Inter CA EIS - Chapter 1

This document discusses automated business processes in three chapters. It defines key terms like business process and business process management. It explains that an enterprise information system (EIS) integrates and coordinates business processes across an organization for improved functions. Business processes are categorized as operational, supporting, or management processes. Operational processes deliver value to customers directly, like the order to cash cycle. Supporting processes back operational processes, like human resource management or accounting. Management processes oversee the business, like strategic planning or compliance.
CHAPTER 1 : AUTOMATED BUSINESS PROCESSES

CHAPTER OVERVIEW

Enterprise Business Process
• Categories: Operational, Supporting, Management
• Automation: Objectives, Benefits, Implementation
• Risk Management & Controls
• Specific Business Processes: Procure to Pay (P2P), Order to Cash (O2C), Inventory Cycle, Human Resources, Fixed Assets, General Ledger
• Diagrammatic Representation: Flowcharts, Data Flow Diagrams
• Regulatory and Compliance Requirements: The Companies Act, 2013; IT Act, 2000

1. Explain Enterprise Information System (EIS)


Ans. An Enterprise Information System (EIS) may be defined as any kind of information system
which improves the functions of an enterprise's business processes by integration. This
classically means offering high quality services, dealing with large volumes of data and
being capable of supporting some huge and possibly complex organization or enterprise. All
parts of an EIS should be usable at all levels of an enterprise as relevant. An EIS provides a
technology platform that enables organizations to integrate and coordinate their
business processes on a robust foundation. An EIS provides a single system that is central
to the organization and ensures that information can be shared across all functional levels
and management hierarchies. It may be used to amalgamate existing applications. An
EIS can be used to increase business productivity and reduce service cycles, product
development cycles and marketing life cycles. Other outcomes include higher
operational efficiency and cost savings.

For example, when a customer places an order, the data flows automatically to the other
parts of the company that are affected by it, leading to enhanced coordination
between these different parts of the business, which in turn lowers costs and increases
customer satisfaction.
• The order transaction triggers the warehouse to pick the ordered products and
schedule shipment.

• The warehouse informs the factory to replenish whatever has been depleted.

• The accounting department is notified to send the customer an invoice.

• Customer service representatives track the progress of the order through every step to
inform customers about the status of their orders.


2. Explain the following terms:
• Business Process
• Business Process Management

Ans. Business Process:
A Business Process is an activity or set of activities that will accomplish a specific
organizational goal. Business processes are designed as per the vision and mission of top
management. Business processes are a reflection of the entity's management thought
process. The success or failure of an organization depends on how meticulously
business processes have been designed and implemented.
Business Process Management (BPM):
Business Process Management (BPM) helps an organization achieve the 3E's for business
processes, namely Effectiveness, Efficiency and Economy. BPM is a systematic approach to
improving these processes. Business Process Management is an all-round activity
working on a 24x7 basis to ensure improvement in all parameters all the time. The key
components of business process are outlined below.

The details of these processes are shown in the figure below (the boxes of the figure are listed here):

Vision, Strategy, Operational Processes with Cross Functional Linkages:
• Business Management: Vision and Strategy
• Develop and Manage Products and Services
• Market and Sell Products and Services
• Deliver Products and Services
• Manage Customer Services

Management and Support Processes:
• Business Financial Planning, Merger Acquisition Management
• Human Resource Management
• Information Technology Management
• Facilities Management
• Legal, Regulatory, Environment, Health & Safety Governance and Compliance
• Knowledge, Improvement and Change Management
• External Relationship Management


3. In Enterprise Business Processes, what is the difference between Operational Processes,
Supporting Processes and Management Processes? Give examples.

Ans. Depending on the organization, industry and nature of work, business processes are often
broken up into different categories as shown below.

Categories of Business Processes: Operational Processes, Supporting Processes, Management Processes

I. Operational Processes (or Primary Processes)


Operational or Primary Processes deal with the core business and value chain. These
processes deliver value to the customer by helping to produce a product or service.
Operational processes represent essential business activities that accomplish
business objectives, e.g. generating revenue (Order to Cash cycle), procurement
(Purchase to Pay cycle).
Order to Cash Cycle (Example)
Order to Cash (OTC or O2C) is a set of business processes that involves receiving and
fulfilling customer requests for goods or services.
An order to cash cycle consists of multiple sub-processes as shown in the Fig.
• Customer Order: Customer order received is documented.
• Order Fulfillment: Order is fulfilled or service is scheduled.
• Delivery Note: Order is shipped to customer or service is performed with delivery
note.
• Invoicing: Invoice is created and sent to customer.
• Collections: Customer sends payment /collection.
• Accounting: Collection is recorded in general ledger.

Figure: Order to Cash Cycle: Customer Order → Order Fulfilment → Delivery Note → Invoicing → Collection → Accounting


II. Supporting Processes (or Secondary Processes)
Supporting Processes back core processes and functions within an organization.
Examples of supporting processes include Accounting, Human Resource (HR)
Management and Information Technology. One key differentiator between
operational and support processes is that support processes do not provide value to
customers directly. However, it should be noted that hiring the right people for the
right job has a direct impact on the efficiency of the enterprise.


Human Resource Management (Example)
The main HR Process Areas are grouped into logical functional areas and they are as
follows:
• Recruitment and Staffing
• Personnel Management
• Training and Development
• Time & Attendance
• Payroll Management
• Appraisal Management

III. Management Processes


Management processes measure, monitor and control activities related to business
procedures and systems. Examples of management processes include strategic
planning, budgeting, and governance. Like supporting processes, management
processes do not provide value directly to the customers.
However, they have a direct impact on the efficiency of the enterprise.
Budgeting (Example)
Referring to the following Fig., in any enterprise, budgeting needs to be driven by the
vision (what the enterprise plans to accomplish) and the strategic plan (the steps to get
there). Having a formal and structured budgeting process is the foundation for good
business management, growth and development.

Figure: Budgeting Process: Strategic Vision → Business Plan → Goal → Revenue Projection → Cost Projection → Profit Projection → Board Approval → Budget Review

Business Process Automation


4. Explain Business Process Automation
Ans. • Today technology innovations are increasing day by day, technology is becoming
easily available, the cost of accessing and using technology is going down, and internet
connectivity in terms of speed and geographical spread is increasing day by day. All
these factors are having a profound impact on the business processes being used by
entities.


• Today most of the business processes have been automated to make enterprises
more efficient and to handle the large volumes of transactions in today's world.
This is what has led to Business Process Automation (BPA).
• Business Process Automation (BPA) is the technology-enabled automation of
activities or services that accomplish a specific function and can be implemented
for many different functions of company activities, including sales,
management, operations, supply chain, human resources, information
technology, etc.
• In other words, BPA is the tactic a business uses to automate processes to operate
efficiently and effectively.
• It consists of integrating applications and using software applications
throughout the organization.
• BPA is the tradition of analyzing, documenting, optimizing and then automating
business processes.

5. Explain the success factors while implementing BPA in an organization.

Ans. The key objectives of BPA are to provide efficient and effective business processes. The
success of any business process automation shall only be achieved when BPA ensures:
• Integrity: To ensure that no unauthorized amendments can be made in the data, i.e.
data is error free.
• Confidentiality: To ensure that data is only available to persons who have the right to see
the same;
• Availability: To ensure that data is available as and when required.
• Timeliness: To ensure that data is made available at the right time.
In order to successfully achieve the above parameters, BPA needs to implement appropriate
controls.


6. Which Business Processes should be automated?


Ans. BPA offers many advantages to the business but every business process is not a good fit
for automation. Companies tend to automate those business processes that are time and
resource-intensive operationally or those that are subject to human error. Following are
the few examples of processes that are best suited to automation:
• Processes involving high-volume of tasks or repetitive tasks: Many business processes
such as making purchase orders involve a high volume of repetitive tasks. Automating
these processes results in cost and work effort reductions.

• Processes requiring multiple people to execute tasks: A business process which
requires multiple people to execute tasks often results in waiting time that can lead to
an increase in costs, e.g. help desk services. Automating these processes results in
reduction of waiting time and cost.

• Time-sensitive processes: Time-sensitive processes are those processes that need to be
performed within a given time period. Time-sensitive processes are best suited for
automation. For example, online banking systems, railway/aircraft operating and
control systems etc.

• Processes involving need for compliance and audit trail: With business process
automation, every detail of a particular process is recorded. These details can be used
to demonstrate compliance during audits, for example invoices issued to vendors.
Hence those activities or tasks where the compliance report or audit trail is
particularly important should be automated.

• Processes having significant impact on other processes and systems: Some processes
are cross-functional and have significant impact on other processes and systems.
Automating these processes results in sharing information and improving the
efficiency and effectiveness of business processes.


7. Explain challenges involved in BPA


Ans. Automated processes are susceptible to many challenges, some of which are discussed
below:

• Automating Redundant Processes: Sometimes organizations start off an automation
project by automating the processes they find suitable for automation without
considering whether such processes are necessary and create value. In other cases,
some business processes and tasks require a high amount of tacit knowledge (that
cannot be documented and transferred from one person to another) and therefore
require employees to use their personal judgment. These processes are generally not
good candidates for automation as they are hard to encode and automate.

• Defining Complex Processes: BPA requires reengineering of some business processes,
which requires a significant amount of time to be allocated and spent at this stage. This
requires a detailed understanding of the underlying business processes to develop an
automated process.

• Staff Resistance: In most cases, human factor issues are the main obstacle to the
acceptance of automated processes. Staff may see process automation as a way of
reducing their decision-making power. This is because with automated processes the
management has greater visibility of the process and can make decisions that used to
be made by the staff earlier. Moreover, the staff may perceive automated processes as
a threat to their jobs.

• Implementation Cost: The implementation of automated processes may be an
expensive proposition in terms of acquisition/development cost of automated
systems and the special skills required to operate and maintain these systems.

8. What are the benefits of Automating Business Processes?


Ans. Time Saving
• Automation reduces the number of tasks employees would otherwise need to do
manually.


• It frees up time to work on items that add genuine value to the business, allowing
innovation and increasing employees' levels of motivation.

Reduced Costs
• Manual tasks, given that they are performed one-at-a-time and at a slower rate
than an automated task, will cost more. Automation allows us to accomplish more
by utilising fewer resources.

Improved Operational Efficiency
• Automation reduces the time it takes to achieve a task, the effort required to
undertake it and the cost of completing it successfully.
• Automation not only ensures systems run smoothly and efficiently, but that errors
are eliminated and that best practices are constantly leveraged.

Quality & Consistency
• Ensures that every action is performed identically, resulting in high quality, reliable
results; stakeholders will consistently experience the same level of service.

Visibility
• Automated processes are controlled and consistently operate accurately within the
defined timeline. It gives visibility of the process status to the organization.

Reliability
• The consistency of automated processes means stakeholders can rely on business
processes to operate and offer reliable processes to customers, maintaining a
competitive advantage.

9. Explain How to go about BPA? (Explain steps in implementing Business Process Automation.)
Ans. Business process automation is a complex task, especially for organizations involved in
complex processes. In addition, it is difficult to automate all the business processes;
therefore the organization should analyze the critical processes which will provide better
benefits through automation.
The steps to go about implementing business process automation:


Step 1: Define why we plan to implement a BPA - The primary purpose for which enterprise
implements automation may vary from enterprise to enterprise.
• Errors in manual processes leading to higher costs.
• Payment processes not streamlined, due to duplicate or late payments, missing early
pay discounts, and losing revenue.
• Paying for goods and services not received.
• Poor debtor management leading to high invoice aging and poor cash flow.
• Not being able to find documents quickly during an audit or law suit or not being able
to find all documents.
• Poor customer service.

Step 2: Understand the rules / regulations with which the enterprise needs to comply - One of
the most important steps in automating any business process is to understand the rules
of engagement, which include the rules, adhering to regulations and document retention
requirements, i.e. BPA should be as per applicable laws and policies. It is important to
understand that laws may require documents to be retained for a specified number of
years and in a specified format. The entity needs to ensure that any BPA adheres to the
requirements of law.

Step 3: Document the process, we wish to automate - At this step, the processes which
organization wants to automate should be documented. The processes are designed on
paper or with computer software. The design of the process is normally prepared with
flowcharts.
The key benefits of documenting the processes are:
• Provides clarity about the processes
• It helps to determine the problems and issues in the processes

Step 4: Define the objectives / goals to be achieved by implementing BPA - Once the above
steps have been completed, entity needs to determine the key objectives / reasons of the
process improvement activities. The BPA needs to follow the SMART principle i.e.;
• Specific: Clearly defined,
• Measurable: Easily quantifiable in monetary terms,
• Attainable: Achievable through best efforts,

• Relevant: Entity must be in need of these, and
• Timely: Achieved within a given time frame.

Step 5: Engage the business process consultant - To achieve BPA, decide which company /
consultant to partner with, depends upon following:
• Objectivity of consultant in understanding/evaluating entity situation.
• Does the consultant have experience with entity business process?
• Is the consultant experienced in resolving critical business issues?
• Whether the consultant is capable of recommending and implementing a
combination of hardware, software and services as appropriate to meeting
enterprise BPA requirements?

Step 6: Calculate the ROI for project - The right stakeholders need to be engaged and
involved to ensure that the benefits of BPA are clearly communicated and
implementation becomes successful.
Some of points which may justify BPA implementation are;
• Cost Savings, being clearly computed and demonstrated.
• How BPA could lead to reduction in required manpower leading to no new recruits
need to be hired and how existing employees can be re-deployed or used for further
expansion.
• Savings in employee salary by not having to replace those due to attrition.
• The cost of space regained from paper, file cabinets, reduced.
• Eliminating fines to be paid by entity due to delays being avoided.
• Reducing the cost of audits and lawsuits.
• Taking advantage of early payment discounts and eliminating duplicate payments.
• New revenue generation opportunities.
• Collecting accounts receivable faster and improving cash flow.

Step 7: Developing the BPA - Once the requirements have been documented, the ROI has been
computed and top management approval to go ahead has been received, the consultant
develops the requisite BPA.


Step 8: Testing the BPA - Once developed, it is important to test the new process to
determine how well it works and the process of testing is an iterative process, the
objective being to remove all problems during this phase.

Summary of the steps:
• Step 1: Define why we plan to implement BPA? The answer to this question will provide
justification for implementing BPA.
• Step 2: Understand the rules/regulation under which it needs to comply with? The
underlying issue is that any BPA created needs to comply with applicable laws and
regulations.
• Step 3: Document the process we wish to automate. The current processes which are
planned to be automated need to be correctly and completely documented at this step.
• Step 4: Define the objectives/goals to be achieved by implementing BPA. This enables
the developer and user to understand the reasons for going for BPA. The goals need to
be precise and clear.
• Step 5: Engage the business process consultant. Once the entity has been able to define
the above, the entity needs to appoint an expert who can implement it for the entity.
• Step 6: Calculate the ROI for the project. The answer to this question can be used for
convincing top management to say 'yes' to the BPA exercise.
• Step 7: Development of BPA. Once the top management grant their approval, the right
business solution has to be procured and implemented or developed and implemented
covering the necessary BPA.
• Step 8: Testing the BPA. Before making the process live, the BPA solutions should be
fully tested.

10. What is risk and state its sources?

Ans. Risk is any event that may result in a significant deviation from a planned objective
resulting in an unwanted negative consequence. The planned objective could be any
aspect of an enterprise's strategic, financial, regulatory and operational processes,
products or services. The degree of risk associated with an event is determined by the
likelihood (uncertainty, probability) of the event occurring, the consequences (impact) if
the event were to occur and its timing.

Figure: Business Automation Risk: Business Risk, Technology Risk, Data Related Risk

Sources of Risk
The most important step in the risk management process is to identify the sources of risk, the
areas from where risks can occur. This gives information about the possible threats and
vulnerabilities, and accordingly an appropriate risk mitigation strategy can be adopted.
Some of the common sources of risk are Commercial and Legal Relationships, Economic
Circumstances, Human Behavior, Natural Events, Political Circumstances, Technology
and Technical Issues, Management Activities and Controls, and Individual Activities.
Broadly, risk has the following characteristics:
• Potential loss that exists as the result of the threat/vulnerability process;
• Uncertainty of loss expressed in terms of probability of such loss; and
• The probability/likelihood of a threat agent mounting a specific attack against a
particular system.

11. Explain the types of Business Risks.

Ans. Business Risks: Businesses face all kinds of risks, ranging from serious loss of profits to even
bankruptcy; these are discussed below:
• Strategic Risk: These are the risks that would prevent an organization from
accomplishing its objectives (meeting its goals). Examples include risks related to
strategy, political, economic, regulatory, and global market conditions; also, could
include reputation risk, leadership risk, brand risk, and changing customer needs
• Financial Risk: Risk that could result in a negative financial impact to the
organization (waste or loss of assets). Examples include risks from volatility in
foreign currencies, interest rates, and commodities; credit risk, liquidity risk, and
market risk.


• Regulatory (Compliance) Risk: Risk that could expose the organization to fines and
penalties from a regulatory agency due to non-compliance with laws and
regulations. Examples include Violation of laws or regulations governing areas such
as environmental, employee health and safety, protection of personal data in
accordance with global data protection requirements and local tax or statutory
laws.
• Operational Risk: Risk that could prevent the organization from operating in the most
effective and efficient manner or be disruptive to other operations. Examples include
risks related to the organization's human resources, business processes, technology,
business continuity, channel effectiveness, customer satisfaction, health and safety,
environment, product/service failure, efficiency, capacity, and change integration.
• Hazard Risk: Risks that are insurable, such as natural disasters; various insurable
liabilities; impairment of physical assets; terrorism etc.
• Residual Risk: Any risk remaining even after the counter measures are analyzed and
implemented is called Residual Risk.
An organization's management of risk should consider these two areas: Acceptance
of residual risk and Selection of safeguards. Even when safeguards are applied, there
is probably going to be some residual risk. The risk can be minimized, but it can
seldom be eliminated. Residual risk must be kept at a minimal, acceptable level. As
long as it is kept at an acceptable level, (i.e. the likelihood of the event occurring or
the severity of the consequence is sufficiently reduced), the risk can be managed.

12. Explain the Types of Technology Risk?


Ans. Technology Risk: The dependence on technology in BPA for most of the key business
processes has led to various challenges. As Technology is taking new forms and
transforming as well, the business processes and standards adapted by enterprises
should consider these new set of IT risks and challenges:
(i) Frequent changes or obsolescence of technology: Technology keeps on evolving and
changing constantly and becomes obsolete very quickly. Hence, there is always a
challenge that the investment in technology solutions unless properly planned may
result in loss to Business organisation due to risk of obsolescence.
(ii) Multiplicity and complexity of systems: The technology architecture used for services
could include multiple digital platforms and is quite complex. Hence, this requires
the personnel to have the requisite technology skills, or the management of the
technology could be outsourced to a company having the relevant skill set.
(iii) Different types of controls for different types of technologies/systems: Deployment of
technology gives rise to new types of risks which are explained later in this chapter.
These risks need to be mitigated by relevant controls as applicable to the
technology/information systems deployed.
(iv) Dependence on vendors due to outsourcing of IT services: In a systems environment,
the organization requires staff with specialized domain skills to manage IT deployed.
Hence, these services could be outsourced to vendors and there is heavy dependency
on vendors and gives rise to vendor risks which should be managed by proper
contracts, controls and monitoring.
(v) Segregation of Duties (SoD): Organizations may have a highly-defined organization
structure with clearly defined roles, authority and responsibility. The Segregation of
Duties as per organization structure should be clearly mapped. This is a high-risk
area since any SoD conflicts can be a potential vulnerability for fraudulent activities.
For example, if a single employee can initiate, authorize and disburse a loan, the
possibility of misuse cannot be ignored.
(vi) External threats leading to cyber frauds/ crime: The system environment provides
access to customers anytime, anywhere using internet. Hence, information system
which was earlier accessible only within and to the employees is now exposed as it is
open to be accessed by anyone from anywhere. Making the information available is
business imperative but this is also fraught with risks of increased threats from
hackers and others who could access the software to commit frauds/crime.
(vii) Need to ensure continuity of business processes in the event of major exigencies: The
high dependence on technology makes it imperative to ensure resilience to ensure
that failure does not impact Business organisation services. Hence, a documented
business continuity plan with adequate technology and information systems should
be planned, implemented and monitored.
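The SoD point in item (v) above, as an added Python example written for these notes (not from the ICAI text): a check over a constructed role/permission matrix that reports any user who can initiate, authorize and disburse a loan, or who holds any other combination the control matrix forbids. All user, role, permission and rule names are hypothetical.

```python
"""Segregation of Duties (SoD) conflict check over a role-to-permission mapping.

A user's effective permissions are the union of the permissions of all roles
assigned to them.  A rule is violated when one user holds every permission in
the rule's set.  The check also tells the reviewer whether the conflict comes
from a single badly designed role or only from the combination of roles a
user was given, since the remediation differs (redesign vs. reassignment).
"""

# Constructed sample data: role -> permissions granted (hypothetical names).
ROLE_PERMISSIONS = {
    "loan_officer": {"loan.initiate"},
    "credit_manager": {"loan.authorize"},
    "treasury_clerk": {"loan.disburse"},
    "branch_admin": {"loan.initiate", "loan.authorize", "loan.disburse"},
    "vendor_master": {"vendor.create"},
    "ap_clerk": {"invoice.post", "payment.release"},
}

# Constructed sample data: user -> roles assigned.
USER_ROLES = {
    "asha": ["loan_officer"],
    "ravi": ["credit_manager", "treasury_clerk"],
    "meera": ["branch_admin"],
    "kiran": ["vendor_master", "ap_clerk"],
}

# Control matrix: permission sets that must never rest with one person.
SOD_RULES = [
    ("loan-end-to-end", {"loan.initiate", "loan.authorize", "loan.disburse"}),
    ("loan-authorize-and-pay", {"loan.authorize", "loan.disburse"}),
    ("vendor-create-and-pay", {"vendor.create", "payment.release"}),
]


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the permissions granted by every role assigned to the user."""
    perms = set()
    for role in user_roles.get(user, []):
        perms |= role_permissions.get(role, set())
    return perms


def sod_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Return {user: [names of rules violated]} for every user holding a full conflicting set."""
    findings = {}
    for user in user_roles:
        perms = effective_permissions(user, user_roles, role_permissions)
        hits = [name for name, required in rules if required <= perms]
        if hits:
            findings[user] = hits
    return findings


def conflict_origin(user, rule_perms, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """'role-design' if one role alone grants the whole conflicting set,
    'assignment' if only the combination of the user's roles does."""
    for role in user_roles.get(user, []):
        if rule_perms <= role_permissions.get(role, set()):
            return "role-design"
    return "assignment"


def sod_report(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, rules=SOD_RULES):
    """Human-readable lines a reviewer can act on, one per (user, violated rule)."""
    rule_sets = dict(rules)
    lines = []
    for user, names in sod_conflicts(user_roles, role_permissions, rules).items():
        for name in names:
            origin = conflict_origin(user, rule_sets[name], user_roles, role_permissions)
            lines.append(f"{user}: violates '{name}' ({origin}); roles={user_roles[user]}")
    return lines


if __name__ == "__main__":
    for line in sod_report():
        print(line)
```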

13. Explain data related risks.

Ans. Data related risks: These include physical access of data and electronic access of data
(these will be explained in Chapter 3).


14. Explain Risk Management Strategies.

Ans. Effective risk management begins with a clear understanding of an enterprise's risk
appetite and identifying high-level risk exposures. After defining the risk appetite and
identifying the risk exposure, strategies for managing risk can be set and responsibilities
clarified. Based on the type of risk, the project and its significance to the business, the Board and
Senior Management may choose to take up any of the following risk management
strategies in isolation or in combination as required.
When risks are identified and analyzed, it is not always appropriate to implement
controls to counter them. Some risks may be minor, and it may not be cost effective to
implement expensive control processes for them. The risk management strategies are explained
and illustrated below:
• Tolerate/Accept the risk. One of the primary functions of management is managing
risk. Some risks may be considered minor because their impact and probability of
occurrence is low. In this case, consciously accepting the risk as a cost of doing
business is appropriate, as well as periodically reviewing the risk to ensure its impact
remains low.

• Terminate/Eliminate the risk. It is possible for a risk to be associated with the use of a
technology, supplier, or vendor. The risk can be eliminated by replacing the
technology with more robust products and by seeking more capable suppliers and
vendors.

• Transfer/Share the risk. Risk mitigation approaches can be shared with trading
partners and suppliers. A good example is outsourcing infrastructure management.
In such a case, the supplier mitigates the risks associated with managing the IT
infrastructure by being more capable and having access to more highly skilled staff
than the primary organization. Risk also may be mitigated by transferring the cost of
realized risk to an insurance provider.

• Treat/mitigate the risk. Where other options have been eliminated, suitable controls
must be devised and implemented to prevent the risk from manifesting itself or to
minimize its effects.


• Turn back. Where the probability or impact of the risk is very low, then management
may decide to ignore the risk.

15. Explain the term Control.


Ans. Control is defined as policies, procedures, practices and organization structure that are
designed to provide reasonable assurance that business objectives are achieved and
undesired events are prevented or detected and corrected.
SA-315 defines the system of internal control as the plan of enterprise and all the
methods and procedures adopted by the management of an entity to assist in achieving
management's objective of ensuring, as far as practicable, the orderly and efficient
conduct of its business, including adherence to management policies, the safeguarding of
assets, prevention and detection of fraud and error, the accuracy and completeness of the
accounting records, and the timely preparation of reliable financial information.

The system of internal control is said to be well designed and properly operated when:
• All transactions are executed in accordance with management's general or specific
authorization;
• All transactions are promptly recorded in the correct amount, in the appropriate
accounts and in the accounting period during which they are executed, to permit
preparation of financial information within a framework of recognized accounting
policies and practices and relevant statutory requirements, if any, and to maintain
accountability for assets;
• Assets are safeguarded from unauthorized access, use or disposition; and
• The recorded assets are compared with the existing assets at reasonable intervals
and appropriate action is taken to reconcile any differences.

Based on the mode of implementation, these controls can be manual, automated or
semi-automated (partially manual and partially automated). The objective of a
control is to mitigate the risk.

• Manual Control: Manually verify that the goods ordered in the PO (A) are received (B) in
good quality and that the vendor invoice (C) reflects the quantity and price as per the
PO (A).


• Automated Control: The above verification is done automatically by the computer
system by comparing (D), (E) and (F), with exceptions highlighted.

• Semi-Automated Control: Verification of the Goods Receipt (E) with the PO (D) could be
automated, but the vendor invoice matching could be done manually in a
reconciliation process (G).

Example - Purchase to Pay: Given below is a simple example of controls for the Purchase to
Pay cycle, which is broken down into four main components as shown in the Fig.
• Purchases: When an employee working in a specific department (i.e., marketing,
operations, sales, etc.) wants to purchase something required for carrying out the job,
he/she will submit a Purchase Requisition (PR) to a manager for approval. Based on
the approved PR a Purchase Order (PO) is raised. The PO may be raised manually and
then input into the computer system or raised directly by the computer system.

• Goods Receipt: The PO is then sent to the vendor, who will deliver the goods as per the
specifications mentioned in the PO. When the goods are received at the warehouse,
the receiving staff checks the delivery note, PO number etc. and acknowledges the
receipt of the material. Quantity and quality are checked and any unfit items are
rejected and sent back to the vendor. A Goods Receipt Note (GRN) is raised indicating
the quantity received. The GRN may be raised manually and then input into the
computer system or raised directly by the computer system.

[Figure: Purchase Cycle - Sample Controls. Four columns: Purchases (Purchase Requisition,
Purchase Order (A), Input Purchase Order (D)); Goods Receipt (Vendor, Goods Receipt (B),
Input Receipt Information (E)); Invoice Processing (Vendor Invoice (C), Input Invoice
Details (F), Reconciliation (G)); Payment (Accounts Payable, Vendor Invoice Payment).]


• Invoice Processing: The vendor sends the invoice to the accounts payable department,
who will input the details into the computer system. The vendor invoice is checked
against the PO to ensure that only the goods ordered have been invoiced, and at the
negotiated price. Further, the vendor invoice is checked against the GRN to ensure that
the quantity invoiced has actually been received.
• Payment: If there is no mismatch between the PO, GRN and vendor invoice, the
payment is released to the vendor based on the credit period negotiated with
the vendor.

16. Explain the Importance of IT Controls


Ans. An IT Control objective is defined as "a statement of the desired result or purpose to be
achieved by implementing control procedures within a particular IT activity".
Implementing the right type of controls is the responsibility of management. Controls
provide a clear policy and good practice for directing and monitoring the performance
of IT to achieve enterprise objectives. IT Controls perform a dual role:
(i) They enable the enterprise to achieve its objectives; and
(ii) They help in mitigating risks.
Many issues drive the need for implementing IT controls. These range from the need to
control costs and remain competitive to the need for compliance with internal and
external governance. IT controls promote reliability and efficiency and allow the
organization to adapt to changing risk environments. Any control that mitigates or
detects fraud or cyber-attacks enhances the organization's resiliency because it helps the
organization uncover the risk and manage its impact. Resiliency is the result of a strong
system of internal controls, which enables a well-controlled organization to manage
challenges or disruptions seamlessly.

Applying IT Controls
It is important for an organization to identify controls as per its policy, procedures and
structure, and to configure them within the IT software used in the organization.
There are different options for implementing controls as per the risk management strategy.
For example, banking in a nationalized bank is done in the traditional way, with a rigid
organization structure of managers at different levels, officers and clerks, and clear
demarcation between departments and functions, whereas in a private sector bank the
organization structure is organized around customers and focused on relationship
banking.
A common classification of IT controls is General Controls and Application Controls.
General Controls are macro in nature and the impact pervades the IT environment at
different layers whereas Application Controls are controls which are specific to the
application software.

17. Explain Information Technology General Controls (ITGC)


Ans. ITGC, also known as Infrastructure Controls, pervade the different layers of the IT
environment and information systems, and apply to all systems, components, processes,
and data for a given enterprise or systems environment.
General controls include, but are not limited to:
• Information Security Policy: The security policy is approved by senior
management, encompasses all areas of operations of the bank, and governs access to
information across the enterprise and other stakeholders.

• Administration, Access, and Authentication: IT should be administered with
appropriate policies and procedures clearly defining the levels of access to
information and the authentication of users.

• Separation of key IT functions: Secure deployment of IT requires the bank to have a
separate IT organization structure with clear demarcation of duties for different
personnel within the IT department, and to ensure that there are no Segregation of Duties
(SoD) conflicts.

• Management of Systems Acquisition and Implementation: Software solutions for
CBS are mostly acquired and implemented. Hence, the process of acquisition
and implementation of systems should be properly controlled.

• Change Management: Deployed IT solutions and their various components must be
changed in line with changing needs arising from changes in the technology environment,
business processes, and regulatory and compliance requirements.


• Backup, Recovery and Business Continuity: Heavy dependence on IT and its criticality
make it imperative that the resilience of banking operations is ensured by
having appropriate business continuity arrangements, including backup, recovery and an
off-site data center.

• Confidentiality, Integrity and Availability of Software and data files: Security is
implemented to ensure Confidentiality, Integrity and Availability of information.
   - Confidentiality refers to protection of critical information.
   - Integrity refers to ensuring authenticity of information at all stages of
     processing.
   - Availability refers to ensuring availability of information to users when
     required.

• Value Add areas of Service Level Agreements (SLA): SLAs with vendors are regularly
reviewed to ensure that the services are delivered as per the specified performance
parameters.

• User training and qualification of Operations personnel: The personnel deployed
have the required competencies and skill-sets to operate and monitor the IT
environment. It is important to note that proper and consistent operation of
automated controls or IT functionality often depends upon effective IT general
controls. In later sections, a detailed risk and control matrix for the various types of
general controls is provided.

18. Explain Application Controls


Ans. Application Controls are controls which are implemented in an application to prevent or
detect and correct errors.
• These controls are in-built in the application software to ensure accurate and
reliable processing.
• These are designed to ensure completeness, accuracy, authorization and validity of
data capture and transaction processing.
Some examples of Application controls are as follows:
• Data edits (editing of data is allowed only for permissible fields);


• Separation of business functions (e.g., transaction initiation versus authorization);
• Balancing of processing totals (debit and credit of all transactions are tallied);
• Transaction logging (all transactions are identified with unique id and logged);
• Error reporting (errors in processing are reported); and
• Exception Reporting (all exceptions are reported).

19. Explain the Key indicators of effective IT controls


Ans. • The ability to execute and plan new work such as IT infrastructure upgrades required
to support new products and services.
• Develop projects that are delivered on time and within budget, resulting in cost-
effective and better product and service offerings compared to competitors.
• Ability to allocate resources predictably.
• Consistent availability and reliability of information and IT services across the
organization and for customers, business partners, and other external interfaces.
• The ability to protect against new vulnerabilities and threats and to recover from any
disruption of IT services quickly and efficiently.
• Heightened security awareness on the part of the users and a security conscious
culture.

20. Explain Five components of Internal Control as per SA 315.


Ans. SA 315 defines the system of Internal Control as “the process designed, implemented and
maintained by those charged with governance, management and other personnel to
provide reasonable assurance about the achievement of an entity's objectives regarding
reliability of financial reporting, effectiveness and efficiency of operations, safeguarding
of assets, and compliance with applicable laws and regulations.”
SA 315 explains the five components of any internal control as they relate to a financial
statement audit. The five components are as follows:
• Control Environment
• Risk Assessment
• Control Activities
• Information and Communication
• Monitoring of Controls


I. Control Environment
• The Control Environment is the set of standards, processes, and structures that
provide the basis for carrying out internal control across the organization.
• The board of directors and senior management establish the tone at the top
regarding the importance of internal control, including expected standards of
conduct.
• The control environment is manifested in management's operating style, the
ways authority and responsibility are assigned, the functional method of the
audit committee, the methods used to plan and monitor performance and so on.

II. Risk Assessment
• Every entity faces a variety of risks from external and internal sources.
• Risk may be defined as the possibility that an event will occur and adversely affect
the achievement of objectives.
• Risk assessment involves a process for identifying and assessing risks to the
achievement of objectives.
• Risks to the achievement of these objectives from across the entity are considered
relative to established risk tolerances.

III. Control Activities
• Control Activities are the actions established through policies and procedures that
help ensure that objectives are achieved.
• Control activities are performed at all levels of the entity, at various stages within
business processes, and over the technology environment.
• They may be preventive or detective in nature and may encompass a range of manual
and automated activities.
Control activities include:
• Segregation of Duties (SOD), which is the process of assigning different people the
responsibilities of authorizing transactions, recording transactions, and maintaining
custody of assets.
• Segregation of duties is intended to reduce errors or fraud in the normal course of a
person's duties.


• General Controls include controls over information technology management,
information technology infrastructure, security management and software
acquisition, development and maintenance.
• Application Controls are designed to ensure completeness, accuracy, authorization
and validity of data capture and transaction processing.
Broadly, the control activities include the elements that operate to ensure that
transactions are authorized, duties are segregated, adequate documents and
records are maintained, assets and records are safeguarded, and independent
checks on performance and valuation of records are carried out. Internal auditors are also
concerned with administrative controls to achieve effectiveness and efficiency
objectives. Control activities must be developed to manage, mitigate, and reduce the
risks associated with each business process. It is unrealistic to expect to eliminate
risks completely.

IV. Information & Communication
• Information is necessary for the entity to carry out internal control responsibilities in
support of the achievement of its objectives.
• Management obtains and uses relevant and quality information from both internal
and external sources to support the functioning of the other components of internal
control.
• Communication is the continuous process of providing, sharing, and obtaining
necessary information.
• It contains elements which inform and communicate to users on a timely basis.

V. Monitoring of Controls
• Ongoing evaluations, separate evaluations, or some combination of the two are
used to ascertain whether each of the five components of internal control is present
and functioning. Findings are evaluated against management's criteria and
deficiencies are communicated to management and the board of directors as
appropriate.

21. Explain Limitations of Internal Control System


Ans. Internal control, no matter how effective, can provide an entity with only reasonable
assurance, and not absolute assurance, about achieving the entity's operational, financial
reporting and compliance objectives. Internal control systems are subject to certain
inherent limitations, such as:
• Management's consideration that the cost of an internal control should not exceed the
expected benefits to be derived.
• The fact that most internal controls do not tend to be directed at transactions of an
unusual nature.
• The potential for human error, such as due to carelessness, distraction, mistakes of
judgement and misunderstanding of instructions.
• The possibility of circumvention of internal controls through collusion with
employees or with parties outside the entity.
• The possibility that a person responsible for exercising an internal control could
abuse that responsibility, for example, a member of management overriding an
internal control.
• Manipulations by management with respect to transactions or estimates and
judgements required in the preparation of financial statements.

22. Explain Enterprise Risk Management


Ans. In implementing controls, it is important to adopt a holistic and comprehensive
approach. Hence, ideally it should consider the overall business objectives, processes,
organization structure, technology deployed and the risk appetite. Based on this, an overall
risk management strategy has to be adopted, which should be designed and promoted
by the top management and implemented at all levels of enterprise operations as
required, in an integrated manner. Regulations require enterprises to adopt a risk
management strategy which is appropriate for the enterprise.
Hence, the type of controls implemented in the information systems of an enterprise would
depend on this risk management strategy.
The Sarbanes Oxley Act (SOX) in the US, which focuses on the implementation and review
of internal controls relating to financial audit, highlights the importance of evaluating
the risks, security and controls related to financial statements. In an IT environment, it
is important to understand whether the relevant IT controls are implemented.
How controls are implemented would depend on the overall risk management
strategy and risk appetite of the management.
Enterprise Risk Management (ERM) may be defined as a process, effected by an entity's
Board of Directors, management and other personnel, designed to identify potential
events that may affect the entity, and manage risk to be within its risk appetite, to provide
reasonable assurance regarding the achievement of entity objectives.
The underlying premise of Enterprise Risk Management (ERM) is that every entity,
whether for profit, not-for-profit, or a governmental body, exists to provide value for its
stakeholders.
Uncertainty presents both risk and opportunity, with the potential to erode or enhance
value. ERM provides a framework for management to effectively deal with uncertainty
and associated risk and opportunity and thereby enhance its capacity to build value.
IT security and controls are a sub-set of the overall enterprise risk management strategy
and encompass all aspects of activities and operations of the enterprise.

23. What are the benefits of Enterprise Risk Management


Ans. No entity operates in a risk-free environment, and ERM does not create such an
environment. Rather, it enables management to operate more effectively in
environments filled with risks. ERM provides enhanced capability to do the following:
• Align risk appetite and strategy: Risk appetite is the degree of risk, on a broad-based
level, that an enterprise (any type of entity) is willing to accept to achieve its goals.
Management considers the entity's risk appetite first in evaluating strategic
alternatives and setting objectives.

• Link growth, risk and return: Entities accept risk as part of value creation and
preservation, and they expect return matching with the risk. ERM provides an
enhanced ability to identify and assess risks, and establish acceptable levels of risk
relative to growth and return objectives.

• Minimize operational surprises and losses: Entities have enhanced capability to identify
potential events, assess risk and establish responses, thereby reducing the
occurrence of surprises and related costs or losses.

• Seize opportunities: Management considers potential events, rather than just risks,
and by considering a full range of events, management gains an understanding of
how certain events represent opportunities.


• Enhance risk response decisions: ERM provides the means to identify and select among
alternative risk responses - risk avoidance, reduction, sharing and acceptance. ERM
provides methodologies and techniques for making these decisions.

• Identify and manage cross-enterprise risks: Every entity faces a number of risks affecting
different parts of the enterprise. Management needs to not only manage individual
risks, but also understand their interrelated impacts.

• Provide integrated responses to multiple risks: Business processes carry many inherent
risks, and ERM enables integrated solutions for managing the risks.

24. Explain the main components of Enterprise Risk Management


Ans. ERM provides a framework for risk management which typically involves identifying
events or circumstances relevant to the organization's objectives (risks and
opportunities), assessing them in terms of likelihood and magnitude of impact,
determining a response strategy, and monitoring progress. By identifying and pro-
actively addressing risks and opportunities, business enterprises protect and create value
for their stakeholders, including owners, employees, customers, regulators, and society
overall.
ERM consists of eight interrelated components. These components are as follows:
a. Internal Environment: The internal environment encompasses the tone of an
organization, and sets the basis for how risk is viewed and addressed by an entity's
people, and the environment in which they operate. The internal environment sets
the foundation for how risk and control are viewed and addressed by an entity's
people.

b. Objective Setting: Objectives in line with entity's mission / vision should be set before
management can identify events potentially affecting their achievement.

c. Event Identification: Potential events, which include risks and opportunities, that
might have an impact on the entity should be identified. Event identification includes
identifying the factors, internal and external, that influence how potential events may
affect strategy implementation and the achievement of objectives.


d. Risk Assessment: Identified risks are analyzed to form a basis for determining
how they should be managed. Risk assessment is done to identify impact of such risks
on the organization objectives and strategy.

e. Risk Response: Management selects a response strategy, or a combination of strategies,
including avoiding, accepting, reducing and sharing risk.

f. Control Activities: Policies and procedures are established and executed to help
ensure that the risk responses management selected, are effectively carried out.

g. Information and Communication: Relevant information is identified, captured and
communicated in a form and time frame that enable people to carry out their
responsibilities. Information is needed at all levels of an entity for identifying,
assessing and responding to risk.

h. Monitoring: The entire ERM process should be monitored, and modifications
made as necessary. Monitoring is accomplished through ongoing management
activities, separate evaluations of the ERM processes, or a combination of both.

DIAGRAMMATIC REPRESENTATION OF BUSINESS PROCESSES

25. Explain Flowchart


Ans. • Flowcharts are used in designing and documenting simple processes or programs.
Like other types of diagrams, they help visualize what is going on and thereby help
understand a process, and perhaps also find flaws and bottlenecks. There are many
different types of flowcharts, and each type has its own repertoire of boxes and
notational conventions.

• The two most common types of boxes in a flowchart are as follows:
   - Processing step, usually called activity, and denoted as a rectangular box.
   - Decision, usually denoted as a diamond box.


I. Flowcharting Symbols
[Figure: Basic flowchart shapes: Process, Decision, Document, Data, Start 1, Start 2,
Pre-defined Process, Stored Data, Internal Storage, Sequential Data, Direct Data, Manual
Input, Card, Paper Tape, Delay, Display, Manual Operation, Preparation, Parallel Mode,
Loop Limit, Terminator, On-page Reference, Off-page Reference, Flowchart Shapes, Auto
Height Text, Dynamic Connector, Line Curve Connector, Control Transfer, Annotation.]

II. Steps for creating flowcharts for business processes
• Identify the business processes that are to be documented with a flowchart and
establish the overall goal of the business process.
• Based on inputs from the business process owner, obtain a complete understanding
of the process flow.
• Prepare an initial rough diagram and discuss it with the business process owner to
confirm your understanding of the processes.
• Obtain additional information about the business process from the people involved
in each step, such as end users, stakeholders, administrative assistants and
department heads.
• Identify the activities in each process step and who is responsible for each activity.
• Identify the starting point of the process. The starting point of a business process
should be what triggers the process to action. In other words, it is the input that the
business seeks to convert into an output.
• Separate the different steps in the process. Identify each individual step in the process
and how it is connected to the other steps.
• In traditional Business Process Modeling Notation (BPMN), the steps are represented
by different shapes depending on their function. For example, we would use steps
such as “customer order” (an event), “process order” (an activity), “Check credit” (an
action), “Credit” (a decision gateway that leads to one of two other actions,
depending on a “yes” or “no” determination), and so on.
• Clarify who or what performs each step.


26. Explain various advantages of flowcharts


Ans. i) Quicker grasp of relationships - The relationship between various elements of the
application program/business process must be identified. A flowchart can help depict
a lengthy procedure more easily than describing it by means of written notes.
ii) Effective Analysis - The flowchart becomes a blueprint of a system that can be broken
down into detailed parts for study. Problems may be identified and new approaches
may be suggested by flowcharts.
iii) Communication - Flowcharts aid in communicating the facts of a business problem to
those whose skills are needed for arriving at the solution.
iv) Documentation - Flowcharts serve as good documentation which aids greatly in
future program conversions. In the event of staff changes, they serve a training
function by helping new employees understand the existing programs.
v) Efficient coding - Flowcharts act as a guide during the system analysis and program
preparation phase. Instructions coded in a programming language may be checked
against the flowchart to ensure that no steps are omitted.
vi) Program Debugging - Flowcharts serve as an important tool during program
debugging. They help in detecting, locating and removing mistakes.
vii) Efficient program maintenance - The maintenance of operating programs is facilitated
by flowcharts. The charts help the programmer to concentrate attention on that part
of the information flow which is to be modified.

27. Explain various limitations of Flowchart


Ans. (i) Complex logic - A flowchart becomes complex and clumsy where the problem logic is
complex.
(ii) Modification - If modifications to a flowchart are required, it may require complete
re-drawing.
(iii) Reproduction - Reproduction of flowcharts is often a problem because the symbols
used in flowcharts cannot be typed.
(iv) Link between conditions and actions - Sometimes it becomes difficult to establish the
linkage between various conditions and the actions to be taken there upon for a
condition.
(v) Standardization – No uniform practice is followed for drawing.


28. Explain data flow diagrams.


Ans. • A Data Flow Diagram (DFD) is a graphical representation of the flow of data through a
business process.
• It represents the flow of data from source to destination.
• A DFD is a graphical representation of the logical flow of data. It helps in expressing
system logic in a simple and easy to understand form.

A DFD basically provides an overview of:
• What data a system processes;
• What transformations are performed;
• What data are stored;
• What results are produced and where they flow.
It is mainly used by technical staff for graphical communication between systems
analysts and programmers.

Main symbols used in DFD
• Process: Step-by-step instructions are followed that transform inputs into outputs (a
computer or person or both doing the work).
• Data flow: Data flowing from place to place, such as an input or output to a process.
• External agent: The source or destination of data outside the system. The people and
organizations that send data to or receive data from the system are represented by this
symbol, called an external agent.
• Data Store: Data at rest, being stored for later use. Usually corresponds to a data
entity on an entity-relationship diagram.
• Real-time link: Communication back and forth between an external agent and a
process as the process is executing (e.g. credit card verification).


Diagrammatic Representation of Specific Business Processes


I. Customer Order Fulfillment (Refer Fig.)
• The process starts with the customer placing an order and the sales department
creating a sales order.
• The sales order goes through the Credit & Invoicing process to check credit (an
activity) and decide whether it is OK (a decision gateway).
• If the customer's credit check is not OK, you would move to the step “credit problem
addressed” (an activity), followed by a decision “OK?”. If “No”, the order is
stopped.
• If the customer's “credit check” response is “yes”, and if stock is available, an invoice is
prepared, goods are shipped and the invoice is sent to the customer. If the stock is not
available, the order is passed to “production control” for manufacture and then
shipped to the customer with the invoice.
• The process ends with the payment being received from the customer.
[Figure: Customer Order Fulfillment process flow. Swimlanes and steps: Customer (Order
Generated, Payment Processed); Sales (Order Received, Order Completed); Credit &
Invoicing (Check Credit, Credit OK?, Credit Problem Addressed, OK?, Order Stopped,
Invoice Prepared, Invoice Sent); Production Control (Order Entered, In Stock?, Production
Scheduled); Copying (Diskettes Copied); Assembly & Shipping (Packages Assembled, Order
Picked, Order Shipped).]

II. Order to Cash (O2C)


The following Fig. indicates the different sub-processes within the main processes in the
Order to Cash cycle.
(i) Sales and Marketing (SM)
• Advertises and markets the company's products and books sales orders from
customers.
(ii) Order Fulfillment
• Receives orders from SM.
• Checks inventory to establish availability of the product. If the product is
available in stock, transportation is arranged and the product is sent to the
customer.
(iii) Manufacturing
• If the product is not available in stock, this information is sent to the manufacturing
department so that the product is manufactured and subsequently sent to the
customer.
(iv) Receivables
• The invoice is created, sent to the customer, payment received and the invoice closed.

[Figure: Order to Cash (Example) (O2C). Sales and Marketing: Sales and Marketing
Services. Order fulfillment: Receive Orders, Check Inventory; if Yes: Arrange
Transportation, Send to Customer; if No: Manufacturing. Manufacturing: Send info to
manufacturing, Product Manufactured. Receivables: Create Invoice for the Orders, Send to
customer, Receive payments, Close the invoice.]

III. Procure to Pay


The Purchase to Pay Process in the following Fig. indicates the different processes
identified specifically by department/entity so that the responsibilities are clearly
defined. Let us understand the flow from the perspective of each department/entity.

(i) User Department
• A user in an enterprise may require some material or service. Based on the need and
justification, the user raises a Purchase Request (PR) to the Procurement department.

(ii) Procurement Department (PD)
• PD receives the PR and prioritizes the request based on the need and urgency of the
user.
• It is then the responsibility of the PD to find the best source of supply, for the specific
material/service. PD will then request the potential vendors to submit their quotes,
based on which negotiations on price, quality and payment terms, will take place.
• The Purchase Order (PO) will then be released to the selected vendor.

(iii) Vendor
• The vendor receives the PO and carries out his own internal checks.
• Matches the PO with the quotation sent and in the event of any discrepancy will
seek clarification from the enterprise.
• If there are no discrepancies, the vendor will raise an internal sales order within the
enterprise.
• The material is then shipped to the address indicated in the PO.
• The Vendor Invoice (VI) is sent to the Accounts Payable department, based on the
address indicated in the PO.

(iv) Stores
• Receives the material.
• Checks the quantity received with the PO and quality with the users (Quality
Department). If there is any discrepancy the vendor is immediately informed.


• The Goods Received Note (GRN) is prepared based on the actual receipt of material
and the stores stock is updated. The GRN is then sent to the Accounts Payable
department for processing the payment.
• A Material Issue Note is created and the material is sent to the concerned user
(Production Department).

(v) Accounts Payable (AP)


• AP will do a “3-way match” of PO/GRN/Invoice. This is to ensure that the price,
quantity and terms indicated in the Invoice match the PO and that the quantity
received against the PO matches the GRN quantity. This check establishes that what
has been ordered has been delivered.
• If there is no discrepancy, the payment voucher is prepared for payment and the
necessary approvals obtained.
• If there is a discrepancy, the Invoice is put “on hold” for further clarification and
subsequently processed.
• Finally, the payment is made to the vendor.
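The AP 3-way match described in step (v), written out as an added Python example (this is not code from the study material; the document classes and the PO/GRN/invoice values are constructed for illustration):

```python
from dataclasses import dataclass, field
from decimal import Decimal


# Constructed document types mirroring the PO, GRN and Vendor Invoice in the text.
@dataclass
class PurchaseOrder:
    po_no: str
    vendor: str
    item: str
    qty: Decimal
    unit_price: Decimal
    payment_terms: str


@dataclass
class GoodsReceivedNote:
    grn_no: str
    po_no: str
    item: str
    qty_received: Decimal


@dataclass
class VendorInvoice:
    inv_no: str
    po_no: str
    vendor: str
    item: str
    qty: Decimal
    unit_price: Decimal
    payment_terms: str


@dataclass
class MatchResult:
    status: str                          # "APPROVED_FOR_PAYMENT" or "ON_HOLD"
    discrepancies: list = field(default_factory=list)
    payable_amount: Decimal = Decimal("0")


def three_way_match(po: PurchaseOrder, grn: GoodsReceivedNote,
                    inv: VendorInvoice) -> MatchResult:
    """AP control: pay only what was ordered (PO) and received (GRN).

    Every discrepancy is collected rather than stopping at the first, so the
    hold reasons are complete when the invoice goes back for clarification.
    """
    problems = []
    # All three documents must belong to the same PO, vendor and item.
    if grn.po_no != po.po_no or inv.po_no != po.po_no:
        problems.append("GRN or invoice references a different PO")
    if inv.vendor != po.vendor:
        problems.append(f"invoice vendor {inv.vendor!r} differs from PO vendor {po.vendor!r}")
    if grn.item != po.item or inv.item != po.item:
        problems.append("item on GRN or invoice differs from PO item")
    # Invoice vs PO: price and terms must be what was negotiated.
    if inv.unit_price != po.unit_price:
        problems.append(f"unit price {inv.unit_price} differs from PO price {po.unit_price}")
    if inv.payment_terms != po.payment_terms:
        problems.append(f"terms {inv.payment_terms!r} differ from PO terms {po.payment_terms!r}")
    # Quantity: the invoice may exceed neither what was ordered nor what was received.
    if inv.qty > po.qty:
        problems.append(f"invoiced qty {inv.qty} exceeds PO qty {po.qty}")
    if inv.qty > grn.qty_received:
        problems.append(f"invoiced qty {inv.qty} exceeds received qty {grn.qty_received}")
    if problems:
        return MatchResult("ON_HOLD", problems)
    return MatchResult("APPROVED_FOR_PAYMENT", [], inv.qty * inv.unit_price)


def sample_documents():
    """Constructed sample: 100 units ordered at 12.50 on NET30, all 100 received."""
    po = PurchaseOrder("PO-1001", "V-ACME", "MAT-77", Decimal("100"), Decimal("12.50"), "NET30")
    grn = GoodsReceivedNote("GRN-0042", "PO-1001", "MAT-77", Decimal("100"))
    return po, grn


def clean_invoice() -> MatchResult:
    """Invoice agrees with PO and GRN: approved, payable 1250.00."""
    po, grn = sample_documents()
    inv = VendorInvoice("INV-9", "PO-1001", "V-ACME", "MAT-77",
                        Decimal("100"), Decimal("12.50"), "NET30")
    return three_way_match(po, grn, inv)


def over_invoiced() -> MatchResult:
    """Vendor bills 120 units at 13.00: price and two quantity discrepancies, so ON_HOLD."""
    po, grn = sample_documents()
    inv = VendorInvoice("INV-10", "PO-1001", "V-ACME", "MAT-77",
                        Decimal("120"), Decimal("13.00"), "NET30")
    return three_way_match(po, grn, inv)


if __name__ == "__main__":
    for result in (clean_invoice(), over_invoiced()):
        print(result.status, result.payable_amount, result.discrepancies)
```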


[Figure: Procure to Pay (Example), titled "Procure to Pay High Level Process Flow", one lane per department:
User: Initiates Purchase Request (to specify the demand of material/service); later, Receive the Goods and create the receipt in ERP.
Procurement: Receives the PR; Prioritize the request -> Source the Vendors; Request for Quotes; do the negotiations for best price & quality of product -> Prepares the Purchase Order and send it to selected vendor; if the vendor's quote does not match, the PO will be received back for correction or cancellation.
Vendor: Receives the PO -> Matches with Quote? (No: PO returned) (Yes) -> Checks for Credit Limit -> Prepares a Sales Order -> Send the Material to 'Ship To' address of Customer -> Send the Invoice to 'Bill To' address of Customer.
Stores: Receive the Material as per Gate Entry -> Check for quantity as per PO and Quality with the help of User -> (Yes) Prepare the Goods Receipt Note (GRN) and send to AP Dept.; Issue the Goods to User for operations.
AP Department: Receive the Invoice -> 3-way Match PO-GRN-Invoice -> (Yes) Create Payment Voucher in ERP for payment -> Get Approval for payment -> Make the payment to Vendor; (No) Put the Invoice on Hold: Clear the query.]


RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES


29. Explain Configuration, Master and Transaction levels in business process automation.
Ans. Business Processes - Risks and Controls
Suitable controls should be implemented to meet the requirements of the control
objectives.
These controls can be manual, automated or semi-automated, provided the risk is
mitigated.
Based on the scenario, the controls can be Preventive, Detective or Corrective. In
computer systems, controls should be checked at three levels, namely Configuration,
Master and Transaction level.

1. Configuration
• Configuration refers to the way a software system is set up. Configuration is the
process of defining options that are provided.
• Configuration will define how software will function and what menu options are
displayed.
• When any software is installed, values for various parameters should be set up
(configured) as per the policies, business process workflow and business process
rules of the enterprise.
• The various modules of the enterprise such as Purchase, Sales, Inventory, Finance,
User Access etc. have to be configured. Some examples of configuration are given
below:
• User activation and deactivation
• User Access & privileges - Configuration & its management
• Password Management

2. Masters
• Masters refer to the way various parameters are set up for all modules of the software,
like Purchase, Sales, Inventory, Finance etc. These drive how the software will
process relevant transactions.
• The masters are set up first time during installation and these are changed whenever
the business process rules or parameters are changed.


• Examples are Vendor Master, Customer Master, Material Master, Accounts Master,
Employee Master etc.
• Any changes to these data have to be authorised by appropriate personnel and these
are logged and captured in exception reports.
• The way masters are set up will drive the way software will process transactions of
that type.
For example: The Customer Master will have the credit limit of the customer. When an
invoice is raised, the system will check against the approved credit limit; if the
amount invoiced is within the credit limit the invoice will be created, otherwise the
invoice will be put on “credit hold” till proper approvals are obtained.
Some examples of masters are given here:
• Vendor Master: Credit period, vendor bank account details, etc.
• Customer Master: Credit limit, Bill to address, Ship to address, etc.
• Material Master: Material type, Material description, Unit of measure, etc.
• Employee Master: Employee name, designation, salary details, etc.
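The master-data controls described above, authorised and logged changes to the Customer Master plus the credit-limit check that puts an invoice on "credit hold", as an added Python example (not from the study material; the approver roles, customer and amounts are constructed):

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass
class CustomerMaster:
    customer_id: str
    name: str
    credit_limit: Decimal
    bill_to: str
    ship_to: str


class CustomerMasterMaintenance:
    """Customer master with the authorisation and logging controls the text describes:
    a change is applied only when approved by an authorised approver who is not the
    requester, and every attempt is logged so rejected ones appear on an exception report."""

    # Constructed list of roles allowed to approve master changes.
    APPROVERS = {"credit_manager", "finance_controller"}

    def __init__(self):
        self.customers = {}
        self.change_log = []

    def add(self, cust: CustomerMaster):
        self.customers[cust.customer_id] = cust

    def change(self, customer_id, field_name, new_value, requested_by, approved_by) -> bool:
        cust = self.customers[customer_id]
        approved = approved_by in self.APPROVERS and approved_by != requested_by
        self.change_log.append({
            "customer_id": customer_id, "field": field_name,
            "old": getattr(cust, field_name), "new": new_value,
            "requested_by": requested_by, "approved_by": approved_by,
            "applied": approved,
        })
        if approved:
            setattr(cust, field_name, new_value)
        return approved

    def exception_report(self):
        """Change attempts that were not authorised: what a reviewer should look at."""
        return [e for e in self.change_log if not e["applied"]]


@dataclass
class Invoice:
    inv_no: str
    customer_id: str
    amount: Decimal
    status: str          # "CREATED" or "CREDIT_HOLD"


class Receivables:
    """Invoice raising driven by the Customer Master's credit limit."""

    def __init__(self, masters: CustomerMasterMaintenance):
        self.masters = masters
        self.outstanding = {}    # customer_id -> unpaid invoiced amount

    def raise_invoice(self, inv_no, customer_id, amount: Decimal) -> Invoice:
        cust = self.masters.customers[customer_id]
        exposure = self.outstanding.get(customer_id, Decimal("0")) + amount
        if exposure > cust.credit_limit:
            # Held, not booked, until proper approvals lift the hold.
            return Invoice(inv_no, customer_id, amount, "CREDIT_HOLD")
        self.outstanding[customer_id] = exposure
        return Invoice(inv_no, customer_id, amount, "CREATED")


def scenario():
    """Constructed walk-through; returns the invoice statuses and the exception report."""
    masters = CustomerMasterMaintenance()
    masters.add(CustomerMaster("C-100", "Globex", Decimal("100000"), "1 Bill St", "2 Ship Rd"))
    ar = Receivables(masters)
    first = ar.raise_invoice("INV-1", "C-100", Decimal("60000"))    # within limit
    second = ar.raise_invoice("INV-2", "C-100", Decimal("50000"))   # 110000 > 100000: hold
    # A sales clerk tries to approve their own limit increase: rejected and logged.
    masters.change("C-100", "credit_limit", Decimal("150000"), "sales_clerk", "sales_clerk")
    # The credit manager approves the increase; the held invoice can now be re-raised.
    masters.change("C-100", "credit_limit", Decimal("150000"), "sales_clerk", "credit_manager")
    third = ar.raise_invoice("INV-2", "C-100", Decimal("50000"))
    return [first.status, second.status, third.status], masters.exception_report()


if __name__ == "__main__":
    statuses, exceptions = scenario()
    print(statuses)
    for entry in exceptions:
        print("EXCEPTION:", entry)
```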

3. Transactions
Transactions refer to the actual transactions entered through menus and functions in
the application software, through which all transactions for specific modules are
initiated, authorized or approved. For example:
• Sales transactions
• Purchase transactions
• Stock transfer transactions
• Journal entries
• Payment transactions

RISK & CONTROL OBJECTIVES FOR VARIOUS PROCESSES

30. Give two examples each of the Risks and Control Objectives for the following business
processes: A) Procure to Pay, B) Order to Cash, C) Inventory Cycle, D) Human Resource
Management, E) Fixed Assets, F) General Ledger Account.
Ans.


A) Procure to Pay (P2P) - Risks and Controls


Procure to Pay (Purchase to Pay or P2P) is the process of obtaining and managing
the raw materials needed for manufacturing a product or providing a service.

Masters : Risks and Control Objectives (Masters-P2P)


Risk | Control Objective
Unauthorized changes to supplier master file. | Only valid changes are made to the supplier master file.
Changes to the supplier master file are not correct. | Changes to the supplier master file are accurate.
Changes to the supplier master file are delayed and not processed in a timely manner. | Changes to the supplier master file are processed in a timely manner.
Supplier master file data is not up to date. | Supplier master file data remain up to date.
System access to maintain vendor masters has not been restricted to the authorized users. | System access to maintain vendor masters has been restricted to the authorized users.

Transactions : Risks and Control Objectives (Transactions-P2P)

Risk | Control Objective
Amounts posted to accounts payable are not properly calculated and recorded. | Amounts posted in accounts payable are accurately calculated and recorded.
Amounts for goods or services received are recorded in the wrong period. | Amounts for goods or services received are recorded in the appropriate period.
Credit notes and other adjustments are not accurately calculated and recorded. | Credit notes and other adjustments are accurately calculated and recorded.
Credit notes and other adjustments are recorded in the wrong period. | Credit notes and other adjustments are recorded in the appropriate period.
Disbursements are made for goods and services that have not been received. | Disbursements are made only for goods and services received.
Disbursements are distributed to unauthorized suppliers. | Disbursements are distributed to the appropriate suppliers.
System access to process transactions has not been restricted to the authorized users. | System access to process transactions has been restricted to the authorized users.


B) Order to Cash (O2C) - Risks and Controls


Order to Cash (OTC or O2C) is a set of business processes that involve receiving and
fulfilling customer requests for goods or services. An order to cash cycle consists of
multiple sub-processes including :
1. Customer order is documented;
2. Order is fulfilled or service is scheduled;
3. Order is shipped to customer or service is performed;
4. Invoice is created and sent to customer;
5. Customer sends payment /Collection; and
6. Payment is recorded in general ledger.
Masters
Risks and Control Objectives (Masters-O2C)

Risk | Control Objective
Invalid changes are made to the customer master file. | Only valid changes are made to the customer master file.
Changes to the customer master file are not accurate. | Changes to the customer master file are accurate.
Changes to the customer master file are not processed in a timely manner. | Changes to the customer master file are processed in a timely manner.
Customer master file data is not up-to-date and relevant. | Customer master file data is up to date and relevant.
System access to maintain customer masters has not been restricted to the authorized users. | System access to maintain customer masters has been restricted to the authorized users.

Transactions : Risks and Control Objectives (Transactions-O2C)

Risk | Control Objective
Orders are processed exceeding customer credit limits without approvals. | Orders are processed only within approved customer credit limits.
Invoices are generated using unauthorized terms and prices. | Invoices are generated using authorized terms and prices.
Invoices are not accurately calculated and recorded. | Invoices are accurately calculated and recorded.
Invoices are not recorded in the system. | All invoices issued are recorded.
Invoices are recorded in the wrong period. | Invoices are recorded in the appropriate period.
Cash receipts are not recorded in the period in which they are received. | Cash receipts are recorded in the period in which they are received.
Cash receipts data are not entered correctly. | Cash receipts data are entered for processing accurately.

C) Inventory Cycle - Risks and Controls


The Inventory Cycle is a process of accurately tracking the on-hand inventory levels
for an enterprise. An inventory system should maintain accurate record of all stock
movements to calculate the correct balance of inventory. The typical phases of the
Inventory Cycle for Manufacturers are as follows:
1. The ordering phase: The amount of time it takes to order and receive raw
materials.
2. The production phase: The work in progress phase relates to the time it takes to
convert the raw material to finished goods ready for use by the customer.
3. The finished goods and delivery phase: The finished goods that remain in stock and
the delivery time to the customer. The inventory cycle is measured in number of
days.

Masters
Risks and Control Objectives (Masters-Inventory)

Risk | Control Objective
Invalid changes are made to the inventory management master file. | Only valid changes are made to the inventory management master file.
Changes to the inventory management master file are not accurate. | Changes to the inventory management master file are accurate.
Inventory management master file data is not up to date. | Inventory management master file data remain up to date.
System access to maintain inventory masters has not been restricted to the authorized users. | System access to maintain inventory masters has been restricted to the authorized users.


Transactions : Risks and Control Objectives (Transactions-Inventory)


Risk | Control Objective
Raw materials are received and accepted without valid purchase orders. | Raw materials are received and accepted only if they have valid purchase orders.
Raw materials received are not recorded accurately. | Raw materials received are recorded accurately.
Defective raw materials are not returned promptly to suppliers. | Defective raw materials are returned promptly to suppliers.
Finished goods returned by customers are not recorded completely and accurately and are posted in an inappropriate period. | Finished goods returned by customers are recorded completely and accurately in the appropriate period.
Shipments are not recorded in the system. | All shipments are recorded.
Shipments are not recorded accurately. | Shipments are recorded accurately.
System access to process inventory related transactions has not been restricted to the authorized users. | System access to process inventory related transactions has been restricted to the authorized users.

D) Human Resources - Risks and Controls


The Human Resources life cycle refers to human resources management and covers
all the stages of an employee's time within a specific enterprise and the role the
human resources department plays at each stage. Typical stages of the HR cycle include
the following:
1. Recruiting and Onboarding: Recruiting is the process of hiring a new employee.
The role of the human resources department in this stage is to assist in hiring.
This might include placing the job ads, selecting candidates whose resumes look
promising, conducting employment interviews and administering assessments
such as personality profiles to choose the best applicant for the position.
2. Orientation and Career Planning: Orientation is the process by which the employee
becomes a member of the company's work force through learning her new job
duties, establishing relationships with co-workers and supervisors and
developing a niche. Career planning is the stage at which the employee and her
supervisors work out her long-term career goals with the company.


3. Career Development: Career development opportunities are essential to keep an
employee engaged with the company over time. This can include professional
growth and training to prepare the employee for more responsible positions
with the company.
4. Termination or Transition: Some employees will leave a company through
retirement after a long and successful career. Others will choose to move on to
other opportunities or be laid off. The role of HR in this process is to manage the
transition by ensuring that all policies and procedures are followed, carrying out
an exit interview if that is company policy and removing the employee from the
system.

Configuration : Risks and Control Objectives (Configuration-Human Resources)


Risk | Control Objective
Employees who have left the company continue to have system access. | System access to be immediately removed when employees leave the company.
Employees have system access in excess of their job requirements. | Employees should be given system access on a “need to know” basis and to perform their job function.
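An added Python example of a detective control for the two risks in this table, reconciling HR records against application accounts to find leavers who still have access and accounts holding more than their role needs (not from the study material; the role entitlement matrix, employees and accounts are constructed):

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: str
    role: str
    status: str               # "ACTIVE" or "TERMINATED"
    last_day: Optional[date]  # set when the employee leaves


@dataclass(frozen=True)
class SystemAccount:
    user_id: str
    emp_id: str
    enabled: bool
    privileges: frozenset


# Constructed "need to know" matrix: the privileges each job role legitimately needs.
ROLE_ENTITLEMENTS = {
    "ap_clerk": frozenset({"ap.invoice.enter", "ap.invoice.view"}),
    "ap_supervisor": frozenset({"ap.invoice.view", "ap.payment.approve"}),
    "storekeeper": frozenset({"inv.grn.create", "inv.stock.view"}),
}


def review_access(employees, accounts, as_of: date):
    """Periodic access review run over HR and application data.

    Returns (user_id, finding, detail) tuples for: leavers whose accounts are still
    enabled, accounts holding privileges beyond the role's entitlement, and accounts
    with no HR record at all (which cannot be tied to any job requirement).
    """
    hr = {e.emp_id: e for e in employees}
    findings = []
    for acct in sorted(accounts, key=lambda a: a.user_id):
        emp = hr.get(acct.emp_id)
        if emp is None:
            findings.append((acct.user_id, "ORPHAN_ACCOUNT", "no matching HR record"))
            continue
        left = emp.status == "TERMINATED" and emp.last_day is not None and emp.last_day <= as_of
        if acct.enabled and left:
            findings.append((acct.user_id, "LEAVER_STILL_ENABLED",
                             f"last day {emp.last_day.isoformat()}"))
        excess = acct.privileges - ROLE_ENTITLEMENTS.get(emp.role, frozenset())
        if excess:
            findings.append((acct.user_id, "EXCESS_PRIVILEGE", ",".join(sorted(excess))))
    return findings


def sample_review():
    """Constructed data: one over-privileged clerk, one leaver, one clean account, one orphan."""
    employees = [
        Employee("E1", "ap_clerk", "ACTIVE", None),
        Employee("E2", "storekeeper", "TERMINATED", date(2024, 3, 31)),
        Employee("E3", "ap_supervisor", "ACTIVE", None),
    ]
    accounts = [
        SystemAccount("u.e1", "E1", True,
                      frozenset({"ap.invoice.enter", "ap.invoice.view", "ap.payment.approve"})),
        SystemAccount("u.e2", "E2", True, frozenset({"inv.grn.create"})),
        SystemAccount("u.e3", "E3", True, frozenset({"ap.invoice.view", "ap.payment.approve"})),
        SystemAccount("u.e9", "E9", True, frozenset({"gl.post"})),
    ]
    return review_access(employees, accounts, as_of=date(2024, 4, 15))


if __name__ == "__main__":
    for user_id, finding, detail in sample_review():
        print(f"{user_id:8} {finding:22} {detail}")
```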

Masters : Risks and Control Objectives (Masters-Human Resources)

Risk | Control Objective
Additions to the payroll master files do not represent valid employees. | Additions to the payroll master files represent valid employees.
New employees are not added to the payroll master files. | All new employees are added to the payroll master files.
Terminated employees are not removed from the payroll master files. | Terminated employees are removed from the payroll master files.
Invalid changes are made to the payroll master files. | Only valid changes are made to the payroll master files.
Payroll master file data is not up to date. | Payroll master file data remain up to date.
Payroll is disbursed to inappropriate employees. | Payroll is disbursed to appropriate employees.
System access to process employee master changes has not been restricted to the authorized users. | System access to process employee master changes has been restricted to the authorized users.


E) Fixed Assets - Risks and Controls


The Fixed Assets process ensures that all the fixed assets of the enterprise are tracked for
the purposes of financial accounting, preventive maintenance, and theft deterrence, and
that the fixed asset record maintains details of location, quantity, condition, maintenance
and depreciation status.

Typical steps of fixed assets process are as follows:


1. Procuring an Asset: An asset is most often entered into the accounting system
when the invoice for the asset is entered into the accounts payable or
purchasing module of the system.
2. Registering or Adding an Asset: Most of the information needed to set up the asset
for depreciation is available at the time the invoice is entered. Information
entered at this stage could include acquisition date, placed-in-service date,
description, asset type, cost basis, depreciable basis etc.
3. Adjusting the Assets: Adjustments to existing asset information often need to
be made. Events may occur that change the depreciable basis of an asset.
Further, there may be improvements or repairs made to an asset that either add
value to the asset or extend its economic life.
4. Transferring the Assets: A fixed asset may be sold or transferred to another
subsidiary, reporting entity, or department within the company. These may
result in changes that impact the asset's depreciable basis, depreciation, or
other asset data. This needs to be reflected accurately in the fixed assets
management system.
5. Depreciating the Assets: Depreciation is an expense which should be periodically
accounted on a company's books and allocated to the accounting periods, to
match income and expenses.
6. Disposing the Assets: When a fixed asset is no longer in use, becomes obsolete or is
beyond repair, the asset is typically disposed of. Any difference between the book
value and the realized value is reported as a gain or loss.


Masters
Risks and Control Objectives (Masters-Fixed Assets)

Risk | Control Objective
Invalid changes are made to the fixed asset register and/or master file. | Only valid changes are made to the fixed asset register and/or master file.
Changes to the fixed asset register and/or master file are not accurate. | Changes to the fixed asset register and/or master file are accurate.
Changes to the fixed asset register and/or master file are not promptly processed. | Changes to the fixed asset register and/or master file are promptly processed.
Fixed asset register and/or master file data are not kept up to date. | Fixed asset register and/or master file data remain up to date.
System access to fixed asset master file / system configuration is not restricted to the authorized users. | System access to fixed asset master file / system configuration is restricted to the authorized users.

Transactions
Risks and Control Objectives (Transactions-Fixed Assets)
Risk | Control Objective
Fixed asset acquisitions are not accurately recorded. | Fixed asset acquisitions are accurately recorded.
Fixed asset acquisitions are not recorded in the appropriate period. | Fixed asset acquisitions are recorded in the appropriate period.
Fixed asset acquisitions are not recorded. | All fixed asset acquisitions are recorded.
Depreciation charges are not recorded in the appropriate period. | All depreciation charges are recorded in the appropriate period.
Fixed asset disposals/transfers are not recorded. | All fixed asset disposals/transfers are recorded.
Fixed asset disposals/transfers are not recorded in the appropriate period. | Fixed asset disposals/transfers are recorded in the appropriate period.
System access to process fixed asset transactions has not been restricted to the authorized users. | System access to process fixed asset transactions has been restricted to the authorized users.


F) General Ledger - Risks and Controls


The General Ledger (GL) process refers to the process of recording transactions in the
system through to generating reports from the financial transactions entered in the
system. The input for the GL Process Flow is the financial transactions and the outputs
are various types of financial reports such as balance sheet, profit and loss a/c, funds
flow statement, ratio analysis, etc.
The typical steps in general ledger process flow are as follows:
1. Entering financial transactions into the system
2. Reviewing Transactions
3. Approving Transactions
4. Posting of Transactions
5. Generating Financial Reports

Configuration : Risks and Control Objectives (Configuration-General Ledger)

Risk | Control Objective
Unauthorized General ledger entries could be passed. | Access to General ledger entries is appropriate and authorized.
System functionality does not exist to segregate the posting and approval functions. | System functionality exists to segregate the posting and approval functions.
Transactions can be recorded outside of financial close cutoff requirements. | Transactions cannot be recorded outside of financial close cutoff requirements.
Adding to or deleting general ledger accounts is not limited to authorized accounting department personnel. | Adding to or deleting general ledger accounts is limited to authorized accounting department personnel.
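The configuration-level controls in this table (segregated approve and post functions, period cutoff, and posting only to accounts in the approved chart) as an added Python example of how an ERP posting routine might enforce them (not from the study material; the users, periods and accounts are constructed):

```python
from dataclasses import dataclass
from datetime import date
from decimal import Decimal
from typing import Optional


@dataclass
class JournalLine:
    account: str
    debit: Decimal = Decimal("0")
    credit: Decimal = Decimal("0")


@dataclass
class JournalEntry:
    je_no: str
    posting_date: date
    lines: list
    entered_by: str
    approved_by: Optional[str] = None
    status: str = "ENTERED"        # ENTERED -> APPROVED -> POSTED


class GeneralLedger:
    """Enforces: approver != enterer, poster != enterer/approver (segregation),
    posting only into open periods (cutoff), and only to accounts in the chart."""

    def __init__(self, chart_of_accounts, open_periods, approvers, posters):
        self.chart = set(chart_of_accounts)
        self.open_periods = set(open_periods)     # (year, month) pairs still open
        self.approvers = set(approvers)
        self.posters = set(posters)
        self.balances = {a: Decimal("0") for a in self.chart}

    def approve(self, je: JournalEntry, approver: str) -> list:
        """Returns the list of violations; empty means the entry is now APPROVED."""
        errors = []
        if approver not in self.approvers:
            errors.append(f"{approver} is not an authorised approver")
        if approver == je.entered_by:
            errors.append("approver must differ from the person who entered the entry")
        if not errors:
            je.approved_by, je.status = approver, "APPROVED"
        return errors

    def post(self, je: JournalEntry, poster: str) -> list:
        """Returns the list of violations; empty means the entry was POSTED to balances."""
        errors = []
        if je.status != "APPROVED":
            errors.append(f"entry is {je.status}, not APPROVED")
        if poster not in self.posters:
            errors.append(f"{poster} is not authorised to post")
        if poster in (je.entered_by, je.approved_by):
            errors.append("posting must be segregated from entry and approval")
        if (je.posting_date.year, je.posting_date.month) not in self.open_periods:
            errors.append(f"period {je.posting_date:%Y-%m} is closed")
        unknown = {line.account for line in je.lines} - self.chart
        if unknown:
            errors.append("accounts not in chart: " + ",".join(sorted(unknown)))
        if sum(line.debit for line in je.lines) != sum(line.credit for line in je.lines):
            errors.append("debits do not equal credits")
        if errors:
            return errors
        for line in je.lines:
            self.balances[line.account] += line.debit - line.credit
        je.status = "POSTED"
        return []


def new_ledger():
    """Constructed ledger: April 2024 open, March closed; alice/bob approve, carol posts."""
    return GeneralLedger(chart_of_accounts=["1000 Cash", "4000 Sales"],
                         open_periods=[(2024, 4)],
                         approvers=["alice", "bob"], posters=["carol"])


def balanced_lines():
    return [JournalLine("1000 Cash", debit=Decimal("500")),
            JournalLine("4000 Sales", credit=Decimal("500"))]


def good_entry():
    """Entered by bob, approved by alice, posted by carol in an open period."""
    gl = new_ledger()
    je = JournalEntry("JE-1", date(2024, 4, 10), balanced_lines(), entered_by="bob")
    gl.approve(je, "alice")
    errors = gl.post(je, "carol")
    return je.status, errors, gl.balances["1000 Cash"]


def bad_entry():
    """Bob approves his own entry, which is also dated in the closed March period."""
    gl = new_ledger()
    je = JournalEntry("JE-2", date(2024, 3, 31), balanced_lines(), entered_by="bob")
    approve_errors = gl.approve(je, "bob")
    post_errors = gl.post(je, "carol")
    return je.status, approve_errors, post_errors


if __name__ == "__main__":
    print(good_entry())
    print(bad_entry())
```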

Masters : Risks and Control Objectives (Masters-General Ledger)

Risk | Control Objective
General ledger master file change reports are not generated by the system and are not reviewed as necessary by an individual who does not input the changes. | General ledger master file change reports are generated by the system and reviewed as necessary by an individual who does not input the changes.
A standard chart of accounts has not been approved by management and is not utilized within all entities of the corporation. | A standard chart of accounts has been approved by management and is utilized within all entities of the corporation.

Transactions : Risks and Control Objectives (Transactions-General Ledger)

Risk | Control Objective
General ledger balances are not reconciled to sub ledger balances and such reconciliations are not reviewed for accuracy and not approved by supervisory personnel. | General ledger balances reconcile to sub ledger balances and such reconciliations are reviewed for accuracy and approved by supervisory personnel.
Interrelated balance sheet and income statement accounts do not undergo automated reconciliation to confirm accuracy of such accounts. | Interrelated balance sheet and income statement accounts undergo automated reconciliation to confirm accuracy of such accounts.
A report of all journal entries completed as part of the closing process is not reviewed by management to confirm the completeness and appropriateness of all recorded entries. | A report of all journal entries completed as part of the closing process is reviewed by management to confirm the completeness and appropriateness of all recorded entries.
Entries booked in the close process are not complete and accurate. | Entries booked in the close process are complete and accurate.

REGULATORY AND COMPLIANCE REQUIREMENTS


The core to any enterprise's success is to have an efficient and effective financial
information system to support decision-making and monitoring. The risks, controls and
security of such systems should be clearly understood in order to pass an objective
opinion about the adequacy of control in an IT environment.


31. Explain the salient features of Section 134 & Section 143 of the Companies Act 2013.
Ans. The Companies Act, 2013
The Companies Act, 2013 has two very important Sections - Section 134 and Section 143,
which have a direct impact on the audit and accounting profession.
(i) Section 134
Section 134 of the Companies Act, 2013 on “Financial statement, Board's report, etc.”
states inter alia:
The Directors' Responsibility Statement referred to in clause (c) of sub-section (3)
shall state that:
The Directors had taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of this Act for safeguarding the
assets of the company and for preventing and detecting fraud and other
irregularities;
The Directors, in the case of a listed company, had laid down internal financial
controls to be followed by the company and that such internal financial controls are
adequate and were operating effectively.
Explanation: For the purposes of this clause, the term “internal financial controls”
means the policies and procedures adopted by the company for ensuring the orderly
and efficient conduct of its business, including adherence to company's policies, the
safeguarding of its assets, the prevention and detection of frauds and errors, the
accuracy and completeness of the accounting records, and the timely preparation of
reliable financial information;
The Directors had devised proper systems to ensure compliance with the provisions of
all applicable laws and that such systems were adequate and operating effectively.
(ii) Section 143
Section 143, of the Companies Act 2013, on “Powers and duties of auditors and
auditing standards” states inter alia:
Section 143(3) contains the auditor's report which states:
“whether the company has adequate internal financial controls system in place and
the operating effectiveness of such controls”;
When we talk in terms of “adequacy and effectiveness of controls”, it refers to the
adequacy of the control design and whether the control has been working effectively
during the relevant financial year. The impact of this statement is that it involves
continuous control monitoring during the year and not a review “as at” a particular
date.
For example, let us assume that a company has a sales invoicing control wherein all
sales invoices raised by the salesman which are greater than ₹50,000/- are reviewed
and approved by the sales manager. In terms of the control design this control
may seem adequate. However, if during the audit it was found that, during the year,
there were many invoices raised by the salesman which were greater than ₹50,000/-
and were not reviewed and approved by the sales manager, then although the
control design was adequate, the control was not working effectively, due to the many
exceptions without proper approval.
As per ICAI's “Guidance Note on Audit of Internal Financial Controls over Financial
Reporting”:
Clause (i) of Sub-section 3 of Section 143 of the Companies Act, 2013 (“the 2013 Act”
or “the Act”) requires the auditors' report to state whether the company has adequate
internal financial controls system in place and the operating effectiveness of such
controls.

I. Auditors' Responsibility
The auditor's objective in an audit of internal financial controls over financial
reporting is to express an opinion on the effectiveness of the company's internal
financial controls over financial reporting and the procedures in respect thereof are
carried out along with an audit of the financial statements. Because a company's
internal controls cannot be considered effective if one or more material weaknesses
exist, to form a basis for expressing an opinion, the auditor should plan and perform
the audit to obtain sufficient appropriate evidence to obtain reasonable assurance
about whether a material weakness exists as of the date specified in management's
assessment. A material weakness in internal financial controls may exist even when
the financial statements are not materially misstated.

II. Corporate Governance Requirements


Corporate Governance is the framework of rules and practices by which a board of
directors ensures accountability, fairness and transparency in a company's
relationship with all its stakeholders (financiers, customers, management,
employees, government, and the community).


The corporate governance framework consists of :
(i) Explicit and implicit contracts between the company and the stakeholders for
distribution of responsibilities, rights, and rewards.
(ii) Procedures for reconciling the sometimes conflicting interests of stakeholders in
accordance with their duties, privileges, and roles, and
(iii) Procedures for proper supervision, control, and information-flows to serve as a
system of checks-and-balances.

III. Enterprise Risk Management's Framework


As discussed in the previous section of the chapter, Enterprise Risk Management
(ERM) in business includes the methods and processes used by organizations to
manage risks and seize opportunities related to the achievement of their objectives.
As shown in the Fig., ERM provides a framework for risk management, which typically
involves identifying particular events or circumstances relevant to the organization's
objectives (risks and opportunities), assessing them in terms of likelihood and
magnitude of impact, determining a response strategy, and monitoring progress. By
identifying and pro-actively addressing risks and opportunities, business enterprises
protect and create value for their stakeholders, including owners, employees,
customers, regulators, and society overall.

[Fig. Framework Provided by ERM: Risk Management branches into Risk Assessment (Risk Identification, Risk Analysis, Risk Prioritization) and Risk Mitigation / Control (Risk Reduction, Risk Planning, Risk Monitoring).]


Management selects a risk response strategy for specific risks identified and
analysed, which may include:
(i) Avoidance: Not doing an activity which causes risk.
(ii) Reduction: taking action to reduce the likelihood or impact related to the risk.

(iii) Alternative Actions: deciding and considering other feasible steps to minimize risks.
(iv) Share or Insure: transferring or sharing a portion of the risk, to finance it.
(v) Accept: no action is taken, due to a cost/benefit decision.

32. Explain cyber crime. List out computer related crime defined u/s 43 of IT Act, 2000.
Ans. Cyber Crime: The term 'Cyber Crime' finds no mention either in The Information
Technology Act 2000 or in any other legislation of the country. Cyber Crime is not different
from traditional crime; the only difference is that in Cyber Crime computer technology
is involved, and thus it is a computer related crime. This can be explained by the following
instance:
• Traditional Theft: Thief 'A' enters in B's house and steals an object kept in the house.
• Hacking: Many business organizations store their confidential information in
computer system which is often targeted by rivals, criminals and disgruntled
employees. Hacking generally refers to unauthorized intrusion into a computer or a
network. This may be done by either altering system or security features to
accomplish a goal that differs from the original purpose of the system.
I. Computer related offences
Section 43 provides for Penalty and compensation for damage to computer,
computer system, etc.
If any person without permission of the owner or any other person who is in-charge
of a computer, computer system or computer network, or computer resource:
• Accesses or secures access to such computer, computer system or computer
network;
• Downloads, copies or extracts any data, computer database or information from
such computer, computer system or computer network including information or
data held or stored in any removable storage medium;
• Introduces or causes to be introduced any computer contaminant or computer
virus into any computer, computer system or computer network;
• Damages or causes to be damaged any computer, computer system or computer
network, data, computer database or any other programs residing in such
computer, computer system or computer network;
• Disrupts or causes disruption of any computer, computer system or computer
network;


• Denies or causes the denial of access to any person authorized to access any
computer, computer system or computer network by any means;
• Provides any assistance to any person to facilitate access to a computer, computer
system or computer network in contravention of the provisions of this Act, rules or
regulations made thereunder;
• Changes the services availed of by a person to the account of another person by
tampering with or manipulating any computer, computer system or computer network;
• Destroys, deletes or alters any information residing in a computer resource or
diminishes its value or utility or affects it injuriously by any means;
• Steals, conceals, destroys or alters or causes any person to steal, conceal, destroy
or alter any computer source code used for a computer resource with an intention
to cause damage; shall be liable to pay damages by way of compensation to the
person so affected.

33. Explain the provisions covering IT related crimes and their penalties under the Information
Technology Act, 2000.
Ans. 1. Section 43A: - Compensation for failure to protect data
Where a body corporate, possessing, dealing or handling any sensitive personal data
or information in a computer resource which it owns, controls or operates, (Crime) is
negligent in implementing and maintaining reasonable security practices and
procedures and thereby causes wrongful loss or wrongful gain to any person,
(Punishment)such body corporate shall be liable to pay damages by way of
compensation to the person so affected.

2. Section 65: - Tampering with Computer Source Documents
(Crime) Whoever knowingly or intentionally conceals, destroys or alters or
intentionally or knowingly causes another to conceal, destroy or alter any computer
source code used for a computer, computer program, computer system or computer
network, when the computer source code is required to be kept or maintained by law for
the time being in force, (Punishment) shall be punishable with imprisonment up to three
years, or with fine which may extend up to 2 lakh rupees, or with both. The explanation
clarifies that 'Computer Source Code' means the listing of programmes, computer
commands, design and layout and programme analysis of computer resource in any form.


3. Section 66: - Computer Related Offences
(Crime) If any person, dishonestly or fraudulently, does any act referred to in Section 43,
(Punishment) he shall be punishable with imprisonment for a term which may extend
to three years or with fine which may extend to 5 lakh rupees or with both.

4. Section 66B: - Punishment for dishonestly receiving stolen computer resource or
communication device
(Crime) Whoever dishonestly receives or retains any stolen computer resource or
communication device knowing or having reason to believe the same to be stolen
computer resource or communication device,
(Punishment) shall be punished with imprisonment of either description for a term which
may extend to three years or with fine which may extend to rupees one lakh or with both.

5. Section 66C: - Punishment for identity theft
(Crime) Whoever, fraudulently or dishonestly, makes use of the electronic signature,
password or any other unique identification feature of any other person,
(Punishment) shall be punished with imprisonment of either description for a term
which may extend to three years and shall also be liable to fine which may extend to
rupees one lakh.

6. Section 66D: - Punishment for cheating by personation by using computer resource
(Crime) Whoever, by means of any communication device or computer resource,
cheats by personation,
(Punishment) shall be punished with imprisonment of either description for a term
which may extend to three years and shall also be liable to fine which may extend to
one lakh rupees.

7. Section 66E: - Punishment for violation of privacy
(Crime) Whoever, intentionally or knowingly, captures, publishes or transmits the
image of a private area of any person without his or her consent, under
circumstances violating the privacy of that person, (Punishment) shall be punished
with imprisonment which may extend to three years or with fine not exceeding two
lakh rupees, or with both.


8. Section 66F: - Punishment for cyber terrorism
(1) Whoever -
(A) with intent to threaten the unity, integrity, security or sovereignty of India or to
strike terror in the people or any section of the people by -
(i) denying or causing the denial of access to any person authorized to access a
computer resource; or
(ii) attempting to penetrate or access a computer resource without
authorization or exceeding authorized access; or
(iii) introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to
persons or damage to or destruction of property, or disrupts, or knowing that it
is likely to cause damage or disruption of supplies or services essential to the
life of the community, or adversely affects the critical information infrastructure
specified under Section 70; or
(B) knowingly or intentionally penetrates or accesses a computer resource without
authorization or exceeding authorized access, and by means of such conduct
obtains access to information, data or computer database that is restricted for
reasons of the security of the State or foreign relations, or any restricted
information, data or computer database, with reasons to believe that such
information, data or computer database so obtained may be used to cause or is
likely to cause injury to the interests of the sovereignty and integrity of India,
the security of the State, friendly relations with foreign States, public order,
decency or morality, or in relation to contempt of court, defamation or
incitement to an offence, or to the advantage of any foreign nation, group of
individuals or otherwise, commits the offence of cyber terrorism.
(2) (Punishment) Whoever commits or conspires to commit cyber terrorism shall be
punishable with imprisonment which may extend to imprisonment for life.

9. Section 67: - Punishment for publishing or transmitting obscene material in
electronic form
(Crime) Whoever publishes or transmits or causes to be published or transmitted in
the electronic form, any material which is lascivious or appeals to the prurient
interest or if its effect is such as to tend to deprave and corrupt persons who are likely,
having regard to all relevant circumstances, to read, see or hear the matter
contained or embodied in it,
(Punishment) shall be punished on first conviction with imprisonment of either
description for a term which may extend to three years and with fine which may
extend to five lakh rupees and in the event of a second or subsequent conviction with
imprisonment of either description for a term which may extend to five years and
also with fine which may extend to ten lakh rupees.

10. Section 67A: - Punishment for publishing or transmitting of material containing
sexually explicit act, etc. in electronic form
(Crime) Whoever publishes or transmits or causes to be published or transmitted in
the electronic form any material which contains sexually explicit act or conduct
(Punishment) shall be punished on first conviction with imprisonment of either description for
a term which may extend to five years and with fine which may extend to ten lakh
rupees and in the event of second or subsequent conviction with imprisonment of
either description for a term which may extend to seven years and also with fine
which may extend to ten lakh rupees.

11. Section 67B: - Punishment for publishing or transmitting of material depicting
children in sexually explicit act, etc. in electronic form
(Crime) Whoever, -
(a) publishes or transmits or causes to be published or transmitted material in any
electronic form which depicts children engaged in sexually explicit act or
conduct; or
(b) creates text or digital images, collects, seeks, browses, downloads, advertises,
promotes, exchanges or distributes material in any electronic form depicting
children in obscene or indecent or sexually explicit manner; or cultivates,
entices or induces children to online relationship with one or more children for
and on sexually explicit act or in a manner that may offend a reasonable adult
on the computer resource; or
(c) facilitates abusing children online; or
(d) records in any electronic form own abuse or that of others pertaining to
sexually explicit act with children,
(Punishment) shall be punished on first conviction with imprisonment of either
description for a term which may extend to five years and with a fine which may
extend to ten lakh rupees and in the event of second or subsequent conviction
with imprisonment of either description for a term which may extend to seven
years and also with fine which may extend to ten lakh rupees:

PROVIDED that the provisions of Section 67, Section 67A and this section do not extend to
any book, pamphlet, paper, writing, drawing, painting, representation or figure in
electronic form -
(i) the publication of which is proved to be justified as being for the public good on the
ground that such book, pamphlet, paper, writing, drawing, painting, representation
or figure is in the interest of science, literature, art or learning or other objects of
general concern; or
(ii) which is kept or used for bona fide heritage or religious purposes.

34. Give five examples of Computer Related Offences that can be prosecuted under the
IT Act, 2000 (as amended in 2008).
Ans. Common cyber-crime scenarios: Let us look at some common cyber-crime scenarios which
can attract prosecution as per the penalties and offences prescribed in the IT Act, 2000
(as amended in 2008).
• Harassment via fake public profile on a social networking site (Section 67): A fake
profile of a person is created on a social networking site with the correct address,
residential information or contact details, but he/she is labelled as a person of 'loose
character'. This leads to harassment of the victim.

• Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, and Bugs: All these are
some sort of malicious programs which are used to destroy or gain access to some
electronic information. Sections 43 and 66 of IT Act, 2000 are applicable in this case.

• Cyber Terrorism: It is conducted in cyberspace, where the criminals attempt to
damage or disrupt computer systems or telecommunication services, using virtual
storage (online drives, FTP sites) and physical storage media (USB sticks, hard drives)
for hiding information and records.
Examples:
• hacking computer systems,
• web site defacing,
• denial-of-service attacks,
• introducing viruses,
• terroristic threats.
Sections 43, 66 and 66A of IT Act, 2000 are applicable in this case. (Section 66A was
struck down as unconstitutional by the Supreme Court of India in Shreya Singhal v. Union
of India, 2015, so it can no longer be invoked.)

• Email Account Hacking: If anyone's email account is hacked and offensive emails
are sent to the contacts stored in that email account. Sections 43, 66, 66A, 66C, 67, 67A
and 67B of IT Act, 2000 are applicable in this case.

• Credit Card Fraud: Unsuspecting victims would use infected computers to make
online transactions.
Sections 43, 66, 66C, 66D of IT Act, 2000 are applicable in this case.

• Web Defacement: The homepage of a website is replaced with a defamatory page.
Government sites generally face this issue on special days.
Sections 43, 66, 66F and 67 of IT Act, 2000 are applicable in this case.

• Online sale of illegal Articles: Where sale of narcotics, drugs, weapons and wildlife is
facilitated by the Internet.

• Phishing and Email Scams: Phishing involves fraudulently collecting sensitive
information (e.g. usernames, passwords, credit card information) by masquerading
as a trusted entity.
Sections 66, 66C and 66D of IT Act, 2000 are applicable in this case.

• Theft of Confidential Information: Many business organizations store their
confidential information in computer systems. This information is targeted by rivals,
criminals and unhappy employees.
Sections 43, 66 and 66B of IT Act, 2000 are applicable in this case.


• Source Code Theft: Source code is generally the most coveted and important
"crown jewel" asset of a company, since it includes the code of its valuable software.
Sections 43, 65, 66 and 66B of IT Act, 2000 are applicable in this case.

III. Privacy
• When people access the Web, they often provide vital personal information such as
their name, address and credit card number to their Internet Service Providers
and to the websites they access (e.g. Amazon.com).
• Information so collected may fall into wrong hands and may be used for illegitimate
purposes (by a hacker or an organisation).
• The organizations that collect and manage the personal information of people must
also protect it against misuse.
• The collection of personal information by an organization is an important issue
related to the privacy of online data.
• Privacy laws vary in different countries.
• Multi-national companies often receive information in one country and process this
information in some other country where privacy laws are altogether different.
• Therefore, in a globalized world it becomes very challenging for these companies to
ensure uniform standards of privacy.

The main principles on data protection and privacy enumerated under the IT Act, 2000
are as follows:
• defining 'data', 'computer database', 'information', 'electronic form', 'originator',
'addressee', etc.;
• creating civil liability if any person accesses or secures access to a computer, computer
system or computer network without permission;
• creating criminal liability if any person dishonestly or fraudulently accesses or secures
access to a computer, computer system or computer network;
• declaring any computer, computer system or computer network as a protected
system;
• imposing penalty for breach of confidentiality and privacy;
• setting up a hierarchy of regulatory authorities, namely adjudicating officers, the Cyber
Regulations Appellate Tribunal, etc.

IV. Sensitive Personal Data Information (SPDI)

Definition: Rule 3 defines sensitive personal data or information as:
a. Passwords;
b. Financial information;
c. Physical, physiological and mental health condition;
d. Sexual orientation;
e. Medical records and history;
f. Biometric information.
(It does not include information that is associated with an already identified individual,
such as habits, location or activity.)

Rules: The Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information Rules, 2011, framed under Section 43A of the Information Technology Act,
2000, define a data protection framework for the processing of digital data by a Body
Corporate.

Consent to collect: Rule 5(1) requires that a Body Corporate should, prior to collection,
obtain consent in writing through letter, fax or email from the provider of the sensitive
personal data regarding the use of that data.


35. Explain the advantages of Cyber Laws / IT Act, 2000
Ans. From the perspective of e-commerce in India, the IT Act, 2000 and its provisions contain
many positive aspects, which are as follows:
• The implication for e-businesses is that email is now a valid and
legal form of communication in India that can be duly produced and approved in a
court of law.
• Companies shall now be able to carry out electronic commerce using the legal
infrastructure provided by the Act.
• Digital signatures have been given legal validity and sanction in the Act.
• The Act throws open the doors for the entry of corporate companies in the business of
being Certifying Authorities for issuing Digital Signatures Certificates.
• The Act now allows Government to issue notification on the web thus heralding e-
governance.
• The Act enables the companies to file any form, application or any other document
with any office, authority, body or agency owned or controlled by the appropriate
Government in electronic form by means of such electronic form as may be prescribed
by the appropriate Government.
• The IT Act also addresses the important issues of security, which are so critical to the
success of electronic transactions.
• The Act has given a legal definition to the concept of secure digital signatures that
would be required to have been passed through a system of a security procedure, as
stipulated by the Government at a later date.
• Under the IT Act, 2000, it is now possible for corporates to have a statutory
remedy if anyone breaks into their computer systems or network and causes
damage or copies data. The remedy provided by the Act is in the form of monetary
damages, not exceeding Rs. 1 crore. (This ceiling was in the original Section 43; the
2008 amendment removed it, which is why the Section 43 text reproduced under Q.32
carries no monetary cap.)


FLOW CHART QUESTIONS


Q.1 Draw a flowchart to compute simple interest

Q.2 Draw a flowchart to calculate discount on sales, where discount is 5% of sales. The output
needs name and PAN also.

Q.3 Draw a flowchart to calculate and print the discounted amount, where the discount rate is
20% if the sale is < ₹10,000, or else 30%.

Q.4 The goods imported from foreign countries are classified into four categories for the
purpose of levying custom duty. The rate of custom duty and value of goods for each
category is given in the database:
1. Electronic items 10%
2. Heavy machinery 15%
3. Footwear items 20%
4. All other uncategorized items 25%
Draw a flow chart to compute the appropriate custom duty including Educational Cess at
the rate of 3% of the value of custom duty.

Q. 5. Draw a Flowchart to compute and print income tax, surcharge and education cess on
the income of a person, where income is to be read from terminal and tax is to be
calculated as per the following rates:
Slab (₹) Rate
(1) 1 to 1,00,000: No tax
(2) 1,00,001 to 1,50,000: 10% of amount above ₹ 1,00,000
(3) 1,50,001 to 2,50,000: ₹ 5,000 + 20% of amount above ₹ 1,50,000
(4) 2,50,001 onwards: ₹ 25,000 + 30% of amount above ₹ 2,50,000
Surcharge @10% on the amount of tax, if income of a person exceeds ₹ 10,00,000.
Education cess 2% on the total tax.

Q.6. (I) Input name and basic salary for 100 employees.
Each employee contributes 10% of basic salary towards provident fund. Find and
print the name and P.F. contribution made by each employee.
(II) Also print the total contribution of all employees.


Q.7. A book publisher offers discount to customers on the basis of customer type and
number of copies ordered, as shown below:
Customer type | Number of copies ordered | % of discount
Book Seller | More than 10 | 25
Book Seller | Less than or equal to 10 | 15
Library | More than 5 | 20
Library | Less than or equal to 5 | 10
Customer number, name, type, book number, number of copies ordered and unit
price are given as input. Draw a flow chart to calculate the net amount of the bill
for each customer and print it. The above is to be carried out for 50 customers.

Q.8. An electric supply company charges the following rates from its consumers:
No. of units consumed | Charges (₹/unit)
For the first 200 units | 2.50
For the next 300 units | 3.50
Over 500 units | 5.00
The computer database of the company has the following information:
1) Consumer name 2) Address 3) Units consumed
4) Bill date 5) Payment date
• If the consumer pays his bill within 15 days from the bill date, a 10% discount is
given.
• If he makes the payment after 15 days from the bill date, a 5% surcharge is
levied.
Draw a flow chart to calculate the net amount of the bill for each consumer
and print it.

Q.9. An electricity distribution company has three categories of consumers, namely
(i) Domestic (ii) Commercial (iii) Industry
The charges of electricity per unit consumed by these consumers are Rs. 3, Rs. 4 and Rs. 5
respectively. The computer database of the company has the following information:
(a) Consumer's category (b) Units consumed (c) Bill date (d) Date of payment
The company processes bills according to the following criteria. If the consumer is
domestic and pays the bill within 10 days of the bill date, a 5% discount is given. If he pays the
bill within 15 days, no discount is given. If he makes the payment after 15 days of the
bill date, a 10% surcharge is levied.
For the non-domestic consumers (commercial or industry), the corresponding percentages
are 10%, 0% and 15% respectively. Draw a flow chart to calculate the bill amount,
discount, surcharge and net amount of the bill for each type of consumer and print it.

Q.10. A bicycle shop in a city hires bicycles by the day at different rates for different models, as
below:
Model no. | Hire rate per day (₹)
Model No. 1 | 14.00
Model No. 2 | 12.00
Model No. 3 | 10.00
In order to attract customers, the shopkeeper gives a discount on the number of days a
bicycle is hired for. The policy of discount is as given below:
No. of days | Discount rate (%)
1-5 | 0.00
6-10 | 8
11 and over | 15
For every bicycle hired a deposit of Rs. 30.00 must be paid. Develop a flow chart to print
out details for each customer such as name of the customer, bicycle model number,
number of days a bicycle is hired for, hire charges, discount and total charges.

Q.11. A Housing Society in a newly developed Smart City has provided several advanced
security systems to each house in that city. Based on the value of these advanced
security systems installed in each house, the Society has divided all the houses in four
categories and fixed the criteria for annual maintenance charges as under:
House Category Maintenance charges as % of value of
advanced security systems installed at house
A 8%
B 6%
C 4%
D 3%

In addition to the above there is a service tax @ 12.36% on the amount of maintenance
charges. Considering house number and value of advanced security system installed as
input, draw a flow chart to have printed output as house number, maintenance
charges, service tax and the total amount to be paid by each house owner.

Q.12. An E-commerce site has the following cash back offers.
(i) If the purchase mode is via website, an initial discount of 10% is given on the bill
amount.
(ii) If the purchase mode is via phone app, an initial discount of 20% is given on the bill
amount.
(iii) If done via any other purchase mode, the customer is not eligible for any discount.
Every purchase eligible to discount is given 10 reward points.
(a) If the reward points are between 100 and 200 points, the customer is eligible for a
further 30% discount on the bill amount after initial discount.
(b) If the reward points exceed 200 points, the customer is eligible for a further 40%
discount on the bill amount after initial discount.
Taking purchase mode, bill amount and number of purchases as input draw a flowchart
to calculate and display the total reward points and total bill amount payable by the
customer after all the discount calculation.

Q.13. The GST of 50 items is to be calculated as per the following details. With Code No. and
Value of Supply as input, draw a flowchart to calculate the Tax and print the Tax,
Code No. of the Item and the Type of Item. (Note: The rates have been taken
hypothetically)
Code No.(C_No) Types of Items Tax Rate
001 Perishable 15%
002 Textiles 10%
003 Luxury Items 20%
004 Machinery 12%


Q.14 A bicycle shop in Delhi provides hired bicycles for day(s) at different rates as shown in
table:
Season Charges per day
Spring (March - May) ₹ 8.00
Summer (June - August) ₹ 9.50
Autumn (Sept - Nov.) ₹ 5.00
Winter (Dec. - Feb.) ₹ 6.00
To attract his customers, the proprietor also gives a discount on the number of days a
bicycle is hired for. If the hire period is more than 10 days, a reduction of 15% is made.
For every bicycle hired, a deposit of ₹ 20 must be paid.
Develop a flowchart to print out the details for each customer such as name of
customer, number of days a bicycle is hired for, hire-charges and total charges
including the deposit. It is also assumed that there are 25 customers and complete
details for each customer such as name of customer, season and number of days the
bicycle is required for is inputted through console.

Q.15. Consider the following flow chart:
START
X = 10, Y = 20, Z = 30
Step A: S = 0, I = 0
Loop:
    S = Z
    Z = Y
    Y = X
    X = S
    I = I + 1
Step B: Is I = 1?
    No  → go back to the start of the loop (S = Z)
    Yes → PRINT X, Y, Z
STOP


(a) What is the output of the flow chart?
(b) In Step B, put I = 3 in place of I = 1; what will be the output then?
(c) In Step B, put I = 6 in place of I = 1; what will be the output then?
(d) In the given flow chart, replace I = 0 by I = 1 at Step A; what will be the output?

Q.16. (a) Draw a flow chart to incorporate for the following steps:
L1 N =1
L2 PRINT N
L3 N=N x (N+1)
L4 STOP when N exceeds 100
L5 GOTO L2
Note that in step L3, 'x' denotes multiplication sign.
(b) List the output for the above program.
(c) List the output if the above program is modified in step L1 as N = 0.
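The two flowcharts above (Q.15 and Q.16) traced in code, as an added example that is not part of the study material: each box of the chart becomes one statement, and an iteration cap makes the variants whose exit test is never met return None instead of running forever. The names rotate_until, series_q16 and MAX_STEPS are this example's own.

```python
"""Added example (not from the study material): Q.15 and Q.16 as code.

Both charts are loops whose only way out is a test on a running value; a
cap on the number of passes lets us report 'never terminates' for the
variants in which that test can never become true.
"""

MAX_STEPS = 1000  # guard: a chart whose exit test is never true would loop forever


def rotate_until(stop_at, i_start=0, x=10, y=20, z=30):
    """Q.15: the loop S=Z; Z=Y; Y=X; X=S; I=I+1, exiting when I equals stop_at.

    Returns the (X, Y, Z) that the chart would PRINT, or None if Step B's
    test is never satisfied within MAX_STEPS passes (the chart never stops).
    """
    i = i_start                    # Step A: I = 0 in the chart, I = 1 in part (d)
    for _ in range(MAX_STEPS):
        s = z                      # the four assignments rotate the three values
        z = y
        y = x
        x = s
        i += 1
        if i == stop_at:           # Step B
            return (x, y, z)
    return None


def series_q16(n_start=1, limit=100):
    """Q.16: L1 N = n_start; L2 PRINT N; L3 N = N * (N + 1); L4 STOP when N > limit; L5 GOTO L2.

    Returns the list of values that would be printed, or None if N never
    exceeds the limit (as happens when N starts at 0, since 0 * 1 stays 0).
    """
    n = n_start
    printed = []
    for _ in range(MAX_STEPS):
        printed.append(n)          # L2
        n = n * (n + 1)            # L3
        if n > limit:              # L4
            return printed
    return None


if __name__ == "__main__":
    for stop, start in [(1, 0), (3, 0), (6, 0), (1, 1)]:
        print(f"Q.15 stop at I={stop}, I starts at {start}:", rotate_until(stop, start))
    print("Q.16 N=1:", series_q16())
    print("Q.16 N=0:", series_q16(n_start=0))
```

The answers follow directly from the trace. For Q.15, one pass turns (10, 20, 30) into (30, 10, 20), so I = 1 prints 30, 10, 20; the rotation has period three, so stopping at I = 3 or I = 6 prints the original 10, 20, 30; and with I starting at 1 the counter is 2 after the first pass and never equals 1 again, so the chart never reaches PRINT. For Q.16, the values 1, 2, 6, 42 are printed and the loop stops once N becomes 1806; with N = 0 the product N × (N + 1) stays 0 and never exceeds 100, so the loop is endless.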


CLASSWORK SECTION

1. Explain Risk Management and related terms.
Ans. Various terminologies relating to risk management are given as follows:
1. Risk Management: Risk Management is the process of assessing risk, taking steps to
reduce risk to an acceptable level and maintaining that level of risk. Risk
management involves identifying, measuring, and minimizing uncertain events
affecting resources.

2. Asset: An asset can be defined as something of value to the organization; e.g.,
information in electronic or physical form, software systems, employees. Irrespective of
the nature of the assets themselves, they all have one or more of the following
characteristics:
• They are recognized to be of value to the organization.
• They are not easily replaceable without cost, skill, time, resources or a combination of these.
• They form a part of the organization's corporate identity, without which the
organization may be threatened.
• Their data classification would normally be Proprietary, Highly Confidential or
even Top Secret.
It is the purpose of Information Security Personnel to identify the threats to information
assets and the associated potential damage, and to safeguard those assets.

3. Vulnerability: Vulnerability is a weakness in the system safeguards that exposes
the system to threats. It may be a weakness in information system/s, cryptographic
system (security systems), or other components (e.g. system security procedures,
hardware design, internal controls) that could be exploited by a threat.
Vulnerabilities potentially "allow" a threat to harm or exploit the system. For
example, a vulnerability could be a poor access control method allowing dishonest
employees (the threat) to exploit the system to adjust their own records. Some
examples of vulnerabilities are given as follows:
• Leaving the front door unlocked makes the house vulnerable to unwanted visitors.
• Short passwords (less than 6 characters) make the automated information
system vulnerable to password cracking or guessing routines.


4. Threat: Any entity, circumstance, or event with the potential to harm the software
system or component through unauthorized access, destruction, modification,
and/or denial of service is called a Threat. It is an action, event or condition that can
compromise the system or its quality and has the ability to inflict harm on the
organization. A threat has the capability to attack a system with intent to harm.

5. Exposure: An exposure is the extent of loss the enterprise has to face when a risk
materializes. It is not just the immediate impact, but the real harm that occurs in the
long run. For example - loss of business, failure to perform the system's mission, loss
of reputation, violation of privacy and loss of resources etc.

6. Likelihood: Likelihood of the threat occurring is the estimation of the probability that
the threat will succeed in achieving an undesirable event. The presence, tenacity and
strengths of threats, as well as the effectiveness of safeguards must be considered
while assessing the likelihood of the threat occurring.

7. Attack: An attack is an attempt to gain unauthorized access to the system's services
or to compromise the system's dependability. In software terms, an attack is a
malicious intentional fault, usually an external fault, that has the intent of exploiting
a vulnerability in the targeted software or system.
Basically, it is a set of actions designed to compromise CIA (Confidentiality, Integrity
or Availability), or any other desired feature of an information system. Simply, it is
the act of trying to defeat Information Systems (IS) safeguards. The type of attack
and its degree of success determine the consequence of the attack.
[Figure: relationship among owners, countermeasures, vulnerabilities, threat agents,
threats, risk and assets. The relationships recovered from the figure's labels:]
• Owners value assets and wish to minimize the risk to them.
• Owners impose countermeasures to reduce risk; countermeasures may themselves
possess vulnerabilities, of which owners may be aware, and which may be reduced by
further countermeasures.
• Vulnerabilities lead to risk to the assets.
• Threat agents give rise to threats; threats exploit vulnerabilities and increase risk.
• Threat agents wish to abuse and/or may damage the assets.


8. Counter Measure: An action, device, procedure, technique or other measure that
reduces the vulnerability of a component or system is referred to as a Counter Measure.
For example, the well known threat 'spoofing the user identity' has two
countermeasures:
• Strong authentication protocols to validate users; and
• Passwords should not be stored in configuration files; instead some secure
mechanism should be used.
Similarly, for other vulnerabilities, different countermeasures may be used.
The relationship and different activities among these terms may be understood from
the figure above.

9. Risk can be defined as the potential harm caused if a threat exploits a particular
vulnerability to cause damage to an asset.

10. Risk Analysis is defined as the process of identifying security risks and determining
their magnitude and impact on an organization.

11. Risk Assessment includes the following:
• Identification of threats and vulnerabilities in the system;
• Potential impact or magnitude of harm that a loss of CIA would have on
enterprise operations or enterprise assets, should an identified vulnerability be
exploited by a threat; and

Example 1: Draw a Flowchart for finding the sum of first 100 odd numbers.
Solution : The flowchart is drawn as Fig. 1.7.3 and is explained step by step below. The
step numbers are shown in the flowchart in circles and as such are not a part of the
flowchart but only a referencing device.
Our purpose is to find the sum of the series 1, 3, 5, 7, 9, ... (100 terms). The student
can verify that the 100th term would be 199. We propose to set A = 1 and then go on
incrementing it by 2 so that it holds the various terms of the series in turn. B is an
accumulator in the sense that A is added to B whenever A is incremented. Thus, B will
hold, in turn:
1
1 + 3 = 4
4 + 5 = 9
9 + 7 = 16, etc.
Step 1 - All working locations are set to zero. This is necessary because if they are
holding some data of the previous program, that data is liable to corrupt the
result of the flowchart.
Step 2 - A is set to 1 so that subsequently, by incrementing it successively by 2, we get
the wanted odd terms: 1, 3, 5, 7, etc.
Step 3 - A is poured into B, i.e., added to B. B being 0 at the moment and A being 1, B
becomes 0 + 1 = 1.
Step 4 - poses a question: "Has A become 199?" If not, go to step 5, where we increment
A by 2, so that although at the moment A is 1, it is made 3 in step 5, and
so on. Then go back to step 3, forming a loop.

START
(1) CLEAR WORKING LOCATIONS
(2) SET A = 1
(3) B = B + A
(4) Is A = 199?
    NO  → (5) A = A + 2, then back to (3)
    YES → (6) PRINT B
END

1 70
CHAPTER 1 : AUTOMATED BUSINESS PROCESSES

Flowchart for addition of first 100 odd numbers


Since we must stop at the 100th term, which is equal to 199, A is repeatedly
incremented in step 5 and added to B in step 3. In other words, B holds the cumulative
sum up to the latest term held in A.
When A has become 199, the necessary computations have been carried out,
so in step 6 the result is printed.
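The same flowchart written as a loop, as an added example that is not part of the study material. The function follows steps 1 to 6 exactly, with B as the accumulator and A as the current odd term; the helper `running_totals` shows the intermediate values of B (1, 4, 9, 16, ...) that the explanation above lists. Function names are my own.

```python
# Added example (not part of the study material): the flowchart of Fig. 1.7.3
# written as a loop. A steps through the odd terms, B accumulates them, and the
# loop ends once the 100th term (199) has been added to B.


def sum_first_n_odd_numbers(n: int) -> int:
    """Accumulate the first n odd numbers, following the flowchart's steps 1-6."""
    if n < 1:
        raise ValueError("n must be at least 1")
    last_term = 2 * n - 1          # the nth odd number: 199 when n == 100
    b = 0                          # step 1: clear the working location (accumulator)
    a = 1                          # step 2: A holds the first term of the series
    while True:
        b = b + a                  # step 3: "pour" A into B
        if a == last_term:         # step 4: has A reached the final term?
            break                  # yes: leave the loop and report B (step 6)
        a = a + 2                  # step 5: next odd term, then back to step 3
    return b


def running_totals(k: int) -> list:
    """The values B holds after each of the first k additions: 1, 4, 9, 16, ..."""
    totals, a, b = [], 1, 0
    for _ in range(k):
        b += a
        totals.append(b)
        a += 2
    return totals


if __name__ == "__main__":
    print(running_totals(4))                 # [1, 4, 9, 16]
    print(sum_first_n_odd_numbers(100))      # 10000, i.e. 100 squared
```

Note that step 4 tests A for equality with 199. That only terminates because A starts at 1 and moves in steps of 2, so it is guaranteed to land exactly on 199; if the stopping value could ever be skipped, the loop would never end, which is why a comparison such as `A > 199` is the safer form of a termination test.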

Example 2
An E-commerce site has the following cash back offers.
(i) If the purchase mode is via website, an initial discount of 10% is given on the bill
amount.
(ii) If the purchase mode is via phone app, an initial discount of 20% is given on the bill
amount.
(iii) If done via any other purchase mode, the customer is not eligible for any discount.
Every purchase eligible to discount is given 10 reward points.
(a) If the reward points are between 100 and 200 points, the customer is eligible for a
further 30% discount on the bill amount after initial discount.
(b) If the reward points exceed 200 points, the customer is eligible for a further 40%
discount on the bill amount after initial discount.
Taking purchase mode, bill amount and number of purchases as input, draw a
flowchart to calculate and display the total reward points and total bill amount
payable by the customer after all the discount calculations.
Solution
Abbreviations used in the flowchart:
PM: Purchase Mode
BA: Bill Amount
TBA: Total Bill Amount
NOP: Number of Purchases
TRP: Total Reward Points
IN_DISC: Initial Discount
ET_DISC: Extra Discount on purchases
N: Counter (to track the number of purchases)

The flowchart, rendered as steps:
Start
TRP = 0, TBA = 0, BA = 0
Read PM, BA, NOP
If PM = Website? Yes: IN_DISC = 0.10. No: test the next mode.
If PM = Phone App? Yes: IN_DISC = 0.20. No: IN_DISC = 0.
TRP = NOP * 10
BA = BA - (BA * IN_DISC)
If 100 <= TRP <= 200? Yes: ET_DISC = 0.30 and TBA = BA - (BA * ET_DISC). No: test the next condition.
If TRP > 200? Yes: ET_DISC = 0.40 and TBA = BA - (BA * ET_DISC). No: TBA = BA.
Print TRP, TBA
Stop
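The Example 2 flowchart as a function, added here as an example and not part of the study material. It follows the solution flowchart, in which TRP = NOP × 10 is computed on every path and the two reward-point tests are applied after the initial discount. The purchase-mode strings "website" and "phone app" are my assumption, as are the function and field names.

```python
# Added example (not part of the study material): the Example 2 flowchart as a
# function. Variable names follow the flowchart's abbreviations (PM, BA, NOP,
# TRP, IN_DISC, ET_DISC, TBA). The purchase-mode strings are an assumption.
from typing import NamedTuple


class BillResult(NamedTuple):
    trp: int          # total reward points
    in_disc: float    # initial discount rate applied
    et_disc: float    # extra discount rate applied
    tba: float        # total bill amount payable


# Initial discount by purchase mode; anything else gets 0 (assumed spellings).
INITIAL_DISCOUNT = {"website": 0.10, "phone app": 0.20}


def extra_discount_rate(trp: int) -> float:
    """Extra discount decided by total reward points, as in the flowchart's two tests."""
    if 100 <= trp <= 200:
        return 0.30
    if trp > 200:
        return 0.40
    return 0.0


def compute_bill(pm: str, ba: float, nop: int) -> BillResult:
    """Apply the initial discount, award points, then the extra discount."""
    if ba < 0 or nop < 0:
        raise ValueError("bill amount and number of purchases must be non-negative")
    in_disc = INITIAL_DISCOUNT.get(pm.strip().lower(), 0.0)
    trp = nop * 10                           # TRP = NOP * 10 (all paths in the flowchart)
    ba = ba - ba * in_disc                   # BA = BA - (BA * IN_DISC)
    et_disc = extra_discount_rate(trp)
    tba = ba - ba * et_disc                  # TBA = BA - (BA * ET_DISC), or BA if no extra
    return BillResult(trp, in_disc, et_disc, round(tba, 2))


if __name__ == "__main__":
    print(compute_bill("Website", 1000.0, 15))    # 150 points, 10% then 30%: 630.0
    print(compute_bill("Phone App", 1000.0, 25))  # 250 points, 20% then 40%: 480.0
    print(compute_bill("Store", 1000.0, 5))       # 50 points, no discount: 1000.0
```

The boundary inputs (exactly 100 and exactly 200 points) exercise the inclusive comparison in the first decision box, which is where hand-drawn flowcharts are most often mis-transcribed into code. The rejection of negative amounts and counts is validation the flowchart leaves out but an automated billing process should not, since a negative bill amount would otherwise turn a discount into a credit.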

Example 3
A bank has 500 employees. The salary paid to each employee is the sum of his Basic Pay (BP),
Dearness Allowance (DA) and House Rent Allowance (HRA). For computing HRA, the bank
has classified its employees into three classes A, B and C. The HRA for each class is
computed at the rate of 30%, 20% and 10% of the Basic Pay respectively. The DA is
computed at a flat rate of 60% of the Basic Pay. Draw a flow chart to determine the
percentage of employees falling in each of the following salary slabs:
(i) Above ₹ 30,000
(ii) ₹ 15,001 to ₹ 30,000
(iii) ₹ 8,001 to ₹ 15,000
(iv) Less than or equal to ₹ 8,000

Solution
The flowchart, rendered as steps:
START
CLEAR ALL WORKING LOCATIONS
I = 1
READ BASIC, CLASS
IF CLASS = "A"? Yes: HRA = 0.3 * BASIC. No: IF CLASS = "B"? Yes: HRA = 0.2 * BASIC. No: HRA = 0.1 * BASIC.
DA = 0.6 * BASIC
SALARY = BASIC + DA + HRA
IF SALARY ≤ 8,000? Yes: C1 = C1 + 1.
No: IF SALARY ≤ 15,000? Yes: C2 = C2 + 1.
No: IF SALARY ≤ 30,000? Yes: C3 = C3 + 1.
No: C4 = C4 + 1.
IF I = 500? No: I = I + 1 and return to READ BASIC, CLASS.
Yes: P1 = C1 * 100 / 500, P2 = C2 * 100 / 500, P3 = C3 * 100 / 500, P4 = C4 * 100 / 500
Print P1, P2, P3, P4
Stop
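The Example 3 flowchart as code, added here as an example that is not part of the study material. It generalises the flowchart slightly: the percentages are computed over however many records are supplied rather than a fixed 500, so the constructed 10-employee sample below can be checked by hand. Counter numbering follows the flowchart (C1 is the "≤ 8,000" slab, C4 the "above 30,000" slab); function names and the sample data are my own.

```python
# Added example (not part of the study material): the Example 3 flowchart as
# functions. The problem has 500 employees; the sample data below is constructed
# (10 records) and the percentages are computed over however many records are given.

HRA_RATE = {"A": 0.30, "B": 0.20, "C": 0.10}   # HRA as a fraction of Basic Pay, by class
DA_RATE = 0.60                                 # DA as a fraction of Basic Pay


def gross_salary(basic: float, employee_class: str) -> float:
    """SALARY = BASIC + DA + HRA, with HRA chosen by the class decision boxes."""
    cls = employee_class.strip().upper()
    if cls not in HRA_RATE:
        raise ValueError(f"unknown class {employee_class!r}; expected A, B or C")
    if basic < 0:
        raise ValueError("basic pay must be non-negative")
    hra = HRA_RATE[cls] * basic
    da = DA_RATE * basic
    return round(basic + da + hra, 2)


def slab_index(salary: float) -> int:
    """Which counter (C1..C4) the flowchart increments for this salary."""
    if salary <= 8000:      # slab (iv): up to and including 8,000
        return 1
    if salary <= 15000:     # slab (iii): 8,001 to 15,000
        return 2
    if salary <= 30000:     # slab (ii): 15,001 to 30,000
        return 3
    return 4                # slab (i): above 30,000


def slab_percentages(employees) -> dict:
    """employees: iterable of (basic, class). Returns {1: P1, 2: P2, 3: P3, 4: P4}."""
    counts = {1: 0, 2: 0, 3: 0, 4: 0}
    total = 0
    for basic, cls in employees:             # the READ ... I = I + 1 loop
        counts[slab_index(gross_salary(basic, cls))] += 1
        total += 1
    if total == 0:
        raise ValueError("no employee records")
    return {k: round(c * 100 / total, 2) for k, c in counts.items()}


# Constructed sample data: (basic pay, class) for 10 employees.
SAMPLE_EMPLOYEES = [
    (4000, "B"), (3000, "C"),                  # salaries 7,200 and 5,100  -> C1
    (5000, "C"), (7000, "A"),                  # 8,500 and 13,300          -> C2
    (10000, "A"), (12000, "B"), (16000, "C"),  # 19,000, 21,600, 27,200    -> C3
    (20000, "A"), (18000, "B"), (25000, "C"),  # 38,000, 32,400, 42,500    -> C4
]

if __name__ == "__main__":
    print(slab_percentages(SAMPLE_EMPLOYEES))  # {1: 20.0, 2: 20.0, 3: 30.0, 4: 30.0}
```

Ordering the three salary tests from the lowest threshold upwards, as the flowchart does, is what lets each test be a simple "≤" rather than a two-sided range check; the unit checks on 8,000, 15,000 and 30,000 confirm that each boundary value lands in the lower slab, matching the "less than or equal to" wording of the question.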

I. Some Definitions in IT Act

The IT Act, 2000 defines the terms Access in Section 2(a), computer in Section 2(i),
computer network in Section 2(j), data in Section 2(o) and information in Section 2(v).
These are all the necessary ingredients that are useful to technically understand the
concept of Cyber Crime.


2(a) “Access” with its grammatical variations and cognate expressions means gaining
entry into, instructing or communicating with the logical, arithmetical, or memory
function resources of a computer, computer system or computer network;

2(i) “Computer” means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory
functions by manipulations of electronic, magnetic or optical impulses, and includes
all input, output, processing, storage, computer software, or communication
facilities which are connected or related to the computer in a computer system or
computer network;

2(j) “Computer Network” means the interconnection of one or more Computers or
Computer systems or Communication device through-
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or
communication device whether or not the interconnection is continuously
maintained;

2(o) “Data” means a representation of information, knowledge, facts, concepts or
instructions which are being prepared or have been prepared in a formalized
manner, and is intended to be processed, is being processed or has been
processed in a computer system or computer network and may be in any form
(including computer printouts magnetic or optical storage media, punched
cards, punched tapes) or stored internally in the memory of the computer;

2(v) “Information” includes data, message, text, images, sound, voice, codes, computer
programmes, software and databases or microfilm or computer generated
microfiche;
In a cyber-crime, the computer or the data is the target or object of the offence, or a tool
in committing some other offence. The definition of the term computer makes clear that a
computer is not only the computer or laptop on our tables: as per the definition, a
computer means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic and memory functions
by manipulations of electronic, magnetic or optical impulses, and includes all input,
output, processing, storage, computer software or communication facilities which
are connected or related to the computer in a computer system or computer network.
Thus, the definition is much wider and includes mobile phones, automatic washing
machines, microwave ovens, etc.

The following sections of the IT Act, 2000 deal with compensation and offences:
1. Section 43A – Compensation for failure to protect data.
2. Section 66 – Computer related offences.
3. Section 66A – Punishment for sending offensive messages through
communication service, etc.
4. Section 66B – Punishment for dishonestly receiving stolen computer resource
or communication device.
5. Section 66C – Punishment for identity theft.
6. Section 66D – Punishment for cheating by personation by using computer
resource.
7. Section 66E – Punishment for violation of privacy.
8. Section 66F – Punishment for cyber terrorism.
9. Section 67 – Punishment for publishing or transmitting obscene material in
electronic form.
10. Section 67A – Punishment for publishing or transmitting of material
containing sexually explicit act, etc. in electronic form.
11. Section 67B – Punishment for publishing or transmitting of material depicting
children in sexually explicit act, etc. in electronic form.


FLOW CHART QUESTIONS

Q.1 Draw a flowchart to calculate & print the discounted amount, where the discount is 5 %.

Q.2 Draw a flowchart to calculate Simple Interest, if the rate of interest is 10 % for Indians and
20 % for others.

Q.3 Draw a flowchart to compute and print income-tax and surcharge on the income of an
individual; the income is to be read from the terminal and tax is to be calculated as per the
following rates:
Income (in ₹)                 Rate
Up to 50,000                  No tax
From 50,001 to 60,000         10% of amount above ₹ 50,000
From 60,001 to 1,50,000       ₹ 1000 + 20% of amount above ₹ 60,000
Above 1,50,000                ₹ 19,000 + 30% of amount above ₹ 1,50,000
Charge surcharge @ 5% on the amount of tax, if the income of a person exceeds ₹ 60,000.

Q.4 Draw a flowchart to calculate the Simple Interest of 50 customers & the total simple
interest of the 50 customers.

Q.5 An electric supply company charges the following rates from its consumers:
No. of units consumed         Charges/unit (₹)
For the first 200 units       2.50
For the next 300 units        3.50
Over 500 units                5.00
A surcharge @ 20 % of the bill is to be added to the charges.
Draw a flowchart to read the consumer number & number of units consumed & print out the total
charges with the customer number & units consumed.
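Q.3 and Q.5 are both slab (marginal-rate) calculations with a surcharge on top, so one routine serves both; the following is an added example, not a solution from the study material. `apply_slabs` charges each slab's rate only on the quantity that falls inside that slab, which is what makes the ₹ 1000 and ₹ 19,000 constants in the Q.3 table come out automatically. The slab tables are transcribed from the two questions; the function names, the consumer-number field and the sample inputs are my own.

```python
# Added example (not part of the study material): one slab calculator that serves
# both Q.3 (income tax with surcharge) and Q.5 (electricity units with surcharge).
# In both questions each slab's rate applies only to the quantity falling inside
# that slab, so the same marginal-rate routine fits both. Slab tables are
# transcribed from the questions; function and field names are assumed.


def apply_slabs(quantity: float, slabs) -> float:
    """Marginal-rate charge for `quantity` over ordered slabs of (upper_bound, rate).

    The last slab's upper bound is None, meaning open-ended.
    """
    if quantity < 0:
        raise ValueError("quantity must be non-negative")
    charge, lower = 0.0, 0.0
    for upper, rate in slabs:
        if upper is None or quantity <= upper:
            return charge + (quantity - lower) * rate   # final (partial) slab
        charge += (upper - lower) * rate                # whole slab consumed
        lower = upper
    raise ValueError("slab table must end with an open-ended (None) slab")


# Q.3: income-tax slabs in rupees; the 5% surcharge applies if income exceeds 60,000.
TAX_SLABS = [(50000, 0.0), (60000, 0.10), (150000, 0.20), (None, 0.30)]


def income_tax(income: float) -> dict:
    """Tax per the Q.3 table plus surcharge, each rounded to the paisa."""
    tax = apply_slabs(income, TAX_SLABS)
    surcharge = tax * 0.05 if income > 60000 else 0.0
    return {"tax": round(tax, 2), "surcharge": round(surcharge, 2),
            "total": round(tax + surcharge, 2)}


# Q.5: electricity tariff per unit; a 20% surcharge is added to the charges.
ELECTRICITY_SLABS = [(200, 2.50), (500, 3.50), (None, 5.00)]


def electricity_bill(consumer_no: str, units: float) -> dict:
    """The record Q.5 asks to print: consumer number, units and total charges."""
    charges = apply_slabs(units, ELECTRICITY_SLABS)
    surcharge = 0.20 * charges
    return {"consumer_no": consumer_no, "units": units,
            "charges": round(charges, 2), "surcharge": round(surcharge, 2),
            "total": round(charges + surcharge, 2)}


if __name__ == "__main__":
    print(income_tax(150000))              # tax 19,000, surcharge 950, total 19,950
    print(electricity_bill("C-001", 600))  # charges 2,050, surcharge 410, total 2,460
```

A useful self-check when transcribing a slab table into code is to evaluate the routine at each slab boundary: an income of exactly 60,000 must give ₹ 1000 and 1,50,000 must give ₹ 19,000, because those are the constants the question's table carries forward into the next slab. Note also that the Q.3 surcharge condition is on income, not on tax, so an income of exactly 60,000 attracts no surcharge.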

Q.6 Draw a Flowchart for the following process:
Leebay is a new e-commerce web site that is setting up business in India. Leebay and their
partner bank Paxis have come up with a joint promotion plan for which the following
offers are proposed.
Customers can either log in through a mobile app or directly from the website:
(1) If the payment mode chosen is 'Paxis Credit,' then a 20% discount is given to the user.
(2) If the payment mode chosen is 'Paxis Debit,' then a 10% discount is given to the user.
(3) If other payment modes are used, then no discount is given.
Also, to promote the downloads of its new smartphone app, the company has decided to
give the following offer:
(1) If the purchase mode is 'Mobile App,' then no surcharge is levied on the user.
(2) If any other purchase mode is used, then an additional 5% surcharge is levied on the
user.
This surcharge is applied on the bill after all necessary discounts have been applied.
With bill amount, payment mode and purchase mode as inputs, draw a flowchart for the
billing procedure for Leebay.

Q.7 A company is selling three types of products, namely, A, B and C to two different types of
customers viz, dealers and retailers. To promote the sales, the company is offering the
following discounts:
(i) 10% discount is allowed on Product A, irrespective of the category of customers and
the value of order.
(ii) On product B, 8% discount is allowed to retailers and 12% discount to dealers,
irrespective of the value of order.
(iii) On product C, 15% discount is allowed to retailers irrespective of the value of order
and 20% discount to dealers if the value of order is a minimum of ₹ 10,000.
Draw a flowchart to calculate the discount for the above policy.

Q.8 A bicycle shop in a city provides rental facility to its customers at different rates for
different models as given below:
Model No.        Hire rate per day
Model No. 1      ₹ 10
Model No. 2      ₹ 9
Model No. 3      ₹ 8
Model No. 4      ₹ 7
To attract customers, the shopkeeper gives a discount of 15 percent to all those
customers who hire a bicycle for more than a one-week period. Further, to attract women
customers, he gives an additional discount of 10 percent irrespective of hire period. For
every bicycle hired, a security deposit of ₹ 25 must be paid. Draw a flow chart to print out
the details of each customer such as name of customer, bicycle model number, number
of days a bicycle is hired for, hire charges, discount and total charges including deposits.

Multiple Choice Questions

1. Which of the following is not an objective of Enterprise Information Systems?
(a) Reduce service cycles (b) Identify manual processes
(c) Reduce costs (d) Increase operational efficiency
2. Which one of the following represents Operational Processes?
(a) Deals with legal compliance
(b) Deal with the core business and value chain
(c) Deal with core processes and functions within an organization
(d) Deals with measuring, monitoring and control activities
3. Which one of the following is not a benefit of business process automation?
(a) Reduce turnaround time (b) Operational efficiency
(c) Legal compliance (d) Reduce costs
4. Which of the following is not a Business Risk?
(a) Strategic (b) Financial
(c) Operational (d) Environmental
5. Which one of the following does not represent a system of Internal Control?
(a) Meeting sales targets
(b) Safeguarding assets
(c) Prevention and detection of fraud and error
(d) Completeness of accounting records
6. Which of the following is not a Flowcharting symbol?
(a) Process (b) Decision
(c) Document (d) Risk
7. Which of the following is not a component of Enterprise Risk Management?
(a) Internal environment (b) Organisation chart
(c) Objective setting (d) Event identification
8. Which one of the following is not an objective of Internal Control?
(a) Compliance with applicable laws and regulations
(b) Meeting sales targets
(c) Reliability of reporting
(d) Effectiveness and efficiency of operations

9. Which one of the following deals with Section 143 of the Companies Act 2013?
(a) Acquisition and Mergers
(b) Powers and duties of Board of Directors
(c) Powers and duties of auditors and auditing standards
(d) Penalties due to non-compliance
10. Which one of the following is not defined as Sensitive Personal Information?
(a) Home address (b) Password
(c) Financial information (d) Biometric information
11. Which one of the following represents Management Processes?
(a) Deals with legal compliance
(b) Deal with the core business and value chain
(c) Deal with core processes and functions within an organization
(d) Deals with measuring, monitoring and control activities
12. Which one of the following deals with Section 134 of the Companies Act 2013?
(a) Acquisition and Mergers
(b) Powers and duties of Board of Directors
(c) Powers and duties of auditors and auditing standards
(d) Penalties due to non-compliance
13. Which one of the following is not a benefit of Enterprise Risk Management?
(a) Align Risk appetite with strategy
(b) Link risk, return and growth
(c) Seize opportunity
(d) Reduce turnaround time
14. Which one of the following is not an objective of Business process Automation or
Success factors of BPA?
(a) Confidentiality (b) Integrity
(c) Adequacy (d) Timeliness
15. Which one of the following is not a benefit of flow charts?
(a) Quicker grasp of relationships (b) Documentation
(c) Program Debugging (d) Reproduction
16. Which of the following is not a symbol of DFD?
(a) Process (b) Decision Box
(c) Data Flow (d) External Agent

17. ___________________ is the risk management strategy that involves taking
action to reduce the likelihood or impact of the risk.
(a) Avoidance (b) Reduction
(c) Sharing (d) Accept
18. _________________is a cyber crime where homepage of a website is replaced with a
defamatory page.
(a) Web defacement (b) Cyber Terrorism
(c) Phishing (d) Email Account Hacking
19. Which of the following is not a category of business process?
(a) Accounting Process (b) Operational Process
(c) Supporting Process (d) Management Process
20. Which of the following is not a goal of process improvement activity under BPA?
(a) Specific (b) Measurable
(c) Accurate (d) Relevant
21. _______________is a risk of BPA where all data & programs could be lost if there is no
proper backup in the event of a disaster and the business could come to a standstill?
(a) Input & Access (b) Processing
(c) Data (d) Infrastructure
22. All of the following are Risk response strategy under ERM except?
(a) Avoidance (b) Reduction
(c) Management (d) Share
ANSWER

1 B 2 B 3 C 4 D 5 A 6 D
7 B 8 B 9 C 10 A 11 D 12 B
13 D 14 C 15 D 16 B 17 B 18 A
19 A 20 C 21 D 22 C
