EIS Full Notes - Nov 22
Commerce Harbour’s
Svadhyaya Series
Edition 2.0 || August 2022
Commerce Harbour’s
Svadhyaya Series
Edition 1 • Feb 2022
1. Introduction:
A company has several types of information systems built in and around its diverse functions and
business processes, which exchange information automatically. However, due to the size of the business
it is rather difficult for a single person in the company to gather all the information. It is imperative to know,
for example, the availability of a product, the stock status of the product etc.
To solve this problem, the EIS (Enterprise Information System) plays an important role.
This system collects data from the various verticals of the business, i.e. finance, production,
manufacturing, sales and marketing, and stores the data in a single central data repository. As
such, an EIS helps in the smooth functioning of business processes by integrating these processes.
An EIS provides a platform for the organization to integrate and coordinate its business
processes on a robust foundation. An EIS provides a single system that is central to the
organization and ensures that information can be shared across all functional levels of the organization.
• Operational/Primary Processes→
Deal with the core business and value chain. These processes deliver value to the customers.
They represent the essential business activities that accomplish business objectives. For
instance, the order to cash cycle, the purchase to pay cycle etc.
• Supporting Processes→
These processes back the core processes and functions within an organization. One of the major
differences between operational & supporting processes is that supporting processes don’t
provide value to the customer. Some of the support processes are HRM (Human
Resource Management), accounting and workplace safety.
• Management Processes→
These processes monitor and control activities related to business procedures and
systems. Examples of management processes include internal communications,
governance, strategic planning, budgeting, infrastructure etc.
3. Support Process: For all activities to be done as envisioned by top management, a huge
effort was needed on the human resources front. This included:
(a) Defining and creating a new management structure
(b) Performing all human resource activities as listed above.
▪ Time-sensitive processes:
Business process automation results in streamlined processes and faster turnaround times.
The streamlined processes eliminate wasteful activities and focus on enhancing tasks that
add value. Time-sensitive processes such as online banking systems, railway/aircraft
operating and control systems etc. are best suited to automation.
• Staff Resistance:
▪ Human factor issues are the main obstacle to the acceptance of automated processes.
▪ Due to automation, management has greater visibility of the process, and decisions
that used to be made by the staff are now taken by management.
▪ Moreover, the staff may perceive automated processes as a threat to their jobs.
• Implementation Cost:
▪ Implementation of automated processes may be an expensive proposition in terms of
acquisition/development cost, and special skills are also required to operate & maintain these
systems.
(b) Step 2 →Understand the rules/regulations with which the enterprise needs to comply:
This is one of the most important steps to be kept in mind. It includes understanding and
following the rules and regulations & the document retention requirements. This governance is
formulated by a combination of internal corporate policies, external industry regulations and
local laws. In this case it is imperative to understand the requirement of the law in respect of
retention of records for a specified number of years.
4. Risk Management:
Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level and
maintaining that level of risk. Risk management involves identifying, measuring and minimizing uncertain
events affecting resources.
4.1 Definitions:
ASSETS:
An asset can be defined as something of value to the organization, e.g. information in electronic form,
software systems, employees. The characteristics of assets are:
1. Recognized to be of value to the organization.
2. Assets can’t be replaced without cost, skills and time.
3. They form part of the organization’s corporate identity.
4. They are capable of being classified by information level, i.e. confidential, proprietary etc.
VULNERABILITY:
(a) It is a weakness in the system safeguards that exposes the system to THREATS. E.g.:
1. Leaving a door unlocked makes the house vulnerable to theft.
2. Use of short passwords, which are prone to cracking or hacking.
We have studied vulnerability and its examples. But why do vulnerabilities arise...!!!
THREATS:
(a) Any entity or circumstance with the potential to harm the software system or a component
through unauthorized access, destruction or modification.
(b) It is an action, event or condition where there is a compromise in quality and the ability to
harm the organization.
(c) Threats exist where there is an asset. An asset is nothing but the data contained in the information
system.
CHARACTERISTICS OF A THREAT:
▪ It is an action/event/condition where there is a compromise in the system.
▪ Negative impact on the quality of the system.
▪ A threat has the capability to attack the system with the intent to harm it.
EXPOSURE:
(a) It is the extent of the loss to the organization when a risk materializes (occurs).
(b) For instance, loss of business, loss of reputation, violation of privacy etc.
LIKELIHOOD:
It is the estimation of the probability that a threat will succeed in achieving an undesirable outcome.
ATTACK:
(a) It is a set of actions designed to compromise the confidentiality, integrity & availability of an
information system.
(b) It is an attempt to gain unauthorized access to system services. In software terms, an
attack is a malicious intentional fault that has the intent of exploiting vulnerabilities.
COUNTERMEASURE:
a) An action, device, procedure or technique that reduces the vulnerability of a system or
component is referred to as a countermeasure.
RISK:
Risk is any event that may result in a significant deviation from a planned objective, resulting in
an unwanted negative consequence. The planned objective could be any aspect of an
enterprise’s strategic, financial, regulatory and operational processes, products or services. The
degree of risk associated with an event is determined by the likelihood (uncertainty,
probability) of the event occurring, the consequences (impact) if the event were to occur and
its timing.
TYPES OF RISKS: Business Risks, Technology Risks and Data-related Risks.
• Business Risks
Business risk is a broad category which applies to any event or circumstances related to
business goals.
Code to remember: C.H.O.R - S.F.
(Since CHOR is not SaFe for homes, similarly risks are not safe for businesses)
• Compliance Risks:
▪ Include risks that could expose the organization to fines & penalties from a regulatory agency.
▪ Arise due to non-compliance with laws and regulations such as environmental, employee
health and safety, lack of due diligence, protection of personal data etc.
• Hazards Risks:
▪ Hazard risks include risks that are insurable, such as natural disasters; various insurable
liabilities; impairment of physical assets; terrorism etc.
• Operational Risks:
▪ Implementation of automated processes may be an expensive proposition in terms of
acquisition/development cost & also special skill is required to operate & maintain
these systems.
• Residual Risks:
▪ This includes any risk remaining even after the counter measures are analyzed and
implemented.
▪ An organization’s management of risk should consider these two areas - Acceptance of
residual risk and Selection of safeguards. The risk can be minimized, but it can seldom
be eliminated even if proper safeguards are applied by the organization.
• Strategic Risks:
▪ These are the risks that would prevent an organization from accomplishing its
objectives (meeting its goals).
▪ Examples - risks related to strategy, political, economic relationship issues with
suppliers and global market conditions, reputation risk, leadership risk etc.
• Financial Risks:
▪ Financial risks are those risks that could result in a negative financial impact to the
organization (waste or loss of assets).
▪ Examples - risks from volatility in foreign currencies, interest rates, liquidity risk etc.
• Technology Risk
The dependence on technology in BPA for most of the key business processes has led to various
challenges. As technology is taking new forms and transforming as well, the business processes
and standards adopted by enterprises should consider these new sets of IT risks and challenges:
6. Complexity of systems:
▪ The technology architecture used for services could include multiple digital platforms
and is quite complex.
▪ This calls for personnel to have the requisite technology skills or knowledge of the
management of the technology.
9. Employee Actions:
▪ Fraudsters use new social engineering techniques such as socializing with employees to
extract relevant information about the company to commit fraud.
▪ For example: extracting password information from staff while posing as a genuine
customer and using it to commit fraud.
1. Data Diddling:
▪ This involves changing data before or after it is entered into the system.
▪ Only limited technical knowledge is required to data diddle, and the worst part is
that it occurs before computer security can protect the data.
2. Bomb:
▪ A bomb is a piece of bad code deliberately planted by an insider or supplier of a program.
▪ An event triggers a bomb, or it is time based. The bomb explodes when the conditions of
explosion are fulfilled, causing damage immediately, but it cannot infect other programs.
3. Christmas Card:
▪ On typing the word ‘Christmas’, it will draw a Christmas tree as expected, but in addition it
will send copies of similar output to all other users connected to the network.
▪ It was detected on the internal E-mail of an IBM system, and because of the above message,
other users could not save their half-finished work.
4. Worm:
▪ A worm program copies itself to another machine on the network.
▪ Since worms are stand-alone programs, they can be detected easily in comparison to
Trojans and computer viruses.
▪ Alarm clock worm - a worm that reaches out through the network to an outgoing terminal
(one equipped with a modem) and places wake-up calls to a list of users.
5. Rounding Down:
▪ This refers to rounding off small fractions of a denomination and transferring these
small fractions to an authorized account. As the amount is small, it rarely gets noticed.
6. Salami Technique:
▪ This involves slicing small amounts of money from a computerized transaction or
account.
▪ The salami technique is slightly different from the rounding technique in the sense that a fixed
amount is deducted. E.g., an amount of ₹ 21,446.39 is written as ₹ 21,446.30.
7. Trap Doors:
▪ Trap doors allow insertion of specific logic, such as program interrupts, that permits a
review of data. They also permit insertion of unauthorized logic.
8. Spoofing:
▪ A spoofing attack involves forging one’s source address. One machine is used to
impersonate the other in the spoofing technique. Spoofing occurs only after a particular
machine has been identified as vulnerable.
▪ A penetrator makes the user think that s/he is interacting with the operating system.
Spoofing is a cyberattack that occurs when a scammer is disguised as a trusted source to
gain access to important data or information.
9. Asynchronous Attacks:
▪ They occur in many environments where data can be moved asynchronously across
telecommunication lines.
▪ Such an attack uses the timing difference between the input time of data and the processing
time. Data that is waiting to be transmitted is liable to unauthorized access, called an
Asynchronous Attack.
▪ Such attacks are very small (pin-like insertions) and hence hard to detect. Some of the
asynchronous attacks are:
o Data Leakage: This involves leaking information out of the computer by means of
dumping files to paper or stealing computer reports and tapes.
o Subversive Attacks: These can provide intruders with important information
about messages being transmitted, and the intruder may attempt to violate the
integrity of some components in the sub-system.
o Wire-Tapping: This involves spying on information being transmitted over a
communication network.
o Piggybacking: This is the act of following an authorized person through a secured
door, or electronically attaching to an authorized telecommunication link that
intercepts and alters transmissions. This involves intercepting communication
between the operating system and the user and modifying it or substituting
new messages. Piggybacking also refers to someone allowing another person to
follow right after them into a restricted area.
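The rounding-down and salami techniques above succeed because each slice is too small to notice on its own; the control that catches them is a batch reconciliation of what the application computed against what was actually credited, aggregated by where the residue went. The check below is an added example (not from the notes); the postings, account numbers and the half-up rounding rule are constructed for illustration.

```python
"""Reconciliation check for 'rounding down' and salami-style diversion.

Added example, not part of the original notes. Each posting pairs the
amount the application computed with the amount actually credited to the
customer, and records which account (if any) received the residue.
"""
from collections import defaultdict
from decimal import Decimal, ROUND_HALF_UP

PAISA = Decimal("0.01")

# Constructed sample postings (not real data):
# (txn id, customer account, computed amount, credited amount, residue account)
POSTINGS = [
    ("T001", "ACC-101", Decimal("21446.39"), Decimal("21446.30"), "ACC-999"),
    ("T002", "ACC-102", Decimal("1520.27"), Decimal("1520.20"), "ACC-999"),
    ("T003", "ACC-103", Decimal("880.05"), Decimal("880.05"), None),
    ("T004", "ACC-104", Decimal("3349.98"), Decimal("3349.90"), "ACC-999"),
    ("T005", "ACC-105", Decimal("12.505"), Decimal("12.51"), None),
]


def expected_credit(computed):
    """Legitimate rounding rule assumed here: nearest paisa, half up."""
    return computed.quantize(PAISA, rounding=ROUND_HALF_UP)


def find_shortfalls(postings):
    """Per-transaction check: every credit that falls short of the properly
    rounded amount, with the shortfall. T005 is rounded up correctly and
    T003 needs no rounding, so neither is reported."""
    out = []
    for txn, _cust, computed, credited, _dest in postings:
        shortfall = expected_credit(computed) - credited
        if shortfall > 0:
            out.append((txn, shortfall))
    return out


def residue_by_account(postings):
    """Aggregate where the shortfalls went: {account: (count, total)}."""
    hits = defaultdict(lambda: [0, Decimal("0")])
    for txn, _cust, computed, credited, dest in postings:
        shortfall = expected_credit(computed) - credited
        if shortfall > 0:
            hits[dest][0] += 1
            hits[dest][1] += shortfall
    return {acct: (cnt, total) for acct, (cnt, total) in hits.items()}


def flag_salami(postings, min_hits=3):
    """The tell is the pattern, not the size: one account collecting
    residues from many unrelated transactions."""
    return {acct: stats for acct, stats in residue_by_account(postings).items()
            if stats[0] >= min_hits}


if __name__ == "__main__":
    for txn, short in find_shortfalls(POSTINGS):
        print(f"{txn}: short by {short}")
    print("flagged:", flag_salami(POSTINGS))
```

In practice the same comparison is run over the full posting batch, and the reporting threshold is tuned so that ordinary rounding noise (which nets to roughly zero and is spread across many accounts) does not trigger it.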
Enterprise Risk Management (ERM) may be defined as a process affected by an entity’s Board of
Directors, management, and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding the achievement of entity objectives.
ERM in business includes the methods and processes used by organizations to manage risks and
seize opportunities related to the achievement of their objectives. ERM is a common framework
applied by business management and other personnel to identify potential events that may affect
the enterprise, manage the associated risks and opportunities, and provide reasonable assurance
that an enterprise’s objectives will be achieved.
b) Rationalize capital:
More robust information on the entity’s risk allows management to assess capital requirements
more effectively and improve capital allocation.
f) Opportunities:
Business processes carry many inherent risks, and ERM enables the provision of integrated solutions.
2. Monitoring:
Entire ERM process should be monitored and modified wherever necessary. This ensures
that the system can react dynamically. Monitoring is accomplished through ongoing
management activities.
3. Internal Environment:
This encompasses tone of an organisation & sets the basis of how risk is viewed and
addressed by an entity’s people including risk management, risk appetite, integrity and
ethical values.
5. Control Activities:
Policies and procedures established by the company ensure that the risk responses
that management selected are effectively carried out.
6. Risk Assessment:
Risks which are identified are analyzed to form the basis for determining how they should be
managed. Risks are assessed on both an inherent and a residual basis, and the assessment
considers both risk likelihood and impact.
7. Risk Response:
Management selects an approach to align assessed risk with the entity’s risk tolerance and risk
appetite. Personnel identify and evaluate possible responses to risks (avoidance, acceptance,
reduction & sharing).
8. Objective Setting:
ERM should ensure that management has a process in place to set objectives and that
chosen objectives support and align with overall objectives of the company.
6. Controls:
Controls are defined as policies, procedures, practices and organizational structures that are
designed to provide reasonable assurance that
▪ Business objectives are achieved, and
▪ Undesired events are prevented or detected and corrected.
The system of internal control extends beyond those matters which relate directly to the functions
of the accounting system. Below is the diagrammatic representation of purchase to pay controls.
There are 4 stages:
(a) Purchases
(b) Goods Receipt
(c) Invoice Processing
(d) Payment
Based on the implementation of the above controls, they can be categorized as manual, semi-
automated and automated. The objective of these controls is to mitigate the risk associated with the
business. The 3 categories are explained below:
Manual: Manually verifying the goods received as per the PO and checking against the vendor
invoice.
Semi-Automated: Verification of the goods receipt (E) against the PO (D) could be automated, but the
vendor invoice could be handled manually in the reconciliation process.
Automated: Automation can be done by the computer system by comparing D, E and F.
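The automated category above is the classic three-way match: the system compares the purchase order (D), the goods receipt note (E) and the vendor invoice (F) and releases payment only when all three agree. Below is an added example of that control (not the notes' own code); the document fields, status names and sample documents are constructed, and the diagram labels D/E/F are the PO, GRN and invoice respectively.

```python
"""Automated purchase-to-pay control: three-way match of PO (D),
goods receipt note (E) and vendor invoice (F).

Added example, not from the notes. Field names, status codes and the
sample documents below are constructed for illustration.
"""
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class PurchaseOrder:          # D
    po_no: str
    qty: int
    unit_price: Decimal


@dataclass
class GoodsReceipt:           # E (GRN prepared by stores)
    po_no: str
    qty_received: int
    quality_ok: bool


@dataclass
class VendorInvoice:          # F
    po_no: str
    qty_billed: int
    unit_price: Decimal
    total: Decimal


def match_invoice(inv, po_by_no, grn_by_po, price_tol=Decimal("0.00")):
    """Return a status code; only MATCHED is cleared for payment."""
    po = po_by_no.get(inv.po_no)
    if po is None:
        return "NO_PO"                  # invoice for an order we never placed
    grn = grn_by_po.get(inv.po_no)
    if grn is None:
        return "NO_GRN"                 # billed before stores received anything
    if not grn.quality_ok:
        return "QUALITY_REJECTED"
    if inv.qty_billed > min(grn.qty_received, po.qty):
        return "QTY_EXCEEDS_RECEIPT"    # over-billing against D or E
    if abs(inv.unit_price - po.unit_price) > price_tol:
        return "PRICE_MISMATCH"         # price on F differs from D
    if inv.total != inv.qty_billed * inv.unit_price:
        return "TOTAL_MISMATCH"         # arithmetic on the invoice is wrong
    return "MATCHED"


def three_way_match(pos, grns, invoices):
    """{po_no: status} for every invoice presented to accounts payable."""
    po_by_no = {p.po_no: p for p in pos}
    grn_by_po = {g.po_no: g for g in grns}
    return {inv.po_no: match_invoice(inv, po_by_no, grn_by_po) for inv in invoices}


def payable_total(pos, grns, invoices):
    """Sum of invoices the control releases for payment."""
    status = three_way_match(pos, grns, invoices)
    return sum((inv.total for inv in invoices if status[inv.po_no] == "MATCHED"),
               Decimal("0"))


# Constructed sample documents (not real data)
POS = [
    PurchaseOrder("PO-1", 100, Decimal("50.00")),
    PurchaseOrder("PO-2", 10, Decimal("1200.00")),
    PurchaseOrder("PO-3", 5, Decimal("300.00")),
    PurchaseOrder("PO-4", 20, Decimal("75.00")),
]
GRNS = [
    GoodsReceipt("PO-1", 100, True),
    GoodsReceipt("PO-2", 8, True),      # only 8 of 10 received
    GoodsReceipt("PO-3", 5, True),
]
INVOICES = [
    VendorInvoice("PO-1", 100, Decimal("50.00"), Decimal("5000.00")),
    VendorInvoice("PO-2", 10, Decimal("1200.00"), Decimal("12000.00")),
    VendorInvoice("PO-3", 5, Decimal("310.00"), Decimal("1550.00")),
    VendorInvoice("PO-4", 20, Decimal("75.00"), Decimal("1500.00")),
    VendorInvoice("PO-9", 1, Decimal("10.00"), Decimal("10.00")),
]

if __name__ == "__main__":
    for po_no, status in three_way_match(POS, GRNS, INVOICES).items():
        print(po_no, status)
    print("release for payment:", payable_total(POS, GRNS, INVOICES))
```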
Now we will study the GENERAL CONTROLS (illustrative list as per the Institute material):
Code to Remember: S2I.M.B.A. - D.U.M. – V.C.C. (SIMBA has strength – Very Cool Cop)
As per SA315, the 5 components of any internal control as they relate to a financial statement audit
are explained below.
All these components must be present to conclude that internal control is effective.
Monitoring:
♫ Monitoring of the functioning of all the 5 components.
♫ Ongoing or separate evaluation, or a combination of both, may be required for monitoring.
♫ Findings are evaluated by management & shared.
Information:
♫ Information is necessary for every business.
♫ Mgmt. collects information from external & internal sources to support the functioning of
internal controls.
♫ Such information is vital.
Risk Assessment:
♫ Risk may be defined as the possibility that an event will occur and adversely affect the organization.
♫ Risk assessment involves a dynamic and iterative process for identifying & assessing risks.
♫ Such assessment forms the basis for determining how risks are managed.
♫ Risk assessment requires management to consider the impact of possible changes in the external
environment.
Control Environment:
♫ Set of standards & processes that provides the basis for carrying out internal controls across the
business.
♫ The control environment comprises the integrity & ethical values of the organization.
♫ Helps top management in carrying out its governance responsibilities.
In a computer system, controls should be checked at 3 levels, namely the configuration, master and
transaction level.
Configuration:
• Configuration is the process of defining the software options that are provided.
• When any software is updated, values for various parameters should be set up, along with the
business process work flow and business process rules of the enterprise.
Master:
• Master parameters are set up. It is methodological for all the modules like purchase, inventory,
finance etc.
• The masters are first set up during installation & these are changed whenever business
parameters are changed.
Transaction:
• Transactions of a business process can be checked from a risk or control perspective. In the case of
the risk perspective, we need to consider each of the key sub-processes or activities performed in a
business process and look at the existing and related control objectives, the existing controls and the
residual risks after application of controls.
The Human Resources life cycle refers to human resources management and covers all the
stages of an employee’s time within a specific enterprise. Typical stages of the HR cycle:
1. Recruiting and On-boarding: Recruiting is the process of hiring a new employee. The role of the
human resources department in this stage is to assist in hiring. This might include placing the job
ads, selecting candidates whose resumes look promising and conducting employment interviews.
2. Orientation and Career Planning: Orientation is the process by which the employee becomes
a member of the company’s work force through learning her new job duties, establishing
relationships with co-workers and supervisors and developing a niche. Career planning is the
stage at which the employee and her supervisors work out her long-term career goals with the
company.
3. Career Development: Career development opportunities are essential to keep an employee
engaged with the company over time, after an employee has established himself at the
company and determined his long-term career objectives.
4. Termination or Transition: Some employees will leave the company through retirement after a
long & successful career. The role of HR in this process is to manage the transition by ensuring
that all policies and procedures are followed, carrying out an exit interview if that is company
policy and removing the employee from the system.
Transferring the Assets: The fixed asset may be sold or transferred to another subsidiary, reporting
entity, or department within the company. These inter-company and intra-company transfers may
result in changes that impact the asset’s depreciable basis, depreciation, or other asset data. This
needs to be reflected accurately in the fixed assets management system.
Depreciating the Assets: The decline in an asset’s economic and physical value is called depreciation.
Depreciation is an expense which should be periodically accounted on a company’s books, and
allocated to the accounting periods, to match income and expenses. Sometimes, the revaluation of
an asset may also result in appreciation of its value.
Disposing the Assets: When a fixed asset is no longer in use, becomes obsolete, or is beyond repair,
the asset is typically disposed. When an asset is taken out of service, depreciation cannot be charged
on it. There are multiple types of disposals, such as abandonments, sales, and trade-ins. Any
difference between the book value and the realized value is reported as a gain or loss.
7. Diagrammatic representation of business processes:
• Based on the inputs from the business process owner, obtain a complete understanding of the
process flow.
• Prepare an initial rough diagram & discuss it with the business process owner to confirm your
understanding of the process flow.
• Obtain additional information from other stakeholders about the business processes.
• Any deviation should be highlighted and corrective steps taken.
7.1.1 FLOWCHARTS→
Flowcharts are used to design and document simple processes or programs. There are
different types of flowcharts and each one has its own different boxes. The 2 most common types
of boxes in a flowchart are as follows:
• A processing step; usually called ACTIVITY and denoted as a RECTANGULAR BOX.
• A decision; usually denoted as a DIAMOND.
Below are the steps for creating flowcharts for business purposes-
• Identify the activities in each step and who is responsible for each activity.
• Identify the starting point of the process. The starting point of a business
process should be what triggers the process to action.
• Separate the different steps in the process. Analyze how one step is connected to the
next step. Generally, we have events, activities & decision gateways, which are
shown using connectors and arrows.
• A library loans system identifies each book in its stock by a unique Book ID.
• The Book ID is encoded in a barcode attached to the book.
• When a borrower returns a book, it is scanned and any fine that is due is calculated by
extracting from the library database the date that the book was due back.
• DFD is mainly used by technical staff for graphically communicating between systems
analysts and programmers. The main symbols used in a DFD are provided in the table below-
Process: Step-by-step instructions are followed that transform inputs into outputs (a computer or
person or both doing the work).
Data flow: Data flowing from place to place, such as an input or output to a process.
External Agent: The source or destination of data outside the system. The people and organizations
that send data to or receive data from the system are represented by this symbol, called an external
agent.
Data Store: Data at rest, being stored for later use. Usually corresponds to a data entity on an
entity-relationship diagram.
Real-time link: Communication back & forth between an external agent & a process as the process
is executing.
Order To Cash
(a) Sales and Marketing:
• Advertises and markets the company’s products and books sales orders from the customer.
(b) Order Fulfilment:
• Receives the order from SM (Sales & Marketing).
• Checks the inventory level to confirm availability of the product. If available, transportation is
arranged and the product is sent to the customer.
(c) Manufacturing:
• In case the product is not available, this information is sent to the manufacturing department so
that the product is manufactured and subsequently sent to the customer.
(d) Receivables:
• Invoice raised and sent to the customer. Amount received and the invoice gets closed.
Procure to Pay
The illustration below indicates the different processes identified specifically by department/entity through
“swimlanes” so that responsibilities are clearly defined.
(c) Vendor:
• Vendor receives the PO and carries out his own internal checks.
• Matches the PO with the quotation sent and, in case of discrepancy, seeks clarification.
• If there are no discrepancies, the vendor will raise a sales order & the material is shipped to the buyer.
• The vendor invoice is then sent to the accounts payable department, based on the address
indicated in the PO.
(d) Stores:
• Receive the material.
• Check the quantity of material received against the PO and the quality with the user.
• A Goods Received Note (GRN) is prepared based on the actual receipt of material & stores
update the stock. Then the GRN is sent to the accounts department for payment.
Cyber Crime
The only difference is that in cyber crime computer technology is involved, and thus it is a
computer-related crime. It involves “hacking”, i.e. Mr. A, a cyber-criminal, while sitting in his
own house, through his computer hacks the computer of Mr. B and steals the data saved on
Mr. B’s computer without physically touching the computer or entering B’s house.
• Web Defacement:
The homepage of a website is replaced with a defamatory (Bad) page.
Name: Description
“Access” means gaining entry into, instructing, or communicating with the logical,
arithmetical, or memory function resources of a computer, computer system or
computer network.
“Computer” means any electronic, magnetic, optical or other high-speed data processing device
or system which performs logical, arithmetic, and memory functions by manipulations of
electronic, magnetic or optical impulses, and includes all input, output, processing, storage,
computer software or communication facilities which are connected or related to the computer
in a computer system or computer network.
“Computer Network” means the interconnection of one or more computers or computer systems or
communication devices through:
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
(ii) terminals or a complex consisting of two or more interconnected
computers or communication devices, whether or not the interconnection
is continuously maintained.
“Information” includes data, message, text, images, sound, voice, codes, computer
program, software and databases or micro film or computer-generated micro
fiche.
“Data” means:
1. Representation of information, knowledge, facts, concepts, or instructions
which are being prepared or have been prepared in a formalized manner;
2. Intended to be processed, is being processed or has been processed in
a computer system or computer network and may be in any form
(including computer printouts, magnetic or optical storage media,
punched cards, punched tapes) or stored internally in the memory of the
computer.
Privacy:
The main principles on data protection and privacy enumerated under the IT Act, 2000 are:
• Defining ‘data’, ‘computer database’, ‘information’, ‘electronic form’, ‘originator’, ‘addressee’ etc.
• Creating civil liability if any person accesses or secures access to computer, computer system or
computer network
• Creating criminal liability if any person accesses or secures access to computer, computer system or
computer network.
• Declaring any computer, computer system or computer network as a protected system.
• Imposing penalty for breach of confidentiality and privacy.
• Setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber Regulations
Appellate Tribunal etc.
Personal Information-
Personal information is defined as “information that relates to a natural person which either directly or
indirectly, in combination with other information available or likely to be available with a body
corporate, is capable of identifying such person.” The following are treated as falling under the definition
of personal information-
♫ Passwords
♫ Financial information
♫ Physical/physiological/mental health condition
♫ Sexual orientation
♫ Medical records and history; and
♫ Biometric information
Rule 5(1) requires that Body Corporate should, prior to collection, obtain consent in writing
through letter or fax or email from the provider of sensitive personal data regarding the use of
that data.
Ques 1- Draw a flowchart for finding the sum of the first 100 odd numbers.
Solution 1
The flowchart is drawn as under and is explained step by step below. The step numbers are shown
in the flowchart in circles and as such are not a part of the flowchart but only a referencing device.
Our purpose is to find the sum of the series 1, 3, 5, 7, 9 ... (100 terms). The student can verify that the 100th
term would be 199. We propose to set A = 1 and then go on incrementing it by 2 so that it holds the
various terms of the series in turn. B is an accumulator in the sense that A is added to B whenever A is
incremented. Thus, B will hold
1 + 3 = 4,
4 + 5 = 9,
9 + 7 = 16, etc. in turn.
Since we must stop at the 100th term, which is equal to 199, A is repeatedly incremented in
step 5 and added to B in step 3. In other words, B holds the cumulative sum up to the latest term held
in A.
Question 2
A bank has 500 employees. The salary paid to each employee is the sum of his Basic Pay (BP),
Dearness Allowance (DA) and House Rent Allowance (HRA). For computing HRA, the bank has
classified its employees into three classes A, B and C. The HRA for each class is computed at the
rate of 30%, 20% and 10% of the Basic Pay respectively. The DA is computed at a flat rate of 60% of
the Basic Pay. Draw a flowchart to determine the percentage of employees falling in each of the
following salary slabs.
• Above ₹ 30,000
• ₹ 15,001 to ₹ 30,000
• ₹ 8,001 to ₹ 15,000
• Less than or equal to ₹ 8,000
Solution 2
P1, P2, P3 and P4: Percentage of employees falling in salary slab (salary<=8,000); salary slab
(8,001<= salary<=15,000); salary slab (15,001<= salary<=30,000) and salary slab (salary >=30,000)
respectively.
C1, C2, C3 and C4 are the number of employees falling in salary slab (salary<=8,000); salary slab
(8,001<= salary<=15,000); salary slab (15,001<= salary<=30,000) and salary slab (salary >=30,000)
respectively.
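The two flowcharts above are easiest to check by running their logic. The code below is an added example (not part of the notes): the first function follows Solution 1 step by step (A holds the current odd term, B accumulates), and the second computes the Question 2 salary, slabs and percentages C1..C4 / P1..P4 over a constructed list of ten employees rather than the bank's 500; the slab boundaries are taken as stated in the question, with the top slab strictly above ₹ 30,000.

```python
"""Logic of the two flowchart questions, as an added example that is not
part of the original notes. Employee data below is constructed.
"""
from decimal import Decimal


def sum_first_odd_terms(n=100):
    """Solution 1 as a loop: A holds the current odd term (1, 3, 5, ...),
    B accumulates the running sum, and we stop when A is the n-th term.
    Returns (last term, sum)."""
    a = 1                # first term of the series
    b = 0                # accumulator
    last = 2 * n - 1     # n-th odd number; 199 when n = 100
    while True:
        b += a           # step 3: add the current term to the accumulator
        if a == last:    # step 4: stop once the n-th term has been added
            break
        a += 2           # step 5: move A to the next odd term
    return a, b


# Question 2 parameters
DA_RATE = Decimal("0.60")
HRA_RATE = {"A": Decimal("0.30"), "B": Decimal("0.20"), "C": Decimal("0.10")}


def salary(bp, hra_class):
    """Salary = BP + DA (60% of BP) + HRA (30/20/10% of BP by class)."""
    bp = Decimal(bp)
    return bp + DA_RATE * bp + HRA_RATE[hra_class] * bp


def slab(sal):
    """Slab number 1..4, boundaries as listed in the question."""
    if sal <= 8000:
        return 1
    if sal <= 15000:
        return 2
    if sal <= 30000:
        return 3
    return 4          # above 30,000


def slab_percentages(employees):
    """employees: list of (basic pay, class).
    Returns ([C1, C2, C3, C4], [P1, P2, P3, P4])."""
    counts = [0, 0, 0, 0]
    for bp, cls in employees:
        counts[slab(salary(bp, cls)) - 1] += 1
    n = len(employees)
    pct = [Decimal(c) * 100 / n for c in counts]
    return counts, pct


# Constructed sample (basic pay, HRA class); not the bank's real 500 employees
EMPLOYEES = [
    (4000, "C"), (5000, "A"), (6000, "B"), (8000, "A"), (10000, "B"),
    (12000, "C"), (16000, "A"), (20000, "C"), (4500, "B"), (17000, "C"),
]

if __name__ == "__main__":
    print("100th term and sum:", sum_first_odd_terms())
    counts, pct = slab_percentages(EMPLOYEES)
    for i in range(4):
        print(f"C{i + 1} = {counts[i]}, P{i + 1} = {pct[i]}%")
```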
Question 3
ABC Ltd. is engaged in the business of producing consumer durable products. It is facing the
problem of poor customer service due to its broken, inefficient, and manual processes. The
customers of the company are becoming more demanding with respect to higher quality of
products and delivery time.
To remain competitive in market & to overcome issues faced by its customers, the company
decided to optimize & streamline its essential business processes using latest technology to
automate the functions involved in carrying out these essential processes. The management of
company is very optimistic that with automation of business processes, it will be able to extract
maximum benefit by using the available resources to their best advantage. Moreover, with
automation the company will be able to integrate various processes and serve its customers
better and faster. The management is aware that automation of business processes will lead to
new types of risks in the company’s business.
The failure or malfunction of any critical business process will cause significant operational
disruptions and materially impact its ability to provide timely services to its customers. The
management of ABC Ltd. adopted different Enterprise Risk Management (ERM) strategies to
operate more effectively in environment filled with risks. To reduce impact of these risks,
company also decided to implement necessary internal controls. Answer the following Questions-
1. The processes automated by ABC Ltd. are susceptible to many direct and indirect
challenges. Which of the following factors cannot be considered valid in case the company
fails to achieve the desired results?
(a) Business processes are not well thought or executed to align with business objectives.
(b) The staff may perceive automated processes as threat to their jobs.
(c) The documentation of all the automated business processes is not done properly.
(d) Implementation of automated processes in the company may be an expensive proposition.
2. The processes automated by ABC Ltd. are technology driven. The dependence on
technology in key business processes exposed the company to various internal as well as
external threats. According to you, external threats leading to cyber-crime in BPA arise
because:
(a) Organizations may have a highly defined organization structure with clearly defined
roles, authority and responsibility.
(b) There may not be one but multiple vendors providing different services.
(c) System environment provides access to customers anytime, anywhere using internet.
(d) The dependence on technology is insignificant.
3. Management of ABC Ltd. adopted a holistic & comprehensive approach of Enterprise Risk
Management (ERM) framework by implementing controls across the company. Identify
the false statement w.r.t. components of ERM framework.
(a) As a part of event identification, potential events that might have an impact on the
entity should be identified.
(b) As a part of risk assessment component, identified risks are analyzed to form a basis
for determining how they should be managed.
(c) As a part of monitoring, the entire ERM process should be monitored with no further
modifications in the system.
(d) As a part of control activities, policies and procedures are established and executed to
help ensure that the risk responses that management selected are effectively carried
out.
Solution 3
Q. Answer Description
1 C The documentation of all automated business processes is not done properly.
2 C System environment provides access to customers anytime, anywhere using the internet.
3 C As a part of monitoring, the entire ERM process should be monitored with no further modifications in the system.
4 B Processing Control
Question 4
DXN Ltd. is engaged in manufacturing consumer products for women. Company released a new
product recently which met with unexpected success. The company was established as a market
leader in that product. The growing volume of sales transactions started to put a strain on
company’s internal processes. The company employed 300 more employees to ensure that the
customers are served better and faster. But with the increase in number of monthly transactions
to 1.5 million, the manual processes which were being followed by the company at present, were
holding it back. The company was not able to meet consumer demands even after employing
additional 300 employees. The management consultant Mr. X of DXN Ltd. advised automating the
key business processes of the company to handle large volume of transactions to meet the
expectations of its customers and maintain its competitive edge in the market.
Mr. X gathered extensive information about the different activities involved in the current
processes followed by DXN Ltd. like what the processes do, the flow of various processes, the
persons who are in-charge of different processes etc. The information so collected helped him in
understanding the existing processes such as flaws, bottlenecks, and other less obvious features
within the existing processes. Based on the information gathered about the current processes,
Mr. X prepared various flowcharts depicting how various processes should be performed after
automation and submitted his report to the management covering the following points:
♦ The major benefits of Business Process Automation.
♦ The processes that are best suited to automation.
♦ Challenges that DXN Ltd. may face while implementing automated processes
♦ Risks involved in Business Process Automation and how management should manage risks.
2. While understanding the criticality of various business processes of DXN Ltd., the consultant
Mr. X documented the current processes and identified the processes that needed
automation. However, documentation of existing processes does not help in ________.
(a) providing clarity on the process
(b) determining the sources of inefficiency, bottlenecks, and problems
(c) controlling resistance of employees to the acceptance of automated processes
(d) designing the process to focus on the desired result with workflow automation
3. When DXN Ltd. decided to adopt automation to support its critical business processes, it
exposed itself to number of risks. One risk that the automated process could lead to
breakdown in internal processes, people and systems is a type of ________.
(a) Operational Risk
(b) Financial Risk
(c) Strategic Risk
(d) Compliance Risk
4. Mr. X of DXN Ltd. prepared various flowcharts depicting how various processes should be
performed after automation and submitted his report to the management. The flowcharting
symbol that he used to depict a processing step is ________.
(a) Rectangular Box
(b) Diamond
(c) Oval
(d) Line
Solution 4
Q. Answer Description
1 B Processes requiring employees to use personal judgment.
2 C Controlling resistance of employees to the acceptance of automated processes.
3 A Operational Risk
4 A Rectangle Box
In a system there are various elements which are inter-related and inter-dependent and
interact with each other to achieve the goals of the system. All systems generally:
▪ have inputs, outputs, and feedback mechanisms;
▪ maintain an internal steady state despite a changing external environment;
▪ have boundaries that are usually defined by the system observer.
A system includes defined methods and processes to perform an activity. So basically, processes
are important components in any system.
Master Data
▪ Master data is permanent data that is not expected to change again and again.
▪ It may change, but not again and again.
▪ The types of master data are shown in a figure (not reproduced here).
Non-Master Data
▪ It is data which is expected to change frequently and is not permanent.
▪ Example: The amount covered under transactions differs each time. The date recorded in each
transaction is expected to change again and again and will not be constant across all
transactions.
Generally the following types of vouchers are used in accounting systems, as shown in the table:
S.N. | Voucher Type | Module | Use
1 | Payment | Accounting | For recording all types of payments, whenever money goes out of the business by any mode (cash/bank).
2 | Receipt | Accounting | For recording all types of receipts, whenever money is received into the business from outside by any mode (cash/bank).
3 | Journal | Accounting | For recording all non-cash/bank transactions, e.g., depreciation, provision, write-off, write-back, discount given/received, purchase/sale of fixed assets on credit, etc.
4 | Sales | Accounting | For recording all types of trading sales by any mode (cash/bank/credit).
5 | Purchase | Accounting | For recording all types of trading purchases by any mode (cash/bank/credit).
6 | Credit/Debit Note | Accounting | For making changes/corrections in already recorded sales/purchase transactions.
7 | Purchase Order | Inventory | For recording a purchase order raised on a vendor.
8 | Sales Order | Inventory | For recording a sales order received from a customer.
9 | Stock Journal | Inventory | For recording physical movement of stock from one location to another.
10 | Physical Stock | Inventory | For making corrections in stock after physical counting.
11 | Delivery Note | Inventory | For recording physical delivery of goods sold to a customer.
12 | Receipt Note | Inventory | For recording physical receipt of goods purchased from a vendor.
13 | Memorandum | Accounting | For recording transactions which will be in the system but will not affect the trial balance.
14 | Attendance | Payroll | For recording attendance of employees.
15 | Payroll | Payroll | For salary calculations.
Now we will study, with the help of an example, what front end and back end are:
There is a table within your restaurant, a place where a controlled interaction happens between
customers and the restaurant staff (Front End). The waiter receives the order and passes it on to the
cook in the kitchen. The cook prepares the food as per the requirement and hands it over to the waiter
(Back End).
Installed Application-
These are programs that are installed on the hard disc of the user’s computer
Cloud-Based Application
Organizations are increasingly hosting their applications on the Internet and outsourcing their IT
functions. There are many methods through which this can be achieved, the most common among
them being SaaS (Software as a Service) and IaaS (Infrastructure as a Service).
Comparison of Installed and Cloud-Based Applications:
Performance
Installed Application: A well written installed application shall always be faster than a web application, the reason being that data is picked from the local server.
Cloud-Based Application: Access is dependent on the speed of the internet. Slow internet slows access to information and may slow operations.
Accessibility
Installed Application: As the software is installed on the hard disc of the user's computer, the user needs to go to the computer on which the software is installed to use it. It cannot be used from any other computer.
Cloud-Based Application: As the software is available through online access, a browser and an internet connection are needed to use it.
Installation & Maintenance
Installed Application: As the software is installed on the hard disc of the computer used by the user, it needs to be installed on every computer one by one. This may take a lot of time. Also, maintenance & updating of the software may take a lot of time and effort.
Cloud-Based Application: Installation on the user's computer is not required. Updates and maintenance are the defined responsibility of the service provider.
Data Storage
Installed Application: Data is physically stored in the premises of the user, i.e., on the hard disc of the user's server computer. Hence the user has full control over the data.
Cloud-Based Application: Data is not stored on the user's server computer. It is stored on a web server. Ownership of data is defined in the Service Level Agreement (SLA), which defines the responsibilities & authority of both service provider & service user.
Security of Data
Installed Application: As the data is in the physical control of the user, the user has full physical control over the data and can ensure that it is not accessed without proper authorization.
Cloud-Based Application: Data is not in the control of the user or owner of the data. As time evolves, SLAs provide details of the back-up and disaster recovery alternatives used by the service provider.
2. Technology usage:
• ERP packages are adapted to utilize the latest developments in Information Technology
such as open systems, client/server technology, Cloud Computing, Mobile computing etc.
• It is this adaptation of ERP to the latest changes in IT that makes adaptation to changes in
future development environments possible.
3. On-time Shipment:
• Since ERP encompasses integration and automation of all functions of the business, hence
chances of errors are minimal, and the production efficiency is high.
• Thus, by integrating the various business functions and automating the procedures and
tasks, the ERP system ensures on-time delivery of goods to the customers.
6. Flexibility:
• ERP Systems help companies to remain flexible by making company information available
across the departmental barriers and automating most of the processes and procedures,
thus enabling the company to react quickly to changing market conditions.
8. Information Integration:
• The reason ERP systems are called integrated is because they possess the ability to
automatically update data between related business functions and components.
• For example - one needs to only update the status of an order at one place in the order-
processing system and all the other components will automatically get updated;
9. Low Cost:
• An ERP System’s central database eliminates redundant specifications and ensures that a
single change to standard procedures takes effect immediately throughout the
organization.
• It also provides tools for implementing total quality management programs within an entity.
(a) All the persons in the organization access the same set of data on a day-to-day basis. This
again poses the risk of leakage of information.
(b) All users shall use the same data for recording of transactions. Hence there is one more
risk of incorrect data being put into the system by an unrelated user.
ERP system implementation is a huge task and requires a lot of time, money and, above all,
patience. The success or failure of any ERP, or its payback or ROI, depends on its successful
implementation and, once implemented, its proper usage. This section discusses the risks related
to various aspects, i.e., People, Process, Technological, Implementation and Post-implementation
issues that arise during implementation, and the related controls. Below is a tabular presentation
of the risks associated and the controls required for each aspect:
PEOPLE ASPECT
Change Management
Risk Associated: The way in which the entity functions will change; planning, forecasting & decision-making capability improves.
Control Required: Project requirements are to be properly documented and signed by the users and senior management.
Training
Risk Associated: Since the greater part of the training takes place towards the end of the ERP implementation cycle, management may curtail the training because of budget.
Control Required: Training is a project-managed activity & shall be imparted to users in an entity by skilled consultants and representatives of hardware vendors.
Staff Turnover
Risk Associated: Employee turnover, i.e., qualified and skilled personnel leaving the company during the implementation and transition phases, can affect the schedules, resulting in delayed implementation and cost overrun.
Control Required: This can be controlled and minimized by allocation of employees to tasks matching their skill-set, and by fixing the compensation package and other benefits accordingly.
Top Mgmt. Support
Risk Associated: ERP implementation will fail if top management does not support it and grant permission for the availability of the huge resources required.
Control Required: ERP implementation shall be started only after top management is fully convinced & assured of providing full support.
Consultants
Risk Associated: These are experts in implementation of the ERP package and might not be familiar with the internal workings and organizational culture.
Control Required: The consultants should be assigned a liaison officer, a senior manager, who can familiarize them with the company and its working.
PROCESS ASPECT
Program Management
Risk Associated: There could be a possibility of an information gap between day-to-day.
Control Required: Requires bridging the information gap between traditional ERP-based functions & operational management functions.
Business Process Reengineering (BPR)
Risk Associated: BPR means not just change but dramatic change & dramatic improvements.
Control Required: Requires overhauling of organizational structure, management structure and systems, job descriptions etc.
TECHNOLOGICAL ASPECT
Software Functionality
Risk Associated: Implementing all the functionality and features just for the sake of it can be dangerous for an organization.
Control Required: Care should be taken to incorporate the features that are required by the organization and to support additional features and functionality that might be required at a future date.
Technological Obsolescence
Risk Associated: With the launch of more efficient technologies every day, the ERP system also becomes obsolete as time goes on.
Control Required: Requires critical choice of technology, architecture of product, ease of enhancements and upgrading, and quality of vendor support.
Enhancement and Upgrades
Risk Associated: ERP systems are not upgraded and kept up to date; patches & upgrades are not installed.
Control Required: Care must be taken while selecting the vendor, and upgrade/support contracts should be signed to minimize the risks.
Application Portfolio Management
Risk Associated: Processes focus on the selection of new business applications and the projects required in delivering them.
Control Required: IT organizations can begin to reduce the duplication and complexity.
IMPLEMENTATION ASPECT
Lengthy implementation time
Risk Associated: ERP projects are lengthy, taking between 1 to 4 years depending upon the size of the entity.
Control Required: Care must be taken to keep the momentum high and enthusiasm alive amongst the employees, so as to minimize the risk.
Insufficient Funding
Risk Associated: Budget for ERP implementation is allocated without consulting the experts & then implementation is stopped due to lack of funds.
Control Required: It is necessary to allocate the necessary funds for the ERP implementation project and then allocate some more for contingencies.
Speed of Operation
Risk Associated: A centralized database leads to heavy size and thereby reduces the speed of operations.
Control Required: This can be controlled by removing redundant data, use of a warehouse etc.
Controls
Controls are classified into General Controls and Application Controls. General Controls include:
▪ Management controls: deal with organizations, policies, procedures, planning, and so on.
▪ Environmental controls: are operational controls administered through the computer centre/computer operations group and the built-in operating system controls.
Some of the queries that may be made by the auditor during an ERP audit:
▪ Does the system process according to GAAP?
▪ Does it meet the needs for reporting?
▪ Are effective system operations and support functions provided?
▪ Does the system protect confidentiality & integrity of information assets?
▪ Are there adequate audit trails and monitoring of user activities?
▪ Is there an ERP system administrator with clearly defined responsibilities?
▪ Are users trained? Do they have complete and current documentation?
▪ Is there a problem-escalation process?
AUDIT OF DATA
▪ Physical Safety: Ensuring physical control over data.
▪ Access Control: Ensuring access to the system is given on a "need to know" and "need to do" basis.
AUDIT OF PROCESSES
▪ Functional Audit: This includes testing of different functions/features in the system and testing of the overall process or part of a process in the system and its comparison with the actual process.
▪ Input Validations: This stands for checking of rules for input of data into the system. Input validations shall change according to each data input form.
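As an added illustration of the two audit points above (access given on a "need to do" basis, and input validation rules that differ per data entry form), the following Python example, which is not part of the original notes, checks constructed voucher entries of the types listed in the voucher table. The role-to-module mapping, the validation rules and the sample vouchers are assumptions made for the example.

```python
from datetime import date
from decimal import Decimal, InvalidOperation

# Module each voucher type belongs to (as in the voucher table above).
VOUCHER_MODULE = {
    "Payment": "Accounting", "Receipt": "Accounting", "Journal": "Accounting",
    "Sales": "Accounting", "Purchase": "Accounting",
    "Purchase Order": "Inventory", "Stock Journal": "Inventory",
    "Attendance": "Payroll", "Payroll": "Payroll",
}

# Constructed role-to-module mapping: a user may post only into the modules
# that his or her job needs ("need to do" basis).
ROLE_MODULES = {
    "accounts_clerk": {"Accounting"},
    "stores_clerk": {"Inventory"},
    "payroll_officer": {"Payroll"},
}

AUDIT_TRAIL = []  # every attempt, allowed or refused, is recorded here


def _amount(value) -> Decimal:
    """Parse a money amount: numeric, positive, at most two decimal places."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        raise ValueError(f"amount {value!r} is not numeric")
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be a positive number")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount may have at most two decimal places")
    return amount


def validate_voucher(voucher: dict) -> list:
    """Return the list of input validation errors (empty when the form is valid).
    The rules differ per voucher type, as the note on input validations says."""
    vtype = voucher.get("type")
    if vtype not in VOUCHER_MODULE:
        return [f"unknown voucher type {vtype!r}"]
    errors = []
    if not isinstance(voucher.get("date"), date):
        errors.append("date must be a calendar date")
    elif voucher["date"] > date.today():
        errors.append("date cannot be in the future")
    if vtype in ("Payment", "Receipt"):
        # Money moving in or out: mode and amount are mandatory.
        if voucher.get("mode") not in ("cash", "bank"):
            errors.append("mode must be 'cash' or 'bank'")
        try:
            _amount(voucher.get("amount"))
        except ValueError as exc:
            errors.append(str(exc))
    elif vtype == "Journal":
        # Non-cash entries must balance: total debits equal total credits.
        lines = voucher.get("lines") or []
        try:
            debit = sum(_amount(l["amount"]) for l in lines if l["side"] == "Dr")
            credit = sum(_amount(l["amount"]) for l in lines if l["side"] == "Cr")
            if not lines or debit != credit:
                errors.append("journal debits and credits must balance")
        except (KeyError, TypeError, ValueError) as exc:
            errors.append(f"bad journal line: {exc}")
    elif vtype == "Stock Journal":
        # Physical movement of stock needs two different locations and a count.
        if voucher.get("from_location") == voucher.get("to_location"):
            errors.append("stock movement needs two different locations")
        qty = voucher.get("quantity")
        if not isinstance(qty, int) or isinstance(qty, bool) or qty <= 0:
            errors.append("quantity must be a positive whole number")
    return errors


def post_voucher(user: str, role: str, voucher: dict) -> str:
    """Apply the access check first, then the input checks, and log the outcome.
    Returns 'posted' or a refusal/rejection reason."""
    module = VOUCHER_MODULE.get(voucher.get("type"))
    if module not in ROLE_MODULES.get(role, set()):
        outcome = f"refused: role {role} may not post into {module}"
    else:
        errors = validate_voucher(voucher)
        outcome = "posted" if not errors else "rejected: " + "; ".join(errors)
    AUDIT_TRAIL.append({"user": user, "role": role,
                        "type": voucher.get("type"), "outcome": outcome})
    return outcome


if __name__ == "__main__":  # constructed sample entries
    print(post_voucher("asha", "accounts_clerk",
                       {"type": "Payment", "date": date(2022, 8, 1),
                        "mode": "bank", "amount": "1250.00"}))
    print(post_voucher("asha", "accounts_clerk",
                       {"type": "Stock Journal", "date": date(2022, 8, 1),
                        "from_location": "A", "to_location": "B", "quantity": 5}))
    for entry in AUDIT_TRAIL:
        print(entry)
```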
• Service Business – This type of business does not have any inventory. It is selling of skills /
knowledge/Efforts/time. E.g., Doctors, Architects, Chartered Accountants, are professionals
into service business. This industry does not require inventory module.
There may be different business units within a business. Hence different modules are
possible in an integrated system. Diagram on next page denotes types of modules in ERP
system:
Financial Accounting Module:
This module is the most important module of the overall ERP System and it connects all the
modules to each other. Following are the features of this module:
o Tracking of flow of financial data across the organization in a controlled manner.
o General Ledger Accounting
o Tax Configuration
o Account Payables (Creation of Vendor Master data).
o Account Receivables (Creation of Customer Master data).
o Asset Accounting.
o Integration with Sales and Distribution and Materials Management.
Controlling Module:
This module facilitates coordinating, monitoring, & optimizing all processes in an organization.
It controls the business flow in an organization. Two kinds of elements are managed in
Controlling: Cost Elements and Revenue Elements. Following are the key features of this
module:
o Overview of the costs and revenues that occur in an organization.
o Cost Center Accounting;
o Activity-Based-Accounting
o Internal Orders;
o Product Cost Controlling
o Profitability Analysis.
Sales and Distribution Module:
Sales and Distribution is used by organizations to support sales and distribution activities of
products and services, starting from enquiry to order and then ending with delivery. Key Features:
• Setting up Organization Structure;
• Assigning organizational units.
• Defining Pricing Components.
• Setting up sales document types, billing types & tax related.
• Setting up customer master data records and configuration.
Conversion into Work in Process (WIP) may include more than one step. Also, conversion
into Finished Goods may include a packing process.
Data analysis is done by different industries by different means. Below are
the types of data analysis done by these industries:
1. Advanced types of data analytics include data mining, which involves sorting through large
data sets to identify trends, patterns & relationships. Big data analytics applies data mining.
2. E-commerce companies and marketing services providers do clickstream analysis to identify
website visitors who are more likely to buy a product or service based on navigation and
page-viewing patterns.
3. Mobile network operators examine customer data to prevent defections to business rivals;
to boost customer relationship management efforts etc.
4. Healthcare organizations mine patient data to evaluate the effectiveness of treatments for
cancer and other diseases.
In an Online Transaction Processing (OLTP) system, information that could be fed into a
product database could be:
• Add a product line
• Change a product price
Correspondingly, in a Business Intelligence (BI) system, the query that would be executed for the
product subject area could be: did the addition of a new product line or the change in product
price increase revenues? In an advertising database of an OLTP system, the transactions that could be
executed are:
• Change in advertisement options
• Increase radio budget
In the BI system the query that could be executed would be: how many new clients were added due to
the change in radio budget? In an OLTP system dealing with customer demographic databases, the
data that could be fed would be:
• Increase customer credit limit.
• Change in customer salary level.
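As an added example that is not part of the original notes, the following Python code runs the product-database entries above against a constructed SQLite database: the OLTP functions record the short transactions (add a product line, change a product price, record a sale) and the BI functions answer the revenue question. Table and column names and the sample figures are constructed for the example; a real BI system would read from a separate data warehouse rather than the live OLTP tables.

```python
import sqlite3

# Constructed schema: an operational product table, the sales that reference
# it, and a history of price changes that the BI query later relies on.
SCHEMA = """
CREATE TABLE product (
    product_id INTEGER PRIMARY KEY, name TEXT NOT NULL,
    line TEXT NOT NULL, price REAL NOT NULL);
CREATE TABLE sale (
    sale_id INTEGER PRIMARY KEY, product_id INTEGER NOT NULL REFERENCES product,
    qty INTEGER NOT NULL, unit_price REAL NOT NULL, sale_date TEXT NOT NULL);
CREATE TABLE price_change (
    product_id INTEGER NOT NULL, old_price REAL, new_price REAL,
    changed_on TEXT NOT NULL);
"""


def open_db() -> sqlite3.Connection:
    """In-memory database seeded with one constructed product."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO product VALUES (1, 'Hair dryer', 'Appliances', 1000.0)")
    return conn


# --- OLTP side: short transactions that change the operational data --------

def add_product_line(conn, line: str, products) -> int:
    """OLTP entry 'add a product line'; `products` is a list of (name, price)."""
    with conn:
        conn.executemany(
            "INSERT INTO product (name, line, price) VALUES (?, ?, ?)",
            [(name, line, price) for name, price in products])
    return len(products)


def change_product_price(conn, product_id: int, new_price: float, changed_on: str):
    """OLTP entry 'change a product price', keeping the old price for analysis."""
    with conn:
        (old_price,) = conn.execute(
            "SELECT price FROM product WHERE product_id = ?", (product_id,)).fetchone()
        conn.execute("UPDATE product SET price = ? WHERE product_id = ?",
                     (new_price, product_id))
        conn.execute("INSERT INTO price_change VALUES (?, ?, ?, ?)",
                     (product_id, old_price, new_price, changed_on))


def record_sale(conn, product_id: int, qty: int, sale_date: str):
    """OLTP entry recording a sale at the price in force on that day."""
    with conn:
        (price,) = conn.execute(
            "SELECT price FROM product WHERE product_id = ?", (product_id,)).fetchone()
        conn.execute(
            "INSERT INTO sale (product_id, qty, unit_price, sale_date) VALUES (?, ?, ?, ?)",
            (product_id, qty, price, sale_date))


# --- BI side: aggregate questions over the accumulated history -------------

def revenue_before_after(conn, product_id: int) -> tuple:
    """BI question 'did the price change increase revenues?': returns the
    (before, after) revenue totals around the latest recorded price change."""
    (changed_on,) = conn.execute(
        "SELECT MAX(changed_on) FROM price_change WHERE product_id = ?",
        (product_id,)).fetchone()
    if changed_on is None:
        raise ValueError("no price change recorded for this product")
    row = conn.execute("""
        SELECT COALESCE(SUM(CASE WHEN sale_date <  ? THEN qty * unit_price END), 0),
               COALESCE(SUM(CASE WHEN sale_date >= ? THEN qty * unit_price END), 0)
        FROM sale WHERE product_id = ?""", (changed_on, changed_on, product_id)).fetchone()
    return (row[0], row[1])


def revenue_by_line(conn) -> dict:
    """BI question 'did the new product line add revenue?': revenue per line,
    with lines that have no sales yet reported as 0."""
    rows = conn.execute("""
        SELECT p.line, COALESCE(SUM(s.qty * s.unit_price), 0)
        FROM product p LEFT JOIN sale s ON s.product_id = p.product_id
        GROUP BY p.line ORDER BY p.line""").fetchall()
    return {line: total for line, total in rows}


if __name__ == "__main__":  # constructed walk-through
    db = open_db()
    for qty, day in [(2, "2022-07-01"), (3, "2022-07-02"), (2, "2022-07-03")]:
        record_sale(db, 1, qty, day)
    change_product_price(db, 1, 1100.0, "2022-07-10")
    for qty, day in [(3, "2022-07-11"), (4, "2022-07-12")]:
        record_sale(db, 1, qty, day)
    add_product_line(db, "Personal care", [("Straightener", 1500.0)])
    print("revenue before/after price change:", revenue_before_after(db, 1))
    print("revenue by product line:", revenue_by_line(db))
```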
3. This reporting process involves querying data sources with different logical models
to produce a readable report for the stakeholders.
4. Organizations conduct a wide range of reporting, including financial and regulatory
reporting; Environmental, Social, and Governance (ESG) reporting (or sustainability
reporting); and, increasingly, integrated reporting.
5. Organizations communicate with their stakeholders about:
▪ Mission, vision, objectives, and strategy.
▪ Governance arrangements and risk management.
▪ Trade-offs between the shorter and longer-term strategies; and
▪ Financial, social, and environmental performance.
Working of XBRL:
1. XBRL is a standards-based way to communicate and exchange business information
between business systems.
2. These communications are defined by metadata set out in taxonomies;
3. These capture the definition of individual reporting concepts as well as the
relationships between concepts.
4. The new digital format allows us to have information being clearly defined,
platform-independent, testable and also digital.
Ques 1-
XYZ a leading publication house of Delhi was facing many issues like delay in completing the
order of its customers, manual processing of data, increased lead time, inefficient business
processes etc. Hence, the top management of XYZ decided to get SAP - an ERP system
implemented in the publication house.
Using the proper method of vendor selection, Digisolution Pvt. Ltd. was selected to implement
SAP software in XYZ publication house. To implement the software, the IT team of Digisolution
Pvt. Ltd. visited XYZ’s office number of times and met its various officials to gather and
understand their requirements. With due diligence, the SAP software was customized and well
implemented in the publishing house. After the SAP implementation, the overall system
became integrated and well connected with other departments. This raised a concern in the
mind of few employees of XYZ worrying about their jobs’ security leading to quitting of jobs.
The top management of XYZ showed its concern on this issue and wanted to retain few of its
employees. Answer the following questions-
1. Imagine that you are a core team member of Digisolution Pvt. Ltd. While customizing the Sales &
Distribution Module of SAP software, you need to know the correct sequence of all activities
involved in it. Identify the option that reflects the correct sequence of activities:
i. Material Delivery
ii. Billing
iii. Pre-Sales Activities
iv. Sales Order
v. Payments
vi. Inventory Sourcing
Choose the correct sequence from the following-
a) (i) - (iii) – (ii) – (iv) – (v)- (vi)
b) (ii) – (iv)- (vi) – (iii) – (i) – (v)
c) (iii)- (iv) – (vi)- (i) –(ii) – (v)
d) (iv)- (i) – (iii), (v), (ii), (vi)
2. In view of the above situation, which of the following controls can help the management of
XYZ publishing house to retain its employees and stop them from leaving the company?
a) Training can be imparted to employees by skilled consultant.
b) Allocation of employees to task matching their skill set, fixing of compensation package.
c) Management should stop the implementation of ERP.
d) Backup arrangement is required.
3. The SAP software was successfully implemented by XYZ publication house after overcoming
many challenges. The risk associated with “Patches and upgrades not installed, and the tools
being underutilized” belongs to __________ risk?
a) Technological.
b) Implementation.
c) People.
d) Process.
Solution 1-
Q. Answer Description
1 C (iii) - (iv) - (vi) - (i) - (ii) - (v)
2 B Allocation of employees to task matching their skill set, fixing of compensation package.
3 A Technological
Ques 2-
Unique Services, a well-established firm of Chartered Accountants with nine branches at
different locations in Delhi, deals in accounting, auditing, and taxation assignments like – return
filing, corporate taxation and planning, company formation & registration of foreign companies
etc. The firm has its own ERP software. The firm decided to come up with Real Estate Regulatory
Authority (RERA) registration which requires upgradation in its software. Hence, the principal
partner of the firm asked its associate partner to prepare a list of various clients dealing in
construction and development of flats, commercial properties etc. The firm’s management took
care to select the vendor to upgrade their ERP software, which will act as an online assistant to its
clients providing them complete details about registration and filing of various forms and
resolving their frequently asked questions. The firm also wanted a safe and secure working
environment for its employees to file various forms under the RERA Act on behalf of clients using
digital signatures. The management also instructed its employees to mandatorily use the Digital
Signature of clients for fair practices; any dishonesty found in this regard may lead to penal
provisions under various acts including the IT Act, 2000. Answer the following questions-
1. Unique Services requires to make changes in its software for its users for RERA related
matters. Identify the part of overall software which actually interacts with users?
a) Back End.
b) Front End.
c) Middle Layer.
d) Reports.
2. The firm decided to have an online assistant for its clients to provide complete details regarding
taxation, registration & filing of various forms & solve their queries. This is an example
of _________ application?
a) Installed application
b) Web Application
c) Cloud Based Application
d) Direct Application
3. While filing the tax for its client ABC, the firm Unique Services enters the details of its TDS and GST
in the requisite forms. Identify which type of master data this belongs to:
a) Accounting Master Data
b) Inventory Master Data
c) Statutory Master Data
d) Payroll master Data
Solution 2-
Q. Answer Description
1 B Front End
2 C Cloud Based Application.
3 C Statutory Master Data
The main aim and purpose of each Information System is to convert data into information
which is useful and meaningful. An Information System depends on its resources (People,
Hardware, Software, Data and Network, described below) to perform input, processing, output,
storage, and control activities that transform data resources into information products. This
information system model highlights the relationships among the components and activities of
information systems. An information system model comprises the following steps:
o Input: Data is collected from an organization or from external environments &
converted into suitable format required for processing.
o Process: A process is a series of steps undertaken to achieve a desired outcome or goal.
Businesses looking to utilize Information Systems effectively do more: using
technology to manage and improve processes, both within a company and
externally with suppliers and customers, is the goal.
o Output: Then information is stored for future use or communicated to user after
application of respective procedure on it.
o Storage: The storage of data shall be done at the most detailed level possible. Regular
backups should be stored in a geographically different locations to avoid impact
on both the original data storage and the backup data storage due to any major
disasters such as flooding or fires etc.
o Feedback: Apart from these activities, information system also needs feedback that is
returned to appropriate members of the enterprises to help them to evaluate
at the input stage.
People : People here mean IT professionals i.e., who can use hardware and software for
retrieving the desired information.
Hardware : Means the physical components of the computers i.e., servers.
Software : Means the system software, application software.
Data : Data is the raw fact, which may be in the form of database
Network : Means communication media i.e., internet, intranet, extranet etc.
• Hardware- That part of Information Systems that you can touch-the physical
components of technology i.e., keyboard, mouse etc. It basically consists of devices that
perform the functions of input, processing, data storage and output activities of the
computer. Some of these devices:
a. Input devices: Devices through which we interact with the systems and include
devices like Keyboard, Mouse and other pointing devices.
b. Processing Devices: Include computer chips that contain the Central Processing Unit
and main memory. The Central Processing Unit (CPU or microprocessor) is the actual
hardware that interprets and executes the program (software) instructions. The
processor or CPU is like the brain of the computer. Following are the 3 functional
units of CPU:
Control Unit (CU): CU controls the flow of data and instruction to and from memory,
interprets the instruction and controls which tasks to execute and when.
Arithmetic and Logical Unit (ALU): Performs arithmetic operations such as addition,
subtraction, multiplication, and logical comparison of numbers: Equal to, Greater
than, less than, etc.
Processor Registers: These are high speed memory units within CPU for storing small
amount of data (mostly 32 or 64 bits). Registers could be:
▪ Accumulators: They can keep running totals of arithmetic values.
▪ Address Registers: They can store memory addresses which tell CPU as to where
in the memory an instruction is located.
▪ Storage Registers: They can temporarily store data that is being sent to or coming
from the system memory.
c. Data storage Devices: Refers to memory where data and programs are stored.
Various type of storage techniques/devices are-
Cache Memory:
There exists a difference in speed between primary memory & registers. In order to
bridge the gap, we have cache memory, which stores copies of data from frequently
used main memory locations.
1. Secondary Memory:
Secondary memory devices are non-volatile, have greater capacity (they are available in
large size), greater economy (the cost of these is lesser compared to register and RAM)
and slow speed (slower in speed compared to registers or primary storage).
d. Output Devices: Computer system provide output to decision makers at all level of the
enterprises to solve the business problems. These outputs may be visual, audio or digital
forms. Below are some types of output→
• Textual output comprises of characters that are used to create words, sentences, and
paragraphs.
• Graphical outputs are digital representations of non-text information such as drawings, charts,
photographs, and animation.
• Tactile output such as raised line drawings may be useful for some individuals who are blind.
• Audio output is any music, speech, or any other sound.
• Video output consists of images played back at speeds to provide the appearance of full motion.
• Software- Software is defined as a set of instructions that tell the hardware what to do.
Software is created through the process of programming. Software can be broadly divided
into two categories: Operating Systems Software and Application Software.
Computer Network:
Computer Network is a collection of computers and other hardware interconnected by
communication channels that allow sharing of resources and information.
Types of Networks:
Following are the 2 types of networks:
• Connection Oriented networks: Here a connection is first established and data is
exchanged thereafter.
• Connectionless Networks: No prior connection is made before data exchange. The data
to be exchanged carries the complete contact information of the recipient, and at each
intermediate destination it is decided how to proceed further.
These two types form the models on which computer networks are built. Each of these
networks is modeled to address the following basic issues:
o Routing: It refers to the process of deciding on how to communicate the data from
source to destination in a network.
o Bandwidth: It refers to the amount of data which can be sent across a network in given
time.
o Resilience: It refers to the ability of a network to recover from any kind of error like
connection failure, loss of data etc.
o Contention: It refers to the situation that arises when there is a conflict for some
common resource in a network. For example, network contention could arise when two
or more computer systems try to communicate at the same time.
1. Absence of controls:
• Absence or inadequate IS control framework and also lack or weak general controls
and IS controls.
4. Implementation complexities:
• Complexities of implementation of controls in distributed computing environments
and extended enterprises.
Classification (Objectives of Controls):
Controls, classified by the time at which they act, are: Preventive Control + Detective
Control + Corrective Control. Now we will study all of them in detail-
• Preventive Controls:
▪ These controls prevent errors, omissions, or security incidents from occurring.
▪ Examples: security checks such as a rule that a password must not include a name, or a
data-entry check that rejects alphabetic characters in a numeric field, etc.
▪ Any control can be implemented in both manual and computerized environment.
▪ One can give numerous examples on putting up preventive controls over manual and
computerized environment.
▪ Examples: Segregation of duties; Access control; Vaccination against diseases;
Documentation etc.
• Detective Controls:
▪ These controls are designed to detect errors, omissions or malicious acts that occur
and report the occurrence.
▪ Detective controls include monitoring and analysis to uncover activities or events
that exceed authorized limits or violate known patterns in data.
▪ A scenario: a detective control may identify account numbers of inactive accounts or
accounts that have been flagged for monitoring of suspicious activities.
▪ Examples: Cash counts; Bank reconciliation; Review of payroll reports; Comparing
transactions on reports to source documents; Hash totals; Past-due accounts report etc.
• Corrective Controls:
▪ It is desirable to correct errors, omissions, or incidents once they have been detected.
▪ This ranges from correcting data-entry errors, to identifying and removing
unauthorized users or software from systems or networks, to recovering from incidents
etc.
▪ These corrective processes also should be subject to preventive and detective
controls because they represent another opportunity for errors, omissions, or
falsification.
▪ Example: A Business Continuity Plan (BCP); Contingency planning; Backup procedure;
Rerun procedures etc.
• Environmental Controls:
▪ These controls are aimed at controlling the IT environment, such as power, air-conditioning,
Uninterrupted Power Supply (UPS), smoke detection, fire-extinguishers etc.
▪ Examples of physical access controls: Security guards, door alarms, restricted entry to secure
areas, visitor logged access, CCTV monitoring etc.
▪ Logical access controls are implemented to ensure that access to systems, data and
programs is restricted to authorized users.
▪ Logical access controls are the system-based mechanisms used to assign who will access or
what to be accessed.
Code to Remember: N. – C.U.R.E.S. – F.E. (NAC CURES)
Review of user access rights:
▪ A user's need for accessing information changes with time.
▪ The same needs to be reviewed at periodic intervals.
Network Access Control Devices – Call Back:
▪ It is based on the motto of keeping intruders off the intranet despite the security
measures already imposed.
▪ The call-back device requires the user to enter a password and then the system breaks
the connection.
▪ If the caller is authorized, the call-back device dials the caller's number to establish a
new connection.
Policy on Network Use:
▪ A business should formulate a policy for internet services that aligns with the business
objectives.
▪ Selection of appropriate services and approval to access them should be part of this
policy.
Faults & Errors:
Operating System Access Control:
An Operating System is the computer control program. It allows users and their
applications to share and access common computer resources. The operating system
control policy includes determining who can access the operating system, which
resources they can access, etc. An OS can be protected by the following means-
Code to remember: P.U.T. - D.A. - T.A.L.C.
• Password management system:
▪ Password-protected files should not be accessible to all users.
• User identification and authentication:
▪ Users must be identified and authenticated by means of biometric authentication,
digital certificates etc.
• Terminal identification automation:
▪ This will help to ensure that a specified session could only be initiated
from a certain location or computer terminal.
• Duress alarm to safeguard users:
▪ This alarm will activate and inform the concerned authority in case a
person accesses the operating system under threat.
• Access Token:
▪ After a successful login into the system, it creates a unique access token that
contains the details of the person who logged in.
▪ This token is used to approve different types of tasks on the OS.
• Terminal time out:
▪ In case a terminal is inactive for a defined period, the system
automatically times out the session. E.g., on income-tax site, 1 session is
of 15 minutes. After its expiry, re-login is required.
• Access Control:
▪ System administrator keeps a log of all access and maintains control of it.
▪ Resource owners are granted discretionary access control, which allows
them to grant access privileges to other users.
• Log-in procedures:
▪ The login procedure is the first step in controlling unauthorized access to
systems.
▪ When a user logs in by entering a user-id and password, the system compares the ID and
password to a database of valid users and accordingly authorizes the log-in.
• Control List:
▪ This list contains information that defines the access privileges for all valid
users.
▪ When a user attempts to access a resource, the system compares his or her user-id
and the rights contained in the access token with those contained in the access
control list. If they match, access is granted.
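The log-in procedure, access token, control list comparison and terminal time-out described above, as an added example that is not part of the notes. The user database, resources, rights and the 15-minute time-out are assumptions; passwords are stored as salted PBKDF2 hashes rather than in clear.

```python
# Added example (not from the notes): a small model of the OS access-control steps
# listed above: log-in against a database of valid users, creation of an access
# token, comparison of the token's rights with an access control list, and
# terminal time-out. Users, resources, rights and thresholds are assumptions.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TIMEOUT = timedelta(minutes=15)   # assumption (the notes cite a 15-minute session)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_db(entries):
    """Constructed database of valid users: user id -> (salt, hash, rights)."""
    db = {}
    for user, password, rights in entries:
        salt = os.urandom(16)
        db[user] = (salt, _hash_password(password, salt), frozenset(rights))
    return db


USER_DB = make_user_db([
    ("alice", "alice-pass-2022", {"payroll:read"}),
    ("bob", "bob-pass-2022", {"payroll:read", "payroll:write"}),
])

# Access control list (constructed): resource -> right required to use it
ACL = {"payroll_report": "payroll:read", "payroll_master": "payroll:write"}


@dataclass
class AccessToken:
    """Created after a successful log-in; carries the identity and rights."""
    user: str
    rights: frozenset
    issued: datetime
    last_activity: datetime
    token_id: str = field(default_factory=lambda: secrets.token_hex(8))


def login(db, user, password, now):
    """Log-in procedure: compare user id and password with the database of valid
    users; on success create an access token, otherwise return None."""
    rec = db.get(user)
    if rec is None:
        return None
    salt, stored, rights = rec
    if not hmac.compare_digest(stored, _hash_password(password, salt)):
        return None
    return AccessToken(user, rights, now, now)


def authorize(token, resource, now, acl=ACL):
    """Compare the rights in the token with the access control list. Returns
    'granted', 'denied', or 'timed_out' when the terminal was inactive > TIMEOUT."""
    if now - token.last_activity > TIMEOUT:
        return "timed_out"          # re-login is required, as on the income-tax site
    token.last_activity = now
    required = acl.get(resource)
    if required is None or required not in token.rights:
        return "denied"
    return "granted"


def demo():
    """Walk alice's session through the steps above; returns the four outcomes."""
    t0 = datetime(2022, 11, 15, 9, 0)
    bad = login(USER_DB, "alice", "wrong password", t0)          # None
    tok = login(USER_DB, "alice", "alice-pass-2022", t0)
    return (
        bad,
        authorize(tok, "payroll_report", t0 + timedelta(minutes=5)),   # granted
        authorize(tok, "payroll_master", t0 + timedelta(minutes=6)),   # denied
        authorize(tok, "payroll_report", t0 + timedelta(minutes=30)),  # timed_out
    )
```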
[Diagram (labels recovered from the figure): managerial and application controls]
Top management: Planning; Organising; Leading; Controlling.
System development stages: Problem definition; Feasibility assessment; Analysis of
existing system; Information processing system design; Hardware/Software Acquisition;
Coding; Acceptance Testing; Conversion; Operation and Maintenance.
Database controls: Definition Controls; Existence/Backup Controls; Access Controls;
Update Controls; Concurrency Controls; Quality Controls.
Operational Management: Operation & Maintenance Controls; Plan Emergence; File
Library; Security Management Controls.
Quality Assurance Management Controls: Goals of quality control.
These controls ensure that the information systems function correctly and they meet the strategic
business objectives. It is management’s responsibilities to determine whether the controls that
the enterprise system has put in place are sufficient to ensure that the IT activities are adequately
controlled. The controls flow from the top of an organization to down; the responsibility still lies
with the senior management. Top management is responsible for preparing a master plan for the
information systems function.
Planning:
This includes determining the goals of the information systems function and the means of
achieving these goals. The steering committee shall comprise of representatives from all areas of
the business, and IT personnel that would be responsible for the overall direction of IT.
Organizing:
There should be a prescribed IT organizational structure with documented roles and
responsibilities and agreed job descriptions. This includes gathering, allocating, and coordinating
the resources needed to achieve organizational objectives. This includes motivating, guiding, &
communicating with personnel.
Leading:
This includes the activities like motivating, guiding, and communicating with personnel. The
purpose of leading is to achieve the harmony of objectives, i.e., a person’s or group’s objectives
must not conflict with the organization’s objectives. The process of leading requires managers to
motivate subordinates, direct them and communicate with them.
Controlling:
This includes comparing actual performance with planned performance. This involves determining
when the actual activities of the information systems function deviate from the planned
activities. Following are the activities undertaken under the controlling head:
▪ All the stakeholders must reach to agreement on problem and should understand the possible
threats associated with possible solutions/systems related to asset safeguarding, data integrity,
system effectiveness, and system efficiency.
▪ The feasibility assessment is done to obtain a commitment to change & to evaluate whether
cost- effective solutions are available to address the problem or opportunity that has been
identified. All solutions must be properly and formally authorized to ensure their economic
justification and feasibility.
▪ If data repository system is used properly, it can enhance data & application system
reliability.
▪ Controls should be exercised over the roles by appointing trustworthy persons, separating
duties, maintaining, and monitoring logs of the data and database activities.
▪ Following control activities must be put in the place to maintain the integrity of the
database:
Code to Remember : Q. - A. - D. U. C. E.
(Q- D.U.C.E. court and Ad court in Tennis)
1. Quality Controls:
▪ These controls ensure accuracy, completeness, & consistency of data in the database.
▪ Controls may include putting up validation check of input data and batch control over data
in transit.
2. Access Controls:
▪ Designed to prevent unauthorized individuals from viewing, retrieving, computing, or
destroying the entity's data.
• User Access Controls through passwords, tokens, and biometric Controls; and
• Data Encryption: Keeping the data in database in encrypted form.
3. Definition Controls:
▪ These controls are placed to ensure that the database always corresponds and comply
with its definition standards.
4. Update Controls:
▪ These controls are placed to restrict updating of the database to authorized users, in
the following manner:
o By permitting only the addition of data to the database; and
o Allowing users to change or delete existing data.
5. Concurrency Controls:
▪ These controls provide solutions, agreed-upon schedules, and strategies to overcome the
data integrity problems that may arise when two update processes access the same data
at the same time.
6. Existence/Backup Controls:
▪ These controls ensure that proper backup and recovery plans are in place in case of
disaster.
▪ Backup refers to making copies of the data so that these additional copies may be used to
restore the original data.
▪ Backup controls ensure the availability of system in the event of data loss because of
unauthorized access, software and hardware failure.
▪ Various backup strategies like dual recording of data; periodic dumping of data; logging
input transactions and changes to the data are used.
▪ However, despite the controls, there is a possibility that a control might fail. When
disaster strikes, it still must be possible to recover operations and mitigate losses.
▪ There are 2 ways - A Disaster Recovery Plan (DRP) and Insurance.
▪ Disaster Recovery Plan (DRP) → A comprehensive DRP comprises four parts – an
Emergency Plan, a Backup Plan, a Recovery Plan and a Test Plan. The plan lays down the
policies, guidelines, and procedures for all Information System personnel.
▪ Insurance → Adequate insurance must be able to replace Information Systems assets and
to cover the extra costs associated with restoring normal operations.
1. Quality of Software:
▪ Users are more demanding on the quality of the software they use when it comes to
the use of such software in their workings.
2. Cost factor:
▪ Poor quality control over the production, implementation, operation, and
maintenance of software can be costly.
▪ This indeed will lead to dissatisfied users and customer, lower morale among IS staff,
higher maintenance and strategic projects etc.
3. Project driven:
▪ Organizations are undertaking more ambitious projects when they build software.
4. Trend of improvement:
▪ Improving the quality of Information Systems is a part of a worldwide trend .
▪ The same is destined to improve the quality of the goods and services they sell.
[Diagram (labels recovered from the figure): Application control framework]
Boundary controls: PIN; Plastic Cards; Cryptographic Controls.
Input controls: Validation of Data Input Control; Batch Controls.
Communication controls: Flow Controls; Topological Controls; Channel Access Controls;
Controls over Subversive threats.
Processing controls: Virtual Memory Controls; Application Software Controls.
Database controls: File Handling Controls.
Output controls: Batch Report Design Controls.
Accounting Audit Trail of boundary control:
• All application-oriented events occurring within the boundary subsystem should be
recorded.
• Data related to the identity of the user of the system; authentication information
supplied; resources requested, provided or denied; and
• Terminal Identifier & Start/Finish Time; number of sign-on attempts; privileges
allowed/denied.
Operations Audit Trail of boundary control:
• This includes details like resource usage from log-on to log-out time and a log of
resource consumption.
Batch Controls: Batching is the process of grouping together transactions that have some
type of relationship to each other. Various controls can be exercised over a batch to
prevent or detect errors. 2 types of batches occur; the control totals kept over a batch
are as follows:
▪ Financial Totals
▪ Hash Totals
▪ Document/Record Counts
Validation Controls: Input validation controls are intended to detect errors in the
transaction data before the data are processed. Some of these controls include the following:
(a) Field check- It involves programmed procedures that examine the characters
of the data in the field e.g., picture, record check etc.
(b) Record check- This includes reasonableness check of whether the value
specified in a field is reasonable for that field.
(c) Batch Check- This includes the checks like transaction type if all input records
in a batch are of particular type.
(d) File Check- This includes file’s version usage; internal and external labeling;
data file security; file updating and maintenance authorization etc.
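The batch control totals and the field, record and batch validation checks described in the two passages above, as an added example that is not part of the notes. The transaction layout, the allowed transaction types, the reasonableness ceiling and the sample batch are constructed; the keyed batch contains a transposed account number that only the hash total catches.

```python
# Added example (not from the notes): input validation checks and batch control
# totals as described above. Layout, limits and the sample batch are constructed.
from dataclasses import dataclass

MAX_AMOUNT = 100_000.00   # constructed reasonableness ceiling for the amount field


@dataclass
class Transaction:
    account: str     # 6-digit account number (field check: all digits)
    txn_type: str    # batch check: every record in a batch must share one type
    amount: float    # record check: must be reasonable for the field


def field_check(txn):
    """Field check: examine the characters of the account field."""
    if not (txn.account.isdigit() and len(txn.account) == 6):
        return [f"account {txn.account!r} is not 6 digits"]
    return []


def record_check(txn):
    """Record (reasonableness) check: is the amount plausible for this field?"""
    if not (0 < txn.amount <= MAX_AMOUNT):
        return [f"amount {txn.amount} outside 0..{MAX_AMOUNT}"]
    return []


def batch_check(batch, expected_type):
    """Batch check: all input records in the batch must be of one type."""
    return [f"record {i} has type {t.txn_type}, expected {expected_type}"
            for i, t in enumerate(batch) if t.txn_type != expected_type]


def batch_totals(batch):
    """Compute the three control totals the notes list for a batch."""
    return {
        "financial_total": round(sum(t.amount for t in batch), 2),
        # Hash total: sum of a field with no monetary meaning (account numbers),
        # kept only to detect lost, duplicated or mis-keyed records.
        "hash_total": sum(int(t.account) for t in batch if t.account.isdigit()),
        "record_count": len(batch),
    }


def reconcile(batch, control_totals, expected_type):
    """Validate every record, then compare the computed totals with the control
    slip prepared when the batch was assembled. Returns (ok, errors)."""
    errors = []
    for i, t in enumerate(batch):
        for e in field_check(t) + record_check(t):
            errors.append(f"record {i}: {e}")
    errors += batch_check(batch, expected_type)
    computed = batch_totals(batch)
    for name, expected in control_totals.items():
        if computed.get(name) != expected:
            errors.append(f"{name}: computed {computed.get(name)}, control slip {expected}")
    return (not errors, errors)


# Constructed batch: record 2 was keyed with transposed digits (100263 instead of
# 100236). The financial total and record count still agree with the control
# slip; only the hash total exposes the keying error.
BATCH = [
    Transaction("100234", "SALE", 1250.00),
    Transaction("100235", "SALE", 980.50),
    Transaction("100263", "SALE", 410.25),
]
CONTROL_SLIP = {"financial_total": 2640.75, "hash_total": 300705, "record_count": 3}
```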
Accounting Audit Trail of Input control:
• This must record the origin, contents, and timing of transactions entered into the
application system, thus involving the details and also the identity of the person
(organization) who was the source of the data and who entered the data into the system.
• Time and date when the data was captured; the identifier of the physical device used to
enter the data into the system; the account or record to be updated by the transaction.
• Details of the transaction; and the number of the physical or logical batch to which the
transaction belongs.
Operations Audit Trail of Input control:
• Some of the data that might be collected include the time to key in a source document or
an instrument at a terminal;
• E.g., the number of keying errors identified during verification; the frequency with which
an instruction in a command language is used; and the time taken to invoke an instruction
using different input devices like a light pen or mouse.
Accounting Audit Trail of communication control:
• This includes collection of data like the unique identifier of the source and destination.
• Each node that the message traverses; the unique identifier of the person or process
authorizing dispatch of the message; the time and date at which the message was
dispatched and received by the sink node.
• Time & date at which each node in the network was traversed by the message; message
sequence number; and the image of the message received at each node traversed in the
network.
Operations Audit Trail of Communication control:
• This includes details like the number of messages that have traversed each link and
each node; queue lengths at each node.
• Number of errors occurring on each link or at each node; number of retransmissions that
have occurred across each link; a log of errors to identify locations and patterns of errors;
a log of system restarts; and message transit times between nodes and at nodes.
Timing Controls An operating system might get stuck in an infinite loop. In the absence of
any control, the program will retain use of processor and prevent other
programs from undertaking their work.
Accounting Audit Trail of processing control:
• This includes data items to trace and replicate the processing performed on a data item
that enters the processing subsystem; to follow triggered transactions from end to end by
monitoring input data entry, intermediate results and output data values; to check for the
existence of any data flow diagrams or flowcharts that describe the data flow in the
transaction; and
• Whether the diagrams or flowcharts correctly identify the flow of data, and to check
whether audit log entries recorded changes made to the data items at any time.
Operations Audit Trail of processing control:
• This includes a comprehensive log of hardware consumption – CPU time used, secondary
storage space used,
• and communication facilities used, and a comprehensive log of software consumption –
compilers, subroutine libraries, file management facilities and communication software
used.
2. Integrity Controls: These are required to ensure that the accuracy, completeness, and
uniqueness of instances used within the data or conceptual modeling are maintained.
4. Concurrency Controls: These are required to address the situation that arises either due
to simultaneous access to the same database or due to deadlock.
5. Cryptographic Controls: These controls can be well used for protecting the integrity of
data stored in the database using block encryption.
6. File Handling Controls: These controls are used to prevent accidental destruction of
data contained on a storage medium. These are exercised by hardware, software, and
the operators or users who load/unload storage media.
Accounting Audit Trail of database control:
• This includes data items to confirm whether an application properly accepts, processes,
and stores information; to attach a unique time stamp to all transactions; to attach
before-images and after-images of the data item on which a transaction is applied to the
audit trail;
• Modifications to audit trail transactions accommodating changes that occur within an
application system.
Operations Audit Trail of database control:
• This maintains a chronology of resource consumption events that affect the database
definition or the database.
▪ Inference control:
• These are used to prevent compromise of statistical databases from which users can obtain
only aggregate statistics.
• These are restriction controls which limit the set of responses provided to users to try to
protect the confidentiality of data about persons in the database.
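One restriction control of the kind described above, a query-set-size restriction on a statistical database, as an added example that is not part of the notes. The table of persons, the minimum query-set size K and the field names are constructed; queries whose query set is smaller than K, or whose complement is smaller than K, are refused.

```python
# Added example (not from the notes): a query-set-size restriction, one of the
# "restriction controls" for statistical databases described above. The table,
# the threshold K and the supported statistics are assumptions.
from statistics import mean

# Constructed table of persons; only aggregate statistics may be released.
PEOPLE = [
    {"name": "A", "dept": "HR",  "age": 29, "salary": 52000},
    {"name": "B", "dept": "HR",  "age": 41, "salary": 61000},
    {"name": "C", "dept": "IT",  "age": 35, "salary": 75000},
    {"name": "D", "dept": "IT",  "age": 38, "salary": 80000},
    {"name": "E", "dept": "IT",  "age": 52, "salary": 99000},
    {"name": "F", "dept": "OPS", "age": 44, "salary": 58000},
]
K = 2   # assumption: minimum query-set size, applied to the complement as well


class RestrictedStatDB:
    """Answers count/sum/mean over a predicate, but refuses any query whose
    query set has fewer than K rows or more than N-K rows (a large query set
    would isolate the K-1 or fewer persons left outside it)."""

    def __init__(self, rows, k=K):
        self.rows, self.k = rows, k

    def _query_set(self, predicate):
        return [r for r in self.rows if predicate(r)]

    def aggregate(self, stat, field, predicate):
        qs = self._query_set(predicate)
        n = len(self.rows)
        if len(qs) < self.k or len(qs) > n - self.k:
            return None          # refused: the response would identify a person
        values = [r[field] for r in qs]
        if stat == "count":
            return len(values)
        if stat == "sum":
            return sum(values)
        if stat == "mean":
            return mean(values)
        raise ValueError(f"unsupported statistic {stat!r}")


def demo():
    """Three queries: one legitimate aggregate and two that are refused."""
    db = RestrictedStatDB(PEOPLE)
    # Legitimate: three IT staff, so the query set is large enough
    it_mean = db.aggregate("mean", "salary", lambda r: r["dept"] == "IT")
    # Only one person is in OPS: the query set is too small, so it is refused
    ops_sum = db.aggregate("sum", "salary", lambda r: r["dept"] != "X" and r["dept"] == "OPS")
    # "Everyone except OPS" has a complement of one person, so it is refused too
    not_ops_sum = db.aggregate("sum", "salary", lambda r: r["dept"] != "OPS")
    return it_mean, ops_sum, not_ops_sum
```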
Accounting Audit Trail of output control:
• This includes what output was used for the presentation to the users; what output was
then presented to the users; who received the output; when the output was received; and
what actions were subsequently taken with the output.
Operations Audit Trail of output control:
• This maintains the record of resources consumed by components in the output subsystem
to produce, distribute, use, store and dispose of various types of output like graphs,
images etc.,
• To record data that enables print times, response times and display rates for output to
be determined, and to manage information that enables the organization to improve the
timeliness of output production.
[Diagram (labels recovered from the figure): factors behind the need for controls]
Cost related: Cost of data loss; Cost of incorrect decision making; Costs of computer
abuse; High costs of computer error.
Other factors: Maintenance of privacy; Controlled evolution of computer use.
3. Snapshot technique:
(a) The snapshot is built into the system at those points where material processing occurs
which takes image of the flow of the transactions as it moves through applications.
(b) These images are then used to assess the accuracy, authenticity and completeness of the
processing carried out on the transactions.
(c) All snapshot data related to transaction can be collected at one place facilitating audit work.
5. Audit Hooks:
(a) These are audit routines that flag suspicious transactions.
(b) For instance, the policyholder system of an insurance company is vulnerable to fraud every
time a policyholder changes name or address.
(c) In this case, the auditor must devise a system of audit hooks to tag records with a
name/address change.
(d) When audit hooks are employed, auditors can be informed of suspicious transactions.
o Backup power:
▪ The IS auditor should determine if backup power is available via electric generators
or UPS and how frequently they are tested.
▪ The IS auditor should also examine maintenance records of these components.
o Water detection:
▪ The IS auditor should determine if any water detectors are used in rooms where
computers are kept.
▪ He or she should determine how frequently these are tested and if they are
monitored.
o Cleanliness:
▪ The IS auditor should examine data centers to see how clean they are.
▪ IT equipment air filters and the inside of some IT components should be examined
to see if there is an accumulation of dust and dirt.
(i) Siting and Marking: Auditing building siting and marking requires attention to
several key factors and features, including:
o Proximity to hazards: The IS auditor should estimate the building’s distance to
natural and manmade hazards, such as Dams; Rivers, Lakes, and Canals; Natural
gas & petroleum pipelines; Water mains and pipelines; Earthquake faults; Areas
prone to landslides; Volcanoes; etc. The IS auditor should determine if any risk
assessment is done & if any compensating controls have been carried out.
o Marking: The IS auditor should inspect the building and surrounding area to see
if the building(s) containing information processing equipment identify the
organization. Marking may be visible on the building itself, but also on signs or
parking stickers on vehicles.
(ii) Physical barriers: This includes fencing, walls, razor wire etc. The IS auditor needs
to understand how these are used to control access to facility.
(iii) Surveillance: The IS auditor needs to understand how video and human
surveillance are used to control and monitor access. Auditor needs to understand
how video is recorded and reviewed and is it effective in preventing or detecting
incidents.
(iv) Guards and dogs: IS auditor needs to understand use and effectiveness of security
guards and guard dogs. Processes, policies, procedures, & records should be
examined to understand required activities and how they are carried out.
(v) Key-Card systems: IS auditor needs to understand how key-card systems are used
to control access to the facility.
Role of IS Auditor in auditing Physical Access Controls: Auditing physical access requires
the auditor to review the physical access risk and controls to form an opinion on the
effectiveness of the physical access controls. This involves the following activities:
• Risk Assessment: The auditor must satisfy him/herself that the risk assessment
procedure adequately covers periodic and timely assessment of all assets, physical
access threats, vulnerabilities of safeguards and exposures there from.
• Controls Assessment: Auditor should evaluate whether the physical access
controls are in place and adequate to protect the IS assets against the risks.
• Review of Documents: It requires examination of relevant documentation such as
the security policy and procedures, premises plans, building plans etc.
Auditing Password Management
Auditing Employee Terminations
Now we will study each of the above in detail. Refer to the table below:
User Access Controls:
User access controls are often the only barrier between unauthorized parties and
sensitive or valuable information or resources.
Auditing User Access Controls (Code to remember: D.S. se S.A.U.D.A.):
• Dormant accounts: The IS auditor should determine if any automated or manual process
exists to identify and close dormant accounts. Dormant accounts are user (or system)
accounts that exist but are unused.
• Shared accounts: The IS auditor should determine if there are any shared user accounts
(used by more than 1 person).
• System accounts: The IS auditor should identify all system-level accounts on networks,
systems, and applications. The purpose of each system account should be identified.
• Authentication: The auditor should examine network & system resources to determine if
they require authentication, or whether resources can be accessed without first
authenticating.
• User account lockout: The auditor should determine if systems and networks can
automatically lock user accounts that are the target of attacks.
• Detection and prevention of intrusion: The auditor should examine these systems to see
whether they have up-to-date configurations and signatures, whether they generate alerts,
and whether the recipients of alerts act upon them.
• Access violations: The auditor should determine if systems, networks, and authentication
mechanisms can log access violations. These usually exist in the form of system logs
showing invalid login attempts.
Auditing Password Management:
1. The IS auditor needs to examine the password configuration on information systems to
determine how it is controlled.
2. Some checkpoints - How many characters must a password have & whether there is a
maximum length; how frequently must passwords be changed; whether former passwords may
be used again; whether the password is displayed when logging in or when creating a new
password etc.
Auditing User Access Provisioning (Code to remember: P.A.R.D.A.):
• Provisioning of new employees: The IS auditor should examine how a new employee's user
accounts are initially set up. The auditor should determine if new employees' managers are
aware of access requests.
• Access approvals: The IS auditor needs to determine how requests are approved & the
authority by which they are approved.
• Reviews of access: The IS auditor should determine if there are any periodic access
reviews and what aspects of user accounts are reviewed.
• Duties segregation (SOD): The IS auditor should determine if there are SOD matrices in
the organization & if they are actively used to make user access request decisions.
• Access request processes: The IS auditor should identify all user access request
processes and determine if these processes are used consistently throughout the
organization.
Auditing Employee Termination:
• Contractor access and terminations: The IS auditor needs to determine how contractor
access and termination is managed and if such management is effective.
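Three of the user access control checkpoints above (dormant accounts, shared accounts, and access violations that should have triggered lockout) automated over a constructed account register and system log, as an added example that is not part of the notes. The 90-day dormancy limit, the lockout threshold and window, the log format and the sample records are all assumptions.

```python
# Added example (not from the notes): evidence-gathering for three of the user
# access audit checkpoints listed above. Thresholds, log format and all records
# are constructed for the example.
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=90)     # assumption: unused for 90 days = dormant
LOCKOUT_THRESHOLD = 5                  # assumption: invalid attempts before lockout
LOCKOUT_WINDOW = timedelta(minutes=10)

# Constructed account register: user id -> last successful login (None = never).
# svc_backup is a system-level account; the notes say its purpose must be identified.
ACCOUNTS = {
    "alice": datetime(2022, 10, 30),
    "bob": datetime(2022, 6, 1),
    "svc_backup": None,
    "shared_ops": datetime(2022, 11, 1),
}
AUDIT_DATE = datetime(2022, 11, 15)

# Constructed system log, one event per line: <time> <user> <host> <OK|FAIL>
LOG = """\
2022-11-15T09:00:01 alice ws-12 OK
2022-11-15T09:00:05 shared_ops ws-12 OK
2022-11-15T09:01:10 shared_ops ws-40 OK
2022-11-15T09:02:00 bob ws-07 FAIL
2022-11-15T09:02:20 bob ws-07 FAIL
2022-11-15T09:02:40 bob ws-07 FAIL
2022-11-15T09:03:00 bob ws-07 FAIL
2022-11-15T09:03:15 bob ws-07 FAIL
2022-11-15T09:03:30 bob ws-07 FAIL
2022-11-15T14:00:00 alice ws-12 FAIL
"""


def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, host, result = line.split()
        events.append((datetime.fromisoformat(ts), user, host, result))
    return events


def dormant_accounts(accounts, as_of, limit=DORMANT_AFTER):
    """Accounts that exist but have not been used within `limit`."""
    return sorted(u for u, last in accounts.items()
                  if last is None or as_of - last > limit)


def shared_account_candidates(events):
    """Accounts successfully used from more than one host on the same day, a
    sign that more than one person is using the same user id."""
    hosts = defaultdict(set)
    for ts, user, host, result in events:
        if result == "OK":
            hosts[(user, ts.date())].add(host)
    return sorted({user for (user, _), h in hosts.items() if len(h) > 1})


def lockout_violations(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Users with at least `threshold` invalid attempts inside `window`: the
    access violations the system should have logged and locked out."""
    fails = defaultdict(list)
    for ts, user, host, result in events:
        if result == "FAIL":
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(user)
                break
    return sorted(flagged)


def audit(accounts, log_text, as_of):
    """Run the three checks and return the findings for the auditor's working papers."""
    events = parse_log(log_text)
    return {
        "dormant": dormant_accounts(accounts, as_of),
        "shared": shared_account_candidates(events),
        "lockout": lockout_violations(events),
    }
```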
Organizing:
• Auditors should be concerned about how well top management acquires and
manages staff resources for three reasons:
o Information system staff need to remain up to date and motivated in their jobs.
o Intense competition has made acquiring & retaining good system staff a complex activity.
o Research indicates that employees of an organization are the persons most likely to
perform irregularities.
Leading:
• Auditors examine variables that often indicate when motivation problems exist or
suggest poor leadership i.e., staff turnover statistics, frequent budget failure etc.
• Auditors may use both formal and informal sources of evidence to evaluate how well
top managers communicate with their staff.
Controlling:
• Auditors should focus on subset of control activities that should be performed by top
management – namely, those aimed at ensuring that the information systems
function accomplishes its objectives at a global level.
• Auditors must evaluate whether top management's choice of the means of control
over the users of IS services is likely to be effective or not.
Database backup and recovery:
• Auditors should check for mechanisms by which a damaged or destroyed database can be
restored in an authentic, accurate, complete, and timely way.
• Auditors should check backup and recovery strategies for the restoration of a damaged
or destroyed database in the event of failure.
• Auditors shall evaluate whether the privacy of data is protected during all backup &
recovery activities.
• Auditors should address their concerns regarding maintenance of data integrity.
Report programs:
• Auditors should determine what report programs are sensitive and important, and who is
authorized to access them.
• Auditors should review whether the action privileges assigned to authorized users are
appropriate to their job requirements or not.
• Auditors should determine whether the report collection, distribution and printing
controls are executed in an organization or not.
Database models
▪ Second stage→ Data so extracted is placed in a temporary area called Staging Area where
it is transformed like sorting, filtering etc. of the data as per the information
requirements.
▪ Final stage→ involves the Loading of the transformed data into a data warehouse which
itself is another database for storage and analysis.
▪ Data Mining-
• Data Mining is the process of analyzing data to find out unknown trends, patterns,
and associations to make decision. It is accomplished through automated means
against extremely large data sets.
• Example of data mining→ Analysis of a month's sales by a supermarket store to find the
product which sold the most.
• Below are the steps involved in data mining:
a. Data Integration: Firstly, the data are collected and integrated from all the different
sources which could be relational database, data warehouse or web etc.
b. Data Selection: So, in this step we select only those data which we think is useful for
data mining.
c. Data Cleaning: The data that is collected are not clean and may contain errors,
missing values, noisy or inconsistent data. Thus, we need to apply different
techniques to get rid of such anomalies.
d. Data Transformation: The data even after cleaning are not ready for mining as it
needs to be transformed into an appropriate form by using different techniques like -
smoothing, aggregation, normalization etc.
e. Data Mining: Data mining techniques are applied on data to discover the interesting
patterns. Techniques like clustering and association analysis are some examples.
f. Pattern Evaluation and Knowledge Presentation: This step involves visualization,
transformation, removing redundant patterns etc. from the patterns we generated.
g. Decisions / Use of Discovered Knowledge: This step helps user to make use of the
knowledge acquired to take better informed decisions.
Database:
▪ This stores real-time information.
▪ A telecom company's database stores information related to monthly billing details, call
records, etc.
▪ Its function is to record.
▪ Example - MySQL, MS Access etc.
Data Warehouse:
▪ This stores both historic & transactional data.
▪ In a telecom company, information in a data warehouse will be used for product
promotions, decisions relating to sales, cash etc.
▪ Its function is to report and analyse.
▪ Example – Teradata, Informatica etc.
Data Mining:
▪ This analyses data to find previously unknown trends.
▪ For example - In the same telecommunication sector, information will be analyzed by data
mining techniques to find out call duration with respect to a particular age group from
the entire data available.
▪ Its function is to extract useful data.
▪ Example - R-Language, data mining and Oracle etc.
It has been noticed that people are being shuffled from one business vertical to another. These organizational changes are usually performed to help an organization meet new objectives that require new partnerships and teamwork that were less important before.
Below are some illustrative reasons for changes in the organizational structure:
▪ Market conditions:
1. Changes in market positions can cause an organization to realign its internal structure in order to strengthen itself.
2. For example, if a competitor lowers its prices based on a new sourcing strategy, an organization may need to respond by changing its organizational structure to put experienced executives in charge of specific activities.
▪ Regulation:
1. New regulations may induce an organization to change its organizational structure.
2. For instance, an organization that becomes highly regulated may elect to move its security and compliance group away from IT and place it under the legal department, since compliance has much more to do with legal compliance than industry standards.
▪ Available talent:
1. When someone leaves the organization or moves to another position within the organization, a space opens in the org chart that often cannot be filled right away.
2. Senior management will temporarily change the structure of the organization by moving the leaderless department under the control of someone else.
3. For example, if the director of IT program management leaves the organization, the existing department could temporarily be placed under the IT operations department, in this case because the director of IT operations used to run IT program management.
Executive positions:
▪ This is the title of the top-most leader.
▪ Usually responsible for an entity's overall technology strategy.
▪ Responsible for all aspects of security.
▪ Responsible for all aspects of data-related security.
▪ Responsible for the protection and use of personal information.
Software Development:
▪ Systems Architect: This position is usually responsible for the overall information systems architecture in the organization.
▪ Systems Analyst: A systems analyst is involved with the design of applications, including changes in an application's original design.
▪ Software Developer, Programmer: This position develops application software. In organizations that utilize purchased application software, developers
▪ Software Tester: This position tests changes in programs made by developers.
Data Management:
▪ Develops logical and physical designs of data models for applications and databases.
▪ Builds and maintains databases designed by the database architect.
▪ Performs tasks carrying out routine data maintenance and monitoring tasks.
Network Management:
▪ Network Architect: This position designs data & (increasingly) voice networks and designs changes and upgrades to the network.
▪ Network Engineer: This position builds and maintains network devices such as routers, switches, firewalls, and gateways.
▪ Network Administrator: Performs routine tasks in the network such as making minor configuration changes.
▪ Telecom Engineer: Positions in this role work with telecommunications technologies such as data circuits and phone systems.
General Operations / Systems Management:
▪ Responsible for the overall architecture of systems and design of services such as authentication.
▪ Responsible for designing, building, & maintaining servers & server operating systems.
▪ Responsible for performing maintenance operations on systems.
Security Operations
▪ Transaction Authorization:
1. Information systems can be programmed or configured to require two (or more) persons to
approve certain transactions.
2. In IT applications, transactions meeting certain criteria (for example, exceeding normally
accepted limits or conditions) may require a manager’s approval to be able to proceed.
▪ Workflow:
1. Applications that are workflow-enabled can use a second (or third) level of approval before certain
high-value or high-sensitivity activities can take place.
2. For example, a workflow application that is used to provision user accounts can include extra
management approval steps in requests for administrative privileges.
▪ Periodic review:
1. IT or internal audit personnel can periodically review user access rights to identify whether any
segregation of duties issues exist.
2. The access privileges for each worker can be compared against a segregation of duties control
matrix.
When SOD issues are encountered during a segregation of duties review, management will need to decide how to mitigate the matter. The choices for mitigating a SOD issue are:
▪ Reduce access privileges:
1. Management can reduce individual user privileges so that the conflict no longer exists.
▪ Introduce a new mitigating control:
1. If management has determined that the person(s) need to retain privileges that are viewed as a conflict, then new preventive or detective controls need to be introduced.
2. Examples of mitigating controls include increased logging to record the actions of personnel, improved exception reporting to identify possible issues, reconciliations of data sets, and external reviews of high-risk controls.
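An added example (not from the notes) of the periodic review and the two mitigation choices above, together with the transaction-authorization rule: constructed user privileges are compared against a constructed SOD control matrix, and each conflict is either resolved by reducing access or accepted with a recorded mitigating control.

```python
"""Segregation-of-duties (SOD) review against a control matrix, plus the
transaction-authorization check described alongside it.

Added illustration, not from the notes. Every privilege name, user and
matrix entry below is constructed sample data; a real review would pull the
user access list from the IAM system and the matrix from the control owner.
"""
from dataclasses import dataclass

# Constructed SOD control matrix: each entry is a pair of privileges that
# one person must not hold at the same time.
SOD_MATRIX = {
    frozenset({"create_vendor", "approve_payment"}),
    frozenset({"raise_purchase_order", "approve_purchase_order"}),
    frozenset({"develop_code", "deploy_to_production"}),
    frozenset({"administer_users", "review_access_logs"}),
}

# Constructed user access list, as exported for a periodic access review.
USER_ACCESS = {
    "asha":   {"create_vendor", "approve_payment", "view_reports"},
    "bhuvan": {"raise_purchase_order", "approve_purchase_order"},
    "chitra": {"develop_code", "deploy_to_production"},
    "dev":    {"view_reports"},
}

# Constructed management decisions for the conflicts the review will find.
DECISIONS = {
    "asha":   ("reduce_access", "approve_payment"),
    "chitra": ("mitigating_control",
               "weekly review of production deployment logs by IT audit"),
}


def find_conflicts(user_access, matrix=SOD_MATRIX):
    """Periodic review: compare each worker's privileges with the matrix.

    Returns {user: [conflicting (priv_a, priv_b) pairs]} for users who hold
    both halves of at least one matrix entry; clean users are omitted."""
    conflicts = {}
    for user, privs in user_access.items():
        hits = sorted(tuple(sorted(pair)) for pair in matrix if pair <= privs)
        if hits:
            conflicts[user] = hits
    return conflicts


@dataclass
class ReviewEntry:
    user: str
    conflicts: list
    action: str    # reduce_access | mitigating_control | none
    detail: str
    status: str    # resolved | still_conflicting | accepted_with_control | unmitigated


def apply_decisions(user_access, decisions):
    """Apply management's choice per conflicting user and build the register.

    Option 1 removes a privilege and re-checks that the conflict is gone.
    Option 2 keeps the privileges but records the compensating control.
    A conflict with neither decision stays flagged as unmitigated.
    Works on a copy, so the original access list is not modified."""
    access = {user: set(privs) for user, privs in user_access.items()}
    register = []
    for user, pairs in find_conflicts(access).items():
        action, detail = decisions.get(user, ("none", ""))
        if action == "reduce_access":
            access[user].discard(detail)
            status = ("resolved" if user not in find_conflicts(access)
                      else "still_conflicting")
        elif action == "mitigating_control":
            status = "accepted_with_control"
        else:
            status = "unmitigated"
        register.append(ReviewEntry(user, pairs, action, detail, status))
    return register, access


def authorize_transaction(amount, requester, approvers, limit=100_000):
    """Transaction authorization: two distinct approvers above `limit`,
    one below it, and the requester never counts as an approver."""
    independent = set(approvers) - {requester}
    required = 2 if amount > limit else 1
    return len(independent) >= required


if __name__ == "__main__":
    for entry in apply_decisions(USER_ACCESS, DECISIONS)[0]:
        print(f"{entry.user:7} {entry.status:22} {entry.conflicts}")
    print(authorize_transaction(250_000, "asha", ["asha", "dev"]))   # False
```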
Ques 1-
In 2017, XYZ Systems had shifted to the SQL Server Relational Database Management System
from the previously used IBM Information Management System which used a hierarchical
database model to create a well-organized database to store organizational data.
On acquiring a good number of global clients and keeping in view the increased number,
complexity of the overseas transactions and the management’s need for periodic performance
analysis; XYZ Systems planned to leverage the benefit of data warehouse whereas the research
team suggested the implementation of big data. However, XYZ Systems did not implement
suitable security controls and hence recently faced data security breach which led to the
unauthorized manipulation of certain confidential data. This resulted in XYZ Systems paying a
substantial amount as compensation and loss of a major client.
Consequently, XYZ Systems has now implemented varied controls starting from strict
password management to high level access controls and monitoring mechanism ensuring that
there are no further data security issues. Answer the following questions-
1. XYZ Systems initially used the IBM Information Management System, which used a hierarchical database model. Which type of relationship is not supported by such a database model?
i. One-to-One
ii. Many-to-One
iii. One-to-Many
iv. None of the above
2. XYZ Systems recently shifted to the SQL Server DBMS from the IBM Information Management System that it previously used. In which aspect does SQL Server differ from the IBM Information Management System?
i. One-to-one relationship.
ii. One-to-many relationship.
iii. Relational database structure.
iv. None of the above.
3. Which among the following is not an advantage of the SQL Server DBMS?
i. Data sharing
ii. Data Redundancy.
iii. Program and file consistency.
iv. None of the above.
4. To ensure that the communication between their private network & the public network is secured, one of the steps taken by XYZ Systems is to install a firewall. The installation of a firewall is a __________ type of control.
i. Preventive
ii. Corrective.
iii. Detective.
iv. None of the above.
5. XYZ Systems made its access privileges more stringent so as to prevent unauthorized users from gaining entry into secured areas, and also grants users only the minimum access needed for their job requirements. Which of the following Logical Access controls covers this aspect?
i. Operating System Access Control
ii. Network Access Controls
iii. User Access Management
iv. Application and Monitoring System control
6. Based on the risk assessment by the audit team, the management of XYZ Systems decided to
specify the exact path of the internet access by routing the internet access by the employees
through a firewall and proxy. This is referred to as?
i. Encryption
ii. Enforced Path
iii. Call Back Devices
iv. None of these
Solution 1-
Q. Answer Answer Description
1 (ii) Many-to-One
2 (iii) Relational database structure
3 (ii) Data Redundancy
4 (i) Preventive
5 (iii) User Access Management
6 (ii) Enforced Path
Ques 2-
Bianc Computing Ltd. has implemented a set of controls including those with respect to
security, quality assurance and boundary controls to ensure that the development,
implementation, operation and maintenance of information systems takes place in a planned
and controlled manner. It has also ensured that logs are designed to record activity at the
system, application, and user level. Along with the implementation of controls and maintenance
of logs, it has approached a leading firm of IS auditors to conduct a comprehensive audit of its
controls. Within the organization also, it has opened new job roles and has hired people with the
required skill sets for the same. Answer the following questions-
1. The team of network engineers of Bianc Computing Ltd. recommended certain controls to be
implemented in the organization to bridge the rate of data reception and transmission
between two nodes. Which types of controls are being referred to here?
i. Link controls
ii. Flow controls
iii. Channel access controls
iv. Line error controls
2. Which control is used to ensure that the user can continue working, while the print
operation is getting completed? This is known as________?
i. Printing Controls
ii. Spooling File Control
iii. Spoofing File Control
iv. Print-Run-to Run Control Totals
3. Bianc Computing Ltd. has also opened up new job roles and has hired persons with the
required skill sets for the same as given below-
Identify the right match to the job roles assigned and the responsible persons for the job role.
i. 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)
ii. 1(d), 2(b), 3(c), 4(g), 5(f), 6(a), 7(e)
iii. 1(e), 2(b), 3(c), 4(g), 5(a), 6(f), 7(d)
iv. 1(g), 2(f), 3(e), 4(d), 5(c), 6(b), 7(a)
Solution 2-
Q. Answer Answer Description
1 (ii) Flow Controls
2 (ii) Spooling File control
3 (i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)
E-COMMERCE, M-COMMERCE
AND EMERGING TECHNOLOGIES
1. Introduction to E-commerce:
E-Commerce means "Sale / Purchase of goods / services through electronic mode". This could include the use of technology in the form of computers, desktops, mobile applications, etc. With the passage of time, e-commerce has drawn the attention of nearly all companies.
These companies are realizing that business via the Internet is an inevitability that they will not be able to ignore. The lure of reaching additional customers, expanding market share, providing value-added services, advancing technological presence, and increasing corporate profits is just too valuable to disregard, and will eventually attract companies to electronic commerce.
E-Commerce is the process of doing business electronically. It refers to the use of technology to enhance the processing of commercial transactions between a company, its customers, and its business partners. It involves the automation of a variety of Business-To-Business (B2B) and Business-To-Consumer (B2C) transactions through reliable and secure connections. Now we will study the various aspects of E-commerce:
E-commerce process flow (figure): Order placed by user → Shopping cart → Credit card is charged → Order is completed → Email is sent to customer & merchant → Sent to warehouse for fulfilment → Shipping carrier picks up shipment → Shipment sent to customer.
Code to remember: RT NDL SPAM (R.T. pcr test S2.P2.A.M. mail at New DeLhi station)
BENEFITS TO GOVERNMENT
LEGAL ISSUES:
• Legal issues are a significant impediment to conducting business on the Internet.
• It is very difficult to ascertain the legal issues that will start to pop up as business on the Internet progresses.
• Legal issues may also arise if customer-sensitive data falls into the hands of strangers. The legal environment in which e-commerce is conducted is full of unclear and conflicting laws.
INTERNET CONNECTION:
• Internet connectivity is a pre-requisite to perform online transactions.
• Internet connectivity may not be available in rural or remote areas. Many people may
not have Internet connectivity due to which they may not be able to do online
transactions.
FRAUD FEAR:
• Some customers are still fearful of sending their credit card details over Internet.
Moreover, many customers are simply resistant to change and are uncomfortable
viewing merchandise on a computer screen rather than in person.
SECURITY CONCERNS:
• Technical obstacles including issues related to security and reliability of network and
Internet are major concerns in online transactions.
• There is always a fear for the safety and security of personal information due to the increased spyware and malware rampant on the internet.
1.5 E-Marketing:
E-Marketing is the process of marketing a product or service using the Internet. The internet changes the relationship between buyers and sellers because market information is available to all parties involved in the transaction. Some relevant terms related to e-marketing:
▪ Portal:
• A portal is a website that serves as a gateway or main entry point on the internet to a specific field of interest or an industry.
• A portal consists of web pages that act as a starting point for using the web or web-based services.
• Example - Yahoo! Stores is a shopping cart software app that offers small business operators & owners a variety of tools and features.
▪ E-Shop:
• An e-shop is a virtual store front that sells products and services online where customers can shop anytime.
• It is a convenient way of effecting direct sales to customers, allowing manufacturers to bypass intermediate operators and thereby reducing costs and delivery times.
2. Components of E-commerce:
Below are the components of e-commerce:
1. USER:
• This may be an individual / organization or anybody using the e-commerce platforms.
• As e-commerce has made procurement easy and simple, just on the click of a button, e-commerce vendors need to ensure that their products are not delivered to wrong users.
2. E-Commerce Vendors:
• This is the organization / entity providing the user the goods / services asked for.
• In order to ensure quality of goods and services, e-commerce vendors further need to ensure the following for better, effective and efficient transactions.
3. Technological Infrastructure:
• E-commerce is technology driven. Various types of e-commerce applications and
technologies are being used by the organizations to increase scope of business.
• Below are the characteristics of technology used in e-commerce:
▪ Easy to use and convenient.
▪ Design: The technology selected should enable the customers to find what they want as well as enable the merchant to promote its products.
▪ Scalable: Able, with minimal effort, to handle peak traffic and to accommodate the needs of the business's online growth.
▪ Responsive: Making a website accessible and usable on every device is important for the success of an e-commerce site.
• The computers, servers, databases, mobile apps, digital libraries and data interchange are the components of the technology infrastructure that enable e-commerce transactions. These components are discussed below:
4. Internet/Network:
• This is the critical enabler for e-commerce. Internet connectivity is important for any
e-commerce transactions to go through.
• Faster net connectivity leads to better e-commerce. The success of e-commerce trade depends upon the internet capability of the organization.
5. Web Portal:
• This provides the interface through which an individual/organization shall perform e-commerce transactions.
• A web portal is the application through which the user interacts. It is the front end through which the user interacts for an e-commerce transaction and can be accessed through desktops/laptops/PDAs/hand-held computing devices/mobiles & now through smart TVs also.
6. Payment Gateway:
• In an e-commerce transaction, the major proportion of online payments is being
performed based on payment gateway technology.
• A payment gateway is a server that is dedicated to linking websites and banks so that
online transactions can be completed in real-time.
Database Tier:
1. This tier houses the database servers where information is stored and retrieved. Data in
this tier is kept independent of application servers or business logic.
2. The data access layer should provide an Application Programming Interface (API) to the
application tier that exposes methods of managing the stored data without exposing or
creating dependencies on the data storage mechanisms.
2. Application Layer: Application Server and Back End Server. For example, in the same example it includes:
- E-merchant
- Reseller
- Logistics partner
This layer allows the customer to check the products available on the merchant's website.
3. Database Layer: The information store house, where all data relating to products, price etc. is kept. This layer is accessible to the user through the application layer.
1. Infrastructure:
• There is a greater need of not only digital infrastructure but also network
expansion of roads and railways. This is a challenge for a developing country.
2. Hidden Cost:
• When goods are ordered from another country, there are hidden costs enforced by
Companies.
4. Denial of service:
• Service to customers may be denied due to non- availability of system as it may be
affected by viruses, e-mail bombs and floods.
5. Contract Repudiation:
• There is a possibility that the electronic transaction in the form of a contract, sale order or purchase by the trading partner or customer may be denied.
• It means that an item ordered by a customer may not be delivered by the trader, or the customer cancels the order.
• Sellers / Buyers / Merchants - These people need to have a proper framework in place to ensure success of the business and need to put controls on price, catalogue, discount schemes etc.
• Government - Governments across the world and in India have a few critical concerns vis-à-vis electronic transactions, namely (1) tax accounting of all products / services sold, and (2) that all products / services sold are legal.
• Network Service Providers - They need to ensure availability and security of the network. Any downtime of the network can be disastrous for business.
• Logistics Service Providers - Logistics service providers are the ones who are finally responsible for timely product deliveries.
• Payment Gateways - E-commerce vendors' business shall run only when their payment gateways are efficient, effective and foolproof.
The aforesaid controls are useless unless the participants are trained and made aware of the risks and ways to control them. So, the following steps are to be taken in order to minimize the risk of failure of controls:
(d) Protect your e-Commerce business from intrusion: Below are the types of intrusion-
1. Viruses: Check your website daily for viruses, the presence of which can result in the
loss of valuable data.
2. Hackers: Use software packages to carry out regular assessments of how vulnerable
your website is to hackers.
3. Passwords: Ensure employees change these regularly and that passwords set by
former employees of your organization are defunct.
4. Regular software updates: Site should always be up to date with the newest versions
of security software. If you fail to do this, you leave your website vulnerable to attack.
5. Sensitive data: Consider encrypting financial information and other confidential data. Hackers or third parties will not be able to access encrypted data.
SA 315 recognizes that IT poses specific risks to an entity's internal control in the form of the following:
▪ Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
▪ Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
▪ The possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, thereby breaking down segregation of duties.
▪ Inappropriate manual intervention & loss of data or inability to access data as required.
4. Periodical review of access rights to all IT resources to ensure that the access to the users is
commensurate with their functional roles and responsibilities.
5. Timely employee awareness campaigns focusing on methods of intrusion which can be
stopped based on individual actions.
6. Use of firewalls by the Company to allow internet activity in accordance with the rules defined.
7. Any vulnerability scans or penetration testing performed by the Company and any findings
noted.
8. Are the backups scheduled properly and timely checked by restoration of data?
Matter / Descriptions:
▪ Billing: Guidelines related to billing are:
1. Format of bill.
2. Details to be shared in bills.
3. Applicable GST.
▪ Product guarantee / warranty: Proper display of product guarantee / warranty online as well as documents sent along with the products.
▪ Shipping: Below are the things to be put in the policy documents:
1. The shipping time.
2. Frequency of shipping.
3. The packing at time of shipping.
This will ensure products are properly packed and timely shipped.
▪ Delivery: Policy needs to be defined for:
1. Which mode of delivery is to be chosen – own, third party.
2. When deliveries are to be made – day time or fixed time.
3. Where deliveries are to be made – buyer's office, home, shop etc.
▪ Return: Policy for return of goods needs to be put in place defining:
1. Which products can be returned.
2. The number of days within which returns can be accepted.
3. The time within which the buyer shall be paid his/her amount back for goods returned.
▪ Payment: Policy guidelines need to be created for the following payment related issues:
1. Mode of payment.
2. For which products a specific payment mode shall apply, e.g., an organization restricts COD for a few consumable products.
▪ Foreign Trade Act, 1992:
1. An Act to provide for the development & regulation of foreign trade.
2. The same is done by facilitating imports into, and augmenting exports from, India & for matters connected therewith or incidental thereto.
▪ The Goods and Services Tax Act, 2017 (GST):
1. This Act requires each applicable business, including e-commerce / m-commerce, to upload each sale & purchase invoice on one central IT infrastructure.
2. This mandates reconciliation of transactions between businesses, triggering of tax credits on payments of GST & facilitating filing of e-returns, etc.
▪ Foreign Exchange Management Act (FEMA 1999):
1. This regulates foreign direct investments and the flow of foreign exchange in India.
2. E-commerce activities have been opened in a calibrated manner & an entity is permitted to undertake retail trading through e-commerce in the following circumstances:
• A manufacturer is permitted to sell its products manufactured in India through e-commerce retail.
• An Indian manufacturer is permitted to sell its own single brand products through e-commerce retail.
▪ Consumer Protection Act, 1986:
1. This law protects consumer rights.
Matter / Descriptions:
▪ Proliferation (rapid increase) of Mobile Devices:
1. The user is moving from desktop to mobile computing.
2. 55% of traffic is from mobile. The creation of mobile applications for e-commerce websites is the latest trend to drive many online shoppers who use mobile apps for online shopping.
▪ Convergence of Mobile Telecom Network & Internet:
1. Mobile internet is characterized by goal-oriented activities.
2. The transition from 3G to 5G and faster data rates, along with many new applications and services, make the success of e-commerce possible.
▪ Social Network:
1. Social media allows consumers to buy products without even leaving the social media platform.
2. The social media tool box will help e-marketers become familiar with their clients & at the same time will also enable the customers to develop deep relationships with the merchants they buy from.
▪ Predictive Analysis:
1. Use of predictive analysis tools is increasing to predict online customers' behavior, buying habits, tastes & preferences, both quantitative and qualitative.
2. The analytical approach would lead to an increase in the number of new customers.
3. Based on this information, the marketer can create unique, personalized promotions for each customer.
6. Digital Payment:
6.1. Forces behind the E-commerce revolution:
Digital Payment is a way of payment which is made through digital modes. In digital payments, payer and payee both use digital modes to send and receive money. It is also called electronic payment. All the transactions in digital payments are completed online. It is an instant and convenient way to make payments. Since the evolution of online payment has been tremendous, new banking services and ways should be adapted to use various digital channels to interact with and provide services to customers. To reach out to customers at their convenience, banks are aggressively going digital. A high level of adaptability is a must for the banking sector in this highly digital and tech-savvy age, where banking transactions can happen even on a mobile or tablet with a few clicks.
Methods / Description:
▪ Mobile Apps: BHIM (Bharat Interface for Money):
• It is a mobile app developed by the National Payments Corporation of India (NPCI) based on UPI (Unified Payment Interface).
• It facilitates e-payments directly through banks & supports all Indian banks which use that platform.
• It is built on the Immediate Payment Service infrastructure.
7. Computing Technologies:
It is expected to revolutionize the value-additions to the huge information component, which is
growing exponentially. Now we will study various aspects of computing technology:
7.1. Virtualization:
MEANING/CONCEPT→
Virtualization means to create a virtual version of a device or resource such as a server,
storage device, network or even an operating system where the framework divides
resource into one or more execution environment.
▪ Portable Workplaces:
1. Portable applications are needed when running an application from a removable drive, without installing it.
2. Virtualization can be used to encapsulate (summarize) the application so that it stores temporary files, Windows registry entries and other state information in the application's installation directory and not within the system's permanent file system.
3. These devices include iPods and USB memory sticks.
▪ Applications:
1. Virtualization can give root access to a virtual machine
2. This can be very useful such as in operating system courses.
▪ Disaster recovery:
1. Virtual machines can be used as “hot standby”.
2. This includes process by providing backup images that can “boot” into live virtual
machines, capable of taking over workload for a production server experiencing an
outage.
▪ Server consolidation:
1. Virtual machines are used to consolidate many physical servers into fewer servers.
2. Each physical server is reflected as a virtual machine “guest” residing on a virtual
machine host system.
3. This is also known as “Physical-to-Virtual” or ‘P2V’ transformation.
▪ Virtual resources:
1. Users of grid computing can be organized into a number of virtual entities.
2. These virtual entities can share their resources such as data, specialized devices, software, services, licenses, and so on, collectively as a larger grid.
3. The grid can help in enforcing security rules among them & implementing policies.
▪ Resource Balancing:
1. A grid can offer a resource balancing effect by scheduling grid jobs on machines with low utilization and of least priority.
2. This feature of grid computing handles occasional peak loads of activity in parts of a larger organization. In case of peak loads, activities can be diverted to idle machines.
▪ CPU Capacity:
1. Due to the availability of multiple processors, applications are calculated in no time.
2. The potential for usage of massive parallel CPU capacity is one of the most common visions and attractive features of a grid.
3. A CPU-intensive grid application can be thought of as many smaller sub-jobs, each executing on a different machine in the grid.
▪ Access to resources:
1. A grid can provide access to other resources as well.
2. E.g., if a user needs higher bandwidth for the internet, then instead of shelling out money, the user can divide work among grid machines having independent internet connections.
▪ Management:
1. The grid offers management of priorities among different projects and aggregation of utilization data over a larger set of projects.
2. When maintenance is required, grid work can be rerouted to other machines without crippling (harming) the projects involved.
▪ Software and Licenses:
1. The grid may have software installed that may be too expensive to install on every grid machine.
2. Some software licensing arrangements permit the software to be installed on all of the machines of a grid but may limit the number of installations that can be simultaneously used at any given point of time. (Remember it is grid computing)
3. License management software keeps track of how many concurrent copies of the software are being used and prevents more than that number from executing at any given time.
▪ Special equipment, capacities, architectures & policies:
1. Platforms on the grid may have different architectures, operating systems, devices, capacities, and equipment.
2. Each of these items represents a different kind of resource that the grid can use as criteria for assigning jobs to machines. E.g., some machines may be designated to only be used for medical research.
3. Multi-tenancy:
(a) Public cloud service providers often can host the cloud services for multiple users
within the same infrastructure.
(b) Server and storage isolation may be physical or virtual depending upon the specific
user requirements.
4. On-Demand:
(a) With cloud services there is no need to have dedicated resources waiting to be
used, as is the case with internal services.
5. Resiliency (लचीला):
(a) The resiliency of a cloud service offering can completely isolate the failure of
server and storage resources from cloud users.
(b) Work is migrated to a different physical resource in the cloud with or without user
awareness and intervention.
2. Flexibility improvement:
(a) It is possible to make fast changes in our work environment without creating any issues.
4. Accessibility:
(a) Data and applications can be accessed anytime, anywhere, using any smart computing device, making our life so much easier.
5. Monitoring of projects:
(a) It is feasible to confine within budgetary allocations. It means that it is easy to monitor whether any project is exceeding the allocated budget amount.
6. Economies of scale:
(a) Volume output or productivity can be increased even with fewer systems and thus reduce the cost per unit of a project or product.
2. Restriction on availability:
(a) Customers may have to face restrictions on the availability of applications, operating systems and infrastructure options.
(b) This is because various vendors offer different services.
4. No control on resources:
(a) Although cloud computing supports scalability (i.e., quickly scaling computing resources up and down depending on the need),
(b) it does not permit control over these resources, as they are not owned by the user or customer.
Private Cloud
A private cloud is a proprietary network or a data center that supplies hosted services to a limited number of people. These are typically deployed within an organization's own internal ecosystem. A private cloud can be managed as:
• On-Premises Private Cloud: The cloud is private to the organization and managed by a single entity.
• Outsourced Private Cloud: A private cloud managed by a third party.
(a) Secure:
• The private cloud is managed by the organization itself, hence there is less chance of data being stolen and leaked out.
Public Cloud
A public cloud sells services to anyone on the Internet. (Currently, Amazon Web Services is the largest public cloud provider.) Public cloud services may be free or offered on a pay-per-usage model. This environment can be used by the general public. Below are the characteristics:
Code to Remember: S.A.L.S.A.
(a) Scalable:
• The resources and the users in the public cloud are large, and the service provider has to grant all the requests. Hence public clouds are considered to be scalable (able to be changed in size or scale).
(b) Affordable:
• In this case, the user pays only for what he or she is using, and this doesn't involve any cost related to the deployment.
(c) Less Secure:
• Since it is offered by a third party who has full control over the cloud, it is less secure as compared to an on-premises private cloud.
(d) Stringent SLAs:
• Since there is a service level agreement between the service provider and users, and the reputation of the service provider depends on it, they follow the SLA very strictly.
(e) Available:
• It is highly available, since anyone can link to the public cloud with the proper permission.
Hybrid Cloud
A hybrid storage cloud uses a combination of public and private storage clouds. Hybrid storage clouds are often useful for archiving and backup functions, allowing local data to be replicated to a public cloud. E.g., a business may choose to run an ERP system from their private cloud, and utilize a public cloud for offsite backup & disaster recovery purposes.
Community Cloud
Here the cloud is shared by the members of one community, hence the name. In this type, the cloud infrastructure is provisioned for a specific community, e.g., one with common mission or security requirements, etc.
3. Infrastructure sharing:
• In IaaS, different users share the same physical infrastructure, thus ensuring high resource utilization.
4. Metered Services:
• IaaS allows the user not to buy the computing resources but to rent them. The user will be charged as per the usage.
Hidden costs
• Such costs may include higher network charges for storage and database applications.
Interoperability issues
• If a company enters into a contract with one cloud computing vendor, it may find it difficult to change to another computing vendor that has proprietary APIs (Application Programming Interfaces) and different formats for importing and exporting data.
• Industry cloud computing standards do not exist for APIs or formats for importing and exporting data. This creates problems in achieving interoperability of applications between two cloud computing vendors.
Unexpected behavior
• An application may perform well at the company's internal data center. It does not necessarily imply that the application will perform the same way in the cloud.
• Therefore, it is essential to test its performance in the cloud for unexpected behavior. Testing may include monitoring the application behavior on a sudden increase in demand for resources and how it allocates unused resources.
Security issues
• The important security issues with cloud computing are: the management of the data might not be fully trustworthy; the risk of malicious insider attacks in the cloud; and failure of cloud services.
• Maintaining confidentiality is one of the major issues faced in cloud systems, because information is stored at a remote location which can be accessed by the service provider.
• Data confidentiality can be preserved by encrypting data. Sharing of resources over a remote location may violate the confidentiality of users' IT assets. It must be ensured that there is a degree of isolation between these users.
In a company there is a director named Mr. A, who has a subordinate Mr. B (who is in a meeting), the regional director of the Faridabad region, who has a field boy Mr. C who does all the marketing work. Now we will discuss the benefits of mobile computing:
1. Mobile computing enables access to work details like order status, contact information, service contracts etc. (Mr. B is in a meeting and requires all data related to the contract.)
2. It enables the mobile salesperson to update work order status in real time. (Mr. C, who is in the field, will update his work when finished.)
3. Mr. A (director) of the company can access complete corporate information from anywhere and at any time. (Mr. A can see the information about the contract at any time.)
4. Provides remote access to the corporate knowledge base at the job location.
5. Improves management efficiency by enhancing the quality of information, excellent information communication etc.
(b) Recycle:
1. Dispose of e-waste as per regulations.
2. Discard unwanted equipment in an environmentally responsible manner.
3. Manufacturers must provide an option for how to dispose of equipment when it becomes unusable.
2. Since employees bring their own devices, this results in a decrease in the outlay of the organization. (Organizations need not purchase devices for their employees.) – (Lower IT budgets)
3. Since the devices belong to the employees, there is a cost saving, since IT doesn't have to provide user support and maintenance activities. – (Reduced IT support requirement)
4. In the case of a self-owned device, the user is efficient in working on his own device. Working on other devices involves a learning phase. – (Increased employee efficiency)
1. Implementation risks:
(a) This is exemplified and regarded as a "Weak BYOD policy".
(b) BYOD implementation must not cover only the technical aspects but also demands a robust (strong) policy.
(c) A weak BYOD policy may result in the failure to communicate employee expectations, thereby increasing the chances of device misuse.
2. Application risks:
(a) In general, employees' phones or smart devices that are connected to the corporate network are not protected by security software.
(b) Due to the increased use of mobile and similar devices, the vulnerabilities have consequently increased.
3. Network risks:
(a) This is exemplified and regarded as "Lack of device visibility".
(b) When an employee uses company assets, the IT function of the organization has full control over such devices and complete visibility of the devices connected to the network.
4. Device risks:
(a) This is exemplified (illustrated) by "Loss of Device".
(b) A lost or stolen computer device or mobile phone can have an adverse impact on the company, as these devices contain vital information about the company. With easy access to company mails, one can easily obtain the trade secrets of the organization.
1. Semantic Web:
• Provides the user a common platform where data can be used across organization, application and community boundaries. The data is readily available so that machines are able to analyze the data on their own.
2. Web Services:
• It is software that supports computer-to-computer interaction over the internet.
Applications→
(a) All home appliances are to be connected, and that shall create a virtual home. Homeowners can keep track of all activities in the house through their hand-held devices. Home security CCTV is also monitored through hand-held devices.
(b) Office machines shall be connected through the net.
(c) Governments can keep track of resource utilization / extra support needed.
(d) Some Definitions:
Models / Definition
Wearables
▪ Wearables are an important potential IoT application, like the Apple smartwatch.
Smart City
▪ Smart city is a big innovation.
▪ It spans a wide variety of use cases, from water distribution and traffic management to waste management etc.
Smart Grids
▪ Smart grids are another area of IoT technology.
▪ A smart grid promises to extract information on the behaviors of consumers and electricity suppliers in an automated way to improve the efficiency & reliability of electricity distribution.
Industrial Internet of Things (IoT)
▪ Industrial IoT means connected machines and devices in industries such as power generation, oil, gas, etc. for monitoring and improving control efficiency.
▪ With an IoT-enabled system, factory equipment that contains embedded sensors communicates data about different parameters, such as pressure, temperature, etc.
▪ The IoT system can also process workflow and change equipment settings to optimize performance.
Connected Car
▪ Connected car technology is a vast and extensive network of multiple sensors, antennas, embedded software, and technologies that assist in communication to navigate.
Connected Health
▪ IoT has various applications in healthcare, from remote monitoring equipment to advanced and smart sensors to equipment.
Smart Retail
▪ Retailers have started adopting IoT solutions. Using IoT embedded systems improves store operations, increasing purchases, better stock management and enhancing the consumer's shopping experience.
Smart Supply Chain
▪ Offering solutions to problems like tracking of goods while they are in transit.
Risks→
Risk to the manufacturers – B.O.A. (it is a snake, hence bad)
Impact on Business: Manufacturers may be out of business in a few years if IoT becomes a necessary product feature of the business.
Obsolescence of devices: Dismantling old products means disabling old operating software, and the buyer doesn't support old product data.
Analytics & Data storage: Manufacturers will have to ensure that the huge data generated from IoT devices is kept secured. Any sort of hacking & loss of data may prove detrimental to the business.
Risk to users of the products – S.A.P. (again a snake, "saap" in Hindi)
Security: As home devices and office equipment are connected to the network, they shall be hit by all network-related risks, including hacking, virus attacks, stealing of confidential data etc.
Autonomy, Privacy & control: Individuals may lose control over their personal life. The other major concern is who has the ownership of this personal data.
Technological Risks
De-standardization: Lack of technical standards, in terms of both hardware variations and differences in the software running on them, makes the task of developing applications tough.
Environment risk due to Technology
Impact on environmental resources: Here the impact on house air quality due to the use of heavy earth metals in devices is being studied. The risk is being considered in terms of resource depletion, harm to biodiversity, ecological balance disruption, nuclear and space waste etc.
Risks→
• AI relies heavily on the data it gets.
• AI (robots) carries a security threat.
• AI in the long term may kill the human skill of thinking the unthinkable. All the data shall be processed in a structured manner. These machines shall not have the capability of thinking out of the box.
Controls→
• The set of controls in AI will be extremely complex because of the nature of processing of information, and must be dealt with based on the nature of the AI tool and the purpose etc.
Step 1: A transaction, like sending money to someone, is initiated.
Step 2: The transaction is broadcasted via the network.
Step 3: The network validates the transaction using cryptography.
Step 4: The transaction is represented online as a block.
Step 5: The block is added to the existing blockchain.
Step 6: (not recoverable from the figure)
Application→
Below are the areas of application:
◼ Financial Services-
Blockchain can be used to provide an automated trade lifecycle in terms of a transaction log of any transaction of an asset or property, physical or digital.
◼ Healthcare-
Blockchain provides secure sharing of data in the healthcare industry by increasing the privacy, security, and interoperability of the data, by eliminating the interference of third parties and avoiding the overhead costs.
◼ Government-
Blockchain improves transparency and provides a better way to monitor and audit the transactions in these systems, where mostly all matters are decentralized.
◼ Travel Industry-
Blockchain can be applied in money transactions and in storing important documents like passports, reservations & managing travel insurance, loyalty etc.
◼ Economic Forecast-
Blockchain makes possible financial and economic forecasts based on decentralized prediction markets, decentralized voting & stock trading, thus enabling organizations to plan and shape their businesses.
Risks→
• Different blockchains carry different risk magnitudes, which may further lead to conflict when monitoring controls are designed for a blockchain.
• The reliability of financial transactions is dependent on the underlying technology, and any tampering may result in compromise of the information stored.
• In the absence of any central authority monitoring, there could be a challenge in the establishment of process control activities.
• As blockchain involves humongous data getting updated frequently, risk related to information overload could potentially challenge the level of monitoring required.
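The six steps above say that a validated transaction becomes a block that is appended to the existing chain, and the risk list warns that tampering may compromise the stored information. The following added example (not part of the notes or of any real blockchain implementation) shows the mechanism that ties those two statements together: every block carries the SHA-256 hash of the block before it, so editing an old block either breaks that block's own hash or breaks the back-link of the block after it. The field names, the transaction format and the sample amounts are assumptions made for the demo.

```python
"""Added example (not from the study notes): a toy hash-linked ledger.

Each block stores its transactions plus the hash of the previous block, so
editing any earlier block changes its hash and breaks every link after it.
Field names and the transaction format are assumptions for the demo.
"""
import hashlib
import json
from copy import deepcopy

GENESIS_PREV = "0" * 64  # the first block has no predecessor


def block_hash(block):
    """SHA-256 over the block's contents, excluding its own 'hash' field.

    sort_keys gives a canonical serialisation, so the same content always
    hashes to the same value regardless of dict insertion order.
    """
    body = {k: v for k, v in block.items() if k != "hash"}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(encoded).hexdigest()


def make_block(index, prev_hash, transactions):
    """Step 4 in the notes: represent a batch of validated transactions as a block."""
    block = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    block["hash"] = block_hash(block)
    return block


def append_block(chain, transactions):
    """Step 5: link a new block to the current tip of the chain."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS_PREV
    chain.append(make_block(len(chain), prev_hash, transactions))
    return chain


def verify_chain(chain):
    """Recompute every hash and check every back-link.

    Returns (True, None) for an intact chain, or (False, index) naming the
    first block whose stored hash or prev_hash no longer matches.
    """
    for i, block in enumerate(chain):
        if block["hash"] != block_hash(block):
            return False, i
        expected_prev = chain[i - 1]["hash"] if i > 0 else GENESIS_PREV
        if block["prev_hash"] != expected_prev:
            return False, i
    return True, None


def demo():
    # Constructed sample transactions (amounts in rupees, names are placeholders).
    chain = []
    append_block(chain, [{"from": "A", "to": "B", "amount": 500}])
    append_block(chain, [{"from": "B", "to": "C", "amount": 200}])
    append_block(chain, [{"from": "C", "to": "A", "amount": 50}])
    intact = verify_chain(chain)

    # Case 1: an old amount is edited but the block's hash is left as it was.
    edited = deepcopy(chain)
    edited[1]["transactions"][0]["amount"] = 2_000_000
    caught_at_block = verify_chain(edited)

    # Case 2: the editor also recomputes that block's hash; now the next
    # block's prev_hash points at a hash that no longer exists in the chain.
    edited[1]["hash"] = block_hash(edited[1])
    caught_at_link = verify_chain(edited)
    return intact, caught_at_block, caught_at_link


if __name__ == "__main__":
    print(demo())  # ((True, None), (False, 1), (False, 2))
```

The second tamper case is the one that matters for the "reliability depends on the underlying technology" risk: a lone editor can always recompute one hash, but cannot repair the links of every later block without the network re-validating them, which is what the cryptographic check in Step 3 is for.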
1. Overview of Banking:
Information Technology (IT) is an integral aspect of functioning of enterprises and professionals in
this digital age. The dependence on IT is such that the banking business cannot be thought of in
isolation without IT. There has been massive use of technology across many areas of banking
business in India. Banking is the engine of economic growth specifically in a rapidly developing
country like India with its diverse background, practices, cultures & large geographic dispersion of
citizens. Banking has played a vital and significant role in the development of the economy.
The changes in the banking scenario due to moving over to the Core Banking System and IT-based operations have enabled banks to reach customers and facilitate seamless transactions. The core banking system has enabled the following activities in all branches with lesser physical infrastructure-
1. Loan processing & sanctioning
2. Safe keeping of security documents
3. Post sanction monitoring & supervision of borrower’s accounts
4. Accounting of day-to-day transactions, receipts and payments of cash and cheques and updating
passbooks/statements.
Acceptance of Deposits
It involves deposits by customers in various schemes for pre-defined periods.
Deposits fuel the growth of banking operations; this is the most important
function of a commercial bank. Commercial banks accept deposits in various
forms such as term deposits, savings bank deposits, current account deposits,
recurring deposit, saving-cum-term deposit & various other innovative products.
Remittances
Remittances involve transfer of funds from one place to another. Below
are the most common modes of remittance of funds:
1. Demand drafts: are issued by one branch of the bank and are payable
by another branch of the Bank.
2. Mail Transfers: No instrument is handed over to the applicant.
Transmission of instrument is responsibility of the branch. Generally,
the payee of MT is an account holder of the paying branch.
3. Electronic Fund Transfers: This includes instantaneous transfer of
funds between two centers electronically. Some of the methods are-
• Real Time Gross Settlement (RTGS) - is an electronic form of
funds transfer where transmission takes place on real-time basis.
• National Electronic Funds Transfer (NEFT) - individuals can
electronically transfer funds from any bank branch to any
individual having an account with any other bank branch.
• Immediate Payment Service (IMPS) - IMPS offers an inter-bank
electronic fund transfer service through mobile phones even on
holidays (Unlike RTGS or NEFT).
Collections
Collections involve collecting proceeds on behalf of the customer. Customers can
lodge various instruments such as cheques, drafts, pay orders, travelers’ cheques,
dividend and interest warrants, tax refund orders, etc. Banks also collect
instruments issued by post offices, like national savings certificates, postal orders
etc.
Clearing
• It involves collecting instruments on behalf of customers of the bank. The instruments payable locally are collected through the clearing house mechanism.
• The instruments payable outside are sent by the bank with whom the instrument has been lodged, for collection, to the branches of the issuing bank. The clearing house settles the inter-bank transactions among the local participating member banks.
• MICR: It is technology which allows machines to read & process cheques, enabling thousands of cheque transactions in a short time.
• ECS: ECS is generally used for bulk transfers performed by institutions for making payments like dividend, interest, salary, pension, etc.
Debit Cards are issued by the bank where the customer is having their account. Debit cards facilitate customers to pay at any authorized outlet as well as to withdraw money from an ATM from their account.
Credit Cards: The processing of applications for issuance of credit cards is usually entrusted to a separate division at the central office of a bank. The dues against credit cards are collected by specified branches.
o Business Application:
▪ CBS is centralized banking application software that has several components which are designed to cater to the needs of the users.
o Delivery Channel:
▪ Branches function as a delivery channel, providing services to customers.
o Integration:
▪ CBS software enables integration of all third-party applications to facilitate simple and complex business processes.
o Customer Benefit:
▪ CBS brings significant benefits, such as a customer being a customer of the bank and not only of the branch.
Models / Definition
Back Office
▪ The Back Office is the portion of a company made up of administration and support personnel, who are not client-facing. It includes settlements, clearances, record maintenance, regulatory compliance, accounting etc.
Data Warehouse
▪ Data warehouses take care of the difficult data management & digesting of large quantities of data, ensure accuracy, and make it easier for professionals to analyze data.
Credit Card System
▪ The credit card system provides customer management, credit card management, account management, customer information management and general ledger functions.
▪ The system has a flexible parameter system and a complex organization support mechanism.
Automated Teller Machines (ATM)
▪ An Automated Teller Machine (ATM) is an electronic banking outlet that allows customers to complete basic transactions without the aid of a branch representative or teller. ATMs are convenient, allowing consumers to perform quick, self-serve transactions.
Central Server
▪ Most banks use core banking applications to support their operations, creating a Centralized Online Real-time Exchange (or Environment) (CORE).
▪ This means that all the bank's branches access applications from centralized data centers/servers.
Mobile Banking
▪ A service provided by a bank or other financial institution that allows its customers to conduct financial transactions remotely using a mobile device. It uses software, usually called an app. Mobile banking is usually available on a 24-hour basis.
Internet Banking
▪ It is an electronic payment system that enables customers of a bank or other financial institution to conduct a range of financial transactions.
▪ We can make and receive payments to our bank accounts, open Fixed and Recurring Deposits, view account details, request a cheque book and a lot more, when online.
Phone Banking
▪ Customers execute many of the banking transactional services through the Contact Centre of a bank over the phone.
▪ Registration of the mobile number in the account is one of the basic prerequisites to avail Phone Banking.
Branch Banking
▪ CBS enables a single view of customer data across all branches in a bank and thus facilitates information across the delivery channels. Branch functions→
▪ Initiating Beginning-Of-Day & End-of-Day operations.
▪ Reviewing reports for control and error correction etc.
In addition to the basic banking services that a bank provides through the use of CBS, the technology enables the bank to add the following features too:
Code to remember: P.AT.I. - C.U.R.E. ("money is the husband's cure") – CBS is the source of money
2. DATABASE SERVER:
▪ The Database Server of the Bank contains the entire data of the Bank. This data
includes information about accounts of the customers and master data.
▪ It also includes base rates for advances, FD rates, the rate for loans, penalty to be
levied etc.
▪ Application software would access the database server.
6. WEB SERVER:
▪ The Web Server is used to host all web services and internet related software.
▪ A Web server is a program that uses HTTP (Hypertext Transfer Protocol) to serve the
files that form Web pages to users, in response to their requests.
▪ Dedicated computers and appliances may be referred to as Web servers as well. All
computers that host Web sites must have Web server programs.
7. PROXY SERVER:
▪ A Proxy Server is a computer that offers a computer network service to allow clients
to make indirect network connections to other network services.
▪ A client connects to the proxy server, and then requests a connection, file, or other
resource available on a different server.
Application components of CBS (from the figure):
▪ Application Security
▪ Cyber Security
▪ Data Centre and Disaster Recovery
▪ Technology Centre
▪ Application Environment
▪ Online Transaction monitoring for fraud risk management
▪ Database Environment
Database Environment:
This consists of the centrally located database servers that store the data for all the branches of the bank, which includes customer master data, interest rates, account types etc. Whenever a customer requests a particular service to be performed, the application server performs the operation and updates the central database server. The databases are kept very secure to prevent any unauthorized changes.
Application Environment:
The application environment consists of application servers that host the different core banking systems like Flex Cube, bankMate etc. and is centrally used by different banks. Access to these application servers will generally be routed through a firewall.
Cyber Security:
A comprehensive Cyber Security Framework is prescribed by RBI for banks to ensure effective information security governance. Some key features of the Cyber Security Framework as prescribed by RBI for banks are as under-
b) Application security:
1. Implementation of bank-specific email domains with anti-phishing and anti-malware software, with controls enforced at the email solution.
2. Two-step authentication to be added to the log-in process, such as a code sent to the user's phone or a fingerprint scan, that helps verify the user's identity and prevent cybercrimes.
3. Implementation of a Password Management policy to provide guidance on creating and using passwords in ways that maximize the security of the password & minimize misuse of the password.
4. Effective training of employees to educate them to avoid clicking any links received via email.
5. Effective change management process to record/monitor all the changes that are moved/pushed into the production environment.
6. Capturing of the audit logs pertaining to user actions, and an alert mechanism to monitor any change in the log settings.
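Item 6 asks for two controls at once: user actions must be captured in audit logs, and any change to the log settings themselves must raise an alert (an attacker or insider who wants to hide activity will first reduce retention, lower the log level or switch off forwarding). The following added example, which is not from the notes or from any RBI document, runs that rule over a handful of constructed audit-log lines. The log format (a timestamp followed by key=value fields), the event name `audit_setting_change` and the `ticket` field that links a change to the change-management process of item 5 are all assumptions made for the demo.

```python
"""Added example (not from the notes or any RBI document): a small alert
rule over constructed CBS audit-log lines.

Every change to a log setting is alerted; a change with no change-management
ticket is treated as higher severity.  The log format, event names and the
ticket field are assumptions made for the demo.
"""
import re
from collections import Counter

# Constructed sample log lines: <timestamp> user=<id> event=<name> key=value ...
SAMPLE_LOG = """\
2022-11-02T09:01:10 user=teller07 event=login result=ok mfa=otp
2022-11-02T09:02:44 user=teller07 event=account_view acct=XXXX1234
2022-11-02T09:15:03 user=admin02 event=audit_setting_change setting=retention_days old=365 new=7 ticket=CHG-1182
2022-11-02T09:16:30 user=admin02 event=audit_setting_change setting=log_level old=INFO new=ERROR
2022-11-02T09:20:00 user=ops11 event=audit_setting_change setting=log_forwarding old=on new=off ticket=
2022-11-02T09:21:15 user=teller07 event=login result=fail mfa=otp
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line):
    """Turn one '<ts> key=value key=value' line into a dict; empty values allowed.

    Returns None for a line that does not follow the assumed format, so a
    malformed line never silently becomes an event.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = {"ts": m.group("ts")}
    for kv in m.group("kv").split():
        key, _, value = kv.partition("=")
        fields[key] = value
    return fields


def check_log_setting_changes(log_text):
    """Return one alert per audit-setting change found in the log text.

    The notes ask to monitor *any* change, so nothing is filtered out; a
    missing change ticket raises the severity because item 5 requires all
    production changes to be recorded through change management.
    """
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if not ev or ev.get("event") != "audit_setting_change":
            continue
        has_ticket = bool(ev.get("ticket"))
        alerts.append({
            "ts": ev["ts"],
            "user": ev.get("user"),
            "setting": ev.get("setting"),
            "change": f"{ev.get('old')} -> {ev.get('new')}",
            "severity": "medium" if has_ticket else "high",
        })
    return alerts


def summarize(alerts):
    """Count alerts by severity, handy for a daily control report."""
    return dict(Counter(a["severity"] for a in alerts))


if __name__ == "__main__":
    found = check_log_setting_changes(SAMPLE_LOG)
    for a in found:
        print(a)
    print(summarize(found))
```

In a real deployment the alert would be written to a system the same administrators cannot modify (a separate log collector or SIEM), otherwise the person changing the log settings can also delete the alert about it.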
Approval: The decision to implement CBS requires high investment and recurring costs
and will impact how banking services are provided by the bank. Hence, the decision must
be approved by the board of directors.
Selection: Although there are multiple vendors of CBS, each solution has key
differentiators. Hence, bank should select the right solution considering various
parameters as defined by the bank to meet their specific requirements and business
objectives.
Design and Develop/Procure: CBS solutions were earlier developed in-house by the bank. Currently, most CBS deployments are procured. There should be appropriate controls covering the design, development or procurement of CBS for the bank.
Testing: Extensive testing must be done before CBS is made live. Testing is to be done at different phases: at the procurement stage to test suitability, at data migration to ensure all existing data is correctly migrated, and testing to confirm that processing of various types of transactions of all modules produces the correct results.
Implementation: CBS must be implemented as per pre-defined and agreed plan with
specific project milestones to ensure successful implementation.
Maintenance: CBS must be maintained as required. E.g., program bugs fixed, version
changes implemented, etc.
Audit: Audit of CBS must be done internally and externally as required to ensure that
controls are working as envisaged.
Compliance Risk:
Compliance risk is exposure to legal penalties, financial penalty and material loss an organization faces
when it fails to act in accordance with industry laws and regulations, internal policies or prescribed best
practices.
Credit Risk: It is the risk that an asset or a loan becomes irrecoverable in the case of outright default.
Market Risk: Refers to the risk of losses in the bank's trading book due to changes in equity prices, interest rates etc.
Strategic Risk: Can be defined as the risk that earnings decline due to a changing business environment.
5.2 IT Risk:
Once the complete business is captured by technology and processes are automated in CBS;
the Data Centre (DC) of the bank, customers, management and staff are completely
dependent on the DC. Some of the common IT risks related to CBS are as follows:
▪ Ownership of Data/ process: Data resides at the Data Centre. Establish clear ownership.
▪ Authorization process: Anybody with access to the CBS, including the customer himself,
can enter data directly. What is the authorization process?
▪ Access Controls:
Designing and monitoring access control is an extremely challenging task. Bank
environments are subject to all types of attacks. Access control, however, does vary
between branch networks and head office locations.
▪ Change Management:
Required at the application level and at the data level of the database: master files, transaction files and reporting software.
4. Reports:
▪ Summary of transactions of day and Daily General Ledger (GL) of day
▪ Activity Logging and reviewing & MIS report for each product or service.
▪ Reports covering performance/compliance & exception.
• Once the potential customer agrees to avail the facilities/products of the bank, the relationship manager requests the relevant documents, i.e., KYC and other relevant documents of the customer depending upon the facility/product.
• The documents received from the customers are handed over to the credit team for sanctioning of the facilities/limits of the customers.
• The credit team verifies the documents, assesses the financial and credit worthiness of the borrower, issues a credit limit to the customer in CBS and allots a credit card.
• The POS (Point of Sale) will process the transaction only once it is authenticated.
• The POS will send the authentication request to the merchant's bank (also referred to as the "acquiring bank"), which will then send the transaction authentication verification details to the credit card network (such as VISA, MASTERCARD, AMEX, RUPAY), from which the data will be validated by the credit card issuing bank. Acquirer bank→Card network→Issuing bank
• Once the transaction is validated, the approval message is received from the credit card issuing bank by the credit card network, which then flows to the merchant's bank and approves the transaction in the POS machine. (After approval: issuing bank to POS merchant)
• The receipt of the transaction is generated and the sale is completed.
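The authorization path described above (POS → acquiring bank → card network → issuing bank, and the approval flowing back the same way) is easier to follow when each party is a small object that hands the request to the next one. The following added example is not from the notes and does not model any real card network: the bank names, the BIN routing table, the credit limits held "in CBS", and the masked card numbers are all constructed for the demo, and the many checks a real issuer performs (expiry, CVV, fraud scoring, velocity rules) are left out so that the message path and the credit-limit decision stay visible.

```python
"""Added example (not from the notes): a simulation of the card authorization
message path, POS -> acquiring bank -> card network -> issuing bank and back.

Bank names, BIN routing, credit limits and card numbers are constructed for
the demo.  Real networks use ISO 8583 messages and far more checks.
"""
from dataclasses import dataclass, field


@dataclass
class AuthRequest:
    card_number: str
    amount: float
    merchant_id: str
    hops: list = field(default_factory=list)  # who handled the message, in order


@dataclass
class AuthResponse:
    approved: bool
    reason: str
    hops: list  # same list as the request, so the reader sees the full path


class IssuingBank:
    """Holds the customer's available credit (as CBS would) and decides."""

    def __init__(self, name, limits):
        self.name = name
        self.limits = dict(limits)  # card number -> available credit

    def authorize(self, req):
        req.hops.append(self.name)
        available = self.limits.get(req.card_number)
        if available is None:
            return AuthResponse(False, "unknown card", req.hops)
        if req.amount > available:
            # The limit set at sanction time is enforced here, on every swipe.
            return AuthResponse(False, "insufficient credit limit", req.hops)
        self.limits[req.card_number] = available - req.amount  # hold the amount
        return AuthResponse(True, "approved", req.hops)


class CardNetwork:
    """Routes on the first six digits (BIN) to the bank that issued the card."""

    def __init__(self, name, bin_table):
        self.name = name
        self.bin_table = bin_table  # BIN -> IssuingBank

    def route(self, req):
        req.hops.append(self.name)
        issuer = self.bin_table.get(req.card_number[:6])
        if issuer is None:
            return AuthResponse(False, "no issuer for BIN", req.hops)
        return issuer.authorize(req)


class AcquiringBank:
    """The merchant's bank: forwards the request onto the network."""

    def __init__(self, name, network):
        self.name = name
        self.network = network

    def forward(self, req):
        req.hops.append(self.name)
        return self.network.route(req)


class PointOfSale:
    def __init__(self, merchant_id, acquirer):
        self.merchant_id = merchant_id
        self.acquirer = acquirer

    def charge(self, card_number, amount):
        req = AuthRequest(card_number, amount, self.merchant_id, ["POS"])
        return self.acquirer.forward(req)


def build_demo():
    # Constructed parties; "411111XXXX1111" is a masked placeholder, not a card.
    issuer = IssuingBank("IssuingBank", {"411111XXXX1111": 50_000.0})
    network = CardNetwork("CardNetwork", {"411111": issuer})
    acquirer = AcquiringBank("AcquiringBank", network)
    return PointOfSale("MERCHANT-01", acquirer)


if __name__ == "__main__":
    pos = build_demo()
    print(pos.charge("411111XXXX1111", 12_000))   # approved, four hops
    print(pos.charge("411111XXXX1111", 45_000))   # declined: only 38,000 left
    print(pos.charge("511111XXXX2222", 100))      # declined at the network: unknown BIN
```

Note where each decline happens: an unknown BIN never reaches any issuer, while the credit-limit decision is taken only by the issuing bank, which is why the notes place the limit in CBS rather than at the merchant or the acquirer.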
6.5 Process flow of clearing and settlement process of credit card facility:
• The transaction data from the merchant is transferred to the merchant's bank. The merchant's bank clears the settlement amount to the merchant after deducting merchant fees. The merchant's bank, in turn, now provides the list of settlement transactions to the credit card network, which then provides the list of transactions made by the customer to the credit card issuing bank.
• The credit card issuing bank, on the basis of the transactions made, clears the amount to the merchant's bank after deducting interchange transaction fees.
• At the end of the billing cycle, the card issuing company charges the customer's credit card account with those transactions in CBS.
Here the customer already has an existing loan and is applying for
additional amount either for refurbishment or renovation of the house
Core areas of treasury operation: Below are the 3 major categories of treasury operations:
FRONT OFFICE→
1. The Front Office operations consist of dealing room operations, wherein the dealers enter into deals with various corporate and interbank counter-parties.
2. Deals are entered by dealers on various trading/communication platforms such as the Reuters system, telephonic conversation, brokers or any other private channel. The dealers are primarily responsible for checking counter-party credit limits, eligibility, and other requirements of the bank before entering into the deal with the customers.
3. Dealers must ensure that all risk/credit limits are available before entering into a deal.
MIDDLE OFFICE→
1. The Middle Office includes risk management, responsibility for treasury accounting, and documentation of various types.
2. Responsibilities also include producing the financial results, analysis and budget forecasts for the treasury business unit, and input into regulatory reporting.
3. It is also responsible for monitoring of counter-party, country, dealer and market-related limits that have been set and approved.
4. Risk: Credit line setup can be breached in the loan disbursement system/CBS.
   Control: The loan disbursement system/CBS restricts booking of loans/facilities if the limit assigned to the customer is breached.
5. Risk: A lower rate of interest/commission may be charged to the customer.
   Control: The loan disbursement system/CBS restricts booking of loans/facilities if the rate charged to the customer is not as per the defined masters in the system.
Stages of Money Laundering
Layering: This involves the separation of proceeds from the illegal source using complex transactions designed to obscure the audit trail and hide the proceeds. Layering involves sending the money through various financial transactions to change its form and make it difficult to follow.
Integration: Integration involves conversion of illegal proceeds into apparently legitimate business earnings through normal financial or commercial operations. Integration creates the illusion of a legitimate source for criminally derived funds and involves techniques as numerous and creative as those used by legitimate businesses.
Anti-Money Laundering using technology
• Negative publicity, damage to reputation and loss of goodwill, legal and regulatory sanctions and an adverse effect on the bottom line are all possible consequences of a bank's failure to manage the risk of money laundering.
• Banks face the challenge of addressing the threat of money laundering on multiple fronts, as banks can be used as the primary means for transfer of money across geographies.
• With regulators adopting stricter regulations on banks & enhancing their enforcement efforts, banks are using special fraud and risk management software to prevent and detect fraud.
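The "fraud and risk management software" mentioned above is, at its simplest, a set of rules run over the transaction stream. One of the oldest rules targets the layering pattern the notes describe: many deposits each kept below a reporting threshold that together add up to a large sum in a short period. The following added example (not from the notes, and not any bank's actual rule set) implements that rule over constructed deposit records, grouping sub-threshold deposits per account per calendar month. The reporting threshold, the minimum count and the review total are assumed values for the demo; a real program tunes them against its own data and regulator guidance.

```python
"""Added example (not from the notes, not any bank's actual rule set): a
simple structuring rule of the kind AML software runs over deposits.

Sub-threshold deposits are grouped per account per month and the account is
flagged when many of them add up past a review limit.  Thresholds and the
sample deposits are constructed for the demo.
"""
from collections import defaultdict
from datetime import date

# Constructed sample deposits: (account, date, amount in rupees).
SAMPLE_DEPOSITS = [
    ("ACC-1001", date(2022, 3, 1), 95_000),
    ("ACC-1001", date(2022, 3, 3), 48_000),
    ("ACC-1001", date(2022, 3, 7), 99_500),
    ("ACC-1001", date(2022, 3, 12), 60_000),
    ("ACC-1001", date(2022, 3, 19), 87_000),
    ("ACC-1001", date(2022, 3, 26), 92_000),
    ("ACC-2002", date(2022, 3, 5), 1_500_000),   # one large deposit: reported on its own
    ("ACC-3003", date(2022, 3, 9), 40_000),
    ("ACC-3003", date(2022, 4, 9), 40_000),      # same amounts, but in different months
]

REPORT_THRESHOLD = 100_000   # assumed: deposits at/above this are reported individually
MIN_COUNT = 5                # assumed: how many sub-threshold deposits look suspicious
REVIEW_TOTAL = 400_000       # assumed: monthly sub-threshold total that triggers review


def monthly_structuring_alerts(deposits, report_threshold=REPORT_THRESHOLD,
                               min_count=MIN_COUNT, review_total=REVIEW_TOTAL):
    """Return one alert per (account, month) that matches the structuring rule.

    Only deposits below the reporting threshold are counted, because those
    are the ones that escape the individual report; the alerts come back
    sorted by account and month so the output is stable for review.
    """
    buckets = defaultdict(list)
    for account, when, amount in deposits:
        if amount < report_threshold:
            buckets[(account, when.year, when.month)].append(amount)

    alerts = []
    for (account, year, month), amounts in sorted(buckets.items()):
        total = sum(amounts)
        if len(amounts) >= min_count and total >= review_total:
            alerts.append({
                "account": account,
                "month": f"{year}-{month:02d}",
                "count": len(amounts),
                "total": total,
            })
    return alerts


if __name__ == "__main__":
    for alert in monthly_structuring_alerts(SAMPLE_DEPOSITS):
        print(alert)  # ACC-1001 for 2022-03: 6 deposits totalling 481,500
```

An alert is a prompt for a human review, not a conclusion: the rule produces false positives for legitimate cash businesses, which is why the notes frame the software as helping banks "prevent and detect" rather than decide.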
▪ The largest stakeholders of SPDI include banks, apart from insurance companies, financial institutions, hospitals, educational institutions, etc.
▪ Every bank should develop, communicate and host the privacy policy of the bank. The policy should include all key aspects of how they deal with the personal information collected by the bank. To provide a practical perspective of how compliance with the provisions of the IT Act, specifically those relating to privacy and protection of personal information, is achieved, the next section provides an overview of the requirements of the privacy policy of a bank.
The detail of this concept has been discussed in Chapter 1 of the study material.
Ques 1-
Mr. Shoren has recently been associated with the procurement and sale of drugs and narcotic substances without a licence, which is illegal as per the Narcotic Drugs and Psychotropic Substances Act, 1985. A major part of the sale proceeds, amounting to ₹ 65 lakhs, was collected and routed through various bank accounts held in SNFC Bank, which was subsequently advanced to various bogus companies, and a series of transactions was initiated to make the money appear to have been obtained from a legal, legitimate source. These activities were carried out with the assistance of one of the employees of SNFC Bank, Mr. Sushil, who intentionally altered a few computer source codes so that no records of the major transactions that took place could be found in the database. A series of transactions ranging from ₹ 10,000 to ₹ 1 lakh was initiated in a month for depositing the amount of ₹ 65 lakhs in SNFC Bank.
However, SNFC Bank had failed to keep proper records of information relating to a few of the transactions as they were not of substantial amount. Furthermore, it was later found that one of the staff members of SNFC Bank, whose relative was an insurance agent, used to obtain medical information of customers having accounts with the bank for obtaining personal benefits. Answer the following questions-
1. Which amongst the following activities carried out by Mr. Shoren could be considered as an
offence of Money Laundering:
(a) Expenses incurred for procurement of narcotic drugs
(b) Sale of narcotic drugs without a license
(c) Routing the illegal proceeds through bank & other transactions to appear as obtained
from legitimate source.
(d) Being a part of the cartel/association carrying out illegal sale of drugs.
2. An employee of SNFC Bank, Mr. Sushil, had assisted Mr. Shoren in routing the illegal money through the bank by altering the computer source code so that the major transactions' amounts were not traceable in the bank's database. Under which Section of the IT Act, 2000 is this act of Mr. Sushil punishable?
(a) Section 66E
(b) Section 66B
(c) Section 65
(d) Section 66D
3. Mr. Shoren was involved in the collection and sale of illegal drugs and got routing done
through various banking transactions and advances to bogus companies. Which stages of
Money Laundering process address these aforesaid activities?
(a) Placement and Integration
(b) Layering and Integration
(c) Placement and Layering
(d) Placement, Layering and Integration
4. SNFC Bank failed to maintain records of information relating to banking transactions carried out by Mr. Shoren as many of the transaction amounts were not substantial. Also, the privacy regarding the details of the medical history of its customers was breached. Which kind of risk would SNFC Bank be exposed to if it has to face legal penalties because it had failed to act in accordance with laws and requirements as per the Prevention of Money Laundering Act (PMLA)?
(a) Legal and Compliance Risk
(b) Compliance and Information Security Risk.
(c) Information Security and People Risk
(d) Transaction processing and Legal risk
Solution 1-
Q. | Answer | Answer Description
1 | (c) | Routing the illegal proceeds through bank & other transactions to appear as obtained from legitimate source.
2 | (c) | Section 65
3 | (c) | Placement and Layering
4 | (b) | Compliance and Information Security Risk.
Ques 2-
GNI Bank is one of the age-old conventional banks which offers an array of banking services like EFTs, collections, clearing, letters of credit/guarantees, etc. to its customers. To provide the latest functionalities and to improve the overall efficiency of its banking services, it has recently implemented a core banking solution. It has also put in place the necessary controls to safeguard its business from being exposed to probable IT risks.
Mr. Doshi, a senior software developer having a savings bank account with GNI Bank, has requested internet banking facilities. He has also applied and produced all the necessary documents for availing a housing loan from the said bank. Though the procedures followed for sanctioning housing loans are quite stringent, GNI Bank offers a floating interest rate on its loans and offers comparatively higher interest rates on its fixed deposits than the other banks in the state. Answer the following questions-
1. Given below are the features of the Core Banking Solution recently implemented by GNI Bank that prove advantageous to both the bank and its customers. Which among the following advantages would relate the most to Mr. Doshi, who has recently availed a housing loan, in terms of easy and effortless internet banking?
(a) Reliance on transaction balancing
(b) Highly dependent system-based controls
(c) Daily, half yearly and annual closing
(d) Automatic processing of standing instructions
2. GNI Bank during this stage of the loan processing of Mr. Doshi, checks the borrower’s ability
to repay the loan based on an analysis of his credit history, and his earning capacity. This
process which forms a major aspect in loan approvals is referred to as _____
(a) Clearing
(b) Underwriting
(c) Collections
(d) Letter of Credit
3. GNI Bank has also implemented the necessary controls to ensure safeguards against exposure to IT risks. As a practice, whenever a connection is made to a website in another network, it is routed through a particular server. Which among the following servers would be utilised for making connections with other network services?
(a) Web Server
(b) Application Server
(c) Proxy Server
(d) Database Server
4. GNI Bank has also implemented the necessary controls to ensure safeguards against exposure to IT risks. Which among the following controls could be implemented when risk arises due to a lack of, or inadequate, management direction and commitment to protect information assets?
(a) The identity of users is authenticated to the systems through passwords.
(b) Security policies are established and management monitors compliance with policies.
(c) Access to sensitive data is logged and the logs are regularly reviewed by management.
(d) Physical access restrictions are implemented and administered.
Solution 2-
Q. | Answer | Answer Description
1 | (d) | Automatic processing of standing instructions
2 | (b) | Underwriting
3 | (c) | Proxy server
4 | (b) | Security policies are established and management monitors compliance with policies.