Eis Chalisa
CHAPTER 1: AUTOMATED BUSINESS PROCESSES
1. BUSINESS PROCESS
Types of Business Processes
Vision & Mission of Top Management is achieved by implementing
2. BUSINESS PROCESS AUTOMATION – REMOVING HUMAN INTERVENTION
▪ It is technology-enabled automation of activities or services to achieve a specific function/ task/ objective.
▪ This can be done for different functions like sale, purchase, supply chain management, HR, IT etc.
▪ Involves use of integrated Apps & s/w in automating business processes throughout the Organisation.
▪ BPA enables business processes to operate effectively and efficiently.
3. WHICH BUSINESS PROCESSES SHOULD BE AUTOMATED?
▪ Not every business process is a good fit for automation. Companies tend to automate those business processes that are time and resource-intensive or those that are subject to human error.
▪ Following are a few examples of processes that are best suited to automation:
1. Processes involving high volume of tasks or repetitive tasks: Automating these processes results in reduction of cost and work effort. E.g. making purchase orders; generating invoices etc.
2. Processes requiring multiple people to execute tasks: Automating these processes results in reduction of waiting time and in costs. E.g., Help desk services; Tracking of goods etc.
3. Time-sensitive processes: BPA results in streamlined processes and faster turnaround times. It eliminates wasteful activities and focuses on enhancing tasks that add value. For example - online banking system, railway/aircraft operating and control systems etc.
4. Processes involving need for compliance and audit trail: Since every detail of a particular process is recorded, these details can be used to demonstrate compliance during audits. For example - invoice issue to vendors, Employee management system i.e. Salary calculations & employee Attendance.
5. Processes having significant impact on other processes and systems: Some processes are cross-functional and have significant impact on other processes and systems. E.g., the marketing department may work with the sales department. Automating these processes results in easy sharing of information resources and improves the efficiency and effectiveness of business processes.
4. CHALLENGES INVOLVED IN BUSINESS PROCESS AUTOMATION
1. Automating Redundant Processes: Sometimes organizations start off BPA by automating the processes they find suitable for automation without considering whether such processes are necessary and create value. In other cases, some business processes and tasks require a high amount of tacit knowledge (that cannot be documented and transferred from one person to another) and therefore require employees to use their personal judgment.
2. Defining Complex Processes: This requires a detailed understanding of the underlying business processes to develop an automated process.
3. Staff Resistance: Human factor issues are the main obstacle to the acceptance of automated processes. Staff may see BPA as a way of reducing their decision-making power. Moreover, the staff may perceive automated processes as a threat to their jobs.
4. Implementation Cost: The implementation of BPA involves significant costs like acquisition cost of automated systems & special skills required to operate and maintain these systems.
5. BPA IMPLEMENTATION:
Steps and Explanation
i) Define why we plan to implement BPA: The answer to this question provides justification for implementing BPA. List of generic reasons for justifying BPA may include-
a) Errors in manual process leading to enhanced cost.
b) Payment process not streamlined leading to duplicate payment.
c) Payment for G/S supplied not received on time.
d) Poor debtor management system leading to more bad debts.
e) Poor customer services.
f) Delay in furnishing documents during audit.
ii) Understand Rules/ Regulations under which business performs: Any BPA must comply with applicable laws & regulations. Hence it is essential to understand the Rules/ Regulations under which the business performs. E.g. Books of A/c must be maintained for a specified time as per the Income Tax Act.
iii) Document the process we want to automate: All current processes & documents which are planned to be automated must be correctly & completely documented.
Things to be kept in mind-
a. What docs need to be captured?
b. Where do docs come from - Vendor or accounting software?
c. What format are they in: Paper, FAX, E-mail or PDF?
d. What is the impact of regulations on processing of these documents?
e. Can there be a better way to do the same job?
Benefits:
1. Provides clarity on process.
2. Helps identify source of inefficiencies, bottlenecks & problems.
3. Allows designing the process to focus on desired results.
iv) Define the objectives/ goals to be achieved by implementing BPA: Enables the developer & user to understand the reason for doing BPA. While determining objectives of BPA, Goals should be-
S → Specific i.e., clearly determined
M → Measurable – Easily quantifiable in monetary terms
A → Attainable – Achievable through best result.
R → Relevant – Entity Must be in need of BPA.
T → Timely - Achieved within a given time frame.
v) Select BPA consultant/ Company: Entity needs to appoint an Expert who can implement BPA. Selection depends on-
a) Objectivity of consultant in understanding entity’s situation.
b) Does he have experience with entity BPA?
c) Is he experienced in resolving critical issues?
d) Can he recommend a combination of H/w & S/w for BPA & implement it?
vi) Calculate ROI: It helps in convincing Top Management to say ‘Yes’ to the BPA exercise. Some of the methods for justification of BPA are-
a) Cost saving; being clearly computed and demonstrated.
b) Time saving; How BPA could lead to reduction in required manpower.
c) The cost of space regained from paper, file cabinets, etc. is reduced.
d) Eliminating fines to be paid for delayed payment & eliminating double payment.
e) Taking advantage of early payment.
f) Reducing cost of audits and lawsuits.
vii) Developing BPA: Once requirements have been documented, ROI is computed & approval of Top Management obtained, the Consultant develops the required BPA.
viii) Testing of BPA: Before making the BPA live, BPA should be tested fully to-
a) Determine how it works
b) Remove all problems
c) Enable improvement before official launch.
Testing helps increase user adoption and decreases resistance to change.
Final version of process is documented for
a) Training of new employees &
b) Future reference.
6.1. RISK
Refers to
➢ Any uncertain event that may result in loss for an organization
➢ Any uncertain event that may result in significant deviation from planned objective resulting in negative consequences
A. BUSINESS RISK
Business risk is a broad category which applies to any event or circumstance related to business goals. Businesses face all kinds of risks ranging from serious loss of profits to even bankruptcy.
a) Strategic Risk: Risk that prevents an organization from achieving its strategic objectives. E.g. Risk related to strategy, regulatory, global market condition like recession.
b) Financial Risk: Risk that results in negative financial impact to the organization. E.g. Volatility of foreign exchange rate, interest rate, liquidity risk etc.
c) Regulatory Risk: Risk that can expose the organization to fines & penalties due to non-compliance with laws. E.g. - violation of law w.r.t Taxation, Environment, Employee health.
d) Operational Risk: Risk that can prevent the organization from operating in the most effective and efficient capacity. E.g. - risk of loss resulting from inadequate or failed internal processes, fraud or any criminal activity by an employee etc.
e) Hazard Risk: Risks that are insurable. E.g. - Natural disaster, Asset impairment, Terrorism etc.
f) Residual Risk: Risks remaining even after counter measures are applied. All risk can’t be eliminated. It should be minimized & kept at an acceptable low level.
B. TECHNOLOGICAL RISK
BPA is technology driven and this dependence on technology has led to various challenges. All risks related to the technology equally apply to BPA.
a) Downtime due to technology failure: Information system facilities may become unavailable due to technical problems or equipment failure.
b) Frequent change or obsolescence of: Since technology keeps on evolving & is changing rapidly, there is
6.2. RISK MANAGEMENT & RELATED TERMINOLOGIES
b) Vulnerability: Refers to a weakness in the system safeguards that exposes the system to threats. It may be a weakness in information system/s, cryptographic system (security systems), or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat. Vulnerabilities potentially “allow” a threat to harm or exploit the system.
Some examples of vulnerabilities are given as follows:
i) Leaving the front door unlocked makes the house vulnerable to unwanted visitors.
ii) Short passwords (less than 6 characters) make the automated information system vulnerable to password cracking or guessing routines.
Normally, a vulnerability has at least one of the following conditions:
i) ‘Allows an attacker to execute commands as another user’ or
ii) ‘Allows an attacker to access data that is contrary to the specified access restrictions for that data’ or
iii) ‘Allows an attacker to pose as another entity’ or
iv) ‘Allows an attacker to conduct a denial of service’.
c) Threat: Refers to any entity, circumstance, or event with the potential to harm the software system or component through its unauthorized access, destruction, modification, and/or denial of service. A threat has the capability to attack a system with intent to harm. Assets and threats are closely correlated. A threat cannot exist without a target asset. Threats are typically prevented by applying some sort of protection to assets.
d) Exposure: Refers to the extent of loss the enterprise has to face when a risk materializes. It is not just the immediate impact, but the real harm that occurs in the long run. For example - loss of business, failure to perform the system’s mission, loss of reputation, violation of privacy and loss of resources etc.
e) Likelihood: Refers to the estimation of the probability that the threat will succeed in achieving an undesirable event.
f) Attack: Refers to an attempt to gain unauthorized access to the system’s services or to compromise the system’s dependability. In software terms, an attack is a malicious intentional fault, usually an external fault that has the intent of exploiting a vulnerability in the targeted software or system. Basically, it is a set of actions designed to compromise CIA (Confidentiality, Integrity or Availability).
g) Counter Measure: An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a Counter Measure. For example, the well known threat ‘spoofing the user identity’ has two countermeasures:
a) Strong authentication protocols to validate users; and
b) Passwords should be stored in some secure location.
Similarly, for other vulnerabilities, different countermeasures may be used.
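To make the two countermeasures for ‘spoofing the user identity’ concrete, here is an added Python example (not from the original notes): registration refuses passwords shorter than the 6-character threshold the vulnerability example above mentions, the store keeps only a random salt and a PBKDF2-derived key rather than the password itself, and login compares keys in constant time. The iteration count, the in-memory store and the user names are assumptions made for this example.

```python
import hashlib
import hmac
import os

# The 6-character threshold is the figure used in the notes' vulnerability
# example; it is reproduced here as the page's value, not as a policy recommendation.
MIN_PASSWORD_LENGTH = 6
# Assumption for this example: PBKDF2 work factor (iterations of HMAC-SHA256).
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16

# Constructed in-memory credential store: username -> (salt, derived key).
# The password itself is never written here, only a salt and a slow hash of it.
_store: dict = {}


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated key derivation so a leaked store cannot be reversed cheaply."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> bool:
    """Enrol a user; refuses passwords below the notes' minimum length."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    salt = os.urandom(SALT_BYTES)
    _store[username] = (salt, _derive(password, salt))
    return True


def authenticate(username: str, password: str) -> bool:
    """Validate a login by recomputing the key and comparing in constant time."""
    record = _store.get(username)
    if record is None:
        # Do the same amount of work for unknown users so that response timing
        # does not reveal which user names exist.
        _derive(password, b"\x00" * SALT_BYTES)
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(password, salt), expected)


def stored_record_contains(username: str, password: str) -> bool:
    """Audit helper: True only if the raw password is sitting in the stored record."""
    salt, key = _store[username]
    raw = password.encode("utf-8")
    return raw in salt or raw in key


if __name__ == "__main__":
    print(register("alice", "correct horse"))      # True
    print(register("bob", "abc"))                  # False: shorter than 6 characters
    print(authenticate("alice", "correct horse"))  # True
    print(authenticate("alice", "wrong"))          # False
```

The length check addresses the vulnerability example directly; the salted slow hash and constant-time comparison are what “stored in some secure location” and “strong authentication” amount to in code: even a copy of the store does not hand an attacker the passwords, and the comparison does not leak how many bytes matched.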
After the above analysis, strategies for managing Risk are decided. Not all risks require controls to counter them [cost-benefit analysis].
6.3. RISK MANAGEMENT STRATEGIES / RESPONSE [5 Ts]
Tolerate/ Accept: In case of minor risk i.e., where impact or probability of occurrence is low, Management may accept the risk as a cost of doing business.
Terminate/ Eliminate: If risk is associated with use of a technology, supplier, or vendor, it can be eliminated by
➢ Replacing tech with more robust products; and
➢ by seeking more capable suppliers and vendors.
Transfer/ Share: Risk may be shared with trading partners & suppliers. E.g. Outsourcing of IT Infrastructure mgt. Risk can also be insured.
Treat/ Mitigate: When other options are not feasible, suitable controls must be developed & implemented
a) to prevent risk from occurring, or
b) to Minimize its impact.
Turn Back: Where probability or impact of Risk is very low, then management may decide to ignore the Risk.
7.1. ENTERPRISE RISK MANAGEMENT FRAMEWORK
ERM Framework
ERM provides a framework of eight interrelated components for risk management which involves:
➢ identifying potential threats or risks.
➢ determining how big a threat or risk is, what could be its consequence, its impact, etc.
➢ implementing controls to mitigate the risks.
i) Internal Environment: It is the foundation for risk management. It involves analysis of the organization/ entity, people of the organization & the environment in which it works.
ii) Objective setting: ERM involves setting of objectives in line with Vision & Mission of management & consistent with risk appetite of the entity.
iii) Event Identification: Includes identifying uncertain events, internal as well as external, which may represent opportunity, risk or both.
iv) Risk Assessment: Involves analysis in terms of likelihood of risk & impact on the entity.
v) Risk Response: Management selects risk response in line with entity risk tolerance & risk appetite. Higher Risk Appetite = Higher Risk tolerance = Lower Risk response
vi) Control Activity: Refers to policies & procedures established to mitigate risk & maintain it at an acceptable level.
vii) Info & communication: Risk response & controls to be applied are communicated to relevant employees across the entity for carrying out necessary activities for risk management.
viii) Monitor entire ERM process: Entire ERM process should be monitored regularly &, if necessary, modified.
7.2. BENEFITS OF ERM
a) Align risk appetite with strategy: ERM helps in aligning risk appetite with its strategy for achieving goals.
b) Link growth, risk & return: Entities accept risk as part of value creation & expect return commensurate with risk taken.
c) Minimize operational surprise & Losses: ERM provides advanced ability to identify potential events, assess risk & respond to it.
d) Seize opportunity: ERM enables the organization to identify opportunity & take advantage.
e) Enhanced risk response decision: ERM helps to identify & select alternative risk responses i.e. 5 Ts.
f) Identify & manage Cross Enterprise risk: Entity faces various risks. Management needs to manage not only individual risk but also related risk.
g) Provide Integrated response to multiple risks: ERM helps to provide an integrated solution for multiple risks.
8. CONTROLS – MEANING & IMPORTANCE
Refers to policy, procedures & practices that are designed to provide reasonable assurance that
a) Business objectives are achieved
b) Undesired events are prevented, detected or corrected
c) Risks are mitigated
d) Assets are safeguarded and
e) Efficiency and effectiveness of Business Processes are achieved.
8.1. TYPES OF CONTROLS
8.2. IT CONTROLS OBJECTIVES
Meaning: Statement of desired result or purpose to be achieved by implementing controls within an IT activity. Implementing the right type of controls is the responsibility of management. IT Controls help perform a dual role:
a) Enables enterprise to achieve objectives
b) Mitigate Risk
Need:
a) Control cost & remain competitive
b) To promote reliability & efficiency
c) Makes organization Resilient & helps it sustain any disruption in Business Process
d) Provides policy & guidance for directing & monitoring performance of IT activity to achieve objective
8.3. TYPES OF IT CONTROLS
IT General Controls (ITGC)
4. Mgt of system acquisition & implementation → Process of system authorization & implementation should be controlled.
5. Proper development & implementation of App/ s/w.
6. Controls to ensure CIA and ACA of S/W & Data.
7. Change Management → IT system must change with change in business needs & environment or regulatory compliance. In such case, change mgt ensures smooth transition.
8. User training & qualification of Operations personnel → IT personnel should have necessary skills.
9. Review of SLA with vendors to ensure services are delivered as per SLA.
10. Monitoring of system, App S/W to ensure it functions properly.
App Controls
c) Exception reporting i.e., all exceptions are reported.
d) Balancing of processing totals i.e., Debit & Credit of all transactions are tallied.
e) Transaction logging i.e., all transactions are identified with a unique ID & logged.
f) Separation of Business function i.e., Authority for transaction initiation and transaction authorization should be with different personnel.
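As an added example (not part of the original notes), the following Python sketch shows application controls c) to f) from the table above applied at the point a journal transaction is posted: every transaction receives a unique ID and is logged, debit and credit totals must tally, the authorizer must be a different person from the initiator, and any failure goes to an exception report. The ledger names, user names and amounts are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
import uuid


@dataclass
class Entry:
    """One ledger line of a transaction; normally only one side is non-zero."""
    ledger: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass
class Transaction:
    txn_id: str            # control e): unique ID assigned at initiation
    entries: list
    initiated_by: str
    posted_on: date
    narration: str


class PostingControls:
    """Applies exception reporting, balancing, logging and separation of duties."""

    def __init__(self) -> None:
        self.log = []          # control e): (txn_id, event, actor or reason)
        self.exceptions = []   # control c): (txn_id, reason) for follow-up
        self.posted = {}       # txn_id -> Transaction accepted into the ledger

    def initiate(self, entries, initiated_by, narration, posted_on=None):
        txn = Transaction(
            txn_id=uuid.uuid4().hex,
            entries=list(entries),
            initiated_by=initiated_by,
            posted_on=posted_on or date.today(),
            narration=narration,
        )
        self.log.append((txn.txn_id, "INITIATED", initiated_by))
        return txn

    def _reject(self, txn, reason):
        self.exceptions.append((txn.txn_id, reason))
        self.log.append((txn.txn_id, "REJECTED", reason))
        return False

    def authorize_and_post(self, txn, authorized_by):
        # control f): initiation and authorization by different personnel
        if authorized_by == txn.initiated_by:
            return self._reject(txn, "initiator and authorizer are the same person")
        # control e): the unique ID also blocks posting the same transaction twice
        if txn.txn_id in self.posted:
            return self._reject(txn, "transaction already posted")
        # control d): debit and credit totals must tally before posting
        total_debit = sum((e.debit for e in txn.entries), Decimal("0"))
        total_credit = sum((e.credit for e in txn.entries), Decimal("0"))
        if total_debit != total_credit:
            return self._reject(
                txn, f"debits {total_debit} do not equal credits {total_credit}")
        self.posted[txn.txn_id] = txn
        self.log.append((txn.txn_id, "POSTED", authorized_by))
        return True


def demo():
    """Runs constructed sample transactions through the controls."""
    pc = PostingControls()
    # Constructed purchase invoice: 1000.00 Dr Purchases / 1000.00 Cr a vendor ledger.
    purchase = pc.initiate(
        [Entry("Purchases", debit=Decimal("1000.00")),
         Entry("Vendor: Example Traders", credit=Decimal("1000.00"))],
        initiated_by="clerk1", narration="Invoice 42", posted_on=date(2024, 4, 1))
    results = {
        "posted": pc.authorize_and_post(purchase, authorized_by="manager1"),
        "self_approved": pc.authorize_and_post(purchase, authorized_by="clerk1"),
        "double_post": pc.authorize_and_post(purchase, authorized_by="manager1"),
    }
    # Constructed mis-keyed receipt: 500.00 Dr Cash against only 50.00 Cr Sales.
    unbalanced = pc.initiate(
        [Entry("Cash", debit=Decimal("500.00")),
         Entry("Sales", credit=Decimal("50.00"))],
        initiated_by="clerk1", narration="Cash sale")
    results["unbalanced"] = pc.authorize_and_post(unbalanced, authorized_by="manager1")
    return pc, results


if __name__ == "__main__":
    controls, outcome = demo()
    print(outcome)
    for row in controls.exceptions:
        print("EXCEPTION", row)
```

Running `demo()` posts the balanced invoice once and turns the self-approval, the repeated posting and the unbalanced receipt into three rows of the exception report, while the log keeps every initiation, posting and rejection against the transaction's unique ID, which is the audit trail the notes describe under "Transaction logging".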
8.4. KEY INDICATORS OF EFFECTIVE IT CONTROLS
IT controls implemented in an organization are considered to be effective on the basis of the following criteria:
a) Ability to Plan & Execute new work like infrastructure upgradation to support new products/services.
b) Development projects are delivered on time and within budget, with better product and service offerings compared to competitors.
c) Ability to allocate resources predictably.
d) Protect against new threats & vulnerabilities & recover from any disruption.
e) Ensure CIA & ACA of data.
f) Heightened security awareness among users & security-conscious controls.
8.5. FRAMEWORK OF INTERNAL CONTROL AS PER SA 315
SA 315 - Identifying & assessing the Risk of Material Misstatement by understanding entity & its
Environment
SA 315 defines Internal Control as
➢ Policy, practice & procedure implemented by TCWG & MGT
➢ To provide reasonable Assurance about achieving Entity’s objective regarding
a) Reliability of F.S
b) Efficiency & effectiveness of operations
c) Safeguarding of assets
d) Compliance with applicable laws & regulations.
Need for I.C → It helps organisation in ensuring RECS.
Note: I.C. mitigates Risk & does not eliminate it.
8.6. COMPONENTS OF INTERNAL CONTROL AS PER SA 315
Control Environment: It is a set of standards, processes & structures that provides the basis for implementing I.C. It comprises of
▪ integrity & ethical values of Org
▪ organizational structure
▪ assignment of authority & resp.
▪ accountability etc.
BOD & Senior Mgt establish the tone at the top regarding the importance of I.C. including expected standards of conduct.
Risk Assessment: It involves identification of Risks & their assessment in terms of likelihood & impact. Risk Assessment & its tolerance depend on the objective of an organization. Risk Assessment forms the basis for determining how risks will be managed.
Control Activities: Refers to P, P, P (policies, procedures & practices) to a) Mitigate Risk & b) Achieve objectives. They are performed at all levels of the entity and may be preventive or detective in nature. Includes elements like authorizations, approvals, verifications, reco. and business performance reviews that ensure
a) Transactions are authorized
b) Duties are segregated
c) Proper Records are Maintained
d) Assets are safeguarded
Information & Communication: It is necessary for the entity to collect important info about I.C. & communicate with a) employees for implementation of I.C. b) external parties in response to requirements & expectations (external).
Monitoring of Control: It is an Ongoing & cyclic process of Monitoring each of the 5 components of I.C. to ensure it is functioning smoothly. Comprises of
▪ Ongoing evaluations built into business processes which provide timely information.
▪ Separate evaluations conducted periodically to assess risks & effectiveness of ongoing evaluations.
Findings are evaluated against Mgt’s criteria and deficiencies are communicated to Mgt & BOD as appropriate.
8.7. LIMITATIONS OF IC
▪ I.C. provides reasonable assurance & not absolute assurance about achieving entity’s objective of RECS.
▪ I.C. is subject to certain inherent limitations as follows:
a) Management consideration that the cost of I.C. should not exceed the expected benefit of I.C.
b) I.C. is not effective in case of Transactions of unnatural nature e.g., human error due to carelessness.
c) Possibility of circumvention of I.C. through collusion with employees & other parties.
d) Possibility of abuse of I.C. by persons responsible for exercising I.C. i.e. Director/TCWG.
e) Manipulation by Mgt. w.r.t transactions, estimates & judgements required in preparation of F.S.
9. RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES
Configuration
function & what options are displayed.
▪ Various modules of enterprise like Procurement, sale, HR etc must be configured.
Examples
1) User activation & deactivation – Defining process for setting up entry to system using user ID & Password.
2) Users Access & privilege – Defining process for access to a particular function of App based on Role & Responsibility.
3) Password management - Defining criteria like length of password, use of special characters, frequency of change.
4) Mapping A/C ledger with transactions.
5) Control on parameters: Creation of Customer Type, Vendor Type, year-end process.
Masters
▪ Masters are set up the first time during installation & these are changed whenever the business process rules or parameters are changed.
▪ Relatively permanent in nature i.e., do not change frequently.
Examples
1) Customer Master Data
2) Vendor / supplier M.D.
3) Material M.D.
4) Employee M.D.
Common Risks for any master data
1) Change made to _____ M.D. file by unauthorised person.
2) Invalid change made to ___ M.D. file.
3) Delay in making change to _____ M.D. file.
4) M.D. file is not updated.
5) Access to ____ M.D. file not restricted to authorized user.
Transactions
Finance etc. by user
▪ Ex – Sale transaction, purchase transaction, journal transaction, Payment etc.
Sample Risks (diagram): Transaction / Amount Paid → Incorrect Amt, Incorrect Period, Incorrect Party
1) Transaction recorded with incorrect amount.
2) Transaction recorded in incorrect period.
3) Transaction recorded in Incorrect Ledger.
4) Amount paid or received is not correct.
5) Amount paid/ Received in incorrect period.
6) Amount paid/ Received recorded against incorrect party.
9.1. SIX BUSINESS PROCESSES:
(Diagram: each of the six processes is shown with its Configuration, Masters and Transactions components)
▪ Refers to a process of receiving order & fulfilling the order of customer’s required Goods & Services.
Steps/ Sub-Process Involved
3) Inventory cycle
▪ Process of accurately tracking the on-hand inventory level (measured in number of days).
3 Phases Involved
a) Ordering Phase → Time required to order & receive RM.
b) Production Phase → Time taken to convert RM into Finished Goods ready for use by customer.
c) Finished Goods & delivery → Finished Goods that remain in stock & delivery time to customer.
4) Human Resource
▪ HR lifecycle refers to HRM & covers all stages of an employee’s time within the organization & the role
played by HR at each stage.
4 stages involved
a) Recruitment & onboarding:
▪ Recruitment - Process of hiring which involves placing job ads, selecting candidates, conducting interviews & choosing/ finalizing etc.
▪ Onboarding - Process of getting the successful applicant set up in the organization [Id card, laptop, Access & privilege]
b) Orientation & Career Planning:
▪ Orientation - Process by which the employee becomes part of the company workforce i.e., Learning the job, establishing relationships etc.
▪ Career planning - Employee & supervisor work out long-term career goals of the employee.
c) Career Development:
▪ It is essential to provide career development opportunities for retaining employees for the long term.
d) Termination or transition:
▪ Ensure all exit policies are followed, exit interviews are conducted & the employee is removed from the system.
5) Fixed Assets
▪ Process of ensuring that all F.A. of enterprise are tracked for purpose of –
➢ Financial Accounting [Dep];
➢ Preventive maintenance; &
➢ Theft deterrence.
▪ It involves maintaining proper details of quantity, type, location, condition & depreciation of asset.
6 Steps Involved
1. Procuring an Asset: On purchase of an asset, entry is made in the A/C system when the invoice is received.
2. Registering or Adding an Asset: For depreciation purposes, details like date of acquisition, type, & depreciation basis are registered.
3. Adjusting an Asset: Adjustment is required due to repair, improvement, change in basis for depreciation etc.
4. Transferring an Asset: To other branches, subsidiaries or dept. within the organization group. This needs to be reflected accurately in the fixed assets management system.
5. Depreciating an Asset: Refers to decline in economic & physical value of the Asset. Depreciation should be properly calculated.
6. Disposing an Asset: When an asset is no more in use, becomes obsolete or beyond repair, it is disposed of. Any difference between the book value and realized value is reported as a gain or loss and dep is no longer charged. Mode of disposal – Sale, Abandonment or Trade-in
6) General Ledger
▪ Process of recording the transactions in the system to finally generate reports from the system.
▪ Input for GL → Financial transactions
▪ Output for GL → Reports like BS, P&L, CFS, Ratio Analysis etc.
5 steps involved
a) Entering of financial transaction in Accounting system
b) Review of transaction (Control)
c) Approval of transaction (Control)
d) Posting of transaction
e) Generation of financial report
▪ Examples of GL Master Data file:
a) Ledger b) Group c) Voucher Type
10. REGULATORY & COMPLIANCE REQUIREMENTS
10.1. COMPANIES ACT, 2013
10.2. ICAI GUIDANCE NOTES ON AUDIT OF INTERNAL CONTROL OVER FINANCIAL STATEMENTS
▪ CG ensures that company works in best interest of stakeholders i.e. shareholders, Govt., society, bank
etc.
▪ It refers to Framework of Rules & practice by which BOD ensures
➢ Accountability
➢ Fairness and
➢ Transparency in
Co's relationship with its stakeholders.
▪ CG Framework consists of
a) Contract between Company & stakeholders for distribution of rights, responsibilities & Rewards.
b) Procedure for reconciling conflicting interest of stakeholders with their role.
c) Procedure for supervision, control & Information flow to serve as checks & balance.
11.1. INTRODUCTION OF IT ACT
▪ IT Act covers all internet activities in India, i.e., all online transaction in India.
▪ It provides validity & legal sanctity to all online/ Electronic Transactions, Docs, signature etc.
▪ It also provides penalties & remedies in case of non- compliance & offence.
11.2. KEY PROVISIONS OF IT ACT
Section 43 - Penalty and compensation for damage to computer, computer system, etc.: If any person, without permission of the owner or any other person who is in-charge of a computer, computer system or computer network (hereinafter ‘Computer resource’)
a) accesses or secures access to such computer resource;
b) downloads, copies or extracts any data from such computer resource;
c) damages or causes to be damaged any computer resource;
d) disrupts or causes disruption of any computer resource;
e) denies or causes the denial of access to computer resource by authorised persons;
f) destroys, deletes or alters any information residing in computer resource;
g) introduces or causes to be introduced virus etc. into any computer resource;
h) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code,
he shall be liable to pay damages by way of compensation to the person so affected.
Section 43A - Compensation for failure to protect data: Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates,
➢ is negligent in implementing and maintaining reasonable security and
11.3. OBJECTIVE OF CYBER LAW / ADVANTAGES / WHY IT ACT WAS ENACTED
i) To grant legal recognition for transactions carried out by means of electronic data interchange or
electronic commerce in place of paper-based method of communication. [Section 4]
ii) To give legal recognition to digital signature for authentication of any information or matter, which
requires authentication under any law. [Section 3]
iii) To facilitate electronic filing of documents with Government departments. [Section 6]
iv) The Act now allows Government to issue notification on the web thus heralding e-governance.
v) To facilitate electronic storage of data.
vi) To provide legal sanction to transfer fund electronically to and between banks and financial
institutions.
vii) To provide legal recognition for keeping books of account in electronic format by bankers. [Section 4]
viii) To provide legal infrastructure to promote e-commerce and secure information system.
ix) To manage cyber-crimes at national and international levels by enforcing laws.
11.4. COMPUTER RELATED OFFENCE
‘Cyber Crime’ finds no mention either in the IT Act 2000 or in any legislation of the Country. Cyber Crime is not different from traditional crime. The only difference is that in Cyber Crime, computer technology is involved and thus it is a computer related crime.
1. Credit card fraud: Credit card cloning is a common fraud committed against a person using a credit card.
2. Cyber Terrorism: Terrorists use virtual & physical storage media to hide info & records of illegal business.
3. Cyber pornography: It is legal in a few countries but child pornography is illegal across the world.
4. Cyber crime: Any crime using computer technology is known as cyber-crime.
5. Phishing & Email scams: Involves fraudulently acquiring PIN, Password or other sensitive info by pretending/ masquerading as a trusted entity.
6. Source code theft: Source code is the most critical part of s/w & regarded as the crown jewel/ Asset of a company.
7. Harassment using fake profile: of a person on social media.
8. Online sale of illegal Articles: Involves sale of drugs, narcotics etc.
9. Webpage defacement: Homepage of a website is replaced with defamatory posts or pornographic material.
10. Introducing virus, worms, Bombs & Trojans.
11.5. PRIVACY
11.6. SENSITIVE PERSONAL DATA INFORMATION
11.7. SCOPE OF SPDI
Rule 5 - Consent to collect: Body corporate shall obtain consent in writing from the provider of SPDI, before collecting SPDI, about usage of such data.
Rule 6 - Consent to disclose: Disclosure of SPDI by body corporate to any third party requires permission from the provider of SPDI. No permission required if-
a) Such disclosure is necessary for compliance with a legal obligation
b) Such disclosure has been agreed to in the contract b/w body corporate & provider of SPDI.
CHAPTER 2: FINANCIAL ACCOUNTING SYSTEM
1. INTRODUCTION
❖ Financial Accounting System (FAS) is an integral part of any business & acts as the backbone for it.
❖ FAS includes other forms of business management like HR, inventory, customer relationship mgt. etc.
❖ Requirement from FAS is different for different persons & it should fulfill the needs of all users simultaneously.
2. CONCEPTS IN COMPUTERIZED ACCOUNTING SYSTEMS
2.1. TYPES OF DATA
▪ To avoid confusion while preparing reports. Eg- same ledger may be iii) Date of Entry
written differently. iv) Age & weight
2.2. MASTER DATA (all business process modules must use common master data)
Accounting master data | Inventory master data | Payroll master data | Statutory master data
2.3. VOUCHER
2.4. VOUCHER TYPES
S No. | Voucher type | Use
Module – Accounting
… | … | … discount given/received, purchase/sale of fixed assets on credit, write-off etc.
5 | Sales | For recording all types of trading sales by any mode (cash/bank/credit).
6 | Purchase | For recording all types of trading purchases by any mode (cash/bank/credit).
7 | Credit Note | For making changes/corrections in already recorded sales/purchase transactions.
8 | Memorandum | For recording a transaction which will be in the system but will not affect the trial balance. In other words, memorandum vouchers are used to record suspense payments, receipts, sales, purchases etc.
Module – Inventory
9 | Purchase Order | For recording a purchase order raised on a vendor.
10 | Sales Order | For recording a sales order received from a customer.
11 | Stock Journal | For recording physical movement of stock from one location to another.
12 | Physical Stock | For making corrections in stock after physical counting.
13 | Delivery Note | For recording physical delivery of goods sold to a customer.
14 | Receipt Note | For recording physical receipt of goods purchased from a vendor.
Module – Payroll
15 | Attendance | For recording attendance of employees.
16 | Payroll | For recording all employee-related transactions like salary calculations.
2.5. ACCOUNTING FLOW: 7 STEPS (5 S/W, 2 HUMAN)
▪ The basic objective of any accounting s/w is to generate two primary accounting reports, i.e. P&L and Balance Sheet.
▪ For FAS, ledgers may be classified into two types only: ledgers having a debit balance and ledgers having a credit balance.
▪ Every ledger is classified into exactly 1 of 4 categories: income, expense, asset or liability.
▪ There may be any number of sub-groups under these four basic groups (Asset → Fixed Asset → P&M, Office Equipment, Motor Vehicle).
▪ Since the balance in the P&L account, i.e. net profit or net loss, is reflected in the Balance Sheet, everything in accounting s/w boils down to the Balance Sheet.
Grouping of ledgers is important as
a) it tells the software the ‘nature of the ledger’ & where it should be shown at the time of reporting.
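The flow described in 2.5, carried through in code as an added example (not from the original notes): a handful of constructed ledgers, each assigned to exactly one of the four groups, a few constructed double-entry vouchers, and the trial balance, P&L and balance sheet derived purely from the grouping. It also shows why a ledger without a group is unreportable, and checks that net profit carried into the balance sheet makes it balance.

```python
"""Accounting flow from vouchers to P&L and balance sheet, driven entirely by
ledger grouping.  Added example, not from the notes; ledgers and vouchers are
constructed sample data."""
from collections import defaultdict

# Every ledger sits in exactly one of the four basic groups.  The group is what
# tells the software the ledger's nature and where it is reported.
LEDGER_GROUP = {
    "Cash": "asset", "Plant & Machinery": "asset",
    "Capital": "liability", "Creditors": "liability",
    "Sales": "income",
    "Purchases": "expense", "Rent": "expense",
}

# Constructed vouchers: (debit ledger, credit ledger, amount)
VOUCHERS = [
    ("Cash", "Capital", 100000),           # owner introduces capital
    ("Plant & Machinery", "Cash", 40000),  # fixed asset bought for cash
    ("Purchases", "Creditors", 25000),     # goods bought on credit
    ("Cash", "Sales", 60000),              # cash sales
    ("Rent", "Cash", 5000),                # rent paid
]

def post(vouchers):
    """Post double-entry vouchers. Returns {ledger: balance}; positive is a
    debit balance, negative a credit balance (the two ledger types in 2.5)."""
    bal = defaultdict(int)
    for debit, credit, amount in vouchers:
        if amount <= 0:
            raise ValueError(f"non-positive amount in {debit}/{credit}")
        for ledger in (debit, credit):
            if ledger not in LEDGER_GROUP:
                raise KeyError(f"ledger {ledger!r} has no group; cannot be reported")
        bal[debit] += amount
        bal[credit] -= amount
    return dict(bal)

def trial_balance(bal):
    """(total debits, total credits); they must be equal if posting is correct."""
    debits = sum(v for v in bal.values() if v > 0)
    credits = -sum(v for v in bal.values() if v < 0)
    return debits, credits

def group_total(bal, group):
    """Sum of balances in a group, expressed as a positive figure for reporting."""
    sign = 1 if group in ("asset", "expense") else -1
    return sign * sum(v for l, v in bal.items() if LEDGER_GROUP[l] == group)

def profit_and_loss(bal):
    return group_total(bal, "income") - group_total(bal, "expense")

def balance_sheet(bal):
    """Net profit from the P&L is carried into the balance sheet, which is why
    everything boils down to the balance sheet."""
    return {"assets": group_total(bal, "asset"),
            "liabilities": group_total(bal, "liability"),
            "net_profit": profit_and_loss(bal)}

def is_balanced(bal):
    bs = balance_sheet(bal)
    return bs["assets"] == bs["liabilities"] + bs["net_profit"]

if __name__ == "__main__":
    balances = post(VOUCHERS)
    print("trial balance:", trial_balance(balances))
    print("net profit:", profit_and_loss(balances))
    print("balance sheet:", balance_sheet(balances), "balanced:", is_balanced(balances))
```

With the sample vouchers the trial balance is 185000 on each side, net profit is 30000, and assets (155000) equal liabilities (125000) plus net profit, which is the "boils down to the balance sheet" point in code.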
3. TECHNICAL CONCEPTS – COMPUTERIZED FAS
Particulars | Front End | Back End
… | … format, different colors, etc. expected also. | …
User experience | User interface should be simple and intuitive, i.e. minimum help should be sought by the user. | It processes raw data; no need of user experience.
Language | Can speak in the user’s language as well as technical language. | Speaks only in technical language not understood by the layman (user).
Speed | Separate back-end software is used for handling (storage/processing) data. This reduces load and increases speed.
Application software generally comprises three layers which together form the application, namely an Application Layer, an Operating System Layer and a Database Layer. This is called three-tier architecture.
a) Application Layer receives the inputs from the users and performs certain validations, e.g. whether the user is authorized to request the transaction.
b) Operating System Layer then carries these instructions and processes them using the data stored in the database and returns the results to the application layer.
c) Database Layer stores the data in a certain form.
3.4. DIFFERENCE BETWEEN INSTALLED APP AND CLOUD BASED APP
Non-integrated system → system of maintaining data in a decentralized way. Each dept. has its own separate database. Two major problems:
a) communication gap, &
b) mismatched data (leads to confusion between various departments).
4. INTEGRATED ENTERPRISE RESOURCE PLANNING [ERP]
5. ERP IS BASED ON
▪ … information in real time.
▪ Info. should be accurate, complete & authentic/reliable & easily accessible.
b) Mix & match modules from diff. vendors.
c) Add new modules or delete existing modules.
▪ Add new modules of their own to improve business performance.
6. BENEFITS OF ERP
1. Use of new technology like client-server tech., cloud computing, mobile computing etc.
2. Information integration, as it automatically updates data b/w related functions.
3. On-time shipment, as the process involved in delivery of goods is automated and errors are reduced.
4. Better customer satisfaction: customer can place order, track order etc. sitting at home.
5. Reduction in lead time: time elapsed b/w placing of order & receiving it.
6. Reduction in cycle time: time elapsed b/w placement of order & delivery of order.
7. Reduction in quality cost: ERP eliminates duplication/redundancy of processes & provides tools for Total Quality Management.
8. Improved flexibility, by making info available across depts. and automating processes, which helps it react to a changing environment in a better way.
9. Improved analysis, planning & decision making, as it enables use of many decision support systems & “what-if” scenarios.
10. Improved supplier performance: it provides vendor management tools & procurement support tools.
11. Improved resource utilization: efficiency is increased as inventory is maintained at minimum level & machine downtime is minimum.
7. RISK & CONTROL IN ERP ENVIRONMENT
Two major risks arising from use of a centralized common database (all data at one place):
a) All persons in an organization access the same set of data on a day-to-day basis. This poses a risk of leakage of info. or access to the info. system by an unauthorized person. E.g. a sales person checking the salary of his friend in the production dept.
b) All users use the same data for recording transactions. This results in the risk of incorrect data being put into the system by an unauthorized user. E.g. an HR person recording purchase data.
Control: RBAC
8. ROLE BASED ACCESS CONTROL (RBAC)
8.1. TYPES OF ACCESS
Examples of access that can be allowed & disallowed for various types of personnel:
Directors | Complete access to all reports, masters & transactions, but only for viewing. Can’t create or alter.
CFO | Same as director but, in some cases, creation or alteration access to masters & transactions may be given.
Head of a Department | Full access to all department-related masters & transactions. No access to non-related masters, transactions and reports.
Accountant | Can make voucher entries & view accounting master data. Can’t create masters or access reports.
Data Entry Operator | Very limited access should be given. Can’t create accounting masters or access reports.
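The access table above as a deny-by-default RBAC check, written here as an added example (it is not code from the original notes). The roles, the permission matrix and the rule that department-level roles may only touch their own department's objects are assumptions drawn from the table; every decision, allowed or denied, is written to a log, because the two risks in section 7 (a sales person reading payroll, an HR person posting purchase data) are only visible afterwards if denied attempts are recorded too.

```python
"""Deny-by-default role-based access control for an ERP, modelled on the
access table above.  Added example, not from the original notes; the roles,
the permission matrix and the department-scoping rule are assumptions."""
from dataclasses import dataclass, field

OBJECTS = ("reports", "masters", "transactions")   # what the ERP exposes
ACTIONS = ("view", "create", "alter")              # what can be done to it

# role -> object -> actions explicitly granted (assumed mapping of the table).
# Anything not listed is denied.
ROLE_PERMS = {
    "director":   {"reports": {"view"}, "masters": {"view"}, "transactions": {"view"}},
    "cfo":        {"reports": {"view"}, "masters": {"view", "create", "alter"},
                   "transactions": {"view", "create", "alter"}},
    "hod":        {"reports": {"view"}, "masters": {"view", "create", "alter"},
                   "transactions": {"view", "create", "alter"}},
    "accountant": {"masters": {"view"}, "transactions": {"create"}},
    "data_entry": {"transactions": {"create"}},
}
# Roles confined to their own department's objects (assumption: HoD per the
# table; accountant and data-entry kept department-scoped as the safer default).
DEPT_SCOPED = {"hod", "accountant", "data_entry"}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    department: str

@dataclass(frozen=True)
class Resource:
    kind: str          # one of OBJECTS
    department: str    # department that owns the record/report

@dataclass
class AccessLog:
    """Every decision, allowed or denied, is recorded: an audit trail of
    attempts is what lets you spot the sales person probing payroll."""
    entries: list = field(default_factory=list)

    def denials(self):
        return [e for e in self.entries if not e["allowed"]]

def check_access(user: User, action: str, res: Resource, log: AccessLog) -> bool:
    if res.kind not in OBJECTS or action not in ACTIONS:
        raise ValueError(f"unknown object/action {res.kind}/{action}")
    granted = action in ROLE_PERMS.get(user.role, {}).get(res.kind, set())
    if granted and user.role in DEPT_SCOPED:
        granted = user.department == res.department
    log.entries.append({"user": user.name, "role": user.role, "action": action,
                        "object": res.kind, "dept": res.department, "allowed": granted})
    return granted

def demo():
    """Constructed scenario: runs the table's roles against a few requests."""
    log = AccessLog()
    director = User("dana", "director", "board")
    hod_sales = User("hari", "hod", "sales")
    clerk_sales = User("sam", "data_entry", "sales")
    payroll = Resource("transactions", "hr")
    sales_tx = Resource("transactions", "sales")
    results = [
        check_access(director, "view", payroll, log),       # True: directors view everything
        check_access(director, "alter", payroll, log),      # False: view only
        check_access(hod_sales, "alter", sales_tx, log),    # True: own department
        check_access(hod_sales, "view", payroll, log),      # False: other department
        check_access(clerk_sales, "create", sales_tx, log), # True: voucher entry
        check_access(clerk_sales, "view", payroll, log),    # False: the salary-snooping case
    ]
    return results, log

if __name__ == "__main__":
    res, log = demo()
    print(res)
    for d in log.denials():
        print("DENIED", d)
```

The point worth noticing is that the matrix lists only what is granted; a role or object that is missing from it gets nothing, so adding a new module to the ERP does not silently open it to existing roles.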
9. ERP IMPLEMENTATION, RISK & CONTROL
▪ ERP implementation is a huge task and requires substantial money, time & patience.
▪ Success, in terms of payback or RoI of ERP, depends upon successful implementation &, once implemented, proper usage of ERP.
10. ISSUES IN IMPLEMENTATION OF ERP
People issues | Most critical for success or failure of ERP. Includes ▪ Management ▪ Employees ▪ Implementation team ▪ Vendor & consultant
Process issues | The main reason for ERP is to improve and streamline the process and make it more effective & efficient.
Technological issues | The organisation should be abreast of the latest technology to survive and thrive.
Other implementation issues | Explained in subsequent parts.
Post-implementation issues | Explained in subsequent parts.
Business Process Reengineering | BPR is not just change but dramatic change & dramatic improvement in the way business is conducted. | Requires overhauling of organizational structure, job descriptions, skill development, & training in use of IT.
… obsolescence | … evolving rapidly, ERP may get obsolete. | … quality vendor support.
Enhancement & upgradation | ERP is not upgraded and kept up to date. | Vendor should be carefully selected & ERP should be fully updated.
Application Portfolio Management | It focuses on selection of new business applications. | APM ensures proper selection of business applications. Also avoids duplication of apps.
11. AUDIT OF ERP SYSTEM
11.1. CONTROLS
General Controls
▪ Include control over IT management, IT infrastructure, security management & s/w acquisition, monitoring and reporting of IT activity, security mgt. & maintenance.
▪ Apply to all systems in an organisation, from mainframe computer to client.
▪ Management Control: deals with organisation policy, procedure & planning w.r.t. the ERP system.
▪ Environmental Control: operational control administered through the computer centre/computer operations group and the built-in operating system controls.
Application Control
▪ Deals with an individual business process/function or application system.
▪ Key questions to be asked by the auditor are:
i) Does the system process according to GAAP (Generally Accepted Accounting Principles) and GAAS (Generally Accepted Auditing Standards)?
ii) Does it meet the needs for reporting, whether regulatory or organizational?
iii) Does the system protect confidentiality and integrity of information assets?
iv) Does it have controls to process only authentic, valid, accurate transactions?
v) Are all system resources protected from unauthorized access and use?
vi) Are user privileges based on what is called ‘role-based access’?
vii) Is there an ERP system administrator with clearly defined responsibilities?
viii) Are there adequate audit trails and monitoring of user activities?
ix) Are users trained?
x) Do they have complete and current documentation?
xi) Is there a problem-escalation process?
Auditing aspects
▪ Ensure physical control over data.
▪ Ensure access is given on a “need to know” and “need to do” basis.
▪ Includes testing of different modules/functions & features in ERP, and testing of the overall process or part of a process in the system & comparing it with the actual.
▪ Involves checking of rules for input of data into the system. E.g. a cash sale should be recorded on the date of sale, not before, not later.
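Questions iv) and viii) above, together with the input-rule example (a cash sale recorded on the date of sale), as an added example that is not part of the original notes: a small set of input controls applied to each voucher before it is accepted, and an append-only audit trail in which every entry commits to the hash of the previous one, so that editing or deleting an earlier entry is detectable. The ledger list, the rules and the vouchers are constructed for the example.

```python
"""Application-level input controls plus a tamper-evident audit trail for
voucher entry.  Added example, not from the notes; the rules, ledgers and
vouchers are constructed to match the auditing aspects above."""
import hashlib
import json
from datetime import date

LEDGERS = {"Cash", "Bank", "Sales", "Debtors"}   # constructed master data
GENESIS = "0" * 64

class AuditTrail:
    """Append-only log where each entry hashes the previous entry's hash
    together with its own record, so editing or dropping an earlier entry
    breaks verification of everything after it."""
    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(prev, record):
        body = json.dumps(record, sort_keys=True, default=str)
        return hashlib.sha256((prev + body).encode()).hexdigest()

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"prev": prev, "record": record,
                             "hash": self._digest(prev, record)})

    def verify(self):
        prev = GENESIS
        for e in self.entries:
            if e["prev"] != prev or self._digest(prev, e["record"]) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def validate_voucher(v, today):
    """Input rules an auditor would check; returns the list of violations."""
    errors = []
    if v["type"] == "sales" and v["mode"] == "cash" and v["entry_date"] != v["sale_date"]:
        errors.append("cash sale must be recorded on the date of sale")
    if v["entry_date"] > today:
        errors.append("entry date is in the future")
    if v["amount"] <= 0:
        errors.append("amount must be positive")
    for ledger in (v["debit"], v["credit"]):
        if ledger not in LEDGERS:
            errors.append(f"unknown ledger {ledger!r}")
    if v["debit"] == v["credit"]:
        errors.append("debit and credit ledgers must differ")
    return errors

def record_voucher(v, today, trail):
    """Accept only valid vouchers, but log every attempt, accepted or not."""
    errors = validate_voucher(v, today)
    trail.append({"user": v["user"], "voucher": dict(v),
                  "accepted": not errors, "errors": errors})
    return not errors

def demo(today=date(2024, 4, 2)):
    trail = AuditTrail()
    good = {"user": "sam", "type": "sales", "mode": "cash", "amount": 5000,
            "debit": "Cash", "credit": "Sales",
            "sale_date": date(2024, 4, 1), "entry_date": date(2024, 4, 1)}
    late = dict(good, entry_date=date(2024, 4, 2))      # recorded a day late
    bogus = dict(good, amount=-1, credit="Salez")       # two violations
    results = [record_voucher(x, today, trail) for x in (good, late, bogus)]
    return results, trail

if __name__ == "__main__":
    results, trail = demo()
    print(results, "trail intact:", trail.verify())
    trail.entries[0]["record"]["voucher"]["amount"] = 50000   # simulated tampering
    print("after tampering:", trail.verify())
```

A hash chain only makes tampering detectable, not impossible: whoever can rewrite the whole chain can also recompute every hash, so in practice the chain head is periodically copied somewhere the ERP administrator cannot alter (a separate log server, or signed with a key the application does not hold).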
12. BUSINESS PROCESS MODULES AND THEIR INTEGRATION WITH FINANCIAL AND ACCOUNTING SYSTEMS
ACCOUNTING FLOW: Source document → Journal → Trial balance → Financial statement
▪ Source document: a document that captures data from transactions and events.
▪ Journal: transactions are recorded into journals from the source document.
▪ Trial balance: an unadjusted trial balance containing totals from all account heads is prepared.
▪ Financial statement: the accounts are organized into the financial statements.
14. FUNCTIONAL MODULES OF ERP
14.1. FINANCIAL ACCOUNTING MODULE [F&A]
14.2. CONTROLLING MODULE [CO]
It is used by an organisation to support sales & distribution activities of goods & services, starting from enquiry to order and ending with delivery.
1. Pre-sale activities | Prospecting of customers, identifying them, fixing appointments, showing demos & submitting quotations.
2. Sales order processing | On receipt of PO, SO (qty, rate, description) is recorded in the books.
3. Inventory sourcing | Ensuring goods are ready & available for delivery.
4. Delivery of material | Should be as per SO. Inventory will reduce on recording of this transaction.
5. Billing | Raising of sales invoice against delivery of material to customer.
6. Payment | Receipt of payment & recording it against the sales invoice.
Features:
Setting up org. structure | Creation of new co., co. code, sales organisation, distribution channels, divisions, maintaining sales offices, etc.
Assigning org. units | Assigning the individual components created above to each other, like company code to company, sales organization to company code, distribution channel to sales organization, etc.
Defining pricing components | Like sale document, billing, tax-related components etc.
Customer master data | Setting up customer master data records and configuration.
14.4. MATERIAL MANAGEMENT MODULE [MM]
Process: Production dept. sends purchase requisition → Purchase dept. evaluates the request w.r.t. current stock and pending orders → If requisition accepted, ask for quotations from approved vendors → Evaluation of quotations → Select best option & place order (send PO).
14.5. PRODUCTION PLANNING MODULE [PP]
b) Sales & Operation Planning (SOP) ▪ provides the ability to forecast sales & production plans.
c) Distribution Resource Planning (DRP) ▪ allows the company to plan demand for distribution centres.
d) Material Requirement Planning (MRP) ▪ allows the company to plan material required for production.
e) Capacity Planning ▪ evaluates capacity utilization of plants.
f) Production Planning ▪ assists in planning the production of goods.
g) Product Cost Planning ▪ evaluates the value of material components to determine the value of the product.
14.6. PLANT MAINTENANCE MODULE [PM]
Overview:
▪ It is a functional module.
▪ It handles maintenance of equipment & enables efficient planning of production.
▪ This app. component provides a comprehensive software solution for all maintenance activities that are performed within a company.
Objectives:
a) Achieve minimum breakdown and keep machines in good working condition at minimum cost.
b) Keep machines in a condition that they are used at optimum capacity.
c) Ensure availability of machines & services required by other sections of the factory for performing their functions at optimum capacity.
14.7. PROJECT SYSTEM MODULE [PSM]
▪ Integrated project management tool used for planning & managing projects & portfolio management.
▪ It ensures that:
a) projects are executed within budget & time;
b) resources are allocated to the project as per requirement.
Examples: DLF executing a project of building a mall; an ERP implementation.
14.8. QUALITY MANAGEMENT MODULE [QM]
… customer.
c) Quality Assurance ▪ Concentrates on
➢ identifying various processes,
➢ defining the objective of each process,
➢ establishing procedure standards for getting the required result, &
➢ documenting the procedure to enable everyone to follow the same.
d) Quality Improvement ▪ A never-ending process, as customer needs & expectations keep changing.
14.9. SUPPLY CHAIN MODULE [SCM]
▪ It is a network of
➢ autonomous & semi-autonomous activities that
➢ procure RM, process it & transform it into intermediate goods & then into finished goods, &
➢ finally deliver it to the customer/consumer through the distribution channel.
▪ This is called an SCM system, which implies that a product reaches the customer from the manufacturer through the supply chain.
▪ The SCM module helps an organisation optimize its supply chain & streamline its processes.
14.10. CUSTOMER RELATIONSHIP MANAGEMENT MODULE [CRM]
… communication departments to work together.
e) Optimize marketing ▪ It helps to plan marketing in a better way, as it enables the org. to understand customer needs and behaviour better.
14.11. HUMAN RESOURCE PLANNING [HRM]
15. INTEGRATION OF VARIOUS MODULES OF ERP
▪ ERP has many modules & all modules are inter-related & inter-dependent.
▪ All modules must work in harmony with each other to get the desired result.
Integration (illustrative):
i) MM with FICO ii) HRM with FICO iii) MM with PP iv) MM with PP
v) MM with S&D vi) MM with QM vii) PP with S&D viii) SD with FICO
Report ▪ Presentation of info in a proper & meaningful way. E.g. BS, P&L account, CFS.
Reporting system ▪ System of regularly reporting on pre-decided aspects.
Objective of reporting system ▪ Give the right info to the right people at the right time for the right decision making.
Two basic reports ▪ Balance Sheet & P&L.
▪ Used for basic analysis of financial position & financial performance.
For decision making by mgt., more reports are required. Hence, we need a proper reporting system to serve the purpose.
16.1. MANAGEMENT INFORMATION SYSTEM (MIS)
▪ It is a tool for providing accurate, relevant, timely & structured info/data to managers for decision making.
▪ It is a tool used by managers to evaluate business processes & operations.
▪ Large businesses have a separate MIS department whose only job is to gather info & create MIS reports.
▪ Tech used: simple s/w and spreadsheets (small businesses) to sophisticated ones (large businesses).
Types of MIS: depend on the number of divisions/departments in an organization
➢ Sales & Marketing
➢ Manufacturing & Production
➢ HR etc.
➢ Accounting & Finance
It automatically collects data from various areas within a business & generates
16.2. FEATURES OF MIS REPORTS
17. DATA ANALYTICS & BUSINESS INTELLIGENCE
Tech. tools used for data analysis:
▪ Business Intelligence
▪ Data mining
▪ Machine Learning
▪ OLAP [Online Analytical Processing]
▪ Text mining
Application areas of data analytics:
a) Banks & credit card companies analyse withdrawal & spending patterns to prevent fraud.
b) Healthcare orgs. mine data to evaluate the effectiveness of treatment of diseases like AIDS, Covid-19, cancer.
c) E-commerce companies & marketing services companies use D.A. to identify website visitors who are more likely to buy a product or service.
d) Mobile network operators examine data to forecast how to retain customers.
Data analytics process:
1. Data is collected for analysis.
2. Data from different sources is combined in a standard form.
3. Integrated data is loaded into the analytical system.
4. Data quality problems are fixed.
5. The analytical model is run on the data set.
Participants in the data analytics process:
a) Data Analyst
b) Data Engineer
c) Data Scientist – builds data analytical models using predictive modelling tools and other software & languages like SQL, Python etc.
17.4. BUSINESS INTELLIGENCE (TOOL FOR DATA ANALYTICS)
18. BUSINESS REPORTING / ENTERPRISE REPORTING
Refers to
a) public reporting of financial data by business enterprises, or
b) regular provision of info to decision makers within an organization to support them in their work.
It involves ETL with a data warehouse & one or more reporting tools.
What does an organisation report?
a) Vision, mission, objectives & strategy
b) Governance arrangements & risk management
c) Financial, societal & environmental performance
d) Trade-off b/w long-term & short-term strategies
Types of business reporting:
a) Financial & regulatory reporting, e.g. annual report
b) Environmental, social & governance (ESG) reporting
c) Integrated reporting
18.1. WHY IS BUSINESS REPORTING IMPORTANT?
a) Allows organizations to present a cohesive explanation of their business and helps them engage with internal and external stakeholders.
b) Crucial for stakeholders to assess organizational performance and make informed decisions.
c) Various stakeholder groups are demanding increased ESG information, as well as greater insight into how these factors affect financial performance and valuations.
d) High-quality reports also promote better internal decision making.
e) High-quality business reporting is at the heart of strong & sustainable organisations, financial markets & economies.
19. XBRL: EXTENSIBLE BUSINESS REPORTING LANGUAGE
19.1. XBRL TAGGING
▪ It is a process by which
➢ financial data is tagged/linked with
➢ the most appropriate element/definition in a taxonomy (dictionary of accounting terms)
➢ that best represents the data.
▪ All XBRL reports filed with a given regulator use the same taxonomy prescribed by it.
▪ Numbers tagged with the same element are comparable irrespective of how they are described by those preparing the reports.
▪ This tagging facilitates
a) identification/classification of data,
b) interchange of data b/w different I.S. & different users, and
c) comparison between the reports.
19.2. WHAT DOES XBRL DO?
XBRL makes reporting more accurate and more efficient. It allows unique tags to be associated with reported facts, allowing:
a) people publishing reports to do so with confidence that the information contained in them can be consumed and analysed accurately;
b) people consuming reports to test them against a set of business and logical rules, to capture and avoid mistakes at their source;
c) people using the information to do so in the way that best suits their needs;
d) people consuming the information to do so confident that the data provided to them conforms to a set of sophisticated pre-defined definitions.
19.3. USERS OF XBRL
c) Business regulators that need to receive & provide corporate data, like F.S. of a company, to the public [mca.gov.in]
d) Tax authorities, for assessing tax compliance
2) Government ➢ Govt. agencies improve government reporting by standardizing the way reports are prepared & shared with other government agencies as well as the public.
3) Data providers ➢ like credit rating agencies, who use the data to create comparisons, ratings & other value-added info like ratios of different companies for participants.
4) Analysts & investors ➢ Analysts: to understand relative risk & related performance. ➢ Investors: to evaluate the worth of a company & make decisions w.r.t. investment.
5) Companies ➢ A company which is required to provide business reports to regulators. ➢ A company which needs to move info. within a complex group.
6) Accountants ➢ Those who prepare XBRL reports.
19.4. FEATURES OF XBRL
a) Clear definitions ▪ It allows creation of reusable & authoritative elements/definitions, i.e. a taxonomy, that best represent financial data. These elements/taxonomies are developed by regulators, accounting standard setters, government agencies etc.
b) Testable business rules ▪ It allows creation of business rules, which can be logical or mathematical.
▪ These rules stop poor-quality information from being prepared, shared or used.
▪ They flag/highlight questionable info, resulting in corrective action or explanation.
▪ Provide value-added info like ratios.
c) Multi-lingual support ▪ Allows definitions, i.e. the taxonomy, to be prepared in as many languages as possible. It can also be translated into other languages.
d) Strong software support ▪ Supported by a wide variety of s/w, from large vendors to small vendors.
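Tagging (19.1) and testable business rules (19.4 b) together, as an added example that is not from the original notes: a handful of reported facts are linked to elements of a small constructed taxonomy, serialized as a simplified XBRL-style XML instance, read back, and checked against a calculation rule (Assets = Liabilities + Equity) and a sign rule. The taxonomy, its namespace and the rules are constructed; the output is a simplified instance, not a conformant XBRL filing.

```python
"""Tag financial facts into a simplified XBRL-style instance and test them
against calculation rules.  Added example, not from the notes; the taxonomy,
namespace and rules are constructed, and the output is a simplified instance,
not a conformant XBRL filing."""
import xml.etree.ElementTree as ET

XBRLI = "http://www.xbrl.org/2003/instance"
TAX = "http://example.com/taxonomy"           # assumed taxonomy namespace
ET.register_namespace("xbrli", XBRLI)
ET.register_namespace("ex", TAX)

# Constructed taxonomy: element name -> attributes a rule engine cares about
TAXONOMY = {
    "Assets":      {"type": "monetary", "balance": "debit"},
    "Liabilities": {"type": "monetary", "balance": "credit"},
    "Equity":      {"type": "monetary", "balance": "credit"},
    "Revenue":     {"type": "monetary", "balance": "credit"},
}
# Calculation rules: parent element must equal the sum of its children
CALC_RULES = {"Assets": ["Liabilities", "Equity"]}

def tag_facts(facts, context_id="FY2024", unit_id="INR"):
    """Link each reported number to a taxonomy element; unknown names are
    refused rather than silently tagged."""
    root = ET.Element(f"{{{XBRLI}}}xbrl")
    ctx = ET.SubElement(root, f"{{{XBRLI}}}context", id=context_id)
    ET.SubElement(ctx, f"{{{XBRLI}}}entity")
    unit = ET.SubElement(root, f"{{{XBRLI}}}unit", id=unit_id)
    ET.SubElement(unit, f"{{{XBRLI}}}measure").text = f"iso4217:{unit_id}"
    for name, value in facts.items():
        if name not in TAXONOMY:
            raise KeyError(f"{name!r} is not an element of the taxonomy")
        el = ET.SubElement(root, f"{{{TAX}}}{name}",
                           contextRef=context_id, unitRef=unit_id, decimals="0")
        el.text = str(int(value))
    return ET.tostring(root, encoding="unicode")

def read_facts(xml_text):
    """Consume an instance: only elements from the taxonomy namespace are facts."""
    root = ET.fromstring(xml_text)
    prefix = f"{{{TAX}}}"
    return {el.tag[len(prefix):]: int(el.text) for el in root if el.tag.startswith(prefix)}

def check_rules(facts):
    """Return the list of rule violations; an empty list means the report passes."""
    problems = []
    for parent, children in CALC_RULES.items():
        if parent in facts and all(c in facts for c in children):
            total = sum(facts[c] for c in children)
            if facts[parent] != total:
                problems.append(f"{parent}={facts[parent]} but {'+'.join(children)}={total}")
    for name, value in facts.items():
        if TAXONOMY[name]["type"] == "monetary" and value < 0:
            problems.append(f"{name} is negative")
    return problems

if __name__ == "__main__":
    good = {"Assets": 155000, "Liabilities": 125000, "Equity": 30000, "Revenue": 60000}
    xml_doc = tag_facts(good)
    print(xml_doc)
    print("violations:", check_rules(read_facts(xml_doc)))
    print("violations:", check_rules({"Assets": 160000, "Liabilities": 125000, "Equity": 30000}))
```

Because the rules are attached to the taxonomy elements and not to the layout of any particular report, the same check runs unchanged on every filing that uses those elements, which is what makes the reports comparable and the mistakes catchable at source.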
20. APPLICABLE REGULATORY & COMPLIANCE REQUIREMENTS
▪ RC refers to an organization’s adherence to laws, regulations & guidelines relevant to its business.
▪ Organizations aspire to ensure that they are aware of relevant laws, rules & regulations & take steps to comply with them.
▪ Organizations are using consolidated & harmonized sets of compliance controls so that all necessary compliance is met w/o unnecessary duplication of effort & activities.
▪ Violation of regulatory compliance leads to punishment like interest, penalty, fees & prosecution.
GENERAL RC | SPECIFIC RC
20.1. REGULATORY COMPLIANCE AND ACCOUNTING SYSTEM
▪ Closely connected, as RC requires data & accounting data comes from the accounting system. Two approaches:
Basis | Same software for A/c & tax compliance | Different software for A/c & tax compliance
Ease of operation | LESS – as it is an integrated system, making changes at one place may affect other aspects also. | MORE – as this is used only for one single purpose, so it is more specialised.
Features & functionality | LESS – as this is not an exclusive system for tax compliance. | MORE – as it is exclusive to tax compliance.
Time & effort required | LESS – as this is an integrated system, no time is needed to transfer data to compliance s/w. | MORE – as data needs to be moved from A/c s/w to tax s/w.
Accuracy | MORE – as there is no movement of data between different systems, so no error. | LESS – as there are two separate systems, the possibility of mismatch of data is always there.
Cost | MORE – customizing the A/c system for tax compliance is more costly than purchasing separate tax compliance s/w. | LESS – as it is specific s/w, it is less complicated and hence less costly.
CHAPTER 3: INFORMATION SYSTEM & ITS COMPONENTS
1. INTRODUCTION
2. INFORMATION SYSTEM / COMPUTER BASED I.S. (CBIS)
It is the combination of hardware, software, people, data resources & networks which
a) processes data into information
b) for a specific purpose/objective.
Examples:
Tally: accounting software in India
QuickBooks: accounting software across the world
Objectives:
▪ To convert data into information which is useful and meaningful.
▪ It helps enterprises in:
a) making decisions,
b) controlling operations,
c) analysing problems and creating new products or services as output.
Characteristics:
a) CBIS is developed on the basis of a predetermined objective.
b) Inter-related and inter-dependent sub-systems.
c) If one sub-system fails, the whole system won’t work.
d) Components interact among themselves.
e) Work done by individual sub-systems is integrated to achieve a common goal.
3. INFORMATION SYSTEM MODEL
The I.S. model provides a framework that emphasizes four major concepts that can be applied to all types of information systems:
a) Input: data is collected from an organization or from external environments and converted into the suitable format required for processing.
b) Process: a process is a series of steps undertaken to achieve a desired outcome or goal. It facilitates conversion of data into information.
c) Output: the system processes the data by applying the appropriate procedure to it, and the information thus produced (output) is stored for future use or communicated to the user.
d) Feedback: the I.S. needs feedback that is returned to appropriate members of the enterprise to help them evaluate at the input stage.
4. COMPONENTS OF INFORMATION SYSTEM
People | Anyone who manages, runs, programs or uses the I.S.: ▪ Programmers ▪ System admin. ▪ Data entry operators ▪ Help desk ▪ CIO
Computer system | Comprises hardware (▪ input devices ▪ processing devices ▪ storage devices ▪ output devices) and software (▪ OS s/w ▪ app s/w)
Data resources | ▪ Data ▪ Database ▪ Database Management System ▪ DBMS module
Network & communication system | ▪ Computer network ▪ Telecommunication
4.1. HARDWARE
Input device | Device through which the user interacts with the system, i.e. instructions are given to the information system. Types: a) text-based input: keyboard; b) point-based input: mouse, light pens; c) image-based: scanner, bar code / QR code reader, MICR; d) audio-based: microphone.
Processing device | Device used to process data using program instructions, perform calculations, and control other hardware devices. Examples: Central Processing Unit (CPU), motherboard, network card, sound card.
Storage device | Memory where data & programs are stored on a temporary or permanent basis. Examples: RAM & ROM, pen drive, hard disk.
Output device | Device through which the system responds; provides output to decision makers to solve problems. Examples: speakers, headphones, screen (monitor), printer, video.
4.1.1. PROCESSING DEVICE
▪ The most common processing device is the CPU, which is the actual hardware that interprets and executes the software instructions.
▪ Built on a small flake of silicon containing the equivalent of several million transistors (billions in current CPUs).
▪ Transistors are like switches which can be “ON” or “OFF”, i.e. taking a value of 1 or 0.
▪ The CPU is known as the brain of the computer & consists of the following three functional units:
Control Unit | It ➢ controls the flow of data & instructions to and from memory, ➢ interprets the instructions, and ➢ controls which tasks to execute and when.
ALU | It performs ➢ arithmetic operations such as addition, subtraction, multiplication, and ➢ logical comparison of numbers: equal to, greater than, less than, etc.
Processor Registers | Registers are part of the computer processor which are used ➢ to hold a computer instruction, ➢ perform mathematical operations & ➢ execute commands. These are high-speed, very small memory units within the CPU for storing small amounts of data (mostly 32 or 64 bits). Registers could be a) accumulators (for keeping running totals of arithmetic values), b) address registers (for storing memory addresses of instructions), c) storage registers (for storing data temporarily) and d) miscellaneous (used for several general-purpose functions).
4.1.2. DATA STORAGE DEVICES
4.1.3. OUTPUT DEVICES
4.2. SOFTWARE
▪ Set of instructions & programs that tells the computer what to do. Created through a process of coding/programming in languages like C++, Java.
▪ Two types:
Operating system | Application software
Virtual memory is not a separate device but an imaginary memory supported by the OS.
If the RAM required to run a program falls short, the OS moves data from RAM to a space on the HDD called the paging file. This frees RAM to execute the work. Thus, it is allocation of HD space to help RAM.
Organizations generate & collect huge quantities of different types of data like production-related data, HR-related data, market-related data etc. These are stored in DATABASES.
Database | Refers to a set of logically inter-related organised data, i.e. data of some context. To manage unrelated data, a separate database is used. They store both operational data (produced from day-to-day working) as well as non-operational data (used for education, research etc.).
Database Management System | Software that helps an organization in organising, controlling & using the data stored in the DB. Helps to create & maintain a well-organized database. Normally single user. Operations that it can perform –
Database Models | Determine a) the logical structure of the database and b) the manner in which data can be stored, organized & manipulated. Types of database models: a) Hierarchical database model
A) HIERARCHICAL DATABASE MODEL
▪ Records/nodes are arranged logically in a hierarchy of relationships in an inverted tree structure.
▪ The top record in the hierarchy that “owns” other records is called the parent/root record; it may have one or more child records, but no child record may have more than one parent record.
▪ Types of relationships: 1-to-1 relationship, 1-to-many relationship.
▪ Data is accessed in a top-down manner.
▪ Search is difficult & time consuming.
B) NETWORK DATABASE MODEL
C) RELATIONAL DATABASE MODEL
D) OBJECT ORIENTED DATABASE MODEL
4.3.1. ADVANTAGES OF DBMS
1. Program & file consistency, as file formats & programs are standardized.
2. Minimized data redundancy, as duplication of info is either eliminated, controlled or reduced.
3. Allows data sharing: the same info is available to different users.
4. Integrity can be maintained: the database contains accurate, consistent & up-to-date data. Changes in the database are allowed to be made only by authorised persons.
5. User friendly: enables users to access data & use it easily without the need of a computer expert.
6. Improved security: since multiple users use the same data, it is necessary to define user access rules.
7. Data independence: data resides in the DB & not in the app; so both are independent.
8. Faster application development: since data is already present in the DB, the app developer has to think only about the logic to retrieve data in the way a user needs.
4.3.2. DISADVANTAGES OF DBMS
4.3.3. SOME CONCEPTS RELATED WITH DATABASE
A. B I G D A T A
▪ Refers to such massive data sets that conventional database tools do not have the processing power to analyze them. E.g. Google handles billions of searches every day.
▪ Some industries that use big data analytics include E-commerce (Amazon), Retail Business (Walmart), Healthcare Industry, Hospitality Industry etc.
Benefits of Big Data Processing
a) Improved Customer Services - as it helps in reading & evaluating customer feedback.
b) Better Operational Efficiency - Integration of Big Data technologies and the data warehouse helps an Org to offload infrequently accessed data, thus improving efficiency.
c) Better Decision Making - by using outside intelligence. E.g. access to social data from Facebook, Twitter etc. helps an Org to fine-tune its business strategy. Also helps in early identification of risk to the products/services, if any.
B. DATA WAREHOUSE
▪ A data warehouse is a large collection of business data used for storage & analysis to help an organization make decisions.
▪ However, directly analyzing the data that is needed for day-to-day operations is not a good idea as it interferes with the normal functioning of the Organisation.
▪ The process of extracting data from operational databases and bringing it into the data warehouse is commonly called ETL, which stands for Extraction, Transformation, and Loading.
a) First stage, the data is Extracted from one or more of the organization’s databases.
b) Second stage, the data so extracted is placed in a temporary area called the Staging Area where it is Transformed, i.e. cleansed, sorted, filtered etc. as per the information requirements.
c) Final stage, Loading of the data so transformed into the data warehouse, which itself is another database for storage and analysis.
Features, i.e. a data warehouse should meet the following criteria:
a) Uses Non-Operational Data, i.e. a copy of data from the active databases
b) Data is Time Variant, i.e. when data is loaded in the data warehouse, it receives a time stamp which allows the Org. to compare over a period of time.
c) Data is standardized in terms of rules & format like Date, Units of measurement etc.
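An added Python example (not from these notes) of the three ETL stages and the three criteria above: two constructed source tables that disagree on date format, units and spelling are copied out, cleansed, filtered, standardized and sorted in a staging list, then loaded with a load timestamp so the warehouse copy is time-variant.

```python
from datetime import datetime, timezone

# Constructed sample rows copied from two operational databases. The two sources
# disagree on date format, unit of measure and region spelling, which is exactly
# what the staging-area transformation has to standardize.
SALES_DB = [
    {"id": 1, "sold_on": "05/03/2023", "qty": "12", "unit": "kg", "region": " North "},
    {"id": 2, "sold_on": "07/03/2023", "qty": "", "unit": "kg", "region": "South"},  # missing qty
    {"id": 3, "sold_on": "07/03/2023", "qty": "4", "unit": "kg", "region": "South"},
]
INVENTORY_DB = [
    {"id": "A9", "sold_on": "2023-03-08", "qty": "2500", "unit": "g", "region": "north"},
    {"id": "A9", "sold_on": "2023-03-08", "qty": "2500", "unit": "g", "region": "north"},  # duplicate
    {"id": "B2", "sold_on": "2023-03-08", "qty": "7", "unit": "box", "region": "East"},    # unknown unit
]
SOURCE_DATE_FORMATS = {"sales": "%d/%m/%Y", "inventory": "%Y-%m-%d"}
UNITS_PER_KG = {"kg": 1, "g": 1000}  # standard unit of measurement in the warehouse is kg


def extract():
    """Stage 1: copy rows out of the operational databases into a staging list.
    The warehouse works on this copy (non-operational data), never on the live tables."""
    staged = []
    for source, rows in (("sales", SALES_DB), ("inventory", INVENTORY_DB)):
        for row in rows:
            staged.append({"source": source, **row})
    return staged


def transform(staged):
    """Stage 2: cleanse, filter, standardize and sort in the staging area.
    Returns (clean_rows, rejected) so rejects are reported rather than silently lost."""
    clean, rejected, seen = [], [], set()
    for row in staged:
        if not row["qty"].strip():
            rejected.append((row, "missing quantity"))
            continue
        if row["unit"] not in UNITS_PER_KG:
            rejected.append((row, f"unknown unit {row['unit']!r}"))
            continue
        fmt = SOURCE_DATE_FORMATS[row["source"]]
        record = {
            "source": row["source"],
            "source_id": str(row["id"]),
            "date": datetime.strptime(row["sold_on"], fmt).date().isoformat(),  # one date format
            "qty_kg": float(row["qty"]) / UNITS_PER_KG[row["unit"]],            # one unit
            "region": row["region"].strip().title(),                            # one spelling
        }
        key = tuple(record.values())
        if key in seen:
            rejected.append((row, "duplicate"))
            continue
        seen.add(key)
        clean.append(record)
    clean.sort(key=lambda r: (r["date"], r["source"], r["source_id"]))
    return clean, rejected


def load(clean_rows, warehouse, loaded_at=None):
    """Stage 3: append to the warehouse with a load timestamp, so each load can be
    compared with earlier ones (the time-variant property)."""
    stamp = (loaded_at or datetime.now(timezone.utc)).isoformat()
    for record in clean_rows:
        warehouse.append({**record, "loaded_at": stamp})
    return len(clean_rows)


def run_etl(warehouse, loaded_at=None):
    """Run all three stages; returns the warehouse and the list of rejected rows."""
    clean, rejected = transform(extract())
    load(clean, warehouse, loaded_at)
    return warehouse, rejected


if __name__ == "__main__":
    wh, rejects = run_etl([])
    for record in wh:
        print(record)
    for row, reason in rejects:
        print("rejected:", reason, row)
```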
C. DATA MINING
▪ Process of analyzing large data to find previously unknown trends & patterns to make decisions.
▪ This is accomplished through automated means against extremely large data sets such as a data warehouse.
▪ Examples of Data Mining tools - MS Excel, Oracle Data Mining, Rapid Miner
The steps involved in the Data Mining process:
1. Data Integration - Data is collected and integrated from all the different sources which could be flat files, relational database, data warehouse or web etc.
2. Data Selection - All the collected data may not be required for data mining. So, we select only those data which we think is useful for data mining.
3. Data Cleaning - The data that is collected may contain errors, missing values or inconsistent data. It needs to be cleaned to remove all such inconsistencies.
4. Data Transformation - The cleaned data needs to be transformed into an appropriate form for mining using different techniques like smoothing, aggregation, normalization etc.
5. Data Mining - Various data mining tools are applied on the data to discover the interesting hidden patterns.
6. Pattern Evaluation and Knowledge Presentation - Involves visualization, transformation, removing redundant patterns etc. from the patterns generated from data mining.
7. Decisions / Use of Discovered Knowledge - This step helps the user to make use of the knowledge acquired to take better informed decisions.
D. DIFFERENCES B/W DATABASE, DATA WAREHOUSE & DATA MINING
4.4. NETWORKING AND COMMUNICATION SYSTEMS
5. INFORMATION SYSTEM CONTROLS
6. TYPES OF I.S. CONTROLS
6.1. I.S. CONTROLS BASED ON OBJECTIVES
c) Provision of necessary controls to prevent probable
from occurring in future. d) Surprise checks by supervisor.
e) Modifying preventive controls to prevent future occurrence.
6.2. CONTROLS BASED ON NATURE OF I.S. RESOURCES
6.2.1. Environmental Controls - Related to the IT environment in which the I.S. functions. Environmental exposures & relevant controls are as follows:
Fire - Damage to equipment & facility due to fire.
Controls: a) Fire resistant material b) Install manual & automatic alarms at strategic locations. c) Install smoke detectors d) Install fire extinguishers e) Emergency Exit/Fire exit plan
Water - Damage to equipment & facility due to water related incidents like pipe burst, cyclone, floods etc.
Controls: a) Install water alarms at strategic locations b) Use of water proof walls, ceilings & floors c) Put computer room above Ground floor but not on the top floor d) Proper drainage system
Electricity exposure - Due to electrical faults like sudden upsurge in power supply, voltage fluctuations etc.
Controls: a) Voltage regulator & Circuit breakers b) UPS/Generator c) Emergency Power off switch d) Power leads from two sub-stations.
Pollution Damage - Major pollutant is Dust which can cause permanent damage to H/w.
Controls: a) Regular cleaning b) Prohibition on eating, drinking & smoking in I.S facility.
6.2.2. Physical Access Control – Relates to physical security of I.S. resources. It is applied against physical exposures which include abuse of information processing devices, theft, damage, blackmail etc.
Locks on doors: a) Bolting door lock - No duplicate key. b) Cipher locks (combination locks) - To enter, a person presses a four-digit number, and the door will unlock.
Physical information medium: a) Personal Identification Number (PIN) – a means to identify & verify the authenticity of a user. User needs to login by inserting a card in some device and then enter their
Logging on Facility: Official record of access/ activity. a) Manual logging – Visitors sign the visitor’s log indicating their name, date & time of visit, company represented, purpose of visit, & person
Others: a) CCTV monitored by security. b) Simple security guard. c) Controlled visitor access – A responsible employee will escort the visitor.
6.2.3. LOGICAL ACCESS CONTROL
▪ Applied to protect the I.S. from logical access violators like hackers, current & past employees, IS personnel, end users etc.
▪ Ensures that access to system, data, programs, OS is restricted to authorized users only.
▪ Key factors considered in designing logical access controls include
➢ confidentiality and privacy requirements,
➢ authorization, authentication and incident handling,
➢ virus prevention and detection,
➢ firewalls, centralized security administration, user training and tools for monitoring compliance
Logical Access Exposure/ Risk, if no logical access control is applied
Technical Exposure
Includes unauthorized modification of data & s/w. Types:
a) Data diddling - Change in data before or after entering it into the system. Limited tech knowledge required.
b) Bomb - Malicious code which explodes when the logic inside the code is satisfied, causing immediate damage. Can’t infect other programs & hence damage is not widespread. Logic bomb – E.g. if sales cross INR 1 crore, delete all data. Time bomb - Explodes at a given time.
c) Trojan horse - Malicious s/w or code that looks like a legitimate/ harmless program. Once installed, it can damage, steal or disrupt the system. E.g. Christmas card.
d) Worm - Malicious program which self-replicates in idle memory, thus slowing the computer. No other damage is caused.
e) Rounding down - Rounding off a small fraction of an amount and transferring this amount to an unauthorized A/c.
f) Salami Technique - Slicing a small fixed amount of money from computerized transactions & transferring it to an unauthorized A/c.
g) Trap door/Back Door - Created by the developer to gain access for maintenance. Can be misused by unauthorized users to access the software as well.
h) Spoofing - Involves forging one’s source address. One machine is used to impersonate the other & the user is made to think that he is interacting with the operating system.
Asynchronous Attack
Data that is waiting to be transmitted is liable to unauthorized access, called an asynchronous attack. These attacks make use of the timing difference between the time when the data is input to the system and the time when it gets processed by the system. Types:
a) Data leakage - Leaking of information out of the computer by copying data onto external devices or print outs.
b) Wire tapping - Spying on info being transmitted over a computer network.
c) Subversive Attack - Enables intruders to access data being transmitted & also modify/violate the integrity of data.
d) Piggybacking - Act of following an unauthorized person through a secured door that intercepts and alters transmissions.
6.3. CLASSIFICATION OF CONTROLS BASED ON AUDIT FUNCTIONS
Auditors have found the following two classifications useful when conducting information systems audits:
Managerial Controls - Objective: Managerial Controls ensure that the I.S. is developed, implemented, operated & maintained in a planned and controlled manner. Types:
a) Top Management & I.S. Management Controls
b) System Development Management Controls
c) Programming Management Controls
d) Data Resource Management Controls
e) Quality Assurance Management Controls
f) Security Management Controls
g) Operations Management Controls
Application Controls - Objective: App controls ensure data remains complete, accurate & valid through input, update & storage. Ensures processing is complete. Types:
a) Boundary Controls
b) Input Controls
c) Processing Controls
d) Output Controls
e) Database Controls
f) Communication Controls
6.3.1. MANAGERIAL CONTROLS
▪ Controls of Top Mgt. should ensure that the I.S. functions properly & meets strategic business objectives.
▪ Scope of controls includes framing high level IT policies, procedures & standards.
▪ Controls flow from the top of an Organization downwards, but responsibility still lies with senior mgt.
▪ 4 Major functions of Senior Management:
Planning - Top Mgt. prepares a plan for achieving I.S. goals. Two types of plans (Strategic & Operational plan). A Steering committee shall assume overall responsibility for the I.S. function.
Organising - To create an IT organizational structure with documented roles and responsibilities and agreed job descriptions. Includes arranging and allocating the resources needed to achieve the goals determined in the Planning phase.
Leading - Includes motivating & communicating with personnel. Ensures that personal objectives are aligned with Org. objectives so that there is harmony of objectives w/o conflict.
Control - Comparing actual performance with planned performance. In case of any deviation, corrective action is taken.
6.3.1.2. SYSTEM DEVELOPMENT MANAGEMENT CONTROLS
2. User Specification Activities - User needs to provide detailed requirements in written form (known as Functional Requirements Document). It discusses the user’s view w.r.t. problems.
3. Technical Design Activities - User’s specification is converted into a technical design by the system developer.
4. Programme Testing - All modules must be tested before implementation. Results of tests are compared with a standard to determine if there is any error in logic or program.
5. User Test & Acceptance - Before implementation, all modules are tested as a whole by the user, who ensures that it functions as per the user’s requirements.
6. Internal Auditor’s Participation - Should be involved at the inception of the system development process to examine & give suggestions on system requirements & controls throughout all phases.
6.3.1.3. PROGRAMMING MANAGEMENT CONTROLS
1. Planning - Use of different techniques for s/w development like WBS [Work Breakdown Structure] & PERT [Program Evaluation Review Technique]
2. Design - Structured/ systematic approach to design the programme. Modular design.
3. Coding - Structured/ systematic approach is adopted for coding the program.
5. Operation & Management - Involves monitoring and making changes in the system when required on a timely basis. Three types:
a) Repair/ corrective → Remove errors from s/w or fix the bugs.
b) Perfective → Program is fine-tuned to reduce resource consumption. E.g. Better UI
c) Adaptive → Change in s/w due to change in user requirements.
6.3.1.4. DATA RESOURCE MANAGEMENT CONTROLS
▪ Ensures that data is available only to authorized users. It involves: i) User access control through PIN, Password, CARD etc. ii) Encryption of data etc.
▪ It ensures that the database is updated by authorized persons only.
▪ Back up refers to making a copy of data & storing it somewhere else so that it can be used when the first copy of data is not available. It helps to ensure availability of data when required.
6.3.1.5. QUALITY ASSURANCE MANAGEMENT CONTROL
6.3.1.6. SECURITY MANAGEMENT CONTROL
6.3.1.7. BUSINESS CONTINUITY PLANNING CONTROLS
6.3.1.8. OPERATIONS MANAGEMENT CONTROL
It is responsible for the daily functioning of H/w & S/w in an efficient manner. It involves controls w.r.t.
1. Computer Operation - Ensures proper functioning of H/W & S/W on a day-to-day basis.
2. Network Operations - Ensures proper functioning of network devices, communication channels etc.
3. Data Preparation & Entry - Keyboard environment & facilities should be designed to promote speed & efficiency.
4. File Library - Management of Org. data stored in machine-readable storage media like CD/ DVD, pen-drive & Hard disk.
5. Help Desk - Assists end-users in deploying & using H/W & S/W & resolving issues.
6.3.2. APPLICATION CONTROLS
Objective → to ensure that data remains complete, accurate and valid during its input, update & storage.
6.3.2.1. BOUNDARY CONTROLS
Refers to access control mechanisms that link the authentic users to the authorized resources. Involves Identification & Authentication of users by S/w & Authorization, i.e. privilege management.
Cryptography/ Encryption - Conversion of clear text into a cipher text for storage and transmission over networks by the sender. The receiver decrypts this cipher code using the auth key. Strength of cryptography depends on the time & cost to decipher the cipher text by a cryptanalyst. Three techniques of cryptography are:
a) Transposition - Permute the order of characters within a set of data,
b) Substitution - Replace text with key-text.
c) Product Cipher - Combination of transposition and substitution.
Password - Helps in identification of users through confirmation of the user id allotted to them.
PIN - Similar to a password but authentication is independent of any user id. Assigned to the user by the Org. Helps in user identification.
ID Card - Used to store info for authentication purposes.
Biometric Device - Includes use of thumb, retina etc. as biometric control tech.
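The three techniques above, as an added Python example (not from these notes): a keyword substitution cipher, a columnar transposition cipher, and their product, plus a letter-frequency profile showing why these classical ciphers cost a cryptanalyst little to break, which is the strength criterion the table gives. Key words and the message are constructed.

```python
from collections import Counter
import string

ALPHABET = string.ascii_uppercase


def letters_only(text):
    """Keep A-Z only; these classical ciphers operate on the letters of the message."""
    return "".join(ch for ch in text.upper() if ch in ALPHABET)


def keyed_alphabet(key_text):
    """Cipher alphabet for substitution: the key-text's distinct letters first,
    then the unused letters in order (a keyword substitution)."""
    seen = []
    for ch in letters_only(key_text) + ALPHABET:
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)


def substitution_encrypt(plaintext, key_text):
    """Substitution: each plaintext letter is replaced by the key-text letter at the same rank."""
    return letters_only(plaintext).translate(str.maketrans(ALPHABET, keyed_alphabet(key_text)))


def substitution_decrypt(ciphertext, key_text):
    return ciphertext.translate(str.maketrans(keyed_alphabet(key_text), ALPHABET))


def column_order(key):
    """Columnar transposition reads the columns in alphabetical order of the key letters."""
    key = key.upper()
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def transposition_encrypt(plaintext, key, pad="X"):
    """Transposition: write the letters in rows under the key, read them out by column.
    The letters are unchanged, only their order is permuted."""
    text = letters_only(plaintext)
    width = len(key)
    if len(text) % width:
        text += pad * (width - len(text) % width)
    rows = [text[i:i + width] for i in range(0, len(text), width)]
    return "".join(row[c] for c in column_order(key) for row in rows)


def transposition_decrypt(ciphertext, key):
    width = len(key)
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    pos = 0
    for c in column_order(key):
        for r in range(height):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def product_encrypt(plaintext, sub_key, trans_key):
    """Product cipher: substitution first, then transposition of the result."""
    return transposition_encrypt(substitution_encrypt(plaintext, sub_key), trans_key)


def product_decrypt(ciphertext, sub_key, trans_key):
    return substitution_decrypt(transposition_decrypt(ciphertext, trans_key), sub_key)


def frequency_profile(text):
    """Letter counts in descending order: the statistic a cryptanalyst matches against
    the known letter frequencies of the language. Substitution renames letters and
    transposition moves them, so neither (nor their product) changes this profile."""
    return sorted(Counter(letters_only(text)).values(), reverse=True)


if __name__ == "__main__":
    message = "ATTACK AT DAWN"
    ct = product_encrypt(message, "SECURITY", "KEY")
    print(ct, product_decrypt(ct, "SECURITY", "KEY"))
    print(frequency_profile(message), frequency_profile(ct))
```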
6.3.2.2. INPUT CONTROLS
6.3.2.3. PROCESSING CONTROL
6.3.2.4. OUTPUT CONTROL
Applied to ensure that output is presented, formatted & distributed to users in a secured & consistent manner.
Controls over Printing - Output should be printed on the correct printer. Users should be trained to select the correct printer.
Spooling/ Queueing - Simultaneous Peripheral Operations Online. If more than 1 user gives a print command, the printer should print in sequential order & save the other print commands for printing after the current job is printed. Ensures that users can continue working while the print operation is getting completed.
Report distribution & Collection - The time gap b/w generation & distribution of a report should be reduced. A log should be maintained of reports that were generated and to whom these were distributed.
Storage & Retention Control - Considers the duration for which output is to be retained before being destroyed. A date should be determined for each output.
Logging of Sensitive, critical Forms - Pre-printed stationery like Co. letter head, blank cheques etc. should be stored securely to prevent unauthorized destruction or removal and usage.
6.3.2.5. DATABASE CONTROLS
Applied to ensure that the integrity of the database is maintained while updating the database. Two types:
Update Controls
a) Sequence check b/w transaction & master file - Synchronous & correct sequencing b/w master files & transaction file is critical to maintain the integrity of updating, addition or deletion of the master file.
b) Ensure all records on the transaction file are processed - Transaction file records are mapped with the respective master file.
c) Maintain a suspense A/c - Where master record & transaction record are mismatched due to failure in the corresponding record entry in the master file, such mismatches are maintained in a suspense file.
d) Process multiple transactions for a single master file in correct order.
Report Controls
a) Print suspense A/c entries - so that corrective action can be taken on time.
b) Print Run-to-Run Control Totals - Helps in identifying errors or irregularities like a record dropped erroneously from a transaction file, wrong sequence of updating or application software processing errors.
c) Existence/ Recovery control - Backup & recovery strategies together are required to restore from any failure in the DB.
d) Standing data - Application programs use many internal data to perform functions like bill calculation based on a rate list or interest rate calculation etc. Maintaining the integrity of price rate or Int. rate is critical.
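An added Python example (not from these notes) of the update and report controls above on a constructed master file and transaction file: a sequence check, an update run that parks unmatched records in a suspense file instead of dropping them, run-to-run control totals that expose a dropped record, and a printable suspense report. The batch control total is assumed to have been computed from the source documents before the run.

```python
from dataclasses import dataclass, field

# Constructed master file (customer balances) and transaction file. Each transaction
# carries a sequence number assigned at data entry.
MASTER_FILE = {"C001": 1000.0, "C002": 250.0, "C003": 0.0}
TRANSACTION_FILE = [  # (sequence no, customer id, amount)
    (1, "C001", -100.0),
    (2, "C002", 50.0),
    (3, "C009", 75.0),   # no such master record: goes to suspense, not silently lost
    (6, "C001", 30.0),   # arrives before 5: out of sequence
    (5, "C003", 20.0),   # sequence no 4 never arrives: a dropped record
]
# Control total of the batch, computed from source documents before the update run.
BATCH_CONTROL_TOTAL = 75.0


@dataclass
class UpdateRun:
    master: dict
    control_in: float = 0.0      # sum of master balances before the run
    control_out: float = 0.0     # sum of master balances after the run
    posted_total: float = 0.0
    posted_count: int = 0
    suspense: list = field(default_factory=list)
    sequence_errors: list = field(default_factory=list)


def sequence_check(transactions):
    """Sequence check: flag out-of-order and missing sequence numbers in the transaction file."""
    seqs = [seq for seq, _, _ in transactions]
    errors = [f"out of sequence: {cur} after {prev}"
              for prev, cur in zip(seqs, seqs[1:]) if cur < prev]
    for missing in sorted(set(range(min(seqs), max(seqs) + 1)) - set(seqs)):
        errors.append(f"missing sequence no: {missing}")
    return errors


def update_master(master, transactions):
    """Apply the transaction file to a copy of the master file in correct sequence order,
    diverting records with no matching master record to the suspense file."""
    run = UpdateRun(master=dict(master))
    run.control_in = round(sum(run.master.values()), 2)
    run.sequence_errors = sequence_check(transactions)
    for seq, cust, amount in sorted(transactions):   # correct order, whatever the arrival order
        if cust in run.master:
            run.master[cust] = round(run.master[cust] + amount, 2)
            run.posted_total = round(run.posted_total + amount, 2)
            run.posted_count += 1
        else:
            run.suspense.append((seq, cust, amount))
    run.control_out = round(sum(run.master.values()), 2)
    return run


def run_to_run_check(run, batch_control_total, transaction_count):
    """Run-to-run control totals: what the input run counted must equal what the update run
    posted plus what sits in suspense; any gap means a record was dropped or mis-posted."""
    suspense_total = round(sum(amount for _, _, amount in run.suspense), 2)
    problems = []
    if round(run.posted_total + suspense_total, 2) != batch_control_total:
        problems.append("amount total: batch != posted + suspense")
    if run.posted_count + len(run.suspense) != transaction_count:
        problems.append("record count: input != posted + suspense")
    if round(run.control_in + run.posted_total, 2) != run.control_out:
        problems.append("master total: before + posted != after")
    return problems


def suspense_report(run):
    """Report control: list suspense entries so corrective action can be taken on time."""
    return [f"SUSPENSE seq={seq} id={cust} amount={amount:.2f}"
            for seq, cust, amount in run.suspense]


if __name__ == "__main__":
    run = update_master(MASTER_FILE, TRANSACTION_FILE)
    print(run.master, run.sequence_errors)
    print(suspense_report(run), run_to_run_check(run, BATCH_CONTROL_TOTAL, len(TRANSACTION_FILE)))
```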
6.3.2.6. COMMUNICATION CONTROLS
Applied to ensure that the data transmitted over the network is accurate, complete & authentic.
Physical Component Controls - Mitigate possible effects of exposures to physical components of the System.
Line Error Controls - While transmitting data through a transmission line, there can be data loss due to noise distortion, called line error. These errors must be detected & corrected.
Flow Control - Applied when there is a difference in the speed at which two nodes in a network can send, receive or process data, resulting in loss of data.
Channel Access Control - Two different nodes in a network can compete to use a communication channel. a) Where the possibility of contention for a channel exists, some type of channel access control should be used.
7. INFORMATION SYSTEM’S AUDITING - BY IS AUDITOR
7.1. REASONS/ NEED FOR I.S. AUDIT
Factors which influence Organisation/Mgt. w.r.t. Implementation of Controls & Audit of Computers are:
1. Value of computer H/w, S/w & Personnel - These I.S resources are valuable & important & must be safeguarded.
2. Maintenance of Privacy - An organization collects a lot of data which is private regarding individuals. Any leakage of private personnel data is against the interest of the company & must be protected.
3. Controlled evolution of computer use - Use of technology & reliability of computer systems can’t be guaranteed. Hence it must be audited.
4. Cost of Data Loss - Data is a very critical resource of an organization. Data loss can cause severe damage to the Organization & hence it must be protected.
5. Cost of Incorrect Decision - Management takes decisions based on information produced by the I.S. In case of incorrect info, management can take incorrect decisions which affect the Organization adversely.
6. Cost of Computer Abuse - Unauthorized access to a computer system may cause huge damage. It may also result in introduction of virus, malware, hacking, theft of data etc.
7. Cost of Computer error - Errors may occur while performing a task which may incur huge cost for the Orgn.
7.2. I.S. CONTINUOUS AUDIT
Real time production of information → Real time recording → Real time Auditing → Continuous Assurance about Quality of data.
Thus, Continuous Audit reduces the time gap between the occurrence of a Client’s event & the Auditor’s assurance service thereon.
Two bases for collecting audit evidence are:
a) Embedded module (Audit S/w) in the system to collect, process & print Audit Evidence.
b) Special Audit records used to store the Audit evidence collected.
Types of Continuous Audit Tools
Snapshots - Helps in tracing a transaction as it flows in the App system. Built into the system at points where material processing takes place. Takes an image of the flow of transactions as it moves through the App. These images are utilized to assess Authenticity, completeness & accuracy. • Authenticity of
Integrated Test Facility - ITF involves creation of a dummy entity/ Test data in the App system. This test data is incorporated in normal data used as input in the App system as a means to verify processing.
System Control Audit Review File - SCARF involves embedding an audit S/w module within an App system to provide continuous monitoring of the system’s transactions. Info collected is
Continuous & Intermittent Simulation - Variation of SCARF. Used as a Trap exception whenever the App system uses a DBMS. ▪ DBMS passes all transactions to CIS which determines whether it wants to examine it further. ▪ CIS simulates the App system process.
Audit Hook - Audit routines that flag/ highlight suspicious transactions as soon as they occur on a real time basis. Thus, auditors can be informed
8. AUDIT TRAIL
▪ Refers to logs that record activities at system, App & user level.
▪ Provides a detective control to help achieve security objectives.
▪ Ensures that a chronological record of all events that have occurred in the system is maintained.
▪ Example: App logs contain details w.r.t. who initiated a transaction, who authorized it, date, time etc.
Need for Audit Trail
Accounting AT - Shows source & nature of data & processes that update the database.
Operations AT - Record of attempted or actual resource consumption in a system.
8.1. OBJECTIVES OF AUDIT TRAIL
8.2. IMPLEMENTATION OF AUDIT TRAIL / GENERATING AUDIT TRAILS
8.3. AUDIT OF VARIOUS CONTROLS
9. SEGREGATION OF DUTIES
▪ It advocates that Privilege/ Access Rights should be given on a “Need to Do” & “Need to Know” basis.
▪ Ensures that a single individual does not possess excess privilege that could result in unauthorized activity like fraud or manipulation of data security.
▪ For example, the person approving the purchase orders should not be allowed to make payment and pass entries in the books at the same time.
▪ Both preventive & detective controls should be in place to manage SoD control.
Examples of SoD Controls
Transaction Authorization - I.S requires 2 or more persons to approve certain transactions.
Split custody of high value assets - Password to an encryption key that protects sensitive data can be split in two halves, one half assigned to two persons, and the other half assigned to two persons, so that no single individual knows the entire password. Two keys for a sensitive locker.
Periodic review of user rights - Internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist.
Work Flow - Applications that are workflow-enabled can use a second (or third) level of approval before certain high-value or high-sensitivity activities can take place. E.g. a workflow application that is used to set up user accounts can include extra management approval steps in requests for administrative privileges.
When SoD issues (conflicts b/w access rights of individuals) are encountered, Management needs to mitigate the matter. How?
a) Reduce the access privilege of the individual user so that the conflict no longer exists.
b) Introduce a new mitigating control - If management determines that the person needs to retain privileges which are viewed as a conflict, new preventive & detective controls need to be implemented, like increased logging of records, reconciliations of data sets etc.
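An added Python example (not from these notes) that covers the periodic review of user rights and the two mitigation choices above, and the audit-trail point in section 8 (logs recording who initiated and who authorized a transaction): the conflict pairs, user-rights export, mitigation register and log lines are all constructed for illustration.

```python
# Toxic combinations of rights that no single person should hold. Constructed from the
# notes' example (approving a PO vs paying it vs posting the books entry) and the
# workflow example (requesting vs approving administrative privileges).
CONFLICT_PAIRS = {
    frozenset({"approve_po", "make_payment"}),
    frozenset({"approve_po", "post_entries"}),
    frozenset({"make_payment", "post_entries"}),
    frozenset({"create_user", "approve_user_request"}),
}

# Constructed user-rights export, as internal audit would pull it for a periodic review.
USER_RIGHTS = {
    "asha": {"approve_po"},
    "bharat": {"make_payment", "post_entries"},
    "chitra": {"approve_po", "make_payment"},
    "dev": {"create_user", "approve_user_request"},
}

# Mitigation option b): conflicts management decided to keep, each with its compensating
# (preventive/detective) control on record.
MITIGATION_REGISTER = {
    ("chitra", frozenset({"approve_po", "make_payment"})):
        "weekly payment-to-PO reconciliation reviewed by finance head",
}


def find_sod_conflicts(user_rights, conflict_pairs=CONFLICT_PAIRS):
    """Periodic review: every (user, conflicting pair) where the user holds both rights."""
    findings = []
    for user, rights in sorted(user_rights.items()):
        for pair in sorted(conflict_pairs, key=sorted):
            if pair <= rights:
                findings.append((user, pair))
    return findings


def classify(findings, register=MITIGATION_REGISTER):
    """Split findings into those still open and those covered by a registered control."""
    open_findings, covered = [], []
    for finding in findings:
        (covered if finding in register else open_findings).append(finding)
    return open_findings, covered


def remove_right(user_rights, user, right):
    """Mitigation option a): reduce the user's privilege so the conflict no longer exists."""
    updated = {u: set(r) for u, r in user_rights.items()}
    updated[user].discard(right)
    return updated


# Constructed application audit-trail lines carrying the fields the notes list:
# who initiated, who authorized, date and time.
AUDIT_TRAIL = [
    "2024-03-01 09:12:03 txn=PO-1001 initiated_by=asha authorized_by=chitra amount=42000",
    "2024-03-01 10:05:44 txn=PO-1002 initiated_by=bharat authorized_by=bharat amount=98000",
    "2024-03-02 14:20:10 txn=PAY-2001 initiated_by=chitra authorized_by=asha amount=42000",
]


def parse_audit_line(line):
    """Parse one 'key=value' audit-trail line into a dict."""
    date, time, *pairs = line.split()
    record = {"date": date, "time": time}
    for pair in pairs:
        key, value = pair.split("=", 1)
        record[key] = value
    return record


def self_authorized(trail):
    """Detective check over the trail: transactions authorized by the person who raised them,
    i.e. an SoD breach that a rights review alone would not show."""
    return [r["txn"] for r in map(parse_audit_line, trail)
            if r["initiated_by"] == r["authorized_by"]]


if __name__ == "__main__":
    open_findings, covered = classify(find_sod_conflicts(USER_RIGHTS))
    print("open:", open_findings)
    print("covered by compensating control:", covered)
    print("self-authorized transactions:", self_authorized(AUDIT_TRAIL))
```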
E-Commerce, M- Commerce & Emerging Tech.
CHAPTER 4
1. E-COMMERCE
▪ Refers to doing Business (Buying, Selling & Other related functions like inventory mgt.) electronically.
▪ Means use of Technology (Internet, computer, Mobile, Apps, website etc.) to enhance processing of
commercial transactions between company, customer & business partners like seller.
▪ Involves automation of variety of transactions such as B2B, B2C, C2C, C2B etc. through Reliable &
Secure Technology.
2. DIFFERENCE BETWEEN TRADITIONAL COMMERCE & E-COMMERCE
3. BENEFITS OF E-COMMERCE
4. DISADVANTAGES OF E-COMMERCE
a) Internet Connection - Internet connectivity is a pre-requisite to perform online transactions. It may not be available in rural or remote areas.
b) High start-up costs - Various components of costs involved with e-commerce are due to the following:
▪ Connection: Connection costs to the Internet.
▪ Hardware/software: Includes cost of sophisticated computers, routers etc.
▪ Set up: Includes employee work hours involved in setting up systems.
▪ Maintenance: Includes costs involved in training of employees & maintenance of web-pages.
c) Legal issues - The legal environment in which e-commerce is conducted is full of unclear & conflicting laws.
d) Security Concerns - There is a risk to the security and reliability of the network and internet, as well as fear for the safety and security of personal information due to the increased spyware and malware.
e) Cultural impediments - Some customers are still somewhat fearful of sending their credit card numbers over the Internet. Also, many customers are simply resistant to change.
f) Some businesses may never lend themselves to e-commerce - Items such as perishable foods and high-cost items such as jewellery and antiques may be impossible to adequately inspect from a remote location.
▪ A Business Model (B.M.) means the organization of product, service & information flows for the benefit of suppliers & customers.
▪ A business model enables a firm to
➢ analyze its environment more effectively and
➢ exploit the potential of its markets;
➢ better understand its customers; and
➢ raise entry barriers for rivals.
▪ An e-business model is the adaptation of an organization’s business model to the internet economy.
▪ E-business models utilize the benefits of electronic communications to achieve value additions.
▪ Some of the e-market models are explained below:
1. E-shop - It is an online version of retail stores that sells products & services online. It is a convenient way of effecting direct sales to customers. No intermediaries are involved, hence cost & time delay are reduced. Eg- www.vanheusenindia.com
2. E-malls - It is the e-retailing model of a shopping mall. It is a conglomeration of different e-shops situated in an e-commerce location. Eg – www.emallofAmerica.com
3. E-Auction - It provides a channel of communication (auction websites) through which the bidding process for products & services can take place between competing buyers. Eg – www.bidderboy.com
4. Portals - It is a website that serves as a gateway on the internet to a specific field of interest or an industry. It is a channel through which websites are offered as content. Firms control the content or portal and earn revenue by charging customers for subscription or advertising. Website + login + motive is to earn money. Eg – www.mca.gov.in, Netflix, Tax sutra, Taxmann.com
5. Buyer Aggregator - They bring together a large no. of buyers so that they can enjoy savings which are generally enjoyed by large volume buyers. Firms collect info about Goods/Services, make service providers their partners & sell under their own brand. Eg- www.zomato.com, Ola, Uber
6. Virtual Community - Community of customers who share a common interest & use the internet to communicate with each other. It helps participants as they get greater benefits like solving queries, sharing ideas etc., without additional cost. E.g.- Microsoft community
7. E-marketing - Process of marketing a product or service using the Internet. E.g.- Mail marketing, digital marketing. It changes the relationship b/w buyer & seller as market information is available to all parties in the transaction.
8. E-Procurement - Refers to management of all procurement activities through electronic means. E-procurement infomediaries provide up-to-date & real time information w.r.t. supply of material to business partners. Leads to efficiency in accessing info & saving of time & cost. E.g. www.e-procure.gov.in
9. E-distribution - An e-distributor is a Co. that supplies products & services directly to individual businesses. E-distribution helps in achieving efficiency by managing large volumes of customers, automating orders, communicating with partners and providing value added services like order tracking. An example of a firm specializing in e-distribution is www.wipro.com, which uses the internet to provide fully integrated e-business enabled solutions that help to unify the information flows across all the major distribution processes.
The e-business models relating to e-business markets can be summarized as given below:
6. COMPONENTS OF E-COMMERCE
7. ARCHITECTURE OF NETWORKED SYSTEM
Architecture refers to the style of designing/ method of construction. In e-Business, it denotes the way network architectures are built. E-Commerce runs through a network-connected system.
7.1. ADVANTAGES & LIMITATIONS OF TWO-TIER ARCHITECTURE
7.2. ADVANTAGES & LIMITATIONS OF THREE TIER ARCHITECTURE
8. M-COMMERCE
▪ Refers to Buying & Selling of Goods & services and related activities through wireless hand-held devices like mobile phones and Personal Digital Assistants (PDAs) like tablets etc.
▪ M-commerce enables users to access the Internet without needing to find a place to plug in.
▪ Growth in m-Commerce has been through Apps. An App can be downloaded by the user or pre-installed.
Database Tier - DB server, i.e. the info store house where all data is stored. - Same
9. WORKFLOW OF E-COMMERCE
10. RISKS & CONTROLS IN E-COMMERCE
10.1. Risks, i.e. the possibility of loss, in case of e-commerce are high compared to general internet activities.
▪ Delay in delivery of goods & hidden cost (delivery/ processing cost)
▪ Needs internet & no personal touch
▪ Problem of Anonymity → Need to identify & authenticate user as well as supplier
▪ Denial of service → Due to unavailability of the system due to virus, bomb etc.
▪ Repudiation of contract → Seller may repudiate the order after accepting it. Customer can also refuse to accept delivery
▪ Attack from Hacker → E-commerce website may be attacked by hackers
10.2. CONTROLS → NECESSARY FOR EACH PARTICIPANT OF E-COMMERCE
1. User ▪ To ensure that genuine users are on the e-commerce website. This prevents attacks on the website from hackers.
2. Seller/Merchant ▪ Should be financially & operationally stable. Control is needed for
➢ Product catalogues
➢ Price catalogues
➢ Discount and promotional schemes
➢ Shipping & return
➢ Accounting for cash received through Cash on Delivery mode of sales.
3. Government ▪ Two major concerns - Tax accounting of G/Sr sold & only legal G/Sr are sold.
4. Network Service Provider ▪ To ensure availability & security of the network. Any downtime can be disastrous.
5. Technology Service Provider ▪ Includes all services other than network service. E.g. cloud computing, App Backends etc. ▪ To ensure availability & security of technology.
6. Logistics service provider ▪ Responsible for timely delivery of the product as ordered. ▪ Success or failure of any e-commerce / m-commerce venture finally lies here.
7. Payment Gateway ▪ To ensure effective & efficient processing of payment.
10.3. CONTROLS FOR MITIGATING RISK
▪ Educate participants about nature of risk: Policy may include a) Frequency and nature of educational programmes. b) Participants for such programme. Example: "Dos and Don'ts" for online payments advertised by Banks.
▪ Communication of organizational policy to Customers: a) Privacy policy, i.e., how data will be used b) Information Security policy c) Shipping & Billing policy d) Return & Refund policy
▪ Ensure compliance with Industry Body standard: RBI releases these standards from time to time, which must be complied with.
▪ Protect your e-commerce website from Intrusion: a) Hackers - Use security software package to protect website. b) Virus - Scan website daily for viruses. c) Password - Ensure employees use strong password & change it periodically. Also access of ex-employees must be terminated. d) Regular s/w update - Website should have newest version of security s/w. e) Sensitive data - Encryption of financial & other confidential data.
11. GUIDELINES & LAWS GOVERNING E-COMMERCE
11.1. GUIDELINES GOVERNING E-COMMERCE (DECIDED BY E-COMMERCE)
All e-commerce vendors need to create clear policy guidelines for the following & communicate them to their users.
▪ Billing: Format of Bill; Details in Bill; Applicable GST.
▪ Shipping: Shipping Date & Time; Expected date of dispatch.
▪ Delivery: Mode of delivery? (Courier / Hand delivery); When will goods be delivered? (Time & date); Where delivery is to be made? (Home / Office).
▪ Payment: Mode (COD / online payment); Specific payment mode for specific product must be highlighted.
▪ Return: Which goods can be returned? Within how many days? Process of verifying authenticity; Duration after which money will be refunded.
▪ Product Guarantee/Warranty: Proper display of guarantee/warranty on website; Also send G/w document along with product.
11.2. COMMERCIAL LAWS GOVERNING E-COMMERCE
All e-commerce transactions are essentially commercial transactions. Hence following laws are applicable:
1. Income Tax Act, 1961 ▪ Act to levy & collect Income Tax on Income. ▪ Concerned with deciding place of origin of Transaction for tax purpose.
2. GST Act, 2017 ▪ Covers all aspects of E-commerce. ▪ Each supplier is required to upload details of outward supply on common portal.
3. Companies Act, 2013 ▪ Regulates companies. All major e-commerce organizations are companies.
4. Factories Act, 1948 ▪ Regulates working condition of workers. Extends to place of storage as well as transportation.
5. Customs Act, 1962 ▪ Deals in Import/ Export of goods. India is signatory to GATT of WTO & can't levy custom duties that are not WTO compliant.
6. Consumer Protection Act, 1896 ▪ Act to safeguard interest of consumers. It is source of most of litigation.
7. Foreign Exchange Management Act, 1999 ▪ Regulates FDI & flow of foreign exchange in India. ▪ FDI upto 100% allowed in e-commerce dealing in B2B e-commerce.
8. Competition Act, 2002 ▪ Regulates practices that have appreciable adverse effect on competition through Competition Commission. ▪ Checks predatory pricing by E-Commerce vendors.
9. Indian Contract Act ▪ Defines constituents of valid contract.
11.3. SPECIAL LAWS GOVERNING E-COMMERCE
11.4. TRENDS IN E-COMMERCE
E- marketers need to develop not only their product quality but also user experience to retain customers.
▪ Content: Due to great competition in e-commerce, a visually attractive website or display of product is no more sufficient. Latest trend is to use video for Q&A & content marketing to attract customers. Shoppable videos instead of images enable customer to shop directly from videos.
▪ Predictive Analysis: P.A. helps in analysing customer's behaviour, such as: if customer does not return within 30 days, he is lost. It helps to a) predict customers' buying habits as per their taste & preference, b) segment customers in different categories & improve conversions by offering ▪ Right customers ▪ the right product ▪ in the right way ▪ at the Right time.
▪ Biometrics: Since e-commerce involves serious security threats such as hacking, spamming, online fraud, theft of confidential data etc., Biometric verification is a means to solve security issues & is latest trend. It uses physical characteristics of users such as fingerprint, face or voice.
▪ Social commerce: Social media is integral part of a customer's online habit. Latest trend is to use social media like FB, Google etc. for doing e-commerce.
▪ Mobile commerce: User is moving from desktop to mobile computing. 55% online traffic is generated on mobile & it's increasing. Creation of mobile apps for marketing is latest trend.
▪ Artificial Intelligence: Use of AI like fully automated chat bot is another latest trend. Chatbot is first point of contact & answers all Q of consumers. Also known as mobile messenger bots. Live chat users tend to spend more & buyer conversion rate is higher.
12. DIGITAL PAYMENT
e) Discount from taxes
f) Competitive advantage to business
d) Disputed transactions: In case of misuse of electronic money by someone else, it is very difficult to receive a refund.
12.1. TYPES OF DIGITAL PAYMENT
12.1.1. TRADITIONAL METHODS
Cards
▪ Debit Card: Small plastic card containing unique no. linked with bank A/c number. Issued by a bank & allows the holder to make payment directly from his Bank A/c. Buyer's cash is instantly affected, i.e. as soon as payment is approved, buyer's account is debited.
▪ Credit Card: Small plastic card issued by a bank/ issuer, allowing the holder to purchase goods or services on credit. Buyer's cash flow is not instantly impacted as user makes payment to card issuer at end of billing cycle.
▪ Smart Card: Prepaid card similar to credit card and debit card in appearance, but has a small microprocessor chip in it to store customer's personal info. such as financial facts, encryption keys, account information & so on. a) These are not linked to any bank account & user is not mandated to have a bank account. b) It is used to store money which is reduced as per usage. c) E.g. Mondex and Visa Cash cards.
Internet Banking
▪ Customers login to his/ her bank account and make payments. All public sector banks & large private sector banks allow this facility to their customers.
UPI [Android only]
▪ Unified Payment Interface. It is payment mode to make instant fund transfer from sender's bank account to the receiver's bank account through the mobile App.
▪ Steps: ▪ User downloads UPI APP such as PhonePe, Google Pay, BHIM ▪ Create VPA/ UPI ID ▪ Register for Mobile Banking ▪ Link Bank A/c with UPI ID & Transfer Fund.
▪ It can be used to transfer funds b/w two accounts as well.
IMPS
▪ Immediate Payment System. Facilitates instant inter-bank electronic fund transfer through Mobile, ATM & Net banking.
▪ Allows user to send or receive money to/ from other UPI address by a) scanning QR code; or b) using A/c number with Indian Financial Systems Code (IFSC); or c) MMID (Mobile Money Identifier) – Code for users who don't have a UPI-based bank A/c.
Mobile Apps
▪ BHIM/ Bharat Interface for money. Developed by NPCI (National Payment Corp. of India). Based on UPI & built on IMPS infra.
Mobile Wallet
▪ Mobile wallet or e-wallet is digital version of a physical or real-life wallet. Users can keep his/ her money in E-wallet & use it when needed.
▪ It stores bank account or Dr/Cr card info on mobile device. Used to make payment to merchants listed with mobile wallet service provider. E.g. PAYTM, Mobikwik, Freecharge.
AEPS
▪ Aadhar Enabled Payment system is an Aadhaar based digital payment mode.
▪ AEPS allows bank to bank transactions, i.e. money will be deducted from sender's A/c and credited to payee's A/c directly. Customers need to link Aadhar with Bank A/c.
▪ Can be used for financial as well as non-financial operations. Planning to launch.
USSD
▪ Unstructured Supplementary Service Data Banking or *99# mobile Banking based on Digital payment that works on basic phone through SMS.
▪ No need of smartphone or Internet. Can be used for financial as well as non-financial operations like checking bank balance, generating MPIN etc.
Crypto Currency ▪ It is a digital currency (no physical form) produced by public network rather than any Govt. or bank. It is completely decentralized, i.e., no controlling authority.
▪ It is a medium of exchange. Strong cryptography is used to ensure that payments are sent & received safely.
▪ Records of individual coin ownership are stored in computerized database using strong cryptography.
▪ Strong cryptography makes it nearly impossible to counterfeit & double spend.
▪ E.g. – Bitcoin, Litecoin, Ethereum
▪ Advantages: Less transaction processing, fast transfer b/w sender & receiver, no risk of hacking or counterfeit currency.
Mobile Banking ▪ Service provided by a bank or other FI that allows its customers to conduct different types of financial & non-financial transactions remotely using a mobile device such as a mobile phone or tablet & the Mobile App provided by Bank or FI.
▪ Each Bank provides its own mobile banking App for Android, Windows and iOS mobile platform(s).
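Added example (not part of these notes): a small Python ledger that shows why coin ownership records protected by cryptography cannot be counterfeited or double spent, as stated for crypto currency above. It assumes a simplified hash-preimage proof of ownership in place of the digital signatures real coins use; coin ids and owner secrets are constructed.

```python
"""Toy coin ledger: ownership records that cannot be forged or double spent.

Simplification (assumption, not how Bitcoin works): a coin is owned by whoever
knows the secret s behind the recorded commitment H(s). Spending reveals s and
names the next owner's commitment. Once the coin moves, the old secret no
longer opens the record, so spending the same coin twice with it is rejected.
"""
from __future__ import annotations

import hashlib
import secrets


def commit(secret: bytes) -> str:
    """Public ownership record H(secret); only the holder of `secret` can open it."""
    return hashlib.sha256(secret).hexdigest()


class Ledger:
    def __init__(self) -> None:
        # coin_id -> commitment of the current owner (the shared ownership record)
        self.owner: dict[str, str] = {}
        # accepted transfers (coin_id, from_commitment, to_commitment), for audit
        self.log: list[tuple[str, str, str]] = []

    def mint(self, coin_id: str, owner_commit: str) -> None:
        """Create a coin; a duplicate id would be a counterfeit, so it is refused."""
        if coin_id in self.owner:
            raise ValueError("coin already exists")
        self.owner[coin_id] = owner_commit

    def transfer(self, coin_id: str, proof: bytes, new_owner_commit: str) -> bool:
        """Accept the spend only if `proof` opens the current owner's commitment."""
        current = self.owner.get(coin_id)
        if current is None:
            return False  # counterfeit: no such coin was ever minted
        # constant-time comparison; a guessed or stale proof fails here
        if not secrets.compare_digest(commit(proof), current):
            return False
        self.owner[coin_id] = new_owner_commit  # ownership moves, old proof is stale
        self.log.append((coin_id, current, new_owner_commit))
        return True


def demo() -> dict[str, bool]:
    """Walk one coin through a forged spend, a valid spend and a double spend."""
    alice, bob, carol = (secrets.token_bytes(16) for _ in range(3))  # constructed secrets
    ledger = Ledger()
    ledger.mint("coin-1", commit(alice))  # constructed coin id
    return {
        # someone who does not know Alice's secret cannot move her coin
        "forged_proof_rejected": ledger.transfer("coin-1", b"guess", commit(bob)) is False,
        # a coin that was never minted cannot be spent into existence
        "counterfeit_coin_rejected": ledger.transfer("coin-99", alice, commit(bob)) is False,
        # Alice pays Bob
        "valid_spend_accepted": ledger.transfer("coin-1", alice, commit(bob)),
        # Alice tries to pay Carol with the same coin: her proof is now stale
        "double_spend_rejected": ledger.transfer("coin-1", alice, commit(carol)) is False,
        # Bob, the new owner, can spend it onward
        "new_owner_can_spend": ledger.transfer("coin-1", bob, commit(carol)),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```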
13. VIRTUALISATION
▪ Refers to creation of virtual version of a device or resource such as server, network or storage device etc.
▪ It provides a layer of abstraction between hardware and software working on them.
▪ Core Concept – Partitioning which divides one physical hardware into multiple logical server/ virtual
machines and each logical server can run an OS independently.
▪ Example - Partitioning of a hard drive is considered virtualization because one drive is partitioned in a
way to create two separate hard drives.
▪ Helps in cutting IT expenses, enhancing security, and increasing operational efficiency.
13.1. APPLICATION AREAS OF VIRTUALISATION
13.2. TYPES OF VIRTUALISATION
14. GRID COMPUTING
▪ It is a computer network in which each computer’s resource (processor, storage, Network etc.) is shared
with other computer in a system/network.
▪ It is a distributed architecture of large number of computers connected to solve complex problems. E.g.:
Data mining.
▪ In the grid computing model, servers or personal computers run independent tasks and are loosely
linked by the Internet.
▪ It turns a computer network into a powerful super-computer.
14.1. BENEFITS OF GRID COMPUTING
resources
2. Making use of under-utilized resource: It provides a framework to use/ exploit unutilized IT resources in an Org.
3. Resource Balancing: It enables RB in which if a computer's load peaks, it can transfer its work to another computer with less utilization.
4. Parallel CPU capacity: It helps in scalability & faster performance.
5. Reliability: Since high-end computing systems are used, grid computing is reliable. Further, due to multiple resources, if one computer fails, work will continue as its work will be transferred to another computer in network.
6. Management: It helps in better management of large No. of computer systems. It also manages priorities among different projects.
14.2. TYPES OF RESOURCES IN GRID
▪ Computation Power (CPU): It's the most common resource shared in G.C. Processors offered by members of Grid may differ in architecture, memory etc. but can still be shared. Three ways to exploit this resource in G.C.: a) To run an App on computer in grid rather than locally. b) To run an App that needs to be executed multiple times on diff. computers in a Grid. c) To split the work in separate parts so that it can be executed in parallel on different computers.
▪ Storage: Each machine on grid provides some storage, even if temporary. Storage may be memory attached to processors, RAM, ROM or secondary devices like Hard Drive.
▪ Communications: Refers to network bandwidth used for sending work from one computer/ machine to another. Bandwidth is critical resource and it should be redundant and efficient, else it may affect effectiveness of G.C.
▪ Software and License: Refers to those s/w installed in one Grid which are too expensive for installation on each member computer. Some S/W vendors permit to install such s/w on all computers in grid but at any given time, only limited no. of computers will be able to use the s/w.
▪ Special Equipment, capacities, architecture and policies: Different computers in a Grid will have different architectures, operating systems, devices, capacities, and equipment. Grid can use criteria for assigning job to any member of Grid. For example, some machines may be designated to only be used for medical research.
14.3. APPLICATIONS OF GRID COMPUTING
a) Civil engineers collaborate to do experimental research to design, execute, analyze, and validate
different models in earthquake engineering.
b) Insurance companies mine data from partner hospitals for fraud detection.
c) In scientific research, using an entire network of computers to analyze data.
d) In film industry, to give special effects in a movie.
e) In financial industry, to forecast the future of a particular stock.
14.4. GRID COMPUTING SECURITY CONSTRAINTS / ISSUES TO CONSIDER
G.C. is a highly collaborative & distributed computing model. To develop secure Grid, following need to be considered:
a) Secured Single Sign-on: User should be required to authenticate once & should be able to access resources, use them, & communicate internally without further authentication.
b) Mgt. & Protection of credentials: User's credentials like User Id, Passwords, PIN should be protected.
c) Support for secure group connections: Among Grid member computers.
d) Support for multiple implementation: There should be security for multiple participants of a Grid based on public and private key cryptography.
e) Inter-operability between Grid Security & local security: Access to local computer resource should have local security & there should be inter-operability between Grid Security & local security.
f) Standardization: Since G.C. is highly integrated system, standardizing protocols and interfaces between Grid participants is a big issue.
g) Exportability: The code should be exportable, i.e. they cannot use a large amount of encryption at a time.
15. CLOUD COMPUTING
▪ “The Cloud” refers to applications, services, and data storage on the Internet.
▪ C.C. refers to accessing these computing resources through internet. E.g. Gmail, E-mail, Netflix etc.
▪ It is a combination of H/w & S/w based resources delivered as a service which can be accessed online.
15.1. CHARACTERISTICS OF CLOUD COMPUTING
All the characteristics may or may not be present in a specific Cloud solution.
a) Elasticity & Scalability: Gives the user ability to expand or reduce resources according to requirement.
b) Pay per use: User pays for cloud services only when they use them.
c) On Demand: Cloud service is not permanent part of IT infrastructure. It is availed when required.
d) Resiliency: Failure of a server or storage resource does not affect Org as work is migrated to different server in same data center or to different data center with or without human intervention.
e) Multi-Tenancy: Public cloud offers its services to multiple users, making it multi-tenant.
f) Work load Management: It is related with resiliency & cost consideration. A cloud service provider may move workload from one data center to another due to: a. save cost [where operating data center is cheap] b. regulatory considerations c. better network bandwidth.
15.2. ADVANTAGES OF CLOUD
a) Streamline business process: by getting more work done in less time with less resource.
b) Reduced capital Cost: No need to spend huge amount on s/w & H/w etc.
c) Reduced spending on Infrastructure: Tech as data can be accessed on demand on pay as per use basis.
d) Improved Flexibility: Fast changes can be done in work environment.
e) Pervasive Accessibility: Data can be accessed from anywhere on any device through internet.
f) Minimize maintenance: As infrastructure is maintained by cloud service provider.
g) Globalise the workforce: As people can access cloud with internet across world.
15.3. DRAWBACKS OF CLOUD
15.4. TYPES OF CLOUD COMPUTING ENVIRONMENT (BASED ON USAGE & DEPLOYMENT)
15.4.1. CHARACTERISTICS OF CLOUD COMPUTING ENVIRONMENT
15.5. TYPES OF CLOUD COMPUTING SERVICE MODEL
National Institute of Standards and Technology (NIST) defines three basic service models through which
cloud services are offered to users. These are as follows:
Infrastructure as a Service (IaaS)
▪ It is a H/w level service which provides computing resources like ➢ Processing power ➢ Memory ➢ Network & ➢ Storage to cloud users to enable them to run App on demand on pay per use basis.
▪ IT resources are installed & managed by cloud Service provider & users use infrastructure in form of virtual machine.
▪ Example: AWS, Google Compute Engine, OpenStack
▪ Characteristics: a) Web Access - Enables user to access infra over Internet. No physical access. b) Metered Service - Allows user to rent infrastructure rather than buy it & pay on usage basis. c) Scalability & Elasticity d) Shared Infrastructure - Multi Tenancy e) Centralized Management - It ensures effective Resource Management.
Platform as a Service [PaaS]
▪ It provides the user ability to ➢ Develop & Deploy ➢ app on platform provided by Sr provider.
▪ PaaS changes Application development from local machine to online.
▪ It provides - Programming language - App framework - Database - Testing Tools - Other S/w development tools.
▪ Example: Google APP Engine, Microsoft Azure Compute
Software as a Service [SaaS]
▪ It provides ability to user to access an App over internet.
▪ S/w is installed, managed, updated & upgraded by cloud Service provider.
▪ User gets access to App on pay per use (subscription) basis.
▪ Types: a) E-mail as a service (EaaS) - Provides integrated system of mailing, record management, migrating, integration etc. b) API as a service (APIaaS) - Helps to explore functionality of web services like Google Maps, Payroll Processing etc. c) Testing as a service (TaaS) - Provides s/w testing capabilities to users.
▪ Difference between SaaS & PaaS is that PaaS represents a platform for App development, while SaaS provides online Apps that are already developed.
15.5.1. FIVE INSTANCES OF IAAS
15.6. ISSUES WITH CLOUD COMPUTING
16. MOBILE COMPUTING
▪ Technology that allows transmission of data via a computer/ mobile device without having to be
connected to a fixed physical link (wireless).
▪ Users can transmit data from remote locations to other remote or fixed location, thus solving issue of
‘Mobility’
▪ Widely established, rapidly evolving & rapidly growing across world.
16.1. KEY COMPONENTS OF MOBILE COMPUTING
a) User enters or accesses data on hand-held computing device using App.
b) This new data is transmitted from hand-held computing device to physical I.S. where DB shall be updated & new data is accessible to other system users as well.
c) Now, both systems, i.e., hand-held device & physical I.S., have same information & they are in sync.
d) This process works in same way starting from other direction.
a) Flexibility in working: It has enabled users to work from anywhere as long as they are connected to a network, thus enabling work from home or work while travelling.
b) Increase in Employee's Productivity: as workers can simply work efficiently and effectively from whichever location they see comfortable and suitable.
c) Improved Customer Service: For example, by using a wireless payment terminal the customers in a restaurant can pay for their meal without leaving their table.
d) Remote access to work order details: Provides mobile workforce with remote access to work order details, such as work order location, contact information, required completion date.
e) Improved Management effectiveness: Enables to improve Mgt. effectiveness by enhancing information flow & ability to control mobile workforce.
f) Facilitates excellent communication: Mobile computing facilitates excellent communication.
a) Insufficient Bandwidth: It uses technologies such as GPRS & EDGE & 3G, 4G networks which are slower than direct cable connection. Higher speed wireless LANs are
17. GREEN COMPUTING
17.1. GREEN COMPUTING BEST PRACTICES
17.2. GREEN IT SECURITY SERVICES & CHALLENGES
▪ Green Security is a new research field which involves defining & investigating security solutions under the energy-aware perspective.
▪ The objectives of Green Security are to:
a) Evaluate the actual security mechanisms in order to assess their energy consumption.
b) Build new security mechanisms by considering the energy costs from the design phase.
▪ Need to evaluate a client's infrastructure to accommodate green technology is really a vital issue.
▪ Green security can be a cost-efficient and lucrative green IT service for solution providers.
18. BRING YOUR OWN DEVICE (BYOD)
▪ It is a business policy that allows Employees to use their preferred IT device like Laptop for business
purpose.
▪ Employees can connect personal device to corporate network to access information & application.
▪ It makes workspaces flexible as it enables employees to work beyond required hours.
18.1. ADVANTAGES OF BYOD
a) Happy Employees: as Employees love to use own device at work & need not carry multiple devices.
b) Increased Employee efficiency: as he is not required to learn working on new system.
c) Lower IT Budget: Leads to financial saving as Org is not required to provide device to staff.
d) Reduced support requirement: as Employees maintain the device on their own, resulting in cost saving.
e) Early adoption of technology: as Employees are more proactive in adopting new technologies which leads to enhanced productivity.
18.2. EMERGING THREATS / DISADVANTAGES OF BYOD
Introduction
➢ Web 1.0 → Initial days of Google/Prior to Google. Static page that could be read. No write, No sharing
➢ Web 2.0 → Dynamic page + Read & write (users can upload photos, comment on other’s photo).
Resulted in Social media network b/w people & people.
➢ Web 3.0 → Web 2.0 + such device & website are able to generate, store & share data with other
compatible devices w/o human intervention.
Web 3.0
It is known as semantic web. (Study of how language is used to produce meaning).
Refers to websites wherein raw data is generated by computer/devices (TV, AC, etc) & shared with other
devices without direct human intervention.
It is next step in evolution of Internet & web-tech. It uses
a) Semantic web tech
b) AI
c) User behavior
d) Widgets/Apps
e) User engagement depending on interest of users.
Example: Content management systems along with artificial intelligence can answer questions posed by
the users, because the application can think on its own & find the most probable answer, as per context.
In this way, Web 3.0 can also be described as a “machine to user” standard in the internet.
19.2. FUTURE OF WEB TECHNOLOGIES
20. INTERNET OF THINGS (IOT)
▪ IoT is a system of –
➢ interrelated computing devices, mechanical & digital machines, animals or people with capability to
➢ transfer data over internet
➢ without human to human or human to machine interaction.
▪ Embedded with electronics, Internet connectivity, and other forms of hardware (like sensors), these
devices can communicate & interact with others over the Internet, and can be remotely monitored and
controlled.
▪ E.g. Washing machines with wi-fi capacity can connect themselves to home wi-fi & once connected, can be controlled through manufacturer's app from anywhere.
20.1. APPLICATIONS OF IOT
a) All home appliances to be connected and that shall create a virtual home. Home owners can keep track
of all activities in house through their hand-held devices including home security through CCTV.
b) Office machines shall be connected through net.
HR managers can see how many people had a cup of coffee from vending machine & how many are
present.
How many printouts are being generated through office printer?
c) Governments can keep track of resource utilizations / extra support needed.
Under SWACHH mission government can tag all dustbins with IOT sensors. They (dustbins) generate a
message once they are full.
d) Smart Wearables
e) Connected Cars
f) Smart Supply Chain
20.2. RISKS OF IOT
▪ Risk to Product Manufacturer: a) Data storage & analysis must be secured & protected. b) Manufacturer not providing IOT will not be able to survive in future.
▪ Security: Greatest threat. Since devices are connected to N/w, they will be hit by all N/w related risks like ▪ Hacker ▪ Bomb ▪ Trojan etc.
▪ Risk to User Privacy, Autonomy & Control: Risk of loss of control over personal life as personal data may be leaked. Other major concern is who has ownership of this personal data.
▪ Intentional Obsolescence: On launching new device, features of old device may be disabled or slowed down. Where a manufacturer buys another, it may not support old devices sold.
▪ Technology Risk: Due to lack of technology standard & due to variety of H/w & S/w used on different devices, it's difficult to develop App.
▪ Environmental Risk: May have impact on house air quality due to use of heavy metals in devices.
21. ARTIFICIAL INTELLIGENCE (AI)
▪ Intelligence means ability to use memory, knowledge & experience to solve a problem.
▪ Intelligence exhibited/ displayed by a machine is called AI.
Applications
➢ Autonomous vehicle (self-driving cars)
➢ Creating Art, poetry
➢ Playing online game like chess
➢ Online Assistants (SIRI, ALEXA)
➢ Medical diagnosis, in cancer Research
➢ Robotics
Risks
a) AI relies on data it gets. Thus, incorrect Input will give incorrect conclusions.
b) AI (robots) carries security threat. Countries are discussing to have a kill switch in AI capable devices.
c) In long term, AI may kill people's skill of thinking the unthinkable. AI can't think out of the box.
22. MACHINE LEARNING (ML)
▪ Application of AI that enable computers to learn automatically without being explicitly programmed.
▪ Science and art of programming computers so that they can learn from data & can change when
exposed to new data.
▪ Machine learning can be used for solving problems that either are too complex for traditional
approaches or have no known algorithm such as speech recognition.
▪ Application & risks are similar to AI.
Core Banking Systems
CHAPTER 5
1. OVERVIEW OF BANKING SERVICES
1.1. INTRODUCTION
Key factors/ reasons that enabled Banks to compete at world level & provide basic banking services to citizens
of India staying in remotest area of India are as follows:
a) Rapid development & adoption of IT by Banks which facilitates anytime & anywhere access.
b) Global business opportunities leading to Indian opportunities & customer’s demand for integrated services.
c) Growth of Internet penetration across India.
d) Successive Government’s focus towards financial inclusion for all Indians. E.g. Jan Dhan Yojana.
1.2. CHARACTERISTICS / KEY FEATURES OF BANKING BUSINESS
a) Custody of Large volume of Monetary Items like cash & Negotiable Instruments.
b) Dealer in Large volume (in number, value and variety) of transactions.
c) Operating through Wide Network of Branches & Departments, which are geographically dispersed.
d) Increased possibility of fraud making it mandatory for Banks to provide multi-point authentication checks
& high level of information security.
1.3. FUNCTIONS OF BANK / MAJOR PRODUCTS & SERVICES OF BANKS / TYPES OF BANKING SERVICES
Core functions: Acceptance of deposit [Pay Interest]; Lending of money [Earn Interest]
S No. Functions Explanation
In this, number of beneficiary accounts are credited by debiting periodically a single account of bank. Examples: Payment of amounts towards dividend distribution, interest, salary, pension, etc.
In this, large number of accounts with the Bank are debited for credit to a single account. Examples: Tax collections, loan instalment repayment, investments in mutual funds etc.
6 Letter of Credit & Guarantee
▪ Letter of Credit: It is an undertaking by Bank to the payee (supplier of goods & services) ➢ to pay him on behalf of buyer ➢ any amount upto the limit specified in L.C ➢ provided T&C are satisfied.
▪ Guarantee: It is provided by Bank, on request of customer of Bank (supplier), to ➢ buyer of Goods / services ➢ to guarantee performance of contractual obligation or ➢ for submission to Govt. authorities like customs in lieu of the stipulated security deposit.
7 Credit Card ▪ Processing of Application for credit card is entrusted to separate division at
central office of Bank.
▪ It is linked to one of the international credit card networks like VISA, Master,
Amex or India’s own RuPay which currently issues debit cards but credit cards
are also expected to be launched in near future.
8 Debit Card ▪ Issued by central office of Bank where customers have their account.
▪ It facilitates withdrawal of money from ATMs as well pay at authorized
outlets. When debit card is used for a transaction, amount is immediately
deducted from customer’s account.
9 Other Banking Operations
▪ Back operations: Covers all operations done by back office. Related to - General ledger - MIS - technology - Reporting - Compliance etc.
▪ Retail Banking: Known as front office operations that provide direct services to customers for personal use. E.g. Debit cards, personal loans, mortgages etc.
▪ High Net Worth Individuals (HNIs): Specialized services to HNIs based on value/ volume of deposits / transactions.
▪ Risk management: It is done at - Strategic - Tactical - Operational areas of Bank.
▪ Specialized Services: Underwriting: Process of assessing credit worthiness or risk of a potential borrower & his ability to repay loan. Critical process while determining grant of loan to customer. Life insurance.
2. CORE BANKING SYSTEM / SOLUTION
2.1. INTRODUCTION TO CBS
Core Banking Solution (CORE):
C • Centralised
O • Online
R • Real Time
E • Exchange/Environment
2.2. CHARACTERISTICS OF CBS
2.3. EXAMPLES OF CBS
2.4. KEY MODULES OF CBS
[Figure: Key modules of CBS]
Core of CBS: Central Server comprising of App Server & Database Server
Back End Applications: Back Office; Data Warehouse; Credit Card System; ATM Switch
Front End Applications: Mobile Banking; Internet Banking; Phone Banking; Branch Banking
S No. Modules Explanation
1 Back Office … compliance, Accounts & IT.
2 Data warehouse
▪ Banking professionals use data warehouses to simplify and standardize the way they gather data and finally get to one clear version of the truth.
3 Credit Card system
▪ It provides services of
➢ Customer Management
➢ Credit Card Management
➢ Customer Information Management
➢ Online transaction authorization
➢ Support for Payment Applications
4 ATM
▪ It is an electronic Banking outlet that allows customers to do basic banking transactions without the help of any branch official.
▪ A debit card or credit card is needed to access the ATM.
▪ Enables the customer to perform
➢ quick self-service online transactions like Deposit, Withdrawal etc.
➢ to more complex transactions like bill payments.
5 Mobile Banking and Internet Banking
▪ Internet Banking
▪ Mobile Banking
▪ Phone Banking
6 Branch Banking
▪ Due to CBS, front end & back-end processes within a bank have been automated, resulting in seamless workflow. The branch confines itself to the following key functions:
a) Creating manual documents capturing data required for input into s/w.
b) Initiating Beginning of Day (BOD) operations
c) End of Day (EOD) operations
d) Reviewing reports for control and error correction.
e) Internal Authorization.
2.5. CORE FEATURES OF CBS (OTHER THAN BANKING SERVICES)
In addition to the basic banking services that a Bank provides through use of CBS, the technology enables Banks to add the following features to its service delivery:
i) Online real time processing
ii) Transactions are posted immediately
iii) All databases updated simultaneously
iv) Centralized operations [All data stored in one common database]
v) Anytime, anywhere access to customers and vendors
vi) Banking access through multiple channels like mobile, web etc.
vii) Remote interaction with customers
viii) Automatic processing of standing instructions like auto deduction from the credit balance on a specified date.
3. COMPONENTS & ARCHITECTURE OF CBS
3.1. TECHNOLOGY COMPONENTS OF CBS
3.2. KEY ASPECTS BUILT WITHIN ARCHITECTURE OF CBS
1. Information flows: This facilitates information flow within the Bank and increases speed and accuracy of decision-making.
2. Customer Centric: This enables the Bank to target customers with the right offers at the right time to increase profitability.
3. Regulatory Compliance: This has a built-in and regularly updated regulatory platform which ensures compliance by Banks with complex regulations. E.g. maintaining the required % of CRR, SLR.
4. Resource optimization: This optimizes resource utilisation through improved asset sharing, reusability, faster processing and increased accuracy.
3.3. CBS IT ENVIRONMENT
g) Proxy Server
▪ It is a computer that offers an indirect n/w connection to other network servers.
▪ The client connects to the proxy server and then requests a connection, file or resource available on a different bank server.
h) Anti-virus Software Server
▪ It is used to host anti-virus software. It is installed to ensure that all s/w being deployed on CBS is first scanned to ensure that it is free from virus/malware.
3.4. FUNCTIONAL ARCHITECTURE OF CBS
CBS is the ERP software of a Bank. It covers all aspects of Banking operations from
➢ micro to macro operations and covers all Banking services ranging from
➢ back office to front office operations
➢ transactions at counter to online transactions &
➢ G.L. to reporting.
However, it is modular in nature & it is implemented for all functions or core functions as decided by management.
Implementation depends on the need and criticality of the specific Banking service provided by the Bank.
Example: If FOREX transactions of the Bank are minimal, related functions may not be implemented.
3.5. IMPLEMENTATION OF CBS
Deployment and implementation of CBS should be controlled at various stages to ensure that the Bank's automation objectives are achieved.
1. Planning: Planning for implementation of CBS should be done as per the Bank's strategic and business objectives.
2. Approval: Since high investment and recurring costs are involved, the decision must be approved by the B.O.D.
3. Selection: There are multiple vendors of CBS, and each solution has key differentiators. The Bank should select the right one as per its objectives & requirements.
4. Design & Develop or Procure: Earlier, CBS was developed in-house by Banks. Currently, it is mostly procured. There should be control over design and development or procurement of CBS.
5. Testing: Extensive testing must be done before CBS goes live. Testing is done at various phases:
- at procurement stage (to test suitability)
- at data migration (to ensure all existing data is migrated)
- at testing of processing of different types of transactions of all modules (to ensure correct results are produced)
6. Implementation: Must be implemented as per the pre-defined & agreed plan in a time bound manner.
7. Maintenance: CBS needs to be properly maintained. E.g. fixing program bugs.
8. Support: To ensure it is working effectively.
9. Updation: CBS must be updated based on changing requirements of business, technology & regulatory compliance.
10. Audit: Should be done internally & externally to ensure controls are working as expected.
4. CBS RISKS, SECURITY POLICY & CONTROLS
4.1. RISKS ASSOCIATED WITH CBS
1. Operational Risk: Refers to the risk arising from direct or indirect loss to the Bank due to inadequate or failed
➢ internal processes, people & systems.
Operational risk necessarily excludes business risk and strategic risk.
The components of operational risk include:
Transaction Processing Risk: Arises because of faulty reporting of important market developments to Bank management. May also occur due to errors in entry of data for processing.
Information Security Risk: Refers to risk arising due to use of information systems & the environment in which these systems operate.
Legal Risk: Refers to risk arising because of
➢ treatment of clients,
➢ sale of products, or
➢ business practices of a Bank.
Compliance Risk: Refers to exposure to legal penalties & loss an organization can face when it fails to act as per industry laws and regulations.
People Risk: Refers to risk arising from
➢ lack of trained key personnel,
➢ tampering of records and
➢ nexus between front and back-end offices.
2. Credit Risk: Refers to the risk of an asset/loan becoming irrecoverable due to outright default, or the risk of unexpected delay in servicing of the loan.
A form of counter party risk since the Bank and the borrower usually sign a loan contract.
3. Market Risk: Refers to the risk of losses in the Bank's trading book due to changes in
➢ equity price; commodity price; interest rate; foreign currency rate etc.
To manage this risk, the Bank deploys highly sophisticated mathematical & statistical techniques.
4. Strategic Risk / Business Risk: Refers to the risk that earnings will decline due to change in the business environment. E.g. new competitor, change in customer demand etc.
5. IT Related Risk: Some of the common IT risks related to CBS are as follows:
a) Ownership of Data / Process: Data is stored in a data center. The Bank must establish clear ownership of data so that accountability can be fixed and unwanted changes to the data can be prevented.
b) Authorization process: It ensures only authorized persons can enter data in CBS. If the authorization process is not robust, unauthorized persons can access customer information & other sensitive data.
c) Authentication process: Username, password, PIN and OTP are commonly used for the authentication process.
d) Several S/w Interfaces across diverse N/w: A data center may have as many as 100 different interfaces & application software. It requires adequate infrastructure like uninterrupted power supply, backup generator etc.
e) Maintaining response time: Maintaining optimum response time & uptime can be challenging.
f) Access Control: Since the Bank is subjected to all types of attack, designing access control is a challenging task.
g) Change management: It reduces the risk that the new system is rejected by users. However, it requires changes at the application level & data level of the DB - master files, transaction files and reporting software.
Large organizations like financial institutions and Banks need to have a laid-down framework for security with proper organization structure and defined roles and responsibilities within the organization.
Since Banks deal in third party money and need to create a framework of security for their systems, this framework needs to be of global standards to create trust in customers in and outside India.
Information security → Refers to ensuring CIA of information. It is critical to mitigate the risk of information technologies.
RBI has suggested use of ISO 27001:2013 to implement information security. It has also advised obtaining ISO 27001 certification for data centers.
Information security comprises the following sub-processes:
a) Info Security Policies, Procedures & Practices: Refers to processes related to approval & implementation of information security. The I.S. policy is the basis for developing detailed procedures & practices for I.S. security & implementing it.
b) User Security Administration: Refers to the security of various users of I.S. It defines how users are created and access is granted or disabled as per organization structure & access matrix.
c) Application Security: Refers to how security is implemented at various aspects of the application. E.g. event logging.
d) Database security: Refers to how security is implemented at various aspects of the database. E.g. RBAC.
e) Operating system security: Refers to how security is implemented at various aspects of the OS.
f) Network security: Refers to how security is implemented at various aspects of network & connectivity to the servers. E.g. use of VPN for employees, implementation of firewalls etc.
g) Physical Security: Refers to how security is implemented for physical access. For example - disabling the USB ports.
e) Security breach may go undetected → Access to sensitive data is logged and the log should be reviewed regularly by management.
f) Inadequate preventive measures for servers and IT systems in case of environmental threats like flood, fire etc. → Adequate environmental controls should be implemented like fire alarm, disaster recovery plan, back up etc.
4.3. INTERNAL CONTROL SYSTEM IN BANKS
I.C. helps mitigate risk and must be integrated in the IT solution implemented at the Bank's branches.
Objectives of I.C. in Bank:
a) Ensuring accuracy and completeness of A/c records
b) Timely preparation of reliable F.S.
c) Orderly & efficient conduct of business
d) Compliance with regulatory requirements
e) Safeguarding of assets through prevention & detection of fraud.
f) Adherence to management policy.
Examples of I.C.:
i) Maker Checker process - Work of one staff member is checked by another irrespective of the nature of work.
ii) A system of job rotation among staff exists.
iii) Financial and administrative powers of each employee are fixed & communicated.
iv) All books are to be regularly balanced and confirmed by an authorized official.
v) Fraud prone items like currency, valuables etc. should be in the custody of 2 or more officials of the Bank.
vi) Details of lost security forms are immediately sent to the controlling authority.
4.4. IT CONTROLS IN BANK
IT risks are mitigated by implementing the right type & level of IT controls in the automated environment.
This is done by integrating controls into the Info Tech/CBS.
Examples:
a) System maintains records of all log-ins and log-outs.
b) Transaction is allowed to be posted in a Dormant A/c only with supervisory password.
c) System checks whether the amount to be withdrawn is within the drawing power.
d) Access to the system is available only b/w stipulated hours & on specified days only.
e) User timeout is prescribed [auto log out in case system is inactive].
f) User should be given access on a "need to know" basis.
g) Once end of day operations are over, the ledger can't be opened w/o supervisory password.
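An added illustration, not from these notes or any bank's CBS, that models controls (a) to (e) above together with the maker-checker rule from 4.3 as a Python authorization gate over a single withdrawal; the access hours, timeout, accounts and users are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed settings for this illustration (assumptions, not any bank's real configuration)
ACCESS_HOURS = (9, 18)                      # control (d): usable from 09:00 up to 18:00
ACCESS_DAYS = {0, 1, 2, 3, 4}               # control (d): Monday to Friday only
INACTIVITY_TIMEOUT = timedelta(minutes=10)  # control (e): idle session counts as logged out

@dataclass
class Account:
    number: str
    balance: float
    overdraft_limit: float = 0.0  # sanctioned limit; drawing power = balance + limit
    dormant: bool = False

@dataclass
class Session:
    user: str
    role: str                     # "clerk" or "supervisor"
    last_activity: datetime

def record(log, event, **detail):
    """Control (a): every request and decision is appended to the review log."""
    log.append({"event": event, **detail})

def drawing_power(account):
    """Control (c): amount the customer may draw = balance plus sanctioned overdraft."""
    return account.balance + account.overdraft_limit

def within_access_window(now):
    """Control (d): access only on specified days and between stipulated hours."""
    return now.weekday() in ACCESS_DAYS and ACCESS_HOURS[0] <= now.hour < ACCESS_HOURS[1]

def session_active(session, now):
    """Control (e): a session idle longer than the timeout is treated as logged out."""
    return now - session.last_activity <= INACTIVITY_TIMEOUT

def deny(log, reason):
    record(log, "denied", reason=reason)
    return False, reason

def authorize_withdrawal(account, amount, maker, checker, now, log):
    """Apply the controls to one withdrawal entered by maker and authorized by checker.
    A dormant account needs a supervisor as checker (control (b)). Returns (posted, reason)."""
    record(log, "request", user=maker.user, account=account.number, amount=amount, at=now.isoformat())
    if not within_access_window(now):
        return deny(log, "outside stipulated hours/days")
    if not session_active(maker, now):
        return deny(log, "maker session timed out")
    if checker.user == maker.user:
        return deny(log, "maker-checker violation: same user cannot authorize own entry")
    if account.dormant and checker.role != "supervisor":
        return deny(log, "dormant account needs supervisory authorization")
    if amount > drawing_power(account):
        return deny(log, "amount exceeds drawing power")
    account.balance -= amount
    record(log, "posted", account=account.number, amount=amount, maker=maker.user, checker=checker.user)
    return True, "posted"

def run_scenario():
    # Constructed sample run on a Wednesday at 11:00; returns results, balances and the log
    log = []
    now = datetime(2024, 3, 6, 11, 0)
    acct = Account("ACC001", balance=1000.0, overdraft_limit=500.0)
    dormant = Account("ACC002", balance=5000.0, dormant=True)
    clerk = Session("clerk1", "clerk", now - timedelta(minutes=2))
    clerk2 = Session("clerk2", "clerk", now)
    sup = Session("sup1", "supervisor", now)
    stale = Session("clerk3", "clerk", now - timedelta(minutes=30))
    results = [
        authorize_withdrawal(acct, 1200.0, clerk, sup, now, log),       # within drawing power 1500
        authorize_withdrawal(acct, 400.0, clerk, sup, now, log),        # drawing power is now 300
        authorize_withdrawal(acct, 100.0, clerk, clerk, now, log),      # maker authorizing own entry
        authorize_withdrawal(dormant, 100.0, clerk, clerk2, now, log),  # dormant, checker not a supervisor
        authorize_withdrawal(dormant, 100.0, clerk, sup, now, log),     # dormant, supervisor authorizes
        authorize_withdrawal(acct, 50.0, stale, sup, now, log),         # maker session timed out
        authorize_withdrawal(acct, 50.0, clerk, sup, datetime(2024, 3, 9, 11, 0), log),  # Saturday
    ]
    return results, acct.balance, dormant.balance, log
```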
4.5. APPLICATION S/W - CONFIGURATION, MASTERS, TRANSACTIONS AND REPORTS
There are 4 gateways through which an enterprise can control, access & use the various menus and functions of software. Examples of each are given below:
5. CORE BUSINESS PROCESSES – RELEVANT RISKS & CONTROLS
5.1. CURRENT ACCOUNT SAVING ACCOUNT [CASA]
5.2. CREDIT CARD
Credit Card Process Flow of Sale - Authorization Process of Credit Card Facilities
Same as CASA
Process Flow - Using Credit Card / Authorisation Process of Credit Card facilities
Risks & Controls w.r.t. Credit Card – Same as CASA (first 4 points)
5.3. MORTGAGE LOAN
5.4. LOAN AND TRADE FINANCE PROCESS
Lending business is the main business of a Bank. It is carried on by the bank by offering various credit facilities.
It carries inherent risks and the Bank can't lend beyond calculated risk.
Bank should ensure:
a) Proper recovery of funds lent by it; and
b) Being aware of legal remedies & laws w.r.t. credit facilities provided by it.
Process Flow - Loan Disbursal / Credit Facility Utilisation & Income Accounting
[Figure: Customer ↔ Bank - Provide credit facility after verifying credit limit in loan disbursal system]
Fund Based Credit Facilities
Funds are disbursed and loan is recorded in CBS as recoverable.
3 Accounting Entries
a) On booking loan
Loan A/c – Dr
To Customer A/c
b) On booking Interest/Discounting Income [accrued daily]
Customer A/c – Dr
To Interest
c) On maturity
Customer A/c – Dr
To Loan A/c
Non-Fund Based Credit Facilities
Facilities are granted.
3 Accounting Entries
a) On booking Facility
Contingent Asset – Dr
To Contingent Liability
b) On booking Commission Income [accrued over tenure of Guarantee/L.C.]
Customer – Dr
To Commission
c) On maturity
Contingent Liability – Dr
To Contingent Asset
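The six entries above worked through in a small double-entry ledger, as an added example that is not part of the original notes; the daily interest accrual, the even monthly accrual of commission, and the sample amounts are assumptions.

```python
from collections import defaultdict


class Ledger:
    """Minimal double-entry ledger: a debit adds to, a credit subtracts from, an account balance."""

    def __init__(self):
        self.balances = defaultdict(float)
        self.journal = []  # (narration, [(account, debit, credit), ...])

    def post(self, narration, lines):
        """Post one journal entry; an entry whose debits and credits differ is rejected."""
        debits = sum(dr for _, dr, _ in lines)
        credits = sum(cr for _, _, cr in lines)
        if abs(debits - credits) > 1e-9:
            raise ValueError(f"unbalanced entry: {narration}")
        for account, dr, cr in lines:
            self.balances[account] += dr - cr
        self.journal.append((narration, lines))

    def trial_balance_ok(self):
        """Every balanced posting keeps the sum of all account balances at zero."""
        return abs(sum(self.balances.values())) < 1e-9


def book_fund_based_loan(ledger, principal, annual_rate, days):
    """Entries (a)-(c) for a fund based facility; interest accrues daily. Returns total interest."""
    ledger.post("a) On booking loan",
                [("Loan A/c", principal, 0.0), ("Customer A/c", 0.0, principal)])
    daily = principal * annual_rate / 365  # assumption: simple daily accrual on a 365-day year
    for day in range(1, days + 1):
        ledger.post(f"b) Interest accrual day {day}",
                    [("Customer A/c", daily, 0.0), ("Interest", 0.0, daily)])
    ledger.post("c) On maturity",
                [("Customer A/c", principal, 0.0), ("Loan A/c", 0.0, principal)])
    return daily * days


def book_non_fund_based_facility(ledger, amount, commission, tenure_months):
    """Entries (a)-(c) for a guarantee/L.C.; commission accrues evenly over the tenure."""
    ledger.post("a) On booking facility",
                [("Contingent Asset", amount, 0.0), ("Contingent Liability", 0.0, amount)])
    monthly = commission / tenure_months  # assumption: straight-line accrual per month
    for month in range(1, tenure_months + 1):
        ledger.post(f"b) Commission accrual month {month}",
                    [("Customer A/c", monthly, 0.0), ("Commission", 0.0, monthly)])
    ledger.post("c) On maturity",
                [("Contingent Liability", amount, 0.0), ("Contingent Asset", 0.0, amount)])
    return monthly * tenure_months


if __name__ == "__main__":
    # Constructed sample: a 10-day loan of 36,500 at 10% p.a. and a 12-month guarantee of 1,00,000
    lg = Ledger()
    print("interest accrued:", book_fund_based_loan(lg, 36500.0, 0.10, 10))
    print("commission accrued:", book_non_fund_based_facility(lg, 100000.0, 1200.0, 12))
    print(dict(lg.balances), "trial balance ok:", lg.trial_balance_ok())
```

After maturity the Loan A/c and both contingent accounts return to zero, leaving only the accrued Interest and Commission income against the Customer A/c.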
5.5. TREASURY PROCESS
Core Areas of Treasury Operations – can be divided into the following broad compartments:
Front office | Middle office | Back office
Front office
F.O. operations consist of dealing room operations where dealers enter into deals/trades with corporate & inter-bank counter parties.
Deals are entered by dealers on various trading platforms like telephone, broker & other private channels.
Dealer is responsible for checking
- Counter party credit line
- Eligibility & other regulatory requirements of the Bank before entering into a deal with customers.
All risks are borne by the dealer.
Middle office
M.O. operations include
a) Risk Management
b) Pricing & Valuations
c) Responsible for Treasury A/c
d) Documentation of various deals &
e) Producing financial result analysis & budget forecast &
f) Preparing financial statements for regulatory reporting.
Back office
It supports the front office. B.O. operations include
a) Confirmation of deals entered by front office team
b) Settlement of funds/securities
c) Performing front office and back-office reconciliation to ensure accuracy & completeness of all deals in a day
d) Checking and confirming existence of a valid & enforceable ISDA (International Swap Dealers Association) Agreement.
e) Insufficient securities available for settlement → Effective controls on security & margins.
f) Insufficient funds available for settlement → Effective controls on security and margins.
5.6. INTERNET BANKING PROCESS
5.7. E-COMMERCE TRANSACTION PROCESSING
Most e-Commerce transactions involve advance payment either through a credit or debit card issued by a bank.
The figure below highlights the flow of a transaction when a customer buys online from a vendor's e-commerce website.
6. APPLICABLE REGULATORY AND COMPLIANCE REQUIREMENTS
6.1. BANKING REGULATION ACT, 1949
It regulates all Banking Companies in India including co-operative Banks. It provides the framework for regulation and supervision of commercial Banks.
It gives RBI power to:
a) License Banks
b) Regulate shareholding and voting rights
c) Supervise appointment of BOD and Management
d) Control merger and acquisition, liquidation
e) Impose penalties
f) Control moratorium [period of time during which borrower need not pay EMI on loan]
g) Issue directives to Banks in the interest of public & Bank.
h) Give instructions for audit.
RBI also provides
i) the tech platform for NEFT and RTGS & other central processing (clearing house).
ii) guidelines on how to deploy IT.
6.2. NEGOTIABLE INSTRUMENTS ACT, 1881
Cheque:
➢ Truncated Cheque i.e. electronic image of a paper cheque
➢ Electronic cheque i.e. cheque in electronic form
The NI Act gives validity & enforceability to these two types of cheque.
6.3. RBI REGULATIONS
RBI was established on 1st April, 1935 as per the RBI Act, 1934.
Key functions of RBI:
1. Monetary authority: RBI formulates, implements & monitors monetary policy with the objective of:
a) maintaining price stability; and
b) ensuring adequate flow of credit to productive sectors
Tools: CRR, SLR, open market operations
2. Issuer of Currency: Issues, exchanges or destroys currency and coins with the objective of providing an adequate quantity of supply of currency notes and coins in good quality.
3. Regulator and Supervisor of the Financial System: RBI regulates the financial system with the objective of
➢ maintaining public confidence;
➢ protecting depositors' interest; and
➢ providing cost effective banking services to the public.
6.4. PREVENTION OF MONEY LAUNDERING ACT, 2002
Objective of ML: To conceal the existence, illegal source, or illegal application of proceeds of crime and to make it appear clean/legitimate.
It is used by criminals to make dirty money appear clean.
6.4.1. ANTI-MONEY LAUNDERING (AML) USING TECHNOLOGY
A Bank can be used in M.L. as the primary means for placement and layering of proceeds of crime as it acts as a means to transfer money across geographies, A/cs & currencies.
The challenge is even greater for Banks using CBS as all transactions are integrated. With regulators adopting stricter regulations on Banks and enhancing their enforcement efforts, Banks are using special fraud and risk management S/w to:
a) Prevent and detect M.L.
b) Process and report suspicious transactions daily.
6.4.2. FINANCING OF TERRORISM
Money to fund terrorist activities moves through the global financial system via wire transfers and in and out of personal and business accounts.
It is a form of M.L. but it does not work the way conventional M.L. works. Money starts as clean, i.e. as a "charitable donation", before moving to a terrorist A/c.
It is highly time sensitive, requiring quick response.
➢ projecting or claiming it as untainted property
➢ shall be guilty of offence of money-laundering.
Sec 12 Reporting entities to maintain Records: Reporting Entities are required to:
1) Maintain records of all transactions that enable it to reconstruct individual transactions.
Records are to be maintained for at least 5 years from the date of the transaction b/w client and Reporting Entity.
2) Furnish information w.r.t. such value & nature of transactions to the Director, whether attempted or executed, as prescribed.
3) Maintain records of identity of client & beneficial owner, account file and business correspondence for 5 years after the
a) business relation b/w client and R.E. ended; or
b) A/c has been closed;
whichever is later.
Sec 13 Power of Director to impose fine:
▪ The Director may, either on own motion or on application made by any authority, officer or person, make such enquiry from R.E. as may be deemed necessary.
▪ If the Director is of the opinion that due to the nature & complexity of the case an audit of records is necessary, he may direct R.E. to get the records audited by an Accountant [CA] from a panel of CAs maintained by CG.
▪ Expenses of audit & incidental expenses are to be borne by CG.
▪ If the Director, during the course of enquiry, finds that R.E. or its designated director or Board or any of its employees failed to comply with PMLA, he can:
a) Issue a warning in writing; or
b) Direct such R.E. or its designated director or Board or employee to comply with specific instructions; or
c) Direct R.E., its designated director or Board or any of its employees to send reports at prescribed intervals; or
d) Impose a monetary penalty on R.E., its designated director or Board or any of its employees of not less than 10,000 & which may extend upto 1 lakh for each failure.
Section 63 Punishment for false information or failure to give information, etc.: Any person who wilfully and maliciously gives false information, causing an arrest or a search to be made of another person under this Act, shall be liable for
➢ imprisonment for a term which may extend to two years; or
➢ fine which may extend to fifty thousand rupees; or
➢ both.
If a person
a) refuses to answer any question asked by the Authority under PMLA; or
b) refuses to sign any statement made by him before the Authority, as legally required; or
c) omits to attend or produce books of A/c at the time & place required by the Authority;
he shall be liable to
➢ penalty of not less than 500 and which may extend to 10,000 for each default or failure.
Before an order is passed imposing penalty, an opportunity of being heard shall be given to such person by the Authority.
Section 70 Offence by Company: In case of contravention by a Company,
➢ every person who was in charge of the Company at the time of contravention as well as
➢ the Company shall be deemed to be
➢ guilty of the contravention & punished accordingly.
No liability / punishment of such person if he proves that:
a) the contravention took place w/o his knowledge; or
b) he exercised all due diligence to prevent such contravention.
6.5. INFORMATION TECHNOLOGY ACT, 2000
The Amendment Act 2008 provides stronger privacy and data protection measures as well as implementation of reasonable information security by implementing ISO 27001 or equivalent certifiable standards to protect against cyber-crimes.
For the banks, the Act exposes them to both civil and criminal liability.
The civil liability could consist of exposure to pay damages by way of compensation up to 5 crores.
The criminal liability exposure may be to the top management of the Banks and it could consist of
➢ imprisonment for a term which would extend from three years to life imprisonment as also fine.
6.5.1. CYBER CRIME
A Bank is prone/susceptible to cyber-crime as it deals with money. Using technology, fraud can be committed across countries w/o leaving a trace.
Hence, CBS and Banking s/w should have a high level of controls covering all aspects of cyber-crime. ISO 27001 must be implemented for information security.
7. BASEL III NORMS & AI IN BANKING INDUSTRY