is unique to the hashed data. Any change in the data, even changing or
deleting a single character, results in a different value. This attribute enables others to validate the
integrity of the data by using the signer's public key to decrypt the hash. If the decrypted hash
matches a second computed hash of the same data, it proves that the data hasn't changed since it
was signed. If the two hashes don't match, the data has either been tampered with in some way
(integrity) or the signature was created with a private key that doesn't correspond to the public key
presented by the signer (authentication).
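
The hash-then-sign mechanism described above, as an added example that is not part of the original suggested answer. It uses textbook RSA with a constructed toy key so that it runs with the standard library only; the function names and sample message are assumptions, and real signing software adds a padding scheme and uses randomly generated primes.

```python
import hashlib
from math import gcd

# Constructed toy key: two well-known Mersenne primes. Enough to show the
# mechanism offline, NOT a secure key (real keys use large random primes).
P, Q = 2**127 - 1, 2**521 - 1
E = 65537

def make_keypair(p=P, q=Q, e=E):
    """Return (public, private) as (n, e) and (n, d); the two are linked via phi."""
    n, phi = p * q, (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    d = pow(e, -1, phi)              # private exponent: e*d = 1 (mod phi)
    return (n, e), (n, d)

def digest_int(data: bytes) -> int:
    """One-way, fixed-length hash of the data (SHA-256) as an integer."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(data: bytes, private):
    n, d = private
    # "Encrypt the hash with the private key"; the algorithm name travels with it.
    return {"alg": "sha256", "sig": pow(digest_int(data), d, n)}

def verify(data: bytes, signature, public) -> bool:
    n, e = public
    if signature["alg"] != "sha256":
        return False
    recovered = pow(signature["sig"], e, n)   # "decrypt" with the public key
    return recovered == digest_int(data)      # compare with a freshly computed hash

def demo():
    public, private = make_keypair()
    doc = b"Pay NPR 10,000 to A. Sharma"      # constructed sample message
    s = sign(doc, private)
    # A second, unrelated key pair (constructed): the signature must not
    # verify under a public key that does not match the signing key.
    other_public, _ = make_keypair(2**89 - 1, 2**607 - 1)
    return {
        "intact": verify(doc, s, public),                               # True
        "tampered": verify(b"Pay NPR 90,000 to A. Sharma", s, public),  # False
        "wrong_key": verify(doc, s, other_public),                      # False
    }

if __name__ == "__main__":
    print(demo())
```

Changing a single character of the message fails the integrity check, and presenting a public key that does not correspond to the signing key fails the authentication check, which are the two mismatch cases named in the answer.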

A digital signature can be used with any kind of message, whether it is encrypted or not, simply so
the receiver can be sure of the sender's identity and that the message arrived intact. Digital
signatures make it difficult for the signer to deny having signed something (non-repudiation),
assuming their private key has not been compromised, as the digital signature is unique to both the
document and the signer, and it binds them together.

Digital signatures are also used extensively to provide proof of authenticity, data integrity and
non-repudiation of communications and transactions conducted over the Internet.

Chapter 12:

Electronic Transactions Act, 2063

Question No 1

What are the functions, duties and power of the controller as per Electronic Transactions Act,
2063? (December 2016)(7 Marks)
Answer No 1
Functions, duties and powers of the controller:
The functions, duties and powers of the controller shall be as follows:-
1. To issue a license to the Certifying Authority,
2. To exercise the supervision and monitoring over the activities of the Certifying Authority,
3. To fix the standards to be maintained by the Certifying Authority with respect to the verification of
digital signature,
4. To specify the conditions to be complied with by the Certifying Authority in operating his/her
business,
5. To specify the format of the certificate and contents to be included therein,
6. To specify the procedures to be followed by the Certifying Authority while conducting his/her
dealings with the subscribers,
7. To maintain a record of information disclosed by the Certifying Authority under this Act and to
make provision of computer database accessible to public and to update such database,
8. To perform such other functions as prescribed.

*****THE END*****
