Eis Chalisa


Automated Business Processes

CHAPTER 1

AUTOMATED BUSINESS PROCESSES

1. BUSINESS PROCESS

▪ Business Process is a co-ordinated & standard set of activities
➢ to accomplish specific objectives of an organization
➢ set by Top Management as per their vision & mission.
▪ Key guiding factor for any Business Process shall be Top Management Vision & Mission.
▪ The success or failure of an organization is dependent on how meticulously business processes have been
designed and implemented.
▪ Business Process Management is the
➢ systematic approach to improving Business Processes which
➢ helps an organization to achieve the 3E’s i.e., Efficiency, Effectiveness & Economy.
▪ It is a 24x7 process to ensure improvement in all parameters.

Types of Business Processes (the Vision & Mission of Top Management is achieved by implementing these):

Operating Processes
▪ Deal with a) core business & value chain; & b) delivery of value directly to customers by providing goods or services or both.
▪ Represent essential business activities to achieve goals/ objectives of business.
▪ E.g. Order to Cash [O2C]; Procure to Pay [P2P]; Developing Products, Manufacturing, Marketing etc.

Supporting Processes
▪ Help improve efficiency of Organization by providing support to business functions in organization.
▪ Do not provide value to customers directly.
▪ However, hiring the right people for the right job has a direct impact on efficiency of the Enterprise.
▪ E.g. Accounting, HR, IT, Legal, Work-place safety.

Management Processes
▪ Monitor, measure & control activities related to Operating Processes & Supporting Processes.
▪ Like Supporting Processes, do not provide value to customers directly but have a direct impact on the efficiency of the Enterprise.
▪ E.g. Strategic Planning, Budgeting, Infra capacity Management, Internal communication etc.

Page | 1

2. BUSINESS PROCESS AUTOMATION – REMOVING HUMAN INTERVENTION

▪ It is technology-enabled automation of activities or services to achieve a specific function/ task/ objective.
▪ This can be done for different functions like Sales, Purchase, Supply Chain Management, HR, IT etc.
▪ It involves use of integrated Apps & s/w in automating business processes throughout the Organisation.
▪ BPA enables business processes to operate effectively and efficiently.

Features/ Objectives/ Factors affecting success of BPA
BPA objectives shall be achieved when BPA ensures the following:
a) Confidentiality - To ensure that data is only available to persons who have the right to see it.
b) Integrity - To ensure that there is no unauthorized change/ amendment in data.
c) Availability - To ensure that data is available when asked for.
d) Timeliness - To ensure that data is available at the right time.
To ensure that the above parameters are met, BPA needs to have appropriate internal controls.

Advantages/ Benefits of BPA
a) Quality & consistency - Ensures every action is performed identically to provide a reliable & consistent experience to stakeholders.
b) Time saving - It reduces the no. of tasks required to perform an activity. This saves time & adds value.
c) Reduced cost - It enables simultaneous performance of tasks using fewer resources. So cost, especially labour cost, reduces.
d) Reduced turnaround time - BPA eliminates unnecessary tasks & streamlines the BP. Info. flows in a better way, resulting in reduced turnaround time.
e) Improved operating efficiency - Since time consumed & cost required to do a task reduce.
f) Governance & reliability – Consistency of the Business Process means stakeholders can rely on the BP to offer quality service to customers.

3. WHICH BUSINESS PROCESSES SHOULD BE AUTOMATED?

▪ Every business process is not a good fit for automation. Companies tend to automate those business
processes that are time and resource-intensive or those that are subject to human error.
▪ Following are a few examples of processes that are best suited to automation:
1. Processes involving high volume of tasks or repetitive tasks → Automating these processes results in reduction of cost and work efforts. E.g. making purchase orders; generating invoices etc.
2. Processes requiring multiple people to execute tasks → Automating these processes results in reduction of waiting time and in costs. E.g., Help desk services; Tracking of goods etc.
3. Time-sensitive processes → BPA results in streamlined processes and faster turnaround times. It eliminates wasteful activities and focuses on enhancing tasks that add value. For example - online banking system, railway/aircraft operating and control systems etc.
4. Processes involving need for compliance and audit trail → Since every detail of a particular process is recorded, these details can be used to demonstrate compliance during audits. For example - invoice issue to vendors, Employee management system i.e. Salary calculations & employee Attendance.
5. Processes having significant impact on other processes and systems → Some processes are cross-functional and have significant impact on other processes and systems. E.g., the marketing department may work with the sales department. Automating these processes results in easy sharing of information resources and improving the efficiency and effectiveness of business processes.

4. CHALLENGES INVOLVED IN BUSINESS PROCESS AUTOMATION

1. Automating Redundant Processes → Sometimes organizations start off BPA by automating the processes they find suitable for automation without considering whether such processes are necessary and create value. In other cases, some business processes and tasks require a high amount of tacit knowledge (that cannot be documented and transferred from one person to another) and therefore require employees to use their personal judgment.
2. Defining Complex Processes → This requires a detailed understanding of the underlying business processes to develop an automated process.
3. Staff Resistance → Human factor issues are the main obstacle to the acceptance of automated processes. Staff may see BPA as a way of reducing their decision-making power. Moreover, the staff may perceive automated processes as a threat to their jobs.
4. Implementation Cost → The implementation of BPA involves significant costs like acquisition cost of automated systems & special skills required to operate and maintain these systems.

5. BPA IMPLEMENTATION:

Steps → Explanation
i) Define why we plan to implement BPA → The answer to this question provides justification for implementing BPA. A list of generic reasons for justifying BPA may include-
a) Errors in manual process leading to enhanced cost.
b) Payment process not streamlined, leading to duplicate payment.
c) Payment for goods/ services supplied not received on time.
d) Poor debtor management system leading to more bad debts.
e) Poor customer services.
f) Delay in furnishing documents during audit.
ii) Understand Rules/ Regulations under which business performs → Any BPA must comply with applicable laws & regulations. Hence it is essential to understand the Rules/ Regulations under which the business performs. E.g. Books of A/c must be maintained for the specified time as per the Income Tax Act.
iii) Document the process we want to automate → All current processes & documents which are planned to be automated must be correctly & completely documented.
Things to be kept in mind-
a. What docs need to be captured?
b. Where do docs come from - Vendor or accounting software?
c. What format are they in: Paper, FAX, E-mail or PDF?
d. What is the impact of regulations on processing of these documents?
e. Can there be a better way to do the same job?
Benefits:
1. Provides clarity on process.
2. Helps identify sources of inefficiencies, bottlenecks & problems.
3. Allows designing the process to focus on desired results.
iv) Define the objectives/ goals to be achieved by implementing BPA → Enables the developer & user to understand the reason for doing BPA. While determining objectives of BPA, Goals should be-
S → Specific i.e., clearly determined
M → Measurable – Easily quantifiable in monetary terms
A → Attainable – Achievable through best result.
R → Relevant – Entity must be in need of BPA.
T → Timely – Achieved within a given time frame.
v) Select BPA consultant/ Company → Entity needs to appoint an Expert who can implement BPA. Selection depends on-
a) Objectivity of consultant in understanding entity’s situation.
b) Does he have experience with the entity’s BPA?
c) Is he experienced in resolving critical issues?
d) Can he recommend a combination of H/w & S/w for BPA & implement it?
vi) Calculate ROI → It helps in convincing Top Management to say ‘Yes’ to the BPA exercise. Some of the methods for justification of BPA are-
a) Cost saving; being clearly computed and demonstrated.
b) Time saving; how BPA could lead to reduction in required manpower.
c) The cost of space regained from paper, file cabinets, etc. is reduced.
d) Eliminating fines to be paid for delayed payment & eliminating double payment.
e) Taking advantage of early payment.
f) Reducing cost of audits and lawsuits.
vii) Developing BPA → Once requirements have been documented, ROI is computed & approval of Top Management obtained, the Consultant develops the required BPA.
viii) Testing of BPA → Before making the BPA live, BPA should be tested fully to-
a) Determine how it works
b) Remove all problems
c) Enable improvement before official launch.
Testing helps increase user adoption and decreases resistance to change.
Final version of process is documented for
a) Training of new employees &
b) Future reference.

6. RISKS & THEIR MANAGEMENT

6.1. RISK

Refers to
➢ Any uncertain event that may result in loss for an organization
➢ Any uncertain event that may result in significant deviation from planned objective resulting in negative consequences

Characteristics of Risk
a) Potential loss exists due to threat/ vulnerability.
b) Uncertainty of loss expressed in terms of probability of loss; immediate direct financial loss as well as loss due to its impact in the long run like loss of reputation and business [Approx. loss].
c) Probability/ likelihood of that threat attacking the organization [%].

Sources of Risk
a) Commercial & legal relationship
b) Economic circumstance
c) Human behaviour
d) Natural Event
e) Political circumstance
f) Technology & Technical issue
g) Management activities & control

A. BUSINESS RISK

Business risk is a broad category which applies to any event or circumstances related to business goals.
Businesses face all kinds of risks ranging from serious loss of profits to even bankruptcy.
a) Strategic Risk → Risk that prevents an organization from achieving its strategic objectives. E.g. Risk related to strategy, regulatory, global market condition like recession.
b) Financial Risk → Risk that results in negative financial impact to organization. E.g. Volatility of foreign exchange rate, interest rate, liquidity risk etc.
c) Regulatory Risk → Risk that can expose organization to fines & penalties due to non-compliance with laws. E.g. - violation of law w.r.t. Taxation, Environment, Employee health.
d) Operational Risk → Risk that can prevent organization from operating in most effective and efficient capacity. E.g. - risk of loss resulting from inadequate or failed internal processes, fraud or any criminal activity by an employee etc.
e) Hazard Risk → Risks that are insurable. E.g. - Natural disaster, Asset impairment, Terrorism etc.
f) Residual Risk → Risks remaining even after counter measures are applied. All risks can’t be eliminated. They should be minimized & kept at an acceptable low level.

B. TECHNOLOGICAL RISK

BPA is technology driven and this dependence on technology has led to various challenges. All risks related
to the technology equally apply to BPA.
a) Downtime due to technology failure → Information system facilities may become unavailable due to technical problems or equipment failure.
b) Frequent change or obsolescence of Technology → Since technology keeps on evolving & is changing rapidly, there is a risk of obsolescence of tech resulting in loss.
c) Dependence on vendor due to outsourcing of IT service → BPA requires staff with specialized domain skills to manage the IT deployed. These services could be outsourced to vendors and there is heavy dependency on vendors.
d) External threat leading to cyber fraud/ crime → If I.S. can be accessed anytime & anywhere using the internet, there is a risk of fraud.
e) Proper alignment of tech with business objectives & legal requirement → Business must ensure it.
f) Higher impact due to intentional or unintentional act of employee → Employees are the weakest link in a tech environment. Employees are expected to be trusted individuals that are granted extended privileges, which can easily be abused.
g) Need to ensure continuity of business in case of major emergency → Organizations must have a well documented business continuity plan.

6.2. RISK MANAGEMENT & RELATED TERMINOLOGIES

Risk Management refers to the Process of
➢ identifying, assessing risk,
➢ taking steps to mitigate/ reduce risk to
➢ acceptable level based on Risk Appetite &
➢ monitoring it.
Effective Risk management involves
a) Identifying high level risk exposure
b) Risk appetite, i.e., ability/ willingness of entity to take risk
a) Asset → Refers to something of value to the organization; e.g., information in electronic or physical form, software systems, employees.
Assets have one or more of the following characteristics:
i) They are recognized to be of value to the organization.
ii) They are not easily replaceable without cost, skill, time, resources or a combination.
iii) They form a part of the organization’s corporate identity.
iv) Their data classification may be Proprietary, highly confidential or even Top Secret.
b) Vulnerability → Refers to a weakness in the system safeguards that exposes the system to threats. It may be a weakness in information system/s, cryptographic system (security systems), or other components (e.g., system security procedures, hardware design, internal controls) that could be exploited by a threat.
Vulnerabilities potentially “allow” a threat to harm or exploit the system.
Some examples of vulnerabilities are given as follows:
i) Leaving the front door unlocked makes the house vulnerable to unwanted visitors.
ii) Short passwords (less than 6 characters) make the automated information system vulnerable to password cracking or guessing routines.
Normally, a vulnerability has at least one of the following conditions:
i) ‘Allows an attacker to execute commands as another user’ or
ii) ‘Allows an attacker to access data that is contrary to the specified access restrictions for that data’ or
iii) ‘Allows an attacker to pose as another entity’ or
iv) ‘Allows an attacker to conduct a denial of service’.
c) Threat → Refers to any entity, circumstance, or event with the potential to harm the software system or component through its unauthorized access, destruction, modification, and/or denial of service.
A threat has the capability to attack a system with intent to harm.
Assets and threats are closely correlated. A threat cannot exist without a target asset.
Threats are typically prevented by applying some sort of protection to assets.
d) Exposure → Refers to the extent of loss the enterprise has to face when a risk materializes. It is not just the immediate impact, but the real harm that occurs in the long run.
For example - loss of business, failure to perform the system’s mission, loss of reputation, violation of privacy and loss of resources etc.
e) Likelihood → Refers to estimation of the probability that the threat will succeed in achieving an undesirable event.
f) Attack → Refers to an attempt to gain unauthorized access to the system’s services or to compromise the system’s dependability.
In software terms, an attack is a malicious intentional fault, usually an external fault, that has the intent of exploiting a vulnerability in the targeted software or system.
Basically, it is a set of actions designed to compromise CIA (Confidentiality, Integrity or Availability).
g) Counter Measure → An action, device, procedure, technique or other measure that reduces the vulnerability of a component or system is referred to as a Counter Measure.
For example, the well known threat ‘spoofing the user identity’ has two countermeasures:
a) Strong authentication protocols to validate users; and
b) Passwords should be stored in some secure location.
Similarly, for other vulnerabilities, different countermeasures may be used.

After the above analysis, strategies for managing Risk are decided. Not all risks require controls to counter them
[cost-benefit analysis].

6.3. RISK MANAGEMENT STRATEGIES / RESPONSE [5 Ts]

Tolerate/ Accept → In case of minor risk i.e., where impact or probability of occurrence is low, Management may accept the risk as a cost of doing business.
Terminate/ Eliminate → If risk is associated with use of a technology, supplier, or vendor, it can be eliminated by
➢ replacing tech with more robust products; and
➢ seeking more capable suppliers and vendors.
Transfer/ Share → Risk may be shared with trading partners & suppliers. E.g. Outsourcing of IT Infrastructure mgt. Risk can also be insured.
Treat/ Mitigate → When other options are not feasible, suitable controls must be developed & implemented a) to prevent risk from occurring, or b) to minimize its impact.
Turn Back → Where probability or impact of Risk is very low, then management may decide to ignore the Risk.

7. ENTERPRISE RISK MANAGEMENT

It is a process which is applied by –
➢ BOD, management & other personnel
➢ For strategy setting
➢ To identify potential events that may affect the entity &
➢ Manage risk within Risk appetite
➢ To provide reasonable assurance that the entity’s objectives will be achieved.
All entities face uncertainty which presents both risk & opportunity, with potential to erode or enhance
value.
ERM helps management to effectively deal with uncertainty and associated risk and opportunity and
thereby enhance its capacity to build value.
ERM is relevant for every entity, whether for profit, not-for-profit, or a governmental body.
ERM does not create risk free environment.

7.1. ENTERPRISE RISK MANAGEMENT FRAMEWORK

ERM provides a framework of eight interrelated components for risk management which involves:
➢ identifying potential threats or risks.
➢ determining how big a threat or risk is, what could be its consequence, its impact, etc.
➢ implementing controls to mitigate the risks.
i) Internal Environment → It is the foundation for risk management. It involves analysis of the organization/ entity, people of the organization & the environment in which it works.
ii) Objective setting → ERM involves setting of objectives in line with Vision & Mission of management & consistent with risk appetite of entity.
iii) Event Identification → Includes identifying uncertain events, internal as well as external, which may represent opportunity, risk or both.
iv) Risk Assessment → Involves analysis in terms of likelihood of risk & impact on entity.
v) Risk Response → Management selects risk response in line with entity risk tolerance & risk appetite. Higher Risk Appetite = Higher Risk tolerance = Lower Risk response
vi) Control Activity → Refers to policies & procedures established to mitigate risk & maintain it at acceptable level.
vii) Info & communication → Risk response & controls to be applied are communicated to relevant employees across the entity for carrying out necessary activities for risk management.
viii) Monitor entire ERM process → Entire ERM process should be monitored regularly &, if necessary, modified.

7.2. BENEFITS OF ERM

a) Align risk appetite with strategy → ERM helps in aligning risk appetite with its strategy for achieving goals.
b) Link growth, risk & return → Entities accept risk as part of value creation & expect return commensurate with risk taken.
c) Minimize operational surprise & Losses → ERM provides advanced ability to identify potential events, assess risk & respond to it.
d) Seize opportunity → ERM enables organization to identify opportunity & take advantage.
e) Enhanced risk response decision → ERM helps to identify & select alternative risk responses i.e. the 5 Ts.
f) Identify & manage Cross Enterprise risk → Entity faces various risks. Management needs to manage not only individual risk but also related risk.
g) Provide Integrated response to multiple risk → ERM helps to provide integrated solution for multiple risks.

8. CONTROLS – MEANING & IMPORTANCE

Refers to policy, procedures & practices that are designed to provide reasonable assurance that
a) Business objectives are achieved
b) Undesired events are prevented, detected or corrected
c) Risks are mitigated
d) Assets are safeguarded and
e) Efficiency and effectiveness of Business Processes are achieved.


8.1. TYPES OF CONTROLS

Manual Control → Involves physical verification that actual material received is as per PO & it is reflected correctly in vendor’s invoice.
Automated Control → Involves verification that is done automatically by computer system and exceptions highlighted.
Semi-automated Control → Involves verification that is partly manual & partly automated. E.g. verification of goods received with PO can be automated but the vendor invoice matching could be done manually in a reconciliation process.

Illustration: Order [PO] → 1000 qty of A+ grade material.

8.2. IT CONTROL OBJECTIVES

Meaning
▪ Statement of desired result or purpose to be achieved by implementing controls within an IT activity.
▪ Implementing the right type of controls is the responsibility of management.
▪ IT Controls help perform a dual role: a) Enable enterprise to achieve objective; b) Mitigate Risk.

Need
a) Control cost & remain competitive
b) To promote reliability & efficiency
c) Makes organization Resilient & helps them sustain any disruption in Business Process
d) Provides policy & guidance for directing & monitoring performance of IT activity to achieve objective

8.3. TYPES OF IT CONTROLS

IT General Control (ITGC)
It is macro in nature & pervades across the IT environment & Information System in the organization & applies to all systems & processes. It includes:
1. IT security policy → Approved by sr. Management & covers all systems & processes in the organization w.r.t. how to protect a company’s information assets.
2. Administration, Authentication & Access → There should be a proper policy for administration of the system and authorization of users in the I.S.
3. Separation of key IT functions → Org should ensure key demarcation of duties for different personnel within the IT department & ensure that there are no Segregation of Duties (SoD) conflicts.
4. Mgt of system acquisition & implementation → Process of system authorization & implementation should be controlled.
5. Proper development & implementation of App/ s/w.
6. Controls to ensure CIA and ACA of S/W & Data.
7. Change Management → IT system must change with change in business needs & environment or regulatory compliance. In such case, change mgt ensures smooth transition.
8. User training & qualification of Operations personnel → IT personnel should have the necessary skills.
9. Review of SLA with vendors to ensure services are delivered as per SLA.
10. Monitoring of system, App S/W to ensure it functions properly.

App Control
Application represents the interface between the user and the business functions.
App Controls refer to controls implemented in an App to prevent, detect & correct errors. These controls are in-built in the App and ensure CIA & ACA of data/ info. For example, in a Banking App, withdrawals are not allowed beyond limits, etc.
Example - [DEBTS]
a) Data edit i.e., Editing of data should be allowed only for permissible fields.
b) Error reporting i.e., Errors in processing are reported.
c) Exception reporting i.e., all exceptions are reported.
d) Balancing of processing totals i.e., Debit & Credit of all transactions are tallied.
e) Transaction logging i.e., all transactions are identified with a unique ID & logged.
f) Separation of Business function i.e., Authority for transaction initiation and transaction authorization should be with different personnel.

8.4. KEY INDICATORS OF EFFECTIVE IT CONTROLS

IT controls implemented in an organization are considered to be effective on the basis of the following criteria:
a) Ability to plan & execute new work like infrastructure upgradation to support new product/ service.
b) Development projects are delivered on time and within budget, and better product and service offerings
compared to competitors.
c) Ability to allocate resources predictably.
d) Protect against new threats & vulnerabilities & recover from any disruption.
e) Ensure CIA & ACA of data.
f) Heightened security awareness among users & security conscious controls.

8.5. FRAMEWORK OF INTERNAL CONTROL AS PER SA 315

SA 315 - Identifying & assessing the Risk of Material Misstatement by understanding entity & its
Environment
SA 315 defines Internal Control as
➢ Policy, practice & procedure implemented by TCWG & MGT
➢ To provide reasonable Assurance about achieving Entity’s objective regarding
a) Reliability of F.S
b) Efficiency & effectiveness of operations
c) Safeguarding of assets
d) Compliance with applicable laws & regulations.
Need for I.C → It helps organisation in ensuring RECS.
Note: I.C. mitigates Risk & does not eliminate it.

8.6. COMPONENTS OF INTERNAL CONTROL AS PER SA 315


Control Environment
▪ It is a set of Standards, processes & structure that provides the basis for implementing I.C.
▪ It comprises of: integrity & ethical values of Org; organizational structure; assignment of authority & resp.; accountability etc.
▪ BOD & Senior Mgt establish the tone at the top regarding the importance of I.C. including expected standards of conduct.

Risk Assessment
▪ It involves identification of Risks & their assessment in terms of likelihood & impact.
▪ Risk Assessment & its tolerance depend on the objective of an organization.
▪ Risk Assessment forms the basis for determining how risks will be managed.

Control Activities
▪ Refers to P, P, P (policies, procedures & practices) to a) Mitigate Risk & b) Achieve objective.
▪ They are performed at all levels of the entity and may be preventive or detective in nature.
▪ Includes elements like authorizations, approvals, verifications, reco. and business performance reviews that ensure
a) Transactions are authorized
b) Duties are segregated
c) Proper Records are Maintained
d) Assets are safeguarded

Information & Communication
▪ It is necessary for the entity to collect important info about I.C. & communicate with
a) employees for implementation of I.C. (internal)
b) external parties in response to requirements & expectations (external).

Monitoring of Control
▪ It is an ongoing & cyclic process of monitoring each of the 5 components of I.C. to ensure it is functioning smoothly.
▪ Comprises of:
➢ Ongoing evaluations built into business processes which provide timely information.
➢ Separate evaluations conducted periodically to assess risks & effectiveness of ongoing evaluations.
▪ Findings are evaluated against Mgt’s criteria and deficiencies are communicated to Mgt & BOD as appropriate.

8.7. LIMITATIONS OF IC

▪ I.C. provides reasonable assurance & not absolute assurance about achieving the entity’s objective of RECS.
▪ I.C. is subject to certain inherent limitations as follows:
a) Management consideration that the cost of I.C. should not exceed the expected benefit of I.C.
b) I.C. is not effective in case of transactions of an unusual nature, e.g., human error due to carelessness.
c) Possibility of circumvention of I.C. through collusion with employees & other parties.
d) Possibility of abuse of I.C. by persons responsible for exercising I.C. i.e. Director/ TCWG.
e) Manipulation by Mgt. w.r.t. transactions, estimates & judgements required in preparation of F.S.

9. RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES

In computerized B.P., Controls are checked at 3 levels

Configuration
▪ Refers to the way a S/W is set up initially.
▪ It defines how s/w will function & what options are displayed.
▪ Various modules of the enterprise like Procurement, Sale, HR etc. must be configured.
Examples
1) User activation & deactivation – Defining process for setting up entry to system using user ID & Password.
2) Users Access & privilege – Defining process for access to particular function of App based on Role & Responsibility.
3) Password management – Defining criteria like length of password, use of special characters, frequency of change.
4) Mapping A/C ledger with transactions.
5) Control on parameters: Creation of Customer Type, Vendor Type, year-end process.

Masters
▪ Refers to the way various parameters are set up for all modules of software, like Purchase, Sales, Inventory, and Finance etc.
▪ Masters are set up the first time during installation & these are changed whenever the business process rules or parameters are changed.
▪ Relatively permanent in nature i.e., does not change frequently.
Examples
1) Customer Master Data
2) Vendor/ supplier M.D.
3) Material M.D.
4) Employee M.D.
Common Risks for any master data
1) Change made to _____ M.D. file by unauthorised person.
2) Invalid change made to ___ M.D. file.
3) Delay in making change to _____ M.D. file.
4) M.D. file is not updated.
5) Access to ____ M.D. file not restricted to authorized user.

Transactions
▪ Actual transaction entered in App s/w by user.
▪ Changes frequently & entered by user.
▪ Ex – Sale transaction, purchase transaction, journal transaction, Payment etc.
Sample Risks (for both the Transaction and the Amount Paid: Incorrect Amount, Incorrect Period, Incorrect Party)
1) Transaction recorded with incorrect amount.
2) Transaction recorded in incorrect period.
3) Transaction recorded in incorrect Ledger.
4) Amount paid or received is not correct.
5) Amount paid/ received in incorrect period.
6) Amount paid/ received recorded against incorrect party.
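As an added illustration that is not part of the original notes, the Python routine below applies the DEBTS application controls from 8.3 (data edit, error reporting, exception reporting, balancing of totals, transaction logging, separation of business function) to journal entries and screens them for the transaction-level risks listed above (incorrect amount, period and party, the last checked against a master file). The function names, the vendor master, the open period and the sample entries are all constructed for the example.

```python
# Added example (not from the original notes): a small posting routine that
# applies the DEBTS application controls to journal entries and screens for
# the transaction risks of incorrect amount, period and party. All names
# (post_entry, VENDOR_MASTER, sample entries) are constructed for illustration.
import uuid
from dataclasses import dataclass, field
from datetime import date

# Constructed vendor master: the only party codes a transaction may reference.
VENDOR_MASTER = {"V001": "Acme Supplies", "V002": "Beta Traders"}
# Constructed open accounting period; postings outside it are an error.
OPEN_PERIOD = (date(2024, 4, 1), date(2024, 4, 30))
# Data edit control: the only field a user may change once an entry is posted.
EDITABLE_FIELDS = {"narration"}
# Exception reporting: entries above this total are posted but flagged.
EXCEPTION_LIMIT = 100_000


@dataclass
class Entry:
    party: str                 # vendor code, validated against VENDOR_MASTER
    txn_date: str              # ISO date string, e.g. "2024-04-10"
    lines: list                # (account, debit, credit) tuples
    initiator: str             # user who entered the transaction
    authorizer: str            # user who approved it
    narration: str = ""
    # Transaction logging: every entry gets a unique ID at creation.
    txn_id: str = field(default_factory=lambda: uuid.uuid4().hex)


LOG = []      # transaction log: one record per posting or edit attempt
POSTED = {}   # txn_id -> Entry for entries that passed all controls


def validate(entry):
    """Return (errors, exceptions). Errors block posting (error reporting);
    exceptions are allowed through but reported separately."""
    errors, exceptions = [], []
    # Separation of business function: initiator and authorizer must differ.
    if entry.initiator == entry.authorizer:
        errors.append("initiator and authorizer must be different users")
    # Incorrect party: the code must exist in the vendor master.
    if entry.party not in VENDOR_MASTER:
        errors.append(f"party {entry.party!r} not in vendor master")
    # Incorrect period: the date must parse and fall inside the open period.
    try:
        txn_date = date.fromisoformat(entry.txn_date)
    except ValueError:
        errors.append(f"unparseable date {entry.txn_date!r}")
    else:
        if not OPEN_PERIOD[0] <= txn_date <= OPEN_PERIOD[1]:
            errors.append(f"date {entry.txn_date} is outside the open period")
    # Incorrect amount: no negative lines, and debits must equal credits
    # (balancing of processing totals).
    if any(d < 0 or c < 0 for _, d, c in entry.lines):
        errors.append("negative amount on a line")
    debits = sum(d for _, d, _ in entry.lines)
    credits = sum(c for _, _, c in entry.lines)
    if debits != credits:
        errors.append(f"unbalanced entry: debits {debits} != credits {credits}")
    if debits > EXCEPTION_LIMIT:
        exceptions.append(f"total {debits} exceeds exception limit {EXCEPTION_LIMIT}")
    return errors, exceptions


def post_entry(entry):
    """Run the controls, log the outcome under the entry's unique ID and
    return (status, errors, exceptions)."""
    errors, exceptions = validate(entry)
    status = "rejected" if errors else "posted"
    LOG.append({"txn_id": entry.txn_id, "action": "post", "status": status,
                "errors": errors, "exceptions": exceptions})
    if not errors:
        POSTED[entry.txn_id] = entry
    return status, errors, exceptions


def edit_posted(txn_id, field_name, value, user):
    """Data edit control: only EDITABLE_FIELDS may change after posting.
    Every attempt, allowed or refused, is logged against the transaction."""
    allowed = txn_id in POSTED and field_name in EDITABLE_FIELDS
    LOG.append({"txn_id": txn_id, "action": "edit", "field": field_name,
                "by": user, "allowed": allowed})
    if allowed:
        setattr(POSTED[txn_id], field_name, value)
    return allowed


if __name__ == "__main__":
    ok = Entry("V001", "2024-04-10", [("5000", 1000, 0), ("2000", 0, 1000)],
               initiator="alice", authorizer="bob")
    print(post_entry(ok))            # ('posted', [], [])
    bad = Entry("V999", "2024-05-02", [("5000", 1000, 0), ("2000", 0, 900)],
                initiator="alice", authorizer="alice")
    print(post_entry(bad))           # rejected with four reported errors
    for record in LOG:
        print(record)
```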

9.1. SIX BUSINESS PROCESSES:

For each of the six processes, controls are examined at three levels: C = Configuration, M = Masters, T = Transactions.
▪ Procure to Pay [P2P] – C, M, T
▪ Order to Cash [O2C] – C, M, T
▪ Inventory Cycle – C, M, T
▪ Human Resource – C, M, T
▪ Fixed Asset – C, M, T
▪ General Ledger – C, M, T

1) Procure to pay [Purchase]
▪ Refers to the process of obtaining & managing RM needed for manufacturing a product or providing a service.
▪ Using automation, it is possible to have a seamless ‘procure to pay’ process covering the complete life-cycle from point of order to payment.
▪ 9 steps from MM module of ERP.
▪ Relevant Ledger: Accounts Payable
▪ Examples of Vendor Master Data file:
a) Name b) Contact Details c) Address d) Bank details e) GSTIN f) Credit Period & limit

2) Order to cash [Sale]
▪ Refers to the process of receiving an order & fulfilling the customer’s order for the required Goods & Services.
Steps/ Sub-Processes Involved
Customer order → Order Fulfillment → Delivery Note → Invoicing → Collection from Customer → Accounting
a) Customer order → Customer order received is documented
b) Order Fulfillment → Order is fulfilled or service is scheduled
c) Delivery Note → Order is shipped to customer or service is performed
d) Invoicing → Invoice is created and sent to customer
e) Collection from Customer → Customer sends payment/ Collection
f) Accounting → Payment is recorded in general ledger.
Relevant Ledger: Accounts Receivable
▪ Examples of Customer Master Data file:
a) Name b) Contact Details c) Address d) Bank details e) GSTIN f) Credit Period & limit

3) Inventory cycle
▪ Process of accurately tracking the on-hand inventory level (measured in number of days).
3 Phases Involved
a) Ordering Phase → Time required to order & receive RM.
b) Production Phase → Time taken to convert RM into Finished Goods ready for use by customer.
c) Finished Goods & delivery → Finished Goods that remain in stock & delivery time to customer.

▪ Examples of Inventory/Material Management Master Data file:
a) Stock Item b) Stock Description c) Stock Group d) Units of measurement

4) Human Resource
▪ HR lifecycle refers to HRM & covers all stages of an employee’s time within the organization & the role played by HR at each stage.
4 stages involved
a) Recruitment & onboarding
   ▪ Recruitment - Process of hiring which involves placing job ads, selecting candidates, conducting interview & choosing / finalizing etc.
   ▪ Onboarding - Process of getting successful applicant set up in organization [Id card, laptop, Access & privilege]
b) Orientation & Career Planning
   ▪ Orientation - Process by which employee becomes part of company workforce i.e., learning job, establishing relationship etc.
   ▪ Career planning - Employee & supervisor work out long-term career goals of employee.
c) Career Development
   ▪ It is essential to provide career development opportunity for retaining employee for long term.
d) Termination or transition
   ▪ Ensure all exit policies are followed, exit interviews are conducted & employee is removed from system.

▪ Examples of Employee/ Payroll Master Data file:
a) Employee Name b) Designation c) Address d) Gender e) Salary Structure

5) Fixed Assets
▪ Process of ensuring that all F.A. of enterprise are tracked for purpose of –
➢ Financial Accounting [Dep];
➢ Preventive maintenance; &
➢ Theft deterrence.
▪ It involves maintaining proper details of quantity, type, location, condition & depreciation of asset.
6 Steps Involved
1. Procuring an Asset: On purchase of an asset, entry is made in A/C system when invoice is received.
2. Registering or Adding an Asset: For depreciation purpose, details like date of acquisition, type & depreciation basis are registered.
3. Adjusting an Asset: Adjustment is required due to repair, improvement, change in basis for depreciation etc.
4. Transferring an Asset: To other branches, subsidiaries or dept. within the organization group. This needs to be reflected accurately in the fixed assets management system.
5. Depreciating an Asset: Refers to decline in economic & physical value of Asset. Depreciation should be properly calculated.
6. Disposing an Asset: When an asset is no more in use, becomes obsolete or beyond repair, it is disposed of. Any difference between the book value and realized value is reported as a gain or loss and dep is no longer charged. Mode of disposal – Sale, Abandonment or Trade-in.

▪ Examples of FA Master Data file:
a) Type b) Location c) Depreciation Basis

Risk & Control at Transaction Level
Risks: Wrong Amount; Wrong Period; Wrong Party
FA transactions: FA Acquisition; Depn; Disposal

6) General Ledger
▪ Process of recording the transaction in system to finally generate reports from system.
▪ Input for GL → Financial transaction
▪ Output for GL → Reports like BS, P&L, CFS, Ratio Analysis etc.
5 steps involved
a) Entering of financial transaction in Accounting system
b) Review of transaction [Control]
c) Approval of transaction [Control]
d) Posting of transaction
e) Generation of financial report
▪ Examples of GL Master Data file:
a) Ledger b) Group c) Voucher Type

10. REGULATORY & COMPLIANCE REQUIREMENTS

Companies Act, 2013 | IT Act, 2000

10.1. COMPANIES ACT, 2013

Section 134 [FS, BOARD’s REPORT etc.]
Director Responsibility Statement (DRS) shall state that
a) Directors had taken sufficient care for
➢ maintaining adequate A/C record
➢ safeguarding Asset of company
➢ preventing & detecting fraud & other irregularity.
b) Directors, in case of Listed Co., had laid down internal financial control & that such IFC are
➢ Adequate [adequacy of design] &
➢ Operating effectively.

Section 143 [Powers & duties of Auditor & Auditing Standard]
Auditor report shall state whether Company has
➢ adequate Internal Financial Control &
➢ operating effectiveness of such control during relevant FY.

10.2. ICAI GUIDANCE NOTES ON AUDIT OF INTERNAL CONTROL OVER FINANCIAL STATEMENTS

Management Responsibility: Section 134

Auditor Responsibility:
▪ Auditor has to express an opinion on the effectiveness of Co’s internal financial control over FR.
▪ A company’s I.C. is said to be effective if there is no material weakness in I.C.
▪ No material weakness = I.C. is effective
▪ Auditor should perform Audit to obtain sufficient evidence to get reasonable assurance that no material weakness exists in I.C.

10.3. CORPORATE GOVERNANCE

▪ CG ensures that company works in best interest of stakeholders i.e. shareholders, Govt., society, bank etc.
▪ It refers to Framework of Rules & practice by which BOD ensures
➢ Accountability
➢ Fairness and
➢ Transparency in
Co's relationship with its stakeholders.

▪ CG Framework consists of
a) Contract between Company & stakeholders for distribution of rights, responsibilities & Rewards.
b) Procedure for reconciling conflicting interest of stakeholders with their role.
c) Procedure for supervision, control & Information flow to serve as checks & balance.

11. INFORMATION TECHNOLOGY ACT 2000, AMENDED BY 2008

Introduction | Key Provisions | Objective/ Advantage | Computer Related offence | Principle of privacy | SPDI

11.1. INTRODUCTION OF IT ACT

▪ IT Act covers all internet activities in India, i.e., all online transactions in India.
▪ It provides validity & legal sanctity to all online/ Electronic Transactions, Docs, signature etc.
▪ It also provides penalties & remedies in case of non-compliance & offence.

11.2. KEY PROVISIONS OF IT ACT

Section 43 - Penalty and compensation for damage to computer, computer system, etc.
If any person, without permission of the owner or any other person who is in-charge of a computer, computer system or computer network (hereinafter ‘Computer resource’)
a) accesses or secures access to such computer resource;
b) downloads, copies or extracts any data from such computer resource;
c) damages or causes to be damaged any computer resource;
d) disrupts or causes disruption of any computer resource;
e) denies or causes the denial of access to computer resource by auth. persons;
f) destroys, deletes or alters any information residing in computer resource;
g) introduces or causes to be introduced virus etc. into any computer resource;
h) steals, conceals, destroys or alters or causes any person to steal, conceal, destroy or alter any computer source code,
he shall be liable to pay damages by way of compensation to the person so affected.

Section 43A: Compensation for failure to protect data.
Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates,
➢ is negligent in implementing and maintaining reasonable security and
➢ thereby causes wrongful loss or wrongful gain to any person,
➢ such body corporate shall be liable to pay damages by way of compensation to the person so affected.
Punishments for various Computer Related Offences

Section | Nature of Offence | Punishment
65: Tampering with Computer Source Documents | If a person knowingly or intentionally conceals, destroys or alters or causes other person to conceal, destroy or alter a source code used for a computer resource when source code is required to be kept by law. | Imprisonment – upto 3 years; or Fine – upto 2 lakhs; or Both.
66E: Punishment for violation of privacy | If a person intentionally or knowingly captures, publishes or transmits the image of a private area of any person without his or her consent. | Same as above
66C: Punishment for Identity theft | If a person fraudulently makes use of electronic signature, password or other identification feature of a person. | Imprisonment – upto 3 years; and Fine – upto 1 Lakh
66D: Punishment for cheating by personation by using computer resource | If a person cheats by personation using any computer resource. | Same as above
66: Computer Related Offences u/s 43 | If a person fraudulently does any act referred to in section 43. | Imprisonment – upto 3 years; or Fine – upto 5 Lakhs; or Both.
66B: Punishment for dishonestly receiving stolen computer resource or communication device | If a person dishonestly and knowingly receives or retains stolen computer resources or communication devices. | Imprisonment – upto 3 years; or Fine – upto 1 Lakh; or Both.

11.3. OBJECTIVE OF CYBER LAW / ADVANTAGES / WHY IT ACT WAS ENACTED

i) To grant legal recognition for transactions carried out by means of electronic data interchange or
electronic commerce in place of paper-based method of communication. [Section 4]
ii) To give legal recognition to digital signature for authentication of any information or matter, which
requires authentication under any law. [Section 3]
iii) To facilitate electronic filing of documents with Government departments. [Section 6]
iv) The Act now allows Government to issue notification on the web thus heralding e-governance.
v) To facilitate electronic storage of data.
vi) To provide legal sanction to transfer fund electronically to and between banks and financial
institutions.
vii) To provide legal recognition for keeping books of account in electronic format by bankers. [Section 4]
viii) To provide legal infrastructure to promote e-commerce and secure information system.
ix) To manage cyber-crimes at national and international levels by enforcing laws.

11.4. COMPUTER RELATED OFFENCE

‘Cyber Crime’ finds no mention either in IT Act 2000 or in any legislation of the Country. Cyber Crime is not different from the traditional crime. The only difference is that in Cyber Crime, the computer technology is involved and thus it is a computer related crime.

1. Credit card fraud: Credit card cloning is a common fraud committed against a person using a credit card.
2. Cyber Terrorism: Terrorists use virtual & physical storage media to hide info & records of illegal business.
3. Cyber pornography: It is legal in a few countries but child pornography is illegal across the world.
4. Cyber crime: Any crime using computer technology is known as cyber-crime.
5. Phishing & Email scams: Involves fraudulently acquiring PIN, Password, sensitive info by pretending/ masquerading as a trusted entity.
6. Source code theft: Source code is the most critical part of s/w & regarded as crown jewel/ Asset of company.
7. Harassment using fake profile: Harassment of a person on social media using a fake profile.
8. Online sale of illegal Articles: Involves sale of drugs, narcotics etc.
9. Webpage defacement: Homepage of a website is replaced with defamatory post or pornographic material.
10. Introducing virus, worms, Bombs & Trojan.

11.5. PRIVACY

Main principles on data protection & privacy under IT Act are
a) Defining data, Information, Computer database etc.
b) Creating civil liability if any person accesses or attempts to secure access to computer, computer system & computer network.
c) ___________ criminal liability _____________.
d) Declaring any computer, computer system or computer network as Protected.
e) Imposing penalty for breach of confidentiality & privacy.
f) Setting up hierarchy of regulatory authority, namely adjudicating authority, Appellate Authority.

11.6. SENSITIVE PERSONAL DATA INFORMATION

Personal Data: Info. relating to natural person which, directly or indirectly, is capable of identifying such person.
Section 43A of IT Act: prescribes SPDI Rules 2011 which define a data protection framework for
➢ Processing of digital data
➢ By body corporate.
SPDI (Rule 3):
a) Password,
b) Financial Info,
c) Mental / physical health condition,
d) Medical Record,
e) Biometric &
f) Sexual orientation

11.7. SCOPE OF SPDI

Applies on Body corporate which include Firm, sole proprietor or other association of individuals engaged in commercial & profession activities.
Excludes:
a) Government Bodies & individuals using big data
b) Others having no access to big data.

Rule 5 Consent to collect: Body corporate shall obtain consent in writing from provider of SPDI, before collecting SPDI, about usage of such data.

Rule 6 Consent to disclose: Disclosure of SPDI by body corporate to any third party requires permission from provider of SPDI. No permission required if-
a) Such disclosure is necessary for compliance with legal obligation
b) Such disclosure has been agreed to in contract b/w body corporate & provider of SPDI.

Financial Accounting System

C HAPTER 2

F INANCIAL A CCOUNTING S YSTEM

1. INTRODUCTION

❖ Financial Accounting System (FAS) is integral part of any business & acts as backbone for it.
❖ FAS includes other forms of business management like HR, inventory, customer relationship mgt. etc.
❖ Requirement from FAS is different for different persons & it should fulfill needs of all users simultaneously.

Accountant’s view: B.S. and P&L must be prepared easily w/o much effort & time.
Auditor’s view: B.S. and P&L must be correct at any point of time i.e. as per AS & give a true & fair view.
Business Manager/ Owner’s view: Right info at right time for right decision making.

2. CONCEPTS IN COMPUTERIZED ACCOUNTING SYSTEMS

2.1. TYPES OF DATA

MASTER DATA
a) Relatively permanent data that is not expected to change frequently i.e. can change but not frequently.
b) Example: Our Name, Address, Blood Group, Gender, Date of Birth etc.
c) Created by Database administrator.
d) Generally, not typed by the user, rather selected from the available list
▪ To maintain standardization as we need to collect all the data at one place for reporting; and
▪ To avoid confusion while preparing reports. E.g. same ledger may be written differently.

NON-MASTER DATA
a) Data which changes frequently.
b) Entered by user.
Examples
i) Amount recorded in ledger
ii) Voucher Number
iii) Date of Entry
iv) Age & weight

2.2. MASTER DATA (All business process modules must use common master data)

Accounting Master Data: Includes names of
▪ Ledgers
▪ Groups
▪ Voucher types.
Opening balance b/f.

Inventory Master Data: Includes
▪ Stock items
▪ Stock groups
▪ Inventory voucher types
(Just like a physical godown, details of stock are maintained in computer for easy search)

Payroll Master Data: System of calculating salary & recording employee related details. Includes
▪ Name of employee
▪ Group of employees
▪ Salary heads like Basic Pay, HRA, Allowances etc.

Statutory Master Data: Data related to statute/ law. Different for different taxes. No control on this data as statutory changes are made by Government.
Examples
▪ Different types of TDS, TCS, GST & their rates.

Why Master and Non-Master Data?

Basic objective of accounting system is to record input in the form of transactions and generate output in the form of reports.
Transactions → Processing → Reports

2.3. VOUCHER

Voucher Meaning
▪ Voucher is a documentary evidence of transaction. Before recording any transaction in the accounting system, it must be supported by documentary proof.
▪ Example: Receipt given to a customer after making payment by him/her is documentary evidence of amount received.
▪ In computer language, voucher is a place where transaction is recorded.
▪ It is a master data.
▪ Diff Transactions = Different vouchers.

Voucher Number
▪ Unique identity of any voucher. May be used to search for any voucher.
▪ It is a non-master data.
▪ Features / Peculiarities:
a) Voucher number must be unique.
b) Each voucher type shall have separate unique numbering series.
c) Recorded in chronological order.
d) Numbered serially.
e) May have separate suffix and prefix [Sale - 001-KKC].
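The five voucher-number features listed above are exactly the properties an auditor tests when checking a voucher population for completeness. The following is an added example, not code from the original notes or from any accounting package: it treats a voucher number as prefix-serial-suffix (the "Sale - 001-KKC" pattern is assumed to be written as "SALE-001-KKC"), and flags duplicates, numbers filed under the wrong series, gaps in the serial sequence and entries that are out of date order. The sample vouchers are constructed.

```python
"""Voucher-number series checks: uniqueness, one series per voucher type,
serial numbering without gaps, and chronological order.
Added example, not code from the original notes. The "SALE-001-KKC" format
(prefix, serial, suffix) and the sample vouchers are constructed."""
from dataclasses import dataclass
from datetime import date
import re

# Expected shape: <TYPE>-<serial>-<suffix>, e.g. "SALE-001-KKC" (assumed format)
VOUCHER_RE = re.compile(r"^(?P<prefix>[A-Z]+)-(?P<serial>\d+)-(?P<suffix>[A-Z0-9]+)$")


@dataclass(frozen=True)
class Voucher:
    number: str       # e.g. "SALE-001-KKC"
    vtype: str        # voucher type (series) the entry was recorded under
    entry_date: date  # date of entry, used for the chronological check


def parse_number(number: str) -> tuple:
    """Split a voucher number into (prefix, serial, suffix); raise on malformed input."""
    m = VOUCHER_RE.match(number)
    if not m:
        raise ValueError(f"malformed voucher number: {number!r}")
    return m["prefix"], int(m["serial"]), m["suffix"]


def check_series(vouchers: list) -> list:
    """Return the control exceptions found in a voucher population.

    Checks, one per feature in the notes:
      - duplicate voucher numbers            (must be unique)
      - prefix must match the voucher type   (separate series per type)
      - serials within a type run 1, 2, 3... (numbered serially, no gap)
      - entry dates do not go backwards      (chronological order)
    """
    findings = []
    seen = set()
    by_type = {}  # vtype -> [(serial, voucher)]
    for v in vouchers:
        if v.number in seen:
            findings.append(f"duplicate number {v.number}")
        seen.add(v.number)
        prefix, serial, _ = parse_number(v.number)
        if prefix != v.vtype:
            findings.append(f"{v.number} recorded under type {v.vtype}, series mismatch")
        by_type.setdefault(v.vtype, []).append((serial, v))

    for vtype, entries in by_type.items():
        entries.sort(key=lambda e: e[0])  # stable: equal serials keep entry order
        expected, last_date = 1, date.min
        for serial, v in entries:
            if serial > expected:
                findings.append(f"{vtype}: gap, serial {expected} missing before {v.number}")
            expected = serial + 1
            if v.entry_date < last_date:
                findings.append(f"{vtype}: {v.number} dated {v.entry_date} is out of order")
            last_date = max(last_date, v.entry_date)
    return findings


# Constructed sample population: a clean SALE pair followed by four defects.
SAMPLE = [
    Voucher("SALE-001-KKC", "SALE", date(2024, 4, 1)),
    Voucher("SALE-002-KKC", "SALE", date(2024, 4, 2)),
    Voucher("SALE-004-KKC", "SALE", date(2024, 4, 1)),  # serial 003 missing and back-dated
    Voucher("RCPT-001-KKC", "RCPT", date(2024, 4, 3)),
    Voucher("RCPT-001-KKC", "RCPT", date(2024, 4, 3)),  # duplicate number
    Voucher("PAY-001-KKC", "RCPT", date(2024, 4, 4)),   # payment number filed in receipt series
]

if __name__ == "__main__":
    for finding in check_series(SAMPLE):
        print(finding)
```

Running the block on the constructed sample reports four exceptions: the duplicate receipt number, the payment voucher filed under the receipt series, the missing SALE serial 003, and the back-dated SALE-004. A gap is reported only once per missing run, so a population that is clean apart from a missing number produces a single finding pointing at the next voucher.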

2.4. VOUCHER TYPES

Module - Accounting
1. Contra: For recording of four types of transactions as under: Cash deposit in bank; Cash withdrawal from bank; Cash transfer from one location to another; Fund transfer from our one bank account to our own another bank account.
2. Payment: For recording of all types of payments by any mode (cash/bank).
3. Receipt: For recording of all types of receipts by any mode (cash/bank).
4. Journal: For recording of all non-cash/bank transactions. E.g., Depreciation, Provision, discount given/received, Purchase/Sale of fixed assets on credit, write-off etc.
5. Sales: For recording all types of trading sales by any mode (cash/bank/credit).
6. Purchase: For recording all types of trading purchase by any mode (cash/bank/credit).
7. Credit Note: For making changes/corrections in already recorded sales/purchase transactions.
8. Memorandum: For recording of transaction which will be in the system but will not affect the trial balance. In other words, memorandum vouchers are used to record suspense payments, receipt, sales, purchase etc.

Module - Inventory
9. Purchase Order: For recording of a purchase order raised on a vendor.
10. Sales Order: For recording of a sales order received from a customer.
11. Stock Journal: For recording of physical movement of stock from one location to another.
12. Physical Stock: For making corrections in stock after physical counting.
13. Delivery Note: For recording of physical delivery of goods sold to a customer.
14. Receipt Note: For recording of physical receipt of goods purchased from a vendor.

Module - Payroll
15. Attendance: For recording of attendance of employees.
16. Payroll: For recording all employee–related transactions like salary calculations.

2.5. ACCOUNTING FLOW: 7 STEPS (5 S/W, 2 HUMAN)

Transaction → Voucher Entry → Posting → Balancing → Trial Balance → P/L → BS
(Transaction & Voucher Entry are performed by humans; Posting onwards is performed by software.)
Since the steps are mechanical, time consuming and huge efforts are required.
In few cases, voucher entry can be automated & performed by s/w automatically.
E.g. Interest calculation on monthly basis can be done by s/w automatically at the end of the month.
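The accounting flow above and the five General Ledger steps from Chapter 1 (enter, review, approve, post, report) are the same pipeline seen from two sides, and the review/approval step is where the master-data and transaction risks listed there (wrong ledger, wrong period, unbalanced amount) are caught. The block below is an added example, not code from the original notes or from any accounting package: it runs a few constructed vouchers through entry controls, a maker-checker approval, posting and a trial balance, and also shows each control rejecting a constructed bad voucher. The ledger master, the open period, the user names and the amounts are all assumptions.

```python
"""Accounting flow with the review/approval control from the General Ledger section:
enter voucher -> review & approve (a second user) -> post to ledgers -> balance -> trial balance.
Added example, not code from the original notes or from any accounting package; the
ledger master, the open period and the sample vouchers below are constructed."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

# Constructed ledger master (ledger -> group). Posting is allowed only to these
# ledgers, which addresses the "transaction recorded in incorrect ledger" risk.
LEDGER_MASTER = {"Cash": "Asset", "Bank": "Asset", "Sales": "Income",
                 "Rent": "Expense", "Capital": "Liability"}

# Constructed open period. Entries dated outside it are rejected at entry,
# which addresses the "transaction recorded in incorrect period" risk.
PERIOD_START, PERIOD_END = date(2024, 4, 1), date(2024, 4, 30)


@dataclass
class Voucher:
    number: str
    vdate: date
    maker: str
    lines: list  # [(ledger, amount)]; positive amount = debit, negative = credit
    approved_by: str = ""


class ControlError(Exception):
    """Raised when a voucher fails an input, approval or posting control."""


def enter_voucher(v: Voucher) -> Voucher:
    """Step 1 (voucher entry): period, ledger-master and debit = credit checks."""
    if not PERIOD_START <= v.vdate <= PERIOD_END:
        raise ControlError(f"{v.number}: date {v.vdate} is outside the open period")
    unknown = [ledger for ledger, _ in v.lines if ledger not in LEDGER_MASTER]
    if unknown:
        raise ControlError(f"{v.number}: ledger not in master data: {unknown}")
    if sum(amount for _, amount in v.lines) != 0:
        raise ControlError(f"{v.number}: debits do not equal credits")
    return v

def approve_voucher(v: Voucher, checker: str) -> Voucher:
    """Steps 2-3 (review, approval): the checker must not be the maker."""
    if checker == v.maker:
        raise ControlError(f"{v.number}: maker {v.maker} cannot approve own voucher")
    v.approved_by = checker
    return v

def post(vouchers: list) -> dict:
    """Step 4 (posting): only approved vouchers reach the ledgers; returns balances."""
    balances = {ledger: Decimal(0) for ledger in LEDGER_MASTER}
    for v in vouchers:
        if not v.approved_by:
            raise ControlError(f"{v.number}: not approved, cannot post")
        for ledger, amount in v.lines:
            balances[ledger] += amount
    return balances

def trial_balance(balances: dict) -> tuple:
    """Step 5 (balancing / trial balance): debit and credit columns must agree."""
    debits = {l: b for l, b in balances.items() if b > 0}
    credits = {l: -b for l, b in balances.items() if b < 0}
    if sum(debits.values()) != sum(credits.values()):
        raise ControlError("trial balance does not agree")
    return debits, credits

def run_flow() -> tuple:
    """Constructed walk-through: capital introduced, a cash sale, rent paid."""
    vouchers = [
        Voucher("RCPT-001", date(2024, 4, 1), "ram", [("Bank", Decimal(100000)), ("Capital", Decimal(-100000))]),
        Voucher("SALE-001", date(2024, 4, 5), "ram", [("Cash", Decimal(25000)), ("Sales", Decimal(-25000))]),
        Voucher("PAY-001", date(2024, 4, 10), "ram", [("Rent", Decimal(8000)), ("Bank", Decimal(-8000))]),
    ]
    approved = [approve_voucher(enter_voucher(v), checker="shyam") for v in vouchers]
    return trial_balance(post(approved))

def control_exceptions() -> list:
    """Constructed negative cases; returns the label of every case a control stopped."""
    bad = [
        ("period", Voucher("X-1", date(2024, 5, 1), "ram", [("Cash", Decimal(10)), ("Sales", Decimal(-10))])),
        ("ledger", Voucher("X-2", date(2024, 4, 2), "ram", [("Petty", Decimal(10)), ("Cash", Decimal(-10))])),
        ("balance", Voucher("X-3", date(2024, 4, 2), "ram", [("Cash", Decimal(10)), ("Sales", Decimal(-5))])),
        ("maker-checker", Voucher("X-4", date(2024, 4, 3), "ram", [("Cash", Decimal(1)), ("Sales", Decimal(-1))])),
        ("unapproved", Voucher("X-5", date(2024, 4, 3), "ram", [("Cash", Decimal(1)), ("Sales", Decimal(-1))])),
    ]
    caught = []
    for label, v in bad:
        try:
            if label == "maker-checker":
                approve_voucher(v, checker="ram")   # maker approving own entry
            elif label == "unapproved":
                post([v])                           # posting without approval
            else:
                enter_voucher(v)
        except ControlError:
            caught.append(label)
    return caught
```

run_flow() returns debit balances of Cash 25,000, Bank 92,000 and Rent 8,000 against credit balances of Sales 25,000 and Capital 100,000, so both columns total 125,000. Each of the five constructed bad vouchers is stopped by exactly one control, and nothing reaches the ledgers unless it has passed entry validation and been approved by someone other than its maker.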

2.6. FUNDAMENTALS OF ACCOUNTING

▪ Basic objective of any Accounting S/w is to generate two primary accounting reports, i.e., P&L and Balance sheet.
▪ For FAS, ledgers may be classified in two types only: Ledger having Debit Balance and Ledger having Credit Balance.
▪ Every ledger is classified in 1 of 4 categories only i.e., Income, Expense, Asset or Liability.
▪ There may be any number of sub-groups under these four basic groups. (Asset → Fixed Asset → P&M / Office Equipment / Motor vehicle)
▪ Since balance in P/L account i.e. Net Profit or Net Loss is reflected in Balance sheet, everything in accounting s/w boils down to balance sheet.
Grouping of ledgers is important as
a) it tells software what is ‘nature of the ledger’ & where it should be shown at the time of reporting.
b) it facilitates better presentation while reporting.

Note - S/w cannot prevent incorrect grouping of ledger.

3. TECHNICAL CONCEPTS – COMPUTERIZED FAS

Working of any Software/ Restaurant

FRONT END: Part of software which actually interacts with users.
BACK END: Part of software which interacts with front end but not users.

User → Front End → Back End

3.1. FRONT END & BACK END – MEANING & WHY SEPARATE?

Meaning
Front End: Part of the overall software which actually interacts with user using the software.
Back End: Part of the overall software which does not directly interact with user but interacts with Front End only.
Domain expertise
Front End: Meant for handling requests from users.
Back End: Meant for storing and handling the data.
Presentation
Front End: Meant for presenting information in proper format, different colors, etc.
Back End: Not meant for presentation and it’s not expected also.
User Experience
Front End: User interface should be simple and intuitive i.e., min help should be sought by user.
Back End: It processes raw data and there is no need of user experience.
Language
Front End: Can speak in user’s language as well as technical language.
Back End: Speaks only in technical language not understood by layman (user).
Speed
Separate back-end software is used for handling (storage/processing) data. This reduces load and increases speed.

3.2. APPLICATION SOFTWARE

Application software generally comprises three layers which together form the Application, namely an
Application Layer, an Operating System Layer and a Database Layer. This is called Three Tier architecture.
a) Application Layer receives the inputs from the users and performs certain validations like, if the user is
authorized to request the transaction.
b) Operating System Layer then carries these instructions and processes them using the data stored in
the database and returns the results to the application layer.
c) Database Layer stores the data in a certain form.

3.3. INSTALLED APP VS CLOUD BASED APP

Installed App: Program installed on hard disk of user’s computer.
Web Based App: Program installed on Co’s web server & accessed through internet connection.
Cloud Based App: Many organizations do not install financial App on their own IT infrastructure as cost may be prohibitive. They host app on internet & outsource IT Function. Common methods to achieve this are IaaS and SaaS. (Chapter 4)

3.4. DIFFERENCE BETWEEN INSTALLED APP AND CLOUD BASED APP

Installation & Maintenance
Installed App: Needs to be installed in each computer one by one. It’s time consuming and difficult to update.
Cloud Based App: Installed on Cloud. Updation and maintenance is responsibility of cloud service provider.
Accessibility
Installed App: User can access software only from the system it’s installed on. Thus, restricted accessibility.
Cloud Based App: Software is available online and can be accessed 24x7 through internet.
Mobile App
Installed App: Difficult to use software through Mobile.
Cloud Based App: It is easier to use software through mobile as data is available 24x7.
Performance
Installed App: Faster performance as data is picked from local server without internet.
Cloud Based App: It depends on speed of internet which may fluctuate, thus affecting performance.
Data storage
Installed App: Physically stored in premises of user or hard disk of user’s server computer.
Cloud Based App: Data is stored in cloud service provider’s server. Ownership of data is defined in SLA in which rights & responsibility of each party is defined.
Data security
Installed App: Full physical control of the user.
Cloud Based App: Data is not in control of user or owner. Hence, there should be Back up & disaster recovery plan.
Flexibility
Installed App: More flexible as it is easy to write desktop App using user’s hardware like processor, Camera, wi-fi etc. Disadvantage: More capex & Opex required.
Cloud Based App: Allows flexibility in respect of Capital expenditure and Opex.

Non – integrated System → System of maintaining data in decentralized way. Each dept. has its own
database separately. Two major problems:
a) communication Gap &
b) Mismatched Data (leads to confusion between various departments)

4. INTEGRATED ENTERPRISE RESOURCE PLANNING [ERP]

▪ It is an enterprise-wide integrated information system designed to
➢ co-ordinate all the info. system resources & activities needed to
➢ complete business process, such as order fulfillment.
▪ Covers functions like A/c & finance function, manufacturing, supply chain management, HRM, CRM etc. and integrates them into one unified database.
▪ An ERP must cover at least two functions or more.
Examples
Tally: Accounting & Inventory
Quickbook: Accounting & payroll
SAP, Oracle, MFG Pro, MS Axapta: Multi modules

5. ERP IS BASED ON

Centralized / Common Database
▪ Data from different functions is integrated.
▪ It allows every department to store & retrieve information in real time.
▪ Info. should be accurate, complete & authentic/ reliable & easily accessible.

Modular S/w
▪ Enables a business to
a) Select the module it needs
b) Mix & match modules from diff. vendors
c) Add new modules or delete existing modules.
▪ Add new modules of their own to improve business performance

1 ERP → 1 Centralised Database → Multiple s/w modules.

Definition of ideal ERP may change as per organization. However, generally single centralized DB is used which contains all data for various s/w modules.

Modules: Manufacturing | Financial | HR | SCM | PROJECT | CRM | Data w/h

6. BENEFITS OF ERP

1. Use of new technology like client server tech., cloud computing, mobile computing etc.
2. Information Integration as it automatically updates data b/w related functions.
3. On-time shipment as process involved in delivery of goods is automated and errors are reduced.
4. Better customer satisfaction: Customer can place order, track order etc. sitting at home.
5. Reduction in Lead time: Time elapsed b/w placing of order & receiving it.
6. Reduction in Cycle time: Time elapsed b/w placement of order & delivery of order.
7. Reduction in Quality cost: ERP eliminates duplication/ redundancy of process & provides tools for Total Quality Management.
8. Improved Flexibility by making info available across dept, automating process which helps it to react to changing environment in a better way.
9. Improved Analysis, planning & decision as it enables use of many decision support systems & “what if scenario”.
10. Improved supplier performance: it provides vendor management tools & procurement support tools.
11. Improved resource utilization: Efficiency is increased as inventory is maintained at minimum level & machine downtime is minimum.

7. RISK & CONTROL IN ERP ENVIRONMENT

Two Major Risks arising due to use of Centralized Common Database (all Data at one place)
▪ All persons in an organization access same set of data on day-to-day basis. This poses/ results in risk of leakage of info. or access of info. system by unauthorized person. E.g. - sales person checking salary of his friend in production dept.
▪ All users use same data for recording transactions. This results in risk of putting incorrect data in the system by unauthorized user. E.g. - HR person recording purchase data.

Control: RBAC
8. ROLE BASED ACCESS CONTROL (RBAC)

It is a policy neutral access control mechanism that
a) Allows employees to have access rights to access info they need to do their job; and
b) Prevents them from accessing information that doesn’t pertain to them.
It is an approach of restricting system access to authorized users on “Need to Know” & “Need to Do” basis.
Advantage: Facilitates administration of security in large organisation with hundreds of users & thousands of permissions.

Mandatory Access Control (MAC)
▪ MAC criteria are defined by the system administrator, strictly enforced by the Operating System and are unable to be altered by end users.
▪ Only users or devices with the required information security clearance can access protected resources.
▪ A central authority regulates access rights based on multiple levels of security.
▪ Organizations with varying levels of data classification, like Govt. and military institutions, typically use MAC to classify all end-users.

Discretionary Access Control (DAC)
▪ DAC involves physical or digital measures and is less restrictive than other access control systems as it offers individuals complete control over the resources they own.
▪ The owner of a protected system or resource sets policies defining who can access it.

8.1. TYPES OF ACCESS

a) Create Data
b) Alter Data
c) View Data
d) Print Data
Each can be allowed or disallowed to various employees for
➢ master data,
➢ transaction data &
➢ Report

Examples of Access that can be allowed & disallowed for various types of Personnel:
Directors: Complete access to all Reports, Masters & Transactions but only for viewing. Can’t create or alter.
CFO: Same as director but in some cases, creation or alteration access to Masters & Transactions may be given.
Head of a Department: Full access to all Department related masters & transactions. No access to non-related masters, transactions and reports.
Accountant: Can make voucher entry & view accounting master data. Can’t create masters or access Reports.
Data Entry Operator: Very limited access should be given. Can’t create accounting masters or access Reports.
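The personnel table above is a role-permission matrix: four actions (create, alter, view, print) over three kinds of object (masters, transactions, reports), with "need to know" expressed as a department scope. The block below is an added example, not code from the original notes or from any ERP product, that encodes that matrix and evaluates requests against it, including the two risks from section 7 (a sales person looking at a production-department payroll master, an HR person recording a purchase). Department names, user names, the decision to let a Head of Department view own-department reports, and the CFO's optional maintenance rights are assumptions made for illustration.

```python
"""Role-based access control over accounting objects, following the access matrix in
the notes (Director, CFO, Head of Department, Accountant, Data Entry Operator) applied
to masters, transactions and reports. Added example, not code from the original notes
or any ERP product; department names, user names and HoD report scope are assumed."""
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    CREATE = "create"
    ALTER = "alter"
    VIEW = "view"
    PRINT = "print"


class Kind(Enum):
    MASTER = "master"
    TRANSACTION = "transaction"
    REPORT = "report"


@dataclass(frozen=True)
class Resource:
    kind: Kind
    department: str   # owning department, e.g. "Sales", "Production", "Accounts"


@dataclass(frozen=True)
class User:
    name: str
    role: str         # one of the keys of ROLE_PERMISSIONS
    department: str


ALL_DEPTS = "*"       # scope marker: not limited to the user's own department

# role -> set of (action, kind, scope). Scope ALL_DEPTS = any department;
# "own" = only resources of the user's own department ("need to know").
ROLE_PERMISSIONS = {
    # Director: everything, but for viewing only; cannot create or alter.
    "Director": {(Action.VIEW, k, ALL_DEPTS) for k in Kind},
    # CFO: same as Director by default; create/alter on masters and transactions
    # is granted case by case via grant_cfo_maintenance().
    "CFO": {(Action.VIEW, k, ALL_DEPTS) for k in Kind},
    # Head of Department: full access to own-department masters and transactions,
    # nothing outside the department (own-department reports: assumption).
    "HoD": {(a, k, "own") for a in Action for k in (Kind.MASTER, Kind.TRANSACTION)}
           | {(Action.VIEW, Kind.REPORT, "own"), (Action.PRINT, Kind.REPORT, "own")},
    # Accountant: voucher entry and viewing accounting masters; no master creation, no reports.
    "Accountant": {(Action.CREATE, Kind.TRANSACTION, "own"), (Action.VIEW, Kind.MASTER, "own")},
    # Data Entry Operator: voucher entry only.
    "DEO": {(Action.CREATE, Kind.TRANSACTION, "own")},
}


def grant_cfo_maintenance() -> None:
    """The 'in some cases' clause: extend the CFO with create/alter on masters and transactions."""
    for a in (Action.CREATE, Action.ALTER):
        for k in (Kind.MASTER, Kind.TRANSACTION):
            ROLE_PERMISSIONS["CFO"].add((a, k, ALL_DEPTS))


def is_allowed(user: User, action: Action, res: Resource) -> bool:
    """Deny by default; allow only if the role carries (action, kind) within scope."""
    for act, kind, scope in ROLE_PERMISSIONS.get(user.role, set()):
        if act is action and kind is res.kind:
            if scope == ALL_DEPTS or res.department == user.department:
                return True
    return False


def demo_decisions() -> dict:
    """Constructed requests, including the two leakage / incorrect-entry risks from the notes."""
    director = User("anita", "Director", "Board")
    sales_deo = User("ravi", "DEO", "Sales")
    hr_hod = User("meena", "HoD", "HR")
    accountant = User("sunil", "Accountant", "Accounts")
    return {
        # sales person trying to see a payroll master of the production department: denied
        "deo_views_other_dept_payroll": is_allowed(sales_deo, Action.VIEW, Resource(Kind.MASTER, "Production")),
        # HR person trying to record a purchase transaction: denied
        "hr_hod_creates_purchase": is_allowed(hr_hod, Action.CREATE, Resource(Kind.TRANSACTION, "Purchase")),
        # HR head maintaining an HR master: allowed
        "hr_hod_alters_hr_master": is_allowed(hr_hod, Action.ALTER, Resource(Kind.MASTER, "HR")),
        # director viewing any report: allowed; altering a master: denied
        "director_views_report": is_allowed(director, Action.VIEW, Resource(Kind.REPORT, "Sales")),
        "director_alters_master": is_allowed(director, Action.ALTER, Resource(Kind.MASTER, "Sales")),
        # accountant entering a voucher: allowed; printing a report: denied
        "accountant_enters_voucher": is_allowed(accountant, Action.CREATE, Resource(Kind.TRANSACTION, "Accounts")),
        "accountant_prints_report": is_allowed(accountant, Action.PRINT, Resource(Kind.REPORT, "Accounts")),
    }


if __name__ == "__main__":
    for request, decision in demo_decisions().items():
        print(f"{request:32s} -> {'ALLOW' if decision else 'DENY'}")
```

Two design points carry over to a real ERP: the decision function denies by default (an unknown role or an unmatched action gets nothing), and the department scope sits in the permission tuple rather than in code, so the "need to know" boundary is data an administrator can review, which is the administrative advantage the section attributes to RBAC.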

9. ERP IMPLEMENTATION, RISK & CONTROL

▪ ERP Implementation is a huge task and requires substantial money, time & patience.
▪ Success, in terms of payback or RoI of ERP, depends upon successful implementation & once implemented, proper usage of ERP.

10. ISSUES IN IMPLEMENTATION OF ERP

People Issues: Most critical for success or failure of ERP. Includes
▪ Management
▪ Employee
▪ Implementation team
▪ Vendor & Consultant
Process Issues: Main reason for ERP is to
▪ Improve, streamline the process and
▪ make it more effective & efficient.
Technological Issues: Organisation should be abreast of latest technology to survive and thrive.
Other Implementation Issues: Explained in subsequent parts.
Post Implementation Issues: Explained in subsequent parts.

10.1. People Issues


Basis Risk Control
Top management ERP Implementation will fail if Top ERP Implementation should start only
support Management does not support as huge after Top Management is fully convinced
funds are required. and assures full support.
Change There will a change in job profile i.e., some Proper training with well documented
management job will become irrelevant & new jobs will manual should be provided for smooth
be created. transition in job profile.
Training It mainly happens at end of ERP Proper project-based training should be
Implementation. Management may curtail provided by skilled experts.
training to save cost.
Staff Turnover Due to integration of departments, it Allocation of employees to task as per their
becomes complex & employees tend to skills & fixing remuneration accordingly.
leave.
Consultants May not be familiar with internal working Consultant should be assigned a senior
of organizational culture manager (a liaison officer) to help them
understand Co’s culture.

10.2. Process Issues


Basis Risk Control
Program management There may be information gap between Bridge the information gap between them
a) Day to day operation so that they are in sync.
b) ERP Function

Business Process BPR is not just change but dramatic Requires overhauling of Organizational
Reengineering change & dramatic improvement in structure, job descriptions, skill
way business is conducted. development, & training in use of IT.

10.3. Technological Issues

▪ Software functionality
  ➢ Risk: ERP offers various functions; implementing all of them can be disastrous.
  ➢ Control: The organization should install only those functions which are required by it.
▪ Technology obsolescence
  ➢ Risk: With new technologies evolving rapidly, the ERP may become obsolete.
  ➢ Control: ERP should be modular, easily updatable & backed by quality vendor support.
▪ Enhancement & upgradation
  ➢ Risk: ERP is not upgraded and kept up to date.
  ➢ Control: The vendor should be carefully selected & the ERP should be kept fully updated.
▪ Application Portfolio Management (APM)
  ➢ Risk: Poor selection of new business applications.
  ➢ Control: APM ensures proper selection of business applications and avoids duplication of apps.

10.4. Other Implementation Issues

▪ Lengthy implementation time
  ➢ Risk: It may take between 1 and 4 years depending upon the size of the organization.
  ➢ Control: Care should be taken to keep momentum high & enthusiasm alive.
▪ Insufficient funding
  ➢ Risk: Budget is allocated without consulting experts & then work stops due to lack of funds.
  ➢ Control: Necessary to allocate the required funds & also set aside some funds for contingencies.
▪ Data safety
  ➢ Risk: Since there is only one set of data, if it is lost, the whole business stops.
  ➢ Control: A backup and disaster recovery plan should be maintained, and restoration from backup should be tested periodically (an untested backup is not a control). Strict physical & logical access control should be maintained.
▪ System failure
  ➢ Risk: Since there is a central database, in case of system failure, entire business operations will be adversely affected.
  ➢ Control: Allocate alternate hardware and network (Internet) arrangements.
▪ Data access
  ➢ Risk: Leakage & unauthorized access of data.
  ➢ Control: Access rights need to be defined carefully & provided on a ‘need to do’ & ‘need to know’ basis.

10.5. Post implementation Issue → Lifelong Commitment

11. AUDIT OF ERP SYSTEM

Objectives of I.S. Control

▪ To ensure CIA (Confidentiality, Integrity & Availability) of data.
▪ Restrict access to authorized users & prevent unauthorized access.
▪ Objectives of audit & controls do not change in an ERP environment.
▪ ERP should produce accurate, complete & authentic information on a timely basis.

In a computerized environment, this is accomplished by a combination of
• controls in the ERP system, and
• controls in the environment in which the ERP system operates, including the OS.

11.1. CONTROLS

General Controls
▪ Include controls over IT management, IT infrastructure, security management, software acquisition & maintenance, and monitoring and reporting of IT activity.
▪ Apply to all systems in an organisation, from mainframe computer to client.
▪ Two categories:
  ➢ Management Control: deals with organisation policy, procedure & planning w.r.t. ERP system control.
  ➢ Environmental Control: operational control administered through the computer centre/computer operations group and the built-in operating system controls.

Application Control
▪ Deals with an individual business process/function or application system.
▪ Key questions to be asked by the auditor are:
  i) Does the system process according to GAAP (Generally Accepted Accounting Principles) and GAAS (Generally Accepted Auditing Standards)?
  ii) Does it meet the needs for reporting, whether regulatory or organizational?
  iii) Does the system protect confidentiality and integrity of information assets?
  iv) Does it have controls to process only authentic, valid, accurate transactions?
  v) Are all system resources protected from unauthorized access and use?
  vi) Are user privileges based on what is called ‘role-based access’?
  vii) Is there an ERP system administrator with clearly defined responsibilities?
  viii) Are there adequate audit trails and monitoring of user activities?
  ix) Are users trained?
  x) Do they have complete and current documentation?
  xi) Is there a problem-escalation process?

Auditing Aspect

Auditing of Data
▪ Physical Security: ensure physical control over data.
▪ Access Control: ensure access is given on a “need to know” and “need to do” basis.

Auditing of Process
▪ Function Audit: includes testing of different modules/functions & features in the ERP, and testing of the overall process (or part of the process) in the system & comparing it with the actual process.
▪ Input Validation: involves checking of rules for input of data into the system. E.g. a cash sale should be recorded on the date of sale, not before, not later.
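The three controls that recur above (access on a ‘need to do’ basis, an audit trail of user activity, and input validation of the cash-sale date rule) can be shown together in one small posting routine. The code below is an added example written for these notes, not code from any ERP product; the roles, users, and transactions are constructed for the illustration, and a real ERP would read them from its authorisation tables.

```python
"""Added example, not code from the study notes or from any ERP vendor: a
small posting routine that applies three of the controls discussed above -
access on a 'need to do' basis (the auditor's role-based access question),
an append-only audit trail of every attempt, and an input-validation rule
(a cash sale must be recorded on the date of sale, not before, not later).
The roles, users and transactions are constructed for the illustration.
"""


class AuthorizationError(PermissionError):
    """Raised when a user attempts a function their role does not permit."""


class ValidationError(ValueError):
    """Raised when an input rule is broken."""


# Constructed role -> permitted functions matrix. Nobody gets more than the
# functions their job needs ('need to do'): the auditor can read the trail
# but cannot post, the clerk can post but cannot read the trail.
ROLE_PERMISSIONS = {
    "sales_clerk": {"post_cash_sale"},
    "auditor": {"read_audit_trail"},
}
USER_ROLES = {"asha": "sales_clerk", "ravi": "auditor"}   # constructed users


class SalesLedger:
    def __init__(self):
        self.entries = []        # posted transactions
        self._audit_trail = []   # every attempt, successful or not; never edited

    def _log(self, user, function, outcome, detail=""):
        self._audit_trail.append({"user": user, "function": function,
                                  "outcome": outcome, "detail": detail})

    def _authorise(self, user, function):
        role = USER_ROLES.get(user)
        if function not in ROLE_PERMISSIONS.get(role, set()):
            # A refused attempt is evidence the auditor wants, so log it too.
            self._log(user, function, "DENIED", f"role={role}")
            raise AuthorizationError(f"{user} ({role}) may not {function}")

    def post_cash_sale(self, user, sale_date, posting_date, amount):
        """Record a cash sale. Dates are ISO strings (YYYY-MM-DD)."""
        self._authorise(user, "post_cash_sale")
        # Input-validation rule from the auditing table: same-day posting only.
        if posting_date != sale_date:
            self._log(user, "post_cash_sale", "REJECTED",
                      f"sale {sale_date} posted {posting_date}")
            raise ValidationError("cash sale must be recorded on the date of sale")
        if amount <= 0:
            self._log(user, "post_cash_sale", "REJECTED", f"amount={amount}")
            raise ValidationError("amount must be positive")
        entry = {"type": "cash_sale", "date": sale_date, "amount": amount, "by": user}
        self.entries.append(entry)
        self._log(user, "post_cash_sale", "OK", f"amount={amount}")
        return entry

    def read_audit_trail(self, user):
        """Return a copy of the trail so callers cannot alter the record."""
        self._authorise(user, "read_audit_trail")
        return [dict(e) for e in self._audit_trail]
```

Two design points matter for the auditor's questions (v), (vi) and (viii): refused attempts are logged as well as successful ones, and the trail is returned as a copy, so the users whose activity it records cannot alter it through the same interface. In a production system the trail would additionally live in a store the application's own service account cannot rewrite.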

12. BUSINESS PROCESS MODULES AND THEIR INTEGRATION WITH FINANCIAL AND ACCOUNTING SYSTEMS

Business Process refers to
➢ a set of co-ordinated activities that are performed
➢ to realize a business goal like order fulfilment.
How to manage a Business Process?
1. Define the tasks/steps in the process.
2. Establish performance measures.
3. Describe the organization set-up to enable standardization & adherence to the process throughout the organization.
Business Process Flow
The number & type of business processes and how the processes are performed vary across enterprises.
They are also impacted by automation. However, most common processes follow a generic life cycle.

ACCOUNTING FLOW

▪ Source Document: a document that captures data from transactions and events.
▪ Journal: transactions are recorded into journals from the source document.
▪ Ledger: entries are posted to the ledger from the journal.
▪ Trial Balance: an unadjusted trial balance containing totals from all account heads is prepared.
▪ Adjustments: appropriate adjustment entries are passed.
▪ Adjusted Trial Balance: the trial balance is finalized post adjustments.
▪ Closing Entries: appropriate entries are passed to transfer accounts to the financial statements.
▪ Financial Statements: the accounts are organized into the financial statements.
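The flow above, from source document to adjusted trial balance, as an added example written for these notes (not code from the original page). The transactions are constructed; the point of interest for an auditor is where the integrity checks sit: an unbalanced entry is refused at the journal, and a trial balance whose columns disagree raises instead of being reported.

```python
"""Added example, not code from the study notes: the accounting flow above
carried through in code - source documents recorded as journal entries,
posted to ledger accounts, summarised in an unadjusted trial balance,
adjusted, and summarised again. The transactions are constructed for the
illustration.
"""
from collections import defaultdict


class Journal:
    def __init__(self):
        self.entries = []   # (description, [(account, debit, credit), ...])

    def record(self, description, lines):
        """Record one journal entry from a source document; refuse an unbalanced one."""
        debits = sum(d for _, d, _ in lines)
        credits = sum(c for _, _, c in lines)
        if debits != credits:
            raise ValueError(f"unbalanced entry {description!r}: Dr {debits} != Cr {credits}")
        self.entries.append((description, list(lines)))


def post_to_ledger(journal):
    """Post every journal line to its account: {account: (total debits, total credits)}."""
    ledger = defaultdict(lambda: [0, 0])
    for _, lines in journal.entries:
        for account, debit, credit in lines:
            ledger[account][0] += debit
            ledger[account][1] += credit
    return {account: tuple(totals) for account, totals in ledger.items()}


def trial_balance(ledger):
    """Net each account to one debit or credit balance; return (balances, column total)."""
    balances = {}
    for account, (dr, cr) in ledger.items():
        net = dr - cr
        balances[account] = (net, 0) if net >= 0 else (0, -net)
    total_dr = sum(d for d, _ in balances.values())
    total_cr = sum(c for _, c in balances.values())
    if total_dr != total_cr:
        raise ValueError(f"trial balance does not agree: Dr {total_dr} != Cr {total_cr}")
    return balances, total_dr


def run_cycle():
    """Run the flow on constructed source documents; returns both trial balances."""
    journal = Journal()
    journal.record("Owner introduces capital", [("Cash", 10000, 0), ("Capital", 0, 10000)])
    journal.record("Goods bought on credit", [("Purchases", 4000, 0), ("Creditors", 0, 4000)])
    journal.record("Cash sale", [("Cash", 6000, 0), ("Sales", 0, 6000)])
    unadjusted, total = trial_balance(post_to_ledger(journal))
    # Period-end adjustment: rent owed but not yet paid.
    journal.record("Accrued rent", [("Rent", 500, 0), ("Rent payable", 0, 500)])
    adjusted, adjusted_total = trial_balance(post_to_ledger(journal))
    return unadjusted, total, adjusted, adjusted_total
```

Because every entry is checked at the journal, the trial-balance check should never fire; if it does, something wrote to the ledger without going through the journal, which is exactly the kind of bypass an ERP audit looks for.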

13. BUSINESS PROCESS MODULES (where profit making is the objective)

Trading Business
▪ Buying & selling of goods without modification.
▪ Requires: (a) Accounting module, (b) Inventory module.
Manufacturing Business
▪ Includes all aspects of trading & the additional aspect of manufacturing, i.e. conversion of raw material into finished goods.
▪ Requires: (a) Accounting module, (b) Inventory module, (c) Manufacturing module.
Service Business
▪ Involves selling of skills/knowledge/efforts/time.
▪ E.g. doctors, architects, chartered accountants are professionals in the service business. There may be other types of service business, e.g. courier business, security service, etc.
▪ No inventory, so no inventory module.

14. FUNCTIONAL MODULES OF ERP

▪ Financial Accounting Module
▪ Controlling Module
▪ Sales & Distribution
▪ Material Management
▪ Production Planning
▪ Plant Maintenance
▪ Project System Management
▪ Quality Management
▪ Supply Chain Management
▪ Human Resource Management
▪ Customer Relationship Management

14.1. FINANCIAL ACCOUNTING MODULE [F&A]

Overview & Objective
▪ Most important & critical module of the overall ERP system.
▪ It connects with all other modules.
▪ Objective is to generate financial statements.
Features:
a) Tracking the flow of financial data across the organization in a controlled manner & integrating all information for effective decision making.
b) Creation of organization structure → defining company, company codes, functional areas, controls.
c) General Ledger Accounting → creation of chart of accounts, account groups, creation of general ledger accounts.
d) Accounts Receivable → creation of customer master data & customer-related finance attributes like payment terms.
e) Accounts Payable → creation of vendor master data & vendor-related finance attributes like payment terms.
f) Asset Accounting → creation of asset master data.
g) Tax configuration & creation and maintenance of house banks.

14.2. CONTROLLING MODULE [CO]

Overview
▪ Facilitates coordination, monitoring and optimization of business processes in the organization.
▪ Helps in analyzing actual figures against planned data.
▪ It controls cost elements & revenue elements.
Key Features:
a) Cost element accounting – provides an overview of costs and revenues that occur in an organization. It is the basis of cost accounting & enables the user to display the cost of each element, i.e. material, labour, overhead.
b) Cost centre accounting – provides information on cost incurred w.r.t. various departments/functional areas like marketing, HR, legal etc.
c) Activity based costing – facilitates analysis of cross-functional cost allocation to various cost centres.
d) Product cost accounting – analysis of cost incurred to manufacture a product or provide a service.
e) Profit centre accounting – evaluates P&L of individual independent areas of the business.
f) Profitability accounting – reviews information w.r.t. the company's profit by individual market segment.

14.3. SALES & DISTRIBUTION MODULE [S&D]

It is used by an organisation to support sales & distribution activities of goods & services, starting from enquiry to order and ending with delivery.
▪ Pre-sale activities: prospecting for customers, identifying them, fixing appointments, showing demos & submitting quotations.
▪ Sales order processing: on receipt of the PO, the SO (quantity, rate, description) is recorded in the books.
▪ Inventory sourcing: ensuring goods are ready & available for delivery.
▪ Delivery of material: should be as per the SO. Inventory will reduce on recording of this transaction.
▪ Billing: raising of sales invoice against delivery of material to the customer.
▪ Payment: receipt of payment & recording it against the sales invoice.

Features:
▪ Setting up org. structure: creation of new company, company code, sales organisation, distribution channels, divisions, maintaining sales office, etc.
▪ Assigning org. units: assigning the individual components created above to each other, like company code to company, sales organization to company code, distribution channel to sales organization, etc.
▪ Defining pricing components: like sale document, billing, tax-related components etc.
▪ Customer master data: setting up customer master data records and configuration.

14.4. MATERIAL MANAGEMENT MODULE [MM]

▪ It manages material required, processed & produced in an organization.
▪ It handles all kinds of purchase transactions.
▪ Popular sub-components:
  a) Vendor master data
  b) Consumption based planning
  c) Purchasing
  d) Inventory management accounting

Process
1. Production dept. sends a purchase requisition to the purchase dept.
2. Purchase dept. evaluates the request w.r.t. current stock and pending orders.
3. If the requisition is accepted, quotations are asked for from approved vendors.
4. Quotations are evaluated; the best option is selected & the order is placed (PO sent).
5. Material is received by the store dept., which issues the GRN/MRN.
6. Store dept. issues RM to the production dept.
7. The purchase invoice is recorded by the accounts dept.
8. Payment is made to the vendor.

14.5. PRODUCTION PLANNING MODULE [PP]

It includes software designed especially for production planning & management.
Flow: issue of RM from store, followed by multiple processing steps.

It collaborates with the following:
a) Master Data: includes material master, work centres, & bill of materials.
b) Sales & Operation Planning (SOP): provides the ability to forecast sales & production plans.
c) Distribution Resource Planning (DRP): allows the company to plan demand for distribution centres.
d) Material Requirement Planning (MRP): allows the company to plan material required for production.
e) Capacity Planning: evaluates capacity utilization of plants.
f) Production Planning: assists in planning the production of goods.
g) Product Cost Planning: evaluates the value of material components to determine the value of the product.

14.6. PLANT MAINTENANCE MODULE [PM]

Overview
▪ It is a functional module.
▪ It handles maintenance of equipment & enables efficient planning of production.
▪ This application component provides a comprehensive software solution for all maintenance activities that are performed within a company.
Objectives:
a) Achieve minimum breakdown and keep machines in good working condition at minimum cost.
b) Keep machines in a condition in which they can be used at optimum capacity.
c) Ensure availability of machines & services required by other sections of the factory for performing their functions at optimum capacity.

14.7. PROJECT SYSTEM MODULE [PSM]

▪ Integrated project management tool used for planning & managing projects & portfolio management.
▪ It ensures that:
  a) Projects are executed within budget & time.
  b) Resources are allocated to the project as per requirement.
▪ Examples: DLF executing a project of building a mall; an ERP implementation.
▪ Flow: Create templates → Create project → Project planning → Budgeting → Project implementation → Project completion.

14.8. QUALITY MANAGEMENT MODULE [QM]

▪ Helps in management of quality in production across processes in an organization.

Process
a) Quality Planning: refers to the process of planning production activities to achieve the goal of meeting customer requirements in time, within available resources.
b) Quality Control: refers to the system of maintenance of proper standards in the manufacture of goods, especially by periodic random inspections of the product. It involves checking & monitoring of the process and products with the intention of preventing non-conforming materials from going to the customer.
c) Quality Assurance: concentrates on
  ➢ identifying the various processes,
  ➢ defining the objective of each process,
  ➢ establishing procedure standards for getting the required result, &
  ➢ documenting the procedure to enable everyone to follow the same.
d) Quality Improvement: a never-ending process, as customer needs & expectations keep changing.

14.9. SUPPLY CHAIN MODULE [SCM]

▪ It is a network of
  ➢ autonomous & semi-autonomous activities that
  ➢ procure RM, process it & transform it into intermediate goods & then into finished goods, &
  ➢ finally deliver it to the customer/consumer through the distribution channel.
▪ This is called the SCM system, which implies that a product reaches the customer from the manufacturer through the supply chain.
▪ The SCM module helps the organisation optimize its supply chain & streamline its processes.
▪ Flow: RM → Manufacturer → Manufacturing → Distribution → Retailer/Customer → Consumer.

14.10. CUSTOMER RELATIONSHIP MANAGEMENT MODULE [CRM]

▪ It is a system which aims at
  ➢ improving relationships with existing customers,
  ➢ finding new prospective customers, and
  ➢ winning back former customers.
▪ It helps the organization manage relationships with customers, determine who the high-value customers are, & document their interactions with the organization.
▪ Only large ERPs have this module, and it does not exchange transactions with other modules, as it does not have transactions like purchase or sale.
Key Benefits
a) Improved customer relationship: CRM helps analyse the needs/issues of customers & provide service to address the issue (feedback).
b) Increased customer revenue: using customer data, marketing campaigns can be planned in an effective way. Repeat customers also help in increasing sales.
c) Maximize up-selling & cross-selling: CRM allows up-selling, i.e. offering customers premium products that fall in the same category. It also allows cross-selling, i.e. selling complementary products based on previous purchases.
d) Better internal communication: sharing customer data helps different departments work together.
e) Optimize marketing: it helps plan marketing better, as it enables the organization to understand customer needs and behaviour.

14.11. HUMAN RESOURCE MANAGEMENT [HRM]

▪ It manages the human capital of the organization.
▪ It handles all activities from hiring of an employee to evaluating performance, managing promotions, handling payroll etc.
▪ It exchanges very few details with other modules.
Features
a) Maintains the employee database.
b) Defines leave, holidays, PF, ESI etc.
c) Handles input transactions like attendance, leave, holidays, advances etc.
d) Generates payroll reports.

15. INTEGRATION OF VARIOUS MODULES OF ERP

▪ ERP has many modules & all modules are inter-related & inter-dependent.
▪ All modules must work in harmony with each other to get the desired result.
Integration (Illustrative)
i) MM with FICO  ii) HRM with FICO  iii) MM with PP  iv) MM with S&D  v) MM with QM  vi) PP with S&D  vii) S&D with FICO

IMPORTANT POINTS FOR INTEGRATION OF MODULES:
1) Master data across modules must be the same & shared with all modules.
2) Common transaction data must be shared with other modules where required.
3) Separate voucher types are to be used for each module for easy identification of the department recording it.
4) Figures & transactions flow across departments, so the system should be designed accordingly. E.g. closing stock is reported in the Trading A/c as well as the balance sheet.

16. REPORTING SYSTEM & MANAGEMENT INFORMATION SYSTEM (MIS)

▪ Report: presentation of information in a proper & meaningful way. E.g. balance sheet, P&L account, cash flow statement.
▪ Reporting System: a system of regularly reporting on pre-decided aspects.
▪ Objective of Reporting System: give the right information to the right people at the right time for the right decision making.
▪ Two basic reports: balance sheet & P&L, used for basic analysis of financial position & financial performance.
For decision making by management, more reports are required. Hence, a proper reporting system is needed to serve the purpose.

16.1. MANAGEMENT INFORMATION SYSTEM (MIS)

▪ It is a tool for providing accurate, relevant, timely & structured information/data to managers for decision making.
▪ It is a tool used by managers to evaluate business processes & operations.
▪ Large businesses have a separate MIS department whose only job is to gather information & create MIS reports.
▪ Technology used: simple software and spreadsheets (small businesses) to sophisticated systems (large ones).
Types of MIS depend on the number of divisions/departments in an organization:
➢ Sales & Marketing
➢ Manufacturing & Production
➢ HR etc.
➢ Accounting & Finance
It automatically collects data from various areas within a business & generates
▪ Daily reports: sent to key members throughout the organization as prescribed.
▪ On-demand reports: allow managers & other users to generate customised MIS reports whenever needed.

16.2. FEATURES OF MIS REPORTS

▪ Relevant: should contain specific information related to the business.
▪ Timely: should contain information w.r.t. what is happening now or in the recent past. Old data is not required; if needed, it can be generated on demand.
▪ Accurate: should not contain mistakes or wrong information.
▪ Structured: information should be presented in a simple manner which is easily understood by management.

17. DATA ANALYTICS & BUSINESS INTELLIGENCE

17.1. Data Analytics

Process of analyzing data sets to
➢ draw conclusions about the information they contain, with the
➢ aid of specialized systems & software.

Data (without context) → Information (data + context) → Knowledge (information + insight) → Intelligence (knowledge + foresight) → Intelligent Decision

Technology tools used for Data Analysis
▪ Business Intelligence
▪ Data mining
▪ Machine Learning
▪ OLAP [Online Analytical Processing]
▪ Text Mining
Application areas of Data Analytics
a) Banks & credit card companies analyse withdrawal & spending patterns to prevent fraud.
b) Healthcare organizations mine data to evaluate the effectiveness of treatment of diseases like AIDS, Covid-19, cancer.
c) E-commerce companies & marketing services companies use data analytics to identify website visitors who are more likely to buy a product or service.
d) Mobile network operators examine data to forecast how to retain customers.

17.2. TYPES OF DATA ANALYTICS

▪ Quantitative D.A.: analysis of numerical data with quantifiable variables that can be measured using statistical measures.
▪ Qualitative D.A.: analysis of non-numerical data like pictures, video etc.
▪ Exploratory D.A.: aims to find patterns & relationships in data. Akin to detective work.
▪ Confirmatory D.A.: applies statistical techniques to determine whether hypotheses about a data set are true or false. Akin to the work of a judge during a trial.
▪ Data Mining: involves sorting through large data sets to identify trends, patterns & relationships.
▪ Machine Learning: an artificial intelligence technique that analyses data more quickly than conventional analytical models/techniques/software.
▪ Predictive Analysis: seeks to predict future events like customer behaviour, equipment failure etc.
Big Data Analytics applies data mining, predictive analytics and machine learning tools to sets of big data that often contain unstructured and semi-structured data.
Text mining provides a means of analysing documents, emails and other text-based content.

17.3. PROCEDURE OF DATA ANALYTICS

1. Data is collected for analysis.
2. Data from different sources is combined in a standard form.
3. Integrated data is loaded into the analytical system.
4. Data quality problems are fixed.
5. The analytical model is run on the data set.
6. Results generated are communicated to business executives for decision making.

Participants in the Data Analytics Process
a) Data Analyst
b) Data Engineer
c) Data Scientist – builds data analytical models using predictive modelling tools and other software & languages like SQL, Python, etc.
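The six steps above run end to end, as an added example written for these notes (not code from the original page). It uses the first application area from 17.1, a bank looking for withdrawals outside a customer's usual pattern; every record, field name and threshold is constructed for the illustration.

```python
"""Added example, not code from the study notes: the six-step procedure
above run end to end on constructed data. Two 'sources' with different
field names are combined into one standard record shape, loaded, cleaned
(a duplicate and an unparsable amount are the data-quality problems), and
then a simple analytical model is run - the bank example from the
application list, flagging a withdrawal far outside a customer's usual
pattern. The model uses the median and median absolute deviation rather
than mean and standard deviation so that the very outlier being hunted
does not distort the baseline. All records are invented.
"""
from statistics import median

# Step 1: data collected from two sources (constructed).
CORE_BANKING = [                      # amounts already numeric
    {"customer": "C1", "txn_id": "T1", "amount": 120.0},
    {"customer": "C1", "txn_id": "T2", "amount": 115.0},
    {"customer": "C1", "txn_id": "T3", "amount": 130.0},
    {"customer": "C1", "txn_id": "T4", "amount": 125.0},
    {"customer": "C1", "txn_id": "T5", "amount": 4900.0},     # unusual withdrawal
]
CARD_SWITCH = [                       # different field names, amounts as strings
    {"cust": "C1", "ref": "T5", "amt": "4900.00"},            # same transaction again
    {"cust": "C2", "ref": "T6", "amt": "50.00"},
    {"cust": "C2", "ref": "T7", "amt": "55.00"},
    {"cust": "C2", "ref": "T8", "amt": "45.00"},
    {"cust": "C2", "ref": "T9", "amt": "5O.00"},              # letter O: bad data
]


def combine(core, card):
    """Step 2: map both sources onto one standard form."""
    rows = [{"customer": r["customer"], "txn_id": r["txn_id"], "amount": r["amount"]}
            for r in core]
    rows += [{"customer": r["cust"], "txn_id": r["ref"], "amount": r["amt"]}
             for r in card]
    return rows                       # step 3 is simply handing this to the model


def clean(rows):
    """Step 4: fix data-quality problems. Returns (usable rows, rejected rows)."""
    seen, good, rejected = set(), [], []
    for r in rows:
        if r["txn_id"] in seen:       # same transaction reported by both sources
            continue
        try:
            amount = float(r["amount"])
        except (TypeError, ValueError):
            rejected.append(r)        # kept for the data engineer to chase
            continue
        seen.add(r["txn_id"])
        good.append({**r, "amount": amount})
    return good, rejected


def flag_outliers(rows, k=3.0):
    """Step 5: per-customer robust outlier test; returns txn_ids needing review."""
    by_customer = {}
    for r in rows:
        by_customer.setdefault(r["customer"], []).append(r)
    flagged = []
    for txns in by_customer.values():
        amounts = [t["amount"] for t in txns]
        centre = median(amounts)
        spread = median(abs(a - centre) for a in amounts) or 1.0   # no zero divide
        flagged += [t["txn_id"] for t in txns if abs(t["amount"] - centre) / spread > k]
    return flagged


def run_pipeline():
    """Steps 1-6 together; the returned dict is what goes to the decision maker."""
    good, rejected = clean(combine(CORE_BANKING, CARD_SWITCH))
    return {"analysed": len(good), "rejected": len(rejected), "flagged": flag_outliers(good)}
```

Rejected rows are returned rather than silently dropped: the count of unusable records is itself part of the result a decision maker should see, since a fraud model that quietly discards a tenth of its input is not telling the whole story.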

17.4. BUSINESS INTELLIGENCE (TOOL FOR DATA ANALYTICS)

Refers to a technology-driven process for
➢ analyzing data &
➢ presenting actionable information
➢ to help corporate executives & other users make informed decisions.
BI technologies used: OLAP, data warehouse, Hadoop systems, cloud computing, data mining, text mining, predictive analysis, data visualization software.
BI apps can be bought separately from different vendors or as part of a unified BI platform. E.g. QlikView, Tableau.

Reasons for BI
Ultimate objective of BI: improved timeliness & quality of information, which helps users make informed decisions.
It reveals to the user
a) Position of the firm vis-a-vis competitors.
b) Market conditions & future trends.
c) Changes in customer behaviour & spending patterns.
d) Capabilities of the firm.
e) What other firms in the market are doing.
f) Social, regulatory & political environment.
Benefits of BI
a) It improves the overall performance of the company. It helps in
  ▪ accelerating decision making,
  ▪ optimizing internal business processes,
  ▪ increasing operational efficiency, and
  ▪ gaining competitive advantage over business rivals.
b) Helps identify market leads & spot business problems that need to be addressed.
c) Helps in enhancing customer experience by allowing timely & appropriate response to their problems.

18. BUSINESS REPORTING / ENTERPRISE REPORTING

Refers to
a) public reporting of financial data by business enterprises, or
b) regular provision of information to decision makers within an organization to support them in their work.

It involves ETL (extract, transform, load) with a data warehouse & one or more reporting tools.
What does an organisation report?
a) Vision, mission, objectives & strategy
b) Governance arrangements & risk management
c) Financial, social & environmental performance
d) Trade-offs between long-term & short-term strategies
Types of Business Reporting
a) Financial & regulatory reporting, e.g. annual report
b) Environmental, social & governance reporting
c) Integrated reporting

18.1. WHY IS BUSINESS REPORTING IMPORTANT?

a) Allows organizations to present a cohesive explanation of their business and helps them engage with internal and external stakeholders.
b) Crucial for stakeholders to assess organizational performance and make informed decisions.
c) Various stakeholder groups are demanding increased ESG information, as well as greater insight into how these factors affect financial performance and valuations.
d) High-quality reports also promote better internal decision-making.
e) High-quality business reporting is at the heart of strong & sustainable organizations, financial markets & economies.

19. XBRL: EXTENSIBLE BUSINESS REPORTING LANGUAGE

▪ It is an open international standard language for
  a) digital business reporting &
  b) exchanging business information.
▪ It is often termed ‘bar codes for reporting’.
▪ It is managed by a global not-for-profit consortium, XBRL International Inc. (more than 600 organizations).
▪ It simplifies the way people can prepare, share, use & analyse business data.
▪ It is used across the world in more than 50 countries.

19.1. XBRL TAGGING

▪ It is a process by which
  ➢ financial data is tagged/linked with
  ➢ the most appropriate element/definition in a taxonomy (dictionary of accounting terms)
  ➢ that best represents the data.
▪ Reports prepared against the same taxonomy use the same element definitions, so numbers tagged with the same element are comparable irrespective of how they are described by those preparing the reports.
▪ This tagging facilitates
  a) identification/classification of data,
  b) interchange of data between different information systems & different users, and
  c) comparison between reports.

19.2. WHAT DOES XBRL DO?

XBRL makes reporting more accurate and more efficient. It allows unique tags to be associated with reported facts, allowing:
a) People publishing reports: to do so with confidence that the information contained in them can be consumed and analysed accurately.
b) People consuming reports: to test them against a set of business and logical rules, to capture and avoid mistakes at their source.
c) People using the information: to do so in the way that best suits their needs.
d) People consuming the information: to do so confident that the data provided to them conforms to a set of sophisticated pre-defined definitions.

19.3. USERS OF XBRL

1) Regulators
  a) Financial regulators, e.g. RBI for regulating banks.
  b) Securities regulator [SEBI] & stock exchanges, which analyse performance & compliance of listed companies.
  c) Business regulators that need to receive & provide corporate data, like financial statements of companies, to the public [mca.gov.in].
  d) Tax authorities, for assessing tax compliance.
2) Government: government agencies improve government reporting by standardizing the way reports are prepared & shared with other government agencies as well as the public.
3) Data providers: like credit rating agencies, who use the data to create comparisons, ratings & other value-added information like ratios of different companies for participants.
4) Analysts & investors
  ➢ Analysts: to understand relative risk & related performance.
  ➢ Investors: to evaluate the worth of a company & make investment decisions.
5) Companies
  ➢ Companies required to provide business reports to regulators.
  ➢ Companies that need to move information within a complex group.
6) Accountants: those who prepare XBRL reports.

19.4. FEATURES OF XBRL:

a) Clear definitions: allows creation of reusable & authoritative elements/definitions, i.e. a taxonomy, that best represent financial data. These taxonomies are developed by regulators, accounting standard setters, government agencies etc.
b) Testable business rules: allows creation of business rules, which can be logical or mathematical. These rules stop poor-quality information from being prepared, shared or used; they flag/highlight questionable information, resulting in corrective action or explanation; and they provide value-added information like ratios.
c) Multi-lingual support: allows definitions, i.e. the taxonomy, to be prepared in as many languages as required; it can also be translated into other languages.
d) Strong software support: supported by a wide variety of software, from large vendors to small vendors.
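Tagging (19.1) and testable business rules (19.4 b) together, as an added example written for these notes and not taken from XBRL International or any filing tool. The instance document, the ‘ex’ namespace, the element names and the amounts are all invented; a real filing uses the regulator's published taxonomy, proper XBRL namespaces, units and contexts.

```python
"""Added example, not from XBRL International or the study notes: a tiny
hand-built instance document in the spirit of XBRL. Each reported fact is
tagged with a taxonomy element and a context; the parser pulls the facts
out with the standard library and then applies two 'testable business
rules' of the kind the Features table describes - a logical rule (every
fact must use an element the taxonomy defines) and a mathematical rule
(Assets = Liabilities + Equity within one context). Everything here is
constructed for the illustration.
"""
import xml.etree.ElementTree as ET

EX_NS = "http://example.org/taxonomy"      # invented namespace for prefix 'ex'

# Constructed 'taxonomy': element name -> data type.
TAXONOMY = {"Assets": "monetary", "Liabilities": "monetary", "Equity": "monetary"}

# Constructed instance document. Note the misspelt 'Goodwil' tag and the
# assets figure that does not add up: both should be caught before filing.
INSTANCE = f"""<xbrl xmlns:ex="{EX_NS}">
  <context id="FY2023"><period>2023-03-31</period></context>
  <ex:Assets contextRef="FY2023" unitRef="INR" decimals="0">1500000</ex:Assets>
  <ex:Liabilities contextRef="FY2023" unitRef="INR" decimals="0">900000</ex:Liabilities>
  <ex:Equity contextRef="FY2023" unitRef="INR" decimals="0">500000</ex:Equity>
  <ex:Goodwil contextRef="FY2023" unitRef="INR" decimals="0">10000</ex:Goodwil>
</xbrl>"""


def parse_facts(xml_text):
    """Return (element, context, raw value) for every tagged fact in the instance."""
    root = ET.fromstring(xml_text)
    prefix = "{" + EX_NS + "}"
    facts = []
    for el in root:
        if el.tag.startswith(prefix):            # only taxonomy-tagged facts
            facts.append((el.tag[len(prefix):], el.get("contextRef"), (el.text or "").strip()))
    return facts


def validate(facts, taxonomy):
    """Apply the business rules; return a list of findings (empty list = clean)."""
    findings, values = [], {}
    for name, ctx, raw in facts:
        if name not in taxonomy:                 # logical rule: element must exist
            findings.append(f"{name}: not defined in taxonomy")
            continue
        try:
            values[(name, ctx)] = float(raw)     # monetary facts must be numeric
        except ValueError:
            findings.append(f"{name}: value {raw!r} is not numeric")
    for ctx in sorted({c for _, c in values}):
        a, l, e = (values.get((n, ctx)) for n in ("Assets", "Liabilities", "Equity"))
        if None in (a, l, e):
            findings.append(f"{ctx}: balance sheet incomplete")
        elif a != l + e:                         # mathematical rule
            findings.append(f"{ctx}: Assets {a} != Liabilities {l} + Equity {e}")
    return findings
```

Both findings are raised at the preparer's side, which is the point of 19.2 (b): the consumer of the report never sees the misspelt element or the unbalanced figures. Real taxonomies carry many more such rules (sign conventions, period types, required disclosures), but each is checked the same way, as a function over the tagged facts.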

20. APPLICABLE REGULATORY & COMPLIANCE REQUIREMENTS

▪ Regulatory compliance (RC) refers to an organization's adherence to the laws, regulations & guidelines relevant to its business.
▪ Organizations aspire to ensure that they are aware of relevant laws, rules & regulations & take steps to comply with them.
▪ Organizations are using consolidated & harmonized sets of compliance controls so that all necessary compliances are met without unnecessary duplication of effort & activities.
▪ Violation of regulatory compliance leads to punishment like interest, penalty, fees & prosecution.

TYPES OF REGULATORY COMPLIANCE
▪ General RC: applicable to all, irrespective of anything. E.g. income tax.
▪ Specific RC: applicable to specific types of business only. E.g. company law applies to companies only.

20.1. REGULATORY COMPLIANCE AND ACCOUNTING SYSTEM

▪ Closely connected, as RC requires data & accounting data comes from the accounting system. Two approaches: the same software for accounting & tax compliance, or different software for each.
▪ Ease of operation: LESS with the same software, as in an integrated system making changes at one place may affect other aspects also; MORE with different software, as it is used only for one purpose and so is more specialised.
▪ Features & functionality: LESS with the same software, as it is not an exclusive system for tax compliance; MORE with different software, as it is exclusively for tax compliance.
▪ Time & effort: LESS with the same software, as no time is required to transfer data to compliance software; MORE with different software, as data needs to be moved from the accounting software to the tax software.
▪ Accuracy: MORE with the same software, as there is no movement of data between systems and so no transfer error; LESS with different software, as with two separate systems the possibility of mismatch of data is always there.
▪ Cost: MORE with the same software, as customizing the accounting system for tax compliance is more costly than purchasing separate tax compliance software; LESS with different software, as specific software is less complicated and hence costs less.


CHAPTER 3

INFORMATION SYSTEM & ITS COMPONENTS

1. INTRODUCTION

Data
▪ Raw & unorganized pieces of information without context.
▪ It is not meaningful & does not convey any message as such.
▪ It may be (a) qualitative (e.g. colour), or (b) quantitative (numbers, e.g. weight, height).
Information
▪ Processed form of data, organized by the organization from internal & external sources. E.g. a traffic light.
System
▪ Group of inter-related & inter-dependent components working together to achieve a common goal. E.g. the human body.

2. INFORMATION SYSTEM / COMPUTER BASED I.S. (CBIS)

It is the combination of hardware, software, people, data resources & networks which
a) processes data into information
b) for a specific purpose/objective.
Examples:
Tally: accounting software in India.
QuickBooks: accounting software used across the world.
Objectives
▪ To convert data into information which is useful and meaningful.
▪ It helps enterprises in:
  a) making decisions,
  b) controlling operations,
  c) analyzing problems and creating new products or services as output.
Characteristics
a) CBIS is developed on the basis of predetermined objectives.
b) Inter-related and inter-dependent sub-systems.
c) If one sub-system fails, the whole system won't work.
d) Components interact among themselves.
e) Work done by individual sub-systems is integrated to achieve the common goal.


3. INFORMATION SYSTEM MODEL

The I.S. model provides a framework that emphasizes four major concepts that can be applied to all types of information systems:
a) Input: data is collected from the organization or from external environments and converted into the format required for processing.
b) Process: a process is a series of steps undertaken to achieve a desired outcome or goal. It facilitates conversion of data into information.
c) Output: the system processes the data by applying the appropriate procedure to it, and the information thus produced (output) is stored for future use or communicated to the user.
d) Feedback: the I.S. needs feedback that is returned to appropriate members of the enterprise to help them evaluate it at the input stage.

4. COMPONENTS OF INFORMATION SYSTEM

People
▪ Anyone who manages, runs, programs or uses the I.S.: programmers, system administrators, data entry operators, help desk, CIO.
Computer System
▪ Hardware: input devices, processing devices, storage devices, output devices.
▪ Software: OS software, application software, DBMS module.
Data Resource
▪ Data, database, database management system.
Network & Communication System
▪ Computer network, telecommunication.

4.1. HARDWARE

Tangible portion of the Computer System that can be seen and touched. Four groups:

a) Input devices - devices through which the user interacts with the system, i.e. gives instructions to
   the information system. Types:
   ➢ Text based input: Keyboard
   ➢ Point based input: Mouse, light pen
   ➢ Image based input: Scanner, Bar Code / QR Code reader, MICR
   ➢ Audio based input: Microphone
b) Processing devices - devices used to process data using program instructions, perform calculations
   and control other hardware devices. Examples: Central Processing Unit (CPU), Motherboard, Network
   Card, Sound Card.
c) Data storage devices - memory where data & programs are stored on a temporary or permanent basis.
   Examples: RAM & ROM, Pen Drive, Hard disk.
d) Output devices - devices through which the system responds, i.e. provides output to decision makers
   to solve problems. Examples: Speakers, Headphones, Screen (Monitor), Printer, Video.

4.1.1. PROCESSING DEVICE

▪ The most common processing device is the CPU, which is the actual hardware that interprets and
  executes software instructions.
▪ Built on a small flake of silicon containing the equivalent of millions (in modern processors, billions)
  of transistors.
▪ Transistors are like switches which can be "ON" or "OFF", i.e. take a value of 1 or 0.
▪ The CPU is known as the brain of the computer & consists of the following three functional units:

Control Unit
➢ controls the flow of data & instructions to and from memory,
➢ interprets the instructions, and
➢ controls which tasks to execute and when.

ALU (Arithmetic Logic Unit)
➢ performs arithmetic operations such as addition, subtraction, multiplication, and
➢ logical comparison of numbers: equal to, greater than, less than, etc.

Processor Registers
Registers are the part of the processor used to hold a computer instruction, perform mathematical
operations & execute commands. They are high speed, very small memory units within the CPU for storing
a small amount of data (mostly 32 or 64 bits). Registers can be:
a) accumulators (for keeping running totals of arithmetic values),
b) address registers (for storing memory addresses of instructions),
c) storage registers (for storing data temporarily), and
d) miscellaneous (general purpose, used for several functions).

4.1.2. DATA STORAGE DEVICES

Primary memory
Also known as Main Memory or Internal Memory. It is directly accessed by the processor using the data
bus. Mainly of two types:

RAM
a) Stores data that the computer is using at present.
b) Volatile in nature, i.e. information is lost as soon as power is lost.
c) Information stored can be read & modified.
d) Has a high impact on system performance: more running apps = more RAM consumed.
e) Costlier & higher speed.

ROM
a) Stores data which stays intact even when power is off, e.g. BIOS, boot system.
b) Non-volatile in nature.
c) Information stored can only be read, not modified.
d) Has no impact on system performance.
e) Cheaper & slower.

Cache Memory
Helps to bridge the huge speed gap between registers & primary memory. It is a smaller, very fast memory
built into the CPU and acts as a buffer between RAM & CPU. Cache stores data from main memory that is
used frequently (e.g. values computed earlier) so that the registers/CPU can access it faster.

Secondary memory
External memory. Not directly accessible by the CPU but accessed via primary memory.
Characteristics:
a) Non-volatile (permanent storage),
b) Large capacity,
c) Slower speed,
d) Economical.
Examples: Hard disk, Pen drive, memory card etc.

Memory hierarchy (fastest & smallest to slowest & largest):
Processor Registers -> Cache Memory -> Primary Memory -> Secondary Memory

4.1.3. OUTPUT DEVICES

▪ Output devices are devices through which the system responds.
▪ CBIS provide output to decision makers at all levels in an enterprise to solve business problems; the
  desired output may be in visual, audio or digital form.
▪ Information shown on a display device is called soft copy because the information exists electronically
  and is displayed only for a temporary period.
Types of Output
a) Textual output - characters used to create words, sentences and paragraphs.
b) Graphical output - digital representations of non-text information such as drawings, charts,
   photographs and animation.
c) Tactile output - such as raised line drawings, useful for some individuals who are blind.
d) Audio output - any music, speech or other sound.
e) Video output - images played back at a speed that gives the appearance of full motion.

4.2. SOFTWARE

▪ Set of instructions & programs that tells the computer what to do. Created through a process of
  coding/programming in a language like C++ or Java.
▪ Two types:

Operating System
Set of instructions/programs/software that
➢ manages hardware resources and
➢ acts as an intermediary between hardware & application software.
Examples: Windows, Linux, Android, Tizen, Harmony OS, iOS

Activities performed by the OS [HUMAN-FT]
a) Performing hardware functions - acts as intermediary between hardware & application software.
b) User Interface - connects the user with the I.S. It may be GUI based (icons and menus) or CUI based
   (command line).
c) Memory management - maximises available memory & storage; provides Virtual Memory (see below).
d) Logical Access Control - the OS identifies & authorises users through password/PIN.
e) Network capability - helps to connect various hardware.
f) File Management - keeps track of where each file is stored and uses this to retrieve files.
g) Task Management - lets a user work with more than one application at a time (multitasking) and lets
   more than one user use the system (time sharing).
h) Hardware Independence - any device, irrespective of manufacturer or design, can use the OS to run
   itself. The OS provides Application Programming Interfaces (APIs) used to create applications without
   considering the details of the hardware.

Application Software
Includes all software that causes the computer to perform useful tasks other than running the computer
itself. It addresses real-life problems of its end users, which may be business, scientific or any other
problem. It can be:
a) Standardised - MS Office
b) Customised - KKC
A group of application software is called an application suite.
Examples
App suite - MS Office, G Suite
Content access software - VLC, Adobe PDF Reader
Enterprise software - ERP like SAP
Advantages
a) Addresses user needs
b) Low threat from virus
c) Regular updates
Disadvantages
a) Costly development of application software
b) Risk of virus attack

Virtual Memory is not a separate device but an imaginary memory supported by the OS. If the RAM required
to run a program falls short, the OS moves data from RAM to a space on the hard disk called the paging
file. This frees RAM to execute the work. Thus it is an allocation of hard disk space to supplement RAM.

4.3. DATA RESOURCE

An organisation generates & collects a huge quantity of different types of data, like production related
data, HR related data, market related data etc. These are stored in DATABASES.

Database
Refers to a set of logically inter-related, organised data, i.e. data of some context. To manage unrelated
data, a separate database is used. Databases store both operational data (produced from day-to-day
working) and non-operational data (used for education, research etc.).
Hierarchy of a database
a) Database: Collection of Files.
b) File / Table / Entity: Collection of Records.
c) Record: Collection of Fields.
d) Field: Collection of Characters.
e) Character: Collection of Bits.

Database Management System (DBMS)
Software that helps the organisation in organising, controlling & using the data stored in the database.
It helps to create & maintain a well organised database. Personal DBMS are normally single-user;
commercial DBMS serve many users at once. Operations it can perform:
▪ Adding, deleting or modifying files in the database, and
▪ Retrieving data from an existing file.
Examples
Commercial DBMS - MySQL, Oracle
Personal DBMS - MS Access, OpenOffice Base

Database Models
Determine
a) the logical structure of the database, and
b) the manner in which data can be stored, organised & manipulated.
Types of Database Models
a) Hierarchical Database Model
b) Network Database Model
c) Relational Database Model
d) Object Oriented Database Model

A) HIERARCHICAL DATABASE MODEL

▪ Records/nodes are arranged logically in a hierarchy of relationships, in an inverted tree structure.
▪ The top record in the hierarchy that "owns" other records is called the Parent Record/Root Record. A
  parent may have one or more child records, but no child record may have more than one parent record.
▪ Types of relationships: 1 to 1, 1 to many.
▪ Data is accessed in a top-down manner, starting from the root.
▪ Search is difficult & time consuming.

B) NETWORK DATABASE MODEL

▪ Variation of the hierarchical database.
▪ It views data in sets, where each set is composed of one owner record & one or more member records.
▪ A record can be a member of more than one set at the same time (i.e. a child may have more than one
  parent).
▪ Users can access the database from any point to search it.
▪ Types of relationships: 1 to 1, 1 to many, many to 1, many to many.
▪ More flexible & faster search than the hierarchical model.

C) RELATIONAL DATABASE MODEL

▪ It organises data in a two-dimensional table structure.
▪ Most popular; highly flexible; more efficient & faster search.
▪ Three key terms used in an RDBMS:
  a) Relation - a table with columns and rows.
  b) Attribute - a column of the relation (one attribute, or a combination, is chosen as the key).
  c) Domain - the set of values an attribute can take.
▪ A relational database contains multiple tables.
▪ For each table, one of the fields is identified as the Primary Key, the unique identifier for each
  record in the table.
▪ When the primary key of one table is stored in another table to refer back to the former, it is called a
  Foreign Key. The DBMS can enforce that every foreign key value matches an existing primary key
  (referential integrity).
▪ Examples: MS Access, MySQL, Oracle
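An added example, not part of these notes, of the primary key, foreign key and domain constraints being
enforced by a relational DBMS. It uses Python's built-in sqlite3 with a constructed two-table schema
(customers and orders; the table and column names are assumptions) and shows the check a practitioner
adds: SQLite enforces foreign keys only when the foreign_keys pragma is switched on, so the database is
opened both ways and the orphan rows that slip through when it is off are listed.

```python
import sqlite3

# Added example, not part of the study notes. Constructed schema: customers
# (primary key cust_id) and orders (foreign key cust_id -> customers).
SCHEMA = """
CREATE TABLE customers (
    cust_id INTEGER PRIMARY KEY,      -- primary key: unique identifier of each record
    name    TEXT NOT NULL
);
CREATE TABLE orders (
    order_id INTEGER PRIMARY KEY,
    cust_id  INTEGER NOT NULL REFERENCES customers(cust_id),  -- foreign key
    amount   REAL NOT NULL CHECK (amount > 0)                 -- domain: positive amounts only
);
"""

# Constructed sample customers.
CUSTOMERS = [(1, "Asha"), (2, "Ravi")]


def open_db(enforce_fk=True):
    """Create an in-memory database. SQLite only checks foreign keys when the
    pragma is ON for the connection, so the example makes that explicit."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers VALUES (?, ?)", CUSTOMERS)
    conn.commit()
    return conn


def insert_order(conn, order_id, cust_id, amount):
    """Return True if the row was accepted, False if a constraint rejected it.
    The transaction is rolled back on rejection, so nothing partial is left."""
    try:
        with conn:
            conn.execute("INSERT INTO orders VALUES (?, ?, ?)",
                         (order_id, cust_id, amount))
        return True
    except sqlite3.IntegrityError:
        return False


def orders_with_customer(conn):
    """Join the two tables on the key: the relational way of combining records."""
    return conn.execute(
        "SELECT o.order_id, c.name, o.amount FROM orders o "
        "JOIN customers c ON c.cust_id = o.cust_id ORDER BY o.order_id"
    ).fetchall()


def orphan_orders(conn):
    """Detective check for referential integrity: orders whose cust_id
    matches no customer. Empty when the DBMS enforced the foreign key."""
    return conn.execute(
        "SELECT order_id FROM orders o WHERE NOT EXISTS "
        "(SELECT 1 FROM customers c WHERE c.cust_id = o.cust_id)"
    ).fetchall()


if __name__ == "__main__":
    db = open_db()
    print(insert_order(db, 10, 1, 250.0))   # accepted
    print(insert_order(db, 11, 99, 10.0))   # rejected: no customer 99
    print(orders_with_customer(db))
```

With the pragma off, the order for the non-existent customer 99 is accepted silently and only the
orphan_orders query finds it afterwards; with it on, the DBMS rejects the row at insert time, which is the
integrity guarantee the relational model is valued for.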

D) OBJECT ORIENTED DATABASE MODEL

▪ An OODBMS stores a set of objects.
▪ An object bundles data together with the pre-defined program code (methods) that performs a specific
  task on that data.
▪ OODBMS helps to store more complex data like audio, image, video etc.
▪ Examples of use: Computer Aided Design & Engineering, multimedia/video processing.

4.3.1. ADVANTAGES OF DBMS

1. Program & File Consistency - file formats & programs are standardised.
2. Minimised data redundancy - duplication of information is eliminated, controlled or reduced.
3. Data sharing - the same information is available to different users.
4. Integrity can be maintained - the database contains accurate, consistent & up to date data, and
   changes are allowed only by authorised persons.
5. User Friendly - enables users to access and use data easily without needing a computer expert.
6. Improved Security - since multiple users use the same data, user access rules have to be defined and
   enforced centrally.
7. Data Independence - data resides in the DB and not in the application, so both are independent.
8. Faster application development - since the data is already present in the DB, the developer only has
   to think about the logic to retrieve it in the way the user needs.

4.3.2. DISADVANTAGES OF DBMS

1. Costly & time consuming - in terms of both the system and user training.
2. Security Risk - an unauthorised user may gain access to the DB; because everything is centralised, such
   a breach tends to be an all-or-nothing proposition (access to the DB means access to all of its data).

4.3.3. SOME CONCEPTS RELATED WITH DATABASE

A. BIG DATA

▪ Refers to data sets so massive that conventional database tools do not have the processing power to
  analyse them. E.g. Google handles billions of searches every day.
▪ Some industries that use big data analytics include E-commerce (Amazon), Retail (Walmart), Healthcare,
  Hospitality etc.
Benefits of Big Data Processing
a) Improved Customer Service - helps in reading & evaluating customer feedback.
b) Better Operational Efficiency - integration of Big Data technologies with the data warehouse helps an
   organisation offload infrequently accessed data, improving efficiency.
c) Better Decision Making - by using outside intelligence, e.g. access to social data from Facebook,
   Twitter etc. helps an organisation fine-tune its business strategy. It also helps in early
   identification of risks to products/services, if any.


B. DATA WAREHOUSE

▪ A data warehouse is a large collection of business data used for storage & analysis to help an
  organisation make decisions.
▪ Directly analysing the data that is needed for day-to-day operations is not a good idea, as it interferes
  with the normal functioning of the organisation; the warehouse works on a separate copy.
▪ The process of extracting data from operational databases and bringing it into the data warehouse is
  commonly called ETL, which stands for Extraction, Transformation, and Loading.
  a) First stage: the data is Extracted from one or more of the organisation's databases.
  b) Second stage: the extracted data is placed in a temporary area called the Staging Area, where it is
     Transformed (cleansed, sorted, filtered etc.) as per the information requirements.
  c) Final stage: the transformed data is Loaded into the data warehouse, which is itself another database
     for storage and analysis.
Features, i.e. criteria a data warehouse should meet:
a) Uses non-operational data, i.e. a copy of data from the active databases.
b) Data is time variant, i.e. when data is loaded into the warehouse it receives a time stamp, which allows
   the organisation to compare it over a period of time.
c) Data is standardised in terms of rules & format, like dates, units of measurement etc.
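A worked ETL run, added here as an example and not part of these notes, over two constructed operational
extracts that disagree on date format and units (the systems, field names and rows are made up for the
example). extract copies the rows into a staging list, transform cleanses them (an incomplete row and a
row extracted twice are dropped) and standardises dates and units, and load stamps every row with the load
time so that the warehouse data is time variant.

```python
from datetime import datetime, timezone

# Added example, not from the study notes. Constructed operational extracts:
# the sales system uses DD/MM/YYYY and kilograms, the inventory system uses
# ISO dates and grams. The second sales row lacks a quantity, and the third
# is the first row extracted again (overlapping batch windows).
SALES_SYSTEM = [
    {"id": 1, "sold_on": "03/01/2024", "qty": "12", "unit": "kg"},
    {"id": 2, "sold_on": "04/01/2024", "qty": "", "unit": "kg"},
    {"id": 1, "sold_on": "03/01/2024", "qty": "12", "unit": "kg"},
]
INVENTORY_SYSTEM = [
    {"id": 7, "date": "2024-01-05", "weight": "500", "unit": "g"},
]

PER_KG = {"kg": 1, "g": 1000}   # divisor that converts each unit to kilograms


def extract():
    """Stage 1: copy operational rows into the staging area. The copies are
    non-operational data; the live systems are not touched again."""
    staging = [("sales", dict(r)) for r in SALES_SYSTEM]
    staging += [("inventory", dict(r)) for r in INVENTORY_SYSTEM]
    return staging


def transform(staging):
    """Stage 2: cleanse (drop incomplete and duplicate rows) and standardise
    dates to ISO 8601 and quantities to kilograms."""
    seen, out = set(), []
    for source, row in staging:
        if source == "sales":
            date = datetime.strptime(row["sold_on"], "%d/%m/%Y").date()
            raw_qty = row["qty"]
        else:
            date = datetime.strptime(row["date"], "%Y-%m-%d").date()
            raw_qty = row["weight"]
        if raw_qty == "":
            continue                      # cleansing: reject, do not guess
        key = (source, row["id"])
        if key in seen:
            continue                      # duplicate from overlapping extract
        seen.add(key)
        out.append({"source": source, "source_id": row["id"],
                    "date": date.isoformat(),
                    "qty_kg": float(raw_qty) / PER_KG[row["unit"]]})
    return out


def load(rows, warehouse, loaded_at=None):
    """Stage 3: append to the warehouse with a load timestamp (time variant).
    loaded_at is an ISO 8601 string; it defaults to the current UTC time."""
    loaded_at = loaded_at or datetime.now(timezone.utc).isoformat()
    for r in rows:
        warehouse.append({**r, "loaded_at": loaded_at})
    return warehouse


def run_etl(warehouse=None, loaded_at=None):
    """Run the three stages; returns the (possibly pre-existing) warehouse list."""
    return load(transform(extract()), [] if warehouse is None else warehouse, loaded_at)


if __name__ == "__main__":
    for record in run_etl():
        print(record)
```

Running the same ETL again appends a second set of rows with a later load timestamp, which is exactly what
lets the warehouse compare the figures over time; an operational database would simply have overwritten
them.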

Two schools of thought/approaches

Bottom-Up Approach
Step I: Create small data warehouses known as Data Marts to solve specific problems.
Step II: Combine them to form a large data warehouse.

Top-Down Approach
Step I: Create an enterprise-wide data warehouse.
Step II: As specific needs are identified, create smaller data marts from the data warehouse.

Benefits of a Data Warehouse
a) Better understanding of data.
b) Inconsistent data can be determined, as it provides a centralised view of all collected data.
c) Generates one version of the truth, e.g. number of employees, sales etc.
d) Creates a historical record of data, which allows an organisation to analyse trends.
e) Can be used along with Business Intelligence tools for new information & analysis.


C. DATA MINING

▪ Process of analysing large data sets to find previously unknown trends & patterns in order to make
  decisions.
▪ Accomplished through automated means against extremely large data sets such as a data warehouse.
▪ Examples of Data Mining tools - MS Excel, Oracle Data Mining, RapidMiner
The steps involved in the Data Mining process:
1. Data Integration - data is collected and integrated from all the different sources, which could be flat
   files, relational databases, a data warehouse or the web etc.
2. Data Selection - all the collected data may not be required for mining, so only the data thought to be
   useful is selected.
3. Data Cleaning - the collected data may contain errors, missing values or inconsistent data; it needs to
   be cleaned to remove such inconsistencies.
4. Data Transformation - the cleaned data is transformed into an appropriate form for mining using
   techniques like smoothing, aggregation, normalisation etc.
5. Data Mining - data mining tools are applied to discover interesting hidden patterns.
6. Pattern Evaluation and Knowledge Presentation - visualisation, transformation, removal of redundant
   patterns etc. from the patterns generated.
7. Decisions / Use of Discovered Knowledge - the user makes use of the knowledge acquired to take better
   informed decisions.

D. DIFFERENCES BETWEEN DATABASE, DATA WAREHOUSE & DATA MINING

Database
▪ Stores real time information.
▪ Function: to record.
▪ Example: in the telecommunication sector, the database stores information related to monthly billing
  details, call records, minimum balance etc.

Data Warehouse
▪ Stores both historic & transactional data.
▪ Function: to report & analyse.
▪ Example: in the same sector, information in the data warehouse is used for product promotions and
  decisions relating to sales, cash back offers etc.

Data Mining
▪ Analyses data to find previously unknown trends.
▪ Function: to extract useful data.
▪ Example: in the same sector, information is analysed by data mining techniques to find out call duration
  with respect to a particular age group from the entire data available.


4.4. NETWORKING AND COMMUNICATION SYSTEMS

1. Computer Network - collection of computers & other hardware interconnected by a communication
   channel/mode/medium which allows sharing of data, resources & information.
2. Telecommunication - refers to sharing/exchanging data/information over a computer network. It helps in
   a) increasing the efficiency of operations;
   b) improving the effectiveness of management; and
   c) innovation in the market place.
3. Network & Communication System - consists of both hardware and software. It links various pieces of
   hardware & transfers data from one physical location to another. Computers and communications equipment
   can be connected in networks for sharing voice, data, images, sound and video.
   Types:
   Connection Oriented Network - first a connection is established between sender & receiver, then data is
   exchanged. E.g. telephone; transfer of a movie from a laptop.
   Connection Less Network - no prior connection is made before data exchange; modelled on the postal
   network. E.g. e-mail, SMS.

A computer network is designed to address the following issues:
1. Routing - process of deciding how to communicate data from source to destination in a network.
2. Bandwidth - amount of data which can be transferred across the network in a given time. Higher
   bandwidth, higher the speed of data transfer.
3. Resilience - ability of a network to recover from any kind of error like power failure, connection
   failure etc. If one server is down, another takes over.
4. Contention - situation where there is conflict for some common resource in a network. A policy should
   be made for priority of access.

Benefits of a computer network
a) Computation power is distributed among computers in the network. This reduces the load on individual
   systems & improves performance.
b) User communication - allows users to communicate using e-mail, video conferencing etc.
c) Resource sharing - data stored in a database can be shared across different systems using the computer
   network. Similarly, hardware like printers can be shared.
d) Reliability - critical operations can run across different systems distributed across the network, so
   reliability increases.
e) Distributed nature of information - enables distribution of information geographically as well as
   consolidation of information when required, e.g. preparing the financial statements of a bank.

Value & impact of telecommunication
a) Time compression - enables the organisation to transmit data & information quickly & accurately
   between remote sites.
b) Overcoming geographical dispersion - enables an organisation with units in remote areas to function as
   one unit.
c) Restructuring of business relationships - eliminates intermediaries from various business processes,
   resulting in increased operational efficiency.

5. INFORMATION SYSTEM CONTROLS

▪ Objectives of I.S. Controls
  a) Undesired events/risks are prevented, detected and corrected.
  b) To ensure business objectives are achieved.
▪ How are the above objectives achieved?
  By designing & implementing an effective information control framework which
  ➢ comprises policies, procedures, practices and organisation structure
  ➢ that gives reasonable assurance that business objectives shall be achieved.
▪ Critical control weaknesses commonly found in a computerised environment:
  a) Lack of management understanding of IS risks and related controls;
  b) Lack of awareness & knowledge of IS risks and controls amongst the business users and even IT staff;
  c) Absence of, or an inadequate, IS control framework;
  d) Complexity of implementation of controls.

6. TYPES OF I.S. CONTROLS

a) Based on objective of controls: Preventive, Detective, Corrective controls.
b) Based on nature of I.S. resources: Environmental, Physical Access, Logical Access controls.
c) Based on audit functions: Managerial controls, Application controls.

6.1. I.S. CONTROLS BASED ON OBJECTIVES

Preventive Controls
▪ Prevent errors, omissions or security incidents from happening. Proactive in nature.
▪ Can be implemented in a manual or computerised environment.
▪ Characteristics:
  a) Clear-cut understanding of the vulnerabilities of the asset.
  b) Understanding of probable threats.
  c) Provision of the necessary controls to prevent probable threats from materialising.
▪ Examples: locks; security guards; fireproof walls, smoke detectors; qualified personnel; PIN & password;
  firewall & anti-virus.

Detective Controls
▪ Designed to detect errors, omissions or security incidents that escape preventive controls.
  Investigative in nature.
▪ Characteristics:
  a) Clear understanding of lawful activities, so that deviations can be recognised.
  b) Established mechanism to refer the reported security incident to the appropriate person.
  c) Interaction with preventive controls to prevent such acts from occurring in future.
  d) Surprise checks by the supervisor.
▪ Examples: fire alarm, CCTV camera, cash counting, review of payroll reports, monitoring actual
  expenditure against budget, duplicate checking of calculations, internal audit functions, bank
  reconciliation, intrusion detection system.

Corrective Controls
▪ Designed to correct errors, omissions or security incidents once they have been detected. Reactive in
  nature; reduce the impact of a risk/security incident once it has been detected.
▪ Characteristics:
  a) Minimising the impact of the threat
  b) Identifying the root cause of the problem
  c) Providing a remedy
  d) Getting feedback
  e) Modifying preventive controls to prevent future occurrence.
▪ The corrective process should itself be subject to preventive & detective controls. It is generally more
  effective to prevent errors, or detect them as close to their source as possible, than to correct them.
▪ Examples: quarantining the virus, system rebooting, corrective journal entries, business continuity plan,
  backup procedures.

6.2. CONTROLS BASED ON NATURE OF I.S. RESOURCES

6.2.1. Environmental Controls - related to the IT environment in which the I.S. functions. Environmental
exposures & the relevant controls are as follows:

Fire - damage to equipment & facility due to fire.
Controls
a) Fire resistant material
b) Install manual & automatic alarms at strategic locations
c) Install smoke detectors
d) Install fire extinguishers
e) Emergency exit/fire exit plan

Water - damage to equipment & facility due to water related incidents like pipe burst, cyclone, floods etc.
Controls
a) Install water alarms at strategic locations
b) Use water proof walls, ceilings & floors
c) Put the computer room above the ground floor but not on the top floor
d) Proper drainage system

Electricity exposure - due to electrical faults like a sudden upsurge in power supply, voltage
fluctuations etc.
Controls
a) Voltage regulators & circuit breakers
b) UPS/Generator
c) Emergency power-off switch
d) Power leads from two substations

Pollution damage - the major pollutant is dust, which can cause permanent damage to hardware.
Controls
a) Regular cleaning
b) Prohibition on eating, drinking & smoking in the I.S. facility

6.2.2. Physical Access Control - relates to the physical security of I.S. resources. Applied against
physical exposures, which include abuse of information processing devices, theft, damage, blackmail etc.

Locks on doors
a) Bolting door lock - no duplicate key.
b) Cipher lock (combination lock) - to enter, a person presses a four-digit number and the door unlocks for
   a predetermined period.
c) Electronic door lock - a magnetic or chip-based plastic card key is used to gain access.

Physical identification medium
a) Personal Identification Number (PIN) - means to identify & verify the authenticity of a user. The user
   logs in by inserting a card in a device and then entering their PIN via a keypad for authentication.
b) Plastic card - used for identification purposes.
c) Identification badge.

Logging on facility - an official record of access/activity.
a) Manual logging - visitors sign a visitor's log indicating their name, date & time of visit, company
   represented, purpose of visit & person visited.
b) Electronic logging - combination of biometric security & an electronic security system. Maintains
   details/logs of every access attempt, whether failed or successful.

Others
a) CCTV monitored by security.
b) Security guard.
c) Controlled visitor access - a responsible employee escorts the visitor.
d) Single entry point.
e) Dead Man's Door - a pair of doors where the first entry door must close & lock before the second door
   opens, with only one person permitted in the holding area.
f) Alarm system & perimeter fencing.

6.2.3. LOGICAL ACCESS CONTROL

▪ Applied to protect the I.S. from logical access violators like hackers, current & past employees, IS
  personnel, end users etc.
▪ Ensures that access to systems, data, programs and the OS is restricted to authorised users only.
▪ Key factors considered in designing logical access controls include
  ➢ confidentiality and privacy requirements,
  ➢ authorisation, authentication and incident handling,
  ➢ virus prevention and detection,
  ➢ firewalls, centralised security administration, user training and tools for monitoring compliance.

Logical Access Exposures/Risks, if no logical access control is applied

Technical Exposures - unauthorised modification of data & software. Types:
a) Data diddling - changing data before or after entering it into the system. Limited technical knowledge
   is required.
b) Bomb - malicious code which "explodes" when the condition coded into it is satisfied, causing immediate
   damage. It cannot infect other programs & hence the damage is not widespread.
   Logic bomb - triggered by a condition, e.g. if sales cross INR 1 crore, delete all data.
   Time bomb - explodes at a given time.
c) Trojan horse - malicious software or code that looks like a legitimate/harmless program. Once installed,
   it can damage, steal or disrupt the system. E.g. the "Christmas card" program.
d) Worm - malicious program which replicates itself in idle memory, thus slowing the computer. The notes
   treat slowing the computer as its only effect; in practice worms often carry further payloads.
e) Rounding down - rounding off small fractions of an amount and transferring the fractions to an
   unauthorised account.
f) Salami technique - slicing a small fixed amount of money from computerised transactions & transferring
   it to an unauthorised account.
g) Trap door/Back door - created by the developer to gain access for maintenance. Can be misused by
   unauthorised users to access the software as well.
h) Spoofing - forging one's source address. One machine is used to impersonate another, & the user is made
   to think that they are interacting with the operating system.

Asynchronous Attacks - data that is waiting to be transmitted is liable to unauthorised access; such
access is called an asynchronous attack. These attacks make use of the time gap between when data is input
to the system and when it gets processed by the system. Types:
a) Data leakage - leaking information out of the computer by copying data onto external devices or print
   outs.
b) Wire tapping - spying on information being transmitted over a computer network.
c) Subversive attack - enables intruders to access data being transmitted & also to modify it, violating
   its integrity.
d) Piggybacking - following an authorised person through a secured door (physical), or electronically
   attaching to an authorised telecommunication link so as to intercept and alter transmissions.
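A worked illustration of the rounding-down/salami exposure above, and of the detective controls of 6.1
("duplicate checking of calculations", reconciliation), added here as an example and not part of these
notes. The account numbers, balances and the 0.5% monthly interest rate are constructed for the example.
It shows why a reconciliation of totals alone passes for the fraudulent posting, and that independently
re-computing each account's credit is what exposes it.

```python
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_EVEN

# Added example, not from the study notes. Constructed monthly interest run:
# four accounts, 0.5% per month, amounts in rupees rounded to the paisa.
RATE = Decimal("0.005")
PAISA = Decimal("0.01")
BALANCES = {
    "A-100": Decimal("1234.56"),
    "A-101": Decimal("987.65"),
    "A-102": Decimal("4321.09"),
    "A-103": Decimal("55.55"),
}


def honest_posting(balances):
    """Approved calculation: each account is credited with its interest
    rounded half-even to the paisa."""
    return {acct: (bal * RATE).quantize(PAISA, ROUND_HALF_EVEN)
            for acct, bal in balances.items()}


def salami_posting(balances, sink="X-999"):
    """The exposure: round every credit DOWN and sweep the shaved fractions into
    an unauthorised account. Each customer loses under one paisa, so nobody
    notices. Returns (posted credits, total shaved before rounding)."""
    posted, shaved = {}, Decimal("0")
    for acct, bal in balances.items():
        exact = bal * RATE
        down = exact.quantize(PAISA, ROUND_DOWN)
        posted[acct] = down
        shaved += exact - down
    posted[sink] = shaved.quantize(PAISA, ROUND_DOWN)
    return posted, shaved


def totals_only_check(balances, posted):
    """Weak detective control: interest recomputed on the aggregate balance is
    compared with the total posted, to the paisa. Passes for BOTH postings,
    because the salami sweep keeps the total intact."""
    expected = (sum(balances.values()) * RATE).quantize(PAISA, ROUND_HALF_EVEN)
    return abs(sum(posted.values()) - expected) <= PAISA


def per_account_check(balances, posted):
    """Effective detective control ("duplicate checking of calculations"):
    every credit is recomputed independently with the approved rounding rule.
    Returns the accounts whose posted credit differs, including any credit to
    an account that has no balance to earn it."""
    expected = honest_posting(balances)
    return sorted(acct for acct, amt in posted.items() if expected.get(acct) != amt)


if __name__ == "__main__":
    fraud, shaved = salami_posting(BALANCES)
    print("shaved:", shaved, "swept to X-999:", fraud["X-999"])
    print("totals-only check passes:", totals_only_check(BALANCES, fraud))
    print("per-account discrepancies:", per_account_check(BALANCES, fraud))
```

Account A-100 happens to round the same way under both rules, so it does not appear in the discrepancy
list; the other three accounts and the sink account X-999, which earned nothing yet was credited, do. The
lesson for control design is that a reconciliation must be done at the granularity at which the
manipulation happens.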

Logical Access Controls

User Access Management
a) User registration - information about the user is documented. De-registration is equally important.
b) Privilege management - user access and privileges should be aligned with the user's duties, i.e. on a
   'need to know' or 'need to do' basis.
c) User password management - creation, storage, revocation & reissue of passwords.
d) Review of user access rights - over a period of time, as duties & responsibilities change.

User Responsibility
a) Password use - passwords should be strong (minimum length, special characters) & changed periodically.
b) Unattended user equipment - users should be educated not to leave their device unattended & unprotected.

Network Access Control - an internet connection exposes the organisation to harmful elements.
a) Policy on use of network - selection of appropriate services and approval to access them should be part
   of this policy.
b) Enforced path - the user is routed through a definite path for connecting to the organisation's network,
   which may be through a firewall.
c) Firewall - a system that enforces access control between two networks.
d) Encryption - discussed later.
e) Segregation of networks - sensitive networks are segregated from the others.
f) Call back devices - aim to keep intruders off the intranet by allowing network access only from an
   authorised telephone number or terminal. The user enters a password, the system breaks the connection
   and, if the caller is authorised, the call back device dials the caller's number to establish a new
   connection.

OS Access Control
a) Automated terminal identification - ensures that only authorised terminals are connected to the I.S.
b) Terminal log-in procedure - the user provides ID and password to log in. First line of defence.
c) Access token - after a successful login, the OS generates an access token containing the user's
   information, which is used to decide the user's access during the session.
d) Access control list - the OS's ACL contains information on each user's access rights.
e) Terminal timeout - logs the user out if the system is inactive for a specified period.
f) Limitation of connection time - defines the time slots during which connection to the OS is allowed.
g) Duress alarm - means to alert the authorities if a user is forced to execute a command.
h) Password management - enforces the selection of good passwords.

Application & Monitoring System Access Control
a) Information access restriction - access to information is restricted by the application; a user can
   access only the data they are authorised for.
b) Sensitive system isolation - based on how critical a system is to the organisation, it may be necessary
   to run it in isolation, e.g. cash counting.
c) Event logging - all user events are logged (user id, time of access, terminal location etc.), archived &
   reviewed.
d) Monitor system use - based on risk assessment and the criticality of the system, its use should be
   monitored. The extent of detail and frequency of review depend on the sensitivity of the system.
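The OS and application access controls listed above, put together in one small Python class as an added
example that is not part of these notes: user registration with a need-to-know ACL, a password policy,
terminal log-in producing an access token, account lock-out after repeated failures, terminal timeout and
an event log of every attempt. Passwords are stored as salted PBKDF2 hashes rather than in clear. The
minimum length, timeout and lock-out thresholds are assumptions chosen for the example, and the clock is
injectable only so that the timeout can be exercised without waiting.

```python
import hashlib
import hmac
import os
import re
import time

# Added example, not from the study notes. Toy implementation of several of
# the logical access controls listed above; the thresholds are assumptions.
PASSWORD_MIN_LEN = 12                        # password use: minimum length ...
SPECIAL_CHAR = re.compile(r"[^A-Za-z0-9]")   # ... and at least one special character
TERMINAL_TIMEOUT_S = 600                     # terminal timeout: 10 minutes idle
MAX_FAILED_LOGINS = 5                        # lock the account after this many failures


def password_acceptable(pw):
    """Password management: enforce selection of good passwords."""
    return len(pw) >= PASSWORD_MIN_LEN and SPECIAL_CHAR.search(pw) is not None


def make_credential(pw):
    """Store a salted PBKDF2 hash, never the password itself."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


def check_credential(cred, pw):
    salt, digest = cred
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    return hmac.compare_digest(digest, candidate)


class AccessControl:
    """User registration with an ACL, terminal log-in, access tokens tied to a
    session, ACL checks, terminal timeout and an event log of every attempt.
    `clock` is injectable so the timeout can be exercised deterministically."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.creds = {}       # user -> (salt, hash)
        self.acl = {}         # user -> {resource: set(rights)}   (need-to-know basis)
        self.failed = {}      # user -> consecutive failed log-ins
        self.sessions = {}    # token -> [user, terminal, last_active]
        self.events = []      # event log: who, when, where, what, outcome

    def _log(self, user, terminal, action, ok, detail=""):
        self.events.append({"time": self.clock(), "user": user, "terminal": terminal,
                            "action": action, "ok": ok, "detail": detail})

    def register(self, user, password, rights):
        """User registration + privilege management. Rejects weak passwords."""
        if not password_acceptable(password):
            self._log(user, "-", "register", False, "weak password")
            return False
        self.creds[user] = make_credential(password)
        self.acl[user] = {res: set(r) for res, r in rights.items()}
        self._log(user, "-", "register", True)
        return True

    def login(self, user, password, terminal):
        """Terminal log-in procedure. Returns an access token or None."""
        if self.failed.get(user, 0) >= MAX_FAILED_LOGINS:
            self._log(user, terminal, "login", False, "locked")
            return None
        cred = self.creds.get(user)
        if cred is None or not check_credential(cred, password):
            self.failed[user] = self.failed.get(user, 0) + 1
            self._log(user, terminal, "login", False, "bad credentials")
            return None
        self.failed[user] = 0
        token = "%s@%s:%d" % (user, terminal, len(self.events))   # token carries user info
        self.sessions[token] = [user, terminal, self.clock()]
        self._log(user, terminal, "login", True)
        return token

    def access(self, token, resource, right):
        """Check a request against the session's ACL entry; every outcome is logged."""
        sess = self.sessions.get(token)
        if sess is None:
            self._log("?", "?", right + ":" + resource, False, "no session")
            return False
        user, terminal, last_active = sess
        now = self.clock()
        if now - last_active > TERMINAL_TIMEOUT_S:
            del self.sessions[token]                 # terminal timeout: forced logout
            self._log(user, terminal, right + ":" + resource, False, "terminal timeout")
            return False
        sess[2] = now
        ok = right in self.acl.get(user, {}).get(resource, set())
        self._log(user, terminal, right + ":" + resource, ok, "" if ok else "denied by ACL")
        return ok
```

The events list is the raw material for the "event logging" and "monitor system use" controls: every
entry records user id, time, terminal and outcome, so a reviewer can pick out the lock-out, the
timed-out session and the ACL denials without any other source.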


6.3. CLASSIFICATION OF CONTROLS BASED ON AUDIT FUNCTIONS

Auditors have found the following two classes of controls useful when conducting information systems
audits:

Managerial Controls
Objective: ensure that the I.S. is developed, implemented, operated & maintained in a planned and controlled
manner.
Types
a) Top Management & I.S. Management Controls
b) System Development Management Controls
c) Programming Management Controls
d) Data Resource Management Controls
e) Quality Assurance Management Controls
f) Security Management Controls
g) Operations Management Controls

Application Controls
Objective: ensure that data remains complete, accurate & valid through input, update & storage, and that
processing is complete.
Types
a) Boundary Controls
b) Input Controls
c) Processing Controls
d) Output Controls
e) Database Controls
f) Communication Controls

6.3.1. M A N A G E R I A L C O N T R O L S

6.3.1.1. TOP MANAGEMENT & I.S. MANAGEMENT CONTROLS

▪ Controls of Top Mgt. should ensure that I.S. functions properly & meets strategic business objectives.
▪ Scope of controls includes framing high level IT policies, procedures & standards.
▪ Controls flow from the top of an Organization down, but responsibility still lies with the senior mgt.
▪ 4 Major functions of Senior Management:
a) Planning - Top Mgt. prepares plan for achieving I.S. goals. Two types of plans (Strategic & Operational plan). Steering committee shall assume overall responsibility for I.S. function.
b) Organising - To create IT organizational structure with documented roles and responsibilities and agreed job descriptions. Includes arranging and allocating resources needed to achieve goals determined in Planning phase.
c) Leading - Includes motivating & communicating with Personnel. Ensures that personal objectives are aligned with Org. objectives so that there is harmony of objectives w/o conflict.
d) Control - Comparing actual performance with planned performance. In case of any deviation, corrective action is taken.

6.3.1.2. SYSTEM DEVELOPMENT MANAGEMENT CONTROLS

▪ Related to process of system development life cycle.
▪ Ensures proper documentation & authorizations are available for each phase of system development.
▪ 6 steps:
1. System Authorization Activities - All systems must be properly & formally authorized to ensure their economic & technical justification and feasibility.
2. User Specification Activities - User needs to provide detailed requirement in written form (known as Functional Requirements Document). It discusses user's view w.r.t. problems.
3. Technical Design Activities - User's specification is converted into technical design by system developer.
4. Programme Testing - All modules must be tested before implementation. Result of test is compared with standard to determine if there is any error in logic or program.
5. User Test & Acceptance - Before implementation, all modules are tested as a whole by user, who ensures that it functions as per requirement of user.
6. Internal Auditor's Participation - Should be involved at inception of system development process to examine & give suggestions on system requirements & controls throughout all phases.

6.3.1.3. PROGRAMMING MANAGEMENT CONTROLS

▪ Major phase in system development life cycle.
▪ Objective: To produce or acquire & to implement high-quality programs that are authentic, accurate & complete.
▪ Six phases of program development lifecycle & related controls are as below:
1. Planning - Uses different techniques for s/w development like WBS [Work Breakdown Structure] & PERT [Program Evaluation Review Technique].
2. Design - Structured / systematic approach to design programme. Modular design.
3. Coding - Structured / systematic approach is adopted for coding program.
4. Testing - Program is tested before implementation. Three types:
a) Unit test → Testing of individual program module.
b) Integration test → Testing of group of program modules.
c) Whole of Programme testing → Focuses on whole Program.
5. Operation & Management - Involves monitoring and making changes in system when required on timely basis. Three types:
a) Repair / corrective → Remove errors from s/w or fix the bugs.
b) Perfective → Program is fine-tuned to reduce resource consumption. E.g. Better UI
c) Adaptive → Change in s/w due to change in user requirement.
6. Control - Runs parallel in all phases. Two Major Purposes:
a) Control over s/w lifecycle phases to ensure task progress is as per plan & corrective action is taken in case of any deviation.
b) Control on overall s/w development / acquisition process to ensure it is accurate, authentic & complete.

6.3.1.4. DATA RESOURCE MANAGEMENT CONTROLS


Objectives w.r.t. Data Resource Management Controls:
a) Confidentiality of Data is maintained → Access control
b) Integrity of Data is preserved → Update control
c) Availability of Data to users when needed → Back up control

Access Control - Ensures that data is available only to authorized users. It involves:
i) User access control through PIN, Password, CARD etc.
ii) Encryption of data etc.
Update Control - It ensures that database is updated by authorized persons only.
Back up Control - Back up refers to making copy of data & storing it somewhere else so that it can be used when first copy of data is not available. It helps to ensure availability of data when required.

The above is accomplished by
a) Appointing senior trustworthy persons
b) Segregating duties to the extent possible
c) Maintaining & monitoring logs of data administrator's & database administrator's activities.

6.3.1.5. QUALITY ASSURANCE MANAGEMENT CONTROLS

Quality Assurance management is concerned with ensuring that
a) I.S. produced achieve certain quality goals.
b) Development, implementation & maintenance is done as per Quality standards.

Who will ensure Quality Assurance?
QA Personnel, who ensure that
a) Quality goals are established & clearly understood by all stakeholders.
b) Compliance occurs with standards.
c) Best practices in the industry are also incorporated during the production of information systems.

6.3.1.6. SECURITY MANAGEMENT CONTROLS

Related to Control based on nature of I.S. resources i.e., it covers
a) Environmental Control (E.g. Fire, water)
b) Physical Access Control
c) Logical Access Control
However, despite all controls, disasters i.e., events which critically hit the business continuity in an irreversible manner may occur.
Controls for disasters
i) Disaster Recovery Plan - Deals with how the organization recovers from a disaster and comes back to its normalcy. A comprehensive DRP comprises four parts:
➢ an Emergency Plan,
➢ a Backup Plan,
➢ a Recovery Plan and
➢ a Test Plan.
ii) Insurance - Adequate insurance must be able to replace Information Systems assets and to cover the extra costs associated with restoring normal operations.

6.3.1.7. BUSINESS CONTINUITY PLANNING CONTROLS

BCP mainly deals with
➢ carrying on the critical business operations in the event of a disaster so as to
➢ ensure minimum impact on the business.
The BCP controls are related to having an operational and tested IT continuity plan, which is in line with the overall business continuity plan and its related business requirements.

6.3.1.8. OPERATIONS MANAGEMENT CONTROLS

It is responsible for daily functioning of H/w & S/w in an efficient manner. It involves controls w.r.t.:
1. Computer Operations - Ensures proper functioning of H/W & S/W on day-to-day basis.
2. Network Operations - Ensures proper functioning of network devices, communication channels etc.
3. Data Preparation & Entry - Keyboard environment & facilities should be designed to promote speed & efficiency.
4. File Library - Management of Org. data stored in machine-readable storage media like CD/DVD, pen-drive & Hard disk.
5. Help Desk - Assists end-users in deploying & using H/W & S/W & resolving issues.
6. Documentation & Programme Library - Ensures documentation of
• Security Policy
• BCP/DRP
• System development related documents
7. Management of outsourced operations - Responsible for carrying out day to day monitoring of outsourced contracts.

6.3.2. APPLICATION CONTROLS

Objective → to ensure that data remains complete, accurate and valid during its input, update & storage.
Types: Boundary Controls, Input Controls, Processing Controls, Output Controls, Communication Controls & Database Controls.

6.3.2.1. BOUNDARY CONTROLS

Refers to access control mechanisms that link the authentic users to the authorized resources. Involves Identification & Authentication of users by S/w & Authorization i.e., privilege management.

a) Cryptography / Encryption - Conversion of clear text into a cipher text for storage and transmission over networks by sender. Receiver decrypts this cipher text using the authorised key. Strength of cryptography depends on time & cost to decipher the cipher text by a cryptanalyst. Three techniques of cryptography are
i) Transposition - Permute the order of characters within a set of data,
ii) Substitution - Replace text with key-text.
iii) Product Cipher - Combination of transposition and substitution.
b) Password - Helps in identification of users through confirmation of user id allotted to them.
c) PIN - Similar to password but is independent of any user id. Assigned to user by Org. Helps in user identification.
d) ID Card - Used to store info for authentication purpose.
e) Biometric Device - Includes use of thumb, retina etc. as biometric control technique.
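The three cryptographic techniques named above, as an added illustration that is not part of these notes: a keyed substitution, a columnar transposition, and their product (substitution followed by transposition). The key alphabet, the column count and the sample plaintext are constructed for the demonstration. The last function shows why a substitution cipher on its own is cheap to break, which is the "time & cost to decipher" point the notes make about cipher strength: it leaves the letter-frequency shape of the plaintext untouched.

```python
# Added illustration (not from the notes) of transposition, substitution and
# product ciphers. Toy classical ciphers for teaching the concepts only.
from collections import Counter

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
SUBST_KEY = "QWERTYUIOPASDFGHJKLZXCVBNM"   # constructed 26-letter key alphabet


def substitute(text, key=SUBST_KEY):
    """Substitution: each plaintext letter is replaced by the key letter at the same position."""
    return text.upper().translate(str.maketrans(ALPHABET, key))


def unsubstitute(cipher, key=SUBST_KEY):
    """Inverse substitution using the same key alphabet."""
    return cipher.translate(str.maketrans(key, ALPHABET))


def transpose(text, cols=4, pad="X"):
    """Columnar transposition: write the text in rows of `cols` letters, read it out column by column."""
    text = text.upper()
    text += pad * (-len(text) % cols)          # pad the last row so every column is full
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in range(cols) for row in rows)


def untranspose(cipher, cols=4):
    """Inverse columnar transposition (padding characters are left in place)."""
    n_rows = len(cipher) // cols
    columns = [cipher[i:i + n_rows] for i in range(0, len(cipher), n_rows)]
    return "".join(columns[c][r] for r in range(n_rows) for c in range(cols))


def product_encrypt(text, cols=4):
    """Product cipher: substitution first, then transposition of the result."""
    return transpose(substitute(text), cols)


def product_decrypt(cipher, cols=4):
    """Undo the product cipher in reverse order: untranspose, then unsubstitute."""
    return unsubstitute(untranspose(cipher, cols))


def frequency_profile(text):
    """Letter counts sorted high to low, ignoring which letter carries which count."""
    return sorted(Counter(text).values(), reverse=True)


def substitution_leaks_frequencies(text):
    """True when substitution alone preserves the plaintext's frequency shape.
    That shape is what lets a cryptanalyst recover the key cheaply, so the
    cipher's strength (time & cost to break it) is low."""
    return frequency_profile(text.upper()) == frequency_profile(substitute(text))
```

Running `product_decrypt(product_encrypt("ATTACKATDAWN"))` returns the plaintext; the padding `X` survives decryption when the text length is not a multiple of the column count, which a real implementation would strip or encode explicitly.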

6.3.2.2. INPUT CONTROLS

Applied to ensure that data input in system is correct & complete.

1. Source Data Controls - Required where physical source doc. is used to initiate transaction. E.g. Invoices. Controls:
▪ Use pre-numbered source document (Serial no.)
▪ Should be sequential
▪ Periodic Audit.
2. Data Coding Controls - These controls are aimed at reducing the error during data feeding.
a) Transcription Error - Error in entry made by human or OCR. Types:
▪ Addition Error - Extra digit added.
▪ Truncation Error - Digit is removed.
▪ Substitution Error - Replacement of a digit with another.
b) Transposition Error - Change in position of two digits while entry is made. Types:
▪ Single - Two adjacent digits are reversed.
▪ Multiple - Non-adjacent digits are changed.
3. Batch Controls - Process of grouping together transactions that have relationship with each other.
a) Financial Total - Grand total is calculated for each field containing monetary amount.
b) Hash Total - Grand total is calculated for any code on a record in the batch. E.g. Source Doc Serial No.
c) Doc. Total - Grand total of No. of docs / records in the batch.
4. Validation Controls - Intended to detect errors in transaction before data is processed.
a) Field Interrogation - Examines characters of data in the field. Includes
▪ Reasonableness check - i.e., whether value in field is reasonable or not.
▪ Limit check - against pre-defined limit.
▪ Valid sign - to determine which sign is valid in field. E.g. weight.
▪ Picture check - against invalid characters. E.g. weight can't be in cm.
b) Record Interrogation - Includes
▪ Sequence check - To follow a required order matching with a logical sequence.
c) File Interrogation - Includes
▪ Version usage - Always use latest version.
▪ Data file security - for access to authorized users only.
▪ File updation & maintenance done by auth. users only.
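The batch controls and validation controls above, applied together to one keyed-in batch, as an added example (not from these notes). The three invoice records, the control slip prepared by the originating department, the account-number picture, the amount limit and the unit-price reasonableness threshold are all constructed for the example. The `demo_transposition` function shows the hash total catching a single transposition error in a source-document serial number, the kind of data coding error listed above.

```python
# Added example (not from the notes): batch controls + field/record interrogation
# over a constructed batch of invoice records keyed from pre-numbered source docs.
import re

BATCH = [   # constructed sample batch
    {"doc_no": 1001, "account": "A-0421", "qty": 5, "amount": 1250.00},
    {"doc_no": 1002, "account": "A-0422", "qty": 2, "amount": 480.00},
    {"doc_no": 1003, "account": "A-0423", "qty": 1, "amount": 9999.00},
]
# Control slip totals computed by the originating department before keying (constructed)
CONTROL_SLIP = {"doc_count": 3, "financial_total": 11729.00, "hash_total": 3006}

AMOUNT_LIMIT = 10000.00                            # assumed per-invoice limit (limit check)
UNIT_PRICE_CEILING = 5000.00                       # assumed threshold for the reasonableness check
ACCOUNT_PICTURE = re.compile(r"^[A-Z]-\d{4}$")      # assumed account-code format (picture check)


def batch_totals(batch):
    """Batch controls: document count, financial total of the money field,
    and a hash total of a non-monetary code (the source document serial no.)."""
    return {
        "doc_count": len(batch),
        "financial_total": round(sum(r["amount"] for r in batch), 2),
        "hash_total": sum(r["doc_no"] for r in batch),
    }


def check_batch(batch, control_slip):
    """Compare the keyed batch with the control slip; return the names of totals that disagree."""
    actual = batch_totals(batch)
    return sorted(k for k in control_slip if actual[k] != control_slip[k])


def field_interrogation(rec):
    """Field interrogation: picture, valid sign, limit and reasonableness checks on one record."""
    errors = []
    if not ACCOUNT_PICTURE.match(rec["account"]):
        errors.append("picture")                   # invalid characters in the account field
    if rec["qty"] <= 0:
        errors.append("sign")                      # quantity must carry a positive sign
    if rec["amount"] > AMOUNT_LIMIT:
        errors.append("limit")                     # value beyond the pre-defined limit
    if rec["qty"] > 0 and rec["amount"] / rec["qty"] > UNIT_PRICE_CEILING:
        errors.append("reasonableness")            # implied unit price is implausible
    return errors


def record_interrogation(batch):
    """Record interrogation: sequence check, pre-numbered documents must arrive in ascending order."""
    return [("sequence", cur["doc_no"])
            for prev, cur in zip(batch, batch[1:]) if cur["doc_no"] <= prev["doc_no"]]


def validate_batch(batch, control_slip):
    """Run every input control and collect the findings before the batch is processed."""
    findings = {"batch": check_batch(batch, control_slip),
                "records": {},
                "sequence": record_interrogation(batch)}
    for rec in batch:
        errs = field_interrogation(rec)
        if errs:
            findings["records"][rec["doc_no"]] = errs
    return findings


def demo_transposition():
    """A single transposition error (1003 keyed as 1030) changes the hash total, so it is caught."""
    keyed = [dict(r) for r in BATCH]
    keyed[2]["doc_no"] = 1030
    return check_batch(keyed, CONTROL_SLIP)
```

On the constructed batch the totals agree with the control slip, but the third record fails the reasonableness check (an implied unit price of 9999), which is exactly the kind of error a limit check alone would let through.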

6.3.2.3. PROCESSING CONTROLS

Responsible for computing, classifying & summarizing Data.

1. Processor Controls - To reduce errors & irregularities in processing.
a) Error detection & correction - Processor may malfunction due to design defect, damage etc. Failure can be transient (temporary), intermittent (periodic) or permanent. In case of transient or intermittent errors restart the device, but in case of permanent errors, halt the processor & report.
b) Timing Control - CPU should run a program for specified time only. Once time is completed, another program should run, else there will be an infinite loop & it will consume the CPU.
c) Component Replication - In some cases, processor failure can result in heavy losses. Hence a redundant processor should be kept.
2. Real Memory Controls - Seeks to detect & correct errors of real memory / RAM & prevent unauthorized access.
3. Virtual Memory Controls - Used when RAM is insufficient to execute a program. This control is required to map virtual memory address with real memory address.
4. Data Processing Controls - Applied to identify errors during data processing. Required to ensure both the completeness and the accuracy of data being processed. Generally enforced through DBMS.

6.3.2.4. OUTPUT CONTROLS

Applied to ensure that output is presented, formatted & distributed to users in a secured & consistent manner.

1. Controls over Printing - Output should be printed on correct printer. User should be trained to select correct printer.
2. Spooling / Queueing - Simultaneous Peripheral Operations Online. If more than 1 user gives print command, printer should print in sequential order & save other print commands for printing after current job is printed. Ensures that user can continue working while print operation is getting completed.
3. Report distribution & Collection - Time gap b/w generation & distribution of report should be reduced. A log should be maintained for reports that were generated and to whom these were distributed.
4. Storage & Retention Control - Considers the duration for which output is to be retained before being destroyed. Date should be determined for each output.
5. Logging of Sensitive, critical Forms - Pre-printed stationery like Co. letter head, blank cheques etc. should be stored securely to prevent unauthorized destruction or removal and usage.

6.3.2.5. DATABASE CONTROLS

Applied to ensure that integrity of database is maintained while updating the database. Two types:

Update Controls
a) Sequence check b/w transaction & master file - Synchronous & correct sequencing b/w master file & transaction file is critical to maintain integrity of updating, addition or deletion of master file.
b) Ensure all records on transaction file are processed - Transaction file records are mapped with respective master file.
c) Maintain a suspense A/c - Where master record & transaction record are mismatched due to failure in corresponding record entry in master file, such mismatches are maintained in suspense file.
d) Process multiple transactions for a single master file in correct order.

Report Controls
a) Print suspense A/c entry - so that corrective action can be taken on time.
b) Print Run-to-Run Control Totals - Helps in identifying errors or irregularities like record dropped erroneously from a transaction file, wrong sequence of updating or the application software processing errors.
c) Existence / Recovery control - Backup & recovery strategies together are required to restore any failure in DB.
d) Standing data - Application programs use many internal data to perform functions like bill calculation based on rate list or interest rate calculation etc. Maintaining integrity of price rate or Int. rate is critical.
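The update controls and run-to-run control totals described above, as an added example (not from these notes) of a batch master-file update: a sequence check guards the run, unmatched transactions go to a suspense file instead of being silently dropped, and the run-to-run totals printed at the end let the next run (or the auditor) prove that every transaction read was either posted or suspended. The master file, transaction file and account numbers are constructed for the example.

```python
# Added example (not from the notes): sequential master-file update with
# sequence check, suspense file and run-to-run control totals.

MASTER = [   # constructed master file, in account-number sequence
    {"account": "A-0421", "balance": 1000.00},
    {"account": "A-0422", "balance": 250.00},
    {"account": "A-0423", "balance": 0.00},
]
TRANSACTIONS = [   # constructed transaction file, in account-number sequence
    {"account": "A-0421", "amount": -200.00},
    {"account": "A-0422", "amount": 480.00},
    {"account": "A-0423", "amount": 9999.00},
    {"account": "A-0499", "amount": 75.00},    # no master record: must land in suspense
]


def sequence_check(records, key):
    """Update control (a): both files must be in the same key sequence before the run starts."""
    return all(a[key] <= b[key] for a, b in zip(records, records[1:]))


def update_master(master, transactions):
    """Post transactions to the master file; return (new_master, suspense_file, run_to_run_totals)."""
    if not (sequence_check(master, "account") and sequence_check(transactions, "account")):
        raise ValueError("files are not in account-number sequence; abort the run")
    new_master = [dict(r) for r in master]
    by_account = {r["account"]: r for r in new_master}
    suspense, posted = [], 0
    for txn in transactions:                      # update control (b): every record is processed
        rec = by_account.get(txn["account"])
        if rec is None:                           # update control (c): mismatch -> suspense file
            suspense.append(txn)
            continue
        rec["balance"] = round(rec["balance"] + txn["amount"], 2)
        posted += 1
    run_to_run = {                                # report control (b): run-to-run control totals
        "opening_balance_total": round(sum(r["balance"] for r in master), 2),
        "transactions_total": round(sum(t["amount"] for t in transactions), 2),
        "suspense_total": round(sum(t["amount"] for t in suspense), 2),
        "closing_balance_total": round(sum(r["balance"] for r in new_master), 2),
        "transactions_read": len(transactions),
        "transactions_posted": posted,
        "transactions_suspended": len(suspense),
    }
    return new_master, suspense, run_to_run


def run_to_run_reconciles(totals):
    """Opening + transactions - suspense must equal closing; read must equal posted + suspended."""
    expected_closing = round(totals["opening_balance_total"] + totals["transactions_total"]
                             - totals["suspense_total"], 2)
    return (expected_closing == totals["closing_balance_total"]
            and totals["transactions_read"]
            == totals["transactions_posted"] + totals["transactions_suspended"])


def run_to_run_check(count_from_previous_run, totals):
    """The record count carried forward from the input/validation run must match this run's
    count; a mismatch means a record was dropped between the two runs."""
    return count_from_previous_run == totals["transactions_read"] and run_to_run_reconciles(totals)


def print_control_report(suspense, totals):
    """Report controls (a) and (b): print the suspense entries and the run-to-run totals."""
    for txn in suspense:
        print(f"SUSPENSE {txn['account']} {txn['amount']:.2f}")
    for name, value in totals.items():
        print(f"{name:24s} {value}")
```

If the validation run counted four transactions but this run reads only three, `run_to_run_check(4, totals)` returns False even though the arithmetic of the shortened run reconciles internally, which is why the count is carried forward from run to run rather than recomputed.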

6.3.2.6. COMMUNICATION CONTROLS

Applied to ensure that the data transmitted over network is accurate, complete & authentic.
a) Physical Component Controls - Mitigates possible effects of exposures to physical components of System.
b) Line Error Controls - While transmission of data through transmission line, there can be data loss due to noise / distortion called line error. These errors must be detected & corrected.
c) Flow Control - Applied when there is a difference in speed at which two nodes in a network can send, receive or process data, resulting in loss of data.
d) Channel Access Control - Two different nodes in a network can compete to use a communication channel. Where possibility of contention of channel exists, some type of channel access control should be used.

7. INFORMATION SYSTEM'S AUDITING - BY IS AUDITOR

Process of attesting / assuring / confirming objectives of
a) External Auditor that focuses on Safeguarding of Assets & Integrity of Data; and
b) Internal Auditor that focuses on Effectiveness & Efficiency.
Objectives of I.S. Audit
a) Asset Safeguarding - I.S. Assets i.e., H/w, S/w, data, info etc. must be protected by using internal control from unauthorised access.
b) Data Integrity - It is a fundamental attribute (quality) of auditing. It should be maintained at all times & data should not be accessible to unauthorized users.
c) System Effectiveness - Involves evaluating whether I.S. meets the requirements of business & users in decision making or not.
d) System Efficiency - To optimize use of various I.S. resources & to complete tasks with minimum consumption of resources.

7.1. REASONS / NEED FOR I.S. AUDIT


Factors which influence Organisation / Mgt. w.r.t. implementation of Controls & Audit of Computers are:
1. Value of computer H/w, S/w & Personnel - These I.S. resources are valuable & important & must be safeguarded.
2. Maintenance of Privacy - An organization collects a lot of data which are private regarding individuals. Any leakage of private personal data is against interest of company & must be protected.
3. Controlled evolution of computer use - Use of technology & reliability of computer system can't be guaranteed. Hence it must be audited.
4. Cost of Data Loss - Data is a very critical resource of an organization. Data loss can cause severe damage to Organization & hence it must be protected.
5. Cost of Incorrect Decision - Management takes decisions based on information produced by I.S. In case of incorrect info, management can take incorrect decision which affects the Organization adversely.
6. Cost of Computer Abuse - Unauthorized access to computer system may cause huge damage. It may also result in introduction of virus, malware, hacking, theft of data etc.
7. Cost of Computer Error - Error may occur while performing a task which may incur huge cost for Orgn.

7.2. I.S. CONTINUOUS AUDIT

Real time production of information → Real time recording → Real time Auditing → Continuous Assurance about Quality of data.
Thus, Continuous Audit reduces time gap between occurrence of Client's event & Auditor's assurance service thereon.
Two bases for collecting audit evidence are:
a) Embedded module (Audit S/w) in system to collect, process & print Audit Evidence.
b) Special Audit records used to store Audit evidence collected.
Types of Continuous Audit Tools
1. Snapshots - Helps in tracing a transaction as it flows in App system. Built into the system at points where material processing takes place. Takes image of flow of transactions as they move through the App. These images are utilized to assess Authenticity, completeness & accuracy of process being carried out by system. Important points to consider:
a) Locate the snapshot point based on materiality.
b) Determine when snapshot will be captured.
c) Reporting system is designed & implemented to present data in meaningful manner.
2. Integrated Test Facility (ITF) - ITF involves creation of dummy entity / test data in App system. This test data is incorporated in App system to provide normal data used as input in App system as a means to verify processing
• Authenticity
• Completeness &
• Accuracy.
Auditor must decide
a) Method to be used to enter test data in System.
b) Method for removing effect of ITF transaction.
3. System Control Audit Review File (SCARF) - SCARF involves embedding audit S/w module within an App system to provide continuous monitoring of system's transactions. Info collected is written on SCARF master file. Similar to snapshot technique with data collection capabilities.
4. Continuous & Intermittent Simulation (CIS) - Variation of SCARF. Used as trap whenever App system uses DBMS. Procedure:
▪ DBMS passes all transactions to CIS which determines whether it wants to examine it further.
▪ CIS simulates the App system process.
▪ Result of selected transactions processed by CIS is compared with result produced by App s/w to determine whether both are same or not.
▪ In case of any diff., exceptions are identified by CIS & written to exception file.
Advantage: No modification in App system but provides online audit capability.
5. Audit Hook - Audit exception routines that flag / highlight suspicious transactions as soon as they occur on a real time basis. Thus, auditors can be informed of questionable transactions as soon as they occur. This approach of real-time notification displays a message on auditor's terminal.
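Three of the tools above embedded in one small posting routine, as an added example that is not part of these notes: snapshot points that capture the transaction image at input and the before/after image of the master record at update, a SCARF-style module that writes transactions meeting audit criteria to a collection file, and an audit hook that raises an immediate notification for the most time-sensitive criterion. The transactions, the amount threshold and the business-hours window are constructed assumptions; a real deployment would take the criteria from the auditor's materiality decisions, as the notes say for snapshot points.

```python
# Added example (not from the notes): snapshot points, an embedded SCARF-style
# audit module and an audit hook inside an application's posting routine.
from dataclasses import dataclass, field
from datetime import datetime

SCARF_AMOUNT_THRESHOLD = 5000.00     # assumed materiality threshold for SCARF collection
BUSINESS_HOURS = range(9, 18)        # assumed normal entry window (09:00-17:59)


@dataclass
class AuditEvidence:
    snapshots: list = field(default_factory=list)     # images taken at snapshot points
    scarf_file: list = field(default_factory=list)    # SCARF collection file records
    hook_alerts: list = field(default_factory=list)   # real-time audit hook notifications


def scarf_criteria(txn):
    """Embedded audit module: reasons (if any) why this transaction is of audit interest."""
    reasons = []
    if abs(txn["amount"]) >= SCARF_AMOUNT_THRESHOLD:
        reasons.append("amount over threshold")
    if txn["entered_at"].hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    return reasons


def post_transaction(balances, txn, evidence):
    """Application posting routine with the audit tools embedded at material points."""
    # Snapshot point 1: image of the transaction exactly as the application received it.
    evidence.snapshots.append({"point": "input", "txn_id": txn["id"], "image": dict(txn)})

    before = balances.get(txn["account"], 0.0)
    balances[txn["account"]] = round(before + txn["amount"], 2)

    # Snapshot point 2: before/after image of the master record that was updated.
    evidence.snapshots.append({"point": "update", "txn_id": txn["id"],
                               "account": txn["account"],
                               "before": before, "after": balances[txn["account"]]})

    # SCARF: write transactions that meet the criteria to the collection file.
    reasons = scarf_criteria(txn)
    if reasons:
        evidence.scarf_file.append({"txn_id": txn["id"], "user": txn["user"], "reasons": reasons})
        # Audit hook: out-of-hours entry is flagged to the auditor immediately, not at run end.
        if "outside business hours" in reasons:
            evidence.hook_alerts.append(
                f"ALERT txn {txn['id']}: entered by {txn['user']} at {txn['entered_at']:%H:%M}")
    return balances


def run_day(transactions):
    """Post a day's transactions; return the balances and the evidence the auditor can review."""
    balances, evidence = {}, AuditEvidence()
    for txn in transactions:
        post_transaction(balances, txn, evidence)
    return balances, evidence


SAMPLE_TRANSACTIONS = [   # constructed sample day
    {"id": 1, "account": "A-0421", "amount": 1250.00, "user": "clerk1",
     "entered_at": datetime(2024, 3, 4, 10, 15)},
    {"id": 2, "account": "A-0422", "amount": 7200.00, "user": "clerk2",
     "entered_at": datetime(2024, 3, 4, 11, 2)},
    {"id": 3, "account": "A-0421", "amount": -300.00, "user": "clerk1",
     "entered_at": datetime(2024, 3, 4, 23, 40)},
]
```

The difference between the SCARF file and the hook is timing, not content: both criteria end up in the collection file for the auditor's periodic review, but only the out-of-hours entry interrupts the auditor in real time.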

Advantages of Continuous Audit Techniques
1. Timely, Comprehensive & Detailed Auditing - Evidence is available in a timelier & more comprehensive manner. Entire processing can be evaluated & analyzed rather than examining inputs and outputs only.
2. Surprise test capability - As evidence is collected from the system itself by using continuous audit techniques, auditors can gather evidence without knowledge of systems staff and application system users. This brings in the surprise test advantages.
3. Information to system staff on meeting of objectives - Continuous audit techniques provide information to systems staff regarding the test vehicle to be used in evaluating whether an application system meets the objectives of asset safeguarding, data integrity, effectiveness, and efficiency.
4. Training for new users - Using the Integrated Test Facility (ITF), new users can submit data to the application system and obtain feedback on any mistakes they make via the system's error reports.

8. AUDIT TRAIL

▪ Refers to logs that record activities at system, App & user level.
▪ Provides detective control to help achieve security objectives.
▪ Ensures that a chronological record of all events that have occurred in the system is maintained.
▪ Example: App logs contain details w.r.t. who initiated a transaction, who authorized it, date, time etc.
Need for Audit Trail: To Answer Queries; Fulfill Statutory Requirements; Detect Errors; Monitoring Systems.
Accounting AT - Shows source & nature of data & processes that update database.
Operations AT - Record of attempted or actual resource consumption in a system.

8.1. OBJECTIVES OF AUDIT TRAIL

a) Detecting Unauthorised Access - In real time or after the event. Helps protect the system from outsiders who are attempting to breach controls.
b) Reconstructing Events - Used to reconstruct the steps that led to events such as system failures, security violations by individuals, or App processing errors. Such knowledge can be used to assign responsibility and to avoid similar situations in the future.
c) Personal Accountability - Audit trail is used to monitor user activity at lowest level of detail. Preventive capability i.e. acts as deterrent for potential violators if they know that their actions are recorded in an audit log.

8.2. IMPLEMENTATION OF AUDIT TRAIL / GENERATING AUDIT TRAILS

Info. in Audit Trail is useful for
➢ Accountants in measuring damage or loss due to App errors, abuse of authority etc.
➢ Assessing whether controls in place are adequate or not & the need for additional controls.
Audit logs, however, can generate data in overwhelming detail. Important information can easily get lost among the superfluous detail of daily operation. Thus, poorly designed logs can be useless.

8.3. AUDIT OF VARIOUS CONTROLS

Role of I.S. Auditor
a) To determine whether objectives of controls are met or not.
b) Assess effectiveness of controls.
Audit of Controls
a) Conduct Risk assessment. Higher the risk, more is the control.
b) Conduct review of controls i.e. whether controls are implemented or not & whether working effectively or not.
c) Whether controls are monitored by qualified personnel or not.

9. SEGREGATION OF DUTIES

▪ It advocates that Privilege / Access Rights should be given on "Need to Do" & "Need to Know" basis.
▪ Ensures that a single individual does not possess excess privilege that could result in unauthorized activity like fraud or manipulation of data security.
▪ For example, the person approving the purchase orders should not be allowed to make payment and pass entries in the books at the same time.
▪ Both preventive & detective controls should be in place to manage SoD.
Examples of SoD Controls
a) Transaction Authorization - I.S. requires 2 or more persons to approve certain transactions.
b) Split custody of high value assets - Password to an encryption key that protects sensitive data can be split in two halves, one half assigned to two persons, and the other half assigned to two persons, so that no single individual knows the entire password. Two keys for sensitive locker.
c) Periodic review of user rights - Internal audit personnel can periodically review user access rights to identify whether any segregation of duties issues exist.
d) Work Flow - Applications that are workflow-enabled can use a second (or third) level of approval before certain high-value or high-sensitivity activities can take place. E.g. workflow application that is used to set up user accounts can include extra management approval steps in requests for administrative privileges.

When SoD issues (conflicts b/w access rights of individuals) are encountered, Management needs to mitigate the matter. How?
a) Reduce access privilege of individual user so that conflict no longer exists.
b) Introduce new mitigating control - If management determines that the person needs to retain privileges which are viewed as conflicting, new preventive & detective controls need to be implemented like increased logging of records, reconciliation of data sets etc.
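The SoD controls and the two mitigation options above, as an added example that is not part of these notes, using the purchase-order case the notes give: a periodic review of user rights that reports conflicting duty combinations, a workflow that refuses to let the approver of an order also pay it, the mitigating-control path (conflict retained but every exercise of it logged), and the split-custody idea applied to a password. The duty names, the conflict pairs, the user-to-duty assignments and the password are constructed for the example.

```python
# Added example (not from the notes): preventive and detective SoD controls
# for the purchase-order / payment case, plus split custody of a password.

# Duty pairs that one person must not hold together (constructed from the notes' example).
CONFLICTING_DUTIES = {
    frozenset({"approve_po", "make_payment"}),
    frozenset({"approve_po", "post_entry"}),
    frozenset({"make_payment", "post_entry"}),
}


def find_sod_conflicts(user_duties):
    """Periodic review of user rights: {user: [conflicting duty pairs]} for users who hold any."""
    conflicts = {}
    for user, duties in user_duties.items():
        pairs = [tuple(sorted(p)) for p in CONFLICTING_DUTIES if p <= set(duties)]
        if pairs:
            conflicts[user] = sorted(pairs)
    return conflicts


class PurchaseWorkflow:
    """Workflow-enabled application: the approver of an order may not also pay it,
    unless management has retained the conflict under a mitigating control (extra logging)."""

    def __init__(self, user_duties, mitigated_users=()):
        self.user_duties = user_duties
        self.mitigated = set(mitigated_users)   # users allowed to retain a conflict under extra logging
        self.orders = {}
        self.audit_log = []                     # chronological audit trail: who did what to which PO

    def _log(self, event, user, po):
        self.audit_log.append({"event": event, "user": user, "po": po})

    def _require(self, user, duty):
        if duty not in self.user_duties.get(user, ()):
            raise PermissionError(f"{user} does not hold duty {duty}")

    def approve(self, user, po, amount):
        self._require(user, "approve_po")
        self.orders[po] = {"amount": amount, "approved_by": user, "paid_by": None}
        self._log("approve", user, po)

    def pay(self, user, po):
        self._require(user, "make_payment")
        order = self.orders[po]
        if order["approved_by"] == user:
            if user not in self.mitigated:          # preventive control: reject same-person payment
                self._log("rejected_same_person", user, po)
                raise PermissionError("the approver of an order may not also make its payment")
            self._log("conflict_exercised", user, po)   # detective control: extra logging of the conflict
        order["paid_by"] = user
        self._log("pay", user, po)
        return order


def split_password(password):
    """Split custody: the password is divided into two halves, each half to be held by a
    different pair of custodians, so no single person knows the whole of it."""
    mid = len(password) // 2
    return password[:mid], password[mid:]


def reconstruct_password(first_half, second_half):
    """Both halves, i.e. custodians from both pairs, are needed to use the key."""
    return first_half + second_half
```

The review function is the detective side and the workflow the preventive side; when the review reports a conflict, management either removes a duty from the user (the conflict disappears from `find_sod_conflicts`) or lists the user in `mitigated_users`, after which every exercise of the conflict is a `conflict_exercised` entry in the audit trail that reconciliations can pick up.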

For EIS-SM, use Code CAKISHAN on Unacademy App for
a) Free Lectures &
b) Maximum Discount on Plus & Iconic courses
For Taxation, visit KKC website or download our KKC App.

E-Commerce, M- Commerce & Emerging Tech.

CHAPTER 4

E-COMMERCE, M-COMMERCE & EMERGING TECHNOLOGY

1. E-COMMERCE

▪ Refers to doing Business (Buying, Selling & Other related functions like inventory mgt.) electronically.
▪ Means use of Technology (Internet, computer, Mobile, Apps, website etc.) to enhance processing of
commercial transactions between company, customer & business partners like seller.
▪ Involves automation of variety of transactions such as B2B, B2C, C2C, C2B etc. through Reliable &
Secure Technology.

2. DIFFERENCE BETWEEN TRADITIONAL COMMERCE & E-COMMERCE

Basis: Traditional Commerce vs E-Commerce
a) Transaction Processing - Manual vs Electronic.
b) Customer Interaction - Face to face vs Screen to face.
c) Business scope - Limited to particular area vs Worldwide reach.
d) Availability for business - Limited time vs 24x7x365.
e) Information Exchange - No uniform platform vs Provides uniform platform.
f) Fraud - Relatively less due to personal interaction b/w buyer and seller vs More risk due to lack of physical presence & unclear legal issues.

3. BENEFITS OF E-COMMERCE

Individual User
a) Time Saving - Some products such as e-books, recharge of mobile can be delivered online through internet.
b) Various Options - by diff. sellers which are easy to compare.
c) Convenience - w.r.t. Searching, Placing Order & Payment.
d) Anytime Access - [24x7x365]
e) Easy to Find Reviews - Users can give feedback & ratings which helps buyers to make better decisions.
f) Coupons and Deals

Seller
a) Reduction of Cost - of overhead (salary), rent, marketing and advertisements [E-mail / Digital marketing] etc.
b) Recurring Payments made easy.
c) Instant Transactions - which are processed in real time, so no. of sales made increases.
d) Increased Customer Base - since no. of people getting online is increasing.
e) Easier Entry into New Market - as reach of e-commerce is worldwide.
f) Efficiency Improvement - Reduction in
➢ Time required to complete transactions;
➢ Errors in billing, invoicing & data entry;
➢ Inventory holding cost due to JIT.

Government
a) Instrument to fight corruption - as all transactions are recorded, no tax evasion.
b) Reduction in use of ecologically damaging material.

4. DISADVANTAGES OF E-COMMERCE

a) Internet Connection - Internet connectivity is a pre-requisite to perform online transactions. It may not be available in rural or remote areas.
b) High start-up costs - Various components of costs involved with e-commerce are due to the following:
▪ Connection: Connection costs to Internet.
▪ Hardware/software: Includes cost of sophisticated computers, routers etc.
▪ Set up: Includes employee work hours involved in setting up systems.
▪ Maintenance: Includes costs involved in training of employees & maintenance of web-pages.
c) Legal issues - The legal environment in which e-commerce is conducted is full of unclear & conflicting laws.
d) Security Concerns - There is risk to security and reliability of network and internet as well as fear for safety and security of personal information due to the increased spyware and malware.
e) Cultural impediments - Some customers are still somewhat fearful of sending their credit card numbers over the Internet. Also, many customers are simply resistant to change.
f) Some businesses may never lend themselves to e-commerce - Items such as perishable foods and high-cost items such as jewellery and antiques may be impossible to adequately inspect from a remote location.

5. E-COMMERCE BUSINESS MODELS & E-COMMERCE MARKETS

▪ B.M. (Business Model) means organization of product, service & information flows for benefit of suppliers & customers.
▪ A business model enables a firm to
➢ analyze its environment more effectively and
➢ exploit the potential of its markets;
➢ better understand its customers; and
➢ raise entry barriers for rivals.
▪ An e-business model is the adaptation of an organization's business model to the internet economy.
▪ E-business models utilize the benefits of electronic communications to achieve the value additions.
▪ Some of the e-market models are explained below:

1. E-shop - It is an online version of retail stores that sells products & services online. It is a convenient way of effecting direct sale to customers. No intermediaries are involved, hence cost & time delay is reduced. Eg - www.vanheusenindia.com
2. E-malls - It is e-retailing model of a shopping mall. It is a conglomeration of different e-shops situated in an e-commerce location. Eg - www.emallofAmerica.com
3. E-Auction - It provides channel of communication (auction websites) through which bidding process for products & services can take place between competing buyers. Eg - www.bidderboy.com
4. Portals - It is a website that serves as a gateway on the internet to a specific field of interest or an industry. It is a channel through which websites are offered as content. Firms control the content or portal and earn revenue by charging customers for subscription or advertising. Website + login + motive is to earn money. Eg - www.mca.gov.in, Netflix, Tax sutra, Taxmann.com
5. Buyer Aggregator - They bring together large no. of buyers so that they can enjoy savings which are generally enjoyed by large volume buyers. Firms collect info about Goods/Services, make service providers their partners & sell under its own brand. Eg - www.zomato.com, Ola, Uber
6. Virtual Community - Community of customers who share common interest & use internet to communicate with each other. It helps participants as they get greater benefits like solving queries, sharing ideas etc., without additional cost. E.g. - Microsoft community
7. E-marketing - Process of marketing a product or service using the Internet. E.g. - Mail marketing, digital marketing. It changes relationship b/w buyer & seller as market information is available to all parties in the transaction.
8. E-Procurement - Refers to Management of all procurement activities through electronic means. E-procurement infomediaries provide up-to-date & real time information w.r.t. supply of material to business partners. Leads to efficiency in accessing info & saving of time & cost. E.g. www.e-procure.gov.in
9. E-distribution - An e-distributor is a Co. that supplies products & services directly to individual businesses. E-distribution helps in achieving efficiency by managing large volume of customers, automating orders, communicating with partners and providing value added services like order tracking. An example of a firm specializing in e-distribution is www.wipro.com that uses internet to provide fully integrated e-business enabled solutions that help to unify the information flows across all the major distribution processes.

The e-business models relating to e-business markets can be summarized as given below:

Business to Consumer [B2C]
▪ Refers to online retailers who sell products & services through the internet.
▪ Supports activities within the consumer chain. Focuses on sell-side activities.
▪ Types
  a) Direct sellers - E.g. vanheusenindia.com
  b) Online Intermediary - E.g. Amazon.com
  c) Community built around a shared interest like cooking, photography etc. - E.g. www.cookingmatters.com

Business to Business [B2B]
▪ Refers to commerce b/w a company, its suppliers or other participants.
▪ Supports the supply chain of the Org. E.g. www.Indiamart.com

Consumer to Consumer [C2C]
▪ Consumers sell directly to other consumers through online classified Ads, auctions or personal selling.
▪ Revenue stream comes from matching buyers with sellers & vice-versa. E.g. OLX.in

Consumer to Business [C2B]
▪ Consumers set prices & businesses bid to offer the product or service.
▪ E.g. Comparison of interest rates of loans offered by various banks, like Paisa Bazar.

Government to Consumer [G2C]
▪ Allows consumers to provide feedback & ask for info. like land search, license confirmation, vehicle ownership etc. from Govt. authorities.
▪ Government provides the information asked for. E.g. e-Seva (Andhra Pradesh)

Business to Government [B2G]
▪ Variant of the B2B model. Govt. accredits selected websites, which act as a medium of exchanging information.
▪ Businesses use these websites to
  ➢ File Reports
  ➢ Pay taxes
  ➢ Sell Goods & services to Govt.

6. COMPONENTS OF E-COMMERCE

1. User
▪ Any individual / organization or anybody using e-commerce platforms.
▪ E-comm vendors need to ensure that the user's loyalty is built & also that their products are not delivered to the wrong person.

2. E-Commerce Vendors
▪ Refers to the Org/Entity providing the G/s the user asked for. E.g. Flipkart.
▪ They need to ensure the following for effective & efficient transactions:
  a) E-commerce catalogues and product display - all info should be displayed properly.
  b) Suppliers & SCM - should have enough of the right suppliers who are financially & operationally stable. Should provide real-time stock inventory & short delivery time.
  c) W/H operations - where goods are stored & packed as per a pre-determined standard.
  d) Shipping & Returns - supplementary & complementary to w/h operation. Fast return is the USP of vendors.
  e) Showroom and offline purchase - many vendors have opened outlets for customer experience of their products.
  f) Marketing & loyalty program - to establish a long-term relationship with the customer.
  g) Privacy policy - explains usage of the customer's data as per the IT Act 2000.
  h) Security policy - so that data in transit is protected through tech like SSL/TLS.

3. Technology Infrastructure
▪ E-commerce is technology driven. To be successful, the web site should be:
  a) Scalable with minimal effort to handle peak traffic
  b) Easy to use and convenient
  c) Implementing Responsive Design to make the website accessible & usable on every device.
▪ Following tech. enable e-commerce:
  a) Computer server & DB - backbone of e-commerce. E-Comm vendors invest huge amounts in such infra.
  b) Mobile App - smaller version of computer s/w programmed to run on mobile/tablet. Expensive & runs on 1 type of OS.
  c) Digital Library - special library focussed on a collection of digital objects (text, audio, video) stored in e-media format. A type of info. retrieval system.
  d) Data Interchange - electronic communication of data b/w different parties. There are defined standards to ensure seamless comm.

4. Internet / Network
▪ Key to success of e-comm. transactions & critical enabler.
▪ Faster internet results in better e-commerce.

5. Web Portal
▪ Provides the interface / front end through which the user interacts with the e-commerce vendor.
▪ Can be accessed through laptop, desktop, mobile & hand-held device.
▪ Simplicity and clarity of content on the web portal is directly linked to the customer experience of buying a product online.

6. Payment Gateway
▪ A system of computer processes that authorizes, verifies, and accepts or declines payment on behalf of the merchant through secure Internet connections.
▪ Last & most crucial part of e-comm transactions. Assures the seller of receipt of payment.
▪ Various modes are ▪ Debit card ▪ Credit Card ▪ UPI ▪ COD

7. ARCHITECTURE OF NETWORKED SYSTEM

Architecture refers to the style of designing / method of construction. In e-Business, it denotes the way network architectures are built. E-Commerce runs through network-connected systems.

Two Tier Architecture: User ↔ DB Server
▪ Presentation Tier / Client Tier - Refers to the interface that allows the user to interact with the e-commerce vendor. The user can log in to e-commerce through this tier & all information is displayed to him.
▪ Database Tier - Data like product data, price data, customer data & other data is kept here. All information is stored in & retrieved from this tier. The user has no direct access to data at this level but can view it through the Client Tier.

Three Tier Architecture: User ↔ App Server ↔ DB Server
▪ Presentation Tier / Client Tier - Top level; displays info. related to goods and services on the website. For login & checking the products, the App tier is used.
▪ Application / Logic / Business / Middle Tier - Controls App functionality by performing detailed processing. All processing is done at this level, like how data can be created, displayed, stored and changed, data security mgt., load balancing etc.
▪ Database Tier - Same as two tier.
Thus, it is a client-server architecture in which the business logic, computer data storage and user interface are developed and maintained as independent modules on separate platforms.
E-commerce & M-commerce applications typically follow three-tier network architecture.

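The tier separation described above, as an added example (not code from these notes): a minimal three-tier skeleton in Python where the presentation tier holds no database handle, the application tier does login, input validation and access control, and the database tier only runs parameterised queries. The class and table names, the user "asha" and the product row are assumptions made for the example.

```python
"""Three-tier skeleton: presentation, application and database tiers kept as
separate classes. Illustrative example; names and sample data are assumptions."""
import hashlib
import hmac
import os
import sqlite3


class DatabaseTier:
    """Database tier: stores and retrieves rows only. No business rules live here."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.executescript(
            "CREATE TABLE users(name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB);"
            "CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, price_paise INTEGER);"
        )

    def execute(self, sql, params=()):
        # Parameterised queries only: user input is never concatenated into SQL text.
        return self.conn.execute(sql, params).fetchall()


class ApplicationTier:
    """Application/logic tier: authentication, validation and access control."""

    def __init__(self, db):
        self.db = db
        self._sessions = {}  # session token -> user name

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def register(self, name, password):
        salt = os.urandom(16)
        self.db.execute("INSERT INTO users VALUES (?, ?, ?)",
                        (name, salt, self._hash(password, salt)))

    def login(self, name, password):
        rows = self.db.execute("SELECT salt, pw_hash FROM users WHERE name = ?", (name,))
        if not rows:
            return None
        salt, pw_hash = rows[0]
        if not hmac.compare_digest(self._hash(password, salt), pw_hash):
            return None
        token = os.urandom(16).hex()
        self._sessions[token] = name
        return token

    def add_product(self, pid, name, price_paise):
        self.db.execute("INSERT INTO products VALUES (?, ?, ?)", (pid, name, price_paise))

    def get_product(self, token, product_id):
        if token not in self._sessions:
            raise PermissionError("login required")
        if not isinstance(product_id, int) or product_id <= 0:
            raise ValueError("product id must be a positive integer")
        rows = self.db.execute(
            "SELECT id, name, price_paise FROM products WHERE id = ?", (product_id,))
        return rows[0] if rows else None


class PresentationTier:
    """Presentation tier: renders what the application tier returns; holds no DB handle."""

    def __init__(self, app):
        self.app = app

    def show_product(self, token, raw_id):
        try:
            product = self.app.get_product(token, int(raw_id))
        except (ValueError, PermissionError) as exc:
            return f"error: {exc}"
        if product is None:
            return "product not found"
        pid, name, price = product
        return f"#{pid} {name} Rs {price // 100}.{price % 100:02d}"


def build_demo():
    """Wire the tiers together with constructed sample data; returns (ui, app, token)."""
    db = DatabaseTier()
    app = ApplicationTier(db)
    ui = PresentationTier(app)
    app.register("asha", "correct horse battery staple")   # constructed sample user
    app.add_product(1, "USB-C cable", 29900)               # constructed sample product
    token = app.login("asha", "correct horse battery staple")
    return ui, app, token


if __name__ == "__main__":
    ui, app, token = build_demo()
    print(ui.show_product(token, "1"))            # valid request
    print(ui.show_product(token, "1 OR 1=1"))     # rejected before any SQL runs
    print(ui.show_product("no-such-token", "1"))  # rejected: login required
```

The point to notice is where each check lives: the client can only hand strings to the application tier, the application tier decides who may see what and rejects malformed input before it reaches SQL, and the database tier never sees raw user text because every query is parameterised. Changing a rule (say, the password-hash cost or the product-id format) touches the application tier only, which is the change-management advantage of three-tier designs listed in 7.2.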
7.1. ADVANTAGES & LIMITATIONS OF TWO-TIER ARCHITECTURE

Advantages
a) Easy to set up & maintain due to its simple structure.
b) Higher system performance since business logic & database are physically close.
c) Processing is shared b/w client & database. Hence more users can interact with the system.

Disadvantages / Limitations
a) Performance declines as the number of users increases.
b) Restricted flexibility, as any change in the version of s/w needs to be installed on each user's device.
c) Lesser choice of DBMS.

7.2. ADVANTAGES & LIMITATIONS OF THREE-TIER ARCHITECTURE

Advantages
a) Change Mgt. (updating version of s/w) - any component change can be done on the App server rather than the user's device, in an easy & faster way.
b) Dynamic load balancing - if some bottleneck in performance occurs, the server process can be shifted to another server in real time.
c) Separation of DB tier, Client tier & App tier - results in quicker development of s/w.
d) Other Benefits - higher performance, flexibility in deployment of architecture due to modular s/w, scalability, improved security & data integrity.

Disadvantages / Limitations
a) Increased need for network traffic management, load balancing & fault tolerance.
b) Current tools are relatively immature & complex.
c) Maintenance tools are inadequate for maintaining the server.

8. M-COMMERCE

▪ Refers to buying & selling of goods & services and related activities through wireless hand-held devices like mobile phones and Personal Digital Assistants (PDAs) like tablets etc.
▪ M-commerce enables users to access the Internet without needing to find a place to plug in.
▪ Growth in m-Commerce has been through Apps. An App can be downloaded by the user or pre-installed.

E-Commerce Architecture via Internet & Mobile Apps

Client / Presentation Tier (user interface)
▪ Via Internet: Web server, web browser & Internet. Helps the e-commerce customer to connect to the e-commerce merchant.
▪ Via Mobile Apps: Mobile web browser, Mobile App & Internet. Helps the e-commerce customer to connect to the e-commerce merchant.
Application Tier
▪ Via Internet: App server & back-end server (includes seller, logistic partner, payment gateway). It allows the customer to check the products available on the merchant's website.
▪ Via Mobile Apps: Same.
Database Tier
▪ Via Internet: DB server, i.e. the info storehouse where all data is stored.
▪ Via Mobile Apps: Same.

9. WORKFLOW OF E-COMMERCE

1. Customer Login - Customer logs in on the e-commerce website or mobile App.
2. Product / Service - Customer selects products / services from the available options.
3. Customer Places Order - Order is placed for the selected product / service by the customer.
4. Payment Gateway - Customer selects the payment method. In case the payment method is other than Cash on Delivery (COD), the merchant gets the update from the payment gateway about payment realization from the customer.
5. Dispatch and Shipping Process - This process may be executed at two different ends. First, if product / service inventory is managed by the e-commerce vendor, then dispatch shall be initiated at the merchant warehouse. Second, many e-commerce merchants allow third-party vendors to sell through the merchant website.
6. Delivery Tracking - Merchants have provided their delivery staff with hand-held devices, where the product / service delivery to customers is immediately updated.
7. COD Tracking - In case products are sold on COD payment mode, merchants need to have an additional check on matching delivery with payments.

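Steps 3 to 7 of this workflow, as an added example that is not part of these notes: a small Python order book in which the "update from the payment gateway" (step 4) is accepted only when its signature, amount and transaction id check out, dispatch waits for payment or COD, and COD deliveries are reconciled against cash collected (step 7). The notification layout, the shared secret and the sample orders are assumptions; real gateways define their own signing scheme, so the check must follow the gateway's documentation.

```python
"""Order workflow (steps 3-7) with a signed payment-gateway notification and COD
reconciliation. Added example; the gateway message format and shared secret are assumptions."""
import hashlib
import hmac
import json

# Assumption: the gateway signs each notification with a secret shared with the merchant.
GATEWAY_SECRET = b"demo-shared-secret"


def sign(payload, secret=GATEWAY_SECRET):
    """HMAC-SHA256 over a canonical JSON encoding of the notification."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


class OrderBook:
    def __init__(self, secret=GATEWAY_SECRET):
        self.secret = secret
        self.orders = {}
        self.seen_txns = set()

    def place_order(self, order_id, amount_paise, method):
        """Step 3: record the order; non-COD orders wait for the gateway."""
        state = "COD_PENDING" if method == "COD" else "AWAITING_PAYMENT"
        self.orders[order_id] = {"amount": amount_paise, "method": method, "state": state}

    def handle_gateway_update(self, payload, signature):
        """Step 4: mark an order paid only for an authentic, fresh, matching notification."""
        if not hmac.compare_digest(sign(payload, self.secret), signature):
            return "rejected: bad signature"
        if payload.get("txn_id") in self.seen_txns:
            return "rejected: replayed notification"
        order = self.orders.get(payload.get("order_id"))
        if order is None or order["state"] != "AWAITING_PAYMENT":
            return "rejected: unknown order or wrong state"
        if payload.get("status") != "SUCCESS" or payload.get("amount") != order["amount"]:
            return "rejected: status/amount mismatch"
        self.seen_txns.add(payload["txn_id"])
        order["state"] = "PAID"
        return "paid"

    def dispatch(self, order_id):
        """Step 5: dispatch only paid or COD orders."""
        order = self.orders[order_id]
        if order["state"] not in ("PAID", "COD_PENDING"):
            raise RuntimeError(f"order {order_id} is {order['state']}, not dispatchable")
        order["state"] = "DISPATCHED"

    def mark_delivered(self, order_id, cash_collected_paise=0):
        """Step 6: delivery staff update the order from a hand-held device."""
        order = self.orders[order_id]
        if order["state"] != "DISPATCHED":
            raise RuntimeError(f"order {order_id} was never dispatched")
        order["state"] = "DELIVERED"
        order["cash_collected"] = cash_collected_paise

    def reconcile_cod(self):
        """Step 7: every delivered COD order must show cash collected equal to its value."""
        return [(oid, o["amount"], o["cash_collected"])
                for oid, o in self.orders.items()
                if o["method"] == "COD" and o["state"] == "DELIVERED"
                and o["cash_collected"] != o["amount"]]


def run_demo():
    """Constructed scenario: one card order with a genuine, a replayed and a tampered
    notification, plus one COD order delivered with short cash."""
    book = OrderBook()
    book.place_order("A1", 49900, "CARD")
    note = {"order_id": "A1", "amount": 49900, "status": "SUCCESS", "txn_id": "T1"}
    sig = sign(note)
    results = [book.handle_gateway_update(note, sig)]           # paid
    results.append(book.handle_gateway_update(note, sig))       # replay of the same notice
    tampered = dict(note, amount=100, txn_id="T2")
    results.append(book.handle_gateway_update(tampered, sig))   # signature no longer matches
    book.place_order("A2", 19900, "COD")
    book.dispatch("A2")
    book.mark_delivered("A2", cash_collected_paise=15000)
    return results, book.reconcile_cod()


if __name__ == "__main__":
    print(run_demo())
```

Two details matter in practice: the amount in the notification is compared with the merchant's own record of the order, never trusted on its own, and the transaction id is remembered so a captured notification cannot be replayed to mark a second order paid.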
10. RISKS & CONTROLS IN E-COMMERCE

10.1. Risks, i.e. the possibility of loss, in case of e-commerce are high compared to general internet activities.

▪ Privacy & Security of sensitive personal data
▪ Security of credit card issue → risk of cloning Dr/Cr card
▪ Quality Issue → actual product may differ from the product ordered
▪ Delay in delivery of goods & hidden cost (delivery / processing cost)
▪ Needs internet & no personal touch
▪ Problem of Anonymity → need to identify & authenticate the user as well as the supplier
▪ Denial of service → unavailability of the system due to virus, logic bomb etc.
▪ Repudiation of contract → seller may repudiate an order after accepting it; the customer can also refuse to accept delivery
▪ Attack from Hacker → e-commerce website may be attacked by hackers

10.2. CONTROLS → NECESSARY FOR EACH PARTICIPANT OF E-COMMERCE

1. User ▪ To ensure that only genuine users are on the e-commerce website. This prevents attacks on the website from hackers.
2. Seller / Merchant ▪ Should be financially & operationally stable. Control is needed for
  ➢ Product catalogues
  ➢ Price catalogues
  ➢ Discount and promotional schemes
  ➢ Shipping & return
  ➢ Accounting for cash received through the Cash on Delivery mode of sales.
3. Government ▪ Two major concerns - tax accounting of goods/services sold & that only legal goods/services are sold.
4. Network Service Provider ▪ To ensure availability & security of the network. Any downtime can be disastrous.
5. Technology Service Provider ▪ Includes all services other than network service, e.g. cloud computing, App back-ends etc. ▪ To ensure availability & security of technology.
6. Logistics Service Provider ▪ Responsible for timely delivery of the product as ordered. ▪ Success or failure of any e-commerce / m-commerce venture finally lies here.
7. Payment Gateway ▪ To ensure effective & efficient processing of payment.

10.3. CONTROLS FOR MITIGATING RISK

1. Educate participants about the nature of risk
▪ Policy may include a) frequency and nature of educational programmes b) participants for such programmes.
▪ Example: "Dos and Don'ts" for online payments advertised by Banks.
2. Communication of organizational policy to customers
a) Privacy policy, i.e. how data will be used
b) Information Security policy
c) Shipping & Billing policy
d) Return & Refund policy
3. Ensure compliance with Industry Body standards
▪ RBI releases these standards from time to time; they must be complied with.
4. Protect your e-commerce website from intrusion
a) Hackers - use a security software package to protect the website.
b) Virus - scan the website daily for viruses.
c) Password - ensure employees use strong passwords & change them periodically. Also, access of ex-employees must be terminated.
d) Regular s/w update - the website should have the newest version of security s/w.
e) Sensitive data - encryption of financial & other confidential data.

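Control 4(c) above, as an added example (not from these notes): a Python account store that enforces a password-strength policy, stores only salted PBKDF2 hashes, flags passwords older than a rotation interval, and disables rather than deletes a terminated employee's account. The policy thresholds (12 characters, 90 days), the account names and the timeline are assumptions.

```python
"""Employee account controls from 10.3(c): password strength policy, periodic rotation,
and terminating ex-employee access. Added example; policy thresholds are assumptions."""
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                 # assumption: policy minimum
MAX_AGE = timedelta(days=90)    # assumption: rotation interval


def policy_violations(password, username):
    """Return the list of rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password) or not re.search(r"[A-Z]", password):
        problems.append("needs upper and lower case letters")
    if not re.search(r"\d", password):
        problems.append("needs a digit")
    if username.lower() in password.lower():
        problems.append("contains the username")
    return problems


class AccountStore:
    def __init__(self):
        self._accounts = {}   # username -> dict(salt, hash, changed, active)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_password(self, username, password, now):
        problems = policy_violations(password, username)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        acct = self._accounts.setdefault(username, {"active": True})
        acct.update(salt=salt, hash=self._hash(password, salt), changed=now)

    def terminate(self, username):
        """Ex-employee: disable the account rather than deleting the audit trail."""
        self._accounts[username]["active"] = False

    def password_expired(self, username, now):
        return now - self._accounts[username]["changed"] > MAX_AGE

    def authenticate(self, username, password, now):
        """Returns 'ok', 'expired' (correct but must be rotated), or 'denied'."""
        acct = self._accounts.get(username)
        if acct is None or not acct["active"]:
            return "denied"
        if not hmac.compare_digest(self._hash(password, acct["salt"]), acct["hash"]):
            return "denied"
        return "expired" if self.password_expired(username, now) else "ok"


def run_demo():
    """Constructed timeline: password set, login, rotation deadline passes, then termination."""
    store = AccountStore()
    t0 = datetime(2024, 1, 1)
    store.set_password("asha", "Strong-Pass-2024-xyz", t0)
    outcome = [store.authenticate("asha", "Strong-Pass-2024-xyz", t0)]                      # ok
    outcome.append(store.authenticate("asha", "wrong", t0))                                 # denied
    outcome.append(store.authenticate("asha", "Strong-Pass-2024-xyz", t0 + timedelta(days=91)))  # expired
    store.terminate("asha")
    outcome.append(store.authenticate("asha", "Strong-Pass-2024-xyz", t0))                  # denied
    try:
        store.set_password("ravi", "ravi12345678", t0)        # weak: no upper case, has username
        outcome.append("accepted")
    except ValueError as exc:
        outcome.append(f"rejected ({exc})")
    return outcome


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Caveat a practitioner would add: the expiry check is here because these notes list periodic change as a control, but NIST SP 800-63B advises against forcing periodic rotation on its own and recommends rotating on evidence of compromise while screening new passwords against known-breached lists; the deprovisioning step (terminate before the last working day ends) is the part that actually closes the ex-employee gap.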
11. GUIDELINES & LAWS GOVERNING E-COMMERCE

11.1. GUIDELINES GOVERNING E-COMMERCE (DECIDED BY THE E-COMMERCE VENDOR)

All e-commerce vendors need to create clear policy guidelines for the following & communicate them to their users.
▪ Billing - format of bill; details in bill; applicable GST.
▪ Shipping - shipping date & time; expected date of dispatch & delivery.
▪ Delivery - mode of delivery (courier / hand delivery); when will goods be delivered (time & date); where delivery is to be made (home / office).
▪ Payment - mode (COD / online payment); a specific payment mode for a specific product must be highlighted.
▪ Return - which goods can be returned; within how many days; process of verifying authenticity; duration after which money will be refunded.
▪ Product Guarantee / Warranty - proper display of guarantee/warranty on the website; also send the G/W document along with the product.

11.2. COMMERCIAL LAWS GOVERNING E-COMMERCE

All e-commerce transactions are essentially commercial transactions. Hence the following laws are applicable:
1. Income Tax Act, 1961 ▪ Act to levy & collect Income Tax on income. ▪ Concerned with deciding the place of origin of a transaction for tax purposes.
2. GST Act, 2017 ▪ Covers all aspects of e-commerce. ▪ Each supplier is required to upload details of outward supply on the common portal.
3. Companies Act, 2013 ▪ Regulates companies. All major e-commerce organizations are companies.
4. Factories Act, 1948 ▪ Regulates working conditions of workers. Extends to places of storage as well as transportation.
5. Customs Act, 1962 ▪ Deals with import / export of goods. India is a signatory to GATT of the WTO & can't levy customs duties that are not WTO-compliant.
6. Consumer Protection Act, 1986 ▪ Act to safeguard the interest of consumers. It is the source of most litigation.
7. Foreign Exchange Management Act, 1999 ▪ Regulates FDI & the flow of foreign exchange in India. ▪ FDI up to 100% is allowed in B2B e-commerce.
8. Competition Act, 2002 ▪ Regulates practices that have an appreciable adverse effect on competition, through the Competition Commission. ▪ Checks predatory pricing by e-commerce vendors.
9. Indian Contract Act, 1872 ▪ Defines the constituents of a valid contract.

11.3. SPECIAL LAWS GOVERNING E-COMMERCE

Information Technology Act, 2000
▪ Governs all internet activities in India, including all online transactions in India.
▪ Provides legal sanctity to online transactions & online contracts & provides for penalties for non-compliance.
▪ Refer Chapter 1 & 5 for detailed discussion.

RBI Act, 1934
▪ RBI frames guidelines to be followed by E-Commerce & M-Commerce.
▪ E.g. conversion of Dr/Cr cards into chip-based cards; OTP/PIN is a must for online payments or payments at PoS.

11.4. TRENDS IN E-COMMERCE

E-marketers need to develop not only their product quality but also the user experience to retain customers.

Content
▪ Due to great competition in e-commerce, a visually attractive website or display of products is no more sufficient.
▪ Latest trend is to use video for content marketing to attract customers. Shoppable videos instead of images enable the customer to shop directly from videos.

Social commerce
▪ Social media is an integral part of a customer's online habits.
▪ Latest trend is to use social media like FB, Google etc. for doing e-commerce.

Predictive Analysis
▪ P.A. helps in analysing customer behaviour, such as: if a customer does not return within 30 days, he is lost.
▪ It helps to
  a) predict customers' buying habits as per their taste & preference, both Q&Q;
  b) segment customers into different categories & improve conversions by offering the right customers the right product, in the right way, at the right time.

Biometrics
▪ Since e-commerce involves serious security threats such as hacking, spamming, online fraud, theft of confidential data etc., biometric verification is a means to address security issues using physical characteristics of users such as fingerprint, face or voice.

Mobile commerce
▪ The user is moving from desktop to mobile computing. 55% of online traffic is generated on mobile & it is increasing.
▪ Creation of mobile apps is the latest trend.

Artificial Intelligence
▪ Use of AI like fully automated chatbots is another latest trend. The chatbot is the first point of contact & answers all questions of consumers. Also known as messenger bots.
▪ Live chat users tend to spend more & the buyer conversion rate is higher.

12. DIGITAL PAYMENT

▪ It is a way of payment which is made through digital modes.
▪ Also known as electronic payment, as no cash is involved & the transaction is completed online.

Advantages
a) Easy & convenient
b) Accessible from anywhere
c) Less risk if used wisely
d) Written record of transaction
e) Discount from taxes
f) Competitive advantage to business
g) Environment friendly

Disadvantages / Drawbacks / Limitations
a) Overspending
b) Risk of data theft - the server of the digital payment service provider can be hacked.
c) Difficult for non-technical persons
d) Disputed transactions - in case of misuse of electronic money by someone else, it is very difficult to receive a refund.
e) The necessity of internet access
f) Increased business costs - additional costs in procuring, installing and maintaining sophisticated payment-security technologies.

12.1. TYPES OF DIGITAL PAYMENT

Traditional Methods | New Methods

12.1.1. TRADITIONAL METHODS

Cards
▪ Debit Card - Small plastic card containing a unique no. linked with a bank A/c number. Issued by a bank & allows the holder to make payment directly from his bank A/c. Buyer's cash is instantly affected, i.e. as soon as payment is approved, the buyer's account is debited.
▪ Credit Card - Small plastic card issued by a bank / issuer, allowing the holder to purchase goods or services on credit. Buyer's cash flow is not instantly impacted, as the user makes payment to the card issuer at the end of the billing cycle.
▪ Smart Card - Prepaid card similar to credit and debit cards in appearance, but with a small microprocessor chip in it to store the customer's personal info. such as financial facts, encryption keys, account information & so on.
  a) These are not linked to any bank account & the user is not mandated to have a bank account.
  b) It is used to store money, which is reduced as per usage.
  c) E.g. Mondex and Visa Cash cards.
Internet Banking
▪ Customers log in to their bank account and make payments. All public sector banks & large private sector banks allow this facility to their customers.

12.1.2. NEW METHODS

UPI
▪ Unified Payments Interface. A payment mode to make instant fund transfer from the sender's bank account to the receiver's bank account through a mobile App.
▪ Steps
  ▪ User downloads a UPI App such as PhonePe, Google Pay, BHIM
  ▪ Create VPA / UPI ID
  ▪ Register for Mobile Banking
  ▪ Link Bank A/c with UPI ID & transfer funds.
▪ It can be used to transfer funds b/w two accounts as well.

IMPS
▪ Immediate Payment System. Facilitates instant inter-bank electronic fund transfer through Mobile, ATM & Net banking.
▪ Allows the user to send or receive money to/from another UPI address by
  a) scanning a QR code; or
  b) using A/c number with Indian Financial System Code (IFSC); or
  c) MMID (Mobile Money Identifier) - code for users who don't have a UPI-based bank A/c.

Mobile Apps
▪ BHIM / Bharat Interface for Money, developed by NPCI (National Payments Corp. of India).
▪ Based on UPI & built on IMPS infra.

Mobile Wallet
▪ A mobile wallet or e-wallet is the digital version of a physical or real-life wallet. Users can keep their money in the e-wallet & use it when needed.
▪ It stores bank account or Dr/Cr card info on the mobile device.
▪ Used to make payment to merchants listed with the mobile wallet service provider. E.g. PAYTM, Mobikwik, Freecharge

AEPS
▪ Aadhaar Enabled Payment System is an Aadhaar-based digital payment mode.
▪ AEPS allows bank-to-bank transactions, i.e. money will be deducted from the sender's A/c and credited to the payee's A/c directly.
▪ Customers need to link Aadhaar with their Bank A/c.
▪ Can be used for financial as well as non-financial operations.

USSD
▪ Unstructured Supplementary Service Data banking or *99# mobile banking - a digital payment mode that works on a basic phone over the USSD channel (dialling *99#); no need of a smartphone or Internet.
▪ Can be used for financial as well as non-financial operations like checking bank balance, generating MPIN etc.

Crypto Currency
▪ It is a digital currency (no physical form) produced by a public network rather than any Govt. or bank. It is completely decentralized, i.e. no controlling authority.
▪ It is a medium of exchange. Strong cryptography is used to ensure that payments are sent & received safely.
▪ Records of individual coin ownership are stored in a computerized database (a distributed ledger) using strong cryptography.
▪ Strong cryptography makes it nearly impossible to counterfeit coins or to double-spend them.
▪ E.g. Bitcoin, Litecoin, Ethereum
▪ Advantages: less transaction processing, fast transfer b/w sender & receiver, no risk of counterfeit currency. Caveat: the ledger itself resists tampering, but wallets, private keys and exchanges can still be hacked, so "no risk of hacking" does not hold for the user.

Mobile Banking
▪ Service provided by a bank or other FI that allows its customers to conduct different types of financial & non-financial transactions remotely using a mobile device such as a mobile phone or tablet & the Mobile App provided by the Bank or FI.
▪ Each Bank provides its own mobile banking App for Android, Windows and iOS mobile platform(s).

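The two properties the crypto-currency entry rests on, an ownership record that cannot be double-spent and a history that cannot be quietly edited, as an added example (not from these notes): a toy ledger in Python where every accepted transfer is appended as a hash-chained block and a coin can only be moved by its current owner. HMAC with a per-owner secret stands in for the public-key signatures real coins use, and the wallets and coin are constructed for the example.

```python
"""Toy cryptocurrency ledger: hash-chained blocks, ownership records and double-spend
rejection. Added example; HMAC with a per-owner secret stands in for the digital signatures
real coins use (the real thing uses public-key signatures such as ECDSA)."""
import hashlib
import hmac
import json


def _digest(obj):
    """SHA-256 of a canonical JSON encoding, used for both block hashes and signing input."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


class Wallet:
    """Holds an owner's secret; in a real system this would be a private key."""

    def __init__(self, name, secret):
        self.name, self.secret = name, secret

    def sign(self, tx):
        return hmac.new(self.secret, _digest(tx).encode(), hashlib.sha256).hexdigest()


class Ledger:
    def __init__(self):
        self.blocks = []          # each block: {"prev": hash, "tx": tx, "sig": sig, "hash": hash}
        self.owner_of = {}        # coin id -> owner name
        self.verify_keys = {}     # owner name -> secret used to check signatures (simplification)

    def register(self, wallet):
        self.verify_keys[wallet.name] = wallet.secret

    def mint(self, coin_id, owner):
        self.owner_of[coin_id] = owner

    def _append(self, tx, sig):
        prev = self.blocks[-1]["hash"] if self.blocks else "0" * 64
        block = {"prev": prev, "tx": tx, "sig": sig}
        block["hash"] = _digest(block)
        self.blocks.append(block)

    def transfer(self, tx, sig):
        """Accept a transfer only if the coin exists, the sender currently owns it
        (so it has not already been spent) and the signature is the sender's."""
        coin, sender, receiver = tx["coin"], tx["from"], tx["to"]
        if self.owner_of.get(coin) != sender:
            return "rejected: sender does not own this coin (double spend or unknown coin)"
        key = self.verify_keys.get(sender)
        if key is None:
            return "rejected: unknown sender"
        expected = hmac.new(key, _digest(tx).encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return "rejected: bad signature"
        self.owner_of[coin] = receiver
        self._append(tx, sig)
        return "accepted"

    def verify_chain(self):
        """Recompute every block hash and prev link; any edited block breaks the chain."""
        prev = "0" * 64
        for block in self.blocks:
            body = {k: v for k, v in block.items() if k != "hash"}
            if block["prev"] != prev or _digest(body) != block["hash"]:
                return False
            prev = block["hash"]
        return True


def run_demo():
    """Constructed scenario: Alice pays Bob, then tries to pay Carol with the same coin,
    then someone edits history."""
    ledger = Ledger()
    alice, bob = Wallet("alice", b"alice-secret"), Wallet("bob", b"bob-secret")
    for w in (alice, bob):
        ledger.register(w)
    ledger.mint("coin-1", "alice")
    tx1 = {"coin": "coin-1", "from": "alice", "to": "bob"}
    tx2 = {"coin": "coin-1", "from": "alice", "to": "carol"}     # double-spend attempt
    results = [ledger.transfer(tx1, alice.sign(tx1)), ledger.transfer(tx2, alice.sign(tx2))]
    tx3 = {"coin": "coin-1", "from": "bob", "to": "carol"}
    results.append(ledger.transfer(tx3, alice.sign(tx3)))        # alice forging bob's transfer
    results.append(ledger.transfer(tx3, bob.sign(tx3)))          # bob's genuine transfer
    intact = ledger.verify_chain()
    ledger.blocks[0]["tx"]["to"] = "mallory"                     # tamper with recorded history
    return results, intact, ledger.verify_chain(), ledger.owner_of["coin-1"]


if __name__ == "__main__":
    print(run_demo())
```

What a real network adds on top of this is consensus: here a single ledger decides, whereas Bitcoin-style systems make every node run the same checks and agree on one chain, which is what stops an attacker from simply presenting a second ledger in which the double spend went through.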
PART II - EMERGING TECHNOLOGIES

13. VIRTUALISATION

▪ Refers to creation of a virtual version of a device or resource such as a server, network or storage device etc.
▪ It provides a layer of abstraction between hardware and the software working on it.
▪ Core Concept - Partitioning, which divides one physical hardware into multiple logical servers / virtual machines, each of which can run an OS independently.
▪ Example - Partitioning of a hard drive is considered virtualization because one drive is partitioned in a way that creates two separate hard drives.
▪ Helps in cutting IT expenses, enhancing security, and increasing operational efficiency.

13.1. APPLICATION AREAS OF VIRTUALISATION

▪ Server consolidation - Consolidates many servers into fewer servers. Known as physical-to-virtual transformation. Each physical server is known as the virtual machine host & the virtual machines appear as real machines.
▪ Disaster Recovery - Can be used as hot standby; in case any virtual machine is down, its work can be handled by other virtual machines, thus helping in disaster recovery.
▪ Testing and training - Useful for kernel development of an OS & for OS courses, for training and testing.
▪ Portable App - Enables portable Apps, where Apps can be executed from a removable device (PD/HD) directly without installing them on the system's main disk.
▪ Portable workspace - Helps to create portable workspaces / OS that can be carried on devices like a memory stick, USB, iPad.

13.2. TYPES OF VIRTUALISATION

Hardware Virtualization
▪ Known as platform virtualisation.
▪ Involves creation of virtual machines that act like real computers with an OS.
▪ S/w on these virtual machines is separate from the underlying H/W.
▪ Basic idea of virtualization is consolidation of servers, where multiple servers are consolidated to create a virtual server.
▪ Two softwares: Hypervisor and virtual machine manager.

Network Virtualization
▪ A method of combining available resources by splitting bandwidth / network into multiple channels.
▪ Each channel is independent & can be assigned / reassigned to any server.
▪ It allows a large physical network to be split into multiple logical networks and vice-versa.
▪ Intended to optimize speed, scalability, flexibility etc.

Storage Virtualization
▪ Refers to pooling of data from multiple storage devices into what appears to be a single device that is managed centrally.
▪ Helps to perform the jobs of backup, archiving (old & unused data) and recovery easily by disguising the complexity of the storage area network [SAN].

14. GRID COMPUTING

▪ It is a computer network in which each computer's resources (processor, storage, network etc.) are shared with other computers in the system / network.
▪ It is a distributed architecture of a large number of computers connected to solve complex problems. E.g. data mining.
▪ In the grid computing model, servers or personal computers run independent tasks and are loosely linked by the Internet.
▪ It turns a computer network into a powerful super-computer.

14.1. BENEFITS OF GRID COMPUTING

1. Access to additional resources - like computational power, network, storage etc.
2. Making use of under-utilized resources - It provides a framework to use / exploit unutilized IT resources in an Org.
3. Resource Balancing - It enables resource balancing in which, if a computer's load peaks, it can transfer its work to another computer with less utilization.
4. Parallel CPU capacity - It helps in scalability & faster performance.
5. Reliability - Since high-end computing systems are used, grid computing is reliable. Further, due to multiple resources, if one computer fails, work will continue as its work will be transferred to another computer in the network.
6. Management - It helps in better management of a large no. of computer systems. It also manages priorities among different projects.

14.2. TYPES OF RESOURCES IN GRID

Computation Power (CPU)
▪ It's the most common resource shared in G.C. Processors offered by members of the Grid may differ in architecture, memory etc. but can still be shared.
▪ Three ways to exploit this resource in G.C.:
  a) To run an App on a computer in the grid rather than locally.
  b) To run an App that needs to be executed multiple times on diff. computers in a Grid.
  c) To split the work into separate parts so that it can be executed in parallel on different computers.

Storage
▪ Each machine on the grid provides some storage, even if temporary.
▪ Storage may be memory attached to processors, RAM, ROM or secondary devices like a Hard Drive.

Communications
▪ Refers to network bandwidth used for sending work from one computer / machine to another.
▪ Bandwidth is a critical resource and it should be redundant and efficient, else it may affect the effectiveness of G.C.

Software and License
▪ Refers to those s/w installed in a Grid which are too expensive for installation on each member computer.
▪ Some s/w vendors permit installing such s/w on all computers in the grid, but at any given time only a limited no. of computers will be able to use the s/w.

Special Equipment, capacities, architecture and policies
▪ Different computers in a Grid will have different architectures, operating systems, devices, capacities, and equipment.
▪ The Grid can use such criteria for assigning a job to any member of the Grid.
▪ For example, some machines may be designated to be used only for medical research.

14.3. APPLICATIONS OF GRID COMPUTING

a) Civil engineers collaborate to do experimental research to design, execute, analyze, and validate different models in earthquake engineering.
b) Insurance companies mine data from partner hospitals for fraud detection.
c) In scientific research, using an entire network of computers to analyze data.
d) In the film industry, to give special effects in a movie.
e) In the financial industry, to forecast the future of a particular stock.

14.4. GRID COMPUTING SECURITY CONSTRAINTS / ISSUES TO CONSIDER

G.C. is a highly collaborative & distributed computing model. To develop a secure Grid, the following need to be considered:
a) Secured Single Sign-on - The user should need to authenticate once & should then be able to access resources, use them, & communicate internally without further authentication.
b) Mgt. & Protection of credentials - User's credentials like User Id, Passwords, PIN should be protected.
c) Support for secure group connections - Among Grid member computers.
d) Support for multiple implementations - There should be security for multiple participants of a Grid based on public and private key cryptography.
e) Inter-operability between Grid security & local security - Access to local computer resources should have local security & there should be inter-operability between Grid security & local security.
f) Standardization - Since G.C. is a highly integrated system, standardizing protocols and interfaces between Grid participants is a big issue.
g) Exportability - The code should be exportable, i.e. it must stay within export-control limits on the amount / strength of encryption it uses.

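Points (a) and (b) of the list above, as an added example that is not part of these notes: a Python sign-on service that checks the password once, stores credentials only as salted PBKDF2 hashes, and issues a signed, expiring token that every grid resource verifies with a shared key, so the password never travels to the resources. The token layout, the key, the lifetimes, the user "priya" and the two nodes are assumptions; a production grid would use public-key signed certificates (point (d)) rather than one shared HMAC key.

```python
"""Grid single sign-on (14.4 a-b): authenticate once, then present a signed, expiring
token to every resource. Added example; token layout, key and lifetimes are assumptions."""
import base64
import hashlib
import hmac
import json
import os

# Assumption: one verification key shared by the sign-on service and all resources.
SIGNING_KEY = os.urandom(32)


def _b64(data):
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SignOnService:
    def __init__(self, key=SIGNING_KEY, lifetime=3600):
        self.key, self.lifetime = key, lifetime
        self._creds = {}   # user -> (salt, hash); plaintext passwords are never stored

    def enrol(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

    def login(self, user, password, now):
        """Authenticate once; return a token or None."""
        rec = self._creds.get(user)
        if rec is None:
            return None
        salt, stored = rec
        if not hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), stored):
            return None
        claims = json.dumps({"sub": user, "exp": now + self.lifetime}, sort_keys=True).encode()
        tag = hmac.new(self.key, claims, hashlib.sha256).digest()
        return _b64(claims) + "." + _b64(tag)


def verify_token(token, now, key=SIGNING_KEY):
    """Any grid resource calls this; returns the user name or None. No password needed."""
    try:
        claims_b64, tag_b64 = token.split(".")
        claims = _unb64(claims_b64)
        tag = _unb64(tag_b64)
    except (ValueError, TypeError):
        return None
    if not hmac.compare_digest(hmac.new(key, claims, hashlib.sha256).digest(), tag):
        return None
    payload = json.loads(claims)
    if payload["exp"] <= now:
        return None
    return payload["sub"]


class GridResource:
    """A compute or storage node that admits work on the strength of the token alone."""

    def __init__(self, name, allowed_users):
        self.name, self.allowed_users = name, set(allowed_users)

    def run_job(self, token, now):
        user = verify_token(token, now)
        if user is None:
            return f"{self.name}: denied (invalid or expired token)"
        if user not in self.allowed_users:
            return f"{self.name}: denied ({user} not authorised here)"
        return f"{self.name}: job accepted for {user}"


def run_demo():
    """Constructed scenario: one login, two resources, one expired use, one forged token."""
    sso = SignOnService(lifetime=600)
    sso.enrol("priya", "grid-pass-2024")
    now = 1_700_000_000
    token = sso.login("priya", "grid-pass-2024", now)
    cpu = GridResource("cpu-node-1", ["priya"])
    storage = GridResource("storage-node-1", ["ravi"])
    forged = token[:-2] + ("AA" if not token.endswith("AA") else "BB")   # altered signature
    return [cpu.run_job(token, now + 10), storage.run_job(token, now + 10),
            cpu.run_job(token, now + 601), cpu.run_job(forged, now + 10),
            sso.login("priya", "wrong", now) is None]


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The local-versus-grid split in point (e) shows up as the `allowed_users` check: the token proves who the caller is, but each resource still applies its own authorisation before running the job.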
15. CLOUD COMPUTING

▪ "The Cloud" refers to applications, services, and data storage on the Internet.
▪ C.C. refers to accessing these computing resources through the internet. E.g. Gmail, web e-mail, Netflix etc.
▪ It is a combination of H/w & S/w based resources delivered as a service which can be accessed online.

15.1. CHARACTERISTICS OF CLOUD COMPUTING

All the characteristics may or may not be present in a specific Cloud solution.
a) Elasticity & Scalability - Gives the user the ability to expand or reduce resources according to requirement.
b) Pay per use - User pays for cloud services only when they use them.
c) On Demand - Cloud service is not a permanent part of the IT infrastructure. It is availed when required.
d) Resiliency - Failure of a server or storage resource does not affect the Org, as work is migrated to a different server in the same data center or to a different data center, with or without human intervention.
e) Multi-Tenancy - Public cloud offers its services to multiple users, making it multi-tenant.
f) Workload Management - It is related to resiliency & cost considerations. A cloud service provider may move workload from one data center to another due to:
  a. cost saving [where operating the data center is cheap]
  b. regulatory considerations
  c. better network bandwidth.

15.2. ADVANTAGES OF CLOUD

a) Streamline business process - by getting more work done in less time with fewer resources.
b) Reduced capital cost - No need to spend huge amounts on s/w & H/w etc.
c) Reduced spending on technology infrastructure - as data can be accessed on demand on a pay-per-use basis.
d) Improved flexibility - Fast changes can be made in the work environment.
e) Pervasive accessibility - Data can be accessed from anywhere on any device through the internet.
f) Minimized maintenance - As infrastructure is maintained by the cloud service provider.
g) Globalised workforce - As people can access the cloud with the internet across the world.

15.3. DRAWBACKS OF CLOUD

a) Loss of internet connection will result in loss of access to the cloud.
b) Security is a major concern, as data & application working depend on a third party.
c) Scalability may be affected, as the user has no control over the IT infrastructure.
d) While the cloud service provider provides unlimited capacity to the user, there may be some restrictions on services.
e) Inter-operability - If two Apps use different cloud service providers, they may not co-operate with each other.

15.4. TYPES OF CLOUD COMPUTING ENVIRONMENT (BASED ON USAGE & DEPLOYMENT)

Private Cloud
▪ It resides within the boundaries of the Org & is used exclusively for the Org's benefit. Also called Internal Cloud or Corporate Cloud.
▪ Can be managed by a single organization [on-premise private cloud] or can be administrated by a 3rd party [outsourced Pvt cloud].
▪ Built by the Internal IT Team using concepts of Virtualisation & Grid Computing.

Public Cloud
▪ It is provisioned for open use by the general public. Also called Provider Clouds.
▪ May be owned & operated by a Business, Academic or Govt. organization, or any combination thereof.
▪ Outsourced to a third party vendor over the Internet; service is offered on a pay per use basis.

Hybrid Cloud
▪ It is a combination of at least 1 Private (internal) cloud & at least 1 Public (external) cloud. It may be regarded as a private cloud extended to the public cloud.
▪ Aim is to use the power of the public cloud while retaining the benefits of the Private Cloud.
▪ Typically offered in either of two ways:
  a) A vendor has a private cloud & forms a partnership with a public cloud provider, or
  b) a public cloud vendor forms a partnership with a vendor that provides private cloud platforms.

Community Cloud
▪ It is provisioned for exclusive use by a specific community of consumers from Organizations that have shared concerns like security, compliance etc.
▪ May be owned, managed & operated by one or more of the Orgs in the community, a third party or a combination of them, and it may exist on or off premises.
▪ In this, a private cloud is shared between several organizations.


15.4.1. CHARACTERISTICS OF CLOUD COMPUTING ENVIRONMENT

Basis: Private cloud | Public cloud | Hybrid cloud | Community cloud
a) Security & Privacy: High, as it is deployed & managed by the Org itself | Less, as it is offered by a third party | Partially secure (higher than public & lesser than private) | Partially secure (higher than public & lesser than private)
b) Cost: Very High | Affordable | Less than Private | Cost Effective
c) SLA: Weak | Stringent | Stringent | Stringent
d) Scalability: Not Easy | Highly | Highly | Yes
e) Specific Points: Centralised Control | Loss of Autonomy & Privacy | Complex Mgt. | Loss of Autonomy & Privacy

15.5. TYPES OF CLOUD COMPUTING SERVICE MODEL

National Institute of Standards and Technology (NIST) defines three basic service models through which cloud services are offered to users. These are as follows:

Infrastructure as a Service (IaaS)
▪ It is a h/w level service which provides computing resources like
  ➢ Processing power
  ➢ Memory
  ➢ Network &
  ➢ Storage
  to cloud users to enable them to run Apps on demand on a pay per use basis.
▪ IT resources are installed & managed by the cloud Service provider & users use the infrastructure in the form of virtual machines.
▪ Example: AWS, Google Compute Engine, OpenStack
▪ Characteristics
  a) Web Access - Enables the user to access infra over the Internet. No physical access.
  b) Metered Service - Allows the user to rent infrastructure rather than buy it & pay on a usage basis.
  c) Scalability & Elasticity
  d) Shared Infrastructure - Multi-Tenancy
  e) Centralized Management - Ensures effective Resource Management

Platform as a Service [PaaS]
▪ It provides the user the ability to develop & deploy an App on a platform provided by the Service provider.
▪ PaaS moves Application development from the local machine to online.
▪ It provides
  - Programming language
  - App framework
  - Database
  - Testing Tools
  - Other S/w development tools
▪ Example: Google App Engine, Microsoft Azure Compute

Software as a Service [SaaS]
▪ It provides the user the ability to access an App over the internet.
▪ S/w is installed, managed, updated & upgraded by the cloud Service provider.
▪ User gets access to the App on a pay per use (subscription) basis.
▪ Types
  a) E-mail as a service (EaaS) - Provides an integrated system of mailing, record management, migrating, integration etc.
  b) API as a service (APIaaS) - Helps to explore functionality of web services like Google Maps, Payroll Processing etc.
  c) Testing as a service (TaaS) - Provides s/w testing capabilities to users.
▪ Difference between SaaS & PaaS is that PaaS represents a platform for App development, while SaaS provides online Apps that are already developed.


15.5.1. FIVE INSTANCES OF IAAS

a) Network as a service (NaaS): Provides data communication capacity to the user to execute data intensive activities requiring more network, like video conferencing. Enables creation of virtual N/w & other N/w components.
b) Storage as a service (STaaS): Provides storage infrastructure to the user to store data online. User can access data from anywhere & anytime over the Internet.
c) Backend as a service (BaaS): Provides back-end infra to users to connect their App to cloud Infrastructure. Additional services include user mgt, push notification etc.
d) Database as a service (DBaaS): Provides database infrastructure to the user to create, store, modify & access databases.
e) Desktop as a service (DTaaS): Enables the user to use desktop virtualization without buying & owning infrastructure.

Common to all five:
▪ Infrastructure is owned & managed by the vendor.
▪ User pays on demand & pay as per use.
▪ User can use infrastructure w/o buying it.
▪ Accessible over the Internet anytime and anywhere.

15.6. ISSUES WITH CLOUD COMPUTING

a) Hidden cost: Such cost may include higher N/w charges for storage & database Apps, for users who may be located far from the cloud service provider.
b) Unexpected Behaviour: An App may perform well at the Co's internal data center but may not work in the same manner in the cloud. App behaviour must be checked for unexpected behaviour.
c) Legal: Need to adhere to several
   ▪ Regulatory requirements
   ▪ Privacy laws
   ▪ Data security laws.
   These laws vary from country to country & cloud users have no control over where data is physically stored.
d) Software development in cloud: Developers face difficulty in developing secure Apps that can be hosted in the cloud.
e) Bugs in large scale distribution: It is difficult to remove errors in a very large-scale distributed system.
f) Interoperability: Each C.C. vendor has different APIs & formats for importing/exporting data. Industry standards do not exist. This creates the problem of achieving interoperability of an App b/w two C.C. vendors. It is also difficult to move infra from one cloud to another.
g) Threshold policy: Main objective of implementing a T.P. is to inform the C.C. service provider & user about what they should do. A carefully drafted T.P. outlines, e.g., how the App allocates resources on a sudden increase in demand and how it allocates unused resources. Generally, a T.P. is not present & the only legal doc is the SLA.
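The threshold policy described in the last item, worked through as an added example that is not part of the notes: a per-interval autoscaler that adds instances when utilisation crosses an upper threshold and releases them below a lower one, with a cooldown between actions. The capacity per instance, the thresholds and the demand series are constructed figures, not values from the page.

```python
"""Threshold policy for cloud resource allocation (added example, not from the notes).

Assumptions not taken from the page: capacity is measured in requests per
second per instance, the policy is evaluated once per sampling interval, and
a scaling decision only takes effect from the next interval.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class ThresholdPolicy:
    capacity_per_instance: int      # requests/second one instance can serve
    scale_out_util: float = 0.75    # add instances above this utilisation
    scale_in_util: float = 0.30     # release one instance below this utilisation
    min_instances: int = 1
    max_instances: int = 20
    cooldown: int = 1               # intervals to wait after any scaling action


@dataclass(frozen=True)
class Step:
    demand: int          # requests/second observed in this interval
    instances: int       # instances serving the interval
    utilisation: float   # demand / capacity
    overloaded: bool     # demand exceeded capacity (service degraded)
    idle_capacity: int   # provisioned but unused requests/second (hidden cost)


def simulate(policy: ThresholdPolicy, demand_series, start_instances: int = 1):
    """Apply the policy to a demand series and return one Step per interval."""
    instances = max(policy.min_instances, start_instances)
    wait = 0
    steps = []
    for demand in demand_series:
        capacity = instances * policy.capacity_per_instance
        util = demand / capacity
        steps.append(Step(demand, instances, round(util, 3),
                          demand > capacity, max(0, capacity - demand)))
        if wait > 0:            # still in cooldown: observe but do not act
            wait -= 1
            continue
        if util > policy.scale_out_util and instances < policy.max_instances:
            # Scale out to the size the observed demand needs at the target
            # utilisation, not just +1, so a sudden spike is absorbed in one step.
            target = policy.capacity_per_instance * policy.scale_out_util
            needed = math.ceil(demand / target)
            instances = min(policy.max_instances, max(instances + 1, needed))
            wait = policy.cooldown
        elif util < policy.scale_in_util and instances > policy.min_instances:
            instances -= 1      # release unused capacity one instance at a time
            wait = policy.cooldown
    return steps


def summarise(steps):
    """Figures a reviewer of the policy would look at: degraded intervals vs. waste."""
    return {
        "overloaded_intervals": sum(1 for s in steps if s.overloaded),
        "peak_instances": max(s.instances for s in steps),
        "idle_capacity_total": sum(s.idle_capacity for s in steps),
    }


# Constructed demand series: steady load, a sudden spike, then a quiet period.
DEMAND = [40, 50, 300, 320, 310, 120, 60, 30, 20, 20]
POLICY = ThresholdPolicy(capacity_per_instance=100)

if __name__ == "__main__":
    run = simulate(POLICY, DEMAND)
    for s in run:
        flag = " OVERLOADED" if s.overloaded else ""
        print(f"demand={s.demand:4d} instances={s.instances:2d} "
              f"util={s.utilisation:.2f} idle={s.idle_capacity:4d}{flag}")
    print(summarise(run))
```

The single overloaded interval is the spike itself, since capacity added in one interval only serves the next; the slow one-at-a-time scale-in is what leaves idle capacity (the hidden cost) after the spike passes.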


16. MOBILE COMPUTING

▪ Technology that allows transmission of data via a computer/mobile device without having to be connected to a fixed physical link (wireless).
▪ Users can transmit data from remote locations to other remote or fixed locations, thus solving the issue of 'Mobility'.
▪ Widely established, rapidly evolving & rapidly growing across the world.

16.1. KEY COMPONENTS OF MOBILE COMPUTING

a) Mobile Communication: Infrastructure put in place to ensure seamless & reliable communication. Includes mobile towers, comm. protocols & data formats etc.
b) Mobile Hardware: Handheld mobile device that receives or accesses the service of mobility. E.g. portable laptops, tablets, mobile phones.
c) Mobile Software: Actual program that runs on the mobile H/w. It is the operating system of that appliance and is the essential component that makes the mobile device operate. Apps are also being developed by Organizations for use by customers.

16.2. WORKING OF MOBILE COMPUTING

a) User enters or accesses data on a hand-held computing device using an App.
b) This new data is transmitted from the hand-held computing device to the physical I.S., where the DB is updated & the new data becomes accessible to other system users as well.
c) Now both systems, i.e., the hand-held device & the physical I.S., have the same information & they are in sync.
d) This process works in the same way starting from the other direction.

16.3. BENEFITS OF MOBILE COMPUTING

a) Flexibility in working: It has enabled users to work from anywhere as long as they are connected to a network, thus enabling work from home or work while travelling.
b) Increase in Employee's Productivity: As workers can simply work efficiently and effectively from whichever location they find comfortable and suitable.
c) Improved Customer Service: For example, by using a wireless payment terminal the customers in a restaurant can pay for their meal without leaving their table.
d) Remote access to work order details: Provides the mobile workforce with remote access to work order details, such as work order location, contact information, required completion date.
e) Improved Management effectiveness: Enables improving Mgt. effectiveness by enhancing information flow & the ability to control the mobile workforce.
f) Facilitates excellent communication: Mobile computing facilitates excellent communication.

16.4. LIMITATIONS OF MOBILE COMPUTING

a) Insufficient Bandwidth: It uses technologies such as GPRS, EDGE & 3G, 4G networks, which are slower than a direct cable connection. Higher speed wireless LANs are inexpensive but have very limited range.
b) Security standard: Since a public network is used, VPN should be carefully used.
c) Power consumption: In case power is not available, batteries are used, which are expensive.
d) Human Interface with device: Small screen and small keys are hard to use.
e) Transmission Interference: Weather, terrain and the range from the nearest signal point can all interfere with signal reception. Signal in tunnels, lifts and rural areas may not be good.
f) Potential Health Hazard: No mobile should be used while driving as it distracts drivers. Cell phones may interfere with sensitive medical devices, thus causing health issues.

17. GREEN COMPUTING

▪ Study & practice of environmentally sustainable computing or IT.
▪ Refers to using computer & IT resources in a
  ➢ more efficient, responsible & environment friendly way.
▪ Objectives
  ➢ Reduce use of hazardous material
  ➢ Maximize efficiency
  ➢ Promote recycling
  ➢ Bio-degradability of defunct products

17.1. GREEN COMPUTING BEST PRACTICES

a) Develop sustainable Green Computing plan
   Involve all stakeholders. Includes
   i) Checklist
   ii) Recycling policies
   iii) Recommendation for purchasing G.C.
   iv) Reduction of paper consumption
   v) Use cloud computing so that multiple Orgs share common infra.
   vi) Create awareness about commitment to G.C.
b) Recycle
   ▪ Dispose e-waste as per Govt. guidelines & regulations.
   ▪ Manufacturer must offer safe end-of-life mgt. & recycling options when the product is unusable.
   ▪ It should recycle computers using its recycling service.
c) Make environmentally sound purchase decisions
   ▪ Purchase IT resources based on Green Attributes.
   ▪ Recognize manufacturer's efforts to reduce the environmental impact of the product by reducing or eliminating use of environmentally sensitive material.
   ▪ Use shared resources & virtualization, which can help to improve resource utilization, reduce energy costs & simplify maintenance.
d) Reduce consumption of paper
   ▪ By using e-mail & electronic archiving.
   ▪ Online marketing rather than paper-based marketing.
   ▪ While printing, print on both sides using a smaller font size.
   ▪ Use 'Track changes' in e-documents rather than red-line correction on paper.
e) Conserve Energy
   ▪ Use LCD & LED monitors instead of CRT.
   ▪ Use notebook/laptop rather than desktop.
   ▪ Use the power management feature to turn off hard drives and displays after several minutes of inactivity.
   ▪ Use alternative sources of energy like solar energy.
   ▪ Adopt more web conferencing instead of travelling.


17.2. GREEN IT SECURITY SERVICES & CHALLENGES

▪ Green Security is a new research field which involves defining & investigating security solutions from an energy-aware perspective.
▪ The objectives of Green Security are to:
  a) Evaluate the actual security mechanisms in order to assess their energy consumption.
  b) Build new security mechanisms by considering the energy costs from the design phase.
▪ The need to evaluate a client's infrastructure to accommodate green technology is really a vital issue.
▪ Green security can be a cost-efficient and lucrative green IT service for solution providers.

18. BRING YOUR OWN DEVICE (BYOD)

▪ It is a business policy that allows Employees to use their preferred IT device, like a Laptop, for business purposes.
▪ Employees can connect a personal device to the corporate network to access information & applications.
▪ It makes workspaces flexible as it enables employees to work beyond required hours.

18.1. ADVANTAGES OF BYOD

a) Happy Employees: Employees love to use their own device at work & need not carry multiple devices.
b) Increased Employee efficiency: As the employee is not required to learn working on a new system.
c) Lower IT Budget: Leads to financial saving as the Org is not required to provide devices to staff.
d) Reduced support requirement: As Employees maintain the device on their own, resulting in cost saving.
e) Early adoption of technology: As Employees are more proactive in adopting new technologies, which leads to enhanced productivity.

18.2. EMERGING THREATS / DISADVANTAGES OF BYOD

a) Network Risk: Referred to as 'Lack of Device Visibility'. The IT practice team is unaware of the total no. of devices connected to the Org network. This can be hazardous. Suppose a virus hits the N/w & the company needs to scan all devices connected to the N/w. It may be possible that some employees' devices skip the scan.
b) Device Risk: Referred to as 'Loss of Device'. A device can be lost or stolen, causing enormous loss in terms of finance & reputation. Company trade secrets can be retrieved from a misplaced device.
c) Application Risk: Referred to as 'App Virus & Malware'. An employee's personal device may not be protected by security s/w. The Org is not clear who is responsible for device security - Organization or employee.
d) Implementation Risk: Referred to as 'Weak BYOD policy'. Effective implementation of a BYOD program should cover an implementation policy along with the above technical issues. Note: A strong BYOD policy mitigates the risk.
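The 'lack of device visibility' scenario in (a), worked as an added example that is not part of the notes: the devices seen on the network are reconciled against the endpoint scan report to find the ones that skipped the scan. The two export formats and every device record below are constructed assumptions, not data from the page.

```python
"""BYOD network risk: which devices seen on the network have no clean scan?
Added example, not part of the notes.

Assumed (not from the page) export formats:
  network inventory : mac,hostname,owner   (owner = corporate | byod)
  scan report       : hostname,status      (status = clean | infected | failed)
Lines starting with '#' are headers/comments and are skipped.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SeenDevice:
    mac: str
    hostname: str   # normalised to lower case for matching
    owner: str      # "corporate" or "byod"


def _records(lines):
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            yield [f.strip().lower() for f in line.split(",")]


def parse_inventory(lines):
    """Network-side view: every device that took an address on the Org network."""
    return [SeenDevice(mac, host, owner) for mac, host, owner in _records(lines)]


def parse_scan(lines):
    """Endpoint-side view: {hostname: status} from the AV/EDR console export."""
    return {host: status for host, status in _records(lines)}


def reconcile(seen, scanned):
    """Split the network inventory into scanned-clean devices and coverage gaps.

    A gap is any device seen on the network without a 'clean' scan result:
    either the scanner never reached it (absent from the report) or the scan
    did not complete. BYOD gaps are the visibility problem the notes describe;
    corporate gaps point at a failure in the Org's own process.
    """
    byod_gaps, corporate_gaps, clean = [], [], []
    for dev in seen:
        if scanned.get(dev.hostname) == "clean":
            clean.append(dev.hostname)
        elif dev.owner == "byod":
            byod_gaps.append(dev.hostname)
        else:
            corporate_gaps.append(dev.hostname)
    # Hosts in the scan report that the network never saw: stale or renamed
    # machines, worth reconciling as well.
    unknown_to_network = sorted(set(scanned) - {d.hostname for d in seen})
    return {
        "byod_gaps": sorted(byod_gaps),
        "corporate_gaps": sorted(corporate_gaps),
        "coverage": round(len(clean) / len(seen), 3) if seen else 0.0,
        "unknown_to_network": unknown_to_network,
    }


# Constructed sample exports.
INVENTORY = """
# mac,hostname,owner
aa:bb:cc:00:00:01,FIN-LT-017,corporate
aa:bb:cc:00:00:02,HR-DT-003,corporate
aa:bb:cc:00:00:03,ravis-iphone,byod
aa:bb:cc:00:00:04,Priyas-MacBook,byod
aa:bb:cc:00:00:05,fin-lt-021,corporate
aa:bb:cc:00:00:06,OPS-LT-040,corporate
"""
SCAN_REPORT = """
# hostname,status
FIN-LT-017,clean
HR-DT-003,clean
Priyas-MacBook,failed
fin-lt-021,clean
OLD-LT-002,clean
"""

if __name__ == "__main__":
    result = reconcile(parse_inventory(INVENTORY.splitlines()),
                       parse_scan(SCAN_REPORT.splitlines()))
    for key, value in result.items():
        print(f"{key}: {value}")
```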

19. WEB 3.0

Introduction
➢ Web 1.0 → Initial days of Google / prior to Google. Static pages that could be read. No write, no sharing.
➢ Web 2.0 → Dynamic pages + read & write (users can upload photos, comment on others' photos). Resulted in social media networks b/w people & people.
➢ Web 3.0 → Web 2.0 + devices & websites are able to generate, store & share data with other compatible devices w/o human intervention.

Web 3.0
▪ It is known as the semantic web. (Semantics: the study of how language is used to produce meaning.)
▪ Refers to websites wherein raw data is generated by computers/devices (TV, AC, etc.) & shared with other devices without direct human intervention.
▪ It is the next step in the evolution of the Internet & web tech. It uses
  a) Semantic web tech
  b) AI
  c) User behaviour
  d) Widgets/Apps
  e) User engagement depending on the interest of users.
▪ Example: Content management systems along with artificial intelligence can answer questions posed by the users, because the application can think on its own & find the most probable answer, as per context. In this way, Web 3.0 can also be described as a "machine to user" standard in the internet.

19.1. COMPONENTS OF WEB 3.0

a) Semantic web
   ▪ It allows machines to interpret data/info so that machines are able to take decisions on their own by finding and acting upon relevant data on the web.
   ▪ It provides a common framework to web users that can be used to share & access data across websites.
b) Web Services/Apps
   ▪ Software system that supports computer to computer interaction over the internet.

19.2. FUTURE OF WEB TECHNOLOGIES

▪ Web 4.0, called "Intelligent Web", is autonomous, proactive, content-exploring, self-learning, collaborative, and content-generating agents based on fully matured semantic & Artificial Intelligence. Examples: services interacting with sensors or virtual reality services.
▪ Web 5.0, "The Telepathic Web / The Symbionet Web", is set to be a highly complex future web generation, to be present after the year 2030, in which some things such as brain implants are expected to be popular.
▪ Brain implants will give people the ability to communicate with the internet through thought, to think of a question and open up a web page.
▪ Any sort of payments, such as groceries, will be paid for with a microchip in the brain or the hand, and all devices will be connected to the internet.


20. INTERNET OF THINGS (IOT)

▪ IoT is a system of
  ➢ interrelated computing devices, mechanical & digital machines, animals or people with the capability to
  ➢ transfer data over the internet
  ➢ without human-to-human or human-to-machine interaction.
▪ Embedded with electronics, Internet connectivity, and other forms of hardware (like sensors), these devices can communicate & interact with others over the Internet, and can be remotely monitored and controlled.
▪ E.g. Washing machines with wi-fi capability can connect themselves to the home wi-fi & once connected, can be controlled through the manufacturer's app from anywhere.

20.1. APPLICATIONS OF IOT

a) All home appliances to be connected, creating a virtual home. Home owners can keep track of all activities in the house through their hand-held devices, including home security through CCTV.
b) Office machines shall be connected through the net. HR managers can see how many people had a cup of coffee from the vending machine & how many are present. How many printouts are being generated through the office printer?
c) Governments can keep track of resource utilization / extra support needed. Under the SWACHH mission the government can tag all dustbins with IoT sensors. They (dustbins) generate a message once they are full.
d) Smart Wearables
e) Connected Cars
f) Smart Supply Chain

20.2. RISKS OF IOT

a) Risk to Product Manufacturer
   i) Data storage & analysis must be secured & protected.
   ii) Manufacturer providing IoT will not be able to survive in future.
b) Technology Risk: Greatest threat. Since devices are connected to the N/w, they will be hit by all N/w related risks like
   ▪ Hacker
   ▪ Bomb
   ▪ Trojan etc.
c) Risk to User Privacy, Security, Autonomy & Control: Risk of loss of control over personal life as personal data may be leaked. The other major concern is who has ownership of this personal data.
d) Intentional Obsolescence: On launching a new device, features of the old device may be disabled or slowed down. Where one manufacturer buys another, it may not support the old devices sold.
e) Lack of technology standards: Due to the lack of technology standards & the variety of H/w & S/w used in different devices, it is difficult to develop Apps.
f) Environmental Risk: May have an impact on house air quality due to the use of heavy metals in devices.


21. ARTIFICIAL INTELLIGENCE (AI)

▪ Intelligence means the ability to use memory, knowledge & experience to solve a problem.
▪ Intelligence exhibited/displayed by a machine is called AI.

Applications
➢ Autonomous vehicles (self-driving cars)
➢ Creating art, poetry
➢ Playing online games like chess
➢ Online Assistants (SIRI, ALEXA)
➢ Medical diagnosis, in cancer research
➢ Robotics

Risks
a) AI relies on the data it gets. Thus, incorrect input will give incorrect conclusions.
b) AI (robots) carries a security threat. Countries are discussing having a kill switch in AI-capable devices.
c) In the long term, AI may kill people's skill of thinking the unthinkable. AI can't think out of the box.

22. MACHINE LEARNING (ML)

▪ Application of AI that enables computers to learn automatically without being explicitly programmed.
▪ Science and art of programming computers so that they can learn from data & can change when exposed to new data.
▪ Machine learning can be used for solving problems that either are too complex for traditional approaches or have no known algorithm, such as speech recognition.
▪ Applications & risks are similar to AI.

CHAPTER 5

CORE BANKING SYSTEMS

1. OVERVIEW OF BANKING SERVICES

1.1. INTRODUCTION

Key factors/reasons that enabled Banks to compete at world level & provide basic banking services to citizens of India staying in the remotest areas of India are as follows:
a) Rapid development & adoption of IT by Banks, which facilitates anytime & anywhere access.
b) Global business opportunities leading to Indian opportunities & customers' demand for integrated services.
c) Growth of Internet penetration across India.
d) Successive Governments' focus on financial inclusion for all Indians. E.g. Jan Dhan Yojana.

1.2. CHARACTERISTICS / KEY FEATURES OF BANKING BUSINESS

a) Custody of a large volume of monetary items like cash & negotiable instruments.
b) Dealer in a large volume (in number, value and variety) of transactions.
c) Operating through a wide network of branches & departments, which are geographically dispersed.
d) Increased possibility of fraud, making it mandatory for Banks to provide multi-point authentication checks & a high level of information security.

1.3. FUNCTIONS OF BANK / MAJOR PRODUCTS & SERVICES OF BANKS / TYPES OF BANKING SERVICES

Core functions:
➢ Acceptance of deposit [Pay Interest]
➢ Lending of money [Earn Interest]

1. Acceptance of Deposits
▪ Most important function of a commercial bank, which fuels the growth of banking operations.
▪ Banks accept deposits from customers for a pre-defined period.
▪ Various forms of acceptance of deposit are Fixed deposit, Current A/c deposit, Saving deposit, Recurring deposit, Flexi deposit etc.

2. Granting of Advance / Lending of money
▪ It constitutes the major source of earning of commercial banks.
▪ Various forms - Cash credit, Loans, Overdraft, Discounting of Bills etc.
▪ Bank helps in disbursement of loans under various social welfare schemes like Kisan credit card, Mudra Yojana etc.

3. Remittances
▪ Involves transfer of funds from one account to another account.
▪ Common modes:
  a) Demand draft – It is issued by one branch of a Bank and is payable by another branch of the Bank. The demand draft is handed over to the Applicant.
  b) Mail Transfer – It is a way of remitting money from one place to another through a Bank. The Bank does not hand over any instrument to the Applicant, and transmission of the instrument is the responsibility of the branch.
  c) Electronic Fund Transfer – EFT facilitates almost instantaneous transfer of funds between two centers electronically. Types of EFTs are as follows:
     ➢ RTGS (Real Time Gross Settlement): Type of EFT where the transmission takes place on a real-time basis. In India, it is done for high value transactions. Min value – 2L.
     ➢ NEFT (National Electronic Fund Transfer): Type of EFT that facilitates transfer of funds from any bank branch to any individual having an account with any other bank branch in the country. Comparatively slower. No minimum value.
     ➢ IMPS (Immediate Payment System): It is instant inter-bank EFT done through mobile or internet banking. Unlike the other two, it is available 24x7, including on bank holidays.

4. Collection
▪ Involves collecting proceeds on behalf of customers by the collecting bank.
▪ Customers can submit instruments like cheques, drafts etc. which are drawn in their favour, with their Bank, for collection of the amount from the drawee bank.
▪ For these services, Banks charge nominal collection fees.

5. Clearing
▪ Involves collecting instruments on behalf of customers of the Bank by the clearing house.
▪ Clearing house settles inter-Bank transactions among banks & Post Offices.
▪ There may be separate clearing houses for MICR [Magnetic Ink Character Recognition] & non-MICR instruments.
▪ MICR is a technology that allows machines to read & process cheques, enabling thousands of cheque transactions in a short time.
▪ Electronic Clearing Services (ECS) is used extensively for bulk clearing; it is an electronic method of fund transfer from one bank account to another. It takes two forms:
  ➢ ECS Credit: In this, a number of beneficiary accounts are credited by debiting periodically a single account of the bank. Examples: payment of amounts towards dividend distribution, interest, salary, pension, etc.
  ➢ ECS Debit: In this, a large number of accounts with the Bank are debited for credit to a single account. Examples: tax collections, loan instalment repayment, investments in mutual funds etc.

6. Letter of Credit & Guarantee
▪ Letter of Credit: It is an undertaking by the Bank to the payee (supplier of goods & services)
  ➢ to pay him on behalf of the buyer
  ➢ any amount up to the limit specified in the L.C.
  ➢ provided T&C are satisfied.
▪ Guarantee: It is provided by the Bank, on request of a customer of the Bank (supplier), to
  ➢ the buyer of goods/services
  ➢ to guarantee performance of a contractual obligation, or
  ➢ for submission to Govt. authorities like customs in lieu of the stipulated security deposit.

7. Credit Card
▪ Processing of applications for credit cards is entrusted to a separate division at the central office of the Bank.
▪ It is linked to one of the international credit card networks like VISA, Master, Amex or India's own RuPay, which currently issues debit cards but credit cards are also expected to be launched in the near future.

8. Debit Card
▪ Issued by the central office of the Bank where customers have their account.
▪ It facilitates withdrawal of money from ATMs as well as payment at authorized outlets. When a debit card is used for a transaction, the amount is immediately deducted from the customer's account.

9. Other Banking Operations
  a) Back operations: Covers all operations done by the back office. Related to
     - General ledger
     - MIS
     - Technology
     - Reporting
     - Compliance etc.
  b) Retail Banking: Known as front office operations that provide direct services to customers for personal use. E.g. debit cards, personal loans, mortgages etc.
  c) High Net Worth Individuals (HNIs): Specialized services to HNIs based on value/volume of deposits/transactions.
  d) Specialized Services: It is done at strategic, tactical & operational areas of the Bank.
  e) Risk management: Underwriting - the process of assessing the credit worthiness or risk of a potential borrower & his ability to repay the loan. Critical process while determining grant of a loan to a customer.
  f) Life insurance.

2. CORE BANKING SYSTEM / SOLUTION

2.1. INTRODUCTION TO CBS

C - Centralised
O - Online
R - Real Time
E - Exchange/Environment

CBS is a common IT solution where a central shared database supports the entire banking application & functions. It allows customers to use various banking facilities irrespective of bank branch location.

2.2. CHARACTERISTICS OF CBS

a) Common database in a central server located at the Data Center.
b) Centralized banking App s/w having several components to meet the demands of the banking industry.
c) Supported by advanced technology infrastructure.
d) Modular structure; can be implemented in stages as per the requirements of Banks.
e) Enables integration of all third-party apps [BHIM] & in-house banking s/w.
f) Branches function as delivery channels providing services to their customers.

2.3. EXAMPLES OF CBS

Finacle, BaNCS, Flexcube, FinnOne, bankMate

2.4. KEY MODULES OF CBS

Core of CBS: Central Server comprising of App Server & Database Server.
Back End Applications: Back Office, Data Warehouse, Credit Card System, ATM Switch.
Front End Applications: Mobile Banking, Internet Banking, Phone Banking, Branch Banking.

1. Back Office
▪ Part of the Bank comprising Administration and Support Personnel who are not client facing.
▪ Back-office functions include settlement, record maintenance, regulatory compliance, Accounts & IT.
2. Data warehouse
▪ Banking professionals use data warehouses to simplify and standardize the way they gather data and finally get to one clear version of the truth.
3. Credit Card system
▪ It provides services of
  ➢ Customer Management
  ➢ Credit Card Management
  ➢ Customer Information Management
  ➢ Online transaction authorization
  ➢ Support for Payment Applications
4. ATM
▪ It is an electronic banking outlet that allows customers to do basic banking transactions without the help of any branch official.
▪ A debit card or credit card is needed to access an ATM.
▪ Enables customers to perform
  ➢ quick self-service online transactions like deposit, withdrawal etc.
  ➢ to more complex transactions like bill payments.
5. Mobile Banking and Internet Banking
▪ Internet Banking
▪ Mobile Banking
▪ Phone Banking
6. Branch Banking
▪ Due to CBS, front-end & back-end processes within a bank have been automated, resulting in seamless workflow. The Branch confines itself to the following key functions:
  a) Creating manual documents capturing data required for input into the s/w.
  b) Initiating Beginning of Day (BOD) operations
  c) End of Day (EOD) operations
  d) Reviewing reports for control and error correction.
  e) Internal Authorization.

2.5. CORE FEATURES OF CBS (OTHER THAN BANKING SERVICES)

In addition to the basic banking services that a Bank provides through use of CBS, the technology enables Banks to add the following features to their service delivery:
i) Online real-time processing
ii) Transactions are posted immediately
iii) All databases updated simultaneously
iv) Centralized operations [all data stored in one common database]
v) Anytime, anywhere access to customers and vendors
vi) Banking access through multiple channels like mobile, web etc.
vii) Remote interaction with customers
viii) Automatic processing of standing instructions like auto deduction of credit balance on a specific date.
ix) Centralized Internet application for all accounts
x) Business and Services are productized.

3. COMPONENTS & ARCHITECTURE OF CBS

3.1. TECHNOLOGY COMPONENTS OF CBS

a) Data centre / Data recovery centre: Includes various App servers, DB servers, web servers etc. and various other technological components. Proper awareness should be created among the employees through periodic trainings and mock drills for disaster recovery procedures.
b) Application Environment: Consists of App servers that host different CBS like Flexcube, bankMate etc. and is centrally used by different Banks. Access to these application servers will generally be routed through a firewall.
c) Database Environment: Consists of centrally located database servers that store the data for all branches of the Bank. Data may include customer master data, interest rates, account types etc. It is updated by the App servers.
d) Connectivity to Corporate N/w & Internet: There should be adequate bandwidth to deal with the volume of transactions, so as to prevent slowing down and the resulting lower efficiency.
e) Enterprise Security Architecture & Solution: To ensure security, proxy servers, firewalls and intrusion detection systems are used to protect the network from any malicious attacks and to detect any unauthorized network entries. Periodic log assessment and testing are carried out to assess vulnerability & identify weaknesses.
f) Online transaction monitoring: Effective monitoring should be done as part of managing fraud risk. A proper alert system should be enabled to identify any changes in the settings.

3.2. KEY ASPECTS BUILT WITHIN ARCHITECTURE OF CBS

1. Information flows This facilitates Information flow within Bank and increases speed and
accuracy of decision-making.
2. Customer Centric This enables Bank to target customers with right offers at right time to
increase profitability.
3. Regulatory Compliance This has built-in and regularly updated regulatory platform which ensures
complex compliance by Banks. Eg:- maintain required % of CRR, SLR
4. Resource optimization This optimizes resource utilisation through improved assets sharing, reusability,
faster processing and increased accuracy.

3.3. CBS IT ENVIRONMENT

CBS is a Technology Environment based on Client-Server Architecture, having a
➢ Remote Server (called Data Centre) and
➢ Clients, i.e. branches (called Service Outlets), which are connected through channel servers.
The server is a sophisticated computer that accepts service requests from different machines called
Clients. The requests are processed by the server and sent back to the clients.


Constituents / Types of servers used in deploying CBS are as follows:

a) Application Server
   ▪ It performs necessary operations & updates the A/c of a customer in DB server.
   ▪ Whatever transaction a customer does at any Branch of Bank, it is updated at centralized database by App server.
b) Database Server
   ▪ It contains data of entire Bank like account of customers and master data like customer data, employee data, rates for loan, etc. It is accessed by App server.
c) Automated Teller Machine Channel Server (ATMCS)
   ▪ It contains details of ATM A/c holders. When central DB is busy due to central end of day activity or due to any other reason, file containing A/c balance of customers is sent to ATM switch (file is called positive balance file).
   ▪ This ensures continuity of ATM operations.
   ▪ ATM PIN numbers of ATM account holders are not stored in ATMCS but in IBCS.
d) Internet Banking Channel Server (IBCS)
   ▪ It stores username & password of all internet Banking customers and the branch to which the customer belongs. Such information is not stored in ATM servers.
e) Internet Banking App Server
   ▪ It stores Internet Banking software which authenticates customer with login details stored in IBCS.
f) Web Server
   ▪ It hosts website and all internet related S/w. All online requests on website are serviced through web server.
   ▪ It is a program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form Web pages to users, in response to their requests.


g) Proxy Server
   ▪ It's a computer that offers indirect n/w connection to other network servers.
   ▪ Client connects to proxy server and then requests a connection or file or resource available on a different bank server.
h) Anti-virus Software Server
   ▪ It is used to host Anti-virus software. It is installed for ensuring that all s/w being deployed on CBS are first scanned to ensure that they are safe from virus/malware.
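The positive balance file mechanism from item c) above, as an added illustration that is not the page's or any vendor's code: a toy ATM switch that authorises against the central database when it is available and falls back to the PBF snapshot while end-of-day processing runs. Queuing offline withdrawals for later posting, and all account numbers and balances, are assumptions.

```python
"""Added example (not the page's or any vendor's code): a toy ATM switch that
uses a Positive Balance File (PBF) while the central database is busy with
end-of-day processing. Queuing of offline withdrawals and the PBF layout
are assumptions; balances are constructed sample values."""
from dataclasses import dataclass, field


@dataclass
class CentralDB:
    balances: dict
    busy: bool = False            # True while central end-of-day activity runs

    def export_pbf(self):
        """Snapshot of account balances sent to the ATM switch before EOD."""
        return dict(self.balances)

    def post(self, account, amount):
        self.balances[account] -= amount


@dataclass
class ATMSwitch:
    db: CentralDB
    pbf: dict = field(default_factory=dict)      # account -> balance snapshot
    pending: list = field(default_factory=list)  # withdrawals authorised offline

    def load_pbf(self):
        self.pbf = self.db.export_pbf()

    def withdraw(self, account, amount):
        """Authorise against the central DB when available, else against the PBF.
        Returns (authorised, source) where source tells which balance was used."""
        if not self.db.busy:
            if self.db.balances.get(account, 0) >= amount:
                self.db.post(account, amount)
                return True, "central"
            return False, "central"
        # Central DB busy: continuity via PBF. The PBF copy is decremented so
        # the same funds cannot be drawn twice while offline (assumption).
        if self.pbf.get(account, 0) >= amount:
            self.pbf[account] -= amount
            self.pending.append((account, amount))
            return True, "pbf"
        return False, "pbf"

    def sync(self):
        """Once the central DB is accessible again, post the queued withdrawals."""
        if self.db.busy:
            return 0
        posted = 0
        while self.pending:
            account, amount = self.pending.pop(0)
            self.db.post(account, amount)
            posted += 1
        return posted


def run_demo():
    """Constructed scenario: EOD starts, ATM withdrawals are served from the
    PBF, then the central DB is reconciled. Returns the outcomes."""
    db = CentralDB(balances={"1001": 5000, "1002": 800})
    switch = ATMSwitch(db)
    switch.load_pbf()                    # PBF sent to the switch before EOD
    db.busy = True                       # central end-of-day activity starts
    r1 = switch.withdraw("1001", 3000)   # served from PBF
    r2 = switch.withdraw("1001", 3000)   # PBF copy now 2000: declined
    r3 = switch.withdraw("1002", 500)    # served from PBF
    db.busy = False                      # central DB accessible again
    posted = switch.sync()
    return {"r1": r1, "r2": r2, "r3": r3, "posted": posted,
            "balances": dict(db.balances)}
```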

3.4. FUNCTIONAL ARCHITECTURE OF CBS

CBS is the ERP software of a Bank. It covers all aspects of Banking operations from
➢ Micro to macro operations and covers all Banking services ranging from
➢ Back office to front office operations
➢ Transactions at counter to online transactions &
➢ G.L. to reporting.
However, it is modular in nature & it is implemented for all functions or core functions as decided by
management.
Implementation depends on need and criticality of the specific Banking service provided by the Bank.
Example: If FOREX transactions of the Bank are minimal, related functions may not be implemented.

3.5. IMPLEMENTATION OF CBS

Deployment and Implementation of CBS should be controlled at various stages to ensure that Bank's
automation objectives are achieved.
1. Planning - Planning for implementation of CBS should be done as per Bank's strategic and business objectives.
2. Approval - Since high investment and recurring costs are involved, decision must be approved by B.O.D.
3. Selection - There are multiple vendors of CBS; each solution has key differentiators. Bank should select the right one as per their objective & requirements.
4. Design & Develop or Procure - Earlier CBS was developed in-house by Banks. Currently, it is mostly procured. There should be control over design and development or procurement of CBS.
5. Testing - Extensive testing must be done before CBS goes live. Testing is done at various phases:
   - at procurement stage (to test suitability)
   - at data migration (to ensure all existing data is migrated)
   - at testing of processing of different types of Transactions of all modules (to ensure correct results are produced)
6. Implementation - Must be implemented as per pre-defined & agreed plan in a time bound manner.
7. Maintenance - CBS needs to be properly maintained. E.g. fixing program bugs.
8. Support - To ensure it is working effectively.
9. Updation - CBS must be updated based on changing requirements of business, technology & regulatory compliances.

10. Audit - Should be done internally & externally to ensure controls are working as expected.

4. CBS RISKS, SECURITY POLICY & CONTROLS

4.1. RISKS ASSOCIATED WITH CBS

1. Operational Risk - Refers to risk arising from direct or indirect loss to Bank due to inadequate or failed
➢ Internal Process, People & System.
Operational risk necessarily excludes business risk and strategic risk.
The components of operational risk include:
a) Transaction Processing Risk - Arises because of faulty reporting of important market developments to Bank management. May also occur due to errors in entry of data for processing.
b) Information Security Risk - Refers to risk arising due to use of info. systems & the environment in which these systems operate.
c) Legal Risk - Refers to risk arising because of
   ➢ treatment of clients,
   ➢ sale of products, or
   ➢ business practices of a Bank.
d) Compliance Risk - Refers to exposure to legal penalties & loss an organization can face when it fails to act as per industry laws and regulations.
e) People Risk - Refers to risk arising from
   ➢ lack of trained key personnel,
   ➢ tampering of records and
   ➢ nexus between front and back-end offices.
2. Credit Risk Refers to risk of an Asset/Loan becoming irrecoverable due to outright default or Risk
of unexpected delay in servicing of loan.
A form of counter party risk since Bank and borrower usually sign a loan contract.
3. Market Risk Refers to risk of losses in Bank’s trading book due to changes in
➢ equity price; commodity price; Interest rate; foreign currency rate etc.
To manage this risk, Bank deploys highly sophisticated mathematical & statistical
techniques.
4. Strategic Risk/ Refers to risk that earnings will decline due to change in business environment. E.g.
Business Risk New competitor, change in demand of customer etc.
5. IT Related Risk Some of the common IT risks related to CBS are as follows:
a) Ownership of Data is stored in data center. Bank must establish clear ownership of data so that
Data / Process accountability can be fixed and unwanted changes to the data can be prevented.
b) Authorization It ensures only authorized person can enter data in CBS. If authorization process is
process not robust, unauthorized person can access customer Info. & other sensitive data.
c) Authentication Username, password, PIN, OTP are commonly used for authentication process.
process
d) Several S/w A Data center may have as many as 100 different interfaces & App software.
Interface across It requires adequate Infra. like uninterrupted power supply, backup generator etc.
diverse N/w
e) Maintaining Maintaining optimum response time & uptime can be challenging.
response time


f) Access Control Since Bank is subjected to all types of attack, designing access control is a
challenging task.
g) Change It reduces risk that new system is rejected by users. However, it requires changes at
management App level & data level of DB - Master files, transaction files and reporting software.

4.2. SECURITY POLICY

Large organizations like Financial Institutions and Banks need to have a laid down framework for security with
proper organization structure and defined roles and responsibilities within the organization.
Since Banks deal in third party money and need to create a framework of security for their systems, this
framework needs to be of global standards to create trust in customers in and outside India.
Information security → Refers to ensuring CIA of Information. It is critical to mitigate the risks of
Information Technologies.
RBI has suggested use of ISO 27001:2013 to implement information security. RBI has also advised Banks to obtain
ISO 27001 certification for data centers.
Information security comprises following sub-processes:
a) Info Security Policies, Refers to processes related to approval & implementation of Info security.
Procedures & I.S. policy is the basis for developing detailed procedures & practices for I.S.
Practices security & implementing it.
b) User Security Refers to the security of various users of I.S. It defines how users are created and
Administration Access is granted or disabled as per Organization structure & Access matrix.
c) Application Security Refers to how security is implemented at various aspects of Application. E.g. Event
Logging
d) Database security Refers to how security is implemented at various aspects of database. E.g. RBAC
e) Operating system Refers to how security is implemented at various aspects of OS.
security
f) Network security Refers to how security is implemented at various aspects of network & connectivity
to the servers. E.g. Use of VPN for employees, implementation of firewalls etc.
g) Physical Security Refers to how security is implemented for physical access. For example - Disabling
the USB ports.

Risk & Control w.r.t. Information Security


Risk / Control
a) Risk: Lack of Management Direction & Commitment to protect Information Assets.
   Control: Security policies are established and management has to monitor compliance with policies.
b) Risk: User accountability is not established.
   Control: All users are required to have a unique user ID.
c) Risk: Potential loss of CIA of data/Info.
   Control: Appropriate physical access controls should be implemented. Vendor default passwords for OS, DB, N/w etc. should be changed by the user on receiving the software.
d) Risk: It is easier for unauthorized users to guess the password of an authentic user.
   Control: Password should be complex & changed frequently.
e) Risk: Security breach may go undetected.
   Control: Access to sensitive data is logged and the log should be reviewed regularly by management.
f) Risk: Inadequate preventive measures for servers and IT systems in case of environmental threats like flood, fire etc.
   Control: Adequate environmental controls should be implemented like fire alarm, disaster recovery plan, back up etc.

4.3. INTERNAL CONTROL SYSTEM IN BANKS

I.C. helps mitigate the risk and must be integrated in IT solution implemented at Bank’s Branches.
Objectives of I.C. a) Ensuring Accuracy and completeness of A/c record
in Bank b) Timely preparation of reliable F.S.
c) Orderly & efficient conduct of business
d) Compliance with regulatory requirements
e) Safeguard of Assets through prevention & detection of fraud.
f) Adherence to management policy.

Examples of I.C. i) Maker Checker process - Work of one staff is checked by another worker irrespective
of nature of work.
ii) System of job rotation among staff exists.
iii) Financial and Administrative powers of each Employee is fixed & communicated.
iv) All books are to be regularly balanced and confirmed by authorized official.
v) Fraud prone items like currency, valuables etc should be in custody of 2 or more
officials of Bank.
vi) Details of lost security forms are immediately sent to controlling authority.

4.4. IT CONTROLS IN BANK

IT risks are mitigated by implementing right type & level of IT controls in automated environment.
It is done by integrating controls into Info Tech/CBS.
Examples:
a) System maintains records of all log-ins and log-outs.
b) Transaction is allowed to be posted in Dormant A/c only with supervisory password.
c) System checks whether the amount to be withdrawn is within the drawing power.
d) Access to system is available only b/w stipulated hours & specified days only.
e) User Timeout is prescribed [auto log out in case system is inactive]
f) User should be given access on “Need to know basis”
g) Once end of day operations are over, ledger can’t be opened w/o supervisory password.
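The IT controls listed above together with the maker-checker rule from the Internal Control section, as an added example that is not the page's or any bank's code: a toy posting gate that checks each control before a debit is posted. The access window, the timeout value, the "drawing power = balance + OD limit" rule and all account and user names are assumptions; the supervisory password is modelled as a boolean flag.

```python
"""Added example (not the page's or any bank's code): a toy posting gate that
enforces the IT controls listed above and the maker-checker rule from the
Internal Control section. Names, the access window, the timeout and the
drawing-power rule are assumptions; the supervisory password is a flag."""
from dataclasses import dataclass
from datetime import datetime, timedelta

BUSINESS_DAYS = {0, 1, 2, 3, 4}          # Mon-Fri (assumed stipulated days)
ACCESS_HOURS = (9, 18)                   # 09:00-18:00 (assumed stipulated hours)
IDLE_TIMEOUT = timedelta(minutes=10)     # control e): user timeout


@dataclass
class Account:
    number: str
    balance: float
    od_limit: float = 0.0     # drawing power = balance + sanctioned OD limit (assumption)
    dormant: bool = False


@dataclass
class Session:
    user: str
    last_activity: datetime


@dataclass
class Posting:
    account: str
    amount: float             # withdrawal / debit amount
    maker: str
    checker: str              # authoriser; SOD requires checker != maker
    supervisor_ok: bool = False   # stands in for the supervisory password


class PostingGate:
    def __init__(self, accounts, now):
        self.accounts = {a.number: a for a in accounts}
        self.now = now
        self.audit_log = []       # control a): every log-in, log-out and posting
        self.eod_done = False     # control g): ledger locked after end of day

    def login(self, user):
        self.audit_log.append(("login", user, self.now))
        return Session(user, self.now)

    def logout(self, session):
        self.audit_log.append(("logout", session.user, self.now))

    def post(self, session, p):
        """Apply each control in turn; return (accepted, reason)."""
        if self.now - session.last_activity > IDLE_TIMEOUT:
            self.logout(session)                                  # control e)
            return False, "session timed out"
        if self.now.weekday() not in BUSINESS_DAYS or not (
                ACCESS_HOURS[0] <= self.now.hour < ACCESS_HOURS[1]):
            return False, "outside stipulated hours/days"         # control d)
        if self.eod_done and not p.supervisor_ok:
            return False, "ledger closed after end of day"        # control g)
        if p.maker == p.checker:
            return False, "maker and checker must differ"         # maker-checker / SOD
        acct = self.accounts.get(p.account)
        if acct is None:
            return False, "unknown account"
        if acct.dormant and not p.supervisor_ok:
            return False, "dormant account needs supervisory password"   # control b)
        if p.amount > acct.balance + acct.od_limit:
            return False, "exceeds drawing power"                 # control c)
        acct.balance -= p.amount
        session.last_activity = self.now
        self.audit_log.append(("post", session.user, p.account, p.amount))
        return True, "posted"


def run_demo():
    """Constructed scenario exercising every control once; returns the outcomes."""
    now = datetime(2024, 3, 5, 11, 0)           # a Tuesday, inside the window
    gate = PostingGate([Account("A1", 1000.0, 500.0),
                        Account("D1", 900.0, dormant=True)], now)
    s = gate.login("clerk1")
    out = {}
    out["ok"] = gate.post(s, Posting("A1", 1200.0, "clerk1", "sup1"))      # 1000+500 >= 1200
    out["sod"] = gate.post(s, Posting("A1", 10.0, "clerk1", "clerk1"))
    out["dormant"] = gate.post(s, Posting("D1", 100.0, "clerk1", "sup1"))
    out["dormant_sup"] = gate.post(s, Posting("D1", 100.0, "clerk1", "sup1", supervisor_ok=True))
    out["power"] = gate.post(s, Posting("A1", 400.0, "clerk1", "sup1"))    # -200+500 < 400
    gate.eod_done = True
    out["eod"] = gate.post(s, Posting("A1", 10.0, "clerk1", "sup1"))
    gate.eod_done = False
    gate.now = now + timedelta(minutes=11)                                   # idle > 10 min
    out["timeout"] = gate.post(s, Posting("A1", 10.0, "clerk1", "sup1"))
    gate.now = now + timedelta(hours=9)                                      # 20:00, fresh login
    s2 = gate.login("clerk1")
    out["hours"] = gate.post(s2, Posting("A1", 10.0, "clerk1", "sup1"))
    out["audit"] = [e[0] for e in gate.audit_log]
    return out
```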

4.5. APPLICATION S/W - CONFIGURATION, MASTERS, TRANSACTIONS AND REPORTS

There are 4 Gateways through which an Enterprise can control, access & use the various menus and
functions of Software. Examples of each are given below:

1. Configuration
   a) User Activation & Deactivation Process
   b) User access & privileges management
   c) Password management
2. Master
   a) Customers master data – Type, name, Address, PAN
   b) Employees Master Data – Employee name, ID, Date of joining, designation, salary etc.
   c) Tax Master Data – Tax rates, slab, TDS rate etc.
3. Transaction
   a) Deposit Transaction – opening of A/c, withdrawal, Interest computation etc.
   b) Loan & Advance Transaction
   c) General Ledger – Entry of expenses, Interest, charges etc.
4. Reports
   Generated periodically or on demand by users at different levels.
   - Standard
   - Ad-hoc
   CBS has extensive reporting features like:
   a) Summary of Daily Transactions
   b) Daily general ledger
   c) MIS report for each product/service
   d) Report of exceptions
   e) Activity logging and review.

Risk & Control w.r.t. Application Controls


Risk / Control
a) Risk: Inaccurate calculation of Interest.
   Control: Interest is auto calculated as per defined rules.
b) Risk: Inaccurate assignment of rate codes.
   Control: The interest rate code is defaulted at the account level.
c) Risk: Charges not levied resulting in loss of revenue, or inappropriate charges levied resulting in customer disputes.
   Control: The charges applicable for various transactions as per account types are properly configured as per bank rules. The charges are in compliance with RBI & bank's policies.
d) Risk: Inappropriate reversal of charges resulting in loss of revenue.
   Control: System does not permit reversal of the charges in excess of the original amount charged.
e) Risk: Incorrect classification of NPA resulting in financial misstatement.
   Control: Configuration/customization exists in the application to perform the NPA classification as per relevant RBI guidelines.
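Controls b), c), d) and e) from the table above, as an added example that is not the page's or any bank's code: the rate code is defaulted from the product, charges come only from a configured table, a reversal can never exceed the original charge, and asset classification is driven by a configured overdue threshold. Charge amounts, rate codes and account types are constructed; the 90-day overdue test is the commonly cited RBI norm and should be checked against the current RBI guidelines.

```python
"""Added example (not the page's or any bank's code): application controls
(b) rate code defaulting, (c) configured charges, (d) reversal cap and
(e) configuration-driven NPA classification. Charge amounts, rate codes
and account types are constructed; the 90-day threshold is the commonly
cited RBI norm, to be verified against current RBI guidelines."""
from collections import defaultdict

# Charges configured per account type as per (assumed) bank rules; control (c):
# the amount comes from this table, never from a user-typed value.
CHARGE_RULES = {
    "savings": {"cheque_book": 50.0, "atm_excess": 20.0},
    "current": {"cheque_book": 0.0, "atm_excess": 0.0},
}
# Control (b): rate code defaulted at the account level from the product.
DEFAULT_RATE_CODE = {"savings": "SB_STD", "current": "CA_NIL"}
RATE_TABLE = {"SB_STD": 0.035, "SB_SENIOR": 0.040, "CA_NIL": 0.0}


def open_account(account_type, rate_code=None):
    """Return the account record with its rate code defaulted if not supplied."""
    code = rate_code or DEFAULT_RATE_CODE[account_type]
    if code not in RATE_TABLE:
        raise ValueError(f"unknown rate code {code}")
    return {"type": account_type, "rate_code": code, "rate": RATE_TABLE[code]}


class ChargeLedger:
    """Tracks levied charges and enforces control (d) on reversals."""

    def __init__(self):
        self.original = {}                       # charge_id -> amount levied
        self.reversed_total = defaultdict(float)  # charge_id -> amount reversed so far

    def levy(self, charge_id, account_type, charge_code):
        amount = CHARGE_RULES[account_type][charge_code]   # KeyError = not configured
        self.original[charge_id] = amount
        return amount

    def reverse(self, charge_id, amount):
        """Reject any reversal that would take the total above the original charge."""
        if charge_id not in self.original or amount <= 0:
            return False
        if self.reversed_total[charge_id] + amount > self.original[charge_id] + 1e-9:
            return False
        self.reversed_total[charge_id] += amount
        return True


def classify_asset(days_overdue, npa_days=90):
    """Control (e): classification driven by configuration, not manual choice.
    An asset is NPA once interest/installment stays overdue beyond npa_days."""
    return "NPA" if days_overdue > npa_days else "Standard"
```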

5. CORE BUSINESS PROCESSES – RELEVANT RISKS & CONTROLS

The following core business processes are covered, each with its Process and (where given) its Risk & Control:
a) CASA
b) Credit Card
c) Mortgage Loan
d) Loan & Trade finance
e) Treasury process
f) E-commerce Transaction
g) Internet Banking

5.1. CURRENT ACCOUNT SAVING ACCOUNT [CASA]

Business Process Flow


Risks & Controls w.r.t. CASA


Risk Control
1. Credit limit is set up in CBS by unauthorized Access right to authorize credit limit should be
person. restricted to authorised personnel only.
2. Credit line set up in CBS is not in line with Credit committee checks financial ratio, net worth and
Bank’s policy ensure credit limit is as per policy of Bank.
3. Customer master data defined in CBS is Access right to authorize customer master data in CBS
inaccurate should be restricted to authorised personnel only
4. Interest/ charge being calculated in CBS is Interest/ charge is auto calculated as per defined rules
incorrect
5. Unauthorized person is approving CASA SOD is maintained b/w initiator and authorizer of
transaction in CBS transaction for processing of transaction.
6. Inaccurate A/c entries generated in CBS CBS should be configured to generate entry as per
defined rules AS.

5.2. CREDIT CARD

The credit card process has three parts:
a) Issuance of Credit Card
b) Sale / Authorization Process of Credit Card Facilities
c) Clearing & Settlement process of Credit Card Facility

Process Flow - Issuance of credit card: Same as CASA

Process Flow - Using Credit Card / Authorisation Process of Credit Card facilities

Process Flow - Clearing & Settlement of Credit Card facilities

Risks & Controls w.r.t. Credit Card – Same as CASA (first 4 points)

5.3. MORTGAGE LOAN

Refers to a secured loan which is secured on Borrower's property.
A charge/lien is created on the property as collateral. If borrower defaults on repayment of loan, lender can
sell the property to recover due amount.
Mortgages are used by individuals and businesses to make large real estate purchases without paying the
entire value of the purchase up front.
Types of mortgage loan:
a) Home Loan - Traditional mortgage for purchase of property. Customer has an option of selecting fixed or variable rate of interest.
b) Top-up Loan - Additional loan applied for by a customer who already has a loan, either for refurbishment or renovation of the house.
c) Loan for under-construction property - Loan is granted in parts/tranches as per construction plan.

Business Process Flow


Risks & Controls w.r.t. Mortgage Loan


Risk / Control
a) Risk: Incorrect customer and loan details are captured in CBS.
   Control: Secondary review is performed by an independent team who will verify details captured in CBS with the offer letter.
b) Risk: Incorrect loan amount is disbursed.
   Control: Same as above.
c) Risk: Interest amount is incorrectly calculated and charged.
   Control: Interest is auto-calculated by CBS based on pre-defined rules i.e., Loan Amount, Interest rate, Tenure etc.
d) Risk: Unauthorized changes made to loan master data and customer master data.
   Control: SOD must exist in CBS. Every transaction entered in CBS must be authorized by another person. Reviewer cannot edit any details submitted by the person entering the data.

5.4. LOAN AND TRADE FINANCE PROCESS

Lending business is the main business of a Bank. It is carried on by the Bank by offering various credit facilities.
It carries inherent risks and the Bank can't lend beyond a calculated risk.
Bank should ensure:
a) Proper recovery of funds lent by it; and
b) Awareness of legal remedies & laws w.r.t. credit facilities provided by it.

Classification of Credit Facilities

a) Fund Based Credit Facilities - Involves outflow of funds i.e., money of Bank is lent to customer.
   Types:
   - Cash credits / Overdrafts
   - Term loans / Demand Loans
   - Discounting of Bills
b) Non-Fund Based Credit Facilities - Does not involve outflow of funds.
   Types:
   - Letter of credit
   - Guarantee

Process Flow - Customer Master Creation in Loan Disbursal System

Process Flow - Loan Disbursal / Credit Facility Utilisation & Income Accounting

Customer → approaches the Bank for availing credit facility as per sanction letter → Bank provides credit facility after verifying credit limit in loan disbursal system.

a) Fund Based Credit Facilities
   Funds are disbursed and loan is recorded in CBS as recoverable.
   3 Accounting Entries:
   i) On booking loan
      Loan A/c – Dr
        To Customer A/c
   ii) On booking Interest/Discounting Income [accrued daily]
      Customer A/c – Dr
        To Interest
   iii) On maturity
      Customer A/c – Dr
        To Loan A/c
b) Non-Fund Based Credit Facilities
   Facilities are granted.
   3 Accounting Entries:
   i) On booking Facility
      Contingent Asset – Dr
        To Contingent Liability
   ii) On booking Commission Income [accrued over tenure of Guarantee/L.C.]
      Customer – Dr
        To Commission
   iii) On maturity
      Contingent Liability – Dr
        To Contingent Asset

S. No. | Product | Income for banks | Accounting of Income
1. Cash Credit / Overdraft | Interest on Cash credits / Overdraft balances | Interest accrued on daily basis at agreed rates
2. Demand Loans / Term Loans | Interest on Demand Loans / Term Loans | Interest accrued on daily basis at agreed rates
3. Bill Discounting | Discounting Income | Interest accrued on daily basis at agreed rates
4. Bank Guarantee | Commission | Commission accrued over the tenure of the bank guarantee
5. Letter of Credit | Commission | Commission accrued over the tenure of the L.C.
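The three entries for a fund-based loan and for a non-fund-based guarantee, with interest accrued daily and commission accrued over the tenure as the table above states, as an added example that is not the page's or any bank's code. The journal, account names, amounts, rates and tenures are constructed for illustration.

```python
"""Added example (not the page's or any bank's code): the three accounting
entries for a fund-based loan and for a non-fund-based guarantee, posted to
a toy double-entry journal with interest accrued daily and commission
accrued over the tenure. Amounts, rates and tenures are constructed."""
from collections import defaultdict


class Journal:
    """Each entry: (narration, debit account, credit account, amount)."""

    def __init__(self):
        self.entries = []

    def post(self, narration, debit, credit, amount):
        self.entries.append((narration, debit, credit, amount))

    def balances(self):
        """Debit balances positive, credit balances negative, rounded to paise."""
        bal = defaultdict(float)
        for _, dr, cr, amt in self.entries:
            bal[dr] += amt
            bal[cr] -= amt
        return {k: round(v, 2) for k, v in bal.items()}

    def trial_balance_ok(self):
        return abs(sum(self.balances().values())) < 0.01


def term_loan_lifecycle(j, customer, principal, annual_rate, days):
    """Fund-based facility; returns total interest accrued over `days`."""
    cust = f"Customer {customer} A/c"
    j.post("loan booked", "Loan A/c", cust, principal)       # i) Loan A/c Dr, To Customer A/c
    daily = principal * annual_rate / 365                       # ii) interest accrued daily
    for d in range(1, days + 1):
        j.post(f"interest day {d}", cust, "Interest", daily)  #     Customer A/c Dr, To Interest
    j.post("loan repaid", cust, "Loan A/c", principal)         # iii) on maturity
    return round(daily * days, 2)


def guarantee_lifecycle(j, customer, face_value, commission, tenure_months):
    """Non-fund-based facility; returns total commission accrued."""
    cust = f"Customer {customer} A/c"
    j.post("BG booked", "Contingent Asset", "Contingent Liability", face_value)    # i)
    monthly = commission / tenure_months                        # ii) accrued over the tenure
    for m in range(1, tenure_months + 1):
        j.post(f"commission month {m}", cust, "Commission", monthly)
    j.post("BG matured", "Contingent Liability", "Contingent Asset", face_value)   # iii)
    return round(monthly * tenure_months, 2)


def run_demo():
    """Constructed: 1,00,000 term loan at 10% for 30 days; 5,00,000 bank
    guarantee with 6,000 commission over 12 months."""
    j = Journal()
    interest = term_loan_lifecycle(j, "C1", 100000.0, 0.10, 30)
    commission = guarantee_lifecycle(j, "C2", 500000.0, 6000.0, 12)
    return {"interest": interest, "commission": commission,
            "balances": j.balances(), "balanced": j.trial_balance_ok()}
```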

Risks & Controls w.r.t. Loans & Advance Process


Same as Mortgage Loan & first 4 points of CASA.

5.5. TREASURY PROCESS

Products in Investment Category:
- Government security
- Shares
- Debenture and Bonds
- Venture capital fund
- Mutual funds
Products in Trading Category:
- Foreign exchange
- Derivatives (Future & Option)

Core Areas of Treasury Operations – can be divided into the following broad compartments:

a) Front office
   F.O. operations consist of dealing room operations where dealers enter into deal/trade with corporate & Inter Bank counter parties.
   Deals are entered by dealers on various trading platforms like Telephone, Broker & other private channels.
   Dealer is responsible for checking
   - Counter party credit line
   - Eligibility & Other regulatory requirements of Bank before entering into deal with customers.
   All risks are borne by dealer.
b) Middle office
   M.O. operations include
   i) Risk Management
   ii) Pricing & Valuations
   iii) Responsible for Treasury A/c
   iv) Documentation of various deals &
   v) Producing financial result analysis & budget forecast &
   vi) Preparing financial statement for regulatory reporting.
c) Back office
   It supports front office. B.O. operations include
   i) Confirmation of deals entered by front office Team
   ii) Settlement of funds/securities
   iii) Performs Front office and Back-office reconciliation to ensure accuracy & completeness of all deals in a day
   iv) Checking and confirming existence of valid & enforceable ISDA (International Swap Dealers Association) Agreement.

Risks & Controls w.r.t. Treasury Process


Risk Control
a) Unauthorized security set-up in systems such as Appropriate SOD and review controls to ensure
F.O./ B.O. accurate security set-up.
b) Inaccurate trade is processed Appropriate SOD and review controls for ensuring
accuracy of Trade processing.
c) Unauthorized confirmations are processed Complete and accurate confirmations to be
obtained from counter-party.
d) Inaccurate info flow b/w 3 systems Inter-system reconciliation & Inter-system
Interfaces

110 | P a g e
Core Banking Systems
e) Insufficient securities available for settlement Effective controls on security & margins
f) Insufficient fund available for settlement Effective controls on security and margins.

5.6. INTERNET BANKING PROCESS

Facilities Available in Internet Banking


a) Password change
b) A/c Balance check
c) Fund transfer
d) Statement of A/c
e) Request cheque Book
f) Credit Card/ Debit card request /payment / Block


g) Opening of FD/ RD and breaking it.

5.7. E-COMMERCE TRANSACTION PROCESSING

Most of the e-Commerce transactions involve advance payment either through a credit or debit card
issued by a bank.
The figure below highlights flow of transaction when a customer buys online from vendor’s e-commerce
website.

6. APPLICABLE REGULATORY AND COMPLIANCE REQUIREMENTS

Regulatory and compliance requirements applicable to Banks:
a) Banking Regulation Act, 1949
b) Negotiable Instruments Act, 1881
c) RBI Regulations
d) PMLA, 2002
e) IT Act 2000 (amended in 2008)

6.1. BANKING REGULATION ACT, 1949

It regulates all Banking Companies in India including co-operative Banks. It provides a framework for regulation
and supervision of commercial Banks.
It gives RBI power to:
a) License Banks
b) Regulate shareholding and voting rights
c) Supervise appointment of BOD and Management
d) Merger and acquisition, Liquidation
e) Impose penalties
f) Control moratorium [period of time during which borrower need not pay EMI on loan]
g) Issue directives to Banks in the interest of public & Banks.
h) Give instructions for Audit.
RBI also provides
i) technology platform for NEFT and RTGS & other central processing (clearing house).
ii) Guidelines on how to deploy IT.

6.2. NEGOTIABLE INSTRUMENTS ACT, 1881

Cheque:
➢ Truncated Cheque i.e. electronic image of a paper cheque
➢ Electronic cheque i.e. cheque in electronic form
NI Act gives validity & enforceability to these two types of cheque.

6.3. RBI REGULATIONS

RBI was established on 1st April, 1935 as per RBI Act, 1934.
Key functions of RBI:
1. Monetary RBI formulates, implements & monitors monetary policy with objective of:
authority a) maintaining price stability; and
b) ensuring adequate flow of credit to productive sectors
Tools: CRR, SLR, Open market operations
2. Issuer of Currency Issues, exchanges or destroys currency and coins with objective of providing
adequate quantity of supply of currency notes and coins in good quality.
3. Regulator and RBI regulates financial system with objective of
Supervisor of the
➢ maintaining public confidence;
Financial System
➢ protect depositor’s interest; and
➢ provide cost effective banking services to the public.

6.4. PREVENTION OF MONEY LAUNDERING ACT, 2002

Black Money:
• Unaccounted Money on which Tax is not paid
• Earned from illegal means like
  ➔ Terrorism
  ➔ Smuggling
  ➔ Drug trafficking
  ➔ Illegal Arms sale
White Money:
• From legitimate source

Money laundering is a process by which
➢ proceeds of crime and true ownership of those proceeds are
➢ concealed so that it appears to come from legitimate source.


Objective of ML: To conceal existence, illegal source, or illegal application of proceeds of crime and to make it
appear as clean/ legitimate.
It is used by criminals to make dirty money appear clean.

3 Stages of Money Laundering

a) Placement - It involves placement / movement of proceeds of crime into a form which is less suspicious & more convenient. E.g. Putting money in the legitimate financial system.
b) Layering - Involves separation of proceeds of crime from their illegal source using complex transactions to obscure the audit trail & hide the proceeds. This is done through sending money through various Banks, countries, currencies, continuous deposits & withdrawals.
c) Integration - Involves conversion of proceeds of crime into apparently legitimate earnings through normal financial or commercial transactions. E.g. Fake invoices for goods exports, buying properties. It creates the illusion that dirty money is derived from a legitimate source.

6.4.1. ANTI-MONEY LAUNDERING (AML) USING TECHNOLOGY

What if Bank fails to control Money Laundering?
a) Loss of reputation and G/w.
b) Legal and Regulatory sanction.
c) Declining profit.

Bank can be used in M.L. as primary means for placement and layering of proceeds of crime as it acts as a
means to transfer money across geographies, A/cs & currencies.
The challenge is even greater for Banks using CBS as all transactions are integrated. With regulators
adopting stricter regulations on Banks and enhancing their enforcement efforts, Banks are using special
fraud and risk management S/w to:
a) Prevent and detect M.L.
b) Daily processing and reporting of suspicious Transactions.
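The daily screening and reporting described above, as an added example that is not the page's or any bank's code: a screen over one day's transactions that flags the layering patterns named in the Stages table (funds received and forwarded almost at once; movement across several countries and currencies) and produces report lines. The indicators, thresholds, report format and sample transactions are constructed assumptions, not RBI or FIU rules.

```python
"""Added example (not the page's or any bank's code): a minimal daily
suspicious-transaction screen of the kind the paragraph describes, run over
constructed sample transactions. The layering indicators, their thresholds,
the report format and the sample data are illustrative assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed day's transactions:
# (time, account, direction, amount, currency, counterparty country)
SAMPLE_TXNS = [
    (datetime(2024, 3, 1, 9, 0),   "ACC1", "in",  95000.0, "INR", "IN"),
    (datetime(2024, 3, 1, 9, 40),  "ACC1", "out", 94000.0, "USD", "AE"),
    (datetime(2024, 3, 1, 10, 0),  "ACC1", "in",  90000.0, "INR", "IN"),
    (datetime(2024, 3, 1, 10, 30), "ACC1", "out", 89500.0, "EUR", "DE"),
    (datetime(2024, 3, 1, 11, 0),  "ACC2", "in",   2000.0, "INR", "IN"),
    (datetime(2024, 3, 3, 12, 0),  "ACC2", "out",   500.0, "INR", "IN"),
]


def daily_aml_screen(txns, window=timedelta(hours=2), pass_ratio=0.9, min_countries=2):
    """Return {account: [reasons]} for accounts showing layering-type patterns:
    funds received and almost fully forwarded within `window` (continuous
    deposits & withdrawals) or movement across several countries/currencies."""
    by_acct = defaultdict(list)
    for t in sorted(txns):
        by_acct[t[1]].append(t)
    alerts = {}
    for acct, rows in by_acct.items():
        reasons = []
        ins = [r for r in rows if r[2] == "in"]
        outs = [r for r in rows if r[2] == "out"]
        for when, _, _, amount, _, _ in ins:
            forwarded = sum(o[3] for o in outs if when <= o[0] <= when + window)
            if forwarded >= pass_ratio * amount:
                reasons.append(f"{amount:.0f} received at {when:%H:%M} forwarded within {window}")
                break                                  # one pass-through finding is enough
        countries = {r[5] for r in rows}
        currencies = {r[4] for r in rows}
        if len(countries) >= min_countries and len(currencies) >= 2:
            reasons.append(f"spread across {len(countries)} countries and {len(currencies)} currencies")
        if reasons:
            alerts[acct] = reasons
    return alerts


def suspicious_transaction_report(alerts, report_date):
    """Lines for the daily report the paragraph mentions (format is constructed)."""
    return [f"{report_date:%Y-%m-%d} STR {acct}: " + "; ".join(reasons)
            for acct, reasons in sorted(alerts.items())]
```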

6.4.2. FINANCING OF TERRORISM

Money to fund terrorist activities moves through the global financial system via wire transfers and in and
out of personal and business accounts.
It is a form of M.L. but it does not work the way conventional M.L. works. Money starts as clean i.e., as
“charitable donation” before moving to terrorist A/c.
It is highly time sensitive requiring quick response.

6.4.3. KEY PROVISIONS OF PMLA, 2002

Sec 3 - Whosoever directly or indirectly indulges, attempts to indulge or knowingly assists or is a party to any process or activity connected with the proceeds of crime including its
➢ concealment, possession, acquisition or use and
➢ projecting or claiming it as untainted property
➢ shall be guilty of offence of money-laundering.
Sec 12 Reporting Entities are required to:
Reporting entities 1) Maintain records of all transactions that enable it to reconstruct Individual
to maintain transaction.
Records Record is to be maintained for at least 5 years from the date of Transaction b/w
client and Reporting entity.
2) Furnish information w.r.t such value & nature of transaction to Director, whether
attempted or executed, as prescribed.
3) Maintain record of Identity of client & Beneficial owner, account file, business
correspondences for 5 years after the
a) Business relation b/w client and R.E. ended; or
b) A/c has been closed;
whichever is later.
Sec 13 ▪ The Director may, either on own motion or on application made by any authority,
Power of Director officer or person, make such enquiry from R.E. as may deem necessary.
to impose fine ▪ If Director is of opinion that due to Nature & complexity of case, Audit of record is
necessary, he may direct R.E to get the records audited by an Accountant [CA] from
a panel of CAs maintained by CG.
▪ Expense of audit & incidental expenses is to be borne by CG.
▪ If the Director, during course of enquiry, finds that R.E. or its designated director or
Board or any of its employee failed to comply with PMLA, he can:
a) Issue warning in writing; or
b) Direct such R.E. or its designated director or Board or employee to comply with
specific instructions; or
c) Direct R.E. its designated director or Board or any of its employee to send reports
at prescribed interval; or
d) Impose a monetary penalty on R.E, its designated director or Board or any of its
employee of not less than 10,000 & which may extend upto 1 lakh for each failure.
Section 63 Any person who wilfully and maliciously gives false information, causing an arrest or
Punishment for a search to be made of other person under this Act shall be liable for
false information ➢ imprisonment for a term which may extend to two years; or
or failure to give
information, etc. ➢ with fine which may extend to fifty thousand rupees; or
➢ both.
If a person
a) Refuses to answer any question asked by the Authority under PMLA; or
b) Refuses to legally sign any statement made by him before the Authority; or
c) Omits to attend or present of Books of A/c at time & place required by Authority;
he shall be liable to
➢ Penalty of not less than 500 to 10,000 for each default or failure.
Before an order is passed imposing penalty, an opportunity of being heard shall be given
to such person by the Authority.
Section 70 In case of contravention by Company,


Offence by ➢ every person who was in-charge of Company at the time of contravention as well as
Company
➢ Company shall be deemed to be
➢ guilty of contravention & punished accordingly.
No liability / Punishment of such person if he proves that:
a) contravention took place w/o his knowledge; or
b) he exercised all due diligence to prevent such contravention.

Miscellaneous - Company includes any body corporate, a firm or other association of individuals.
Director - In relation to a firm, means partner.

6.5. INFORMATION TECHNOLOGY ACT, 2000

Topics (covered in Chapter 1): Intro; Key Objectives / Provisions; Advantages; Computer Related Offences; Privacy & SPDI.

The Amendment Act 2008 provides stronger privacy data protection measures as well as implementing
reasonable information security by implementing ISO: 27001 or equivalent certifiable standards to protect
against cyber-crimes.
For the banks, the Act exposes them to both civil and criminal liability.
The civil liability could consist of exposure to pay damages by way of compensation up to 5 crores.
The criminal liability exposure may be to the top management of the Banks and it could consist of
➢ imprisonment for a term which would extend from three years to life imprisonment as also fine.

6.5.1. CYBER CRIME

Cyber Crime refers to offences that are committed
➢ against individuals or groups of individuals with a
➢ criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm, or
loss, to the victim directly or indirectly,
➢ using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and
groups) and mobile phones.
It involves use of a computer and a network. The computer may have been used in committing a crime, or
it may be the target.
UN manual on Prevention and Control of Computer-Related Crime classifies cyber-crimes into:
a) Committing of fraud by manipulating input, output or throughput of a computer-based system.
b) Computer forgery which involves changing image or data stored in computers.
c) Deliberate damage caused to computer data or programs through virus or logic bombs.
d) Unauthorized access to computer by hacking into system or stealing password.
e) Unauthorized reproduction of computer programs or s/w piracy.

A Bank is prone/susceptible to cyber-crime as it deals with money. Using technology, fraud can be committed across countries w/o leaving a trace.

Hence, CBS and Banking s/w should have a high level of controls covering all aspects of cyber-crime. ISO 27001 must be implemented for Information security.

7. BASEL III NORMS & AI IN BANKING INDUSTRY

Introduction
▪ The financial crisis of 2008 caused significant concern for the Banking Industry.
▪ It exposed weak financial & risk management systems in Banks.

Process
▪ Basel III is a comprehensive set of reform measures developed by the Basel Committee on Banking Supervision which aims to:
  a) Strengthen regulation & supervision;
  b) Strengthen risk management;
  c) Enhance the ability of Banks to absorb financial shocks.
▪ It specifies capital adequacy norms for Banks based on Risk assessment.

How Bank-specific risks are assessed
▪ As the nature of the Banking Business & the risks involved are quite large and complex, traditional assessment tools i.e., MIS and DSS do not work.
▪ Thus, AI-powered tools are used. For this, data from CBS is transferred to a data warehouse for analysis/data mining using AI tools.
▪ This helps in identifying hidden trends, which helps in risk Assessment.
▪ This improves Risk management of the Bank and in turn the assessment of capital adequacy under BASEL III.

For EIS-SM, use Code CAKISHAN on Unacademy App for
a) Free Lectures &
b) Maximum Discount on Plus & Iconic courses

FOR TAXATION, VISIT KKC WEBSITE OR DOWNLOAD OUR KKC APP
