Question Bank

EIS Divyastra May 22
INDEX
EIS चालीसा - Handwritten Notes

S No. Topics No. of Questions Page No.
1. Automated Business Process 38 1 – 26
2. Financial and Accounting System 33 27 – 54
3. Information System & Its Components 44 55 – 88
E-Commerce, M-Commerce, Emerging
4. 45 89 – 126
Technologies
5. Core Banking Solution 31 127 – 151
Total 191
You are theCmaster

HAPTER 1 of your
destiny. You can influence,
direct and control your own
environment.
You can make your life what
you want it to be. No One
Can Stop You Except You!!
Start…
Automated Business Processes May 22
Automated Business Processes

C HAPTER 1
A UTOMATED B USINESS P ROCESSES
In order to succeed, first have

absolute faith that “I Can”
Coverage
1) ICAI Study Material Questions & Solutions
2) RTPs & MTPs till Dec 2021
3) Past Year Questions till Dec 2021
1. ICAI S T U D Y M A TE R IA L Q U E S TIO NS
Concept Problem 1
In an enterprise, explain various categories of business processes - Operational Processes, Supporting
Processes and Management Processes with example.
Or
Business processes can be categorized in various types depending on type of industry and nature of work.
Briefly discuss various categories of Business Processes.
Answer
Various categories of business processes are as follows:
i) Operational Processes (or Primary Processes)
It deals with the core business and value chain. These processes deliver value to the customer by helping
to produce a product or service. Operational processes represent essential business activities that
accomplish business objectives, e.g., generating revenue - Order to Cash cycle (O2C), Procurement –
Purchase to Pay (P2P) cycle.
ii) Supporting Processes (or Secondary Processes)
It backs core processes and functions within an organization. Examples of supporting or management
processes include Accounting, Human Resource (HR) Management and workplace safety. One key
differentiator between operational and support processes is that support processes do not provide value
P a g e |1
May 22 Automated Business Processes
to customers directly.
iii) Management Processes
Management Processes measure, monitor and control activities related to business procedures and
systems. Examples of management processes include internal communications, governance, strategic
planning, budgeting, and infrastructure or capacity management. Like supporting processes,
management processes do not provide value directly to the customers. However, it has a direct impact on
the efficiency of the enterprise.
Concept Problem 2
BPA is the tactic a business uses to automate processes to operate efficiently and effectively. Explain the
parameters that should be met to conclude that success of any business process automation has been
achieved.
Or
Recognize the parameters based on which the success of Business Process Automation (BPA) can be
evaluated?
Answer
The success of any Business Process Automation shall only be achieved when BPA ensures the following:
i) Confidentiality: To ensure that data is only available to persons who have right to see the same;
ii) Integrity: To ensure that no un-authorized amendments can be made in the data;
iii) Availability: To ensure that data is available when asked for; and
iv) Timeliness: To ensure that data is made available in at the right time.
To ensure that all above parameters are met, BPA needs to have appropriate internal controls put in place.
Concept Problem 3
Through automation, a business organization intends to increase the accuracy of its information transfer and
certifies the repeatability of the value-added task performed by the automation of business. Being a
management consultant, identify major benefits that would help the organization to achieve its objectives.
Or
A business organization is planning to increase the accuracy of information transferred and certifies the
repeatability of the value-added task performed by the automation of business. Being a management
consultant, identify any four major benefits that the organization can achieve through the automation of a
business process.
Or
A travel agency ABC wishes to implement an automated Grievance Management System at its workplace to
manage and handle the problems with an aim of solving them. Determine the major benefits that will be
drawn out of automating this Grievance related business process.
Answer
Major benefits of automating Business Processes are as follows:
i) Quality and Consistency: Ensures that every action is performed identically - resulting in high quality,
reliable results and stakeholders will consistently experience the same level of service.
ii) Time Saving: Automation reduces the number of tasks employees would otherwise need to do manually.
It frees up time to work on items that add genuine value to the business, allowing innovation and
increasing employees’ levels of motivation.
2|P a ge

iii) Visibility: Automated processes are controlled and consistently operate accurately within the defined
timeline. It gives visibility of the process status to the organization.
iv) Improved Operational Efficiency: Automation reduces the time it takes to achieve a task, the effort
required to undertake it and the cost of completing it successfully. Automation not only ensures systems
run smoothly and efficiently, but that errors are eliminated and best practices are constantly leveraged.
v) Governance & Reliability: The consistency of automated processes means stakeholders can rely on
business processes to operate and offer reliable processes to customers, maintaining a competitive
advantage.
vi) Reduced Turnaround Times: Eliminate unnecessary tasks and realign process steps to optimize the flow
of information throughout production, service, billing and collection. This adjustment of processes distils
operational performance and reduces the turnaround times for both staff and external customers.
vii) Reduced Costs: Manual tasks, given that they are performed one-at-a-time and at a slower rate than an
automated task, will cost more. Automation allows us to accomplish more by utilizing fewer resources.
Concept Problem 4
Every business process is not a good fit for automation. Explain four examples of business processes that are
not best suited for automation.
Answer
Technology is the enabler of Business Process Automation (BPA). BPA offers many advantages to the
business. But every business process is not a good fit for automation. Companies tend to automate those
business processes that are time and resource-intensive operationally or those that are subject to human
error.
Following are the few examples of processes that are not best suited to automation:
a) Redundant Processes that do not create much value to business.
b) Processes and tasks require high amount of tacit knowledge (that cannot be documented and
transferred from one person to another) and therefore seek employees to use their personal judgment
c) Complex Processes which is very difficult to define
d) Process where implementation cost exceeds its potential benefits
e) Processes and tasks that are carried out irregularly.
Concept Problem 5
Automated processes are susceptible to challenges. Explain the major challenges involved in business process
automation.
Or
Though Business Process Automation (BPA) provides many benefits to companies which tend to automate
their business processes, however automation of the business processes is susceptible to many challenges.
Discuss these challenges.
Answer
Automated processes are susceptible to many challenges, some of them are discussed below:
a) Automating Redundant Processes: Sometimes organizations start off an automation project by
automating the processes they find suitable for automation without considering whether such processes
are necessary and create value. In other cases, some business processes and tasks require high amount
of tacit knowledge (that cannot be documented and transferred from one person to another) and
therefore seek employees to use their personal judgment. These processes are generally not good
candidates for automation as these processes are hard to encode and automate.
b) Defining Complex Processes: BPA requires reengineering of some business processes that requires
P a g e |3
significant amount of time to be allocated and spent at this stage. This requires a detailed
understanding of the underlying business processes to develop an automated process.
c) Staff Resistance: In most cases, human factor issues are the main obstacle to the acceptance of
automated processes. Staff may see process automation as a way of reducing their decision-making
power. This is due to the reason that with automated processes, the management has a greater visibility
of the process and can make decisions that used to be made by the staff earlier. Moreover, the staff
may perceive automated processes as threat to their jobs.
d) Implementation Cost: The implementation of automated processes may be an expensive proposition in
terms of acquisition/development cost of automated systems and special skills required to operate and
maintain these systems.
Concept Problem 6
The increased availability of choice to customers about products / services makes it very important for
businesses to keep themselves updated to new technology and delivery mechanisms. Being a consultant,
briefly explain the steps involved in BPA implementation.
Or
An Airline Industry wishes to automate its Grievance cell so that their clients can online register their
feedback, complaints and suggestions. The purpose of automation is to provide better service and satisfaction
to its customers. Prepare a list of various steps that are required to be taken while automating Grievance Cell.
Or
Mr. A is appointed as a manager in XYZ company which is planning to adopt the automation of its major
business processes. He has been asked to prepare a list of the sequence of steps that the company should
adhere to implement Business Process Automation. Draft Mr. A’s reply.
Or
The management of ABC company is planning to adopt the automation of its major business process. Mr. X
has been requested to brief all steps of implementing Business Process Automation to the members of
management. Enlist the sequential steps of implementing BPA that can be part of Mr. X’s presentation.
Answer
Various steps that are required while automating the Grievance Cell of the Airline Industry are as follows:
Step 1: Define why we plan to implement a Business Process Automation (BPA)?
The primary purpose for which an enterprise implements automation may vary from enterprise to enterprise.
In this case, to improve upon the Poor customer service is a major concern.
Step 2: Understand the rules / regulation under which enterprise needs to comply with?
This step emphasizes on building an understanding on the rules of engagement, which include following the
rules, adhering to regulations and following document retention requirements. This governance is established
by a combination of internal corporate policies, external industry regulations and local, state, and central
laws.
Step 3: Document the process, we wish to automate
At this step, all the documents that are currently being used need to be documented. The questions
emphasized upon are like - what documents need to be captured?; where do they come from?; what format
are they in?; who is involved in processing of the documents?; what is the impact of regulations on
processing of these documents?; can there be a better way to do the same job? and how are exceptions in
the process handled? etc.
Step 4: Define the objectives/goals to be achieved by implementing BPA
4|P a ge

Once the above steps have been completed; entity needs to determine the key objectives of the process
improvement activities. The goals need to be SMART - Specific: Clearly defined; Measurable: Easily
quantifiable in monetary terms; Attainable: Achievable through best efforts; Relevant: Entity must need
these, and Timely: Achieved within a given time frame.
Step 5: Engage the business process consultant
To decide as to which company/ consultant to partner with, depends upon the following:
i) Objectivity of consultant in understanding/evaluating entity situation.
ii) Does the consultant have experience with entity business process?
iii) Is the consultant experienced in resolving critical business issues?
iv) Whether the consultant can recommend and implementing a combination of hardware, software and
services as appropriate to meeting enterprise BPA requirements?
v) Does the consultant have the required expertise to clearly articulate the business value of every aspect of
the proposed solution?
Step 6: Calculate the RoI for project
The right stakeholders need to be engaged and involved to ensure that the benefits of BPA are clearly
communicated and implementation becomes successful. A lot of meticulous effort would be required to
convince the senior management about need to implement the right solution for BPA.
Step 7: Developing the BPA
Once the requirements have been document, ROI has been computed and top management approval to go
ahead has been received, the consultant develops the requisite BPA. The developed BPA needs to meet the
objectives for which the same is being developed.
Step 8: Testing the BPA
Once developed, it is important to test the new process to determine how well it works and identify where
additional “exception processing” steps need to be included. The process of testing is an iterative process, the
objective being to remove all problems during this phase.
Concept Problem 7
As an entrepreneur, your business may face all kinds of risks related from serious loss of profits to even
bankruptcy. What could be the possible Business Risks?
Or
Categorize the different kinds of business risks that any enterprise faces. [ICAI Dec 21]
Answer
Businesses face all kinds of risks related from serious loss of profits to even bankruptcy and are discussed
i) Strategic Risk: Risks that prevents an organization from accomplishing its objectives (meeting its
goals). Examples include risks related to strategy, political, economic, regulatory, and global market
conditions; also, could include reputation risk, leadership risk, brand risk, and changing customer needs.
ii) Financial Risk: Risk that could result in a negative financial impact to the organization (waste or loss of
assets). Examples include risks from volatility in foreign currencies, interest rates, and commodities;
credit risk, liquidity risk, and market risk.
iii) Regulatory (Compliance) Risk: Risk that could expose the organization to fines and penalties from a
regulatory agency due to non-compliance with laws and regulations. Examples include Violation of laws
or regulations governing areas such as environmental, employee health and safety, protection of personal
data & local tax or statutory laws.
iv) Operational Risk: Risk that could prevent the organization from operating in the most effective and
efficient manner or be disruptive to other operations. Examples include risks related to the organization’s
P a g e |5
human resources, business processes, technology, business continuity, channel effectiveness, customer
satisfaction, health and safety, environment, product/service failure, efficiency, capacity, and change
integration.
v) Hazard Risk: Risks that are insurable, such as natural disasters; various insurable liabilities; impairment
of physical assets; terrorism etc.
vi) Residual Risk: Any risk remaining even after the counter measures are analysed and implemented is
called Residual Risk. An organization’s management of risk should consider these two areas:
a) Acceptance of residual risk and
b) Selection of safeguards.
Even when safeguards are applied, there is probably going to be some residual risk. The risk can be
minimized, but it can seldom be eliminated. Residual risk must be kept at a minimal, acceptable level.
Concept Problem 8
Automated processes are technology driven. The dependence on technology in BPA for most of the key
business processes has led to various challenges. Explain the technology related risks involved in BPA.
Answer
Technology related risks are as follows:
i) Downtime due to technology failure: Information system facilities may become unavailable due to
technical problems or equipment failure. A common example of this type failure is non-availability of
system due to server failure.
ii) Frequent changes or obsolescence of technology: Technology keeps on evolving and changing constantly
and becomes obsolete very quickly. Hence, there is always a challenge that the investment in technology
solutions, unless properly planned, may result in loss due to risk of obsolescence.
iii) Multiplicity and complexity of systems: The Technology architecture used for services could include
multiple digital platforms and is quite complex.
iv) Proper alignment with business objectives and legal/regulatory requirements: Organizations must ensure
that the systems implemented, cater to all the business objectives and needs, in addition to the
legal/regulatory requirements.
v) Dependence on vendors due to outsourcing of IT services: In a systems environment, the organization
requires staff with specialized skills to manage IT deployed. Hence, these services could be outsourced to
vendors and there is heavy dependency on vendors and gives rise to vendor risks.
vi) Vendor related concentration risk: There may not be one but multiple vendors providing different services.
For example, network, hardware, system software and application software services may be provided by
different vendors or these services may be provided by a single vendor. Both these situations result in
higher risks due to heavy dependence on vendors.
vii) External threats leading to cyber frauds/ crime: The system environment provides access to customers
anytime, anywhere using internet. Hence, information system which was earlier accessible only within
and to the employees is now exposed as it is open to be accessed by anyone from anywhere. Making the
information available is business imperative but this is also fraught with risks of increased threats from
hackers and others who could access the software to commit frauds/crime.
viii) Higher impact due to intentional or unintentional acts of internal employees: Employees in a technology
environment are the weakest link in an enterprise.
ix) Need for governance processes to adequately manage technology and information security:
Controls in system should be implemented from macro and business perspective and not just from
6|P a ge

function and technology perspective. As Technology has become key enabler for bank and is
implemented across the organization, senior management should be involved in directing how technology
is deployed in and approve appropriate policies. This requires governance process to implement security
as required.
x) Need to ensure continuity of business processes in the event of major exigencies: The high dependence
on technology makes it imperative to ensure resilience to ensure that failure does not impact banking
services. Hence, a documented business continuity plan with adequate technology and information
systems should be planned, implemented and monitored.
Concept Problem 9
Effective risk management begins with a clear understanding of an enterprise’s risk appetite and identifying
high-level risk exposures. Explain the different risk management strategies which the Board or senior
management may take up.
Or
In an organization, effective risk management involves identification of high-level risk exposures and their
analysis. Discuss all the risk management strategies out of which Senior Management of an organization
may choose to adopt any of the risk management strategy based on the analysis of risks.
Or
Automation in a business organization enhances the customer satisfaction in the services and products
provided by the organization. However, it is vulnerable to many risks that may cause deviation from a
planned objective resulting in unwanted negative consequences. Define Risk and briefly explain various Risk
Management Strategies.
Answer
When risks are identified and analyzed, it is not always appropriate to implement controls to counter them.
Some risks may be minor, and it may not be cost effective to implement expensive control processes for
them. Risk management strategy is explained below:
i) Tolerate/Accept the risk: One of the primary functions of management is managing risk. Some risks may
be considered minor because their impact and probability of occurrence is low. In this case, consciously
accepting the risk as a cost of doing business is appropriate, as well as periodically reviewing the risk to
ensure its impact remains low.
ii) Terminate/Eliminate the risk: It is possible for a risk to be associated with the use of a technology,
supplier, or vendor. The risk can be eliminated by replacing the technology with more robust products and
by seeking more capable suppliers and vendors.
iii) Transfer/Share the risk: Risk mitigation approaches can be shared with trading partners and suppliers. A
good example is outsourcing infrastructure management. In such a case, the supplier mitigates the risks
associated with managing the IT infrastructure by being more capable and having access to more highly
skilled staff than the primary organization. Risk also may be mitigated by transferring the cost of
realized risk to an insurance provider.
iv) Treat/mitigate the risk: Where other options have been eliminated, suitable controls must be devised and
implemented to prevent the risk from manifesting itself or to minimize its effects.
v) Turn back:
Where the probability or impact of the risk is very low, then management may decide to ignore risk.
Concept Problem 10
ERM provides a framework for risk management, which typically involves identifying events or circumstances
relevant to the organization’s objectives. Discuss the main components of ERM Framework.
Answer
P a g e |7
ERM framework consists of eight interrelated components that are derived from the way management runs a
business, and are integrated with the management process.
i) Internal Environment: The internal environment sets the foundation for how risk and control are viewed
and addressed by an entity’s people. They are the engine that drives the entity and the foundation on
which everything rests.
ii) Objective Setting: ERM ensures that management has a process in place to set objectives and that the
chosen objectives support and align with the entity’s mission/vision and are consistent with the entity’s
risk appetite.
iii) Event Identification: Event identification includes identifying factors – internal and external – that
influence how potential events may affect strategy implementation and achievement of objectives. It
includes distinguishing between potential events that represent risks, those representing opportunities
and those that may be both.
iv) Risk Assessment: Identified risks are analysed to form a basis for determining how they should be
managed. Risks are assessed on both an inherent and a residual basis, and the assessment considers
both risk likelihood and impact.
v) Risk Response: Management selects an approach or set of actions to align assessed risks with the
entity’s risk tolerance and risk appetite, in the context of the strategy and objectives.
vi) Control Activities: Policies and procedures are established and executed to help ensure that the risk
responses that management selected, are effectively carried out.
vii) Information & Communication: Relevant information is identified, captured and communicated in a form
and time frame that enable people to carry out their responsibilities. Information is needed at all levels
of an entity for identifying, assessing and responding to risk. Effective communication also should occur
in a broader sense, flowing down, across and up the entity. Personnel need to receive clear
communications regarding their role and responsibilities.
viii) Monitoring: The entire ERM process should be monitored, and modifications made as necessary. In this
way, the system can react dynamically, changing as conditions warrant. Monitoring is accomplished
through ongoing management activities, separate evaluations of the ERM processes or a combination of
the both.
Concept Problem 11
SA 315 provides the definition of Internal Control that are required to facilitate the effectiveness and
efficiency of business operations in an organization. Explain all components of Internal Control as per SA315.
Answer
As per SA 315, the five components of any internal control as they relate to a financial statement audit are
explained below. All these components must be present to conclude that internal control is effective.
i) Control Environment: The Control Environment is the set of standards, processes, and structures that
provide the basis for carrying out internal control across the organization. The Board of Directors and
Senior Management establish the tone at the top regarding the importance of internal control, including
expected standards of conduct.
The resulting control environment has a pervasive impact on the overall system of internal control.
ii) Risk Assessment: Risk Assessment involves a dynamic and iterative process for identifying and
assessing risks to the achievement of objectives. Risks to the achievement of these objectives from
across the entity are considered relative to established risk tolerances.
Thus, Risk Assessment forms the basis for determining how risks will be managed. A precondition to risk
assessment is the establishment of objectives, linked at different levels of the entity. Because economic,
8|P a ge

industry, regulatory and operating conditions will continue to change; risk assessment also requires
management to consider the impact of possible changes in the external environment and within its own
business model that may render internal control ineffective.
iii) Control Activities: Control Activities are the actions established through policies and procedures that help
ensure that management’s directives to mitigate risks to the achievement of objectives are carried out.
Control activities are performed at all levels of the entity, at various stages within business processes,
and over the technology environment.
They may be preventive or detective in nature. Broadly, the control activities ensure
➢ transactions are authorized,
➢ duties are segregated,
➢ adequate documents and records are maintained,
➢ assets and records are safeguarded, and
➢ independent checks on performance and valuation of records.
iv) Information and Communication: Information is necessary for the entity to carry out internal control
responsibilities in support of the achievement of its objectives. Management obtains or generates and
uses relevant and quality information from both internal and external sources to support the functioning
of other components of internal control.
Internal communication is how information is disseminated throughout the enterprise, flowing up, down,
and across the entity. It enables personnel to receive a clear message from senior management that
control responsibilities should be taken seriously.
External communication is two-fold: it enables inbound communication of relevant external information
and provides information to external parties in response to requirements and expectations.
v) Monitoring of Controls: Monitoring controls is an ongoing, cyclical process. Ongoing evaluations, separate
evaluations, or some combination of the two are used to ascertain whether each of the five components
of internal control, including controls to affect the principles within each component is present and
functioning.
Concept Problem 12
Internal control, no matter how effective, can provide an entity with only reasonable assurance and not
absolute assurance about achieving the entity’s operational, financial reporting and compliance objectives.
Explain the inherent limitations of internal control systems.
Or
Internal control provides an entity with only reasonable assurance and not absolute assurance about
achieving the entity's operational, financial reporting and compliance objectives. Explain any four inherent
limitations of Internal Control System.
Or
Describe the term “Internal Control System”? State its limitations as well.
Answer
Internal Control System: Internal Control System means all the policies and procedures adopted by the
management of an entity to assist in achieving management’s objective of ensuring, as far as practicable,
the orderly and efficient conduct of its business, including adherence to management policies, the
safeguarding of assets, the prevention and detection of fraud and error, the accuracy and completeness of
the accounting records, and the timely preparation of reliable financial information. An Internal Control
System:
i) facilitates the effectiveness and efficiency of operations.
P a g e |9
ii) helps ensure the reliability of internal and external financial reporting.
iii) assists compliance with applicable laws and regulations.
iv) helps safeguarding the assets of the entity.
Limitations of Internal Control System are as follows:
i) The fact that most internal controls do not tend to be directed at transactions of unusual nature. The
potential for human error, such as, due to carelessness, distraction, mistakes of judgement and
misunderstanding of instructions.
ii) The possibility of circumvention of internal controls through collusion with employees or with parties
outside the entity.
iii) The possibility that a person responsible for exercising an internal control could abuse that responsibility,
for example, a member of management overriding an internal control.
iv) Manipulations by management with respect to transactions or estimates and judgements required in the
preparation of financial statements.
Concept Problem 13
As a part of his project work submission, Mr. X, a student of ABC university needs to prepare and present a
PowerPoint presentation on the topic “Advantages and limitations of Flowcharts” during his practical
examination. What shall be the relevant content?
Answer
Advantages of Flow Chart are as follows:
i) Quicker grasp of relationships: The relationship between various elements of the application
program/business process must be identified. Flowchart can help depict a lengthy procedure more easily
than by describing it by means of written notes.
ii) Effective Analysis: The flowchart becomes a blue print of a system that can be broken down into
detailed parts for study. Problems may be identified and new approaches may be suggested by
flowcharts.
iii) Communication: Flowcharts aid in communicating the facts of a business problem to those whose skills
are needed for arriving at the solution.
iv) Documentation: Flowcharts serve as a good documentation which aid greatly in future program
conversions. In the event of staff changes, they serve as training function by helping new employees in
understanding the existing programs.
v) Efficient coding: Flowcharts act as a guide during the system analysis and program preparation phase.
Instructions coded in a programming language may be checked against the flowchart to ensure that no
steps are omitted.
vi) Program Debugging: Flowcharts serve as an important tool during program debugging. They help in
detecting, locating and removing mistakes.
vii) Efficient program maintenance: The maintenance of operating programs is facilitated by flowcharts. The
charts help the programmer to concentrate attention on that part of the information flow which is to be
modified.
viii) Identifying Responsibilities: Specific business processes can be clearly identified to functional
departments thereby establishing responsibility of the process owner.
ix) Establishing Controls: Business process conflicts and risks can be easily identified for recommending
suitable controls.
10 | P a g e

Concept Problem 14
Give two examples each of the Risks and Control Objectives for the following business processes:
a) Procure to Pay at Master Level
b) Order to Cash at Transaction Level
c) Inventory Cycle at Master Level
Answer
a) Procure to Pay - Risks and Control Objectives (Master Level)
Risk Control Objective
Unauthorized changes to supplier master file. Only valid changes are made to supplier master file.
All valid changes to the supplier master file are All valid changes to the supplier master file are input
not input and processed. and processed.
b) Order to Cash - Risks and Control Objectives (Transaction Level)
Orders are processed exceeding customer credit Orders are processed only within approved customer
limits without approvals. credit limits.
Orders are not approved by management as to Orders are approved by management as to prices and
prices and terms of sale. terms of sale.
c) Inventory Cycle - Risks and Control Objectives (Master level)
Invalid changes are made to the inventory Only valid changes are made to the inventory
management master file. management master file.
Invalid changes to the inventory management All valid changes to the inventory management
master file are input and processed. master file are input and processed.
Concept Problem 15
Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.
Answer
The Companies Act, 2013 has two very important Sections - Section 134 and Section 143, which have a direct
impact on the audit and accounting profession.
(i) Section 134
Section 134 of the Companies Act, 2013 on “Financial statement, Board’s report, etc.” states inter alia:
The Directors’ Responsibility Statement shall state that:
a) the Directors had taken proper and sufficient care for the maintenance of adequate accounting records in
accordance with the provisions of this Act for safeguarding the assets of the company and for preventing
and detecting fraud and other irregularities;
b) the Directors, in the case of a listed company, had laid down internal financial controls to be followed by
the company and that such internal financial controls are adequate and were operating effectively.
(ii) Section 143
P a g e | 11
Section 143, of the Companies Act 2013, on “Powers and duties of auditors and auditing standards” states
inter alia: “whether the company has adequate internal financial controls system in place and the operating
effectiveness of such controls”;
When we talk in terms of “adequacy and effectiveness of controls”; it refers to the adequacy of the control
design and whether the control has been working effectively during the relevant financial year.
Example, A company has a sales invoicing control wherein all sales invoices raised by the salesman which is
greater than INR 50,000/- are reviewed and approved by the sales manager. In terms of the of the control
design this control may seem adequate. However, if during audit, it was found that, during the year, there were
many invoices raised by the salesman which was greater than INR 50,000/- and not reviewed and approved by
the sales manager. In such a case, although the control design was adequate, the control was not working
effectively, due to many exceptions without proper approval.
Concept Problem 16
Give five examples of computer related offences that can be prosecuted under the IT Act 2000 (amended via
2008).
Or
Mr. Amar is the chief IT manager of a company who designed a new advisory for all employee s mentioning
the various cyber-crimes which may attract prosecution as per penalties and offences prescribed in
Information Technology Act, 2000. Describe the various cybercrimes that Mr. Amar could have incorporated in
his advisory.
Answer
The various cyber-crime scenarios which can attract prosecution as per the penalties and offences prescribed
in Information Technology Act, 2000 are as follows.
i) Harassment via fake public profile on social networking site: A fake profile of a person is created on a
social networking site with the correct address, residential information or contact details but he/she is
labelled as ‘prostitute’ or a person of ‘loose character’. This leads to harassment of the victim.
ii) Email Account Hacking: If victim’s email account is hacked and obscene emails are sent to people in
victim’s address book.
iii) Web Defacement: The homepage of a website is replaced with a pornographic or defamatory page.
Government sites generally face the wrath of hackers on symbolic days.
iv) Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs: All these are some sort of malicious
programs which are used to destroy or gain access to some electronic information.
v) Cyber Pornography: Among the largest businesses on Internet, pornography may not be illegal in many
countries, but child pornography is.
vi) Credit Card Fraud: Unsuspecting victims would use infected computers to make online transactions.
Sections 43, 66, 66C, 66D of IT Act, 2000 are applicable in this case.
vii) Cyber Terrorism: Cyber terrorism is the terrorism conducted in cyberspace, where the criminals attempt
to damage or disrupt computer systems or telecommunication services. Examples are hacking into
computer systems, introducing viruses to vulnerable networks, web site defacing, denial-of-service
attacks, or terroristic threats made via electronic communication. Many terrorists use virtual (Drive, FTP
sites) and physical storage media (USB’s, hard drives) for hiding information and records of their illicit
business. Sections 43, 66, 66A of IT Act, 2000 are applicable in this case.
viii) Online sale of illegal Articles: Where sale of narcotics, drugs, weapons and wildlife is facilitated by the
Internet.
ix) Cyber Pornography: Among the largest businesses on Internet, pornography may not be illegal in many
12 | P a g e

countries, but child pornography is. Sections 67, 67A and 67B of the IT Act, 2000 are applicable in this
case.
x) Phishing and Email Scams: Phishing involves fraudulently acquiring sensitive information through
masquerading oneself as a trusted entity (e.g., usernames, Passwords, credit card information). Sections
66, 66C and 66D of IT Act, 2000 are applicable in this case.
xi) Theft of Confidential Information: Many business organizations store their confidential information in
computer systems. This information is targeted by rivals, criminals and disgruntled employees. Sections
43, 66 and 66B of IT Act, 2000 are applicable in this case.
xii) Source Code Theft: A Source code generally is the most coveted and important “crown jewel” asset of a
company. Sections 43, 65, 66 and 66B of IT Act, 2000 are applicable in this case.
Concept Problem 17
Corporate Governance is defined as the framework of rules and practices by which Board of Directors ensures
accountability, fairness and transparency in a company’s relationship with all its stakeholders. List the rules
and procedures that constitute corporate governance framework.
Answer
The Corporate Governance Framework consists of:
i) explicit and implicit contracts between the company and the stakeholders for distribution of
responsibilities, rights, and rewards;
ii) procedures for reconciling the sometimes-conflicting interests of stakeholders in accordance with their
duties, privileges and roles; and
iii) procedures for proper supervision, control, and information-flows to serve as a system of checks-and-
balances.
Concept Problem 18
Explain the following terms in brief:
i) Data Flow Diagram
ii) Flowchart
iii) Risk Assessment
Answer
a) Data Flow Diagrams (DFD) shows the flow of data or information from one place to another. DFDs
describe the processes showing how these processes link together through data stores and how the
processes relate to the users and the outside world. In other words, DFD provides an overview of -
• What does a system process;
• What transformations are performed;
• What data are stored;
• What results are produced and where they flow?
b) Flowcharts are used in designing and documenting simple processes or programs. They help visualize what
is going on and thereby help understand a process, and perhaps also find flaws, bottlenecks, and other
less-obvious features within it.
c) Risk Assessment is one of the five components that define Internal Control under SA 315. Every entity
faces a variety of risks from external and internal resources. Risk assessment involves a dynamic and
iterative process for identifying and assessing risks to the achievement of objectives. Thus, risk
assessment forms the basis for determining how risks will be managed. A precondition to risk
assessment is the establishment of objectives, linked at different levels of the entity. Management
P a g e | 13
specifies objectives within categories of operations, reporting, and compliance with sufficient clarity to be
able to identify and assess risks to those objectives. Risk assessment also requires management to
consider the impact of possible changes in the external environment and within its own business model
that may render internal control ineffective.
Concept Problem 19
"Enterprise Risk Management (ERM) does not create a risk-free environment; rather it enables management
to operate more effectively in environment filled with risks". In view of this statement, explain the various
benefits, which Board of Directors and Management of an entity seek to achieve by implementing the ERM
process within the entity.
Answer
Following features in Enterprise Risk Management provides enhanced capabilities to enable management to
operate more effectively in environments filled with risks:
i) Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad- based level that an
enterprise is willing to accept in pursuit of its goals. Management considers the entity’s risk appetite
first in evaluating strategic alternatives, then in setting objectives aligned with the selected strategy and
in developing mechanisms to manage the related risks.
ii) Link growth, risk and return: Entities accept risk as part of value creation and preservation, and they
expect return commensurate with the risk. ERM provides an enhanced ability to identify and assess
risks, and establish acceptable levels of risk relative to growth and return objectives.
iii) Enhance risk response decisions: ERM provides the rigor to identify and select among alternative risk
responses - risk avoidance, reduction, sharing and acceptance. ERM provides methodologies and
techniques for making these decisions.
iv) Minimize operational surprises and losses: Entities have enhanced capability to identify potential events,
assess risk and establish responses, thereby reducing the occurrence of surprises and related costs or
losses.
v) Identify and manage cross-enterprise risks: Every entity faces a myriad of risks affecting different
parts of the enterprise. Management needs to not only manage individual risks, but also understand
interrelated impacts.
vi) Provide integrated responses to multiple risks: Business processes carry many inherent risks and ERM
enables integrated solutions for managing the risks.
vii) Seize opportunities: Management considers potential events, rather than just risks, and by considering a
full range of events, management gains an understanding of how certain events represent opportunities.
viii) Rationalize capital: More robust information on an entity’s total risk allows management to more
effectively assess overall capital needs and improve capital allocation.
Concept Problem 20
State the required characteristics of goals to be achieved by implementing Business Process Automation.
Answer
The required characteristics of goals to be achieved by implementing Business Process Automation (BPA)
could be abbreviated as “SMART” which means:
i) S - Specific
ii) M - Measurable
iii) A - Attainable
iv) R – Relevant
14 | P a g e

v) T – Timely
Concept Problem 21
Give some examples of the Risks and Control objectives for Human Resource Process at configuration level.
Answer
Risks and Control Objectives for Human Resource Process at Configuration Levels are as follows:
Employees who have left the company continue System access to be immediately removed when
to have system access. employees leave the company.
Employees have system access in excess of their Employees should be given system access based on a
job requirements. “need to know” basis and to perform their job
function.
Concept Problem 22
As a cyber-expert, you have been invited in a seminar to share your thoughts on data protection and privacy
in today’s electronic era. In your PowerPoint presentation on the same, you wish to incorporate the main
principles on data protection and privacy enumerated under the IT Act, 2000. Identify them.
Answer
The main principles on data protection and privacy enumerated under the IT Act, 2000 are:
i) Defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
ii) creating civil liability if any person accesses or secures access to computer, computer system or
computer network
iii) creating criminal liability if any person accesses or secures access to computer, computer system or
computer network
iv) declaring any computer, computer system or computer network as a protected system
v) imposing penalty for breach of confidentiality and privacy
vi) setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations
Appellate Tribunal etc.
Concept Problem 23
Explain the positive aspects contained in the IT Act 2000 and its provisions from the perspective of e-
commerce in India.
Answer
From the perspective of e-commerce in India, the IT Act, 2000 and its provisions contain many positive
aspects which are as follows:
i) The implication for the e-businesses is that email is now a valid and legal form of communication in
India that can be duly produced and approved in a court of law.
ii) Companies shall now be able to carry out electronic commerce using the legal infrastructure provided by
the Act.
iii) Digital Signatures have been given legal validity and sanction in the Act.
iv) The Act throws open the doors for the entry of corporate companies in the business of being Certifying
Authorities for issuing Digital Signatures Certificates.
v) The Act allows Government to issue notification on the web thus heralding e- governance.
P a g e | 15
vi) The Act enables the companies to file any form, application or any other document with any office,
authority, body or agency owned or controlled by the appropriate Government in electronic form by
means of such electronic form as may be prescribed by the appropriate Government.
vii) The IT Act also addresses the important issues of security, which are so critical to the success of
electronic transactions.
viii) The Act has given a legal definition to the concept of secure digital signatures that would be required to
have been passed through a system of a security procedure, as stipulated by the Government at a later
date.
Under the IT Act, 2000, it shall now be possible for corporates to have a statutory remedy in case if anyone
breaks into their computer systems or network and causes damages or copies data. The remedy provided by
the Act is in the form of monetary damages, not exceeding INR 1 crore.
Concept Problem 24
General Controls are pervasive controls and apply to all the components of system, processes and data for a
given enterprise or systems environment. As an IT consultant, discuss some of the controls covered under
general controls which you would like to ensure for a given enterprise.
Or
Suppose you are an IT consultant of ABC enterprises. What general controls would you apply to all
components of system, processes and data for ABC enterprises to ensure the security of information system
and application program.
Or
Organizations should identify controls as per policy, procedures and its structure and configure them within IT
software as used in the organization. Discuss widely the Information Technology controls that can be
implemented as per risk management strategy. (Both ITGC & App Controls is required here)
Answer
General controls related to IT environment and Information Systems include the following:
a) Information Security Policy: The security policy is approved by the senior management and encompasses
all areas of operations of bank and drives access to information across the enterprise and other
stakeholders.
b) Administration, Access and Authentication: IT should be administered with appropriate policies and
procedures clearly defining the levels of access to information and authentication of users.
c) Separation of key IT functions: Secure deployment of IT requires the bank to have separate IT
organization structure with key demarcation of duties for different personnel within IT department and
to ensure that there are no SoD conflicts.
d) Management of Systems Acquisition and Implementation: Software solutions for Core Banking Systems
(CBS) are most developed acquired and implemented. Hence, process of acquisition and implementation
of systems should be properly controlled.
e) Change Management: IT solutions deployed and its various components must be changed in tune with
changing needs as per changes in technology environment, business processes, regulatory and
compliance requirements as these changes impact the live environment of banking services. Hence,
change management process should be implemented to ensure smooth transition to new environments
covering all key changes including hardware, software and business processes. All changes must be
properly approved by the management before implementation.
f) Backup, Recovery and Business Continuity: Heavy dependence on IT and criticality makes it imperative
that resilience of banking operations should be ensured by having appropriate business continuity
16 | P a g e

including backup, recovery and off-site data center.
g) Proper Development and Implementation of Application Software: Application software drives the
business processes of the banks. These solutions in case developed and implemented must be properly
controlled by using standard software development process.
h) Confidentiality, Integrity and Availability of Software and data files: Security is implemented to ensure
Confidentiality, Integrity and Availability of information. Confidentiality refers to protection of critical
information, Integrity refers to ensuring authenticity of information at all stages of processing or
contents should not be altered, and Availability refers to ensuring availability of information to users
when required. All IT operations need to be controlled by appropriate policies and procedures that refer to
how IT is deployed, implemented and maintained within the bank.
i) Incident response and management: There may be various incidents created due to failure of IT that
need to be appropriately responded and managed as per predefined policies and procedures.
Concept Problem 25
Data that is waiting to be transmitted is liable to unauthorized access called Asynchronous attack. Explain
various types of Asynchronous attacks on data.
Answer
Various types of Types of Asynchronous attacks on data are as follows:
a) Data leakage – This involves leaking of information out of computer by copying data into external devices
or print outs.
b) Wire tapping - This involves spying on info being transmitted over computer network.
c) Subversive Attack – This enables intruders to access data being transmitted & also modify/violate
integrity of some components in sub-system.
d) Piggybacking – This is act of following an unauthorized person through a secured door that intercepts and
alters transmissions.
Concept Problem 26
Draw a Flowchart for the following process:
Leebay is a new e-commerce web site that is setting up business in India. Leebay and their partner bank
Paxis have come up with a joint promotion plan for which the following offers are proposed. Customers can
either log in through a mobile app or directly from the website:
1) If the payment mode chosen is ‘Paxis Credit’, then a 20% discount is given to the user.
2) If the payment mode chosen is ‘Paxis Debit’, then a 10% discount is given to the user.
3) If other payment modes are used, then no discount is given.
Also, to promote the downloads of its new smart phone app, the company has decided to give the following
offer:
1) If the purchase mode is ‘Mobile App’, then no surcharge is levied on the user.
2) If any other purchase mode is used, then additional 5% surcharge is levied on the user. This surcharge is
applied on the bill after all necessary discounts have been applied.
With bill amount, payment mode and purchase mode as inputs, draw a flowchart for the billing procedure for
Leebay.
2. ICAI RTP S , MTP S A ND P A S T Y E A R Q U E S TIO NS

Concept Problem 27
During a job interview, an interviewer asked Mr. A to list out all the risks and their controls associated with
P a g e | 17
Order-To-Cash (O2C) business process. Prepare an appropriate draft reply.

Answer
Risks and Controls related to the Order to Cash (O2C) business process are as follows:
Risks Controls
The customer master file is not maintained properly The customer master file is maintained properly and
and the information is not accurate. the information is accurate.
Invalid changes are made to the customer master Only valid changes are made to the customer master
file. file.
All valid changes to the customer master file are not All valid changes to the customer master file are
input and processed. input and processed.
Changes to the customer master file are not Changes to the customer master file are accurate.
accurate.
Changes to the customer master file are not Changes to the customer master file are processed in
processed in a timely manner. a timely manner.
Customer master file data is not up-to- date and Customer master file data is up to date and relevant.
relevant.
System access to maintain customer masters has System access to maintain customer masters has
not been restricted to the authorized users. been restricted to the authorized users.
Concept Problem 28
Discuss all the stages of Human Resource (HR) Life Cycle.
Or
Human Resource Management (HRM) plays an important role in the effective and efficient management of
the human resource in any enterprise. As an HR manager of XYZ Ltd., which typical stages of HR life cycle
will you implement in the company?
Answer
The Human Resources (HR) Life Cycle refers to human resources management and covers all the stages of an
employee’s time within a specific enterprise and the role the human resources department plays at each
stage. Typical stage of HR cycle includes the following:
i) Recruiting and On-boarding: Recruiting is the process of hiring a new employee. The role of the human
resources department in this stage is to assist in hiring. This might include placing the job ads, selecting
candidates whose resumes look promising, conducting employment interviews and administering
assessments such as personality profiles to choose the best applicant for the position.
On boarding is the process of getting the successful applicant set up in the system as a new employee.
ii) Orientation and Career Planning: Orientation is the process by which the employee becomes a member of
the company’s work force through learning her new job duties, establishing relationships with co-workers
and supervisors and developing a niche.
Career planning is the stage at which the employee and her supervisors work out her long-term career
goals with the company. The human resources department may make additional use of personality profile
testing at this stage to help the employee determine her best career options with the company.
18 | P a g e

iii) Career Development: Career development opportunities are essential to keep an employee engaged with
the company over time. After an employee, has established himself at the company and determined his
long-term career objectives, the human resources department should try to help him meet his goals, if
they’re realistic. This can include professional growth and training to prepare the employee for more
responsible positions with the company. The company also assesses the employee’s work history and
performance at this stage to determine whether he has been a successful hire.
iv) Termination or Transition: Some employees will leave a company through retirement after a long and
successful career. Others will choose to move on to other opportunities or be laid off. Whatever the reason,
all employees will eventually leave the company. The role of HR in this process is to manage the
transition by ensuring that all policies and procedures are followed, carrying out an exit interview if that
is company policy and removing the employee from the system. These stages can be handled internally
or with the help of enterprises that provide services to manage the employee life cycle.
Concept Problem 29
Though Human Resource (HR) Department plays an important role in development of any enterprise, yet it
has certain risks associated at every stage of its life cycle. Describe all the risks related to Human Resource
Department.
Answer
The risks associated with Human Resource Department are as given below:
i) Employees who have left the company continue to have system access.
ii) Employees have system access in excess of their job requirements.
iii) Additions to the payroll master files do not represent valid employees.
iv) New employees are not added to the payroll master files.
v) Terminated employees are not removed from the payroll master files.
vi) Employees are terminated without following statutory requirements.
vii) Deletions from the payroll master files do not represent valid terminations.
viii) Invalid changes are made to the payroll master files.
ix) Changes to the payroll master files are not accurate.
x) Changes to the payroll master files are not processed in a timely manner.
xi) Payroll master file data is not up to date.
xii) Payroll is disbursed to inappropriate employees.
xiii) System access to process employee master changes has not been restricted to the authorized users.
Concept Problem 30
Discuss “Management Processes” and “Supporting Processes”. Also, state their example.
Answer
Management Processes:
Management processes measure, monitor and control activities related to business procedures and systems.
Management processes do not provide value directly to the customers, however, have a direct impact on the
efficiency of the enterprise.
Examples of management processes include internal communications, governance, strategic planning,
budgeting, and infrastructure or capacity management.
Supporting Processes:
These are the processes that back core processes and functions within an organization.
P a g e | 19
Examples of supporting or management processes include Accounting, Human Resource (HR) Management
and workplace safety. The main HR Process Areas are grouped into logical functional areas like Recruitment
and Staffing; Goal Setting; Training and Development; Compensation and Benefits; Performance
Management; Career Development and Leadership Development.
Concept Problem 31
Determine all the sub processes that are included under an Order to Cash Process.
Or
During a job interview, an interviewer panelist asked Mr. A to elaborate all the sub-processes included in an
Order-To-Cash (O2C) business process. Prepare an appropriate draft reply.
Answer
Order to Cash (O2C): OTC or O2C is a set of business processes that involve receiving and fulfilling customer
requests for goods or services. It is a set of business processes that involve receiving and fulfilling customer
requests for goods or services. An order to cash cycle consists of multiple sub-processes including:
i) Customer order is documented;
ii) Order is fulfilled or service is scheduled;
iii) Order is shipped to customer or service is performed;
iv) Invoice is created and sent to customer;
v) Customer sends payment /Collection; and
vi) Payment is recorded in general ledger.
Concept Problem 32
Discuss any two risks of Business Process Automation.
Answer
The dependence on technology in BPA for most of the key business processes has led to various challenges.
The risks of Business Process Automation (BPA) are classified below:
a) Frequent changes or obsolescence of technology: Technology keeps on evolving and changing constantly
and becomes obsolete very quickly. Hence, there is always a challenge that the investment in technology
solutions unless properly planned may result in loss to bank due to risk of obsolescence.
b) Multiplicity and complexity of systems: The Technology architecture used for services could include
multiple digital platforms and is quite complex. Hence, this requires the personnel to have knowledge
about requisite technology skills or the management of the technology could be outsourced to a company
having the relevant skill set.
c) Dependence on vendors due to outsourcing of IT services: In a systems environment, the organization
requires staff with specialized domain skills to manage IT deployed. Hence, these services could be
outsourced to vendors and there is heavy dependency on vendors and gives rise to vendor risks which
should be managed by proper contracts, controls and monitoring.
d) Vendor related concentration risk: There may not be one but multiple vendors providing different services.
For example, network, hardware, system software and application software services may be provided by
different vendors or these services may be provided by a single vendor. Both these situations result in
higher risks due to heavy dependence on vendors.
Concept Problem 33
The controls for a particular business process are implemented by breaking them down into smaller
components. Determine the main components of controls for the Purchase to Pay Cycle.
20 | P a g e

Solution
Given below is a list of the controls for the Purchase to Pay cycle, which is broken down to four main
components:
i) Purchases: When an employee working in a specific department (i.e., marketing, operations, sales, etc.)
wants to purchase something required for carrying out the job, he/she will submit a Purchase Requisition
(PR) to a manager for approval. Based on the approved PR, a Purchase Order (PO) is raised. The PO may
be raised manually and then input into the computer system or raised directly by the computer system.
ii) Goods Receipt: The PO is then sent to the vendor, who will deliver the goods as per the specifications
mentioned in the PO. When the goods are received at the warehouse, the receiving staff checks the
delivery note, PO number etc. and acknowledges the receipt of the material. Quantity and quality are
checked and any unfit items are rejected and sent back to the vendor. A Goods Receipt Note (GRN) is
raised indicating the quantity received. The GRN may be raised manually and then input into the
computer system or raised directly by computer system.
iii) Invoice Processing: The vendor sends the invoice to the accounts payable department who will input the
details into the computer system. The vendor invoice is checked with the PO to ensure that only the
goods ordered have been invoiced and at the negotiated price. Further the vendor invoice is checked with
the GRN to ensure that the quantity ordered has been received.
iv) Payment: If there is no mismatch between the PO, GRN and vendor invoice; the payment is released to
the vendor based on the credit period negotiated with the vendor.
Concept Problem 34
Though Business Process Automation (BPA) provides many advantages to diverse businesses in various forms,
however, every business is not suitable for automation. Each business needs a valid reason before it goes for
automation. Discuss some examples of business processes that are best suited to automation.
Solution
The examples of business processes that are best suited to automation are as follows:
i) Processes involving high-volume of tasks or repetitive tasks: Many business processes such as making
purchase orders involve high-volume of repetitive tasks. Automating these processes results in cost and
work effort reductions.
ii) Processes requiring multiple people to execute tasks: A business process which requires multiple people to
execute tasks often results in waiting time that can lead to increase in costs. E.g., help desk services.
Automating these processes results in reduction of waiting time and in costs.
iii) Time-sensitive processes: Business process automation results in streamlined processes and faster
turnaround times. The streamlined processes eliminate wasteful activities and focus on enhancing tasks
that add value. Time-sensitive processes are best suited to automation. For example - online banking
system, railway/aircraft operating and control systems etc.
iv) Processes involving need for compliance and audit trail: With business process automation, every detail
of a particular process is recorded. These details can be used to demonstrate compliance during audits.
For example- invoice issue to vendors.
v) Processes having significant impact on other processes and systems: Some processes are cross-
functional and have significant impact on other processes and systems. In cross functional processes,
different departments within the same company work hand in hand to achieve a common goal, e.g., the
marketing department may work with sales department. Automating these processes results in sharing
information resources and improving the efficiency and effectiveness of business processes.
Concept Problem 35
Compare between Subversive Attacks and Piggybacking.
Answer
P a g e | 21
Subversive Attacks and Piggybacking are the types of Asynchronous Attacks. However, they differ in following
aspects:
Subversive Attacks: These can provide intruders with important information about messages being
transmitted and the intruder may attempt to violate the integrity of some components in the sub-system.
Piggybacking: This is the act of following an authorized person through a secured door or electronically
attaching to an authorized telecommunication link that intercepts and alters transmissions. This involves
intercepting communication between the operating system and the user and modifying them or substituting
new messages.
Concept Problem 36
Recognize all the technical exposures that include unauthorized implementation or modification of data and
software.
Or
ABC Ltd., a Delhi based financial consultant company has huge clientele having crucial data about its
clients. Therefore, the company has robust implementation of Logical Access Controls to ensure that access
to its systems, data and programs is restricted to authorized users to safeguard information against
unauthorized use. Describe all the technical exposures against which these Logical Access Controls provide
security to the data and software of the company.
Answer
Technical Exposures: Technical exposures include unauthorized implementation or modification of data and
software. Technical exposures include the following:
i) Data Diddling: This involves the change of data before or after they entered the system. A limited
technical knowledge is required to data diddle and the worst part with this is that it occurs before
computer security can protect the data.
ii) Bomb: Bomb is a piece of bad code deliberately planted by an insider or supplier of a program. An event,
which is logical, triggers a bomb or time based. The bombs explode when the conditions of explosion get
fulfilled causing the damage immediately. However, these programs cannot infect other programs. Since,
these programs do not circulate by infecting other programs; chances of a widespread epidemic are
relatively low.
iii) Christmas Card: It is a well-known example of Trojan and was detected on internal E-mail of IBM
system. On typing the word ‘Christmas’, it will draw the Christmas tree as expected, but in addition, it
will send copies of similar output to all other users connected to the network. Because of this message on
other terminals, other users cannot save their half -finished work.
iv) Worm: A worm does not require a host program like a Trojan to relocate itself. Thus, a Worm program
copies itself to another machine on the network. Since, worms are stand-alone programs, and they can
be detected easily in comparison to Trojans and computer viruses. Examples of worms are Existential
Worm, Alarm clock Worm etc. The Alarm Clock worm places wake-up calls on a list of users. It passes
through the network to an outgoing terminal while the sole purpose of existential worm is to remain alive.
Existential worm does not cause damage the system, but only copies itself to several places in a
computer network.
v) Rounding Down: This refers to rounding of small fractions of a denomination and transferring these small
fractions into an authorized account. As the amount is small, it gets rarely noticed.
vi) Salami Techniques: This involves slicing of small amounts of money from a computerized transaction or
account. A Salami technique is slightly different from a rounding technique in the sense a fix amount is
deducted. For example, in the rounding off technique, Rs.21,23,456.39 becomes Rs. 21,23,456.40, while in
the Salami technique the transaction amount Rs. 21,23,456.39 is truncated to either Rs. 21,23,456.30 or
22 | P a g e

Rs. 21,23,456.00, depending on the logic.
vii) Trap Doors: Trap doors allow insertion of specific logic, such as program interrupts that permit a review
of data. They also permit insertion of unauthorized logic.
viii) Spoofing: A spoofing attack involves forging one’s source address. One machine is used to impersonate
the other in spoofing technique. Spoofing occurs only after a particular machine has been identified as
vulnerable. A penetrator makes the user think that s/he is interacting with the operating system. For
example, a penetrator duplicates the login procedure, captures the user’s password, attempts for a
system crash and makes the user login again.
Concept Problem 37
An auditor Mr. Sohan has been given a prime responsibility to assess the suitable implementation and
execution of various controls in his organization XYZ Ltd. To do so, he needs to check the controls at various
levels of the computer systems. Discuss the levels at which Mr. Sohan should check the implementation of
controls.
Answer
In computer systems, the levels at which the controls shall be checked are as follows:
i) Configuration: Configuration refers to the way a software system is set up. It is the methodical process of
defining options that are provided during system setup. When any software is installed, values for various
parameters should be set up (configured) as per policies and business process work-flow and business
process rules of the enterprise. The various modules of the enterprise such as Purchase, Sales, Inventory,
Finance, User Access etc. must be configured. Configuration will define how software will function and
what menu options are displayed.
Some examples of configuration are given below:
 Mapping of accounts to front end transactions like purchase and sales
 Control on parameters: Creation of Customer Type, Vendor Type, year-end process
 User activation and deactivation
 User Access & privileges - Configuration & its management
 Password Management
ii) Masters: It refer to the way various parameters are set up for all modules of software like Purchase, Sales,
Inventory, and Finance etc. These drive how the software will process relevant transactions. The masters
are set up first time during installation and these are changed whenever the business process rules or
parameters are changed. The way masters are set up will drive the way software will process transactions
of that type.
Some examples of masters are given here:
 Vendor Master: Credit period, vendor bank account details, etc.
 Customer Master: Credit limit, Bill to address, Ship to address, etc.
 Material Master: Material type, Material description, Unit of measure, etc.
 Employee Master: Employee name, designation, salary details, etc.
iii) Transactions: It refers to the actual transactions entered through menus and functions in the application
software, through which all transactions for specific modules are initiated, authorized, or approved. For
example: Sales transactions, Purchase transactions, Stock transfer transactions, Journal entries and
Payment transactions.
Concept Problem 38
P a g e | 23
Human Resource Management (HRM) plays an important role in the effective and efficient management of
the human resources in any enterprise. As an HR Manager of XYZ Ltd, which typical stages of HR life cycle
will you implemented in the company?
3. C A S E B A S E D MCQ S 1 – ICAI S T U D Y M A T E R I A L
ABC Ltd. is engaged in the business of producing consumer durable products. It is facing the problem of poor
customer service due to its broken, inefficient, and manual processes. The customers of the company are
becoming more demanding with respect to higher quality of products and delivery time.
To remain competitive in the market and to overcome the issues faced by its customers, the company
decided to optimize and streamline its essential business processes using the latest technology to automate
the functions involved in carrying out these essential processes. The management of the company is very
optimistic that with automation of business processes, it will be able to extract maximum benefit by using
the available resources to their best advantage. Moreover, with automation the company will be able to
integrate various processes and serve its customers better and faster. The management is aware that the
automation of business processes will lead to new types of risks in the company’s business. The failure or
malfunction of any critical business process will cause significant operational disruptions and materially
impact its ability to provide timely services to its customers. The management of ABC Ltd. adopted different
Enterprise Risk Management (ERM) strategies to operate more effectively in environment filled with risks.
To reduce the impact of these risks, the company also decided to implement necessary internal controls.
Read the above illustration carefully and answer the following questions:
1. The processes automated by ABC Ltd. are susceptible to many direct and indirect challenges. Which of the
following factor cannot be considered valid in case the company fails to achieve the desired results?
a. The business processes are not well thought or executed to align with business objectives.
b. The staff may perceive automated processes as threat to their jobs.
c. The documentation of all the automated business processes is not done properly.
d. The implementation of automated processes in the company may be an expensive proposition.
2. The processes automated by ABC Ltd. are technology driven. The dependence on technology in key
business processes exposed the company to various internal as well as external threats. According to you,
external threats leading to cyber-crime in BPA is because:
a. Organizations may have a highly-defined organization structure with clearly defined roles, authority
and responsibility.
b. There may not be one but multiple vendors providing different services.
c. The system environment provides access to customers anytime, anywhere using internet.
d. The dependence on technology is insignificant.
3. The management of ABC Ltd. adopted a holistic and comprehensive approach of Enterprise Risk
Management (ERM) framework by implementing controls across the company. Identify the false
statement w.r.t components of ERM framework.
a. As a part of event identification, potential events that might have an impact on the entity should
be identified.
b. As a part of risk assessment component, identified risks are analyzed to form a basis for
determining how they should be managed.
c. As a part of monitoring, the entire ERM process should be monitored with no further modifications in
the system.
d. As a part of control activities, policies and procedures are established and executed to help ensure
24 | P a g e

that the risk responses that management selected are effectively carried out.
4. The management of ABC Ltd. implemented different Information Technology General Controls (ITGCs)
across different layers of IT environment with an objective to minimize the impact of risks associated
with automated processes. Which of the following is not an example of ITGC?
a. Information Security Policy
b. Processing Controls
c. Backup, Recovery and Business Continuity
d. Separation of key IT functions
C A S E B A S E D MCQ S 2 – IC AI S T U D Y M A T
DXN Ltd. is engaged in manufacturing consumer products for women. The company released a new product
recently which met with unexpected success. The company was established as a market leader in that
product. The growing volume of sales transactions started to put a strain on company’s internal processes.
The company employed 300 more employees to ensure that the customers are served better and faster. But
with the increase in number of monthly transactions to 1.5 million, the manual processes which were being
followed by the company at present, were holding it back. The company was not able to meet consumer
demands even after employing addition 300 employees. The management consultant Mr. X of DXN Ltd.
advised to automate the key business processes of the company to handle large volume of transactions to
meet the expectations of its customers and maintain its competitive edge in the market.
Mr. X gathered extensive information about the different activities involved in the current processes followed
by DXN Ltd. like - what the processes do, the flow of various processes, the persons who are in charge of
different processes etc. The information so collected helped him in understanding the existing processes such
as flaws, bottlenecks, and other less obvious features within the existing processes. Based on the information
gathered about the current processes, Mr. X prepared various flowcharts depicting how various processes
should be performed after automation and submitted his report to the management covering the following
points:
 The major benefits of Business Process Automation;
 The processes that are best suited to automation;
 Challenges that DXN Ltd. may face while implementing automated processes;
 Risks involved in Business Process Automation and how the management should manage these risks.
Read the above illustration carefully and answer the following Questions:
1. As the DXN Ltd. was implementing the automated processes for the first time, the consultant suggested
not to automate all the processes at a time and automate only critical processes which would help the
company to handle large volume of transactions. Which of the following business processes are not best
suited to automation:
a. Processes involving repetitive tasks
b. Processes requiring employees to use personal judgment
c. Time sensitive processes
d. Processes having significant impact on other processes and systems
2. While understanding the criticality of various business processes of DXN Ltd., the consultant Mr. X
documented the current processes and identified the processes that needed automation. However,
documentation of existing processes does not help in.
a. providing clarity on the process
b. determining the sources of inefficiency, bottlenecks, and problems
P a g e | 25
c. controlling resistance of employees to the acceptance of automated processes

d. designing the process to focus on the desired result with workflow automation
3. When DXN Ltd. decided to adopt automation to support its critical business processes, it exposed itself to
number of risks. One risk that the automated process could lead to breakdown in internal processes,
people and systems is a type of__________.
a. Operational Risk
b. Financial Risk
c. Strategic Risk
d. Compliance Risk
4. Mr. X of DXN Ltd. prepared various flowcharts depicting how various processes should be performed after
automation and submitted his report to the management. The flowcharting symbol that he used to
depict processing step is __________.
a. Rectangular Box
b. Diamond
c. Oval
d. Line
Answer Key
MCQ 1 1. C 2. C 3. C 4. B
MCQ 2 1. B 2. C 3. A 4. A
26 | P a g e
Financial Accounting System May 22
Financial Accounting System

C HAPTER 2
FINANCIAL ACCOUNTING SYSTEM
If you can dream it, you can

do it. The only person who
can stop you is “You”.
Coverage
Concept Problem 1
As an Auditor, prepare a checklist of the questions that you would ask while performing an ERP Audit.
Or
You have been appointed as an Information Systems (IS) Auditor in a company JKL Ltd. and asked to perform
an ERP audit. Prepare a checklist of the common concerns that should be asked during development and
implementation of the system as well as ERP Audit.
Answer
Checklist to be followed by an IS Auditor for the audit of ERP Systems are as follows:
i) Does the system process according to GAAP (Generally Accepted Accounting Principles) and GAAS
(Generally Accepted Auditing Standards)?
ii) Does it meet the needs for reporting, whether regulatory or organizational?
iii) Were adequate user requirements developed through meaningful interaction?
iv) Does the system protect confidentiality and integrity of information assets?
P a g e | 27
May 22 Financial Accounting System
v) Does it have controls to process only authentic, valid, accurate transactions?

vi) Are effective system operations and support functions provided?
vii) Are all system resources protected from unauthorized access and use?
viii) Are user privileges based on what is called ‘role-based access?’
ix) Is there an ERP system administrator with clearly defined responsibilities?
x) Is the functionality acceptable? Are user requirements met? Are users happy?
xi) Have workarounds or manual steps been required to meet business needs?
xii) Are there adequate audit trails and monitoring of user activities?
xiii) Can the system provide management with suitable performance data?
xiv) Are users trained? Do they have complete and current documentation?
xv) Is there a problem-escalation process?
Concept Problem 2
Determine the reasons for the importance of Business Reporting. Identify the global standard for exchanging
business information and discuss it in detail.
Answer
Business Reporting or Enterprise Reporting is the public reporting of operating and financial data by a
business enterprise or the regular provision of information to decision-makers within an organization to
support them in their work.
Business Reporting is important for following reasons:

i) Effective and transparent business reporting allows organizations to present a cohesive explanation of
their business and helps them engage with internal and external stakeholders, including customers,
employees, shareholders, creditors, and regulators.
ii) High-quality business reporting is at the heart of strong and sustainable organizations, financial
markets, and economies, as this information is crucial for stakeholders to assess organizational
performance and make informed decisions with respect to an organization’s capacity to create and
preserve value.
iii) As organizations fully depend on their stakeholders for sustainable success, it is in their interest to
provide them with high-quality reports. For example, effective high- quality reporting reduces the risk
for lenders and may lower the cost of capital.
iv) Many organizations are increasingly complex, and have larger economic, environmental, and social
footprints. As a result, various stakeholder groups are demanding increased Environmental, Social and
Governance (ESG) information, as well as greater insight into how these factors affect financial
performance and valuations.
v) High-quality reports also promote better internal decision-making. High-quality information is integral
to the successful management of the business, and is one of the major drivers of sustainable
organizational success.
28 | P a g e

XBRL (eXtensible Business Reporting Language) is a freely available and global standard for exchanging
business information. XBRL is the open international standard for digital business reporting, managed by a
global not for profit consortium, XBRL International Inc. XBRL is used around the world, in more than 50
countries.
In a nutshell, XBRL provides a language in which reporting terms can be authoritatively defined. Those terms
can then be used to uniquely represent the contents of financial statements or other kinds of compliance,
performance and business reports.
Concept Problem 3
An enterprise ABC Ltd. intends to acquire software for Accounting as well as Tax compliance. Prepare a list of
pros and cons of having single software for Accounting and Tax compliance.
Or
A business organization is planning to switch on to an integrated software for accounting as well as tax
compliance instead of separate software for accounting and tax compliance. Being a consultant to the
management of this organization, you are required to advise them on various Pros and Cons of having
single software for both the accounting and tax compliance.
Answer
Single software for both the Accounting and Tax Compliance must be an integrated system.
Pros of having single integrated software for both the Accounting and Tax Compliance as compared to only a
Tax Compliance Software are as follows:
i) More Accurate: As single software for both Accounting and Tax Compliance is an integrated system,
hence accounting data and tax compliance data shall always be same and there is no need to transfer
data to compliance software and reconcile the data. However, in only tax compliance software,
reconciliation with accounting data is needed and possibility of mismatch of data between two
systems is always there.
ii) Lesser Time and efforts required: The time required to transfer data to compliance integrated software
is zero whereas it’s relatively more in the separate software wherein data from accounting software
need to put in for preparation of returns that may take extra time and efforts.
Cons of having such integrated software for both the Accounting and Tax Compliance as compared to only a
Tax Compliance Software are as follows:
i) Less ease of software operation: In an integrated system, everything is connected with other and
making changes at one place may affect other aspects also. However, single software is less
complicated and bound to be easy.
ii) Less features and facilities for Tax Compliance: As the integrated is system is not an exclusive system
for tax compliance, it may have limited features for tax compliance. Whereas single system is an
exclusive and specifically designed system for tax compliance, more features and facilities shall exist
in this system.
iii) More cost: If tax compliance feature is not available in accounting system, then to make the system
integrated and getting it customized may require some amount of cost which may be higher than
P a g e | 29
buying separate software. Whereas specific purpose software shall have less complications and the
cost also shall be less.
Concept Problem 4
An article joined an Audit firm where he was briefed upon the details of an Accounting Process Flow.
Determine the steps involved in the process.
Answer
Accounting or Book keeping cycle covers the business processes involved in recording and processing
accounting events of a company.
It begins when a transaction or financial event occurs and ends with its inclusion in the financial statements.
A typical life cycle of an accounting transaction may include the following transactions as depicted below
i) Source Document: A document that captures data from transactions and events.
ii) Journal: Transactions are recorded into journals from the source document.
iii) Ledger: Entries are posted to the ledger from the journal.
iv) Trial Balance: Unadjusted trial balance containing totals from all account heads is prepared.
v) Adjustments: Appropriate adjustment entries are passed.
vi) Adjusted Trial balance: The trial balance is finalized post adjustments.
vii) Closing Entries: Appropriate entries are passed to transfer accounts to financial statements.
viii) Financial statement: The accounts are organized into the financial statements.
Concept Problem 5
The Material Management (MM) Module in an ERP systems manages materials required, processed and
produced in enterprises. Discuss the steps involved in overall purchase process.
Or
On joining a Manufacturing company XYZ, you are briefed about the functioning of different modules like
Financial Accounting Module, Sales and Distribution Module, Human Resource Module, Material Management
Module, Production Planning Module etc. Prepare a brief description on the Material Management Module
(MM) based on your understanding.
Or
30 | P a g e

XYZ is an Indian based garment manufacturing company which has implemented ERP (Enterprise Resource
Planning). The Material Management (MM) module of ERP is used to manage its daily operations like –
import of raw material, its movement related logistics, Supply chain management, warehouse management,
production etc. Discuss the overall purchase process for XYZ company covered under MM.
Answer
Material Management (MM) Module manages materials required, processed and produced in enterprises.
Different types of procurement processes are managed with th is system. Some of the popular sub-
components in MM module are vendor master data, consumption-based planning, purchasing, inventory
management, invoice verification and so on. Material management also deals with movement of materials
via other modules like logistics, Supply Chain Management, sales and delivery, warehouse management,
production and planning.
The overall purchase process includes the following sub-processes:

i) Purchase Requisition from Production Department: Production department sends a request to purchase
department for purchase of raw material required for production.
ii) Evaluation of Requisition: Purchase department shall evaluate the requisition with the current stock
position and purchase order pending position and shall decide about accepting or rejection the
requisition.
iii) Asking for Quotation: If requisition is accepted, quotations shall be asked to approve vendors for
purchase of material.
iv) Evaluation of quotations: Quotations received shall be evaluated and compared.
v) Purchase Order: This is a transaction for letting an approved vendor know what we want to purchase,
how much we want to purchase, at what rate we want to purchase, by what date we want the delivery,
where we want the delivery. Hence a typical purchase order shall have following information.
▪ Quantity of these stock items.

▪ Rate for purchases.
▪ Due Date by which material is to be received.
▪ Godown where material is to be received.
vi) Material Receipt: This is a transaction of receipt of material against purchase order. This is commonly
known as Material Receipt Note (MRN) or Goods Receipt Note (GRN). This transaction shall have a
linking with Purchase Order. Information in Purchase Order is automatically copied to Material
Receipt Voucher for saving time and efforts of user. Stock is increased after recording of this
transaction.
vii) Issue of material: Material received by stores shall be issued to production department as per
requirement.
viii) Purchase Invoice: This is a financial transaction. Trial balance is affected due this transaction.
Material Receipt transaction does not affect trial balance. This transaction shall have a linking with
Material Receipt Transaction and all the details of material received shall be copied automatically in
purchase invoice. As stock is increased in Material Receipt transaction, it will not be increased again
P a g e | 31
after recording of purchase invoice.
ix) Payment to Vendor: Payment shall be made to vendor based on purchase invoice recorded earlier.
Payment transaction shall have a linking with purchase invoice.
Concept Problem 6
Explain the term “Business Intelligence” with example.
Or
Analyze the statement “The potential benefits of Business Intelligence (BI) programs include accelerating
and improving decision making; optimizing internal business processes; increasing operational efficiency;
driving new revenues; and gaining competitive advantages over business rivals.” Determine its justification.
Or
Business Intelligence is a technology-driven process for analysing data and presenting actionable
information to help corporate executives, business managers and other end users make more informed
business decisions. List out the benefits of using Business Intelligence in an organization.
Answer
Business Intelligence (BI) is a technology-driven process for analysing data and presenting actionable
information to help corporate executives, business managers and other end users make more informed
business decisions.
BI data can include historical information, as well as new data gathered from source systems as it is
generated, enabling BI analysis to support both strategic and tactical decision-making processes.
Benefits of Business Intelligence

i) BI improves the overall performance of the company using it. The potential benefits of business
intelligence programs include –
a) accelerating and improving decision making;

b) optimizing internal business processes;
c) enhancing communication among departments while coordinating activities;
d) increasing operational efficiency;
e) driving new revenues; and
f) gaining competitive advantages over business rivals.
ii) BI systems can also help companies identify market trends and spot business problems that need to be
addressed.
iii) BI systems help in enhancing customer experience, allowing for the timely and appropriate response to
customer problems and priorities.
Concept Problem 7
32 | P a g e

As a manager of a telecom service provider, you are concerned with MIS Report about your department’s
customer service calls. Determine the various criterions that the information in the report should meet so that
the report becomes useful for you.
Or
Being a manager of a company X, you are required to prepare a MIS report for Annual General Meeting
(AGM) of the company. What characteristics will make this information useful for the management?
Or
Mr. Rajesh, a manager of a medium-sized company’s customer service department, uses MIS reporting
tool to obtain the reports that help him evaluating company’s businesses’ daily activities or problems
that arise, making decisions and tracking progress. Elaborate the criterions that the information
generated through MIS tool meet so that it is useful to Mr. Rajes h in discharging his role.
Answer
To make information most useful, Reports should meet the following criteria:
i) Relevant: MIS reports need to be specific to the business area they address. This is important because
a report that includes unnecessary information might be ignored.
ii) Timely: Managers need to know what’s happening now or in the recent past to make decisions about
the future. Be careful not to include information that is old. An example of timely information for your
report might be customer phone calls and emails going back 12 months from the current date.
iii) Accurate: It’s critical that numbers add up and that dates and times are correct. Managers & others who
rely on MIS reports can’t make sound decisions with information that is wrong. Financial information is
often required to be accurate to the dollar. In other cases, it may be OK to round-off numbers.
iv) Structured: Information in an MIS report can be complicated. Making that information easy to follow
helps management understand what the report is saying.
Concept Problem 8
Explain the term “Data Analytics” and recognize its application areas in today’s world.
Answer
Data Analytics: It is the process of examining data sets to draw conclusions about the information they
contain, increasingly with the aid of specialized systems and software. Data Analytics predominantly
refers to an assortment of applications, from basic Business Intelligence (BI), Reporting and Online
Analytical Processing (OLAP) to various forms of advanced analytics.
Data Analytics technologies and techniques are widely used in commercial industries to enable
organizations to make more-informed business decisions and by scientists and researchers to verify or
disprove scientific models, theories and hypotheses.
Some Application areas of Data Analytics are as follows:
a) Banks and credit card companies analyse withdrawal and spending patterns to prevent fraud &
identity theft.
b) E-commerce companies and marketing services
P a g e | 33
c) Mobile network operators examine customer data to forecast so they can take steps to prevent
defections to business rivals
d) Healthcare organizations mine patient data to evaluate effectiveness of treatments for cancer & other
diseases.
Concept Problem 9
Explain the different ways in which the Regulators can use XBRL for various purposes.
Answer
Regulators can use eXtensible Business Reporting Language for following purposes:
i) Financial regulators that need significant amounts of complex performance and risk information
about the institutions that they regulate.
ii) Securities regulators and stock exchanges that need to analyse the performance and compliance of
listed companies and securities, and need to ensure that this information is available to markets to
consume and analyse.
iii) Business registrars that need to receive and make publicly available a range of corporate data about
private and public companies, including annual financial statements.
iv) Tax authorities that need financial statements and other compliance information from companies to
process and review their corporate tax affairs.
v) Statistical and monetary policy authorities that need financial performance information from many
different organizations.
Concept Problem 10
Discuss the key features of Controlling Module in an Enterprise Resource Planning (ERP).
Or
ABC Ltd., a renowned stationary manufacturer with five production units across the country, has adopted
Enterprise Resource Planning (ERP) to integrate its business processes. Identify the ERP module that
monitors and optimizes all the business process of ABC Ltd. Also, explain various key features of this module.
Or
Controlling Module is one of the business process modules of the Enterprise Resources Planning (ERP) System.
It facilitates coordinating, monitoring and optimizing all the process in an organization. In the light of these
statements, describe any six key features of Controlling Module of ERP system.
Answer
Controlling module facilitates coordinating, monitoring, and optimizing all the processes in an
organization. It controls the business flow in an organization.
Key features of this module are as under:
i) Cost Element Accounting: This component provides overview of the costs and revenues that occur in an
organization. The cost elements are the basis for cost accounting and enable the user the ability to
34 | P a g e

display costs for each of the accounts that have been assigned to the cost element.
ii) Cost Centre Accounting: This provides information on the costs incurred by the business. Cost Centres
can be created for such functional areas as Marketing, Purchasing, Human Resources, Finance,
Facilities, Information Systems, Administrative Support, Legal, Shipping/Receiving, or even Quality.
Some of the benefits of Cost Centre Accounting are that the managers can set budget/cost Centre
targets; Planning; Availability of Cost allocation methods; and Assessments/Distribution of costs to
other cost objects.
iii) Activity-Based-Accounting: This analyses cross-departmental business processes and allows for a
process-oriented and cross- functional view of the cost centres.
iv) Internal Orders: Internal Orders provide a means of tracking costs of a specific job, service, or task.
These are used as a method to collect those costs and business transactions related to the task.
This level of monitoring can be very detailed but allows management the ability to review Internal
Order activity for better- decision making purposes.
v) Product Cost Controlling: This calculates the costs that occur during the manufacture of a product or
provision of a service and allows the management the ability to analyse their product costs and to
make decisions on the optimal price(s) to market their products.
vi) Profitability Analysis: This allows the management to review information with respect to the
company’s profit or contribution margin by individual market segment.
vii) Profit Centre Accounting: This evaluates the profit or loss of individual, independent areas within an
organization.
Concept Problem 11
Nowadays, many organizations are switching over to ‘Cloud Applications' as the organizations do not want to
indulge themselves in maintenance of their own IT infrastructure to run their businesses. You, being an IT
consultant, list out some of the advantages and disadvantages of using these Cloud applications.
Or
Cloud Applications are one of the two ways of using a software including financial and Accounting Software
and now-a-days, the use of cloud applications is increasing rapidly. You, being an IT consultant, have to list
out some of the advantages and disadvantages of using cloud applications.
Answer
Advantages of using Cloud applications are as follows:
i) Installation and Maintenance: As software is installed on only one computer, i.e., a web server, it need
not be installed on each computer. Hence, installation on user computer is not required and
maintenance and updating of software becomes extremely easy.
ii) Accessibility: As software is not installed on the hard disc of user’s computer and it is used through
browser and internet, it can be used from any computer in the world. Access to the software becomes
very easy.
iii) Mobile Application: Using mobile application becomes very easy as data is available 24 x 7.
P a g e | 35
Disadvantages of using Cloud applications are as follows:

i) Data Storage: Data is not stored in the user’s server computer. It is stored on a Cloud server. Hence
user will not have any control over the data.
ii) Data Security: Data security is a big challenge in case of Cloud application as the data is not in
control of the user or owner of data. It is maintained on a Cloud server.
iii) Performance: As data is picked from Cloud server using internet, speed of operation may be slower in
Cloud applications.
iv) Flexibility: Cloud applications do not even compare to the flexibility of desktop applications. If a user
wants to write a web application that basically interacts with the user’s hardware, installed/desktop
applications are preferable.
Concept Problem 12
Central database is the main feature of an Enterprise Resource Planning (ERP) System. As the complete data
is stored at one place, ensuring safety of data and minimizing risk of loss of data is a big challenge. As an IT
expert, discuss various risks involved during ERP implementation.
Or
ERP system integrates all business components and updates the data between related business functions.
However, its implementation is a huge task that may require lot of time, money and energy and its success
majorly depend upon issues related to factors like people, process, and technology. Briefly explain other
implementation risks, if any, apart from the issues related to the factors mentioned above.
Answer
Various risks involved during ERP implementation:
i) Lengthy implementation time: ERP projects are lengthy that takes anywhere between 1 to 4 years
depending upon the size of the organization. Due to technological developments happening every day,
the business and technological environment during the start and completion of the project will never
be the same. Employee turnover is another problem.
ii) Insufficient Funding: The budget for ERP implementation is generally allocated without consulting
experts and then implementation is stopped along the way, due to lack of funds.
iii) Data Safety: As there is only one set of data, if this is lost, whole business may come to stand still.
iv) Speed of Operation: As data is maintained centrally, gradually the data size becomes more and more
and it may reduce the speed of operation.
v) System Failure: As everybody is connected to a single system and central database, in case of failure
of system, the whole business may come to stand still may get affected badly.
vi) Data Access: Data is stored centrally and all the departments access the central data. This creates a
possibility of access to non-relevant data.
Concept Problem 13
Discuss in brief the following terms:
36 | P a g e

i) Regulatory Compliance
ii) Three tier Architecture of Application Software
iii) Role-based Access Control (RBAC) in ERP
Answer
i) Regulatory Compliance describes the goal that organizations aspire to achieve in their efforts to ensure
that they are aware of and take steps to comply with relevant laws, policies, and regulations. This
approach is used to ensure that all necessary governance requirements can be met without the
unnecessary duplication of effort and activity from resources.
In other words, Regulatory Compliance is an organization’s adherence to laws, regulations,

guidelines and specifications relevant to its business. Violations of regulatory compliance regulations
often result in legal punishment, including interest, penalty and prosecution in some cases.
The compliance and regulatory requirements can be classified in two types as under.
a) General – Applicable to all irrespective of anything.
b) Specific – Applicable to specific type of businesses only.
ii) Application software generally comprises of three layers which together form the application namely;
an Application Layer, an Operating System Layer and a Database Layer. This is called Three Tier
architecture.
a) Application Layer receives the inputs from the users and performs certain validations like, if the
user is authorized to request the transaction.
b) Operating System Layer then carries these instructions and processes them using the data stored
in the database and returns the results to the application layer.
c) Database Layer stores the data in a certain form.
iii) Role-Based Access Control (RBAC) is an approach to restricting system access to authorized users. It
is used by most entities & can implement mandatory access control or discretionary access control.
RBAC is a policy neutral access control mechanism defined around roles and privileges that lets
employees having access rights only to the information they need to do their jobs and prevent them
from accessing information that doesn't pertain to them. RBAC can be used to facilitate
administration of security in large organizations with hundreds of users and thousands of permissions.
Roles for staff are defined in organization and permission to access a specific system or perform
certain operation is defined as per the role assigned.
Concept Problem 14
Customer Relationship Management (CRM) is a system which aims at improving relationship with customers.
Briefly explain key benefits of CRM Module of ERP.
Or
ABC Ltd., a soft drink manufacturing company was established in 2010. The company has implemented some
modules of ERP and was managing good business in initial seven years of its establishment. After that, the
customer’s feedback indicated a decline in the sale and therefore, the targets could not be achieved. On
analyzing the customers’ feedback, the management decided to incorporate CRM Module of ERP System to
P a g e | 37
improvise its relationship with existing customers, find new prospective customers and win back former
customers. The company implemented CRM module and found acceleration in the growth of its sale for past
four years. Discuss various key benefits of CRM module that the company may have availed after
implementing CRM?
Answer
Key benefits of a Customer Relationship Management (CRM) module of ERP are as under:
i) Improved customer relations: One of the prime benefits of using a CRM is obtaining better customer
satisfaction. By using this strategy, all dealings involving servicing, marketing, and selling out products to
the customers can be carried out in an organized and systematic way. Better services can be provided to
customers through improved understanding of their issues and this in turn helps in increasing customer
loyalty and decreasing customer agitation. In this way, continuous feedback from the customers regarding
the products and services can be received. It is also possible that the customers may recommend the product
to their acquaintances, when efficient and satisfactory services are provided.
ii) Increase customer revenues: By using a CRM strategy for any business, the revenue of the company can be
increased. Using the data collected, marketing campaigns can be popularized in a more effective way. With
the help of CRM software, it can be ensured that the product promotions reach a different and brand-new set
of customers, and not the ones who had already purchased the product, and thus effectively increase the
customer revenue.
iii) Maximize up-selling and cross-selling: A CRM system allows up-selling which is the practice of giving
customers premium products that fall in the same category of their purchase. The strategy also facilitates
cross selling which is the practice of offering complementary products to customers, based on their previous
purchases. This is done by interacting with the customers and getting an idea about their wants, needs, and
patterns of purchase. The details thus obtained will be stored in a central database, which is accessible to all
company executives. So, when an opportunity is spotted, the executives can promote their products to the
customers, thus maximizing up-selling and cross selling.
iv) Better internal communication: Following a CRM strategy helps in building up better communication within
the company. The sharing of customer data between different departments will enable them to work as a
team. This is better than functioning as an isolated entity, as it will help in increasing the company’s
profitability and enabling better service to customers.
v) Optimize marketing: CRM enables to understand the customer needs and behaviour in a better way, thereby
allowing any enterprise to identify the correct time to market its product to the customers. CRM will also
give an idea about the most profitable customer groups, and by using this information, similar
prospective groups, at the right time will be targeted. In this way, marketing resources can be optimized
efficiently and time is not wasted on less profitable customer groups.
Concept Problem 15
A business organization is shifting from traditional accounting system to computerized accounting system.
The organization needs to store the data that is relatively permanent and not expected to change frequently
in accounting system. As a financial expert, suggest the types of data used in computerized accounting
38 | P a g e

system. How do you differentiate between Master Data and Non-Master Data in a computerized accounting
system? Give examples.
Or
Discuss the different ways in which Database Administrator (DBA) can store the data of ABC enterprise
implementing Accounting Information System (AIS).
Or
A business organization is shifting from traditional accounting system to computerized accounting system.
The organization needs to store the data that is relatively permanent and not expected to change frequently
in accounting system. As a financial expert, suggest any two types of such data in accounting system.
Or
As a Database Administrator, you are invited in a Conference to speak on Data Types in front of audience of
aspiring CA students. You decide to segment your lecture in two - Master Data & Non-Master Data and
identify different types of Master Data in Financial and Accounting systems. Determine the key points of
the content of your lecture.
Answer
1) Master data is relatively permanent data that is not expected to change again and again. It may
change, but not again and again. In accounting systems, there may be following type of master data.
i) Accounting Master Data: This includes names of ledgers, groups, cost centers, accounting voucher
types, etc. E.g. Capital Ledger is created once and not expected to change frequently. Similarly, all
other ledgers like sales, purchase, expenses and income ledgers are created once and not expected
to change again and again. Opening balance carried forward from previous year to next year is also
a part of master data and not expected to change.
ii) Inventory Master Data: This includes stock items, stock groups, godowns, inventory voucher types,
etc. Stock item is something which bought and sold for business purpose, trading goods. E.g., If a
person is into the business of dealing in white goods, stock items shall be Television, Fridge, Air
Conditioner, etc. For a person running a medicine shop, all types of medicines shall be stock items
for him/her.
iii) Payroll Master Data: Payroll is a system for calculation of salary and recoding of transactions
relating to employees. Master data in case of payroll can be names of employees, group of
employees, salary structure, pay heads, etc. These data are not expected to change frequently. E.g.,
Employee created in the system will remain as it is for a longer period of time, his/her salary
structure may change but not frequently, pay heads associated with his/ her salary structure will be
relatively permanent.
iv) Statutory Master Data: This is a master data relating to statute/law which may be different for
different type of taxes. E.g., Goods and Service Tax (GST), Nature of Payments for Tax Deducted at
Source (TDS), etc. This data also shall be relatively permanent. We don’t have any control on this
data as statutory changes are made by Government and not by us. In case of change in tax rates,
forms, categories; we need to update/change our master data.
2) Non-Master Data:
It is a data which is expected to change frequently, again and again and not a permanent data. E.g.,
Amounts recorded in each transaction shall be different every time and expected to change again and
P a g e | 39
again. Date recorded in each transaction is expected to change again and again and will not be constant
in all the transactions.
Concept Problem 16
Explain the following in brief:

i) Ideal ERP System
ii) Inventory/Stores Management
iii) Functional Audit
Answer
i) An Ideal ERP System is that system which caters all types of needs of an organization and provides
right data at right point of time to right users for their purpose. Hence, definition of ideal ERP system
may change per organization. But generally, an ideal ERP system is that system where a single
database is utilized and contains all data for various software modules. These software modules can
include Manufacturing, Financials, Human Resources, Supply Chain Management and Projects etc.
ii) Inventory/Stores Management: The inventory management system is designed with a view to keeping
the track of materials in the stores. The system is used to regulate the maximum and minimum level
of stocks, raise alarm at danger level stock of any material, give timely alert for re - ordering of
materials with optimal re-order quantity and facilitate various queries about inventory like total
inventory value at any time, identification of important items in terms of stock value (ABC Analysis),
identification most frequently moving objects (XYZ Analysis) etc.
Similarly, well designed inventory management system for finished goods and semi-finished goods
provides important information for production schedule and marketing/sales strategy.
iii) Functional Audit: This includes testing of different functions / features in the system and testing of
the overall process or part of process in the system and its comparison with the actual process.
Example - Purchase Process, Sales Process, Salary Calculation Process, Recruitment Process etc. Auditor
may check this process in the system and compare it with actual process. It is quite possible that all
the aspect present in the actual process may not be integrated in the ERP system. There may be some
manual intervention.
Concept Problem 17
Explain the significance of Front End and Back End in a software.
Answer
Front End of a Software:
It is part of the overall software which interacts with the user who is using the software. For example - If a
user wants to have some information from the Balance Sheet; user will interact with Front End part of the
software and request front end to generate the report.
Back End of a Software:
40 | P a g e

It is a part of the overall software which does not directly interact with the user, but interact with Front
End only. Front End will receive the instruction from user and pass it on to the back end. Back End will
process the data, generate the report and send it to the front end. Front end will then display the
information to user.
Concept Problem 18
Major feature of an ERP system is central database. Which are the options possible to different users while
assigning access to it?
Answer
While assigning access to different users in an ERP System, following options are possible.
i) Create – Allows to create data.
ii) Alter – Allows to alter data.
iii) View – Allows only to view data.
iv) Print – Allows to print data.
Above type of access can be allowed/disallowed for:

a) Master Data
b) Transaction Data
c) Reports
Concept Problem 19
Being an IT consultant to a government agency PQR, identify the most common open international
standard, that should be used by the agency for their standardized digital business reporting. Support the
recommendation by preparing a list of its important features also.
Answer
eXtensible Business Reporting Language (XBRL) is an open international standard for digital business
reporting that provides a language in which reporting terms can be authoritatively defined. Those terms can
be used to uniquely represent the contents of financial statements or other kinds of compliance,
performance and business reports. XBRL lets reporting information move between organizations rapidly,
accurately and digitally.
XBRL is a standard-based way to communicate and exchange business information between business
systems. These communications are defined by metadata set out in taxonomies, which capture the
definition of individual reporting concepts as well as the relationships between concepts and other semantic
meaning. Information being communicated or exchanged is provided within an XBRL instance.
Important features of XBRL are as follows:

i) Clear Definitions: XBRL allows the creation of reusable, authoritative definitions, called taxonomies,
that capture the meaning contained in all the reporting terms used in a business report, as well as the
relationships between all the terms.
ii) Testable Business Rules: XBRL allows the creation of business rules that constrain what can be
reported. Business rules can be logical or mathematical, or both and can be used, for example, these
business rules can be used to stop poor quality information being sent to a regulator or third party, by
P a g e | 41
being run by the preparer while the report is in draft; stop poor quality information being accepted by
a regulator or third party, by being run at the point that the information is being received.
iii) Multi-lingual Support: XBRL allows concept definitions to be prepared in as many languages as
necessary. Translations of definitions can also be added by third parties. This means that it’s possible
to display a range of reports in a different language to the one that they were prepared in, without any
additional work. The XBRL community makes extensive use of this capability as it can automatically
open up reports to different communities.
iv) Strong Software Support: XBRL is supported by a very wide range of software from vendors large and
small, allowing a very wide range of stakeholders to work with the standard.
Concept Problem 20
Define Business Reporting. Determine the factors that makes Business Reporting significant.
Answer
Business Reporting is the public reporting of operating and financial data by a business enterprise, or the
regular provision of information to decision-makers within an organization to support them in their work.
Reporting is a fundamental part of the larger movement towards improved business intelligence and
knowledge management. Often implementation involves Extract, Transform, and Load (ETL) procedures in
coordination with a data warehouse and then using one or more reporting tools. While reports can be
distributed in print form or via email, they are typically accessed via a corporate intranet.
Significance of Business Reporting is as follows:

i) Effective and transparent business reporting allows organizations to present a cohesive explanation of
their business and helps them engage with internal and external stakeholders, including customers,
employees, shareholders, creditors, and regulators.
ii) High-quality business reporting is at the heart of strong and sustainable organizations, financial
markets, and economies, as this information is crucial for stakeholders to assess organizational
performance and make informed decisions with respect to an organization’s capacity to create and
preserve value.
iii) As organizations fully depend on their stakeholders for sustainable success, it is in their interest to
provide them with high-quality reports. For example, effective high- quality reporting reduces the risk
for lenders and may lower the cost of capital.
iv) Many organizations are increasingly complex, and have larger economic, environmental, and social
footprints. As a result, various stakeholder groups are demanding increased Environmental, Social and
Governance (ESG) information, as well as greater insight into how these factors affect financial
performance and valuations.
v) High-quality reports also promote better internal decision-making. High-quality information is integral
to the successful management of the business, and is one of the major drivers of sustainable
organizational success.
Concept Problem 21
42 | P a g e

Sales and Distribution Process that is used by organizations to support sales and distribution activities of
products and services, starting from enquiry to order and then ending with delivery is one of the most
important modules in ERP. Determine the various activities that are involved in Sales & Distribution Process.
Or
ABC Ltd. is planning to implement some modules of Enterprise Resource Planning (ERP) system to manage
different aspects related to its various business processes. Determine in specific various Sales and
Distribution activities that enterprise may get support from ERP framework.
Answer
The various activities that are involved in a Sales and Distribution Process are as follows:
i) Pre-Sales Activities: This includes prospecting of customers, identifying prospective customers, gathering
data, contacting them and fixing appointments, showing demo, submission of quotations, etc.
ii) Sales Order: Sales order is recorded in our books after getting a confirmed purchased order from our
customer. Sales order shall contain details just like purchase order. E.g., Stock Item Details, Quantity,
Rate, Due Date of Delivery, Place of Delivery, etc.
iii) Inventory Sourcing: It includes making arrangements before delivery of goods, ensuring goods are ready
and available for delivery.
iv) Material Delivery: Material is delivered to the customer as per sales order. All inventory details are
copied from Sales Order to Material Delivery for saving user’s time and efforts. This transaction shall
have a linking with Sales Order. Stock balance shall be reduced on recording of this transaction.
v) Billing: This is a transaction of raising an invoice against the delivery of material to customer. This
transaction shall have a linking with Material Delivery and all the details shall be copied from it. Stock
balance shall not affect again.
vi) Receipt from Customer: This is a transaction of receiving amount from customer against sales invoice
and shall have a linking with sales invoice.
Concept Problem 22
ERP implementation is the difficult task as the organization which is in the process of implementing ERP
should keep abreast of latest technological development. Describe the different risks associated with
technology while implementing ERP.
Or
XYZ Ltd. is the manufacturer of herbal medicines which is under the process of implementing Enterprise
Resource Planning (ERP) in its head office and various manufacturing units located across the country.
Explain the technological risks related to the implementation of ERP.
Answer
Various risks associated with technology while implementing ERP are as following:
i) Software Functionality: ERP systems offer a myriad of features and functions, however, not all
organizations require those many features. Implementing all the functionality and features just for
the sake of it can be disastrous for an organization.
ii) Technological Obsolescence: With the advent of more efficient technologies every day, the ERP system
P a g e | 43
also becomes obsolete as time goes on.
iii) Enhancement and Upgrades: ERP Systems are not upgraded and kept up-to-date. Patches and
upgrades are not installed and the tools are underutilised.
iv) Application Portfolio Management: These processes focus on the selection of new business applications
and the projects required delivering them.
Concept Problem 23
In a Financial and Accounting System, there is a document that is used as documentary evidence of any
transaction. List different types of documentary evidences used in inventory module of Accounting System.
Answer
The different types of documentary evidence used in Inventory Module are as follows:
i) Purchase Order- For recording of a purchase order raised on a vendor.
ii) Sales Order- For recording of a sales order received from a customer.
iii) Stock Journal- For recording of physical movement of stock from one location to another.
iv) Physical Stock-For making corrections in stock after physical counting.
v) Delivery Note- For recording of physical delivery of goods sold to a customer.
vi) Receipt Note- For recording of physical receipt of goods purchased from a vendor.
Concept Problem 24
As an IS Auditor, determine a checklist for the audit of ERP system in an organization. Also, summarize the
auditing aspects of ERP systems.
Answer
Checklist to be followed by an IS Auditor for the audit of ERP Systems are as follows:
i) Does the system process according to GAAP (Generally Accepted Accounting Principles) and GAAS
(Generally Accepted Auditing Standards)?
ii) Does it meet the needs for reporting, whether regulatory or organizational?
iii) Were adequate user requirements developed through meaningful interaction?
iv) Does the system protect confidentiality and integrity of information assets?
v) Does it have controls to process only authentic, valid, accurate transactions?
vi) Are effective system operations and support functions provided?
vii) Are all system resources protected from unauthorized access and use?
viii) Are user privileges based on what is called ‘role-based access?’
ix) Is there an ERP system administrator with clearly defined responsibilities?
x) Is the functionality acceptable? Are user requirements met? Are users happy?
xi) Have workarounds or manual steps been required to meet business needs?
xii) Are there adequate audit trails and monitoring of user activities?
44 | P a g e

xiii) Can the system provide management with suitable performance data?
xiv) Are users trained? Do they have complete and current documentation?
xv) Is there a problem-escalation process?
Auditing aspects in case of any ERP system can be summarized as under:
(i) Auditing of Data

a) Physical Safety – Ensuring physical control over data.
b) Access Control – Ensuring access to the system is given on “need to know” (a junior accountant
need not view Profit & Loss Account of the business) and “need to do basis” (HR executive need not
record a Purchase Order).
(ii) Auditing of Processes

a) Functional Audit - This includes testing of different functions / features in the system and testing
of the overall process or part of process in the system and its comparison with actual process. E.g.,
Purchase Process, Sales Process, Salary Calculation Process, Recruitment Process, etc. Auditor may
check this process in the system and compare it with actual process. It is quite possible that all the
aspect present in the actual process may not be integrated in the ERP system. There may be some
manual intervention.
b) Input Validations - This stand for checking of rules for input of data into the system. E.g., a
transaction of cash sales on sales counter must not be recorded in a date other than today (not a
future date or a back date), amount field must not be zero, stock item field shall not be empty, etc.
Input validations shall change according to each data input form.
Concept Problem 25
Discuss the peculiarities that must be considered while allotting a voucher number to a voucher.
Answer
A Voucher Number or a Document Number is a unique identity of any voucher/ document. A voucher may be
identified or searched using its unique voucher number.
The peculiarities that must be considered while allotting a voucher number to a voucher are as follows:
i) Voucher number must be unique.
ii) Every voucher type shall have a separate numbering series
iii) A voucher number may have prefix or suffix or both, e.g., ICPL/2034/17-18. In this case, “ICPL” is the
prefix, “17-18” is the suffix and “2034” is the actual number of the voucher.
iv) All vouchers must be numbered serially, i.e., 1,2,3,4,5,6 and so on.
v) All vouchers are recorded in chronological order and hence voucher recorded earlier must have an earlier
number, i.e., if voucher number for a payment voucher having date as 15th April 2017 is 112, voucher
number for all the vouchers recorded after this date shall be more than 112 only.
Concept Problem 26
Describe the concept of eXtensible Business Reporting Language (XBRL) Tagging.
Answer
P a g e | 45
XBRL Tagging: It is the process by which any financial data is tagged with the most appropriate element in
an accounting taxonomy (a dictionary of accounting terms) that best represents the data in addition to tags
that facilitate identification/classification (such as enterprise, reporting period, reporting currency, unit of
measurement etc.). Since all XBRL reports use the same taxonomy, numbers associated with the same
element are comparable irrespective of how they are described by those releasing the financial statements.
Comprehensive definitions and accurate data tags allow preparation, validation, publication, exchange,
consumption; and analysis of business information of all kinds. Information in reports prepared using the
XBRL standard is interchangeable between different information systems in entirely different organizations.
This allows for the exchange of business information across a reporting chain. People that want to report
information, share information, publish per romance information and allow straight through information
processing all rely on XBRL.
In addition to allowing the exchange of summary business reports, like financial statements, and risk and
performance reports, XBRL has the capability to allow the tagging of transactions that can themselves be
aggregated into XBRL reports. These transactional capabilities allow system- independent exchange and
analysis of significant quantities of supporting data and can be the key to transforming reporting supply
chains.
Concept Problem 27
Quality Management Module helps in management of quality in productions across processes in an
organization. Analyze the process of Quality Management Module.
Answer
Quality Management Module helps in management of quality in productions cross processes in an
organization. This quality management module helps an organization to accelerate their business by
adopting a structured and functional way of managing quality in different processes. Quality Management
module collaborates in procurement and sales, production, planning, inspection, notification, control, audit
management and so on.
Fig. below shows Process in Quality Management Module.
46 | P a g e

Quality Management Process includes the following:
▪ Master data and standards are set for quality management;
▪ Set Quality Targets to be met;
▪ Quality management plan is prepared;
▪ Define how those quality targets will be measured;
▪ Take the actions needed to measure quality;
▪ Identify quality issues and improvements and changes to be made;
▪ In case of any change is needed in the product, change requests are sent;
▪ Report on the overall level of quality achieved; and
▪ Quality is checked at multiple points, e.g., inwards of goods at warehouse, manufacturing, procurement,
returns.
Concept Problem 28
What is an MIS Report and who uses it?
Answer
MIS Report: Business managers at all levels of an organization, from assistant managers to executives, rely
on reports generated from these systems to help them evaluate their business’ daily activities or problems
that arise, make decisions, and track progress. MIS system reporting is used by businesses of all sizes and
in every industry.
MIS systems automatically collect data from various areas within a business. These systems can produce
daily reports that can be sent to key members throughout the organization. Most MIS systems can also
generate on-demand reports that allow managers and other users of the system to generate an MIS report
whenever they need it.
Many large businesses have specialized MIS departments, whose only job is to gather business information
and create MIS reports. Some of these businesses use sophisticated computing technology and software to
P a g e | 47
gather information. Smaller businesses often use simple software programs and spreadsheets for their MIS
reporting needs. There can be as many types of MIS reports as there are divisions within a business.
For example, information about sales revenue and business expenses would be useful in MIS reports for
finance and accounting managers. Warehouse managers would benefit from MIS reports about product
inventory and shipping information. Total sales from the past year could go into an MIS report for
marketing and sales managers.
Concept Problem 29
As an accountant, you are advised to address an audience of students and speak on different types of
Vouchers used in Financial and Accounting Systems. Prepare your notes.
Answer
In accounting language, a Voucher is a documentary evidence of a transaction. There may be different
documentary evidences for different types of transactions. E.g., Receipt given to a customer after making
payment by him/her is documentary evidence of amount received. A sales invoice, a purchase invoice, is
also a documentary evidence of transaction.
In computer language, the word “Voucher” is a place where transactions are recorded. It is a data input form
for inputting transaction data. In accounting, there may be different types of transactions, hence we use
different voucher types for recording of different transactions. Generally following types of vouchers are used
in accounting systems as shown in the Table below:
Sr. Voucher Type Module Use

No. Name
1 Contra Accounting For recording of four types of transactions as under.
a. Cash deposit in bank
b. Cash withdrawal from bank
c. Cash transfer from one location to another.
d. Fund transfer from our one bank account to our own
another bank account.
2 Payment Accounting For recording of all types of payments. Whenever the money
is going out of business by any mode (cash/bank).
3 Receipt Accounting For recording of all types of receipts. Whenever money is
being received into business from outside by any mode
(cash/bank).
4 Journal Accounting For recording of all non-cash/bank transactions. E.g.,
Depreciation, Provision, Write-off, Write-back, discount
given/received, Purchase/Sale of fixed assets on credit, etc.
5 Sales Accounting For recording all types of trading sales by any mode
(cash/bank/credit).
6 Purchase Accounting For recording all types of trading purchase by any mode
48 | P a g e

Sr. Voucher Type Module Use
No. Name
(cash/bank/credit).
7 Credit Note Accounting For making changes/corrections in already recorded
sales/purchase transactions.
8 Purchase Order Inventory For recording of a purchase order raised on a vendor.
9 Sales Order Inventory For recording of a sales order received from a customer.
10 Stock Journal Inventory For recording of physical movement of stock from one
location to another.
11 Physical Stock Inventory For making corrections in stock after physical counting.
12 Delivery Note Inventory For recording of physical delivery of goods sold to a
customer.
13 Receipt Note Inventory For recording of physical receipt of goods purchased from a
vendor.
14 Attendance Payroll For recording of attendance of employees.
15 Payroll Payroll For salary calculations.
Concept Problem 30
Cloud based applications are now taking over Installed applications. What are the major differences between
Cloud based Applications and Installed Applications? Explain any four.
Answer
Differences between Cloud based Applications and Installed Applications are given below:
Particulars Cloud based Application Installed Applications

Installation and As software is installed on hard disc of Installation on user computer is not
Maintenance the computer used by user, it needs to required. Update and maintenance are
be installed on every computer one by defined responsibility of service provider.
one. This may take lot of time. Also,
maintenance and updating of software
may take lot of time and efforts.
Accessibility As software is installed on the hard disc As software is available through online
of the user’s computer, user needs to go access, to use the software a browser
the computer only, i.e., the computer and an internet connection is needed. It
where software is installed, to use the can be used from any computer in the
software. It cannot be used from any world. Access to the software becomes
computer very easy. Also, it can be used 24 x 7.
Mobile Application Using the software through mobile Mobile application becomes very easy as
application is difficult in this case. data is available 24x7. As technology
evolves, mobile technology is becoming
an industry norm that makes cloud-
based application future oriented.
P a g e | 49
Particulars Cloud based Application Installed Applications

Data Storage Data is physically stored in the premises Data is not stored in the user’s server
of the user, i.e., on the hard disc of the computer. It is stored on a web server.
user’s server computer. Hence user will Ownership of data is defined in Service
have full control over the data Level Agreement (SLA) that defines the
rights, responsibilities and authority of
both service provider and service user
Data security As the data is in physical control of the Data security is a challenge in case of
user, user shall have the full physical cloud-based application as the data is
control over the data and he/she can not in control of the user or owner of
ensure that it is not accessed without data. As time evolves; SLAs provides for
proper access. details of back-up, disaster recovery
alternatives being used by service
provider
Performance A well written installed application shall Access is dependent on speed of internet.
always be faster than web application, Slow internet slows access to information
reason being data is picked from local and may slow operations.
server without internet.
Flexibility It shall have more flexibility and controls The success of cloud-based applications
as compared to web application. It is is that they allow flexibility against both
very easy to write desktop application to capital expenditure (CAPEX) and
Take advantage of the user’s hardware operating expenses (OPEX) to the user.
(such as scanners, cameras, Wi-Fi, serial User can scale up operations as per need.
ports, etc. Installed application have this
dis-advantage of Higher capital
expenditure (CAPEX) in comparison to
cloud-based application
Concept Problem 31
Many organizations are implementing Enterprise Resource Planning (ERP) software, where it integrates all of
the processes needed to run their business with a single system. As a system analyst, briefly explain the
benefits of ERP Systems.
Answer
Benefits of an Enterprise Resource Planning (ERP) System are as follows:
i) Information integration: The reason ERP systems are called integrated is because they possess the
ability to automatically update data between related business functions and components. For example
- one needs to only update the status of an order at one place in the order-processing system; and all
the other components will automatically get updated.
ii) Reduction of lead-time: The elapsed time between placing an order and receiving it is known as the
Lead-time. The ERP Systems by virtue of their integrated nature with many modules like Finance,
50 | P a g e

Manufacturing, Material Management Module etc.; the use of the latest technologies like EFT
(Electronic Fund Transfer), EDI (Electronic Data Interchange) reduce the lead times and make it
possible for the organizations to have the items at the time they are required.
iii) On-time Shipment: Since the different functions involved in the timely delivery of the finished goods
to the customers- purchasing, material management production, production planning, plant
maintenance, sales and distribution – are integrated and the procedures automated; the chances of
errors are minimal and the production efficiency is high. Thus, by integrating the various business
functions and automating the procedures and tasks the ERP system ensures on-time delivery of goods
to the customers.
iv) Reduction in Cycle Time: Cycle time is the time between placement of the order and delivery of the
product. In an ERP System; all the data, updated to the minute, is available in the centralized
database and all the procedures are automated, almost all these activities are done without human
intervention. This efficiency of the ERP systems helps in reducing the cycle time.
v) Better Customer Satisfaction: Customer satisfaction means meeting or exceeding customer’s

requirements for a product or service. With the help of web-enabled ERP systems, customers can place
the order, track the status of the order and make the payment sitting at home. Since all the details of
the product and the customer are available to the person at the technical support department also, the
company will be able to better support the customer.
vi) Improved Supplier Performance: ERP systems provide vendor management and procurement support
tools designed to coordinate all aspects of the procurement process. They support the organization in
its efforts to effectively negotiate, monitor and control procurement costs and schedules while assuring
superior product quality.
vii) Increased Flexibility: ERP Systems help the companies to remain flexible by making the company
information available across the departmental barriers and automating most of the processes and
procedures, thus enabling the company to react quickly to the changing market conditions.
viii) Reduced Quality Costs: Quality is defined in many different ways- excellence, conformance to
specifications, fitness for use, value for the price and so on. The ERP System’s central database
eliminates redundant specifications and ensures that a single change to standard procedures takes
effect immediately throughout the organization. The ERP systems also provide tools for implementing
total quality management programs within an organization.
ix) Better Analysis and Planning Capabilities: Another advantage provided by ERP Systems is the boost to
the planning functions. By enabling the comprehensive and unified management of related business
functions such as production, finance, inventory management etc. and their data, it becomes possible
to utilize fully many types of Decision Support Systems (DSS) and simulation functions, what-if
analysis and so on; thus, enabling the decision-makers to make better and informed decisions.
x) Improved information accuracy and decision-making capability: The three fundamental

characteristics of information are accuracy, relevancy and timeliness. The information needs to be
accurate, relevant for the decision-maker and available to the decision-makers when he requires it.
The strength of ERP Systems- integration and automation – help in improving the information
accuracy and help in better decision-making.
P a g e | 51
xi) Use of Latest Technology: ERP packages are adapted to utilize the latest developments in Information
Technology such as open systems, client/server technology, Cloud Computing, Mobile computing etc. It
is this adaptation of ERP packages to the latest changes in IT that makes the flexible adaptation to
changes in future development environments possible.
Concept Problem 32
ERP systems are expected to produce accurate, complete, and authorized information, and therefore require
major security aspects that involve physical safety, input validations and access control mechanism. In light
of this statement, explain the importance of Role Based Access Control in an ERP system.
Answer
Role Based Access Control (RBAC) is an approach to restricting system access to authorized users. RBAC
sometimes referred to as Role-Based Security is a policy neutral access control mechanism defined around
roles and privileges that lets employees having access rights only to the information they need to do their
jobs and prevent them from accessing information that doesn't pertain to them. It is used by most
enterprises and can implement Mandatory Access Control (MAC) or Discretionary Access Control (DAC).
▪ MAC criteria are defined by the system administrator strictly enforced by the Operating System and are
unable to be altered by end users. Only users or devices with the required information security clearance
can access protected resources. Organizations with varying levels of data classification, like government
and military institutions, typically use MAC to classify all end users.
▪ DAC involves physical or digital measures and is less restrictive than other access control systems as it
offers individuals complete control over the resources they own. The owner of a protected system or
resource sets policies defining who can access it.
The components of RBAC such as role-permissions, user-role and role-role relationships make it simple to
perform user assignments. RBAC can be used to facilitate administration of security in large organizations
with hundreds of users and thousands of permissions. Roles for staff are defined in organization and
permission to access a specific system or perform certain operation is defined as per the role assigned. For
example - a junior accountant in accounting department is assigned a role of recording basic accounting
transactions, an executive in human resource department is assigned a role of gathering data for salary
calculations on monthly basis, etc.
Concept Problem 33
Data Analytics refers to assortment of applications, reporting and online analytical processing to various
forms of advance analytics. Explain different advanced data analytics techniques.
Answer
The different advanced Data Analytics techniques are as follows:
a) Data Mining involves sorting through large data sets to identify trends, patterns and relationships;
b) Predictive Analytics seeks to predict customer behaviour, equipment failures and other future events;
and
c) Machine Learning is an artificial intelligence technique that uses automated algorithms to churn through
52 | P a g e

data sets more quickly than data scientists can do via conventional analytical modelling.
3. C A S E S T U D Y B A S E D MCQ I – S TU D Y M A T E R IA L
XYZ a leading publication house of Delhi was facing many issues like delay in completing the order of its
customers, manual processing of data, increased lead time, inefficient business processes etc. Hence, the top
management of XYZ decided to get SAP - an ERP system implemented in the publication house.
Using the proper method of vendor selection, Digisolution Pvt. Ltd. was selected to implement SAP software in
XYZ publication house. To implement the software, the IT team of Digisolution Pvt. Ltd. visited XYZ’s office
number of times and met its various officials to gather and understand their requirements. With due
diligence, the SAP software was customized and well implemented in the publishing house.
After the SAP implementation, the overall system became integrated and well connected with other
departments. This raised a concern in the mind of few employees of XYZ worrying about their jobs’ security
leading to quitting of jobs. The top management of XYZ showed its concern on this issue and wanted to
retain few of its employees.
Answer the following questions:
1. Imagine that you are core team member of Digisolution Pvt. Ltd. While customizing the Sales and
Distribution Module of SAP software, you need to know the correct sequence of all the activities involved
in the module.
Identify the correct option that reflects the correct sequence of the activities.
(i) Material Delivery
(ii) Billing
(iii) Pre-Sales Activities
(iv) Sales Order
(v) Payments
(vi) Inventory Sourcing
Choose the correct sequence from the following
(a) (i) - (iii) – (ii) – (iv) – (v)- (vi)
(b) (ii) – (iv)- (vi) – (iii) – (i) – (v)
(c) (iii)- (iv) – (vi)- (i) –(ii) – (v)
(d) (iv)- (i) – (iii), (v), (ii), (vi)
2. In purview of above situation, which of the following control can be helpful to management of XYZ
publishing house to retain its employees and stopping them to leave the company?
(a) Training can be imparted to employees by skilled consultant.
(b) Allocation of employees to task matching their skill set, fixing of compensation package.
(c) Management should stop the implementation of ERP.
(d) Backup arrangement is required.
3. The SAP software was successfully implemented by XYZ publication house after overcoming many
challenges. The risk associated with “Patches and upgrades not installed and the tools being
underutilized” belongs to __________ risk.
(a) Technological
(b) Implementation
(c) People
P a g e | 53
(d) Process
C A S E B A S E D MCQ S 2 – IC AI S T U D Y M A T ER I A L
Unique Services, a well-established firm of Chartered Accountants with nine branches at different locations
in Delhi, deals in accounting, auditing and taxation assignments like – return filing, corporate taxation and
planning, company formation and registration of foreign companies etc. The firm has its own ERP software.
The firm decided to come up with Real Estate Regulatory Authority (RERA) registration which requires
upgradation in its software. Hence, the principal partner of the firm asked its associate partner to prepare a
list of various clients dealing in construction and development of flats, commercial properties etc.
The firm’s management took care to select the vendor to upgrade their ERP software which will act as an
online assistant to its clients providing them the complete details about registration and filling of various
forms and resolving their frequently asked questions. The firm also wanted a safe and secure working
environment for their employees to filing various forms under RERA Act on behalf of clients using digital
signature. The management also instructed its employees to mandatorily use Digital Signature of clients for
fair practices and any dishonesty found in this regard may lead to penal provisions under various act
including IT Act, 2000.
Answer the following questions:
1. In purview of case scenario, Unique Services requires to make changes in its software for its users for
RERA related matters. Identify the part of the overall software which actually interacts with the users
using the software?
(a) Back end
(b) Front end
(c) Middle layer
(d) Reports
2. The firm decided to have an online assistant for its clients to provide complete details regarding
taxation, registration and filling of various forms and solve their queries. This is an example of
___________ application.
(a) Installed application
(b) Web Application
(c) Cloud Based Application
(d) Direct Application
3. While filling the tax for its client ABC, the firm Unique Services enters the detail of its TDS and GST in
the requisite forms. Identify from the following which type of master data it belongs to?
(a) Accounting Master Data
(b) Inventory Master Data
(c) Statutory Master Data
(d) Payroll master Data
Answer Key
MCQ 1 1. C 2. B 3. A
MCQ 2 1. B 2. C 3. C
54 | P a g e
Information Systems and Its Components May 22
C HAPTER 3
INFORMATION SYSTEMS AND ITS COMPONENTS
Believe you Can and you’re

halfway there.
Coverage
Concept Problem 1
Information System Model is responsible to convert the data into information which is useful and meaningful
to the user. Explain all steps involved in Information System Model.
Answer
An Information System model comprises of following steps:
i) Input: Data is collected from an organization or from external environments and converted into
suitable format required for processing.
ii) Process: A process is a series of steps undertaken to achieve desired outcome or goal. Information
Systems are becoming more and more integrated with organizational processes, bringing more
productivity and better control to those processes.
iii) Output: Then information is stored for future use or communicated to user after application of
respective procedure on it.
iv) Storage: Storage of data shall be done at the most detailed level possible. Regular backups should be
stored in a geographically different locations to avoid impact on both the original data and the
backup data storage due to any major disasters such as flooding or fires etc.
P a g e | 55
May 22 Information Systems and Its Components
v) Feedback: Apart from these activities, information systems also need feedback that is returned to
appropriate members of the enterprises to help them to evaluate at the input stage.
Concept Problem 2
Discuss briefly the components of Computer based Information Systems.

Answer
Information Systems are networks of hardware and software that people and organizations use to create,
collect, filter, process and distribute data.
Information Systems are interrelated components working together to collect, process, and store and
disseminate information to support decision-making, coordination, control, analysis and visualization in an
organization.
An Information System comprise of People, Hardware, Software, Data and Network for communication
support
i) People mean all those who operate, manage, maintain and use the system i.e., system administrator, IS
personnel, programmers and end users i.e., the persons, who can use hardware and software for
retrieving the desired information.
ii) Computer systems comprising of hardware and software. Hardware means the physical components of
the computers i.e., server or smart terminals with different configurations like corei3/corei5/corei7/corei9
processors etc. and software means the system software (operating systems), application software
(different type of computer programs designed to perform specific task) and utility software (e.g.,
tools).
iii) Data Resources – Data is the raw fact which is input to the system. It may be alphanumeric, text,
image, video, audio, and other forms.
iv) Network and communication system – Network means communication media (Internet, Intranet,
Extranet etc.).
Concept Problem 3
Discuss the term ’Operating System’ and various operations performed by it.
56 | P a g e
Answer
An Operating System (OS) is a set of computer programs that manages computer hardware resources and
acts as an interface with computer applications programs. The operating system is a vital component of
the system software in a computer system.
A variety of activities are executed by Operating Systems which include:
i) Performing hardware functions: Operating System acts as an intermediary between the application
program and the hardware by obtaining input from keyboards, retrieve data from disk and display
output on monitors
ii) User Interfaces: Nowadays, Operating Systems are Graphic User Interface (GUI) based which uses icons
and menus like in the case of Windows.
iii) Hardware Independence: Operating System provides Application Program Interfaces (API), which can be
used by application developers to create application software, thus obviating the need to understand the
inner workings of OS and hardware. Thus, OS gives us hardware independence.
iv) Memory Management: Operating System allows controlling how memory is accessed and maximize
available memory and storage.
v) Task Management: This facilitates a user to work with more than one application at a time i.e.,
multitasking and allows more than one user to use the system i.e., time sharing.
vi) Networking Capability: Operating systems can provide systems with features and capabilities to help
connect computer networks like Linux & Windows 8.
vii) Logical Access Security: Operating systems provide logical security by establishing a procedure for
identification and authentication using a User ID and Password.
viii) File management: The operating system keeps a track of where each file is stored and who can access
it, based on which it provides the file retrieval.
Concept Problem 4
Database Management Systems (DBMS) is a software that aids in organizing, controlling and using the data
needed by the application program However, there are many advantages and disadvantages associated with
it. Discuss them.
Or
ABC Pvt. Ltd. is a brand manufacturer of automobile parts with huge clientele all over the country. The
company maintains the data of its clients in Oracle-the Database management software. Explain the
advantages that the company would be benefitted with by using Database Management System (DBMS).
Answer
Major advantages of Database Management System (DBMS) are as follows:
i) Permitting Data Sharing: One of the principal advantages of a DBMS is that the same information can
be made available to different users.
ii) Minimizing Data Redundancy: In a DBMS, duplication of information or redundancy is, if not
P a g e | 57
eliminated, carefully controlled or reduced i.e., there is no need to repeat the same data repeatedly.
Minimizing redundancy reduces significantly the cost of storing information on storage devices.
iii) Integrity can be maintained: Data integrity is maintained by having accurate, consistent, and up-to-
date data. Updates and changes to the data only must be made in one place in DBMS ensuring
Integrity.
iv) Program and File consistency: Using a DBMS, file formats and programs are standardized. The level of
consistency across files and programs makes it easier to manage data when multiple programmers
are involved as the same rules and guidelines apply across all types of data.
v) User-friendly: DBMS makes the data access and manipulation easier for the user. DBMS also reduces
the reliance of users on computer experts to meet their data needs.
vi) Improved security: DBMS allows multiple users to access the same data resources in a controlled
manner by defining the security constraints. Some sources of information should be protected or
secured and only viewed by select individuals. Using passwords, DBMS can be used to restrict data
access to only those who should see it.
vii) Achieving program/data independence: In a DBMS, data does not reside in applications, but data base
program & data are independent of each other.
viii) Faster Application Development: In the case of deployment of DBMS, application development
becomes fast. The data is already therein databases, application developer has to think of only the
logic required to retrieve the data in the way a user need.
Disadvantages of a DBMS
i) Cost: Implementing a DBMS system in terms of both system and user-training can be expensive and
time-consuming, especially in large enterprises. Training requirements alone can be quite costly.
ii) Security: Even with safeguards in place, it may be possible for some unauthorized users to access the
database. If one gets access to database, then it could be an all or nothing proposition.
Concept Problem 5
Discuss Boundary Controls under Application Control framework in detail.
Answer
Boundary control is one of the Application access control mechanisms that links the authentic users to the
authorized resources, they are permitted to access.
The boundary subsystem establishes the interface between the would-be user of a computer system and
the computer itself.
Major Boundary Control are as follows:
i) Cryptographic Controls: It deals with programs for transforming data into cipher text that are
meaningless to anyone, who does not possess the authentication to access the respective system
resource or file.
A cryptographic technique encrypts data (clear text) into cryptograms (cipher text) and its strength
58 | P a g e
depends on the time and cost to decipher the cipher text by a cryptanalyst.
ii) Access Controls: These controls restrict the use of computer system resources to authorized users and
limit the actions authorized users can take with these resources.
The access control mechanism involves three steps:
a) User Identification - done by user itself by providing his/ her unique user id allotted to him/her or
account number.
b) Authentication mechanism is used for proving the identity with the help of a password or
biometric identification including thumb impression, eye retina etc.
c) Authorization - refers to the set of actions allowed to a user once authentication is done
successfully. For example – Read, Write, Print, etc. permissions allowed to an individual user.
iii) Personal Identification Numbers (PIN): It is a form of remembered information used to authenticate
users like verification of customers in electronic fund transfer systems.
PIN is like a password assigned to a user by an institution, a random number stored in its database
independent to a user identification details.
iv) Digital Signatures: Digital Signature (a string of 0’s and 1’s) is used as an analog signature for e-
documents. Digital Signatures are not constant like analog signatures – they vary across messages
and cannot be forged.
v) Plastic Cards: While PIN and Digital Signatures are used for authentication purposes, plastic cards are
used primarily for identification purpose.
This includes the phases namely - application for a card, preparation of the card, issue of the card,
use of the card and card return or card termination.
Concept Problem 6
Discuss Corrective Controls with the help of examples. Also, discuss their broad characteristics in brief.
Or
Identify the control that is used to correct errors, omissions or incidents once they have been detected.
Enlist its major characteristics as well.
Answer
Corrective Controls are used to correct errors, omissions or incidents once they have been detected. These
corrective processes also should be subject to preventive and detective controls, because they represent
another opportunity for errors, omissions, or falsification.
Corrective controls are designed to reduce the impact or correct an error once it has been detected.
Examples of Corrective Controls vary from simple correction of data-entry errors, to identifying & removing
unauthorized users or software from systems or networks, to recovery from incidents, disruptions, or
disasters. “Complete changes to IT access lists if individual’s role changes” is also example of corrective
control.
The main characteristics of the corrective controls are as follows:
P a g e | 59
a) Minimizing the impact of the threat;

b) Identifying the cause of the problem;
c) Providing Remedy to the problems discovered by detective controls;
d) Getting feedback from preventive and detective controls;
e) Correcting error arising from a problem; and
f) Modifying the processing systems to minimize future occurrences of the incidents.
Concept Problem 7
Describe the term Preventive Controls and provide suitable examples. Also, discuss their broad characteristics.
Answer
Preventive controls prevent errors, omissions, or security incidents from occurring. It can be implemented in
both manual and computerized environment for the same purpose. Only, the implementation methodology
may differ from one environment to the other.
Some of the examples of preventive controls can be

➢ Employing qualified personnel;
➢ Segregation of duties;
➢ Access control;
➢ Vaccination against diseases;
➢ Documentation;
➢ Prescribing appropriate books for a course;
➢ Training and retraining of staff;
➢ Authorization of transaction;
➢ Validation,
➢ edit checks in the application;
➢ Firewalls;
➢ Anti-virus software (sometimes this acts like a corrective control also), etc., and
➢ Passwords.
The main characteristics of Preventive controls are given as follows:

i) A clear-cut understanding about the vulnerabilities of the asset;
ii) Understanding probable threats;
iii) Provision of necessary controls for probable threats from materializing.
Concept Problem 8
Write short notes on the following:

i) Snapshots
ii) Audit Hooks
60 | P a g e
Answer
(i) Snapshots:
Tracing a transaction is a computerized system can be performed with the help of snapshots or
extended records. The snapshot software is built into the system at those points where material
processing occurs which takes images of the flow of any transaction as it moves through the
application. These images can be utilized to assess the authenticity, accuracy, and completeness of
the processing carried out on the transaction. The main areas to consider involving such a system are
to locate the snapshot points based on materiality of transactions when the snapshot will be captured
and the reporting system design and implementation to present data in a meaningful way.
(ii) Audit Hooks:

There are audit routines that flag suspicious transactions. For example, internal auditors at Insurance
Company determined that their policyholder system was vulnerable to fraud every time a policyholder
changed his or her name or address and then subsequently withdrew funds from the policy. They
devised a system of audit hooks to tag records with a name or address change. The internal audit
department will investigate these tagged records for detecting fraud. When audit hooks are employed,
auditors can be informed of questionable transactions as soon as they occur. This approach of real-
time notification displays a message on the auditor’s terminal.
Concept Problem 9
Recognize various factors influencing an organization towards control and audit of computers.
Answer
Need for Audit of Information Systems
Factors influencing an organization toward controls and audit of computers and the impact of the
information systems audit function on organizations are as follows:
i) Organizational Costs of Data Loss: Data is a critical resource of an organization for its present and
future process and its ability to adapt and survive in a changing environment.
ii) Cost of Incorrect Decision Making: Management and operational controls taken by managers involve
detection, investigations and correction of the processes. These high-level decisions require accurate
data to make quality decision rules.
iii) Costs of Computer Abuse: Unauthorized access to computer systems, malwares, unauthorized physical
access to computer facilities and unauthorized copies of sensitive data can lead to destruction of
assets (hardware, software, information etc.)
iv) Value of Computer Hardware, Software and Personnel: These are critical resources of an organization,
which has a credible impact on its infrastructure and business competitiveness.
v) High Costs of Computer Error: In a computerized enterprise environment where many critical business
processes are performed, a data error during entry or process would cause great damage.
vi) Maintenance of Privacy: Today, data collected in a business process contains private information
about an individual too. These data were also collected before computers but now, there is a fear that
privacy has eroded beyond acceptable levels.
P a g e | 61
vii) Controlled evolution of computer Use: Use of Technology and reliability of complex computer systems
cannot be guaranteed and the consequences of using unreliable systems can be destructive.
Concept Problem 10
Data warehouse and Data Mining are the order of the day for better management of information and quicker
and effective decision-making in organizations. Critically evaluate the statement.
Answer
This statement is correct. Data warehouse is a repository of an organization’s electronically stored data and
designed to facilitate reporting and analysis.
Organizations find data warehouses quite beneficial for several reasons
i) The process of developing a data warehouse forces an organization to better understand the data that it
is currently collecting and, equally important, what data is not being collected.
ii) A data warehouse provides a centralized view of all data being collected across the enterprise and
provides a means for determining data that is inconsistent.
iii) Once all data is identified as consistent, an organization can generate one version of the truth. This is
important when the company wants to report consistent statistics about itself, such as revenue or
number of employees.
iv) By having a data warehouse, snapshots of data can be taken over time. This creates a historical record
of data, which allows for an analysis of trends.
v) A data warehouse provides tools to combine data, which can provide new information and analysis.
Data Mining is the process of analysing data to find previously unknown trends, patterns, and associations to
make decisions. Data mining is accomplished through automated means against extremely large data sets,
such as a data warehouse.
Together, Data warehouse and data mining facilitates better management of information and quicker and
effective decision-making in organizations
Concept Problem 11
Explain the concept of Segregation of Duties (SOD) controls and its examples.
Or
Segregation of Duties (SoD) in an organization allows the individuals to access authorized activities
controlled through various controls. Identify few examples of the controls of Segregation of Duties (SoD).
Answer
SoD advocates that Privilege/ Access Rights should be given on “Need to Do” & “Need to know” basis.
It ensures that single individual do not passes excess privilege that could result in unauthorized activity like
fraud or manipulation of data security.
For example: the person approving the purchase orders should not be allowed to make payment and pass
entries in the books at the same time.
62 | P a g e
The examples of Segregation of Duties (SoD) Controls are as below:
i) Transaction Authorization: Information systems can be programmed or configured to require two (or
more) persons to approve certain transactions. This is seen in retail establishments where a manager
is required to approve a large transaction or a refund. In IT applications, transactions meeting certain
criteria may require a manager’s approval to be able to proceed.
ii) Split custody of high-value assets: Assets of high importance or value can be protected using various
means of split custody. For example, a password to an encryption key that protects a high-valued
asset can be split in two halves, one half assigned to two persons, and the other half assigned to two
persons, so that no single individual knows the entire password. Banks do this for central vaults, where
a vault combination is split into two or more pieces so that two or more are required to open it.
iii) Workflow: Applications that are workflow-enabled can use a second (or third) level of approval before
certain high-value or high-sensitivity activities can take place. For example, a workflow application
that is used to provision user accounts can include extra management approval steps in requests for
administrative privileges.
iv) Periodic reviews: IT or internal audit personnel can periodically review user access rights to identify
whether any segregation of duties issues exist. The access privileges for each worker can be compared
against a segregation of duties control matrix. When SoD issues are encountered during segregation of
duties review, management will need to decide how to mitigate the matter.
Concept Problem 12
An internet connection exposes an organization to the harmful elements of the outside world. As a network
administrator, which Network Access controls will you implement in the organization to protect from such
harmful elements?
Or
An Internet connection exposes an organization to the harmful elements of the outside world. As an EDP
(Electronic Data Processing) operator of an organization ABC, prepare a checklist for Network Access
Controls that are required to be implemented in the organization.
Answer
Network Access Control: An Internet connection exposes an organization to the harmful elements of the
outside world. The checklist for Network Access Controls that are required to be implemented in the
organization are as follows:
i) Policy on use of network services: An enterprise-wide policy applicable to internet service requirements
aligned with the business need for using the Internet services is the first step. Selection of appropriate
services and approval to access them should be part of this policy.
ii) Enforced path: Based on risk assessment, it is necessary to specify the exact path or route connecting
the networks; e.g., internet access by employees will be routed through a firewall and proxy.
iii) Segregation of networks: Based on the sensitive information handling function; say a VPN connection
between a branch office & the head-office, this network is to be isolated from the internet usage service.
iv) Network connection and routing control: The traffic between networks should be restricted, based on
identification of source and authentication access policies implemented across the enterprise network
P a g e | 63
facility.
v) Security of network services: The techniques of authentication and authorization policy should be
implemented across the organization’s network.
vi) Firewall: A Firewall is a system that enforces access control between two networks. To accomplish this, all
traffic between the external network and the organization’s Intranet must pass through the firewall that
will allow only authorized traffic between the organization and the outside to pass through it. The
firewall must be immune to penetrate from both outside and inside the organization. In addition to
insulating the organization’s network from external networks, firewalls can be used to insulate portions of
the organization’s Intranet from internal access also.
vii) Encryption: Encryption is the conversion of data into a secret code for storage in databases and
transmission over networks. The sender uses an encryption algorithm with a key to convert the original
message called the Clear text into Cipher text. This is decrypted at the receiving end. Two general
approaches are used for encryption viz. private key and public key encryption.
viii) Call Back Devices: It is based on the principle that the key to network security is to keep the intruder off
the Intranet rather than imposing security measure after the criminal has connected to the intranet. The
call- back device requires the user to enter a password and then the system breaks the connection. If
the caller is authorized, the call back device dials the caller’s number to establish a new connection. This
limit access only from authorized terminals or telephone numbers and prevents an intruder masquerading
as a legitimate user. This also helps to avoid the call forwarding and man-in-the middle attack
Concept Problem 13
A company XYZ is developing a software using the program development life cycle methodology and applying
control, phases in parallel to the development phases to monitor the progress against plan. Being an IT
developer, design the various phases and their controls for program development life cycle.
Or
Mr. X is appointed as an auditor of a software development and service provider company. Explain the various
concerns that auditor should address under different activities of Programming Management Controls.
Answer
The primary objective of Program Development Life Cycle phase within the Systems Development Life Cycle is
to produce or acquire and to implement high-quality programs. This includes the following phases:
i) Planning: Techniques like Work Breakdown Structures (WBS), Gantt Charts and PERT (Program
Evaluation and Review Technique) Charts can be used to monitor progress against plan.
ii) Control: The Control phase has two major purposes:
a) Task progress in various software life-cycle phases should be monitored against plan and corrective
action should be taken in case of any deviations.
b) Control over software development, acquisition, and implementation tasks should be exercised to
ensure that the software released for production use is authentic, accurate, and complete.
64 | P a g e
iii) Design: A systematic approach to program design, such as any of the structured design approaches or
object-oriented design is adopted.
iv) Coding: Programmers must choose a module implementation and integration strategy like Top-down,
Bottom-up and Thread’s approach; a coding strategy that follows the precepts of structured
programming, and a documentation strategy to ensure program code is easily readable and
understandable.
v) Testing: These tests are to ensure that a developed or acquired program achieves its specified
requirements. These are as follows:
a) Unit Testing – which focuses on individual program modules;

b) Integration Testing – Which focuses in groups of program modules; and
c) Whole-of-Program Testing – which focuses on whole program.
vi) Operation and Maintenance: Management establishes formal mechanisms to monitor the status of
operational programs so maintenance needs can be identified on a timely basis. Three types of
maintenance can be used are as follows:
a) Repair Maintenance: in which program errors are corrected;

b) Adaptive Maintenance: in which the program is modified to meet changing user requirements; and
c) Perfective Maintenance: in which the program is tuned to decrease the resource consumption.
Concept Problem 14
Discuss the key activities which require special attention for auditing the user access provisioning.
Answer
Auditing user access provisioning process requires attention to several key activities that include the following:
i) Access request processes: The IS auditor should identify all user access request processes and determine
if these processes are used consistently throughout the organization.
ii) Access approvals: The IS auditor needs to determine how requests are approved and by what authority
they are approved. The auditor should determine if system or data owners approve access requests, or if
any accesses are ever denied.
iii) New employee provisioning: The IS auditor should examine the new employee provisioning process to see
how a new employee’s user accounts are initially set up. The auditor should determine if new employees’
managers are aware of the access requests that their employees are given and if they are excessive.
iv) Segregation of Duties (SoD): The IS auditor should determine if the organization makes any effort to
identify segregation of duties. This may include whether there are any SoD matrices in existence and if
they are actively used to make user access request decisions.
v) Access reviews: The IS auditor should determine if there are any periodic access reviews and what
aspects of user accounts are reviewed; this may include termination reviews, internal transfer reviews,
SoD reviews and dormant account reviews.
P a g e | 65
Concept Problem 15

a) Line Error Control
b) Audit Trail
Answer
a) Line Error Control: Whenever data is transmitted over a communication line in a telecommunication
network, an error may occur because of attenuation distortion or noise that occurs on the line. These
line errors must be detected and corrected.
Error Detection: The errors can be detected by either using a loop (echo) check or building some form of
redundancy into the message transmitted.
Error Correction: When line errors have been detected, they must then be corrected using either forward
error correcting codes or backward error correcting codes.
b) Audit trail: Audit Trail controls attempt to ensure that a chronological record of all events that have
occurred in a system is maintained. This record is needed to answer queries, fulfil statutory
requirements, detect the consequences of error and allow system monitoring and tuning.
▪ The Accounting Audit Trail shows the source & nature of data and processes that update database.
▪ The Operations Audit Trail maintains a record of attempted or actual resource consumption within
a system.
Concept Problem 16
Data Warehouse extracts data from one or more of the organization’s databases and loads it into another
database for storage and analysis purpose. As a Data Warehouse Manager, determine the design criteria,
which should be met while designing Date Warehouse.
Answer
The Data Warehouse extracts data from one or more of the organization’s databases and loads it into
another database for storage and analysis purpose. A data warehouse should be designed so that it meets
the following criteria:
i) It uses non-operational data. This means that the data warehouse is using a copy of data from the
active databases that the company uses in its day- to-day operations, so the data warehouse must
pull data from the existing databases on a regular, scheduled basis.
ii) The data is time-variant. This means that whenever data is loaded into the data warehouse, it receives
a time stamp, which allows for comparisons between different time periods.
iii) The data is standardized. Because the data in a data warehouse usually comes from several different
sources, it is possible that the data does not use the same definitions or units. For the data warehouse
to match up different formats, a standard format (for example – date) would have to be agreed upon
and all data loaded into the data warehouse would have to be converted to use this standard format.
This process is called Extraction-Transformation-Load (ETL).
66 | P a g e
There are two approaches to follow when designing a data warehouse:
a) The Bottom-Up Approach starts by creating small data warehouses called Data Marts to solve specific
business problems. As these data marts are created, they can be combined into a larger data
warehouse.
b) The Top-Down Approach suggests that we should start by creating an enterprise-wide data warehouse
and then, as specific business needs are identified, create smaller data marts from the data
warehouse.
Concept Problem 17
Explain briefly the objectives of Information System’s Auditing.

Answer
The major objectives of Information System’s (IS) Auditing are as follows:
i) Asset Safeguarding: The information system assets (hardware, software, data information etc.) must
be protected by a system of internal controls from unauthorized access.
ii) Data Integrity: The importance to maintain integrity of data of an organization requires all the time
and is a fundamental attribute of IS Auditing. It is also important from the business perspective of the
decision maker, competition and the market environment.
iii) System Effectiveness: Effectiveness of a system is evaluated by auditing the characteristics and
objective of the system to meet business and user requirements.
iv) System Efficiency: To optimize the use of various information system resources such as machine time,
peripherals, system software and labour along with the impact on its computing environment.
Concept Problem 18
Explain various types of Data Coding Errors.

Answer
Data Coding Errors: Data Coding errors can cause serious problems in data processing if they go undetected.
Two types of errors - Transcription and Transposition errors can corrupt a data code and cause processing
errors.
a) Transcription Errors: It is a special type of data entry error that is commonly made by human
operators or by Optical Character Recognition (OCR) programs. These falls into three classes: Addition
errors, Truncation errors and Substitution errors.
b) Transposition Errors: It is a simple error of data entry that occur when two digits that are either
individual or part of larger sequence of numbers are reversed (Transpose) when posting a transaction.
There are two types of transposition errors: Single transposition and Multiple transposition errors.
Concept Problem 19
Physical security mechanisms in an organization provides protection to people, data, equipment, systems,
facilities and company assets. Determine some major ways of protecting the organization’s computer
installation in the event of any explosion or fire.
Answer
P a g e | 67
Fire Damage is one of the major threats to the physical security of a computer installation. Some of the
major ways of protecting the installation against fire damage are as follows:
a) Smoke Detectors: Smoke detectors should be positioned at places above and below the ceiling tiles.
Upon activation, these detectors should produce an audible alarm and must be linked to a monitored
station (for example, a fire station).
b) Norms to reduce Electric Firing: To reduce the risk of electric firing, the location of the computer room
should be strategically planned and should not be in the basement or ground floor of a multi-storey
building. Less wood and plastic material should be used in computer rooms. To reduce the risk of
electric fire occurring and spreading, wiring should be placed in the fire-resistant panels and conduit.
This conduit generally lies under the fire-resistant raised floor in the computer room. Fireproof Walls,
Floors and Ceilings surrounding the Computer Room and Fire-resistant office materials such as waste
baskets, curtains, desks, and cabinets should be used.
c) Fire Extinguishers: Manual fire extinguishers can be placed at strategic locations. Fire Alarms,
Extinguishers, Sprinklers, Instructions / Fire Brigade Nos., Smoke detectors, and Carbon-dioxide based
fire extinguishers should be well placed and maintained.
d) Fire Alarms: Both automatic and manual fire alarms may be placed at strategic locations and a control
panel may be installed to clearly indicate this. Besides the control panel, master switches may be
installed for power and automatic fire suppression system. A gas- based fire suppression system is
preferable, however, depending upon the situation, different fire suppression techniques like Dry-pipe
sprinkling systems, water-based systems, halon etc., may be used. When a fire alarm is activated, a
signal may be sent automatically to permanently manned station.
e) Regular Inspection and Raising awareness: Regular inspection by Fire Department Officials should be
conducted. The procedures to be followed during an emergency should be properly documented. Fire
Exits should be clearly marked, and all the staff members should know how to use the system in case
of emergency.
f) Documented and Tested Emergency Evacuation Plans: Relocation plans should emphasize human safety
but should not leave information processing facilities physically unsecured. Procedures should exist for a
controlled shutdown of the computer in an emergency. In all circumstances, saving human life should
be given paramount importance.
Concept Problem 20
Discuss 5 Audit Techniques and the advantages of continuous Audit Techniques.

Answer
As an Information System Auditor, various Audit Tools that can be used to perform IS Auditing are as follows:
(i) Snapshots:
Tracing a transaction is a computerized system can be performed with the help of snapshots or
extended records. The snapshot software is built into the system at those points where material
processing occurs which takes images of the flow of any transaction as it moves through the
application. These images can be utilized to assess the authenticity, accuracy, and completeness of
68 | P a g e
the processing carried out on the transaction. The main areas to dwell upon while involving such a
system are to locate the snapshot points based on materiality of transactions when the snapshot will
be captured and the reporting system design and implementation to present data in a meaningful way.
(ii) Integrated Test Facility (ITF):

The ITF technique involves the creation of a dummy entity in the application system files and the
processing of audit test data against the entity as a means of verifying processing authenticity,
accuracy, and completeness. This test data would be included with the normal production data used as
input to the application system. In such cases, the auditor must decide what would be the method to
be used to enter test data and the methodology for removal of the effects of the ITF transactions.
(iii) System Control Audit Review File (SCARF):

The SCARF technique involves embedding audit software modules within a host application system to
provide continuous monitoring of the system’s transactions. The information collected is written onto
a special audit file- the SCARF master files. Auditors then examine the information contained on this
file to see if some aspect of the application system needs follow-up. In many ways, the SCARF
technique is like the snapshot technique along with other data collection capabilities.
(iv) Continuous and Intermittent Simulation (CIS):

This is a variation of the SCARF continuous audit technique. This technique can be used to trap
exceptions whenever the application system uses a database management system. The advantage of
CIS is that it does not require modifications to the application system and yet provides an online
auditing capability.
(v) Audit Hooks:

There are audit routines that flag suspicious transactions. For example, internal auditors at Insurance
Company determined that their policyholder system was vulnerable to fraud every time a policyholder
changed his or her name or address and then subsequently withdrew funds from the policy. They
devised a system of audit hooks to tag records with a name or address change. The internal audit
department will investigate these tagged records for detecting fraud. When audit hooks are employed,
auditors can be informed of questionable transactions as soon as they occur. This approach of real-
time notification displays a message on the auditor’s terminal.
Some of the advantages of continuous audit techniques are as under:

a) Timely, Comprehensive and Detailed Auditing: Evidence would be available timelier and in a
comprehensive manner. The entire processing can be evaluated and analyzed rather than examining
the inputs and the outputs only.
b) Surprise test capability: As evidences are collected from the system itself by using continuous audit
techniques, auditors can gather evidence without the systems staff and application system users
being aware that evidence is being collected at that particular moment. This brings in the surprise
test advantages.
c) Information to system staff on meeting of objectives: Continuous audit techniques provides

information to systems staff regarding the test vehicle to be used in evaluating whether an application
system meets the objectives of asset safeguarding, data integrity, effectiveness, and efficiency.
P a g e | 69
d) Training for new users: Using the Integrated Test Facilities (ITF)s, new users can submit data to the
application system, and obtain feedback on any mistakes they make via the system’s error reports.
Concept Problem 21
Recognize the activities that deal with the System Development Controls in an IT Setup.
Answer
The activities that deal with system development controls in IT setup are as follows:
i) Problem definition and Feasibility assessment: I.S. is developed to help resolve problems or to take
advantage of opportunities. All the stakeholders must agree on the problem & feasibility assessment is
done to obtain a commitment to change & to evaluate cost-effectiveness of solutions.
All solutions must be properly and formally authorized to ensure their economic justification and
feasibility.
ii) Analysis of existing system: Designers need to analyze the existing system that involves two major
tasks:
a. Studying existing organizational history, structure, and culture to gain an understanding of social
systems, & the willingness of stakeholders to change.
b. Studying the existing product and information flows as the proposed system will be based primarily
on current product and information flows.
The designers need to understand strengths & weaknesses of existing product to determine the new
system requirements and the extent of change required.
iii) Information Processing System design: This phase involves following activities:
a. Elicitation of detailed requirements: Either ask the stakeholders for their requirement if they are
aware about it or discover it through analysis and experimentation in case they are uncertain about
their need.
b. Design of data/ information flow: Designers shall determine the flow of data/information, its
frequency & timing and the extent to which data and information flows will be formalized. Tools
such as DFD can be used for this.
c. Design of Database and user interface: Involves determining its scope and structure, whereas the
design of user interface determines the ways in which users interact with a system.
d. Physical design: Involves breaking up the logical design into units which in turn can be decomposed
further into implementation units such as programs and modules.
e. Design of the hardware/software platform: In case the hardware and software platforms are not
available in the organization, the new platforms are required to be designed to support the proposed
system.
iv) Hardware/ Software acquisition & procedures development: To purchase the new application system or
hardware, a request for a proposal must be prepared, vendor proposals are sought, and final decision is
made based on evaluation.
70 | P a g e
v) Acceptance Testing and Conversion: Acceptance Testing is carried out to identify errors or deficiencies
in the system prior to its final release into production use. Conversion phase comprises the activities
undertaken to place the new system in operation.
vi) Operation and Maintenance: The new system is run as a production system and periodically modified to
better meet its objectives. The maintenance activities associated with these systems need to be
approved and monitored carefully.
Concept Problem 22
Determine the controls that are classified based on the time when they act, relative to a security incident.
Or
Define any two information system controls based on objectives of controls.
Answer
The controls per the time that they act, relative to a security incident can be classified as under:
i) Preventive Controls:
These controls prevent errors, omissions, or security incidents from occurring. Examples include simple
data-entry edits that block alphabetic characters from being entered in numeric fields, access controls
that protect sensitive data/ system resources from unauthorized people, and complex and dynamic
technical controls such as anti-virus software, firewalls, and intrusion prevention systems.
Some examples of preventive controls can be Employing qualified personnel; Segregation of duties;
Access control; Vaccination against diseases; Documentation; Prescribing appropriate books for a course;
Training and retraining of staff; Authorization of transaction; Validation, edit checks in the application;
Firewalls; Anti-virus software (sometimes this act like a corrective control also), etc., and Passwords.
The above list contains both of manual and computerized, preventive controls.
ii) Detective Controls:

These controls are designed to detect errors, omissions or malicious acts that occur and report the
occurrence. In other words, Detective Controls detect errors or incidents that elude preventive controls.
Detective controls can also include monitoring and analysis to uncover activities or events that exceed
authorized limits or violate known patterns in data that may indicate improper manipulation.
Some examples of Detective Controls are Cash counts; Bank reconciliation; Review of payroll reports;
Compare transactions on reports to source documents; Monitor actual expenditures against budget; Use
of automatic expenditure profiling where management gets regular reports of spend to date against
profiled spend; Hash totals; Check points in production jobs; Echo control in telecommunications;
Duplicate checking of calculations; Past-due accounts report; The internal audit functions; Intrusion
Detection System; Cash counts and bank reconciliation, and Monitoring expenditures against budgeted
amount.
iii) Corrective Controls:

Corrective controls are designed to reduce the impact or correct an error once it has been detected.
Corrective controls may include the use of default dates on invoices where an operator has tried to enter
the incorrect date. For example- Complete changes to IT access lists if individual’s role changes are a
corrective control. If an accounts clerk is transferred to the sales department as a salesman his/her
P a g e | 71
access rights to the general ledger and other finance functions should be removed and he/she should be
given access only to functions required to perform his sales job.
Some other examples of Corrective Controls are Submit corrective journal entries after discovering an
error; A Business Continuity Plan (BCP); Contingency planning; Backup procedure; Rerun procedures;
Change input value to an application system; and Investigate budget variance and report violations.
Concept Problem 23
In Information Systems, identify the type of Managerial controls that are responsible for the daily running of
software and hardware facilities. Prepare a detailed note on these controls.
Answer
Under the Managerial Controls, Operations Management Controls are responsible for the daily running of
hardware & software facilities. Operations management typically performs controls over functions as below:
i) Computer Operations: The controls over computer operations govern the activities that directly support
the day-to-day execution of either test or production systems on the hardware/software platform
available.
ii) Network Operations: This includes the proper functioning of network operations and monitoring the
performance of network communication channels, network devices, and network programs and files.
Data may be lost or corrupted through component failure.
iii) Data Preparation and Entry: Irrespective of whether the data is obtained indirectly from source
documents or directly; keyboard environments and facilities should be designed to promote speed and
accuracy and to maintain the wellbeing of keyboard operators.
iv) Production Control: This includes the major functions like - receipt and dispatch of input and output; job
scheduling; management of service-level agreements with users; transfer pricing/charge-out control;
and acquisition of computer consumables.
v) File Library: This includes the management of an organization’s machine-readable storage media like
magnetic tapes, cartridges, and optical disks.
vi) Documentation and Program Library: This involves that documentation librarians ensure that
documentation is stored securely; that only authorized personnel gain access to documentation; that
documentation is kept up-to-date and that adequate backup exists for documentation.
vii) Help Desk/Technical support: This assists end-user to employ end-user hardware and software such as
micro-computers, spreadsheet packages, database management packages etc. and provided the
technical support for production systems by assisting with problem resolution.
viii) Capacity Planning and Performance Monitoring: Regular performance monitoring facilitates the
capacity planning wherein the resource deficiencies must be identified well in time so that they can
be made available when they are needed.
ix) Management of Outsourced Operations: This has the responsibility for carrying out day-to-day
monitoring of the outsourcing contract.
72 | P a g e
Concept Problem 24
Nowadays, many industries like hospitality, healthcare and public service agencies deal with massively
large data sets that conventional database tools can’t process. Big data has significant benefits due to
which it has provided a new direction to these businesses. Elaborate these benefits.
Answer
The Benefits of Big Data Processing are as follows:
i) Ability to process Big Data brings in multiple benefits, such as-

▪ Businesses can utilize outside intelligence while taking decisions.
▪ Access to social data from search engines and sites like Facebook, Twitter are enabling
organizations to fine tune their business strategies.
▪ Early identification of risk to the product/services, if any

ii) Improved customer service
Traditional customer feedback systems are getting replaced by new systems designed with Big Data
technologies. In these new systems, Big Data and natural language processing technologies are being
used to read and evaluate consumer responses.
iii) Better operational efficiency

Integration of Big Data technologies and data warehouse helps an organization to offload infrequently
accessed data, this leading to better operational efficiency.
Concept Problem 25
Operating System security involves policy, procedure and controls that determine, ‘who can access the
operating system,’ ‘which resources they can access’, and ‘what action they can take’. As an Information
Systems auditor, determine the key areas which shall be put in place by any organization.
Or
An operating system allows users and their applications to share and access common computer resources
and execute a variety of activities. Hence, protecting operating system access is extremely crucial. Identify
various steps through which protection of operating system access can be achieved.
Or
Mr. A is a System Administrator of the company who must ensure the protection of Operating System used
in information system of the company. How can this purpose be achieved?
Answer
Protecting operating system access is extremely crucial and can be achieved using following steps:
i) Automated terminal identification: This will help to ensure that a specified session could only be initiated
from a certain location or computer terminal.
ii) Terminal log-in procedures: A log-in procedure is the first line of defense against unauthorized access as
it does not provide unnecessary help or information, which could be misused by an intruder. When the
user initiates the log-on process by entering user-id and password, the system compares the ID and
password to a database of valid users and accordingly authorizes the log-in.
P a g e | 73
iii) Access Token: If the log on attempt is successful, the Operating System creates an access token that
contains key information about the user including user-id, password, user group and privileges granted to
the user. The information in the access token is used to approve all actions attempted by the user during
the session.
iv) Access Control List: This list contains information that defines the access privileges for all valid users of
the resource. When a user attempts to access a resource, the system compasses his or her user-id and
privileges contained in the access token with those contained in the access control list. If there is a
match, the user is granted access.
v) Discretionary Access Control: The system administrator usually determines; who is granted access to
specific resources and maintains the access control list. However, in distributed systems, resources may be
controlled by the end-user. Resource owners in this setting may be granted discretionary access control,
which allows them to grant access privileges to other users. For example, the controller who is owner of
the general ledger grants read only privilege to the budgeting department while accounts payable
manager is granted both read and write permission to the ledger.
vi) User identification and authentication: The users must be identified and authenticated in a fool proof
manner. Depending on risk assessment, more stringent methods like Biometric Authentication or
Cryptographic means like Digital Certificates should be employed.
vii) Password management system: An operating system could enforce selection of good passwords. Internal
storage of password should use one-way hashing algorithms and the password file should not be
accessible to users.
viii) Use of system utilities: System utilities are the programs that help to manage critical functions of the
operating system e.g., addition or deletion of users. Obviously, this utility should not be accessible to a
general user. Use and access to these utilities should be strictly controlled and logged.
ix) Duress alarm to safeguard users: If users are forced to execute some instruction under threat, the system
should provide a means to alert the authorities.
x) Terminal time out: Log out the user if the terminal is inactive for a defined period. This will prevent misuse
in absence of the legitimate user.
xi) Limitation of connection time: Define the available time slot. Do not allow any transaction beyond this
time. For example, no computer access after 8.00 p.m. and before 8.00 a.m. - or on a Saturday or Sunday.
Concept Problem 26
An Internet connection exposes an organization to the harmful elements of the outside world. Discuss the
various factors under User Access Management through which the protection can be achieved.
Answer
User Access Management: This is an important factor that involves the following:
i) User Registration: Information about every user is documented. Some questions like why and who is the
user granted the access; has the data owner approved the access, and has the user accepted the
responsibility? etc. are answered. The de-registration process is also equally important.
74 | P a g e
ii) Privilege management: Access privileges are to be aligned with job requirements and responsibilities
and are to be minimal w.r.t their job functions. For example, an operator at the order counter shall
have direct access to order processing activity of the application system.
iii) User password management: Passwords are usually the default screening point for access to systems.
Allocations, storage, revocation, and reissue of password are password management functions.
Educating users is a critical component about passwords, and making them responsible for their
password.
iv) Review of user access rights: A user’s need for accessing information changes with time and requires a
periodic review of access rights to check anomalies in the user’s current job profile and the privileges
granted earlier.
Concept Problem 27
The management of the company PQR wants to get audit of its Logical Access controls that are
implemented in the company’s infrastructure and information systems. As an IS Auditor, determine the
checklist while Auditing User Access Logs.
Or
Discuss the factors that an IS Auditor need to determine while accessing the records in an access log of an
organization.
Answer
User Access Logs: The Information Systems (IS) auditor needs to determine what events are recorded in
access logs. The IS auditor needs to understand the capabilities of the system being audited and determine
if the right events are being logged, or if logging is suppressed on events that should be logged.
i) Centralized access logs: The IS auditor should determine if the organization’s access logs are
aggregated or if they are stored on individual systems.
ii) Access log protection: The auditor needs to determine if access logs can be altered, destroyed, or
attacked to cause the system to stop logging events. For especially high- value and high-
sensitivity environments, the IS auditor needs to determine if logs should be written to digital
media that is unalterable, such as optical WORM (Write Once Read Many) media.
iii) Access log review: The IS auditor needs to determine if there are policies, processes, or procedures
regarding access log review. The auditor should determine if access log reviews take place, who
performs them, how issues requiring attention are identified, and what actions are taken when
necessary.
iv) Access log retention: The IS auditor should determine how long access logs are retained by the
organization and if they are back up.
Concept Problem 28
You are an Information Technology Consultant to a firm who is in the process of shortlisting the resources for
the controls for the environmental exposures - water damage and power spikes in that firm. Prepare a
checklist for same.
Answer
P a g e | 75
Power Spikes: This is caused due to a very short pulse of energy in a power line.
Controls for Environmental Exposures: Some of the major ways of protecting the installation against power
spikes as follows:
a) Electrical Surge Protectors: The risk of damage due to power spikes can be reduced using Electrical Surge
Protectors that are typically built into the Uninterrupted Power System (UPS).
b) Un-interruptible Power System/Generator: In case of a power failure, the UPS provides the backup by
providing electrical power from the battery to the computer for a certain span of time. Depending on the
sophistication of the UPS, electrical power supply could continue to flow for days or for just a few
minutes to permit an orderly computer shutdown.
c) Voltage regulators and circuit breakers: These protect the hardware from temporary increase or decrease
of power.
d) Emergency Power-Off Switch: When the need arises for an immediate power shut down during situations
like a computer room fire or an emergency evacuation, an emergency power-off switch at the strategic
locations would serve the purpose. They should be easily accessible and yet secured from unauthorized
people.
Water Damage: Water damage to a computer installation can be the outcome of water pipes burst. Water
damage may also result from other resources such as cyclones, tornadoes, floods etc
Controls for Environmental Exposures: Some of the major ways of protecting the installation against water
damage are as follows:
a) Water Detectors: These should be placed under the raised floor, near drain holes and near any
unattended equipment storage facilities.
b) Strategically locating the computer room: To reduce the risk of flooding, the computer room should not be
located in the basement of ground floor of a multi-storey building.
c) Some of the major ways of protecting the installation against water damage are as follows:
▪ Wherever possible have waterproof ceilings, walls and floors;
▪ Ensure an adequate positive drainage system exists;
▪ Install alarms at strategic points within the installation;
▪ In flood-prone areas, have the installation above the upper floors but not at the top floor;
▪ Water proofing; and
▪ Water leakage Alarms
Concept Problem 29
You are an IS Auditor undertaking a job of auditing the Information Systems of an ABC Bank. While
performing Audit checks, you intend to ensure the placement of Input validation controls placed in the
76 | P a g e
Information System by detecting errors in the transaction data before the data is processed. Determine the
three levels of Input Validation Controls.
Answer
Validation Controls: Input validation controls are intended to detect errors in the transaction data before
the data are processed. There are three levels of input validation controls:
i) Field Check: It involves programmed procedures that examine the characters of the data in the field.
This includes the checks like Limit Check (against predefined limits), Picture Checks (against entry
into processing of incorrect/invalid characters), Valid check codes (against predetermined transactions
codes, tables) etc.
ii) Record Check: This includes the reasonableness check of whether the value specified in a field is
reasonable for that particular field; Valid sign to determine which sign is valid for a numeric field and
Sequence Check to follow a required order matching with logical records etc.
iii) Batch Check: This includes the checks like the transaction type if all input records in a batch are of
particular type; sequence check if input records are in a particular order or not etc.
iv) File Check: This includes file’s version usage; internal and external labeling; data file security; file
updating and maintenance authorization etc.
Concept Problem 30
As a member of an EDP (Electronic Data Processing) Team of an IT Department of the Company A,

determine the controls that are related to the physical security of the tangible Information Systems
Resources stored on tangible media?
Answer
The controls that are related to the physical security of the tangible Information Systems Resources stored
on tangible media.
v) Locks on Doors: These are as below:

a) Cipher locks (Combination Door Locks) - Cipher locks are used in low security situations or when
many entrances and exits must be usable all the time. To enter, a person presses a four-digit
number, and the door will unlock for a predetermined period, usually ten to thirty seconds.
b) Bolting Door Locks – A special metal key is used to gain entry when the lock is a bolting door lock.
To avoid illegal entry, the keys should not be duplicated.
c) Electronic Door Locks – A magnetic or embedded chip-based plastics card key or token may be
entered a reader to gain access in these systems.
vi) Physical Identification Medium: These are discussed below:

a) Personal Identification Numbers (PIN): A secret number will be assigned to the individual, in
conjunction with some means of identifying the individual, serves to verify the authenticity of the
individual. The visitor will be asked to log on by inserting a card in some device and then enter
their PIN via a PIN keypad for authentication. His/her entry will be matched with the PIN number
available in the security database.
P a g e | 77
b) Plastic Cards: These cards are used for identification purposes. Customers should safeguard their
card so that it does not fall into unauthorized hands.
c) Identification Badges: Special identification badges can be issued to personnel as well as visitors.
For easy identification purposes, their colour of the badge can be changed. Sophisticated photo IDs
can also be utilized as electronic card keys.
vii) Logging on Facilities: These are given as under:

a) Manual Logging: All visitors should be prompted to sign a visitor’s log indicating their name,
company represented, their purpose of visit, and person to see. Logging may happen at both fronts
- reception and entrance to the computer room. A valid and acceptable identification such as a
driver’s license, business card or vendor identification tag may also be asked for before allowing
entry inside the company.
b) Electronic Logging: This feature is a combination of electronic and biometric security systems. The
users logging can be monitored and the unsuccessful attempts being highlighted.
Concept Problem 31
Mr. X is an auditor of the company and plays a vital role in evaluating the performance of various controls
under managerial controls. The top management is the one who takes responsibility for Information Systems
function. Explain the functions that a senior manager must perform in organizing and controlling functions.
Answer
The functions performed in organizing and controlling functions are as follows:
A. Organizing – There should be a prescribed IT organizational structure with documented roles and
responsibilities and agreed job descriptions. This includes gathering, allocating, and coordinating the
resources needed to accomplish the goals that are established during Planning function.
a. Resourcing the Information Systems Function: A major responsibility of top management is to

acquire the resources needed to accomplish the goals and objectives set out in the information
systems plan. These resources include hardware, software, personnel, finances and facilities.
b. Staffing the Information systems Function: Staffing the Information systems function involves
three major activities - Acquisition of information systems personnel, Development of information
systems personnel; and Termination of information systems personnel.
B. Controlling – This includes comparing actual performance with planned performance as a basis for
taking any corrective actions that are needed. This involves determining when the actual activities of the
information system’s functions deviate from the planned activities.
Concept Problem 32
There are multiple ways in which risks to a Data Centre and Network Operations can be accessed. As a
consultant, prepare a sample list of Risks and Controls w.r.t Data Centre and Network Operations.
Answer
Sample listing of Risks and Controls w.r.t Data Centre and Network Operations are as follows:
78 | P a g e
Risks Key IT Controls

The transaction may not be recorded completely Batch and online processing procedures are
or accurately, and the related items will be defined, executed and monitored for successful and
inaccurately or incompletely recorded. timely completion.
Any exception is reviewed and timely resolved.
Invalid items may be recorded or valid items may Access to automated job scheduling tools, and
be inaccurately or incompletely recorded. executable programs are defined to restrict to
appropriate individuals as per job requirement.
Timely and adequate technical support may not Entity has written agreement(s) with outside
be available and issues may not be resolved. contractors and/ or software vendors to provide for
technical support, as needed.
Management monitors compliance with these
agreements.
User queries may not be timely and adequately Help desk function exists to provide support on user
resolved. queries regarding systems.
Problems are recorded and the log for timely
resolution of all such user queries is monitored.
Timely execution and complete processing and Performance and capacity utilization of the
availability of data may not be ensured. computer systems are measured, reported, and
reviewed by management.
Unavailability of applications and data backups All tapes, manuals, guides are properly labelled and
in the event of a disaster. It can also result in timely stored in a secured environmentally
disclosure of sensitive information. controlled location.
Data may be lost and systems may not be Schedule backup and storage of data is done
recoverable in the event of a serious system periodically and appropriately.
failure. This may result in regulatory/ legal Management periodically reviews backups are done
complaints, loss of reputation beside financial as per back up policy and meet business and legal
loss. requirements.
Backup may not be available if subject to some Backups are archived off-site.
disaster, resulting in risk of data loss.
Concept Problem 33
Write a short note on Extraction- Transformation-Load (ETL).
Answer
Extraction-Transformation-Load (ETL)
The concept of the data warehouse includes the process of extraction of data from one or more of the
organization’s databases, its transformation into an appropriate form using different techniques like
smoothing, aggregation, normalization etc. and loading into the data warehouse which is itself another
database for storage and analysis.
For ETL to be performed on a data, a data warehouse should be designed so that it meets following criteria:
i) It uses non-operational data which means that the data warehouse is using a copy of data from the
P a g e | 79
active databases that the company uses in its day-to-day operations.
ii) The data is time-variant which means a time-stamp is received whenever data is loaded into the data
warehouse
iii) The data is to be standardized in case the data in a data warehouse comes from different sources and
does not use the same definitions or units.
For example, the Events table in Student Clubs database lists the event dates using the mm/dd/yyyy format
(e.g., 01/10/2013) whereas a table in another database might use the format yy/mm/dd (e.g.,13/01/10) for
dates. For the data warehouse to match up dates, a standard date format would have to be agreed upon and
all data loaded into the data warehouse would have to be transformed to use this standard format before its
loading into the database for storage.
Concept Problem 34
What is virtual memory? How does it differ from secondary memory?
Answer
Virtual Memory is not a separate device but an imaginary memory area supported by some operating systems
(for example, Windows) in conjunction with the hardware. If a computer lacks in required size of the
Random-Access Memory needed to run a program or operation, Windows uses virtual memory to compensate.
Virtual memory is an allocation of temporary space on hard disk space to help RAM. When RAM runs low,
virtual memory moves data from RAM to a space called a paging file. Moving data to and from the paging file
frees up RAM to complete its work.
Differences between Virtual Memory and Secondary Memory are given below:
Virtual Memory Secondary Memory
Virtual Memory is an imaginary memory area that Secondary memory is a storage device having
combines computer’s RAM with temporary space on features of non-volatility (contents are permanent in
the hard disk nature), greater capacity (they are available in large
size and greater economy
When RAM runs low, virtual memory moves data The secondary memory is available in bigger sizes;
from RAM to a space called a paging file. Moving thus, program and data can be stored permanently.
data to and from the paging file frees up RAM to
complete its work.
Concept Problem 35
Information systems have set high hopes to companies for their growth as it reduces processing speed and
helps in cutting cost. Being an auditor of ABC manufacturing company, discuss the key areas that should
pay attention to while evaluating Managerial controls by top management.
Answer
The key areas that auditors should pay attention to while evaluating Managerial controls are as follows:
i) Planning: Auditors need to evaluate whether top management has formulated a high- quality
80 | P a g e
information system’s plan that is appropriate to the needs of an organization or not. A poor-quality
information system is ineffective and inefficient leading to losing of its competitive position within the
marketplace.
ii) Organizing: Auditors should be concerned about how well top management acquires and manages staff
resources.
iii) Leading: Generally, the auditors examine variables that often indicate when motivation problems exist or
suggest poor leadership – for example, staff turnover statistics, frequent failure of projects to meet their
budget and absenteeism level to evaluate the leading function. Auditors may use both formal and
informal sources of evidence to evaluate how well top managers communicate with their staff.
iv) Controlling: Auditors should focus on subset of the control activities that should be performed by top
management – namely, those aimed at ensuring that the information systems function accomplishes
its objectives at a global level. Auditors must evaluate whether top management’s choice to the means of
control over the users of IS services is likely to be effective or not.
Concept Problem 36
Data Mining is commonly applied in banking industry to credit ratings and to intelligent anti-fraud systems
to analyze transactions, card transactions, purchasing patterns and customer financial data etc. The process
of Data Mining involves sequential execution of steps for its implementation. Discuss the steps involved in
this process.
Or
Data Mining is the process of analysing data to find previously unknown trends, patterns and associations to
make decisions. As an IT expert of the company, explain the steps involved in the data mining process.
Answer
The steps involved in the Data Mining process are as follows:
i) Data Integration: Firstly, the data are collected and integrated from all the different sources which could
be flat files, relational database, data warehouse or web etc.
ii) Data Selection: It may be possible that all the data collected may not be required in the first step. So, in
this step we select only those data which we think is useful for data mining.
iii) Data Cleaning: The data that is collected are not clean and may contain errors, missing values, noisy or
inconsistent data. Thus, we need to apply different techniques to get rid of such anomalies.
iv) Data Transformation: The data even after cleaning are not ready for mining as it needs to be
transformed into an appropriate form for mining using different techniques like - smoothing,
aggregation, normalization etc.
v) Data Mining: In this, various data mining techniques are applied on the data to discover the interesting
patterns. Techniques like clustering and association analysis are among the many different techniques
used for data mining.
vi) Pattern Evaluation and Knowledge Presentation: This step involves visualization, transformation,
removing redundant patterns etc. from the patterns we generated.
vii) Decisions / Use of Discovered Knowledge: This step helps user to make use of the knowledge acquired to
P a g e | 81
take better informed decisions.
Concept Problem 37
Due to absence of Logical Access Controls in XYZ Limited; the company’s security mechanism got attacked
by a Logical Access Violator Mr. X leading to potential loss resulting in total shutdown of the computer
functions of the company. Discuss the categories under which the Logical Access Violator Mr. X may fall into.
Or
Identify the Logical Access Violators who exploit logical exposures in an organization. Briefly explain them.
Answer
The Categories under which the logical Access Violator Mr. X may fall into are as follow:
a) Hackers: Hackers try their best to overcome restrictions to prove their ability. Ethical hackers most likely
never try to misuse the computer intentionally but assists in finding the weaknesses in the system;
b) Employees (authorized or unauthorized);
c) IS Personnel: They have easiest to access to computerized information since they come across to
information during discharging their duties. Segregation of duties and supervision help to reduce the
logical access violations;
d) Former Employees: should be cautious of former employees who have left the organization on
unfavorable terms;
e) End Users; Interested or Educated Outsiders; Competitors; Foreigners; Organized Criminals; Crackers;
Part-time and Temporary Personnel; Vendors and consultants; and Accidental Ignorant – Violation done
unknowingly.
Concept Problem 38
As an internal auditor of an organization, Mr. Anil reviews various physical security controls implemented
within his organization. Discuss various activities that he would perform while doing auditing these physical
access controls?
Answer
The activities that Mr. Anil would be performing while doing auditing of physical access controls are as follows:
(i) Sitting and Marking: Auditing building sitting and marking requires attention to several key factors and
features, including:
o Proximity to hazards: The IS auditor should estimate the building’s distance to natural and
manmade hazards, such as Dams; Rivers, lakes, and canals; Natural gas and petroleum pipelines;
Water mains and pipelines; Earthquake faults; Areas prone to landslides; Volcanoes; Severe weather
such as hurricanes, cyclones, and tornadoes; Flood zones; Military bases; Airports; Railroads and
Freeways. The IS auditor should determine if any risk assessment regarding hazards has been
performed and if any compensating controls that were recommended have been carried out.
o Marking: The IS auditor should inspect the building and surrounding area to see if building(s)
containing information processing equipment identify the organization. Marking may be visible on
82 | P a g e
the building itself, but also on signs or parking stickers on vehicles.
(ii) Physical barriers: This includes fencing, walls, barbed/razor wire, bollards, and crash gates. The IS
auditor needs to understand how these are used to control access to the facility and determine their
effectiveness.
(iii) Surveillance: The IS auditor needs to understand how video and human surveillance are used to control
and monitor access. He or she needs to understand how (and if) video is recorded and reviewed, and if
it is effective in preventing or detecting incidents.
(iv) Guards and dogs: The IS auditor need to understand the use and effectiveness of security guards and
guard dogs. Processes, policies, procedures, and records should be examined to understand required
activities and how they are carried out.
(v) Key-Card systems: The IS auditor needs to understand how key-card systems are used to control
access to the facility. Some points to consider include: Work zones: Whether the facility is divided into
security zones and which persons are permitted to access which zones whether key-card systems
record personnel movement; What processes and procedures are used to issue keycards to employees?
etc.
Concept Problem 39
ABC Ltd., an automobile manufacturer intends to establish its new manufacturing unit plant at Bhuj, Gujarat.
Out of many controls that need to be in place, the management has little more focus on successful
implementation of Environmental controls as the Bhuj area is earthquake prone. Mr. Nanda, the auditor of
ABC Ltd. conducted various physical inspections of the building at Bhuj to determine the implementation of
environmental controls in the said manufacturing unit. Briefly explain his role and the activities he shall
conduct to audit the Environmental Controls.
Answer
Role of Auditor in Auditing Environmental Controls: Audit of environmental controls should form a critical part
of every IS audit plan. The IS auditor should satisfy not only the effectiveness of various technical controls
but also the overall controls safeguarding the business against environmental risks. Audit of environmental
controls requires the IS auditor to conduct physical inspections and observe practices. Auditing environmental
controls requires knowledge of building mechanical and electrical systems as well as fire codes. The IS auditor
needs to be able to determine if such controls are effective and if they are cost effective.
Auditors shall conduct following activities in auditing Environmental controls:

a) Power conditioning: The IS auditor should determine how frequently power conditioning equipment, such
as UPS, line conditioners, surge protectors, or motor generators, are used, inspected and maintained and
if this is performed by qualified personnel.
b) Backup power: The IS auditor should determine if backup power is available via electric generators or UPS
and how frequently they are tested. S/he should examine maintenance records to see how frequently
these components are maintained and if this is done by qualified personnel.
c) Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor should determine if HVAC systems are
providing adequate temperature and humidity levels, and if they are monitored. Also, the auditor should
determine if HVAC systems are properly maintained and if qualified persons do this.
P a g e | 83
d) Water detection: The IS auditor should determine if any water detectors are used in rooms where
computers are used. He or she should determine how frequently these are tested and if there are
monitored.
e) Fire detection and suppression: The IS auditor should determine if fire detection equipment is adequate,
if staff members understand their function, and i f they are tested. S/he should determine how
frequently fire suppression systems are inspected and tested, and if the organization has emergency
evacuation plans and conducts fire drills.
f) Cleanliness: The IS auditor should examine data centers to see how clean they are. IT equipment air
filters and the inside of some IT components should be examined to see if there is an accumulation of
dust and dirt.
Concept Problem 40
The processing subsystem of any application software is responsible for computing, sorting, classifying, and
summarizing the data. The processor controls of the application software are responsible to reduce the
expected losses from errors and irregularities associated with Central processors. Discus these controls.
Answer
The processor controls of any application software are as follows:
a) Error Detection and Correction: Occasionally, processors might malfunction because of design errors,
manufacturing defects, damage, fatigue, electromagnetic interference, and ionizing radiation. The failure
might be transient (that disappears after a short period), intermittent (that reoccurs periodically), or
permanent (that does not correct with time). For the transient and intermittent errors; re-tries and re-
execution might be successful, whereas for permanent errors, the processor must halt and report error.
b) Multiple Execution States: It is important to determine the number of and nature of the execution states
enforced by the processor. This helps auditors to determine which user processes will be able to carry out
unauthorized activities, such as gaining access to sensitive data maintained in memory regions assigned
to the operating system or other user processes.
c) Timing Controls: An operating system might get stuck in an infinite loop. In the absence of any control,
the program will retain use of processor and prevent other programs from undertaking their work.
d) Component Replication: In some cases, processor failure can result in significant losses. Redundant
processors allow errors to be detected and corrected. If processor failure is permanent in multicomputer or
multiprocessor architectures, the system might reconfigure itself to isolate the failed processor.
Concept Problem 41
Managerial Controls provide a stable infrastructure in which Information Systems can be built, operated, and
maintained on day-to-day basis. List down various controls that can be adapted by management for its
smooth functioning.
Answer
The controls that can be adapted by management for its smooth functioning are as follows:
a) Top Management Controls
84 | P a g e
b) System Development Management Controls
c) Programming Management Controls
d) Data Resource Management Controls
e) Quality Assurance Management Controls
f) Security Management Controls
g) Operations Management Controls
Concept Problem 42
Briefly explain any two output controls.
Answer
Various Output Controls under Application Controls are as follows:
a) Inference Controls - used to prevent compromise of statistical databases from which users can obtain
only aggregate statistics rather than the values of individual data items.
b) Batch Report Design Controls - should comply with the control procedures laid down for them during the
output process.
Concept Problem 43
Differentiate between Processor Registers and Cache Memory.
Answer
The differences between Processor Registers and Cache memory are provided in the table below:
Processor Registers Cache Memory

These are high speed memory units It is a fast memory built into computer’s CPU and is used to
within CPU for storing small amount of reduce the average time to access data from the main memory.
data (mostly 32 or 64 bits). The data that is stored within a cache might be values that have
been computed earlier or duplicates of original values that are
stored elsewhere.
The registers are the only memory units Cache memory is an interface between CPU and Main storage. It
most processors can operate on directly. is not directly accessible for operations.
Concept Problem 44
Distinguish between Connection Oriented and Connection less Networks.
3. C A S E S T U D Y B A S E D MCQ I – S TU D Y M A T E R IA L
In 2017, XYZ Systems had shifted to the SQL Server Relational Database Management System from the
previously used IBM Information Management System which used a hierarchical database model to create a
well-organized database to store organizational data.
On acquiring a good number of global clients and keeping in view the increased number, complexity of the
overseas transactions and the management’s need for periodic performance analysis; XYZ Systems planned
to leverage the benefit of data warehouse whereas the research team suggested the implementation of Big
data. However, XYZ Systems did not implement suitable security controls and hence recently faced data
security breach which led to the unauthorized manipulation of certain confidential data. This resulted in XYZ
P a g e | 85
Systems paying a substantial amount as compensation and loss of a major client.

Consequently, XYZ Systems has now implemented varied controls starting from strict password management
to high level access controls and monitoring mechanism ensuring that there are no further data security
issues.
Answer the following Questions:
1 The XYZ Systems initially used IBM Information Management system which used a hierarchical
database model. Which type of relationship is not supported by such database model?
(i) One-to-One
(ii) Many-to-One
(iii) One-to-Many
(iv) None of the above
2 The XYZ Systems recently shifted to the SQL Server DBMS from the IBM Information Management
system that it previously used. Under which aspect, the SQL Server differs from IBM Information
Management System?
(i) One-to-one relationship
(ii) One-to-many relationship
(iii) Relational Database structure
3 Which among the following is not an advantage of the SQL Server DBMS?
(i) Data Sharing
(ii) Data Redundancy
(iii) Program and File consistency
4 To ensure that the communication between their private network and public network is secured, one of
the step taken by XYZ Systems are to install firewall. The installation of firewall is type of control.
(i) Preventive
(ii) Corrective
(iii) Detective
5 XYZ Systems made its access privileges more stringent so as to prevent unauthorized users gaining entry
into secured area and also minimum entry granted to users based on their job requirements. Which of
the following Logical Access control covers this aspect?
(i) Operating System Access Control
(ii) Network Access Controls
(iii) User Access Management
(iv) Application and Monitoring System control
6 Based on the risk assessment by the audit team, the management of XYZ Systems decided to specify
the exact path of the internet access by routing the internet access by the employees through a firewall
and proxy. This is referred to as _.
86 | P a g e
(i) Encryption
(ii) Enforced Path
(iii) Call Back Devices
(iv) None of these
4. C A S E S T U D Y B A S E D MCQ 2 – S TU D Y M A TE RIA L
Bianc Computing Ltd. has implemented a set of controls including those with respect to security, quality
assurance and boundary controls to ensure that the development, implementation, operation and
maintenance of information systems takes place in a planned and controlled manner. It has also ensured
that logs are designed to record activity at the system, application, and user level.
Along with the implementation of controls and maintenance of logs, it has approached a leading firm of IS
auditors to conduct a comprehensive audit of its controls. Within the organization also, it has opened new job
roles and has hired people with the required skill sets for the same.
1 The team of network engineers of Bianc Computing Ltd. recommended certain controls to be
implemented in the organization to bridge the rate of data reception and transmission between two
nodes. Which types of controls are being referred to here?
(i) Link Controls
(ii) Flow Controls
(iii) Channel Access Controls
(iv) Line Error Controls
2 Which control is used to ensure that the user can continue working, while the print operation is getting
completed? This is known as ________.
(i) Printing Controls
(ii) Spooling File Control
(iii) Spoofing File Control
(iv) Print-Run-to Run Control Totals
3 Bianc Computing Ltd. has also opened up new job roles and has hired persons with the required skill sets
for the same as given below.
Job Role Person Responsible

1. Developing logical and physical designs of data models (a) Operations Manager
2. Providing front line user support services (b) Security Analyst
3. Staffing of resources for upcoming projects. (c) Database Architect
4. Examining logs from firewalls, and providing security (d) Help Desk Analyst
advisories
5. Performing maintenance and configuration operations on (e) Systems Analyst
systems.
6. Build and maintain network devices such as routers, (f) System Administrator
switches etc.
7. Developing technical requirements, program design, and (g) Network Engineer
software test plans
P a g e | 87
Identify the right match to the job roles assigned and the responsible persons for the job role.
i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)
ii) 1(d), 2(b), 3(c), 4(g), 5(f), 6(a), 7(e)
iii) 1(e), 2(b), 3(c), 4(g), 5(a), 6(f), 7(d)
iv) 1(g), 2(f), 3(e), 4(d), 5(c), 6(b), 7(a)
Answer Key
MCQ 1 1. (ii) 2. (iii) 3. (ii) 4. (i) 5. (iii) 6. (ii)

MCQ 2 1. (ii) 2. (ii) 3. (i)
88 | P a g e
E-Commerce, M-Commerce & Emerging Technologies May 22
C HAPTER 4
E-C OMMERCE , M-C OMMERCE & E MERGING T ECHNOLOGIES
The key is to keep Company

only with people who uplift
you, whose presence calls
forth your best.
Coverage
Concept Problem 1
Define the following:

i) E- Commerce
ii) M-Commerce
iii) Machine learning
iv) Bring Your Own Device (BYOD)
v) Grid Computing Security
Answer
i) E-Commerce:
It is the process of doing business electronically. It refers to the use of technology in the form of
P a g e | 89
May 22 E-Commerce, M-Commerce & Emerging Technologies
Computers, Desktops, Mobile Applications, etc. to enhance the processing of commercial transactions
between a company, its customers and its business partners.
It involves the automation of a variety of Business-To-Business (B2B) and Business-To-Consumer

(B2C) transactions through reliable and secure connections.
ii) M-commerce (mobile commerce):

It is the buying and selling of goods and services through wireless handheld devices such as cellular
telephone and Personal Digital Assistants (PDAs). M-commerce enables users to access the Internet
without needing to find a place to plug in.
The key growth in the mobile e-Commerce sector in recent years has been in through so-called Apps.
Apps, short for Mobile Applications, are small piece of software developed specifically for the operating
systems of handheld devices such as mobile phones, PDAs and Tablet computers.
iii) Machine Learning:

It is the learning in which machine can learn by its own without being explicitly programmed. It is an
application of AI that provides system the ability to automatically learn without being explicitly
programmed. Machine learning is the science and art of programming computers so that they can
learn from data.
For example, spam filter is a machine learning program that can learn to flag spam e-mails and
regular e-mails by automatically learning the words or phrases which are good predicators of spam by
detecting unusually frequent pattern of words in the spam.
iv) BYOD (Bring Your Own Device):

It refers to business policy that allows employees to use their preferred computing devices, like smart
phones and laptops for business purposes.
It means employees are welcome to use personal devices (laptops, smart phones, tablets etc.) to
connect to the corporate network to access information and application.
v) Grid Computing Security:

Grid Computing is highly collaborative and distributed computing model. It involves various inter-
connected domains with each domain consisting of its own computational, storage and communication
resources. Each domain is independently administered and free to deploy different technologies.
To develop security architecture, following constraints are considered.
i) Single Sign-on: A user should authenticate once and they should be able to acquire resources, use
them, and release them and to communicate internally without any further authentication.
ii) Protection of Credentials: User passwords, private keys, etc. should be protected.
iii) Interoperability with local security solutions: Access to local resources should have local security
policy at a local level. Despite of modifying every local resource there is an inter- domain security
server for providing security to local resource.
iv) Exportability: The code should be exportable i.e.; they cannot use a large amount of encryption at
90 | P a g e
a time. There should be a minimum communication at a time.
v) Support for secure group communication: In a communication, there are number of processes which
coordinate their activities. This coordination must be secure and for this there is no security
policy.
vi) Support for multiple implementations: There should be a security policy which should provide
security to multiple sources based on public and private key cryptography.
Concept Problem 2
Explain various components that are involved in an E-Commerce.
Or
DEF is a car battery manufacturing company which intends to provide online business to its customers.
Briefly explain various components involved in any e-Commerce transaction.
Answer
Various components of e-Commerce transaction are as follows:
i) User: This may be individual / organization or anybody using the e-commerce platforms. As e-
commerce, has made procurement easy and simple, just on a click of button, e-commerce vendors
need to ensure that their products are not delivered to wrong users.
ii) E-commerce Vendors: This is the organization / entity providing the user, goods/ services asked for. E-
commerce vendors further needs to ensure Suppliers and Supply Chain Management, Warehouse
operations, Shipping and returns, e- Commerce catalogue and product display, Marketing and loyalty
programs, Showroom and offline purchase, different ordering Methods, Guarantees, Privacy Policy and
Security etc. for better, effective and efficient transaction.
iii) Technology Infrastructure: The computers, servers, database, mobile apps, digital libraries, data
interchange enabling the e-commerce transactions.
▪ Computers, Servers and Database: These are the backbone for the success of the venture. Big e-
commerce organization invest huge amount of money/time in creating these systems.
▪ Mobile Apps: A mobile app is a software application programmed to run specifically on a mobile
device. Smartphones and tablets have become a dominant form of computing, with many more
smartphones being sold than personal computers.
▪ Digital Library: A Digital Library is a special library with a focused collection of digital objects
that can include text, visual material, audio material, video material, stored as electronic media
formats, along with means for organizing, storing, and retrieving the files and media contained
in the library collection.
▪ Data Interchange: Data Interchange is an electronic communication of data. For ensuring the
correctness of data interchange between multiple players in e-commerce, business specific
protocols are being used. There are defined standards to ensure seamless / exact communication
in e-commerce.
iv) Internet/Network: This is the key to success of e-commerce transactions. Internet connectivity is
important for any e-commerce transactions to go through. The faster net connectivity leads to better
P a g e | 91
e-commerce. At a global level, it is linked to the countries capability to create a high-speed network.
v) Web portal: This shall provide the interface through which an individual/ organization shall perform e-
commerce transactions. Web Portal is an application through which user interacts with the e-
commerce vendor. The front end through which user interacts for an e-commerce transaction. These
web portals can be accessed through desktops/laptops/PDA/hand-held computing devices/mobiles and
now through smart TVs also.
vi) Payment Gateway: Payment gateway represents the way e-commerce vendors collects their
payments. These assures seller of receipt of payment from buyer of goods/services from e-commerce
vendors. Presently numerous methods of payments by buyers to sellers are being used, including Credit
/ Debit Card Payments, Online bank payments, Vendors own payment wallet, Third Party Payment
wallets, Cash on Delivery (Cod) and Unified Payments Interface (UPI).
Concept Problem 3
Discuss the architectures of Networked Systems.

Or
E-commerce runs through different network-connected systems that can have two types of architecture
namely Two-Tier Architecture and Three – Tier Architecture. Determine the differences between both.
Answer
E-commerce runs through network-connected systems. Networked systems can have two types of
architecture namely;
i) Two tier, and

ii) Three tier.
Two Tier Client Server: In a Two-tier network, client (user) sends request to Server and the Server responds
to the request by fetching the data from it. The Two-tier architecture is divided into two tiers -
Presentation Tier and Database Tier.
Two Tier Client Server Architecture
i) Presentation Tier (Client Application/Client Tier): This is the interface that allows user to interact with
the e-commerce / m-commerce vendor. User can login to an e-commerce vendor through this tier. This
application also connects to database tier and displays the various products / prices to customers.
ii) Database Tier (Data Tier): The product data / price data / customer data and other related data are
92 | P a g e
kept here. User has not access to data / information at this level but he/she can display all data /
information stored here through application tier.
Three Tier Client Server: Three-tier architecture is a software design pattern and well- established software
architecture. Its three tiers are the Presentation Tier, Application Tier and Data Tier. Three-tier architecture is
a client-server architecture in which the functional process logic, data access, computer data storage and
user interface are developed and maintained as independent modules on separate platforms. The three-tier
architecture are as follows:
Three Tier Client Server Architecture

i) Presentation Tier: Occupies the top level and displays information related to services available on a
website. This tier communicates with other tiers by sending results to the browser and other tiers in
the network.
ii) Application Tier: Also, called the Middle Tier, Logic Tier, Business Logic or Logic Tier; this tier is pulled
from the presentation tier. It controls application functionality by performing detailed processing. In
computer software, business logic or domain logic is the part of the program that encodes the real-
world business rules that determine how data can be created, displayed, stored, and changed.
iii) Database Tier: This tier houses the database servers where information is stored and retrieved. Data in
this tier is kept independent of application servers or business logic. The Data Tier includes the data
persistence mechanisms (database servers, file shares, etc.) and the data access layer that
encapsulates the persistence mechanisms and exposes the data. The data access layer should provide
an Application Programming Interface (API) to the application tier that exposes methods of managing
the stored data without exposing or creating dependencies on the data storage mechanisms. Avoiding
dependencies on the storage mechanisms allows for updates or changes without the application tier
clients being affected by or even aware of the change.
Concept Problem 4
Differentiate Traditional Commerce and E- Commerce.
Answer
P a g e | 93
Difference between Traditional Commerce and E-Commerce (Any six)
Base for Traditional commerce E-commerce

comparison
Definition Traditional commerce includes all those E-Commerce means carrying out
activities which encourage exchange of commercial transactions or exchange of
goods/services which are manual. information, electronically on the internet.
Location It requires a marketplace to operate. It requires market-space. It is important
Generally, it is preferred to set-up stores at that website should be highly visible and
locations where there is little competition easy to find. Placement of links to the
and the location is convenient for both website is an important determinant of
customers and the owners. traffic.
Size Type of items, size of items, and the number Size of business model is also influenced
of customers influence the size of the store. by products and customers. Online stores
Stores expecting heavy traffic need to choose expecting heavy traffic need enough
a location with adequate parking and large bandwidth, processing power, and data
enough entrances and walkways. storage capacity to provide proper service.
Marketing Stores have a physical presence and are Have to invest more money, time and
known to potential customers. They do not effort to acquire a new customer. They
have to spend much to acquire new have to advertise their presence more
customers as compared to online companies. aggressively on internet. This is also called
This is also called as One-way marketing. as One-to-one marketing
Transaction Manual Electronically
Processing
Availability for For limited time. This time may be defined by 24×7×365
commercial law. Like special stores which may run 24 hrs,
transactions but in general available for limited time.
Nature Goods can be inspected physically before Goods cannot be inspected physically
purchase purchase. before purchase.
Customer Face-to-face Screen-to-face
interaction
Business Limited to particular area Worldwide reach
Scope
Information No uniform platform for exchange of Provides a uniform platform for
exchange information. information exchange.
Resource Supply side Demand side
focus
Payment Cash, cheque, credit card, etc. Credit card, fund transfer, Cash in Delivery,
Payment Wallets, UPCI application etc.
Delivery goods Instantly Takes time, but now e-Commerce websites
have created options of same day delivery,
94 | P a g e
Base for Traditional commerce E-commerce

comparison
or delivery within 4 hours.
Fraud Relatively lesser as there is personal Lack of physical presence in markets and
interaction between the buyer and the seller. unclear legal issues give loopholes for
frauds.
Concept Problem 5
A business model is the mechanism by which a business intends to generate revenue and profits. Explain the
different e-commerce business models.
Answer
Business Model can be defined as the organization of product, service and information flows, and the sources
of revenues and benefits for suppliers and customers.
An e-business model is the adaptation of an organization’s business model to the internet economy.
i) Business-to- Consumer (B2C)
B2C is typically used to refer to online retailers who sell products and services to consumers through
the Internet. Generally, this supports the activities within the consumer chain that focuses on sell-side
activities.
This may involve Direct Sellers like www.cisco.com; Online intermediaries like www.amazon.com; and
Communities built around shared interests like photography, cooking etc. www.cookingmatters.com
ii) Business-to- Business (B2B)

This supports the supply chain of organizations that involves commerce between a company and its
suppliers or other partners. A website sells its products to an intermediate buyer who then sells the
product to the final customer. Example - www.indiamart.com
iii) Consumer- to- Consumer (C2C)

With C2C e-business model, consumers sell directly to other consumers via on-line classified ads and
auctions, or by selling personal services and expertise online. In this model, revenue streams are
typically matching buyers with sellers and vice versa. Example - www.olx.in
iv) Consumer to Business (C2B)

In this model, consumers set prices and companies bid to offer products and services. The comparison
of interest rates of personal loan/car loan provided by various banks via websites. The consumer places
an estimate of amount he/she wants to spend on hiring a service for personal loan. A business
organization who fulfills the consumer's requirement within the specified budget, approaches the
customer and provides its services. Example-www.bankbazar.com
v) Consumer to Government (C2G)

This covers all the e-commerce transaction between consumers and government. Example -
www.incometaxindia.gov.in
vi) Government to Consumer (G2C)

This allows consumers to provide feedback or ask information about government authority from public
P a g e | 95
sector. Consumers can reach higher authority without going around in cities. The aim is to reduce the
average time for fulfilling citizen’s requests for various government services.
Services including land searches, confirmation of genuine licenses and vehicle ownership searches.
Disputes such as non-payment of tax or tax refunds are resolved through online support on the
Government platforms. Example – e-Seva (Andhra Pradesh)
vii) Business to Government (B2G)

B2G model is a variant of B2B model. Such websites are used by governments to trade and exchange
information with various business organizations. Such websites are accredited by the government and
provide a medium to businesses to submit application forms to the government. For example –
Business pay taxes, file reports, or sell goods and services to Government agencies.
Concept Problem 6
Explain the different steps followed by the user in buying goods online.
Or
A customer X intends to place an order for an electric cooker on an online portal ABC.com. With the help of
the diagram, determine the general workflow of the E-Commerce transaction that will take place.
Or
Ms. Neha is the owner of a consultant company named JKL Ltd. On Diwali, she decided to offer Brass
bottle as Diwali gift to each staff member. She placed an order of 20 bottles from online portal. Explain
the different steps involved in this e-commerce transaction in buying the bottles online.
Answer
The work flow Diagram/ Different steps for any E-Commerce transaction is as follows:
Description of E-Commerce Work Flow Diagram is as follows:

Step 1 - Customers Login: Few e-commerce merchants may allow same transactions to be done through
phone, but the basic information flow is e-mode.
Step 2 - Product / Service: Customer selects products / services from available options.
Step 3 - Customer Places: Order is placed for selected product / service by customer. This step leads to next
important activity ‘Payment Gateway’.
96 | P a g e
Step 4 - Payment Gateway: Customer selects the payment method. In case payment methods is other than
Cash on Delivery (COD), the merchant gets the update from payment gateway about payment realization
from customer. In case of COD, e- commerce vendor may do an additional check to validate customer.
Step 5 - Dispatch and Shipping Process: This process may be executed at two different ends. First if
product / service inventory is managed by e-commerce vendor, then dispatch shall be initiated at
merchant warehouse. Second, many e-commerce merchants allow third party vendors to sale through
merchant websites.
Step 6 - Delivery Tracking: Another key element denoting success of e-commerce business is timely
delivery. Merchants keep a track of this. All merchants have provided their delivery staff with hand held
devices, where the product / service delivery to customers are immediately updated.
Step 7 - COD Tracking: In case products are sold on COD payment mode, merchants need to have additional
check on matching delivery with payments.
Concept Problem 7
Discuss various risks associated with E-Commerce transactions that are high as compared to general Internet
activities?
Or
Mr. X is the Chief Manager of XYZ company; a well-known brand in the field of footwear. He suggested the
Board members of company to adopt the model of e- Business to meet out the demand of today’s
competitive world. The Board members asked him to present a report pertaining to pros and cons of the
same in next board meeting. Though he is well aware about the benefits of the same, help Mr. X to jot
down all the risks associated with e-Business Environment.
Or
DJY is a brand in the field of online supplier of kids’ apparels. As we know that risks associated with e-
commerce transactions are high as compared to general internet activities, what do you think are the risks
that DJY is addressing due to its online transactions?
Answer
The risks associated in E-Business Environment are as follows:
i) Privacy and Security: There are often issues of security and privacy due to lack of personalized digital
access and knowledge.
ii) Quality issues: There are quality issues raised by customers as the original product differs from the
one that was ordered.
iii) Delay in goods and Hidden Costs: When goods are ordered from another country, there are hidden costs
enforced by Companies.
iv) Needs Access to internet and lack of personal touch: The e-commerce requires an internet connection
which is extra expensive and lacks personal touch.
v) Security and credit card issues: There is cloning possible of credit cards and debit cards which pose a
security threat.
vi) Infrastructure: There is a greater need of not only digital infrastructure but also network expansion of
P a g e | 97
roads and railways which remains a substantial challenge in developing countries.
vii) Problem of anonymity: There is need to identify and authenticate users in the virtual global market
where anyone can sell to or buy from anyone, anything from anywhere.
viii) Repudiation of contract: There is possibility that the electronic transaction in the form of contract,
sale order or purchase by the trading partner or customer maybe denied.
ix) Lack of authenticity of transactions: The electronic documents that are produced during an e-
Commerce transaction may not be authentic and reliable.
x) Data Loss or theft or duplication: The data transmitted over the Internet may be lost, duplicated,
tampered with or replayed.
xi) Attack from hackers: Web servers used for e-Commerce maybe vulnerable to hackers.
xii) Denial of Service: Service to customers may be denied due to non-availability of system as it may be
affected by viruses, e-mail bombs and floods.
xiii) Non-recognition of electronic transactions: e-Commerce transactions, as electronic records and digital
signatures may not be recognized as evidence in courts of law.
Concept Problem 8
What are the ways of protecting your e-Commerce business from intrusion?
Answer
E-Commerce business can be protected from intrusion using following methods:
i) Viruses: Check your website daily for viruses, the presence of which can result in the loss of valuable
data.
ii) Hackers: Use software packages to carry out regular assessments of how vulnerable your website is to
hackers.
iii) Passwords: Ensure employees change these regularly and that passwords set by former employees of
your organization are defunct.
iv) Regular software updates: The site should always be up to date with the newest versions of security
software. If it is not done, the website will become vulnerable to attack.
v) Sensitive data: This involves considering the encryption of financial information and other confidential
data (using encryption software). Hackers or third parties will not be able to access encrypted data
without a key. This is particularly relevant for any e-Commerce sites that use a shopping cart system.
vi) Know the details of your payment service provider contract.
Concept Problem 9
Explain the important provisions of IT Act 2000 related to e-commerce.
Answer
From the perspective of e-commerce in India, the Information Technology Act, 2000 contains following
98 | P a g e
important provisions:
i) Section 4 of the IT Act provides for “legal recognition of electronic records”. It provides that where any
law requires that any information or matter should be in writing or in the typewritten or printed form,
then such requirement shall be deemed to be satisfied if it is in an electronic form.
The implications for the e-businesses would be that email would now be a valid and legal form of
communication in India that can be duly produced and approved in a court of law.
ii) Section 3 of the IT Act contains provisions related to authentication of electronic records by affixing
digital signature. The section provides the conditions subject to which an electronic record may be
authenticated by means of affixing digital signature.
The Act has given a legal definition to the concept of secure digital signatures. Companies shall now be
able to carry out electronic commerce using the legal infrastructure provided by the Act. Digital
Signatures have been given legal validity and sanction in the IT Act, 2000.
iii) The Act throws open the doors for the entry of corporate companies in the business of being Certifying
Authorities for issuing Digital Signatures Certificates.
iv) The Act now allows Government to issue notification on the web thus heralding e-governance.
v) Section 6 of the IT Act lays down the foundation of Electronic Governance. It provides that the filing of
any form, application or other documents, creation, retention or preservation of records, issue or grant of
any license or permit or receipt or payment in Government offices and its agencies may be done
through the means of electronic form.
vi) The IT Act also addresses the important issues of security which are so critical to the success of
electronic transactions. Section 14 of the IT Act relates to secure electronic record and provides that
where any security procedure has been applied to an electronic record at a specific point of time, then
such record shall be deemed to be a secure electronic record from such point of time to the time of
verification.
vii) Section 15 provides for the security procedure to be applied to Digital Signatures for being treated as a
secure digital signature.
Concept Problem 10
Subsequent to demonetization, one of your elderly neighbour, who was using traditional digital methods of
making payments like cards, net banking etc., asked for your help to know about the various new methods of
Digital Payments. Identify and explain various new methods of Digital Payments for him.
Answer
Some of the new methods of Digital Payments are as follows:
i) Unified Payment Interface (UPI) Apps
ii) Immediate Payment Service (IMPS)
iii) BHIM (Bharat Interface for Money) - Mobile App
iv) Mobile Wallets
v) Aadhar Enabled Payment Service (AEPS)
P a g e | 99
vi) Unstructured Supplementary Service Data (USSD)

vii) Crypto currency
viii) Mobile Banking
The explanation of these Digital Payments is as follows:

i) Unified Payment Interface (UPI): UPI is a payment mode which is used to make fund transfers
through the mobile app. UPI App is a system that powers multiple bank accounts of participating
banks, several banking services features like fund transfer, and merchant payments in a single mobile
application. User can transfer funds between two accounts using UPI Apps. User must register for
mobile banking to use UPI apps.
ii) Immediate Payment Service (IMPS): It is an instant interbank electronic fund transfer service through
mobile phones. It is also being extended through other channels such as ATM, Internet Banking, etc.
iii) Mobile Apps: BHIM (Bharat Interface for Money) is a Mobile App developed by National Payments
Corporation of India (NPCI) based on UPI (Unified Payment Interface). It facilitates e-payments
directly through banks and supports all Indian banks which use that platform. It is built on the
Immediate Payment Service infrastructure and allows the user to instantly transfer money between
the bank accounts of any two parties. BHIM works on all mobile devices and enables users to send or
receive money to other UPI payment addresses.
iv) Mobile Wallets: It is defined as Virtual wallets that stores payment card information on a mobile
device. Mobile Wallets provide a convenient way for a user to make in-store payments and can be used
that merchants listed with the mobile wallet service providers. There are mobile wallets like Paytm,
Freecharge, Buddy, Mobikwik etc. Some of these are owned by banks and some are owned by private
companies.
v) Aadhar Enabled Payment Service (AEPS): AEPS is an Aadhaar based digital payment mode. Customer
needs only his or her Aadhaar number to pay to any merchant. AEPS allows bank to bank transactions
which means the money that you pay will be deducted from your account and credited to the payee’s
account directly. Customers will need to link their AADHAR numbers to their bank accounts. APES once
launched can be used at POS terminals also.
vi) Unstructured Supplementary Service Data (USSD): A revolutionary idea, where to make payments
through mobiles there is neither need for internet nor any smart phone. USSD banking or *99# Banking
is a mobile banking based digital payment mode. User does not need to have a smartphone or internet
connection to use USSD banking. S/he can easily use it with any normal feature phone. USSD banking
is as easy as checking of mobile balance. S/he can use this service for many financial and non-
financial operations such as checking balance, sending money, changing Mobile Banking Personal
Identification number (MPIN) and getting Mobile Money Identifier (MMID).
vii) Cryptocurrency: Cryptocurrency is another electronic payment method that is steadily growing in
popularity. Cryptocurrency is a digital currency produced by a public network, rather than any
government, that uses cryptography to ensure that payments are sent and received safely. A
cryptocurrency is a medium of exchange wherein records of individual coin ownership are stored in a
computerized database using strong cryptography.
100 | P a g e
Cryptocurrency is called so because all the data is ensured with strong cryptography. The strong
cryptography makes it almost impossible to counterfeit or double spend. Cryptocurrency is completely
decentralized, which means that there are no servers involved and no central controlling authority.
Cryptocurrency is a digital money which does not involve any physical coin. Since it is all online, the
user can transfer cryptocurrency to someone online without going to the bank. It can be used for
making quick payments without any transaction fees. Cryptocurrency is stored in a digital wallet
either on the computer or on other hardware.
The first cryptocurrency was Bitcoin which was launched in 2009. The other cryptocurrencies
prevailing in the world today include Litecoin, Peercoin, Namecoin, as well as Ethereum.
viii) Mobile Banking:

It is a service provided by a bank or other financial institution that allows its customers to conduct
different types of financial transactions remotely using a mobile device such as a mobile phone or
tablet. It uses software, usually called an app, provided by the banks or financial institution for the
purpose. Each Bank provides its own mobile banking App for Android, Windows and iOS mobile
platform(s).
Concept Problem 11
What do you mean by “Cloud Computing”? Discuss its characteristics.
Answer
“The Cloud” refers to applications, services, and data storage on the Internet. These service providers rely
on giant server farms and massive storage devices that are connected via Internet protocols. Cloud
Computing is the use of these services by individuals and organizations.
Cloud Computing is both, a combination of software and hardware-based computing resources delivered as
a networked service.
For example, if you access your e-mail via your web browser, you are using a form of cloud computing. If
you use Google Drive’s applications, you are using cloud computing.
Characteristics of Cloud Computing

The following is a list of characteristics of a cloud-computing environment. Not all characteristics may be
present in a specific cloud solution. However, some of the key characteristics are given as follows:
i) Elasticity and Scalability: Cloud computing gives us the ability to expand and reduce resources
according to the specific service requirement.
For example, we may need a large number of server resources for the duration of a specific task. We
can then release these server resources after we complete our task.
ii) Pay-per-Use: We pay for cloud services only when we use them, either for the short term (for example,
for CPU time) or for a longer duration (for example, for cloud-based storage or vault services).
iii) On-demand: Because we invoke cloud services only when we need them, they are not permanent parts
of the IT infrastructure.
This is a significant advantage for cloud use as opposed to internal IT services. With cloud services,
there is no need to have dedicated resources waiting to be used, as is the case with internal services.
P a g e | 101
iv) Resiliency: The resiliency of a cloud service offering can completely isolate the failure of server and
storage resources from cloud users. Work is migrated to a different physical resource in the cloud with
or without user awareness and intervention.
v) Multi Tenancy: Public cloud service providers often can host the cloud services for multiple users within
the same infrastructure. Server and storage isolation may be physical or virtual depending upon the
specific user requirements.
vi) Workload Movement: This characteristic is related to resiliency and cost considerations. Here, cloud-
computing providers can migrate workloads across servers both inside the data center and across data
centers (even in a different geographic area).
This migration might be necessitated by cost (less expensive to run a workload in a data center in
another country based on time of day or power requirements) or efficiency considerations (for
example, network bandwidth).
A third reason could be regulatory considerations for certain types of workloads.
vii) Wide Range of Network Access Capacities: Resources are available to customers through a network and
can be accessed from different devices such as desktop computers, mobile phones, smartphones and
tablet devices.
Concept Problem 12
Explain the different types of clouds in Cloud Computing.
Answer
The Cloud Computing environment can consist of multiple types of clouds based on their deployment and
usage.
i) Private Cloud:
This cloud computing environment resides within the boundaries of an organization and is used
exclusively for the organization’s benefits. These are also called Internal Clouds or Corporate Clouds.
Private Clouds can either be private to the organization and managed by the single organization (On-
Premise Private Cloud) or can be managed by third party (Outsourced Private Cloud).
They are built primarily by IT departments within enterprises, who seek to optimize utilization of
infrastructure resources within the enterprise by provisioning the infrastructure with applications using
the concepts of grid and virtualization.
ii) Public Cloud:

The public cloud is the cloud infrastructure that is provisioned for open use by the general public. It
may be owned, managed, and operated by a business, academic, or government organizations, or some
combination of them.
Typically, public clouds are administrated by third parties or vendors over the Internet, and the
services are offered on pay-per-use basis.
These are also called Provider Clouds. Public cloud consists of users from all over the world wherein a
102 | P a g e
user can simply purchase resources on an hourly basis and work with the resources which are available
in the cloud provider’s premises.
iii) Hybrid Cloud:

This is a combination of both at least one private (internal) and at least one public (external) cloud
computing environments - usually, consisting of infrastructure, platforms and applications. The usual
method of using the hybrid cloud is to have a private cloud initially, and then for additional resources, the
public cloud is used.
The hybrid cloud can be regarded as a private cloud extended to the public cloud and aims at utilizing the
power of the public cloud by retaining the properties of the private cloud.
iv) Community Cloud:

The community cloud is the cloud infrastructure that is provisioned for exclusive use by a specific
community of consumers from organizations that have shared concerns (e.g., mission security
requirements, policy, and compliance considerations). It may be owned, managed, and operated by
one or more of the organizations in the community, a third party or some combination of them, and it
may exist on or off premises.
In this, a private cloud is shared between several organizations. This model is suitable for organizations
that cannot afford a private cloud and cannot rely on the public cloud either.
Concept Problem 13
Discuss various components of Mobile Computing and also the benefits of Mobile Computing.
Answer
Key components of Mobile Computing are as follows:
a) Mobile Communication: This refers to the infrastructure put in place to ensure that seamless and
reliable communication goes on. This would include communication properties, protocols, data formats
and concrete technologies.
b) Mobile Hardware: Mobile Hardware includes mobile devices or device components that receive or access
the service of mobility.
They would range from Portable laptops, Smart Phones, Tablet PCs, and Personal Digital Assistants
(PDA) that use an existing and established network to operate on.
The characteristics of mobile computing hardware are defined by the size and form factor, weight,
microprocessor, primary storage, secondary storage, screen size and type, means of input, means of
output, battery life, communications capabilities, expandability and durability of the device.
c) Mobile Software: Mobile Software is the actual programme that runs on the mobile hardware and deals
with the characteristics and requirements of mobile applications. It is the operating system of that
appliance and is the essential component that makes the mobile device operates.
Mobile applications popularly called Apps are being developed by organizations for use by customers
but these apps could represent risks, in terms of flow of data as well as personal identification risks,
introduction of malware and access to personal information of mobile owner.
Benefits of Mobile Computing
P a g e | 103
In general, Mobile Computing is a versatile and strategic technology that increases information quality and
accessibility, enhances operational efficiency, and improves management effectiveness.
But, more specifically, it leads to a range of tangible benefits, including the following:
i) It provides mobile workforce with remote access to work order details, such as work order location,
contact information, required completion date, asset history relevant warranties/service contracts.
ii) It enables mobile sales personnel to update work order status in real- time, facilitating excellent
communication.
iii) It facilitates access to corporate services and information at any time, from anywhere.
iv) It provides remote access to the corporate Knowledge base at the job location. It enables to improve
management effectiveness by enhancing information quality, information flow, and ability to control
a mobile workforce.
Concept Problem 14
Discuss some best practices of Green Computing.

Or
Considering the Covid situation nowadays, there has been a paradigm shift on the usage of electronic devices
like servers, laptops, tablets, storage devices and various networking and communication devices like routers
etc. Thus, arises the dire need to have relevant reforms to reduce the use of hazardous materials and
importance of recyclability or biodegradability of these defunct products and factory waste. The said
objective is achieved using Green Computing Best Practices. Elaborate some practices of these in detail.
Answer
Some of best practices of Green Computing is as follows:
i) Develop a sustainable Green Computing plan
▪ Involve stakeholders to include checklists, recycling policies, recommendations for disposal of used
equipment, government guidelines and recommendations for purchasing green computer equipment in
organizational policies and plans;
▪ Encourage the IT community for using the best practices and encourage them to consider green
computing practices and guidelines.
▪ On-going communication about commitment to green IT best practices to produce notable results.
▪ Include power usage, reduction of paper consumption, as well as recommendations for new equipment
and recycling old machines in organizational policies and plans; and
▪ Use cloud computing so that multiple organizations share the same computing resources thus
increasing the utilization by making more efficient use of hardware resources.
ii) Recycle
▪ Dispose e-waste according to central, state and local regulations;
▪ Discard used or unwanted electronic equipment in a convenient and environmentally responsible
104 | P a g e
manner as computers emit harmful emissions;
▪ Manufacturers must offer safe end-of-life management and recycling options when products become
unusable; and
▪ Recycle computers through manufacturer’s recycling services.
iii) Make environmentally sound purchase decisions
▪ Purchase of desktop computers, notebooks and monitors based on environmental attributes;

▪ Provide a clear, consistent set of performance criteria for the design of products;
▪ Recognize manufacturer efforts to reduce the environmental impact of products by reducing or
eliminating environmentally sensitive materials, designing for longevity and reducing packaging
materials; and
▪ Use Server and storage virtualization that can help to improve resource utilization, reduce energy costs
and simplify maintenance.
iv) Reduce Paper Consumption
▪ Reduce paper consumption by use of e-mail and electronic archiving;

▪ Use of “track changes” feature in electronic documents, rather than red line corrections on paper;
▪ Use online marketing rather than paper-based marketing; e-mail marketing solutions that are greener,
more affordable, flexible and interactive than direct mail; free and low-cost online invoicing solutions
that help cut down on paper waste; and
▪ While printing documents; make sure to use both sides of the paper, recycle regularly, use smaller
fonts and margins, and selectively print required pages.
v) Conserve Energy
▪ Use Liquid Crystal Display (LCD) monitors rather than Cathode Ray Tube (CRT) monitors;
▪ Develop a thin-client strategy wherein thin clients are smaller, cheaper, simpler for manufacturers to
build than traditional PCs or notebooks and most importantly use about half the power of a traditional
desktop PC;
▪ Use notebook computers rather than desktop computers whenever possible;

▪ Use the power-management features to turn off hard drives and displays after several minutes of
inactivity;
▪ Power-down the CPU and all peripherals during extended periods of inactivity;
▪ Try to do computer-related tasks during contiguous, intensive blocks of time, leaving hardware off at
other times;
▪ Employ alternative energy sources for computing workstations, servers, networks and data centers;
▪ Adapt more of Web conferencing instead of travelling to meetings in order to go green and save
energy.
Concept Problem 15
P a g e | 105
Mobile Computing is an important and rapidly evolving technology that allows users to transmit data from
remote location to other locations in mobility condition. Being a communication expert, identify the
limitations in current scenario that impede users to use this technology frequently.
or
Though Mobile computing is a versatile and strategic technology that increases information quality and
accessibility, however, it has its own limitations. Analyse them.
Answer
Limitations of Mobile Computing are as follows:
i) Insufficient Bandwidth: Mobile Internet access is generally slower than direct cable connections using
technologies such as General Packet Radio Service (GPRS) and Enhanced Data for GSM (Global System
for Mobile Communication) Evolution (EDGE), and 3G networks. These networks are usually available
within range of commercial cell phone towers. Higher speed wireless LANs are inexpensive but have very
limited range.
ii) Security Standards: When working mobile, one is dependent on public networks, requiring careful use of
Virtual Private Network (VPN). Security is a major concern while concerning the mobile computing
standards on the fleet. One can easily attack the VPN through a huge number of networks
interconnected through the line.
iii) Power consumption: When a power outlet or portable generator is not available, mobile computers must
rely entirely on battery power. Combined with the compact size of many mobile devices, this often
means unusually expensive batteries must be used to obtain the necessary battery life.
iv) Transmission interferences: Weather, terrain, and the range from the nearest signal point can all
interfere with signal reception. Reception in tunnels, some buildings, and rural areas is often poor.
v) Potential health hazards: People who use mobile devices while driving is often distracted from driving,
and are thus assumed more likely to be involved in traffic accidents. Cell phones may interfere with
sensitive medical devices. There are allegations that cell phone signals may cause health problems.
vi) Human interface with device: Screens and keyboards tends to be small, which may make them hard to
use. Alternate input methods such as speech or handwriting recognition require training.
Concept Problem 16
Write short note on the following terms:

a. Digital Library
b. Web Portal
Answer
a) Digital Library: A Digital Library is a special library with a focused collection of digital objects that
can include text, visual material, audio material, video material, stored as electronic media formats,
along with means for organizing, storing, and retrieving the files and media contained in the library
collection. Digital libraries can vary immensely in size and scope, and can be maintained by
individuals, organizations, or affiliated with established physical library buildings or institutions, or
106 | P a g e
with academic institutions. The digital content may be stored locally, or accessed remotely via
computer networks. An electronic library is a type of information retrieval system.
b) Web Portal: This shall provide the interface through which an individual / organization shall perform e-
commerce transactions. Web Portal is the application through which user interacts with the e-
commerce vendor. The front end through which user interacts for an e-commerce transaction. These
web portals can be accessed through desktops / laptops / PDA / handheld computing devices /
mobiles and now through smart TVs also.
Concept Problem 17
Discuss the concept of Virtualization and its various application areas.

Answer
Virtualization means to create a virtual version of a device or resource, such as a server, storage device,
network or even an operating system where the framework divides the resource into one or more execution
environments. Virtualization refers to technologies designed to provide a layer of abstraction between
computer hardware systems and the software running on them. By providing a logical view of computing
resources, rather than a physical view; virtualization allows its’ users to manipulate their systems’ operating
systems into thinking that a group of servers is a single pool of computing resources and conversely, allows its
users to run multiple operating systems simultaneously on a single machine.
Thus, the core concept of Virtualization lies in Partitioning, which divides a single physical server into
multiple logical servers. For example - Partitioning of a hard drive is considered virtualization because one
drive is partitioned in a way to create two separate hard drives. Devices, applications and human users can
interact with the virtual resource as if it were a real single logical resource.
Application Areas of Virtualization are as follows:

i) Server Consolidation: Virtual machines are used to consolidate many physical servers into fewer servers,
which in turn host virtual machines. Each physical server is reflected as a virtual machine “guest”
residing on a virtual machine host system. This is also known as “Physical-to-Virtual” or ‘P2V’
transformation.
ii) Disaster Recovery: Virtual machines can be used as “hot standby” environments for physical production
servers. This changes the classical “backup-and-restore” philosophy, by providing backup images that
can “boot” into live virtual machines, capable of taking over workload for a production server
experiencing an outage.
iii) Testing and Training: Virtualization can give root access to a virtual machine. This can be very useful
such as in kernel development and operating system courses.
iv) Portable Applications: Portable applications are needed when running an application from a removable
drive, without installing it on the system’s main disk drive. Virtualization can be used to encapsulate the
application with a redirection layer that stores temporary files, windows registry entries and other state
information in the application’s installation directory and not within the system’s permanent file
system.
v) Portable Workspaces: Recent technologies have used virtualization to create portable workspaces on
devices like iPods and USB memory sticks.
P a g e | 107
Concept Problem 18
Every business decision is accompanied with a set of threats and so is BYOD program. Explain the areas in
which the risks associated with BYOD program can be classified.
Answer
The risks associated with Bring Your Own Device (BYOD) program are classified as below:
i) Network Risks: It is normally exemplified and hidden in ‘Lack of Device Visibility’. When company-
owned devices are used by all employees within an organization, the organization’s IT practice has
complete visibility of the devices connected to the network. This helps to analyze traffic and data
exchanged over the Internet. As BYOD permits employees to carry their own devices (smart phones,
laptops for business use), the IT practice team is unaware about the number of devices being
connected to the network. As network visibility is of high importance, this lack of visibility can be
hazardous.
ii) Device Risks: It is normally exemplified and hidden in ‘Loss of Devices’. A lost or stolen device can
result in an enormous financial and reputational embarrassment to an organization as the device may
hold sensitive corporate information. Data lost from stolen or lost devices ranks as the top security
threats as per the rankings released by Cloud Security Alliance. With easy access to company emails
as well as corporate intranet, company trade secrets can be easily retrieved from a misplaced device.
iii) Application Risks: It is normally exemplified and hidden in ‘Application Viruses and Malware’. A related
report revealed that most employees’ phones and smart devices that were connected to the corporate
network weren’t protected by security software. With an increase in mobile usage, mobile
vulnerabilities have increased concurrently. Organizations are not clear in deciding that ‘who is
responsible for device security – the organization or the user’.
iv) Implementation Risks: It is normally exemplified and hidden in ‘Weak BYOD Policy’. The effective
implementation of the BYOD program should not only cover the technical issues mentioned above but
also mandate the development of a robust implementation policy. Because corporate knowledge and
data are key assets of an organization, the absence of a strong BYOD policy would fail to communicate
employee expectations, thereby increasing the chances of device misuse.
Concept Problem 19
Explain the pertinent issues involved in cloud computing implementation.
Answer
As an emerging technology, cloud computing involves several issues. Some of the pertinent issues related to
cloud computing are:
i) Threshold Policy: The main objective of implementing threshold policy is to inform cloud computing
service consumers and providers what they should do. Quite often, this policy does not exist. The only
legal document between the customer and service provider is the Service Level Agreement (SLA). This
document contains all the agreements between the customer and the service provider; it contains
what the service provider is doing and is willing to do.
108 | P a g e
However, there is no standard format for the SLA, and as such, there may be services not documented
in the SLA that the customer may be requiring in future. A carefully drafted threshold policy outlines
what cloud computing service consumers and providers should do. It is important to consider how the
cloud service provider will handle sudden increases or decreases in demand. How will unused resources
be allocated?
ii) Interoperability: If a company enters into a contract with one cloud computing vendor, it may find it
difficult to change to another computing vendor that has proprietary APIs (application programming
interfaces) and different formats for importing and exporting data. Industry cloud computing
standards do not exist for APIs or formats for importing/exporting data.
This creates problems of achieving interoperability of applications between two cloud computing
vendors. Once a company is locked in with one cloud provider, it is not easy to move an entire
infrastructure to other clouds. Moreover, each cloud provider offers a unique set of services and tools for
operating and controlling its cloud. Learning a new cloud environment is similar to learning a new
technology.
iii) Hidden Costs: Such costs may include higher network charges for storage and database applications,
or latency issues for users who may be located far from cloud service providers.
iv) Unexpected Behaviour: An application may perform well at the company’s internal data centre. It does
not necessarily imply that the application will perform the same way in the cloud. Therefore, it is
essential to test its performance in the cloud for unexpected behaviour. Testing may include checking
how the application allocates resources on sudden increase in demand for resources and how it
allocates unused resources.
v) Security Issues: Cloud computing infrastructures use new technologies and services, most which have
not been fully evaluated with respect to security. The important security issues with cloud computing
are:
a) the management of the data might not be fully trustworthy;

b) the risk of malicious insider attacks in the cloud; and
c) the failing of cloud services.
Maintaining confidentiality is one the major issues faced in cloud systems because information is
stored at a remote location which can be accessed by the service provider. Data confidentiality can be
preserved by encrypting data. Cloud systems share computational resources, storage, and services
between multiple customer applications in order to achieve efficient utilization of resources while
decreasing cost. However, this sharing of resources may violate the confidentiality users’ IT Assets.
It must be ensured that there a degree of isolation between these users.
vi) Legal Issues: Cloud systems need to adhere to several regulatory requirements, privacy laws and data
security laws. These laws vary from country to country and cloud users have no control over where
their data is physically located.
vii) Software Development in Cloud: From the perspective of the application development, developers face
the complexity of building secure applications that may be hosted in the cloud. The speed at which
applications will change in the cloud will affect both the System Development Life Cycle (SDLC) and
P a g e | 109
security.
viii) Bugs in Large-Scale Distributed Systems: One of the difficult challenges in Cloud Computing is
removing errors in these very large-scale distributed systems.
Concept Problem 20
Explain the various advantages and disadvantages of blockchain technology.
Concept Problem 21

a) Internet of Things (IoT)
b) Payment Gateway
Answer
a) Internet of Things (IoT): IoT is a system of interrelated computing devices, mechanical and digital
machines, objects, animals or people that are provided with unique identifiers and the ability to
transfer data over a network without requiring human-to-human or human- to-computer interaction.
For example: Washing machines with Wi-Fi networking capabilities can connect themselves to home
Wi-Fi. Once these machines are so connected, they can be controlled through machine manufacturer
mobile app from anywhere in the world.
b) Payment Gateway: It is the payment mode through which customers shall make payments. Payment
gateway represents the way e-commerce / m-commerce vendors collects their payments.
The payment gateway is the last and most critical part of e-commerce transactions. These assures
seller of receipt of payment from buyer of goods / services from e-commerce vendors.
Presently numerous methods of payments by buyers to sellers are being used including Credit / Debit
Card Payments, Online bank payments, Vendors own payment wallet, Third Party Payment wallets, like
SBI BUDDY or PAYTM, Cash on Delivery (COD) and Unified Payments Interface (UPI).
Concept Problem 22
Write any two application areas of Internet of Things (IOT).

Answer
Some of the applications areas of Internet of Things (IoT) are as follows:
i) All home appliances to be connected and that shall create a virtual home.
▪ Home owners can keep track of all activities in house through their hand-held devices.
▪ Home security CCTV is also monitored through hand held devices.
ii) Office machines shall be connected through internet.
▪ Human resource managers shall be able to see how many people have had a cup of coffee from
vending machine and how many are present.
110 | P a g e
▪ How many printouts are being generated through office printer?

iii) Governments can keep track of resource utilizations/extra support needed. For example- under SWACHH
mission, government can tag all dustbins with IoT sensors. They (dustbins) generate a message once
they are full. Being connected to wi-fi, they can intimate the cleaning supervisor of Municipal
Corporation so that BIN can be emptied.
iv) Washing machines with Wi-Fi networking capabilities can connect themselves to home Wi-Fi. Once
these machines are so connected, they can be controlled through machine manufacturer mobile APP
from anywhere in the world.
v) India’s living legend of cricket appearing in an Advertisement for water purifier informs that, the water
purifier is Wi-Fi enabled. When the purifying agents deplete in the machine, it connects to home Wi-Fi
and informs the service agents of the company.
Concept Problem 23
Describe any six commercial laws each in brief, that are applicable to any e-commerce or m-commerce
transactions.
Or
With promotion of cashless economy, most of the businesses are using e-commerce and m-commerce
transactions. Enlist the commercial laws that are applicable to these transactions.
Answer
All e-commerce transactions are commercial business transactions. All these transactions are covered
under multiple laws, including commercial laws. Following commercial laws are applicable to e-commerce
and m-commerce transactions.
i) Income Tax Act, 1961: Income Tax Act, has detailed provisions regarding taxation of income in India. In
respect of e-commerce / m-commerce transactions, the issue of deciding place of origin transaction
for tax purpose is critical.
ii) Companies Act, 2013: Companies Act, 2013, regulates the corporate sector. The law defines all
regulatory aspects for companies in India. Most of the merchants in e-commerce/m-commerce
business are companies, both private and public.
iii) Foreign Trade (Development and Regulation) Act, 1992: An Act to provide for the development and
regulation of foreign trade by facilitating imports into, augmenting exports from, India and for matters
connected therewith or incidental thereto. Amazon has recently allowed Indian citizens to purchase
from its global stores. All these shall be regulated through above law.
iv) The Factories Act, 1948: Act to regulate working conditions of workers. The act extends to place of
storage as well as transportation. Most of the merchants in e- commerce / m-commerce business
need to comply with provisions of the act.
v) The Custom Act, 1962: The act that defines import / export of goods / services from India and provides
for levy of appropriate customs duty. India being a signatory to General Agreement on Trade and Tariff
(GATT) under World Trade Organization, cannot levy any custom duty that GATT non-compliant.
vi) The Goods and Services Tax Act, 2017 (GST): This Act requires each applicable business, including e-
P a g e | 111
commerce/ m-commerce, to upload each sales and purchase invoice on one central IT infrastructure,
mandating reconciliations of transactions between business, triggering of tax credits on payments of
GST, facilitating filling of e-returns, etc.
vii) Indian Contract Act,1872: The act defines constituents of a valid contract. In case of e-commerce /
m-commerce business it becomes important to define these constituents.
viii) The Competition Act, 2002: Law to regulate practices that may have adverse effect on competition in
India. Competition Commission have been vigilant to ensure that e-commerce / m-commerce
merchants do not engage in predatory practices.
ix) Foreign Exchange Management Act (FEMA 1999): The law to regulate foreign direct investments, flow
of foreign exchange in India. The law has important implications for e-commerce / m-commerce
business. Foreign investment in Business to Customer (B2C) e-commerce activities has been opened
in a calibrated manner and an entity is permitted to undertake retail trading through e-commerce
under certain circumstances.
x) Consumer Protection Act, 1986: The law to protect consumer rights has been source of most of
litigations for transaction done through e-commerce and m- commerce.
Concept Problem 24
e-business benefits individuals, businesses, government and society at large. As a business seller, analyse
the benefits that you would draw from e-business.
Answer
e-businesses benefits individuals, businesses, governments and society at large. As a seller, the benefits to
Business / Sellers are as follows:
i) Increased Customer Base: Since the number of people getting online is increasing, which are creating
not only new customers but also retaining the old ones.
ii) Recurring payments made easy: Each business has number of operations being homogeneous. Brings in
uniformity of scaled operations.
iii) Instant Transaction: The transactions of e commerce are based on real time processes. This has made
possible to crack number of deals.
iv) Provides a dynamic market: Since there are several players, providing a dynamic market which enhances
quality and business.
v) Reduction in costs:
▪ To buyers from increased competition in procurement as more suppliers are able to compete in an
electronically open marketplace.
▪ To suppliers by electronically accessing on-line databases of bid opportunities, online abilities to
submit bids, and on-line review of rewards.
▪ In overhead costs through uniformity, automation, and large-scale integration of management

processes.
112 | P a g e
▪ Advertising costs.
vi) Efficiency improvement due to:
▪ Reduction in time to complete business transactions, particularly from delivery to payment.

▪ Reduction in errors, time, for information processing by eliminating requirements for re-entering
data.
▪ Reduction in inventories and reduction of risk of obsolete inventories as the demand for goods and
services is electronically linked through just-in- time inventory and integrated manufacturing
techniques.
vii) Creation of new markets: This is done through the ability to easily and cheaply reach potential
customers.
viii) Easier entry into new markets: This is especially into geographically remote markets, for enterprises
regardless of size and location.
ix) Better quality of goods: As standardized specifications and competition have increased and improved
variety of goods through expanded markets and the ability to produce customized goods.
x) Elimination of Time Delays: Faster time to market as business processes are linked, thus enabling
seamless processing and eliminating time delays.
Concept Problem 25
The Prime Minister Office of a country X plans to establish specific infrastructure setup with its access
shared amongst members of the group constituting of some selected high-profiled dignitaries and officers
from different ministries. The objective of the group is to carry out certain assignments related to nation’s
security and integrity. Which is the most suitable choice of the cloud under Cloud Computing? Discuss its
advantages and limitations as well.
Answer
The most suitable choice is Community Cloud which is the cloud infrastructure provisioned for exclusive use
by a specific community of consumers from organizations that have shared concerns (e.g., mission security
requirements, policy, and compliance considerations). It may be owned, managed, and operated by one or
more of the organizations in the community, a third party or some combination of them, and it may exist
on or off premises. In this, a private cloud is shared between several organizations. This model is suitable for
organizations that cannot afford a private cloud and cannot rely on the public cloud either.
Advantages of Community Cloud are as follows:

i) It allows establishing a low-cost private cloud.
ii) It allows collaborative work on the cloud.
iii) It allows sharing of responsibilities among the organizations.
iv) It has better security than the public cloud.
The limitation of the Community Cloud is that the autonomy of the organization is lost and some of the
security features are not as good as the private cloud. It is not suitable in the cases where there is no
collaboration.
P a g e | 113
Concept Problem 26
ABC university wants to conduct online exams for its different courses for which a contract is given to
vendor XYZ. The vendor provides computing resources such as processing power, memory, storage, and
networks to ABC university users to run their online exam application on-demand. Identify the Service
Model of Cloud Computing that vendor XYZ is providing to ABC university and also describe its
characteristics.
Or
Describe any four characteristics of Infrastructure as a Service (IaaS).
Answer
The Service Model provided by vendor XYZ to ABC university is Infrastructure as a Service (IaaS).
Characteristics of Infrastructure as a Service (IaaS) of Cloud Computing are as follows:
i) Web access to the resources: The IaaS model enables the IT users to access infrastructure resources
over the Internet. When accessing a huge computing power, the IT user need not get physical access to
the servers.
ii) Centralized Management: The resources distributed across different parts are controlled from any
management console that ensures effective resource management and effective resource utilization.
iii) Elasticity and Dynamic Scaling: Depending on the load, IaaS services can provide the resources and
elastic services where the usage of resources can be increased or decreased according to the
requirements.
iv) Shared infrastructure: IaaS follows a one-to-many delivery model and allows multiple IT users to share
the same physical infrastructure and thus ensure high resource utilization.
v) Metered Services: IaaS allows the IT users to rent the computing resources instead of buying it. The
services consumed by the IT user will be measured, and the users will be charged by the IaaS providers
based on the amount of usage.
Concept Problem 27
ABC Company is a supplier of kids’ garment successfully running its business offline as well as online. Now,
the company decides to launch its mobile app also so that its retail customers would be able to purchase or
place orders anytime and anywhere. Describe the method through which ABC Company will run its e-
Commerce architecture on Mobile app.
Answer
Mobile Applications are small piece of software developed specifically for the operating systems of
handheld devices such as mobile phones, PDAs and Tablet computers. Mobile Apps can come preloaded on
handheld devices or can be downloaded by users from the app stores over the Internet. The e-commerce
architecture that will run on mobile app is via M-Commerce (Mobile Commerce) that enables users to
access the Internet without needing to find a place to plug in. It has following three layers:
i) Client / User Interface: This layer helps the e-commerce customer connect to e-commerce merchant.
It includes Web Server, Web Browser and Internet. For example: If a user buys a mobile phone from an
114 | P a g e
e-commerce merchant it includes -User, Web Browser (Internet Explorer/Chrome) & Web Server.
ii) Application Layer: Through these application’s customer logs to merchant systems. This layer allows
customer to check the products available on merchant’s website. It includes Application Server and Back
End Server. For example - E-merchant, Reseller, Logistics partner.
iii) Database Layer: This layer is accessible to user through application layer. It includes the information
store house, where all data relating to products and price is kept.
Concept Problem 28
Ms. Y is using Google Apps through which she can access any application, service and data storage facilities
on the Internet and pay as-per-usage. Analyze which computing model is providing her these facilities.
Also, determine the model’s key characteristics.
Answer
Cloud computing model provides the facility to access shared resources and common infrastructure offering
services on demand over the network to perform operations that meet changing business needs. Thus, we
can say that Ms. Y is using the Cloud Computing model which allows her to use many computing resources
as a service through networks, typically the Internet.
Some of the key characteristics of Cloud Computing are as follows:

i) Elasticity and Scalability: Cloud computing gives us the ability to expand and reduce resources
according to the specific service requirement. For example, we may need many server resources for the
duration of a specific task. We can then release these server resources after we complete our task.
ii) Pay-per-Use: We pay for cloud services only when we use them, either for the short term (for example,
for CPU time) or for a longer duration (for example, for cloud-based storage or vault services).
iii) On-demand: Because we invoke cloud services only when we need them, they are not permanent parts
of the IT infrastructure. This is a significant advantage for cloud use as opposed to internal IT services.
With cloud services, there is no need to have dedicated resources waiting to be used, as is the case
with internal services.
iv) Resiliency: The resiliency of a cloud service offering can completely isolate the failure of server and
storage resources from cloud users. Work is migrated to a different physical resource in the cloud with
or without user awareness and intervention.
v) Multi Tenancy: Public cloud service providers often can host the cloud services for multiple users within
the same infrastructure. Server and storage isolation may be physical or virtual depending upon the
specific user requirements.
vi) Workload Movement: This characteristic is related to resiliency and cost considerations. Here, cloud-
computing providers can migrate workloads across servers both inside the data center and across data
centers (even in a different geographic area). This migration might be necessitated by cost (less
expensive to run a workload in a data centre in another country based on time of day or power
requirements) or efficiency considerations (for example, network bandwidth). A third reason could be
regulatory considerations for certain types of workloads.
Concept Problem 29
P a g e | 115
Digital Payment is a mechanism that has evolved with e-commerce transactions and are becoming
increasingly popular. Its advantageous for the banks to implement digital payments, however the same has
certain drawbacks also. Support the statement by identifying advantages as well as drawbacks of digital
payments.
Or
PQR limited is planning to receive payment from the customers through Digital Payments. Though there are
lots of benefits of digital payments but there are drawbacks as well. Briefly explain any six drawbacks of
digital payments.
Answer
Advantages of Digital Payments are as follows:
i) Easy and convenient: Digital payments are easy and convenient. Person do not need to take loads of
cash with themselves.
ii) Pay or send money from anywhere: With digital payment modes, one can pay from anywhere anytime.
iii) Discounts from taxes: Government has announced many discounts to encourage digital payments. User
get 0.75% discounts on fuels and 10% discount on insurance premiums of government insurers.
iv) Written record: User often forgets to note down his / her spending, or even if nothing is done it takes a
lot of time. These are automatically recorded in passbook or inside E-Wallet app. This helps to
maintain record, track spending and budget planning.
v) Less Risk: Digital payments have less risk if used wisely. If user losses mobile phone or debit/credit
card or Aadhar card, no need to worry a lot. No one can use anyone else’s money without MPIN, PIN or
fingerprint in the case of Aadhar. It is advised that user should get card blocked, if lost.
vi) Competitive advantage to business: Digital payment enables businesses to make sales to customers
who choose to pay electronically and gain a competitive advantage over those who accept payment
only through traditional methods.
vii) Environment Friendly: Digital payment eliminates the use of paper.
Drawbacks of Digital Payments are listed below:

i) Difficult for a Non-technical person: As most of the digital payment modes are based on mobile
phone, the internet and cards. These modes are somewhat difficult for non-technical persons such as
farmers, workers etc.
ii) The risk of data theft: There is a big risk of data theft associated with the digital payment. Hackers
can hack the servers of the bank or the E-Wallet a customer is using and easily get his/her personal
information. They can use this information to steal money from the customer’s account.
iii) Overspending: One keeps limited cash in his/her physical wallet and hence thinks twice before
buying anything. But if digital payment modes are used, one has an access to all his/her money that
can result in overspending.
iv) Disputed transactions: In case the electronic money such as credit card is misused by someone else,
it is very difficult to receive a refund.
116 | P a g e
v) Increased business costs: Digital payment systems come with an increased need to protect sensitive
financial information stored in a business’s computer systems from unauthorized access. Businesses
have to incur additional costs in procuring, installing and maintaining sophisticated payment-
security technologies.
vi) The necessity of internet access: Digital payment cannot be performed if Internet connection fails.
Concept Problem 30
To an individual/user/customer, identify various benefits that he can draw from E-commerce transactions.
Answer
Various benefits of an e-commerce transaction to Customer / Individual / User are as follows:
i) Convenience: Every product at the tip of individual’s fingertips on internet.
ii) Time saving: Number of operations that can be performed both by potential buyers and sellers increase.
iii) Various Options: There are several options available for customers which are not only being easy to
compare but are provided by different players in the market.
iv) Easy to find reviews: There are often reviews about a site or product from the previous customers which
provides valuable feedback.
v) Coupon and Deals: There are discount coupons and reward points available for customers to encourage
online transaction.
vi) Anytime Access: Even midnight access to the e commerce platforms is available which brings in
customer suitability.
Concept Problem 31
Discuss the characteristics of the Hybrid Cloud.

Or
Hybrid cloud is a combination of both at least one private and at least one public cloud computing
environments. Explain the characteristics of Hybrid Cloud.
Answer
The characteristics of Hybrid Cloud are as follows:
i) Scalable: The hybrid cloud has the property of public cloud with a private cloud environment and as the
public cloud is scalable; the hybrid cloud with the help of its public counterpart is also scalable.
ii) Partially Secure: The private cloud is considered as secured and public cloud has high risk of security
breach. The hybrid cloud thus cannot be fully termed as secure but as partially secure.
iii) Stringent SLAs: Overall the SLAs are more stringent than the private cloud and might be as per the
public cloud service providers.
iv) Complex Cloud Management: Cloud management is complex as it involves more than one type of
deployment models and the number of users is high.
Concept Problem 32
P a g e | 117
Prepare a list of the constraints that are required to develop Grid Computing Security.
Answer
Refer answer to Concept Problem 1
Concept Problem 33
Recognize the differences between Hardware Virtualization and Network Virtualization.

Answer
Hardware Virtualization: Hardware Virtualization or Platform Virtualization refers to the creation of a
virtual machine that acts like a real computer with an operating system. Software executed on these virtual
machines is separated from the underlying hardware resources. For example, a computer that is running
Microsoft Windows may host a virtual machine that looks like a computer with the Linux operating system;
based software that can be run on the virtual machine.
The basic idea of Hardware virtualization is to consolidate many small physical servers into one large
physical server so that the processor can be used more effectively. The software that creates a virtual
machine on the host hardware is called a hypervisor or Virtual Machine Manager. The hypervisor controls
the processor, memory and other components by allowing several different operating systems to run on the
same machine without the need for a source code. The operating system running on the machine will
appear to have its own processor, memory and other components.
Network Virtualization: Network Virtualization is a method of combining the available resources in a

network by splitting up the available bandwidth into channels, each of which is independent from the
others, and each of which can be assigned (or reassigned) to a particular server or device in real time. This
allows a large physical network to be provisioned into multiple smaller logical networks and conversely
allows multiple physical LANs to be combined into a larger logical network. This behaviour allows
administrators to improve network traffic control, enterprise and security. Network virtualization involves
platform virtualization, often combined with resource virtualization.
Various equipment and software vendors offer network virtualization by combining any of the Network
hardware such as switches and Network Interface Cards (NICs); Network elements such as firewalls and
load balancers; Networks such as virtual LANs (VLANs); Network storage devices; Network machine-to-
machine elements such as telecommunications devices; Network mobile elements such as laptop
computers, tablet computers, smart phones and Network media such as Ethernet and Fibre Channel.
Network virtualization is intended to optimize network speed, reliability, flexibility, scalability, and
security.
Concept Problem 34
Explain the traditional methods of Digital Payments used in e-commerce transactions.

Or
During the pandemic Covid 19, the Government of India emphasized on the usage of various digital mode of
payments by the public at large. In light of this statement, explain various types of cards that are provided
to the account holders by the banks or companies to be used as digital payment mode. [Only First part of
Answer is relevant for this Question]
118 | P a g e
Answer
Traditional Methods of Digital Payment are as follows:
i) Cards: Cards are provided by banks to their account holders. These have been the most used digital
payment modes till now. Various types of cards are as follows:
a. Credit Cards: A small plastic card issued by a bank, or issuer etc., allowing the holder to purchase
goods or services on credit. In this mode of payment, the buyer’s cash flow is not immediately
impacted. User of the card makes payment to card issuer at end of billing cycle which is generally
a monthly cycle. Credit Card issuer charge customers per transactions / 5% of transaction as
transaction fees.
b. Debits Cards: A small plastic card issued by a bank. Allowing the holder to purchase goods or
services on credit. In this mode of payment, the buyer’s cash flow is immediately affected that as
soon as payment is authorized buyers account is debited.
c. Smart Card: Smart card is a prepaid card similar to credit card and debit card in appearance, but
it has a small microprocessor chip embedded in it. It has capacity to store customer’s personal
information such as financial facts, private encryption keys, credit card information, account
information, and so on.
Moreover, these are not linked to any bank account. For this reason, smart card holder is not
mandated to have a bank account. It is also used to store money which is reduced as per usage.
Mondex and Visa Cash cards are examples of smart cards. The smart card holder has to load
money onto the card by paying cash or through transfer from his/her bank account. After loading
the money onto the card, the cardholder can use the card to spend money up to the limit of
loaded amount in the same way as using a credit or debit card. Once the loaded amount is spent,
the cardholder may reload money onto the card.
ii) Net Banking: In this mode, the customers log to his / her bank account and makes payments. All public
sectors, large private sector banks allow net banking facilities to their customers.
Concept Problem 35
Explain various Control Objectives of e-commerce o r m-commerce.
Answer
Various Control Objectives of e-Commerce or m-Commerce are as follows:
i) Prevent organizational costs of data Loss: Data is a critical resource of an organization for its present
and future process and its ability to adapt and survive in a changing environment.
ii) Prevent loss from incorrect decision making: Management and operational controls taken by managers
involve detection, investigations and correction of out-of- control processes. These high-level decisions
require accurate data to make quality decision rules.
iii) Prevent loss of Computer Hardware, Software and Personnel: These are critical resources of an
organization which has a credible impact on its infrastructure and business competitiveness.
iv) Prevent from high costs of computer Error: In a computerized enterprise environment where many
critical business processes are performed, a data error during entry or process would cause great
P a g e | 119
damage.
v) Safeguard assets from un-authorized access: The information system assets (hardware, software,
data files etc.) must be protected by a system of internal controls from unauthorized access.
vi) Ensure data integrity: The importance to maintain integrity of data of an organization depends on the
value of information, the extent of access to the information and the value of data to the business
from the perspective of the decision maker, competition and the market environment.
vii) System Effectiveness Objectives: Effectiveness of a system is evaluated by auditing the characteristics
and objective of the system to meet substantial user requirements.
viii) System Efficiency Objectives: To optimize the use of various information system resources (machine
time, peripherals, system software and labour) along with the impact on its computing environment.
Concept Problem 36
Public cloud is the cloud infrastructure that is provisioned for open use by the general public. Explain any four
characteristics of public cloud.
Answer
The characteristics of Public Cloud are as follows:
i) Highly Scalable: The resources in the public cloud are large in number and the service providers make
sure that all requests are granted. Hence public clouds are scalable.
ii) Affordable: The cloud is offered to the public on a pay-as-you-go basis; hence the user has to pay
only for what he or she is using on a per-hour basis. And this does not involve any cost related to the
deployment.
iii) Less Secure: Since it is offered by a third party and they have full control over the cloud, the public
cloud is less secure out of all the other deployment models.
iv) Highly Available: It is highly available because anybody from any part of the world can access the
public cloud with proper permission, and this is not possible in other models as geographical or other
access restrictions might be there.
v) Stringent Service Level Agreements: As the service provider’s business reputation and customer
strength are totally dependent on the cloud services, they follow SLAs strictly & violations are avoided.
Concept Problem 37
Explain the concept of green computing. How will you develop a sustainable green computing plan?
Answer
Green Computing or Green IT refers to the study and practice of environmentally sustainable computing or
IT. It is the study and practice of establishing/ using computers and IT resources in a more efficient and
environmentally friendly and responsible way.
The objective of Green computing is to reduce the use of hazardous materials, maximize energy efficiency
during the product’s lifetime, and promote the recyclability or biodegradability of defunct products and
120 | P a g e
factory waste.
Green computing’s practices include the implementation of energy-efficient Central Processing Units
(CPUs), servers and peripherals as well as reduced resource consumption and proper disposal of elec tronic
waste (e-waste).
The steps to develop a sustainable Green Computing plan are as follows:

a) Involve stakeholders to include checklists, recycling policies, recommendations for disposal of used
equipment, government guidelines and recommendations for purchasing green computer equipment in
organizational policies and plans;
b) Encourage the IT community for using the best practices and encourage them to consider green
computing practices and guidelines.
c) On-going communication about commitment to green IT best practices to produce notable results.
d) Include power usage, reduction of paper consumption, as well as recommendations for new equipment
and recycling old machines in organizational policies and plans; and
e) Use cloud computing so that multiple organizations share the same computing resources thus
increasing the utilization by making more efficient use of hardware resources.
Concept Problem 38
A business model is adopted by an organization as a framework to describe how it makes money on a
sustainable basis & grows whereas an e-business model utilizes the benefits of electronic communications.
Discuss various e-market models that help businesses to achieve the value adding processes.
Answer
The various e-market models that help businesses to achieve the value adding processes are as follows:
i) e-Shops (e-tailers): An e-shop is a virtual store front that sells products and services online. E-shop
is an online version of retail stores where customers can shop at any hour of the day or night without
leaving home. They are convenient way of effecting direct sales to customers; allow manufacturers to
bypass intermediate operators and thereby reduce costs and delivery times. For example:
www.sonicnet.com, www.wforwomen.com
ii) e-Malls: The e-mall is defined as the retailing model of a shopping mall, a conglomeration of
different shops situated in a convenient location in e-commerce. E-malls help the consumers from a
variety of stores. For e.g., Yahoo! Stores
iii) e-auctions: Electronic auctions provide a channel of communication through which the bidding
process for products and services can take place between competing buyers. At e-auctions, people
buy and sell through an auction website. In e- auctions, almost perfect information is available about
products, prices, current demand, and supply. E-auction has become an increasingly popular tool for
the buyer to access the lowest price the suppliers are willing to charge. Example – www.onsale.com,
www.ebay.com
iv) Portals: Portal is a website that serves as a gateway or a main entry point on the internet to a
specific field of interest or an industry. It is a website that is positioned as an entrance to other sites
on the internet. A portal consists of web pages that act as a starting point for using the web or web -
P a g e | 121
based services. The control of content can be a source of revenue for firms through charging firms fo r
advertising or charging consumers a subscription for access. Some major general portals include
Yahoo, Excite, and Netscape.
v) Buyer Aggregators: The Buyer Aggregator brings together large numbers of individual buyers so that
they can gain the types of savings that are usually the privilege of large volume buyers. In this, the
firm collects the information about goods/service providers, make the providers their partners, and
sell their services under its own brand. Example - www.zomato.com
vi) Virtual Communities: Virtual Community is a community of customers who share a common interest
and use the internet to communicate with each other. Amazon.com provides websites for the
exchange of information on a wide range of subjects relating to their portfolio of products and
services. Virtual communities’ benefit from network externalities whereby the more people who jo in
and contribute to the community, the greater the benefits that accrue, but without any additional
cost to participants.
vii) e-procurement: e-procurement is the management of all procurement activities via electronic means.
Business models based on e-procurement seek efficiency in accessing information on suppliers,
availability, price, quality and delivery times as well as cost savings by collaborating with partners to
pool their buying power and secure best value deals. E-procurement infomediaries specialize in
providing up-to-date & real-time information on all aspects of the supply of materials to businesses.
viii) e-distribution: e-distributor is a company that supplies products and services directly to individual
business. The e-distribution model helps distributors to achieve efficiency savings by managing large
volumes of customers, automating orders, communicating with partners and facilitati ng value-adding
services such as order tracking through each point in the supply chain. An example of a firm
specializing in e-distribution is www.wipro.com that uses the internet to provide fully integrated e-
business-enabled solutions that help to unify the information flows across all the major distribution
processes including sales and marketing automation, customer service, warehouse logistics,
purchasing and inventory management, and finance.
Concept Problem 39
Grid computing is a distributed architecture of large numbers of computers connected to solve a complex
problem. With reference to this line, identify the application areas where this technology can be used
effectively and efficiently.
Answer
The application areas where Grid Computing can be used effectively and efficiently are as follows:
a) Civil engineers collaborate to design, execute, & analyze shake table experiments.
b) An insurance company mines data from partner hospitals for fraud detection.
c) An application service provider offloads excess load to a compute cycle provider.
d) An enterprise configures internal & external resources to support e-Business workload.
e) Large-scale science and engineering are done through the interaction of people, heterogene ous
122 | P a g e
computing resources, information systems and instruments, all of which are geographically and
organizationally dispersed.
Concept Problem 40
Ms. Anita, a final year student of undergraduate course had to submit her project report in pdf form. She
initially prepared her report in MS Word and used online software from google to edit the photos used in
her assignment. Later, for final submission, she used online pdf converter to convert her word file into pdf.
Identify the Cloud Computing Service Model that is being used by her and further discuss the Model’s
different instances.
Answer
The Cloud Computing service model used by Ms. Anita is Software as a Service (SaaS). The different
instances of the model are as follows:
a) Testing as a Service (TaaS): This provides users with software testing capabilities such as generation
of test data, generation of test cases, execution of test cases and test result evaluation on a pay-per-
use basis.
b) API as a Service (APIaaS): This allows users to explore functionality of Web services such as Google
Maps, Payroll processing, and credit card processing services etc.
c) Email as a Service (EaaS): This provides users with an integrated system of emailing, office
automation, records management, migration, and integration services with archiving, spam blocking,
malware protection, and compliance features.
Concept Problem 41
Cloud Computing is an emerging technology that provides various service models to business organizations
for storage, networking, and other services. However, many limitations are associated with this
technology. Briefly explain the drawbacks of Cloud Computing .
Answer
The drawbacks of Cloud Computing are as follows:
a) If Internet connection is lost, the link to the cloud and thereby to the data and applications is lost.
b) Security is a major concern as entire working with data and applications depend on other cloud
vendors or providers.
c) Although Cloud computing supports scalability i.e. quickly scaling up and down computing resources
depending on the need, it does not permit the control on these resources as these are not owned by
the user or customer.
d) Depending on the cloud vendor or provide, customers may have to face restrictions on the availability
of applications, operating systems and infrastructure options.
e) Interoperability (ability of two or more applications that are required to support a business need to
work together by sharing data and other business-related resources) is an issue wherein all the
applications may not reside with a single cloud vendor and two vendors may have applications that do
not cooperate with each other.
Concept Problem 42
SCI Labs is an organization involved in research and development of new medicines and drugs. The
company has five branches in different cities across the country interconnected using Grid Computing
P a g e | 123
model so as to share the resources and research that are carried out in its different branches. Explain the
benefits that SCI Labs may incur while using Grid Computing.
Answer
The benefits that SCI Labs may incur while using Grid Computing are as follows:
a) Making use of Underutilized Resources: In most organizations, there are large amounts of
underutilized computing resources including even the server machines. Grid computing provides a
framework for exploiting these underutilized resources and thus has the possibility of substantially
increasing the efficiency of resource usage. Grid computing (more specifically, a data grid) can be
used to aggregate this unused storage into a much larger virtual data store, possibly configured to
achieve improved performance and reliability over that of any single machine.
b) Resource Balancing: For applications that are grid-enabled, the grid can offer a resource balancing
effect by scheduling grid jobs on machines with low utilization. This feature of grid computing
handles occasional peak loads of activity in parts of a larger organization. An unexpected peak can
be routed to relatively idle machines in the grid; and if the grid is already fully utilized, the lowest
priority work being performed on the grid can be temporarily suspended or even cancelled and
performed again later to make room for the higher priority work.
c) Parallel CPU Capacity: The potential for usage of massive parallel CPU capacity is one of the most
common visions and attractive features of a grid. A CPU-intensive grid application can be thought of
as many smaller sub-jobs, each executing on a different machine in the grid. To the extent that
these sub-jobs do not need to communicate with each other, the more scalable the application
becomes. A perfectly scalable application will, for example, finish in one tenth of the time if it uses
ten times the number of processors.
d) Access to additional resources: In addition to CPU and storage resources, a grid can provide access to
other resources as well. For example, if a user needs to increase their total bandwidth to the Internet
to implement a data mining search engine, the work can be split among grid machines that have
independent connections to the Internet. In this way, total searching capability is multiplied, since
each machine has a separate connection to the Internet.
e) Reliability: High-end conventional computing systems use expensive hardware to increase reliability.
The machines also use duplicate processors in such a way that when they fail, one can be replaced
without turning the other off. Power supplies and cooling systems are duplicated. The systems are
operated on special power sources that can start generators if utility power is interrupted. All of this
builds a reliable system, but at a great cost, due to the duplication of expensive components.
f) Management: The goal to virtualize the resources on the grid and more uniformly handle
heterogeneous systems create new opportunities to better manage a larger, more distributed IT
infrastructure. The grid offers management of priorities among different projects. Aggregating
utilization data over a larger set of projects can enhance an organization’s ability to project future
upgrade needs. When maintenance is required, grid work can be rerouted to other machines without
crippling the projects involved.
Concept Problem 43
124 | P a g e
Cloud Computing service model is used to provide services in terms of hardware (IaaS), software (SaaS)
and prebuilt computing platform to deploy and develop applications (PaaS). Explain the service models of
cloud computing other than mentioned above that can be used for further services.
Answer
The other service models apart from IaaS, SaaS and PaaS of Cloud Computing are as follows:
a) Communication as a Service (CaaS): It is an outsourced enterprise communication solution that can

be leased from a single vender. The CaaS vendor is responsible for all hardware and software
management and offers guaranteed Quality of Service (QoS). It allows businesses to selectively deploy
communication devices and modes on a pay-as- you-go, as-needed basis. This approach eliminates
the large capital investments. Examples are: Voice over IP (VolP), Instant Messaging (IM),
Collaboration and Videoconferencing application using fixed and mobile devices.
b) Data as a Service (DaaS): It provides data on demand to a diverse set of users, systems or
application. The data may include text, images, sounds, and videos. Data encryption and operating
system authentication are commonly provided for security. DaaS users have access to high-quality
data in a centralized place and pay by volume or data type, as needed. However, as the data is owned
by the providers, users can only perform read operations on the data. DaaS is highly used in
geography data services and financial data services.
c) Security as a Service (SECaaS): It is an ability given to the end user to access the security service
provided by the service provider on a pay-per-use basis. It is a new approach to security in which
cloud security is moved into the cloud itself whereby cloud service users will be protected from within
the cloud using a unified approach to threats.
d) Identity as a Service (IDaaS): It is an ability given to the end users; typically, an organization or
enterprise; to access the authentication infrastructure that is built, hosted, managed, and provided by
the third-party service provider. Generally, IDaaS includes directory services, authentication services,
risk and event monitoring, single sign-on services, and identity and profile management.
Concept Problem 44
Mr. X used to purchase electronic gadgets such as laptops, mobile phones etc. on regular basis online from
M-Commerce vendor ABC. He then used to return the products with complaints that the said product is
defective and is not working. In fact, Mr. X used to replace the original part of the product with the duplicate
defective piece. The fraud came in notice only after 2 years. Considering the above facts, comment on the
weakness of control mechanism of ABC towards the commission of fraud by Mr. X.
Answer
Following were control lapses on the part of M-Commerce vendor ABC that led to the commission of an
offence of fraud committed by Mr. X.
a) Vendor has a poor policy documentation regarding accepting of mobile returns as objective.
b) Within organization, there must have been a person putting a red mark, when the same person was
returning mobile as defective.
c) This reflects poor audit mechanism of the vendor. These control lapses reflect higher probability of
loss.
P a g e | 125
Concept Problem 45
Briefly explain the advantages of business policy “Bring in Your Own Device” (BYOD).
Answer
Following are the advantages of BYOD plicy:
a) Happy Employees: Employees love to use their own devices when at work. This also reduces the number
of devices an employee has to carry; otherwise he would be carrying his personal as well as
organization provided devices.
b) Lower IT budgets: Could involve financial savings to the organization since employees would be using
the devices, they already possess thus reducing the outlay of the organization in providing devices to
employees.
c) IT reduces support requirement: IT department does not have to provide end user support and
maintenance for all these devices resulting in cost savings.
d) Early adoption of new Technologies: Employees are generally proactive in adoption of new technologies
that result in enhanced productivity of employees leading to overall growth of business.
e) Increased employee efficiency: The efficiency of employees is more when the employee works on
his/her own device. In an organization provided devices, employees have to learn and there is a learning
curve involved in it.
126 | P a g e
Core Banking Systems May 22
Core Banking Systems

C HAPTER 5
C ORE B ANKING S YSTEMS
Tough time doesn’t last,

tough people do. So, give it
all you have and success will
be yours.
Coverage
Concept Problem 1
Distinguish between Application Server and Database Server.

Answer
Application Server
All the transactions of the customer are processed by the data center. The Application Server performs
necessary operations and this update the account of the customer ‘A’ in the database server.
The customer may do some other operation in branch “Y”. The process is validated at branch “Y” and the
data is transmitted to the application software at the data center. The results are updated in the database
server at the centralized data center.
Thus, it would be observed that whatever operations a customer may do at any of the branches of the bank
P a g e | 127
May 22 Core Banking Systems
the accounting process being centralized at the centralized data center is updated at the centralized
database.
Database Server
The Database Server of the Bank contains the entire data of the Bank. The data would consist of various
accounts of the customers and master data (e.g., of master data are customer data, employee data, base
rates for advances, FD rates, the rate for loans, penalty to be levied under different circumstances, etc.).
Application software would access the database server.
Concept Problem 2
Enlist core features of Core Banking Software.

Answer
Core features of Core Banking Software are as follows:
i) On-line real-time processing.
ii) Transactions are posted immediately.
iii) All databases updated simultaneously.
iv) Centralized Operations (All transactions are stored in one common database/server).
v) Separate hierarchy for business and operations.
vi) Business and Services are productized.
vii) Remote interaction with customers.
viii) Reliance on transaction balancing.
ix) Highly dependent system-based controls.
x) Authorizations occur within the application.
xi) Increased access by staff at various levels based on authorization.
xii) Daily, half yearly and annual closing,
xiii) Automatic processing of standing instructions,
xiv) Centralized interest applications for all accounts and account types
xv) Anytime, anywhere access to customers and vendors.
Concept Problem 3
Briefly explain major technology components of a CBS solution.

Or
List the key technology components of Core Banking System (CBS).
Answer
The key technology components of CBS are as follows:
i) Database Environment - This consists of the centrally located database servers that store the data for
all the branches of the bank which includes customer master data, interest rates, account types etc.
Whenever a customer requests for a particular service to be performed, the application server performs a
particular operation it updates the central database server.
128 | P a g e

ii) Application Environment - Application environment consist of the application servers that host the
different core banking systems like Flex Cube, Bank Mate etc. and is centrally used by different banks.
The access to these application servers will generally be routed through a firewall.
iii) Data Centre and Disaster Recovery Centre - The core banking systems consists of a Data Centre which
includes various application servers, database servers, web servers etc. and various other technological
components. The bank should adopt full-fledged documentation and prepare necessary manuals dealing
with the disaster recovery procedures. Arrangements for alternate connectivity of the banks with the
data center should be established whenever there is a disruption in the primary connectivity. Proper
awareness should be created among the employees through periodic trainings and mock drills.
iv) Online Transaction monitoring for fraud risk management - Risk evaluations are carried out and
considering the risk profile and other regulatory requirements of the bank, effective monitoring should be
done as a part of managing fraud risk management. There are also methods that facilitate fraud
reporting in CBS environment. Proper alert system should be enabled to identify any changes in the log
settings and the audit logs pertaining to user actions are captured.
v) Cyber Security - Comprehensive Cyber Security Framework is prescribed by RBI for Banks to ensure
effective information security governance.
Some key features of Cyber Security Framework as prescribed by are RBI for banks are as under:
1) Network Security and Secure Configuration
The following key measures are required to be implemented:

a) Multi-layered boundary defense through properly configured proxy servers, firewalls, intrusion
detection systems to protect the network from any malicious attacks and to detect any
unauthorized network entries.
b) Different LAN segments for in-house/onsite ATM and CBS/branch network to ensure adequate
bandwidth to deal with the volume of transactions so as to prevent slowing down and lower
efficiency.
c) To ensure security of network; proper usage of routers, hubs and switches should be envisaged.
d) Periodic security review of systems and terminals to assess the network’s vulnerability and identify
the weaknesses.
e) Identification of the risks to ensure that risks are within the bank’s risk appetite and are managed
appropriately.
2) Application Security
Full-fledged Security policy to ensure CIA of data and information needs to be developed and
implemented covering following key features:
a) Implementation of bank specific email domains (example, XYZ bank with mail domain xyz.in) with
anti-phishing (security measures to prevent steal of user data) and anti-malware software
(software tool/program to identify and prevent malicious software/malware from infecting
network).
b) Two factor authentication, an extra step added to the login process, such as a code sent
P a g e | 129
to user’s phone or a fingerprint scan, that helps verify the user’s identity and prevent cybercriminals
from accessing private information.
c) Implementation of Password Management policy to provide guidance on creating and using
passwords in ways that maximize security of password and minimize misuse/theft.
d) Effective training of employees to educate them to strictly avoid clicking any links received via
email.
e) Proper reporting mechanism to save the banks from the effects of misconduct – including legal
liability, lasting reputational harm, and serious financial losses.
f) Incident response and management mechanism to take appropriate action in case of any cyber
security incident with well written incident response procedures elaborating the roles of staff
handling such incidents.
g) Capturing of audit logs pertaining to user actions & an alert mechanism to monitor any change in
the log settings.
h) Continuous surveillance to stay regularly updated on the latest nature of emerging cyber threats.
Concept Problem 4
Discuss various risks that are associated with CBS software.

Answer
Various risks that are associated with CBS software are as follows:
(a) Operational Risk:
It is defined as a risk arising from direct or indirect loss to the bank which could be associated with
inadequate or failed internal process, people and systems.
Operational risk necessarily excludes business risk and strategic risk. The components of operational risk
include transaction processing risk, information security risk, legal risk, compliance risk and people risk.
i) Transaction Processing Risk arises because faulty reporting of important market developments to
the bank management may also occur due to errors in entry of data for subsequent bank
computations.
ii) Information Security Risk comprises the impacts to an organization and its stakeholders that could
occur due to the threats and vulnerabilities associated with the operation and use of information
systems and the environments in which those systems operate. Data breaches can cost a bank its
reputation, customers can lose time and money and above all their confidential information.
iii) Legal Risk arises because of the treatment of clients, the sale of products, or business practices of a
bank. There are countless examples of banks being taken to court by disgruntled corporate
customers, who claim they were misled by advice given to them or business products sold. Contracts
with customers may be disputed.
iv) Compliance Risk is exposure to legal penalties, financial penalty and material loss an organization
faces when it fails to act in accordance with industry laws and regulations, internal policies or
prescribed best practices.
130 | P a g e

v) People Risk arises from lack of trained key personnel, tampering of records, unauthorized access to
dealing rooms and nexus between front and back-end offices.
(b) Credit Risk:

It is the risk that an asset or a loan becomes irrecoverable in the case of outright default, or the risk of
an unexpected delay in the servicing of a loan.
Since bank and borrower usually sign a loan contract, credit risk can be considered a form of counter-
party risk.
(c) Market Risk:

Market risk refers to the risk of losses in the bank’s trading book due to changes in equity prices,
interest rates, credit spreads, foreign-exchange rates, commodity prices, and other indicators whose
values are set in a public market.
To manage market risk, banks deploy several highly sophisticated mathematical and statistical
techniques.
(d) Strategic Risk:

Strategic risk, sometimes referred to as business risk, can be defined as the risk that earnings decline
due to a changing business environment, for example new competitors or changing demand of
customers.
(e) IT Risk:
Once the complete business is captured by technology and processes are automated in CBS; the Data
Centre (DC) of the bank, customers, management and staff are completely dependent on the DC.
Some of the common IT risks related to CBS are as follows:

i) Ownership of Data/ process: Data resides at the Data Centre. Establish clear ownership.
ii) Authorization process: Anybody with access to the CBS, including the customer himself, can enter
data directly. What is the authorization process? If the process is not robust, it can lead to
unauthorized access to the customer information.
iii) Authentication procedures: Usernames and Passwords, Personal Identification Number (PIN), One
Time Password (OTP) are some of the most commonly used authentication methods. However, these
may be inadequate and hence the user entering the transaction may not be determinable or
traceable.
Concept Problem 5
Briefly discuss key provisions of Information Technology Act regarding IT related offences impacting banks.
Answer
Some of key provisions of IT related offences as impacting the banks are given here.
i) Section 43 - Penalty and compensation for damage to computer, computer system, etc.
If any person, without permission of the owner or any other person who is in- charge of a computer,
computer system or computer network -
a) accesses or secures access to such computer, computer system or computer network [or computer
P a g e | 131
resource];
b) downloads, copies or extracts any data, computer database or information from such computer,
computer system or computer network including information or data held or stored in any removable
storage medium;
c) introduces or causes to be introduced any computer contaminant or computer virus into any
computer, computer system or computer network;
d) damages or causes to be damaged any computer, computer system or computer network, data,
computer database or any other programmes residing in such computer, computer system or
computer network;
e) disrupts or causes disruption of any computer, computer system or computer network;
f) denies or causes the denial of access to any person authorized to access any computer, computer
system or computer network by any means;
g) destroys, deletes or alters any information residing in a computer resource or diminishes its value or
utility or affects it injuriously by any means;
h) steal, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any
computer source code used for a computer resource with an intention to cause damage,
he shall be liable to pay damages by way of compensation to the person so affected.
ii) Section 43A: Compensation for failure to protect data.

Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a
computer resource which it owns, controls or operates, is negligent in implementing and maintaining
reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any
person, such body corporate shall be liable to pay damages by way of compensation to the person so
affected.
iii) Section 65: Tampering with Computer Source Documents

Whoever knowingly or intentionally conceals, destroys or alters or intentionally or knowingly causes
another to conceal, destroy or alter any computer source code used for a computer, computer program,
computer system or computer network, when the computer source code is required to be kept or
maintained by law for the time being in force, shall be punishable with
➢ imprisonment up to three years, or

➢ with fine which may extend up to 2 lakh rupees, or
➢ with both.
iv) Section 66: Computer Related Offences
If any person, dishonestly, or fraudulently, does any act referred to in section 43, he shall be punishable
with
➢ imprisonment for a term which may extend to three years or
132 | P a g e

➢ fine which may extend to 5 lakh rupees or
➢ with both.
v) Section 66-B: Punishment for dishonestly receiving stolen computer resource or communication device
Whoever dishonestly receives or retains any stolen computer resource or communication device knowing or
having reason to believe the same to be stolen computer resource or communication device, shall be
punished with
➢ imprisonment of either description for a term which may extend to three years or
➢ fine which may extend to rupees one lakh or
➢ with both.
vi) Section 66-C: Punishment for identity theft
Whoever, fraudulently or dishonestly make use of the electronic signature, password or any other unique
identification feature of any other person, shall be punished with
➢ imprisonment of either description for a term which may extend to three years and
➢ fine which may extend to rupees one lakh.
vii) Section 66-D: Punishment for cheating by personation by using computer resource
Whoever, by means of any communication device or computer resource cheats by personation, is
punishable with
➢ imprisonment of either description for a term which may extend to three years and
➢ shall also be liable to fine which may extend to one lakh rupees.
viii) Section 66-E: Punishment for violation of privacy
Whoever, intentionally or knowingly captures, publishes or transmits the image of a private area of any
person without his or her consent, under circumstances violating the privacy of that person, shall be
punished with
➢ imprisonment which may extend to three years or

➢ fine not exceeding two lakh rupees, or
➢ with both.
Concept Problem 6
In line with the suggestions of RBI, M/s. ABC Bank is planning to obtain ISO 27001:2013 certification for its
Information Security Management System. As an IS Auditor, you are required to prepare a sample list of Risks
w.r.t Information Security for the bank.
Answer
Sample listing of Risks w.r.t Information Security for the Bank is as follows:
i) Significant information resources may be modified inappropriately, disclosed without authorization, and/
or unavailable when needed. (e.g., they may be deleted without authorization).
ii) Lack of management direction and commitment to protect information assets.

iii) Potential Loss of confidentiality, availability and integrity of data and system.
P a g e | 133
iv) User accountability is not established.

v) It is easier for unauthorized users to guess the password of an authorized user and access the system
and/ or data. This may result in loss of confidentiality, availability and integrity of data and system.
vi) Unauthorized viewing, modification or copying of data and/ or unauthorized use, modification or denial of
service in the system.
vii) Security breaches may go undetected.

viii) Inadequate preventive measure for key server and IT system in case of environmental threat like heat,
humidity, fire, flood etc.
ix) Unauthorized system or data access, loss and modification due to virus, worms and Trojans.
Concept Problem 7
Banks face the challenge of addressing the threat of money laundering on multiple fronts as banks can be
used as primary means for transfer of money across geographies. Considering the above statement, discuss
the Money Laundering process and its different stages.
Answer
Money laundering may be defined as the process by which the proceeds of the crime and the true ownership
of those proceeds are concealed or made opaque so that the proceeds appear to come from a legitimate
source. The objective in money laundering is to conceal the existence, illegal source, or illegal application of
income to make it appear legitimate. Money laundering is commonly used by criminals to make ‘dirty’
money appear ‘clean’ or the profits of criminal activities are made to appear legitimate.
Stages of Money Laundering are as follows:

i) Placement: The first stage involves the Placement of proceeds derived from illegal activities - the
movement of proceeds frequently currency, from the scene of the crime to a place, or into a form less
suspicious and more convenient for the criminal.
ii) Layering: Layering involves the separation of proceeds from illegal source using complex transactions
designed to obscure the audit trail and hide the proceeds. Layering involves sending the money through
various financial transactions to change its form and make it difficult to follow. Layering may consist of
several banks to bank transfers or wire transfers between different accounts in different names in
different countries making deposit and withdrawals to continually vary the amount of money in the
accounts changing the money’s currency purchasing high value items (boats, houses cars, diamonds) to
change the form of money, thus making it hard to trace.
iii) Integration: Integration involves conversion of illegal proceeds into apparently legitimate business
earnings through normal financial or commercial operations. Integration creates the illusion of a
legitimate source for criminally derived funds and involves techniques as numerous and creative as those
used by legitimate businesses.
Concept Problem 8
134 | P a g e

Information Technology (IT) risks can be reduced by implementing the right type and level of control in
automated environment that is done by integrated controls into information technology. Being an IT
consultant, suggest various steps of IT control to a branch manager of a bank.
Answer
IT risks need to be mitigated by implementing the right type and level of controls in the automated
environment. Sample list of IT related controls in Banks are as follows:
i) The system maintains a record of all log-ins and log-outs. If the transaction is sought to be posted to a
dormant or inoperative account, the processing is halted and can be proceeded with only with a
supervisory password.
ii) The system checks whether the amount to be withdrawn is within the drawing power.
iii) The system flashes a message if the balance in a lien account would fall below the lien amount after the
processing of the transaction.
iv) Access to the system is available only between stipulated hours and specified days only.
v) Individual users can access only specified directories and files. Users should be given access only on a
‘need-to-know basis’ based on their role in the bank. This is applicable for internal users of the bank
and customers.
vi) Exception situations such as limit excess, reactivating dormant accounts, etc. can be handled only with a
valid supervisory level password.
vii) A user timeout is prescribed that means that after a user logs-in and there is no activity for a pre-
determined time, the user is automatically logged out of the system.
viii) Once the end-of-the-day process is over, ledgers cannot be opened without a supervisory level password.
Concept Problem 9
Briefly explain the following terms:

a) Proxy Server
b) Key functions of RBI
Answer
a) Proxy Server: A Proxy Server is a computer that offers a computer network service to allow clients to
make indirect network connections to other network services. A client connects to the proxy server, and
then requests a connection, file, or other resource available on a different server. The proxy provides the
resource either by connecting to the specified server or by serving it from a cache. In some cases, the
proxy may alter the client’s request or the server’s response for various purposes.
b) The key functions of Reserve Bank of India (RBI) are as follows:

i) Monetary Authority: This function formulates, implements and monitors the monetary policy with
the objective of maintaining price stability and ensuring adequate flow of credit to productive
sectors.
ii) Regulator and supervisor of the financial system: It prescribes broad parameters of banking
operations within which the country’s banking and financial system functions with the objective of
P a g e | 135
maintaining public confidence in the system, protect depositors’ interest and provide cost- effective
banking services to the public.
iii) Issuer of currency: It deals with issuing and exchanging or destroying currency and coins not it for
circulation with the objective to give the public adequate quantity of supplies of currency notes and
coins and in good quality.
Concept Problem 10
Discuss various risks and controls associated with the Current and Savings Account (CASA) process.
Or
You attended an IT workshop as a CBS. You are required to provide a basic idea to the participants about
Current & Savings Accounts (CASA) and primarily discuss the risks and controls that might be relevant in
CASA process. Advise about the relevant risks and their counter controls.
Answer
Risks and Controls around the CASA Process of Current and Savings Account (CASA) Process are as follows:
Risk Key Controls
Credit Line setup is unauthorized and not in The credit committee checks that the Financial Ratios,
line with the banks policy. the Net-worth, the Risk factors and its corresponding
mitigating factors, the Credit Line offered and the
Credit amount etc. is in line with Credit Risk Policy and
that the Client can be given the Credit Line.
Credit Line setup in CBS is unauthorized Access rights to authorize the credit limit in case of
and not in line with the banks policy. account setup system should be restricted to
authorized personnel.
Customer Master defined in CBS is not in Access rights to authorize the customer master in CBS
accordance with the Pre-Disbursement should be restricted to authorized personnel.
Certificate.
Inaccurate interest / charge being calculated in Interest on fund-based facilities are automatically
CBS. calculated in the CBS as per the defined rules.
Unauthorized personnel approving the CASAS Segregation of Duties to be maintained between the
transaction in CBS. initiator and authorizer of the transaction for processing
transaction in CBS.
Inaccurate accounting entries generated in CBS. Accounting entries are generated by CBS basis the
facilities requested by the customer and basis defined
configurations for those facilities in CBS.
Concept Problem 11
a) Cyber Crime
136 | P a g e

b) Credit Risk
c) Automated Teller Machine (ATM) Channel Server
Answer
a) Cyber Crime: Cyber-crime also known as Computer Crime are crimes that involve use of a computer and
a network. It is defined as the offences that are committed against individuals or groups of individuals
with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental
harm, or loss, to the victim directly or indirectly, using modern telecommunication networks such as
Internet (Chat rooms, emails, notice boards and groups) and mobile phones.
Committing of a fraud by manipulation of the input, output or throughput of a computer-based system;

Computer forgery which involves changing images or data stored in computers; Deliberate damage
caused to computer data or programs through virus programs or logic bombs; Unauthorized access to
computers by hacking into systems or stealing passwords; and unauthorized reproduction of computer
programs or software piracy are some examples of Cybercrimes.
b) Credit Risk is the risk that an asset or a loan becomes irrecoverable in the case of outright default, or
the risk of an unexpected delay in the servicing of a loan. Since bank and borrower usually sign a loan
contract, credit risk can be considered a form of counterparty risk.
c) Automated Teller Machines (ATM) Channel Server: This server contains the details of ATM account
holders. Soon after the facility of using the ATM is created by the Bank, the details of such customers
are loaded on to the ATM server. When the Central Database is busy with central end-of- day activities
or for any other reason, the file containing the account balance of the customer is sent to the ATM
switch. Such a file is called Positive Balance File (PBF). This ensures not only continuity of ATM
operations but also ensures that the Central database is always up-to-date.
Concept Problem 12
Automation of business processes has introduced new types of risks in banking service. You being the Branch
Manager of a CBS branch, list out some of the internal controls you think to be implemented in your branch.
Answer
Some examples of Internal Controls that can be implemented in a bank branch to avoid the risks are as
below:
i) Work of one staff member is invariably supervised/ checked by another staff member, irrespective of the
nature of work (Maker-Checker process).
ii) A system of job rotation among staff exists.
iii) Financial and administrative powers of each official/ position is fixed and communicated to all persons
concerned.
iv) Branch managers must send periodic confirmation to their controlling authority on compliance of the
laid down systems and procedures.
v) All books are to be balanced periodically. Balancing is to be confirmed by an authorized official.
vi) Details of lost security forms are immediately advised to controlling so that they can exercise caution.
vii) Fraud prone items like currency, valuables, draft forms, term deposit receipts, traveller’s cheques and
P a g e | 137
other such security forms are in the custody of at least two officials of the branch.
Concept Problem 13
Now-a-days, Credit Cards are extensively being used for payment purpose. As a consultant to credit card
section of a bank, advise the risks involved in the credit card process.
Answer
Various risks that are involved in the Credit Card process are as follows:
i) Credit Line setup is unauthorized and not in line with the banks policy.
ii) Masters defined for the customer are not in accordance with the Pre-Disbursement Certificate.
iii) Credit Line setup can be breached.
iv) Inaccurate interest/charge being calculated in the Credit Card system.
v) Inaccurate reconciliations performed.
Concept Problem 14
Explain various key aspects in-built into the architecture of a Core Banking System.
Answer
Some key aspects in-built into the architecture of a Core Banking System (CBS) are as follows:
i) Information flow: Facilitates information flow within the bank and improves the speed and accuracy of
decision-making. It deploys systems that streamline integration and unite corporate information to
create a comprehensive analytical infrastructure.
ii) Customer centric: A holistic core banking architecture enables banks to target customers with the right
offers at the right time with the right channel to increase profitability.
iii) Regulatory compliance: Compliance in case of banks is complex and expensive. CBS has built-in and
regularly updated regulatory platform which will ensure compliance.
iv) Resource optimization: Optimizes utilization of information and resources of banks and lowers costs
through improved asset reusability, faster turnaround times, faster processing and increased accuracy.
Concept Problem 15
Analyse new set of IT risks and challenges associated with the businesses and standards that the banks
should consider?
Or
Once the complete business of a bank is captured by technology and processes are automated in Core
Banking System (CBS), the data of the bank, customer, management and staff are completely dependent
on the Data center. From a risk assessment point of view, it is critical to ensure that the bank can impart
training to its staff in the core areas of technology for efficient risk management. Explain any six common
IT risks related to CBS.
Answer
Once the complete business is captured by technology and processes are automated in CBS; the Data Centre
138 | P a g e

(DC) of the bank, customers, management and staff are completely dependent on the DC.
Some of the common IT risks related to CBS are as follows:

i) Ownership of Data/ process: Data resides at the Data Centre. Establish clear ownership.
ii) Authorization process: Anybody with access to the CBS, including the customer himself, can enter data
directly. What is the authorization process? If the process is not robust, it can lead to unauthorized
access to the customer information.
iii) Authentication procedures: Usernames and Passwords, Personal Identification Number (PIN), One Time
Password (OTP) are some of the most commonly used authentication methods. However, these may be
inadequate and hence the user entering the transaction may not be determinable or traceable.
iv) Several software interfaces across diverse networks: A Data Centre can have as many as 75-100 different
interfaces and application software. A data center must also contain adequate infrastructure, such as
uninterruptable power supplies; backup generators and so on. Lapse in any of these may lead to real-
time data loss.
v) Maintaining response time: Maintaining the interfacing software and ensuring optimum response time
and up time can be challenging.
vi) User Identity Management: This could be a serious issue. Some Banks may have more than 5000 users
interacting with the CBS at once.
vii) Access Controls: Designing and monitoring access control is an extremely challenging task.
viii) Incident handling procedures: Incident handling procedures are used to address and manage the
aftermath of a security breach or cyberattack.
ix) Change Management: Though Change management reduces the risk that a new system or other change
will be rejected by the users; however, at the same time, it requires changes at application level and
data level of the database- Master files, transaction files and reporting software.
Concept Problem 16
Discuss the risks and their corresponding controls associated with the Treasury Process in CBS.
Answer
The Risks and their corresponding Controls associated with Treasury Process in CBS are as follows:
S. No. Risk Key Controls

1. Unauthorized securities setup in systems Appropriate Segregation of duties and review
such as Front office/Back office. controls around securities master setup/
amendments.
2. Inaccurate trade is processed. Appropriate Segregation of duties and review
controls to ensure the accuracy and authorization of
trades.
3. Unauthorized confirmations are processed. Complete and accurate confirmations to be
obtained from counter-party.
4. Insufficient Securities available for Effective controls on securities and margins.
Settlement
P a g e | 139
S. No. Risk Key Controls

5. Incomplete and inaccurate data flow Inter-system reconciliations, Interfaces and batch
between systems. processing controls.
6. Insufficient funds are available for Controls at Clearing Corporation of India Limited
settlements. (CCIL)/ National Electronic Funds Transfer (NEFT)/
Real Time Gross Settlement (RTGS) to ensure the
margin funds availability and the timely funds
settlements.
Concept Problem 17
“The deployment and implementation of Core Banking Systems (CBS) should be controlled at various stages
to ensure that the banks automation objectives are achieved”. Analyse the statement.
or
Explain the parameters through which the deployment and implementation of Core Banking Systems (CBS)
should be controlled at various stages to ensure that banks automation objectives are achieved.
or
DFK corporative bank of Uttar Pradesh decided to implement Core Banking System (CBS) to facilitate
integration of its entire business applications. Briefly explain how the deployment and implementation of
CBS can be controlled at various stages to ensure that objectives of DFK corporative bank are achieved.
or
XYZ Bank wants to deploy and implement Core Banking Systems (CBS) to all of its branches. As a
consultant, how would you suggest the deployment and implementation of CBS at various stages to ensure
that banks automation objectives are achieved?
Answer
The deployment and implementation of Core Banking Systems (CBS) should be controlled at various stages
to ensure that banks automation objectives are achieved:
i) Planning: Planning for implementing the CBS should be done as per strategic and business objectives of
bank.
ii) Approval: The decision to implement CBS requires high investment and recurring costs and will impact
how banking services are provided by the bank. Hence, the decision must be approved by the Board of
directors.
iii) Selection: Although there are multiple vendors of CBS, each solution has key differentiators. Hence, bank
should select the right solution considering various parameters as defined by the bank to meet their
specific requirements and business objectives.
iv) Design and develop or procured: CBS solutions used to be earlier developed in- house by the bank.
Currently, most of the CBS deployment are procured. There should be appropriate controls covering the
design or development or procurement of CBS for the bank.
v) Testing: Extensive testing must be done before the CBS is live. The testing is to be done at different
phases at procurement stage to test suitability to data migration to ensure all existing data is correctly
140 | P a g e

migrated and testing to confirm processing of various types of transactions of all modules produces the
correct results.
vi) Implementation: CBS must be implemented as per pre-defined and agreed plan with specific project
milestones to ensure successful implementation.
vii) Maintenance: CBS must be maintained as required. E.g. program bugs fixed, version changes
implemented, etc.
viii) Support: CBS must be supported to ensure that it is working effectively.
ix) Updation: CBS modules must be updated based on requirements of business processes, technology
updates and regulatory requirements.;
x) Audit: Audit of CBS must be done internally and externally as required to ensure that controls are
working as envisaged.
Fundamentally, in a CBS, all the bank’s branches access applications from centralized data-centers. All
transactions are routed through core systems, which are available 24x7 and accessible from anywhere,
anytime and through multiple devices such as desktops, laptops, ATM, Internet, mobile phone, tablets, etc.
Concept Problem 18
Differentiate between Internet Banking Channel Server (IBCS) and Internet Banking Application Server
(IBAS) used in Core Banking Systems (CBS).
Answer
Internet Banking Channel Server (IBCS): IBCS (Internet Banking Channel Server) software stores the name
and password of the entire internet banking customers. IBCS server also contains the details about the
branch to which the customer belongs. The Internet Banking customer would first have to log into the bank’s
website with the user name and password.
Internet Banking Application Server (IBAS): The Internet Banking Software which is stored in the IBAS
(Internet Banking Application Server) authenticates the customer with the login details stored in the IBCS.
Authentication process is the method by which the details provided by the customer are compared with the
data already stored in the data server to make sure that the customer is genuine and has been provided with
internet banking facilities.
Concept Problem 19
In the Core Banking Systems, the central server supports the entire banking process through front-end and
back-end applications and enables the users to access numerous online banking facilities 24x7. Explain
various Front-end applications of Core Banking Systems.
Or
Mr. X has opened a new account with CFG bank. The bank provides Internet banking, Mobile banking and
Phone banking. Mr. X could not understand usage of these banking facilities. Elaborate these banking
facilities to Mr. X.
Answer
Various Front-end applications of core banking systems are as follows:
P a g e | 141
i) Internet Banking also known as Online Banking, is an electronic payment system that enables customers
of a bank or other financial institution to conduct a range of financial transactions through the financial
institution's website. The online banking system offers over 250+ services and facilities that give us
real-time access to our bank account. We can make and receive payments to our bank accounts, open
Fixed and Recurring Deposits, view account details, request a cheque book and a lot more, while we are
online.
ii) Mobile Banking is a service provided by a bank or other financial that allows its customers to conduct
financial institution that allows its customers to conduct financial transactions remotely using a mobile
device such as a Smartphone or tablet. Unlike the related internet banking, it uses software, usually
called an app, provided by the financial institution for the purpose. Mobile banking is usually available on
a 24-hour basis.
iii) Phone Banking is a functionality through which customers can execute many of the banking
transactional services through Contact Centre of a bank over phone, without the need to visit a bank
branch or ATM. Registration of Mobile number in account is one of the basic pre-requisites to avail Phone
Banking. The use of telephone banking services, however, has been declining in favour of internet
banking. Account related information, Cheque Book issue request, stop payment of cheque, Opening of
Fixed deposit etc. are some of the services that can be availed under Phone Banking.
iv) Branch Banking: Core Banking Systems are the bank’s centralized systems that are responsible for
ensuring seamless workflow by automating the frontend and backend processes within a bank. CBS
enables single view of customer data across all branches in a bank and thus facilitate information
across the delivery channels. The branch confines itself to the following key functions:
• Creating manual documents capturing data required for input into software;
• Internal authorization;
• Initiating Beginning-Of-Day (BOD) operations;
• End-Of-Day (EOD) operations; and
• Reviewing reports for control and error correction

Concept Problem 20
Explain the working of Automated Teller Machines (ATM) Channel Server?
Answer
Automated Teller Machines (ATM) Channel Server: This server contains the details of ATM account holders.
Soon after the facility of using the ATM is created by the Bank, the details of such customers are loaded on
to the ATM server.
When the Central Database is busy with central end - of- day activities or for any other reason, the file
containing the account balance of the customer is sent to the ATM switch. Such a file is called Positive
Balance File (PBF). Till the central database becomes accessible, the ATM transactions are passed and the
balance available in the ATM server. Once the central database server becomes accessible, all the
transactions that took place till such time as the central database became un-accessible would be updated
142 | P a g e

in the central
Concept Problem 21
A bank PQR has many branches all over India. However, the competent authority intends to bring all the
branches together under one umbrella and make it centralized. For that, identify most prominently available
Core Banking Software in the market.
Answer
Core Banking Solution (CBS) refers to a common IT solution wherein a central shared database supports the
entire banking application. Business processes in all the branches of a bank update a common database in
a central server located at a Data Center, which gives a consolidated view of the bank’s operations.
Some examples of CBS software are given below. These are only illustrative and not exhaustive.
i) Finacle: Core banking software suite developed by Infosys that provides universal banking functionality
covering all modules for banks covering all banking services.
ii) FinnOne: Web-based global banking product designed to support banks and financial solution companies
in dealing with assets, liabilities, core financial accounting and customer service.
iii) Flexcube: Comprehensive, integrated, interoperable, and modular solution that enables banks to manage
evolving customer expectations.
iv) BaNCS: A customer-centric business model which offers simplified operations comprising loans, deposits,
wealth management, digital channels and risk and compliance components.
v) bankMate: A full-scale Banking solution which is a scalable, integrated e-banking systems that meets
the deployment requirements in traditional and non-traditional banking environments. It enables
communication through any touch point to provide full access to provide complete range of banking
services with anytime, anywhere paradigm.
Further, there are many CBS software developed by vendors which are used by smaller and co- operative
banks. Some of the banks have also developed in-house CBS software. However, the trend is for using high-
end CBS developed by vendors depending on cost-benefit analysis and needs.
Concept Problem 22
Explain the term “Mortgage Plan”. Also, briefly discuss its different types.
Answer
Mortgage Loan: A Mortgage loan is a secured loan which is secured on the borrower’s property by marking a
lien on the property as collateral for the loan. If the borrower stops paying, then the lender has the first
charge on the property.
Mortgages are used by individuals and businesses to make large real estate purchases without paying the
entire value of the purchase up front. Over the period of many years, the borrowers repay the loan amount
along with interest until there is no outstanding.
Types of Mortgage Loan are as follows:

i) Home Loan: This is a traditional mortgage where customer has an option of selecting fixed or variable
rate of interest and is provided for the purchase of property
P a g e | 143
ii) Top Up Loan: Here the customer already has an existing loan and is applying for additional amount
either for refurbishment or renovation of the house
iii) Loans for Under Construction Property: In case of under construction properties the loan is disbursed in
tranches / parts as per construction plan.
Concept Problem 23
Discuss any two risks and their corresponding controls related to the process of Mortgage involved in CBS.
Or
Mr. X mortgaged his old flat and took a loan from ABC bank to set up his new business. The said transaction
was recorded in the ABC bank software that may be prone to various risks. Discuss any two risks and their
corresponding controls related to the process of Mortgage involved in Core Banking System.
Answer
Risk and Control related to Mortgage Process are as follows:
Risk Key Controls

Incorrect customer and loan details are There is secondary review performed by an independent
captured which will affect the overall team member who will verify loan details captured in core
downstream process. banking application with offer letter.
Incorrect loan amount disbursed. There is secondary review performed by an independent
team member who will verify loan amount to be disbursed
with the core banking application to the signed offer letter.
Interest amount is incorrectly Interest amount is auto calculated by the core banking
calculated and charged. application basis loan amount, ROI and tenure.
Unauthorized changes made to loan master System enforced segregation of duties exist in the core
data or customer data. banking application where the inputter of the transaction
cannot approve its own transaction and reviewer cannot edit
any details submitted by inputter.
Concept Problem 24
Information Security that refers to ensure Confidentiality, Integrity and Availability of information, is critical
in banking industry, to mitigate the risks of Information Technology. Identify and explain various sub-
processes that are involved in Information Security.
Or
Information Security is critical to mitigate the risks of information Technology and Security should ensure
Confidentiality, Integrity and Availability (CIA) of information. Determine all the sub- processes that
comprise of Information Security.
Or
ABC Bank established in 2015 is in the process to obtain ISO 27001:2013 certification to mitigate the risk of
Information Technology as per guided by RBI. Explain the various sub processes included in Information
Security.
144 | P a g e

Answer
The various sub-processes that are involved in information Security are as follows:
i) Information Security Policies, Procedures and practices: This refers to the processes relating to approval
and implementation of information security. The security policy is basis on which detailed procedures
and practices are developed and implemented at various units/department and layers of technology, as
relevant. These cover all key areas of securing information at various layers of information processing
and ensure that information is made available safely and securely. For example – Non-disclosure
agreement with employees, vendors etc., KYC procedures for security.
ii) User Security Administration: This refers to security for various users of information systems. The
security administration policy documents define how users are created and granted access as per
organization structure and access matrix. It also covers the complete administration of users right from
creation to disabling of users is defined as part of security policy.
iii) Application Security: This refers to how security is implemented at various aspects of application right
from configuration, setting of parameters and security for transactions through various application
controls. For example – Event Logging.
iv) Database Security: This refers to various aspects of implementing security for the database software. For
example - Role based access privileges given to employees.
v) Operating System Security: This refers to security for operating system software which is installed in the
servers and systems which are connected to the servers.
vi) Network Security: This refers to how security is provided at various layers of network and connectivity to
the servers. For example - Use of virtual private networks for employees, implementation of firewalls etc.
vii) Physical Security: This refers to security implemented through physical access controls. For example -
Disabling the USB ports.
Concept Problem 25
Current and Savings Account (CASA) is a unique feature which banks offer to their customers to make them
keep their money in their banks. Discuss its business process flow.
Answer
The Business Process flow of Current and Saving Account (CASA) is as follows:
i) Either the customer approaches the relationship manager to apply for a CASA facility or will apply the
same through internet banking, the charges/ rates for the facility are provided by the relationship
manager on basis of the request made by the customer.
ii) Once the potential customer agrees for availing the facilities/products of the bank, the relationship
manager request for the relevant documents i.e., KYC and other relevant documents of the customer
depending upon the facility/product. KYC (Know Your Customer) is a process by which banks obtain
information about the identity and address of the customers. KYC documents can be Passport, Driving
License, etc.
iii) The documents received from the customers are handed over to the Credit team / Risk team for
sanctioning of the facilities/limits of the customers.
P a g e | 145
iv) Credit team verifies the document’s, assess the financial and credit worthiness of the borrowers and
updates facilities in the customer account.
v) Current Account /Saving Account along with the facilities requested are provided to the customer for
daily functioning.
vi) Customers can avail facilities such as cheque deposits/ withdrawal, Cash deposit/ withdrawal, Real Time
Gross Settlement (RTGS), National Electronics Funds Transfer System (NEFT), Electronic Clearing Service
(ECS), Overdraft Fund Transfer services provided by the bank.
Concept Problem 26
Banking has played a vital and significant role in development of economy. In the light of this statement,
explain the key features of banking business.
Answer
The key features of a banking business are as follows:
a) The custody of large volumes of monetary items, including cash and negotiable instruments, whose
physical security should be ensured.
b) Dealing in large volume (in number, value and variety) of transactions.
c) Operating through a wide network of branches and departments, which are geographically dispersed.
d) Increased possibility of frauds as banks directly deal with money making it mandatory for banks to
provide multi-point authentication checks and the highest level of information security.
Concept Problem 27
Describe the Section 63 in prevention of Money Laundering that specifies the punishment for false
implementation or failure to give information, etc.
Answer
[Section 63] Punishment for false information or failure to give information, etc.
(1) Any person willfully and maliciously giving false information and so causing an arrest or a search to be
made under this Act shall on conviction be liable for imprisonment for a term which may extend to two
years or with fine which may extend to fifty thousand rupees or both.
(2) If any person -
(a) being legally bound to state the truth of any matter relating to an offence under section 3, refuses
to answer any question put to him by an authority in the exercise of its powers under this Act; or
(b) refuses to sign any statement made by him in the course of any proceedings under this Act, which
an authority may legally require to sign; or
(c) to whom a summon is issued under section 50 either to attend to give evidence or produce books of
account or other documents at a certain place and time, omits to attend or produce books of
account or documents at the place or time, he shall pay, by way of penalty, a sum which shall not
be less than five hundred rupees but which may extend to ten thousand rupees for each such
146 | P a g e

default or failure.
(3) No order under this section shall be passed by an authority referred to in sub-section (2) unless the
person on whom the penalty is proposed to be imposed is given an opportunity of being heard in the
matter by such authority.
Concept Problem 28
BMN Bank limited has recently started its core banking operations. The Bank approached Mr. X for his advice
regarding the maintenance of records as a reporting entity considering the provisions of the PMLA, 2002.
What do you think shall be the probable reply of Mr. X mentioning the relevant provisions of the PMLA, 2002?
Answer
Section 12 of the Prevention of Money Laundering Act, 2002 provides for the obligation of Banking
Companies, Financial Institutions and Intermediaries i.e. the reporting entity to maintain records of
transactions. Mr. X should have advised BMN Bank Ltd. to maintain records in the compliance to said section.
a) Accordingly, every reporting entity shall –
i) maintain a record of all transactions, including information relating to transactions, in such manner
as to enable it to reconstruct individual transactions. Here records shall be maintained for a period
of five years from the date of transaction between a client and the reporting entity.
ii) furnish to the Director within such time as may be prescribed, information relating to such
transactions, whether attempted or executed, the nature and value of which may be prescribed;
iii) maintain record of documents evidencing identity of its clients and beneficial owners as well as
account files and business correspondence relating to its clients for a period of five years after the
business relationship between a client and the reporting entity has ended or the account has been
closed, whichever is later..
b) Every information maintained, furnished or verified, save as otherwise provided under any law for the
time being in force, shall be kept confidential.
c) The Central Government may, by notification, exempt any reporting entity or class of reporting entities
from any obligation under this Chapter.
Concept Problem 29
Briefly discuss the characteristics of Core Banking Systems (CBS).
Answer
The characteristics of Core Banking Systems (CBS) are as follows:
a. CBS is centralized Banking Application software that has several components which have been designed
to meet the demands of the banking industry.
b. CBS is supported by advanced technology infrastructure & has high standards of business functionality.
c. Core Banking Solution brings significant benefits such as a customer is a customer of the bank and not
only of the branch.
d. CBS is modular in structure and is capable of being implemented in stages as per requirements of bank.
e. A CBS software also enables integration of all third-party applications including in- house banking
P a g e | 147
software to facilitate simple and complex business processes.

f. There is a common database in a central server located at a Data Center which gives a consolidated view
of the bank’s operations.
g. Branches function as delivery channels providing services to its customers.
Concept Problem 30
Core Banking Systems (CBS) has become a mandatory requirement in the banking system. CBS are usually
running 24 x7 to Support Internet Banking, Mobile Banking, ATM services etc. with the help of its various
modules. Most of the key modules of CBS are connected to a Central Server. As an IT expert, discuss any
three Bank End Applications/ Modules and any three Front End Applications/ Modules of CBS.
Answer
Three Bank End Applications/ Modules are as follows:
a) Back Office:
The Back Office is the portion of a company made up of administration and support personnel, who are not
client-facing. Back-office functions include settlements, clearances, record maintenance, regulatory
compliance, accounting, and IT services.
b) Credit-Card System:
Credit card system provides customer management, credit card management, account management,
customer information management and general ledger functions; Support in the payment application; and at
the same time, the system has a flexible parameter system, complex organization support mechanism and
product factory based design concept to speed up product time to market.
c) Automated Teller Machines (ATM):
An Automated Teller Machine (ATM) is an electronic banking outlet that allows customers to complete basic
transactions without the aid of a branch representative or teller. Anyone with a credit card or debit card can
access most ATMs. ATMs are convenient, allowing consumers to perform quick, self-serve transactions from
everyday banking like deposits and withdrawals to more complex transactions like bill payments and
transfers.
Three Front End Applications/ Modules are as follows:
i) Internet Banking also known as Online Banking, is an electronic payment system that enables customers
of a bank or other financial institution to conduct a range of financial transactions through the financial
institution's website. The online banking system offers over 250+ services and facilities that give us real-
time access to our bank account. We can make and receive payments to our bank accounts, open Fixed
and Recurring Deposits, view account details, request a cheque book and a lot more, while you are online.
ii) Mobile Banking is a service provided by a bank or other financial institutions that allow its customers to
conduct financial transactions remotely using a mobile device such as a Smartphone or tablet. Unlike the
related internet banking, it uses software, usually called an app, provided by the financial institution for
the purpose. Mobile banking is usually available on a 24-hour basis.
iii) Branch Banking:
148 | P a g e

CBS enables single-view of customer data across all branches in a bank and thus facilitate information
across the delivery channels. The branch confines itself to the following key functions:
▪ Creating manual documents capturing data required for input into software;
▪ Internal authorization;
▪ Initiating Beginning-Of-Day (BOD) operations;
▪ End-Of-Day (EOD) operations; and
▪ Reviewing reports for control and error correction.
Concept Problem 31
Briefly explain the Web Server and Proxy Server.
Mr. Shoren has recently been associated with the procurement and sale of drugs and narcotic substances
without a license which is illegal as per Narcotic Drugs and Psychotropic Substances Act, 1985. A major part
of the sale proceeds amounting to INR 65 lakhs was collected and routed through various bank accounts held
in SNFC Bank which was subsequently advanced to various bogus companies and a series of transactions
were initiated to make the money appear to have been obtained from a legal legitimate source. These
activities were carried out with the assistance of one of the employee Mr. Sushil of SNFC Bank who
intentionally altered few computer sources codes so that no records for major transactions that took place
could be found in the database. A series of transactions ranging from INR 10,000 to INR 1 lakh was initiated in
a month for depositing the amount of INR 65 lakhs in SNFC Bank.
However, SNCF Bank had failed to keep proper record of information relating to few of the transactions as
they were not of substantial amount. Furthermore, it was later found that one of the staff members of SNFC
bank whose relative was an insurance agent, used to obtain medical information of the customers having
account with the bank for obtaining personal benefits.
1. Which amongst the following activities carried out by Mr. Shoren could be considered as an offence of
Money Laundering?
a) Expenses incurred for procurement of narcotic drugs
b) Sale of narcotic drugs without a license.
c) Routing the illegal proceeds through bank and other transactions to appear as obtained from
legitimate source.
d) Being a part of the cartel/association carrying out illegal sale of drugs.
2. An employee of SNFC Bank Mr. Sushil had assisted Mr. Shoren in routing the illegal money through bank
by altering the computer source code so that major transactions’ amounts were not traceable in the
bank’s database. Under which Section of IT Act, 2000 will this act of Mr. Sushil is punishable?
(a) Section 66E
(b) Section 66B
(c) Section 65
(d) Section 66D
P a g e | 149
3. Mr. Shoren was involved in the collection and sale of illegal drugs and got the routing done through
various banking transactions and advances to bogus companies. Which stages of Money Laundering
process address these aforesaid activities?
(a) Placement and Integration
(b) Layering and Integration
(c) Placement and Layering
(d) Placement, Layering and Integration
4. SNFC Bank failed to maintain records of information relating to baking transactions carried out by Mr.
Shoren as many of the transaction amounts were not substantial. Also, the privacy regarding the details
of medical history of its customers was breached. Which kind of risk would SNFC bank be exposed to if
it has to face legal penalties as it had failed to act in accordance with laws and requirements as per
Prevention of Money Laundering Act (PMLA)?
(a) Legal and Compliance Risk
(b) Compliance and Information Security Risk
(c) Information Security and People Risk
(d) Transaction processing and Legal risk
GNI Bank is one of the age-old conventional banks which offers an array of banking services like EFT’S,
Collections, clearing, Letter of credits/guarantees etc. to its customers. To provide latest functionalities and to
improve the overall efficiency with respect to banking services, it has recently implemented a core banking
solution. It has also put in place the necessary controls to safeguard its business from being exposed to
probable IT risks.
Mr. Doshi, a senior software developer having a savings bank account with GNI Bank has requested for
internet banking facilities. He has also applied and produced all the necessary documents for availing a
housing loan from the said bank. Though the procedures followed for sanctioning housing loans are quite
stringent, GNI bank offers floating interest rate on its loans and offers comparatively higher interest rates on
its fixed deposits compared to the other banks in the state also.
1. Given below are the features of Core Banking Solution recently implemented by GNI Bank that prove
advantageous to both the bank and its customers. Which among the following advantages would relate
the most to Mr. Doshi who has recently availed a housing loan in terms of easy and effortless Internet
banking?
(a) Reliance on transaction balancing
(b) Highly dependent system-based controls
(c) Daily, half yearly and annual closing
(d) Automatic processing of standing instructions
2. GNI Bank during this stage of the loan processing of Mr. Doshi, checks the borrower’s ability to repay
the loan based on an analysis of his credit history, and his earning capacity. This process which forms a
150 | P a g e

major aspect in loan approvals is referred to as ______.
(a) Clearing
(b) Underwriting
(c) Collections
(d) Letter of Credit
3. GNI bank has also implemented necessary controls to ensure safeguards against the exposure to IT risks.
As a practice, whenever a connection is made to website in another network, it will be routed through a
particular server. Which server would be utilized for making connections with other network services?
(a) Web Server
(b) Application Server
(c) Proxy Server
(d) Database Server
4. GSI Bank has also implemented necessary controls to ensure safeguards against the exposure to IT risks.
Which among the following controls could be implemented when risk arises due to lack or inadequate
management direction and commitment to protect information assets?
(a) The identity of users is authenticated to the systems through passwords.
(b) Security policies are established and management monitors compliance with policies.
(c) Access to sensitive data is logged and the logs are regularly reviewed by management.
(d) Physical access restrictions are implemented and administered.
Answer Key
MCQ 1 1. C 2. C 3. C 4. B
MCQ 2 1. D 2. B 3. C 4. B
P a g e | 151

Question Bank

Uploaded by

Document Information

Original Description:

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Question Bank

Uploaded by

Copyright:

Available Formats

EIS Divyastra May 22

EIS चालीसा - Handwritten Notes

You are theCmaster

Automated Business Processes

A UTOMATED B USINESS P ROCESSES

In order to succeed, first have

Automated Business Processes

Automated Business Processes

Automated Business Processes

Automated Business Processes

Automated Business Processes

Risk Control Objective

b) Order to Cash - Risks and Control Objectives (Transaction Level)

Risk Control Objective

c) Inventory Cycle - Risks and Control Objectives (Master level)

Risk Control Objective

Automated Business Processes

Automated Business Processes

Risk Control Objective

Automated Business Processes

2. ICAI RTP S , MTP S A ND P A S T Y E A R Q U E S TIO NS

Order-To-Cash (O2C) business process. Prepare an appropriate draft reply.

Automated Business Processes

Automated Business Processes

Automated Business Processes

Automated Business Processes

c. controlling resistance of employees to the acceptance of automated processes

Financial Accounting System

FINANCIAL ACCOUNTING SYSTEM

If you can dream it, you can

v) Does it have controls to process only authentic, valid, accurate transactions?

Business Reporting is important for following reasons:

Financial Accounting System

Financial Accounting System

The overall purchase process includes the following sub-processes:

iv) Evaluation of quotations: Quotations received shall be evaluated and compared.

▪ Quantity of these stock items.

after recording of purchase invoice.

Benefits of Business Intelligence

a) accelerating and improving decision making;

Financial Accounting System

Some Application areas of Data Analytics are as follows:

b) E-commerce companies and marketing services

Key features of this module are as under:

Financial Accounting System

Disadvantages of using Cloud applications are as follows:

Discuss in brief the following terms:

Financial Accounting System

In other words, Regulatory Compliance is an organization’s adherence to laws, regulations,

b) Specific – Applicable to specific type of businesses only.

Financial Accounting System

2. ICAI RTP S , MTP S A ND P A S T Y E A R Q U E S TIO NS

Explain the following in brief:

Explain the significance of Front End and Back End in a software.

Back End of a Software:

Financial Accounting System

Above type of access can be allowed/disallowed for:

Important features of XBRL are as follows:

Significance of Business Reporting is as follows:

Financial Accounting System

also becomes obsolete as time goes on.

i) Purchase Order- For recording of a purchase order raised on a vendor.

iv) Physical Stock-For making corrections in stock after physical counting.