Eis - Summary Notes

This document summarizes key topics related to automated business processes and enterprise risk management. It provides definitions of business processes and business process automation. It discusses the benefits of business process automation and examples of processes that are good candidates for automation. It also covers challenges in business process automation and the steps to implement business process automation. Finally, it discusses enterprise risk management, including types of risks, risk management strategies, and the benefits of risk management. The document is intended as a revision guide for students.

IPCC – PAPER 7A
EIS 1.0
SUMMARY NOTES ON EIS
Edition 1

CA AKHIL KUMAR MITTAL
Founder - Commerce Harbour Academy || SRCC Alumni

Super Summary on EIS – Paper 7 – IPCC New Syllabus.

Prepared & crafted for easy revision at exam time.

Strictly as per updated ICAI syllabus.

Applicable for May 2022 exams and onwards.

Immediate dispatch of PDF.

Revision material in JUST 70 pages.


REVISION BOOKLET FOR EIS || MAY 2022

Contents
Chapter 1 : Automated Business Process ........ 3
Chapter 2 : Financial & Accounting Systems ........ 12
Chapter 3 : Information Systems & its components ........ 21
Chapter 4 : E-Commerce, M-commerce & emerging technologies ........ 41
Chapter 5 : Core Banking System ........ 57

CA Akhil Kumar Mittal || 0-9582333276 || https://t.me/cainternotes_akhilkumarmittal 02



Chapter 1 : Automated Business Process


Enterprise Business Processes
A business process is an activity that will accomplish a specific business goal. Business process
management (BPM) is a systematic approach to improve all the business processes.

Categories of Enterprise Business Process

Business Process Automation

Benefits of Business Process Automation
Code to Remember → T.V. - Q. - G.I.R2

Processes which require Business Process Automation
Code to Remember → H.I.M.A.T.

High-volume or repetitive tasks: Automating these processes results in cost and work effort
reductions.

Impact of processes on other processes and systems: Some processes are cross-functional and have
a significant impact on other processes and systems.

Multiple people required to execute tasks: A business process which requires multiple people to
execute tasks results in waiting time that can lead to an increase in costs.

Audit trail compliances: With business process automation, every detail of a particular process is
recorded. These details can be used for compliance during audits.

Time-sensitive processes: The streamlined processes eliminate wasteful activities and focus on
enhancing tasks that add value.


Challenges in Business Process Automation
Code to Remember → R2.I.D.
▪ Automating Redundant Processes
▪ Implementation Cost
▪ Defining Complex Processes
▪ Staff Resistance

Steps in BPA Implementation

Risks & its Management
Risk Management is the process of assessing risk, taking steps to reduce risk to an acceptable level
and maintaining that level of risk. Risk management involves identifying, measuring, and minimizing
uncertain events affecting resources.

Asset can be defined as something of value to the organisation.
Vulnerability is the weakness in the system safeguard that exposes the system to threats.
Threat is an action, event or condition where there is a compromise in the quality and ability to harm
the organisation.
Exposure is the extent of the loss to the organisation when a risk occurs.
Likelihood is the estimation of the probability that a threat will succeed in achieving an undesirable
event.
Attack is the set of actions designed to compromise the confidentiality, integrity & availability of an
information system.

RISKS

Sources of Risk
▪ Commercial and Legal Relationships
▪ Economic Circumstances
▪ Human Behavior
▪ Natural Events
▪ Technology and Technical Issues
▪ Management Activities and Controls


Types of Risks

Business Risks
Code to Remember → C.H.O.R. – S.F
• Compliance Risks
• Hazards Risks
• Operational Risks
• Residual Risks
• Strategic Risks
• Financial Risks

Technology Risks
Code to Remember → V.G. - S.A.D. - C.O.M.E.T
• Vendor related concentration risk
• Governance processes requirement
• Segregation of Duties (SoD)
• Alignment with business objectives
• Dependence on vendors due to outsourcing of IT services
• Complexity of systems
• Obsolescence or frequent changes of technology
• Multiple types of controls
• Employee actions
• Threats leading to cyber frauds/crimes

Data related risks
• Data diddling
• Bomb
• Christmas Card
• Worm
• Rounding Down
• Salami Technique
• Trap Doors
• Spoofing
• Asynchronous Attacks

Risk Management Strategies
• Accept the Risk (accepting the risk)
• Eliminate the Risk (eliminating the risk)
• Share the Risk (sharing the risk)
• Mitigate the Risk (mitigating the risk)

Enterprise Risk Management
Enterprise Risk Management (ERM) may be defined as a process effected by an entity's Board of
Directors, management and other personnel, applied in strategy setting and across the enterprise,
designed to identify potential events that may affect the entity, and manage risk to be within its risk
appetite, to provide reasonable assurance regarding achievement of entity objectives.

ERM in business includes methods & processes used by organizations to manage risks and seize
opportunities related to the achievement of their objectives.

Benefits of Risk Management
Code to Remember → R3 - M. - C.O.L.A
• Risk Response Decision
• Rationalize capital
• Response to multiple risks
• Minimize operational surprises & losses
• Cross enterprise risk identification & management
• Opportunities
• Link growth, risk and return
• Align risk appetite & strategy


Enterprise Risk Management Framework

Code to Remember: E - M.I2.C.R2.O.

• Event Identification: Potential events that might have an impact on the entity should be identified.
• Monitoring: The entire ERM process should be monitored and modified wherever necessary.
• Internal Environment: This encompasses the tone of an organisation & sets the basis of how risk is
viewed and addressed by an entity's people.
• Information and Communication: Relevant information is identified, captured and communicated in a
form and stipulated time frame.
• Control Activities: Policies & procedures that are established by the company ensure that the risk
responses that mgmt. selected are effectively carried out.
• Risk Assessment: Risks which are identified are analyzed to form the basis of determining how they
should be managed.
• Risk Response: Management selects an approach to align assessed risk with the entity's risk tolerance
and risk appetite.
• Objective Setting: ERM should ensure that management has a process in place to set objectives.

CONTROLS

Based on the implementation of controls, they can be categorized under manual, semi-automated and
automated. The objective of these controls is to mitigate the risk associated with the business. Below
are the 3 categories:
• Manual
• Semi-Automated
• Automated

Classification of controls-
• General Controls
• Application Controls

Objectives of IT controls-
Statement of desired result or purpose to
be achieved by implementation of
control procedures within a particular IT
activity.


General Controls
General Controls are macro in nature and are applicable to all applications & data resources.
Application Controls are controls which are specific to the application software.

Examples or types of general controls:
Code to Remember: S2I.M.B.A. - D.U.M. – V.C.C. (S2IMBA has DUM – Very Cool Cop)
▪ Security Policy (Information)
▪ Separation of key IT functions
▪ Incident response and management
▪ Management of Systems Acquisition and Implementation
▪ Backup, Recovery and Business Continuity.
▪ Administration, Access, and Authentication.
▪ Development & Implementation of the application software.
▪ User training & qualification of Operations personnel.
▪ Monitoring of Applications & supporting Servers.
▪ Value Added areas of Service Level Agreements (SLA).
▪ Change Management.
▪ Confidentiality, Integrity and Availability of Software and data files.

Application Controls
Application Controls are controls which are implemented in an application to prevent or detect and
correct errors. These controls are in-built in the application software to ensure accurate and
reliable processing.

Examples or types of application controls:
▪ Data edits (editing of data is allowed only for permissible fields);
▪ Separation of business functions (e.g., transaction initiation versus authorization);
▪ Balancing of processing totals (debit & credit of all transactions are tallied);
▪ Transaction logging (all transactions are identified with unique id and logged);
▪ Error reporting (errors in processing are reported); and
▪ Exception Reporting (all exceptions are reported).
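The application controls listed above are easier to revise when seen operating on a batch of entries. The following is an added example written for these notes; it is not code from the booklet or from any accounting package. The field names, the ₹1,00,000 exception threshold and the sample entries are all constructed for illustration. It applies each control in turn: data edits (only permissible fields), separation of initiation and authorization, a unique id and log record per accepted entry, error reporting for rejected entries, exception reporting for unusually large but valid entries, and a final debit/credit balancing check over the batch.

```python
"""Application controls applied to a batch of accounting entries (added example).

Everything here is constructed for illustration: the permissible field set,
the exception threshold and the sample batch are assumptions, not taken from
the booklet or from any real ERP product.
"""
from dataclasses import dataclass, field
import itertools
from typing import Dict, List

# Data edit: an entry may carry exactly these fields (constructed schema).
PERMISSIBLE_FIELDS = {"account", "debit", "credit", "initiated_by", "authorized_by"}

# Exception reporting threshold (constructed): valid entries at or above this
# amount are surfaced for management review rather than rejected.
LARGE_ENTRY_THRESHOLD = 100_000


@dataclass
class BatchResult:
    log: List[Dict] = field(default_factory=list)        # transaction log, one record per accepted entry
    errors: List[str] = field(default_factory=list)      # error report (rejected entries, imbalance)
    exceptions: List[str] = field(default_factory=list)  # exception report (accepted but unusual)
    balanced: bool = False                               # result of the processing-totals check


def process_batch(entries: List[Dict]) -> BatchResult:
    """Run the application controls over a batch and return the reports."""
    result = BatchResult()
    ids = itertools.count(1)
    total_debit = total_credit = 0

    for raw in entries:
        txn_id = f"TXN{next(ids):05d}"  # transaction logging: every entry gets a unique id

        # Data edit: reject entries with fields outside the permissible set, or missing fields.
        extra = set(raw) - PERMISSIBLE_FIELDS
        if extra:
            result.errors.append(f"{txn_id}: non-permissible fields {sorted(extra)}")
            continue
        missing = PERMISSIBLE_FIELDS - set(raw)
        if missing:
            result.errors.append(f"{txn_id}: missing fields {sorted(missing)}")
            continue

        # Separation of business functions: the initiator may not authorize their own entry.
        if raw["initiated_by"] == raw["authorized_by"]:
            result.errors.append(f"{txn_id}: initiator also authorized the entry")
            continue

        debit, credit = int(raw["debit"]), int(raw["credit"])
        total_debit += debit
        total_credit += credit
        result.log.append({"id": txn_id, **raw})  # accepted entries are logged with their id

        # Exception reporting: valid but unusually large entries are reported, not blocked.
        amount = max(debit, credit)
        if amount >= LARGE_ENTRY_THRESHOLD:
            result.exceptions.append(f"{txn_id}: amount {amount} exceeds review threshold")

    # Balancing of processing totals: debits and credits of accepted entries must tally.
    result.balanced = total_debit == total_credit
    if not result.balanced:
        result.errors.append(f"batch out of balance: debit {total_debit} != credit {total_credit}")
    return result


# Constructed sample batch: a clean pair, a segregation-of-duties violation,
# an entry with a non-permissible field, and a large but valid pair.
SAMPLE_ENTRIES = [
    {"account": "Cash", "debit": 50_000, "credit": 0, "initiated_by": "asha", "authorized_by": "ravi"},
    {"account": "Sales", "debit": 0, "credit": 50_000, "initiated_by": "asha", "authorized_by": "ravi"},
    {"account": "Rent", "debit": 20_000, "credit": 0, "initiated_by": "meena", "authorized_by": "meena"},
    {"account": "Bank", "debit": 0, "credit": 20_000, "initiated_by": "meena", "authorized_by": "ravi", "memo": "x"},
    {"account": "Machinery", "debit": 250_000, "credit": 0, "initiated_by": "ravi", "authorized_by": "asha"},
    {"account": "Vendor", "debit": 0, "credit": 250_000, "initiated_by": "ravi", "authorized_by": "asha"},
]

if __name__ == "__main__":
    r = process_batch(SAMPLE_ENTRIES)
    print("balanced:", r.balanced, "| logged:", len(r.log))
    for line in r.errors + r.exceptions:
        print(line)
```

Note that the two rejected entries in the sample happen to be a matching debit/credit pair, so the batch still balances; a batch in which only one side of a pair is rejected fails the balancing check and is reported in the error list rather than silently posted.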

Indicators of effective IT controls
Code to Remember: C.A.R2.E2.S
• Clear communication to management.
• Availability and reliability.
• Resources allocation.
• Recovery from new vulnerabilities.
• Execution of new work.
• Effective development of projects.
• Security awareness on the part of the users.

5 components of any internal control
• Monitoring: Ongoing & separate evaluations or some combination are used to ascertain whether each
of the 5 components is present & functioning.
• Information & communication: Information is necessary for the entity to carry out internal control
responsibilities to achieve the objectives.
• Control activities: Actions which are established through policies & procedures that help ensure that
mgmt.'s directives to mitigate risks are carried out.
• Risk assessment: Basis for determining how risks will be managed.
• Control environment: Set of standards, processes and structures that provide the basis of carrying
out internal control across the organisation.


Controls checking
In a computer system, controls should be checked at three levels, namely configuration, master and
transaction level.

Configuration
▪ It refers to the way a software system is set up. It is a methodological process of defining the
options that are provided.
▪ When any software is updated, values for various parameters should be set up, along with the
business process work flow and business process rules of the enterprise.

Master
▪ Refers to the way various parameters are set up for all the modules of software like purchase,
inventory, finance etc.
▪ Masters are first set up during installation and these change whenever business parameters are
changed.

Transactions
▪ Implementation or review of a specific business process can be done from a risk or control
perspective.
▪ In case of the risk perspective, we need to consider each of the key sub-processes or activities
performed in a business process & look at existing & related control objectives & existing controls
& residual risks after application of controls.

Processes & control checking:
▪ Procure to pay (P2P).
▪ Order to cash (O2C).
▪ Inventory Cycle.
▪ Human resource.
▪ Fixed Assets.
▪ General Ledger.

Diagrammatic presentation of business processes

Flowcharts-
Flowcharts are used to design and document simple processes or programs. There are different types of
flowcharts and each one has its different boxes. The 2 most common types of boxes in a flowchart are
as follows:
A processing step: Usually called activity & denoted as a rectangular box.
A decision: Usually denoted as a diamond.

Advantages-
(a) Documentation.
(b) Maintenance of program.
(c) Responsibilities Identification.
(d) Communication.
(e) Control Establishment.
(f) Analysis.
(g) Debugging of program.
(h) Relationship understanding.
(i) Effective Coding.

Disadvantages-
(a) Complex Logics.
(b) Modifications.
(c) Link B/w condition & Actions.
(d) Standardization.
(e) Reproduction.

Data flow diagram-
Data Flow Diagram shows the flow of data from one place to another. DFDs describe the process, showing
how these processes are linked through data stores and how processes relate to the user and the
outside world.
DFD is mainly used by technical staff for graphically communicating between systems analysts and
programmers.

Space to write notes -


Regulatory and compliance requirements

Information Technology Act

Computer Related Offence
Code to Remember: V. - F.I.N.D. - P.A.T.H. (In the Commando movie, Vicky Chaddha FIND PATH to hack
computers of dead people)
• Introducing Viruses, Worms, Backdoors, Rootkits, Trojans, Bugs. (Virus)
• Credit Card Fraud. (Fraud)
• Hiding illicit business. (Illicit business)
• Negative Image i.e., Harassment. (Negative impact)
• Web Defacement. (Defacement)
• Phishing and Email Scams. (Phishing)
• Sale of illegal Article. (Article – illegal sale)
• Theft of Confidential Information. (Theft)
• Email Account Hacking. (Hacking)

Key provisions of IT Act
The IT Act, 2000 defines the terms Access in Section 2(a), computer in Section 2(i), computer network
in Section 2(j), data in Section 2(o) and information in Section 2(v). These are all the necessary
ingredients that are useful to technically understand the concept of Cyber Crime.


Definitions

“Access” means gaining entry into, instructing or communicating with the logical, arithmetical, or
memory function resources of a computer, computer system or computer network.

“Computer” means any
▪ electronic, magnetic, optical or other high-speed data processing device;
▪ or system which performs logical, arithmetic, and memory functions by manipulations of electronic,
magnetic or optical impulses;
▪ and includes all input, output, processing, storage, computer software;
▪ or communication facilities which are connected or related to the computer in a computer system or
computer network.

“Computer Network” means the interconnection of one or more computers or computer systems or
communication devices through:
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other communication media; and
(ii) terminals or a complex consisting of two or more interconnected computers or communication
devices whether or not the interconnection is continuously maintained.

“Information” includes data, message, text, images, sound, voice, codes, computer program, software
and databases or micro film or computer-generated micro fiche.

“Data” means:
1. A representation of information, knowledge, facts, concepts or instructions which are being
prepared or have been prepared in a formalized manner;
2. Intended to be processed, is being processed or has been processed in a computer system or
computer network and may be in any form (including computer printouts, magnetic or optical storage
media, punched cards, punched tapes) or stored internally in the memory of the computer.

Computer crimes & penalties for offences

Sec 65 – Intentionally concealing, destroying or altering any source code, computer program, computer
system, network, resources etc.
Penalty: Imprisonment → 3 years; Fine → ₹ 2,00,000; or BOTH.

Sec 66 – Damage to the computer, computer resources, by doing acts defined in Sec 43.
Penalty: Imprisonment → 3 years; Fine → ₹ 5,00,000; or BOTH.

Sec 66B – Receiving dishonestly any stolen computer resources or communication devices.
Penalty: Imprisonment → 3 years; Fine → ₹ 1,00,000; or BOTH.

Sec 66C – Identity theft fraudulently by making use of the electronic signature, password.
Penalty: Imprisonment → 3 years; Fine → ₹ 1,00,000; or BOTH.

Sec 66D – Cheating by personation by using computer resources.
Penalty: Imprisonment → 3 years; Fine → ₹ 1,00,000; or BOTH.


Sec 66E – Violation of the privacy of any person.
Penalty: Imprisonment → 3 years; Fine → ₹ 2,00,000; or BOTH.

Sec 66F – Cyber Terrorism done with:
▪ Intent to threaten the integrity of India.
▪ Penetrating computer resources resulting in damage to property (Intentional).
Penalty: LIFETIME IMPRISONMENT.

Sec 67 – Punishment for publishing or transmitting obscene material in electronic form.
1st conviction: Imprisonment 3 YEARS; Fine 5,00,000.
Subsequent conviction: Imprisonment 3 YEARS; Fine 10,00,000.

Sec 67A – Punishment for publishing or transmitting material containing sexually explicit act etc. in
electronic form.
1st conviction: Imprisonment 5 YEARS; Fine 5,00,000.
Subsequent conviction: Imprisonment 7 YEARS; Fine 10,00,000.

Sec 67B – Punishment for publishing or transmitting material depicting children in sexually explicit
act etc. in electronic form.
1st conviction: Imprisonment 5 YEARS; Fine 5,00,000.
Subsequent conviction: Imprisonment 7 YEARS; Fine 10,00,000.


Chapter 2 : Financial & Accounting Systems


Introduction
Financial and Accounting Systems form an integral part of any business and act as a backbone for it.
In the process of learning about Financial & Accounting systems.

Process
A Process is defined as a sequence of events that uses inputs to produce outputs. From a business
perspective, a Process is a coordinated & standardized flow of activities performed by people or
machines, which can traverse functional or departmental boundaries to achieve a business objective
and creates value for internal or external customers.

Types of system

ERP-
In systems there are various elements which are inter-related & inter-dependent and interact with
each other to achieve the goals of the system. E.g., ERP.

Non-integrated system-
System elements are not inter-linked and inter-dependent.

Types of Data

Accounting Data Types:
▪ Master Data (Relatively Permanent)
▪ Non-Master Data (Expected to change frequently)
Master data is further divided into Accounting, Inventory, Payroll and Statutory master data.

Accounting Master Data
This includes names of ledgers, cost centers, voucher types, etc. E.g., Capital Ledger is created once
& not expected to change frequently. Similarly, other ledgers like sales, purchase, expenses & income
ledgers are created once & not expected to change again & again.

Payroll Master Data
Payroll is a system for calculation of salary & recording of transactions relating to employees.
Master data in case of payroll can be names of employees, group of employees, salary structure, pay
heads, etc., which are not expected to change frequently.


Voucher Types

Voucher Type | Module | Use
Payment | Accounting | For recording of all types of payments. Whenever the money is going out of
business by any mode (cash/bank).
Receipt | Accounting | For recording of all types of receipts. Whenever money is being received into
business from outside by any mode (cash/bank).
Journal | Accounting | For recording of all non-cash/bank transactions. E.g., Depreciation, Provision,
Write-off, Write-back, discount given and received, Purchase/Sale of fixed assets on credit, etc.
Sales | Accounting | For recording all types of trading sales by any mode (cash/bank/credit).
Purchase | Accounting | For recording all types of trading purchase by any mode (cash/bank/credit).
Credit and Debit Note | Accounting | For making changes/corrections in already recorded sales/purchase
transactions.
Purchase Order | Inventory | For recording of a purchase order raised on a vendor.
Sales Order | Inventory | For recording of a sales order received from a customer.
Stock Journal | Inventory | For recording of physical movement of stock from one location to another.
Physical Stock | Inventory | For making corrections in stock after physical counting.
Delivery Note | Inventory | For recording of physical delivery of goods sold to a customer.
Receipt Note | Inventory | For recording of physical receipt of goods purchased from a vendor.
Memorandum | Accounting | For recording of transactions which will be in the system but will not
affect the trial balance.
Attendance | Payroll | For recording of attendance of the employees.
Payroll | Payroll | For salary calculations.

Accounting Flow

Types of Ledgers

Grouping of Ledgers
At the time of creation of any new ledger, it must be placed under a particular group. There are four
basic groups in accounting, i.e., Income, Expense, Asset, Liability. E.g., Machinery account is an
asset and has to be classified or categorized under ASSETS in the balance sheet.

Application Software-
Application software performs many functions such as receiving the inputs from the user, interpreting
the instructions and performing logical functions so that a desired output is achieved. There are
mainly 3 layers which together form an application, and as such it is called Three Tier architecture.
These 3 layers are:
▪ Application layer
▪ Operating system layer
▪ Database layer


POD: Installed Application vs Web Application

Code to Remember: M.F. - P.A.I.D.S. (Mutual fund bought, hence installed)

Mobile Application
Installed: Using the software through a mobile application is difficult in this case.
Web: Mobile application becomes very easy as data is available 24x7.

Flexibility
Installed: It shall have more flexibility and controls as compared to a web application. It is very
easy to write desktop applications.
Web: The success of cloud-based applications is that they allow flexibility against both Capital
Expenditure (CAPEX) & Operating Expense (OPEX) to the user.

Performance
Installed: A well written installed application shall always be faster than a web application, the
reason being data is picked from the local server.
Web: Access is dependent on the speed of the internet. Slow internet slows access to information and
may slow operations.

Accessibility
Installed: As software is installed on the hard disc of the user's computer, it cannot be used from
any other computer.
Web: As software is available through online access, to use the software a browser and an internet
connection are needed.

Installation & Maintenance
Installed: As software is installed on the hard disc of the computer used by the user, it needs to be
installed on every computer one by one. This may take a lot of time. Also, maintenance & updating of
software may take a lot of time and effort.
Web: Installation on the user computer is not required. Update & maintenance are the defined
responsibility of the service provider.

Data Storage
Installed: Data is physically stored in the premises of the user, i.e., on the hard disc of the user's
server computer. Hence the user will have full control over the data.
Web: Data is not stored in the user's server computer. It is stored on a web server. Ownership of data
is defined in the Service Level Agreement (SLA). The SLA defines responsibilities & authority of both
service provider & service user.

Security of Data
Installed: As the data is in the physical control of the user, the user shall have full physical
control over the data and he/she can ensure that it is not accessed without proper access.
Web: Data is not in the control of the user or owner of the data. As time evolves, SLAs provide for
details of back-up and disaster recovery alternatives being used by the service provider.

Enterprise Resource Planning (ERP)System


ERP is an enterprise-wide information system designed to coordinate all the resources, information,
and activities needed to complete business processes. Below are the features of ERP-
Code to Remember : C – T.O.U.R. – F.A.I.L.

1. Customer satisfaction enhancement
2. Technology usage
3. On-time Shipment
4. Utilization of resources efficiently
5. Reduction in cycle time
6. Flexibility
7. Better Analysis and planning capabilities
8. Information Integration


Successful implementation of ERP depends on the following parameters

PEOPLE ASPECT

Change Management
Risk Associated: The way in which the entity functions will change; the planning, forecasting and
decision-making capabilities will improve.
Control Required: Project requirements are to be properly documented and signed by the users and
senior management.

Training
Risk Associated: Since a greater part of the training takes place towards the end of the ERP
implementation cycle, mgmt. may curtail the training because of budget.
Control Required: Training is a project-managed activity & shall be imparted to users in an entity by
skilled consultants and representatives of hardware vendors.

Staff Turnover
Risk Associated: Employee Turnover → Qualified and skilled personnel leaving the company during the
implementation and transition phases can affect the schedules, and this results in delayed
implementation and cost overrun.
Control Required: This can be controlled and minimized by allocation of employees to tasks matching
their skill-set; fixing of compensation package and other benefits accordingly.

Top Mgmt. Support
Risk Associated: ERP implementation will fail if top management doesn't support & grant permission
for availability of huge resources.
Control Required: ERP implementation shall be started only after the top management is fully
convinced & assures of providing full support.

Consultants
Risk Associated: These are experts in implementation of the ERP package & might not be familiar with
internal workings and organizational culture.
Control Required: Consultants should be assigned a liaison officer - a senior manager - who can
familiarize them with the company & its working.

PROCESS ASPECT

Program Management
Risk Associated: There could be a possibility of information gap between day-to-day.
Control Required: Requires bridging the information gap between traditional ERP-based function &
operational mgmt. functions.

Business Process Reengineering (BPR)
Risk Associated: BPR means not just change but dramatic change and dramatic improvements.
Control Required: Requires overhauling of organizational structure, management structure and systems,
job descriptions etc.

TECHNOLOGICAL ASPECT

Software Functionality
Risk Associated: Implementing all the functionality and features just for the sake of it can be
dangerous for an organization.
Control Required: Care should be taken to incorporate features that are required by the organization
& other functionality that might be required.

Technological Obsolescence
Risk Associated: With the launch of efficient technologies every day, the ERP system also becomes
obsolete as time goes on.
Control Required: Requires critical choice of technology, architecture of product, easy enhancements
and upgrading, quality of vendor support.

Enhancement and Upgrades
Risk Associated: ERP Systems are not upgraded and kept up-to-date. Patches & upgrades are not
installed.
Control Required: Care must be taken while selecting the vendor, and upgrade/support contracts should
be signed to minimize the risks.

Application Portfolio Mgmt.
Risk Associated: Processes focus on selection of new business applications and the projects.
Control Required: IT organizations can begin to reduce duplication and complexity.


IMPLEMENTATION ASPECT

Lengthy implementation time
Risk Associated: ERP projects are lengthy, taking between 1 to 4 years depending upon the size of the
entity.
Control Required: Care must be taken to keep the momentum high and enthusiasm alive amongst the
employees, so as to minimize the risk.

Insufficient Funding
Risk Associated: Budget for ERP implementation is allocated without consulting the experts & then
implementation is stopped due to lack of funds.
Control Required: It is necessary to allocate necessary funds for the ERP implementation project and
then allocate some more for contingencies.

Speed of Operation
Risk Associated: Centralized database leads to heavy size and thereby reduces speed of operations.
Control Required: This can be controlled by removing the redundant data, use of warehouse etc.

POST IMPLEMENTATION ASPECT

Lifelong Commitment
Risk Associated: There will always be new modules to install, new persons to be trained, new
technologies to be embraced etc.
Control Required: This requires a strong level of commitment and consistency by the management and
users of the system.

Role Based Access Control (RBAC) in ERP system
Role-based access control is an approach to restricting system access to authorized users. It is used
by most enterprises & can implement mandatory access control or discretionary access control. Some of
the features of RBAC.

Types of Access
▪ Create – Allows to create data
▪ Alter – Allows to alter data
▪ View – Allows only to view data
▪ Print – Allows to print data
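To see how RBAC with the four access types above restricts what a user can do, here is an added example written for these notes; it is not code from the booklet or from any ERP product. The roles (accounts_clerk, accounts_manager, payroll_admin), users, protected objects and the permission matrix are constructed. Two properties worth noticing: a user never holds access directly, only through roles, and an access request is denied unless every requested access type is granted (default deny).

```python
"""Role-based access control with Create / Alter / View / Print access types (added example).

Roles, users, objects and the permission matrix are constructed for illustration;
none of it is taken from the booklet or from a real ERP system.
"""
from enum import Flag, auto
from typing import Dict, Set


class Access(Flag):
    """The four access types from the notes, combinable as bit flags."""
    NONE = 0
    VIEW = auto()
    CREATE = auto()
    ALTER = auto()
    PRINT = auto()


# Constructed permission matrix: role -> protected object -> granted access types.
ROLE_PERMISSIONS: Dict[str, Dict[str, Access]] = {
    "accounts_clerk": {
        "journal_voucher": Access.CREATE | Access.VIEW,
        "payroll_master": Access.VIEW,
    },
    "accounts_manager": {
        "journal_voucher": Access.VIEW | Access.ALTER | Access.PRINT,
        "payroll_master": Access.VIEW | Access.PRINT,
    },
    "payroll_admin": {
        "payroll_master": Access.CREATE | Access.ALTER | Access.VIEW | Access.PRINT,
    },
}

# Constructed user-to-role assignment. Access is granted to roles only, never to users directly.
USER_ROLES: Dict[str, Set[str]] = {
    "asha": {"accounts_clerk"},
    "ravi": {"accounts_manager"},
    "meena": {"payroll_admin", "accounts_clerk"},
}


def effective_access(user: str, obj: str) -> Access:
    """Union of the access that every role of the user grants on the object."""
    granted = Access.NONE
    for role in USER_ROLES.get(user, set()):
        granted |= ROLE_PERMISSIONS.get(role, {}).get(obj, Access.NONE)
    return granted


def is_authorized(user: str, obj: str, wanted: Access) -> bool:
    """Default deny: the request succeeds only if every wanted access type is granted."""
    return (effective_access(user, obj) & wanted) == wanted


def access_names(flags: Access) -> str:
    """Readable form of a flag combination, e.g. 'ALTER|PRINT'."""
    return "|".join(m.name for m in Access if m and m in flags) or "NONE"


def check(user: str, obj: str, wanted: Access) -> str:
    """Mediate one request and return the line an audit trail would record for it."""
    decision = "ALLOW" if is_authorized(user, obj, wanted) else "DENY"
    return f"{decision} user={user} object={obj} access={access_names(wanted)}"


if __name__ == "__main__":
    requests = [
        ("asha", "journal_voucher", Access.CREATE),
        ("asha", "journal_voucher", Access.ALTER),
        ("ravi", "payroll_master", Access.ALTER),
        ("meena", "payroll_master", Access.ALTER | Access.PRINT),
        ("unknown", "journal_voucher", Access.VIEW),
    ]
    for user, obj, wanted in requests:
        print(check(user, obj, wanted))
```

Because permissions attach to roles, reviewing segregation of duties reduces to reading ROLE_PERMISSIONS and USER_ROLES: a user who holds both accounts_clerk and accounts_manager would be able to create and alter the same vouchers, which is the kind of combination an auditor looks for.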

Audit of ERP system
ERP systems should produce accurate, complete, and authorized information that is supportable and
timely. All these can be accomplished or achieved by a combination of various controls in the ERP
system. Controls are divided into General Controls and Application Controls. Below is the
diagrammatic representation of controls.

Controls → General Controls | Application Controls
General Controls → Management controls | Environmental controls

Management controls deal with organizations, policies, procedures, planning, and so on.
Environmental controls are operational controls administered through the computer centre/computer
operations group and the built-in operating system controls.


Business Processes

Meaning: It consists of a set of activities that are performed in an organizational and technical
environment. Each business process is enacted by a single organization, but it may interact with
business processes performed by other organizations.

Business process flow: Business Process is a prescribed sequence of work steps performed to produce a
desired result for the organization. Each of the business processes has either a direct or indirect
effect on the financial status of the organization.

Accounting & book keeping: Source Document → Journal → Ledger → Trial Balance → Adjustments →
Adjusted Trial Balance → Closing entries → Financial statement.

ERP Business Processes Module


Reporting system & management Information system

Reporting System: Reporting system is a system of regular reporting on the pre-decided aspects. The basic purpose of any Financial and Accounting system is to give right information at right point of time to right people for right decision making. Two basic reports, i.e., Balance Sheet and Profit & Loss Account, are used for basic analysis of financial position and financial performance. Key reports are analyzed by management to determine if appropriate financial decisions are made at the right time.

Management Information System: An MIS report is a tool that managers use to evaluate business processes and operations. Hence, MIS system:
(a) Automatically collects data from various areas within a business.
(b) These systems can produce daily reports that can be sent to key members throughout the organization.
MIS is all about presenting information to management in a meaningful way.

To make the information more meaningful, it should meet the following criteria: Relevant, Accurate, Timely, Structured.

Data Analytics

DATA ANALYTICS is the process of examining data sets to draw conclusions about the information they contain. Various software and techniques are used to draw meaningful conclusions out of the information we have. Types of Data Analytical applications:

| Exploratory Data Analysis | Confirmatory Data Analysis | Quantitative Data Analysis | Qualitative Data Analysis |
|---|---|---|---|
| Aims to find patterns and relationships in data | Applies statistical techniques to determine whether hypotheses about a data set are True or False | Involves analysis of numerical data with quantifiable variables that can be compared or measured | It focuses on understanding the content of non-numerical data like text, images, audio |

These data analyses are done by different industries by different means:

1. E-commerce companies and marketing services providers do clickstream analysis.
2. Mobile network operators examine customer data to prevent defections to business rivals.
3. Healthcare organizations mine patient data to evaluate the effectiveness of treatments for cancer and other diseases.


Business Intelligence

Meaning: Business Intelligence (BI) is a technology-driven process for analyzing data and presenting actionable information and contains variety of tools and applications to do so.

Benefits of BI
▪ Helps in accelerating and improving decision making.
▪ Driving new revenues & gaining competitive advantage.
▪ Optimization of internal business processes, increasing efficiency.
▪ BI systems can also help companies identify market trends.

Examples of BI
▪ BI uses data from different sources and helps to find solutions to various questions.
▪ Online transaction processing & online analytical processing are examples of BI.

Business reporting and fundamentals of XBRL

Meaning of Business reporting & XBRL

Importance of Business Reporting / Why reporting is important:
1. Business reporting allows organizations to present a cohesive explanation of their business.
2. Helps in engaging with various stakeholders i.e., customers, employees, shareholders, creditors, and regulators.
3. Information contained in the business reporting is crucial for stakeholders to assess organizational performance.
4. High-quality information is integral to the successful management of the business, and is one of the major drivers of sustainable organizational success.

XBRL:
1. XBRL Tagging is the process by which any financial data is tagged with the most appropriate element in an accounting taxonomy.
2. Represents the data in addition to tags that facilitate identification/classification (such as enterprise, reporting period, reporting currency, unit of measurement etc.).
3. Comprehensive definitions & accurate data tags allow preparation, validation, publication, exchange, consumption & analysis of business information of all kinds.


Applicable regulatory and compliance requirements

Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations; it is an organization's adherence to laws, regulations, guidelines and specifications relevant to its business. Violations of regulatory compliance regulations may result in legal interest, penalty, prosecution etc. We can classify compliance & regulatory requirements into:
a. General – Applicable to all irrespective of anything.
b. Specific – Applicable to specific type of businesses.

Below are 2 types of software which have both negative and positive aspects:

| S. N. | Particulars | Accounting & Tax Compliance Software | Only Tax Compliance Software |
|---|---|---|---|
| 1 | Ease of software operation | Less - As this is an integrated system of accounting & tax compliance, everything is connected with each other and making changes at one place may affect other aspects also. | More - As this is used only for one single purpose, it is less complicated and bound to be easy. |
| 2 | Features and facilities | Less - Since this system is not an exclusive system for tax compliance, it may have limited features for tax compliance. | More - Since this is an exclusive system designed for tax compliance, more features & facilities shall exist here. |
| 3 | Time and efforts required | Less - Since this is an integrated system, time required to transfer data to compliance software is zero. | More - Since this is separate software, data from accounting software needs to be put in. This may take extra time and efforts. |
| 4 | Accuracy | More - As this is an integrated system, accounting data and tax compliance data shall always be the same, ensuring more accuracy in data. | Less - There are two separate systems; reconciliation with accounting data is needed, and the possibility of mismatch of data is always there. |
| 5 | Cost | More - If tax compliance feature is not available in accounting system, getting it customized may require a good amount of money. | Less - Since this is specific purpose software, there shall be less complications and the cost also shall be less. |


Chapter 3 : Information Systems & its components

Introduction
An Information system is a combination of people, hardware, software, communicating devices, network and data resources that processes (can be storing, retrieving, transforming information) data & information for a specific purpose.

Info. System depends on
The main aim and purpose of each Information System is to convert the data into information which is useful and meaningful. An Information System depends on:
1. Resources of people (end users and IS specialists),
2. Hardware (machines and media),
3. Software (programs and procedures),
4. Data (data and knowledge bases), and
5. Networks (communications media and network support)
to perform input, processing, output, storage, and control activities that transform data resources into information products.

Components of Information system


Computer System – Hardware and Software

Input devices: Devices through which we interact with the systems; these include devices like Keyboard, Mouse and other pointing devices.

Processing: It includes computer chips that contain the Central Processing Unit and main memory. The CPU is the actual hardware that interprets and executes the program (software) instructions.

Storage: Refers to memory where data and programs are stored. Various types of storage techniques/devices are primary memory & secondary memory.

Output devices: Output devices are devices through which the system responds. These outputs may be in visual, audio or digital forms.

Operating System: An Operating System (OS) is a set of computer programs that manages computer hardware resources and acts as an interface with computer application programs.

Application Software: Application software includes all that computer software that causes a computer to perform useful tasks beyond the running of the computer itself. It is a collection of programs that helps in solving the problems.

Random Access Memory (RAM): This memory is volatile in nature. If power is off, data is gone. Main purpose is to hold program and data while they are in use. Information can be read as well as modified.

Read Only Memory (ROM): This memory is not volatile in nature; contents remain even when the power is off. Used to store a small amount of information for quick reference by the CPU; information can be read but not modified.


Charts of Differences

Code to remember: C.D. - B.A.S.I.C.S

| Aspects | Random Access memory (RAM) | Read Only memory (ROM) |
|---|---|---|
| Cost | Volatile memory is costly per unit size. | Non-volatile memory is cheap per unit size. |
| Data Retention | Volatile in nature means information is lost as soon as power is turned off. | Non-volatile in nature (contents remain intact even in absence of power). |
| Basic Working | The purpose is to hold program and data while they are in use. | Used to store small amount of information that is rarely changed. |
| Access to Information | Information can be read as well as modified. | Information can be read only and not modified. |
| Storage | These are responsible for storing instructions & data that the computer is using at that present moment, that is why it is a temporary memory. | These are used by manufacturers to store data and programs like translators that are used repeatedly, that is why it is a permanent memory. |
| Impact | RAM has high impact on system's performance. | ROM has no impact on system's performance. |
| Capacity | RAM memory is large and of high capacity. | ROM is generally small and of low capacity. |
| Speed | RAM speed is quite high. | ROM speed is slower than RAM. |

Code to remember: M.E.S.S. - B.A.D. - F.R. (MESS is BAD and Very Far)

| Aspects | Primary/Main Memory | Secondary Memory |
|---|---|---|
| Memory | Primary memory is an internal memory. | Secondary memory is an external memory. |
| Expense | Primary memory is costlier than secondary memory. | Secondary memory is cheaper than primary memory. |
| Speed to Access data | Accessing data from primary memory is faster. | Accessing data from secondary memory is slower. |
| Size | The computer has a small primary memory. | The computer has a larger secondary memory. |
| Basic | Primary memory is directly accessible by Processor/CPU. | Secondary memory is not directly accessible by CPU. |
| Access | Primary memory is accessed by data bus. | Secondary memory is accessed by input-output channels. |
| Data | Data to be currently executed are copied to main memory. | Data to be permanently stored is kept in secondary memory. |
| Volatility | Primary memory is usually volatile. | Secondary memory is non-volatile. |
| Formation | Primary memories are made of semiconductors. | Secondary memories are made of magnetic and optical material. |


Data & Database Management System (DBMS)

DATA
Data are the raw bits and pieces of information with no context. Data can be quantitative or qualitative. Quantitative data is numeric & qualitative data is descriptive. Once we have put our data into context, aggregated & analyzed it, we can use it to make decisions for the entity.

DATABASE
Main aim of an information system is to transform data into meaningful & presentable information. To do this, the system must be able to take data, put the data into context, and provide tools for aggregation and analysis. A database is designed for such purpose. Separate databases should be created to manage unrelated information.

Activities which are executed by Operating Systems (8 points)
1. Performing Hardware Function.
2. Task Management.
3. User Interfaces.
4. Network Capabilities.
5. Hardware Independence.
6. Logical Access Controls.
7. Memory Management.
8. File Management.

Advantages of DBMS (Code to Remember: D.R.A.C.U.L.A.S.)
• Permitting Data Sharing: Same information can be made available to different users.
• Minimizing Data Redundancy: In a DBMS, duplication of information, if not eliminated, is controlled or reduced.
• Faster Application development: In case of deployment of a DBMS, as the data is already there in the database, the developer has to think only about the logic to retrieve the data.
• Consistency of program and file: File formats & programs are standardized. This makes data files easier to maintain because the same rules & guidelines apply across all data.
• User Friendly: DBMS makes data access & manipulation easier for users & reduces reliance of users on computer experts.
• Latest data and its integrity: Data integrity is maintained by having accurate, consistent & up to date data. Updates and changes to data have to be made in the DBMS.
• Achieving program/data independency: In a DBMS, data does not reside in applications; the database program & data are independent of each other.
• Security improvement: DBMS allows multiple users to access the same data resources, which could lead to risk to an enterprise if not controlled.


Network & Communication system

Computer Network is a collection of computers and other hardware interconnected by communication channels that allow sharing of resources & information.

Types of Network
• Connection Oriented Networks: Here a connection is first established & data is exchanged thereafter.
• Connectionless networks: Data which is to be exchanged carries complete contact information.

Issues related to network: Bandwidth, Routing, Resilience, Contention.

Important benefits of a computer Networks


Code to Remember: S.C. - R.U.N.
1. Sharing of resources:
• Data could be stored at a central location and can be shared across different systems.
• Even resource sharing could be in terms of sharing peripherals like printers, which are
normally shared by many systems.

2. Computational Power:
• If the processing is distributed amongst computer systems, the computational power of
the application increases.

3. Reliability:
• It refers to the ability of a network to recover from any kind of error like connection
failure, loss of data etc.

4. User Communication:
• Network allows users to communicate using email, newsgroup, video conferencing etc.

5. Nature of information:
• There are situations where information must be distributed geographically.
• Accounting information of various customers could be distributed across various
branches but to make consolidated Balance Sheet at the year- end, it needs networking
to access information from all its branches.


Information Systems Control

IT should cover all key aspects of business processes of an enterprise and should have an impact on its strategic and competitive advantage for its success.

Need for information system controls
• For storing all financial records centrally.
• Increased ability to capture, store, analyze and process.
• For information integrity, reliability and validity for timely flow of accurate information throughout the organization.

Control lacking in computerized environment (Code to Remember: A. - S. L. I. C. K.)
• Absence of controls: Absence or inadequate IS control framework and also lack or weak general controls and IS controls.
• Inadequate Security functionalities: Inappropriate technology implementations or inadequate security functionality in technologies implemented.
• Lack of mgmt. understanding: Lack of management understanding of IS risks and related controls.
• Implementation complexities: Complexities of implementation of controls in distributed computing environments and extended enterprises.
• Lack of Control features: Lack of control features or their implementation in a highly technology driven environment.
• Lack of Knowledge of IS risks: Lack of awareness and knowledge of IS risks and controls amongst the business users and IT staff.

Classification of information system controls
• Objectives of controls: Preventive Control; Detective Control; Corrective Control.
• Nature of IS resource: Environmental Control; Physical Access Control; Logical Access Control.
• IS Function: Management Control Framework; Application Control Framework.


Objectives of controls

Preventive Controls
▪ These controls prevent errors, omissions, or security incidents from occurring.
▪ Examples: sometimes we come across security checks where passwords must not include the user's name, or data entry that rejects alphabetic characters in a numeric field etc.
▪ Controls can be implemented in both manual and computerized environments.
▪ Examples: Segregation of duties; Access control; Vaccination against diseases; Documentation etc.

Detective Controls
▪ These controls are designed to detect errors, omissions or malicious acts that occur and report the occurrence.
▪ Detective controls include monitoring and analysis to uncover activities or events that exceed authorized limits or violate known patterns in data.
▪ A scenario: A detective control may identify account numbers of inactive accounts or accounts that have been flagged for monitoring of suspicious activities.
▪ Examples: Cash counts; Bank reconciliation; Review of payroll reports; Compare transactions on reports to source documents; Hash totals; Past-due accounts report etc.

Corrective Controls
▪ It is desirable to correct errors, omissions, or incidents once they have been detected. This includes correction of data-entry errors, identifying and removing unauthorized users or software from systems or networks, recovery from incidents etc.
▪ These corrective processes also should be subject to preventive and detective controls, because they represent another opportunity for errors, omissions, or falsification.
▪ Examples: A Business Continuity Plan (BCP); Backup procedure etc.

Blank space for notes:
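Added example (not from the booklet) putting two of the controls above into code: preventive input validation of the kind the Preventive Controls examples mention (a numeric field that rejects alphabetic characters; a password that must not contain the user's name) and a detective batch control of the kind the Detective Controls examples list (hash totals over a batch), which also illustrates the Batch Controls item under Input Controls later in this chapter. Account numbers, amounts and the batch header are constructed sample data.

```python
"""Preventive and detective application controls over a batch of keyed transactions.

Added illustration with constructed sample data; not code from the booklet.
"""
import re

# ---- Preventive controls: stop bad input before it enters the system ----


def validate_numeric_field(value: str) -> bool:
    """A numeric amount field accepts digits with at most two decimals; alphabetic input is rejected."""
    return re.fullmatch(r"\d+(\.\d{1,2})?", value) is not None


def password_acceptable(password: str, user_name: str) -> bool:
    """Password must be at least 8 characters and must not contain the user's name (any case)."""
    return len(password) >= 8 and user_name.lower() not in password.lower()


# ---- Detective control: batch totals recomputed from the records and compared with the header ----


def batch_totals(records):
    """records: list of (account_no, amount).
    Returns (record count, hash total, financial total). The hash total is the plain sum of the
    account numbers: it has no business meaning, but it changes if a record is dropped, duplicated
    or keyed to the wrong account, which the financial total alone would not reveal."""
    count = len(records)
    hash_total = sum(acct for acct, _ in records)
    financial_total = round(sum(amt for _, amt in records), 2)
    return count, hash_total, financial_total


def check_batch(header, records):
    """header: the count / hash_total / financial_total the preparer computed from the source documents.
    Returns a list of discrepancies; an empty list means the batch reconciles."""
    count, hash_total, financial_total = batch_totals(records)
    problems = []
    if count != header["count"]:
        problems.append(f"record count {count} != {header['count']}")
    if hash_total != header["hash_total"]:
        problems.append(f"hash total {hash_total} != {header['hash_total']}")
    if financial_total != header["financial_total"]:
        problems.append(f"financial total {financial_total} != {header['financial_total']}")
    return problems


# Constructed sample batch of three vendor payments: header prepared from the source documents,
# records as keyed into the system.
SAMPLE_HEADER = {"count": 3, "hash_total": 3006, "financial_total": 1450.00}
SAMPLE_RECORDS = [(1001, 500.00), (1002, 200.00), (1003, 750.00)]
# Same batch with the second payment keyed to account 1020 instead of 1002: record count and
# financial total still agree with the header; only the hash total exposes the error.
MISKEYED_RECORDS = [(1001, 500.00), (1020, 200.00), (1003, 750.00)]


if __name__ == "__main__":
    print(check_batch(SAMPLE_HEADER, SAMPLE_RECORDS))    # []
    print(check_batch(SAMPLE_HEADER, MISKEYED_RECORDS))  # ['hash total 3024 != 3006']
```

The preventive checks run at the point of entry and refuse the input; the batch check runs after entry and can only report that something is wrong, which is why the booklet pairs detective controls with corrective ones (here, returning the batch to the preparer).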


Nature of Information systems (IS) resources

Environmental Controls
▪ These controls are aimed at controlling the IT environment such as power, air-conditioning, Uninterrupted Power Supply (UPS), smoke detection, fire-extinguishers etc.

Physical Access Controls
▪ These are the controls relating to physical security of the tangible IS resources and intangible resources stored on tangible media.
▪ Examples of physical access controls: Security guards, door alarms, restricted entry to secure areas, visitor logged access, CCTV monitoring etc.

Logical Access Controls
▪ These are controls relating to logical access to information resources such as operating system controls, software boundary controls etc.
▪ Logical access controls are implemented to ensure that access to systems, data & programs is restricted to authorized users.

Control for environmental exposure
• Smoke Detectors.
• Norms to reduce Electric Firing.
• Fire Extinguishers.
• Fire Alarm.
• Regular Inspection and raising awareness.
• Electrical Surge Protectors.
• Un-interruptible Power System and Generator.
• Voltage regulators and circuit breakers.
• Emergency Power-Off Switch.
• Water Detectors.
• Strategically locating the computer room.

Control for physical access exposure
• Cipher Locks.
• Bolting Door Locks.
• Electronic Door Locks.
• Personal Identification No.
• Plastic Cards.
• Identification badges.
• Manual Logging.
• Electronic Logging.
• Cameras.
• Security Guards.
• Dead man Doors.
• Computer terminal Locks.
• Alarm System.

Logical access controls are grouped as: User Responsibilities; User Access Management; Network access controls; Operating system access controls; Application and Monitoring System Access Control.


Logical Access Controls chart

User Responsibilities
• Password use
• Unattended user equipment

User Access Management
• User registration
• Privilege Management
• User password Mgmt.
• Review of user access rights

Network access controls
• Network Segregation
• Call Back Services
• Policy on Network Use
• Network connection Controls
• Enforced Path
• Security of network services
• Firewall
• Encryption

Operating system access controls
• Password management system
• User identification & authentication
• Terminal identification automation
• Duress alarm to safeguard users
• Access Token
• Terminal time out
• Access Control List
• Log-in procedures

Application and Monitoring System Access Control
• Mobile computing controls
• Monitor system users
• Information access restriction
• Clock Synchronization
• Event Logging
• Sensitive system isolation


Nature of Information systems (IS)

Management Control Framework
• Top Mgmt. & Information Systems Management Controls
• Systems Development Mgmt. Controls
• Programming Mgmt. Controls
• Data Resource Management Controls
• Operational Mgmt. control
• Security Mgmt. Controls
• Quality Assurance Management Controls

Application Control Framework
• Boundary Controls
• Input Controls
• Communication controls
• Processing Controls
• Database Controls
• Output Controls

SUMMARIZING – Management control framework

Top Mgmt. & Information Systems Management Controls: Planning; Organizing; Leading; Controlling.
These controls ensure that the information systems function correctly and they meet the strategic business objectives.

Systems Development Mgmt. Controls: Problem definition & feasibility assessment; Analysis of existing system; Information Processing System design; Hardware/Software acquisition & procedures development; Acceptance Testing and Conversion; Operation and Maintenance.

Programming Mgmt. Controls: Planning; Control; Design; Coding; Testing; Operation and Maintenance.

Data Resource Management Controls: Quality Controls; Access Controls; Definition Controls; Update Controls; Concurrency Controls; Existence/Backup Controls.

Operational Mgmt. control: Computer Operations; Network Operations; Data Preparation and Entry; Production Control; File library; Documentation and Program Library; Help Desk/Technical support; Capacity Planning and Performance Monitoring; Mgmt. of Outsourced Operations.

Security Mgmt. Controls: Threat Identification; Disaster Recovery Plan (DRP); Insurance.

Quality Assurance Management Controls: Quality of Software; Trend of improvement; Cost factor; Project driven; Safety critical system.

SUMMARIZING – Application control framework

Boundary Controls: Cryptographic Controls; Access Controls; PIN; Digital Signatures; Plastic Cards.

Input Controls: Data Code Controls; Batch Controls; Validation of Data Input.

Communication controls: Physical Component Controls; Line Error Controls; Flow Controls; Link Controls; Topological Controls; Channel Access Controls; Controls over Subversive threats.

Processing Controls: Processor Controls; Real Memory Controls; Virtual Memory Controls; Application Software Controls.

Database Controls: Access Controls; Application Software Controls; Integrity Controls; Concurrency Controls; Cryptographic Controls; File Handling Controls.

Output Controls: Inference Controls; Batch Output Controls; Batch Report Design Controls; Online output Controls.

Information Systems Auditing

Computers are used extensively to process data and to provide information for decision-making. Since computers play a large part in assisting us to process data and to make decisions, it is significant that their use is in a controlled manner.

Need for audit of Information system (Code to Remember: A. - P.R.I.D.E)
Cost related factors:
• Cost of data loss
• Cost of incorrect decision making
• Costs of computer abuse
• High costs of computer error
Other factors:
• Maintenance of Privacy
• Controlled evolution of computer use

Information system audit Objectives


Tools of IS Audit

Audit Trail & controls framework (Nature of IS – 3rd classification type)

Top Management and Information Systems Management Controls
Scope: Discusses top management's role in planning, organizing, leading and controlling the information systems function.
Audit Trails:
• Planning: Auditors need to evaluate whether top mgmt. has formulated a high-quality IS plan that is appropriate to the needs of an organization or not.
• Organizing: Auditors should be concerned about how well top mgmt. acquires & manages staff resources.
• Leading: Auditors need to examine those variables indicating when motivation problems exist.
• Controlling: Auditors need to evaluate whether top mgmt.'s choice of the means of control over the users of IS services is likely to be effective or not.

System Development Management Controls
Scope: Provides a contingency perspective on models of the information systems development process that auditors can use as a basis for evidence collection & evaluation.
Audit Trails:
• Concurrent Audit: Auditors assist the team in improving the quality of systems development for the specific system they are building and implementing.
• Post-implementation Audit: Auditors seek to help an organization learn from its experiences in development of a specific application system.
• General Audit: Auditors seek to determine whether they can reduce the extent of substantive testing needed to form an audit opinion about mgmt. assertions relating to the financial statements for systems effectiveness and efficiency.

Programming Management Controls
Scope: Discusses the major phases in the program life cycle and the important controls that should be exercised in each phase.
Audit Trails:
• Planning: Auditors must evaluate how well the planning work is being undertaken.
• Control: Auditors must evaluate whether the nature & extent of control activities undertaken are appropriate for the different types of s/w that are developed or acquired.
• Design: Auditors should find out whether programmers use some type of systematic approach to design.
• Coding: Auditors should seek evidence to check whether programmers employ automated facilities to assist them with their coding work.
• Testing: Auditor's primary concern is to see that unit testing, integration testing and system testing have been undertaken appropriately.
• Operation and Maintenance: Auditors need to ensure effective & timely reporting of maintenance needs occurs & maintenance is carried out in a well-controlled manner.

Data Resource Management Controls
Scope: Discusses the role of the database administrator & the controls that should be exercised in each phase.
Audit Trails: Auditors should determine what controls are exercised to maintain data integrity. They might employ test data to evaluate whether access controls & update controls are working.

Quality Assurance Management Controls
Scope: Discusses major functions that quality assurance mgmt. should perform to ensure that implementation, operation & maintenance are as per standards.
Audit Trails: Auditors might use interviews, observations and documentation to evaluate how well Quality Assurance (QA) personnel perform their monitoring role.

Operations Management Controls
Scope: Discusses the major functions performed by management to ensure day-to-day operations of the IS function are well controlled.
Audit Trails: Auditors should pay attention to whether documentation is maintained securely and that it is issued only to authorized personnel.

Security Management Controls
Scope: Discusses operations performed by the security administrator to identify major threats.
Audit Trails: Auditors must evaluate whether security administrators are conducting ongoing, high-quality security reviews or not.

APPLICATION CONTROLS AND FRAMEWORK

Boundary Controls
This maintains a chronology of events that occur when a user attempts to gain access to & employ system resources. This includes identity of the would-be user of the system; authentication information supplied; resources requested; action privileges requested; terminal identifier; start & finish time; number of sign-on attempts; and resources provided/denied.
Accounting Audit Trail: Action privileges allowed or denied.
Operational Audit Trail: This includes details like resource usage from log-on to log-out time and log of resource consumption.

Input Controls
This maintains a chronology of events from the time data and instructions are captured and entered into an application system until the time they are deemed valid and passed on to other subsystems within the application system.
Accounting Audit Trail:
• Identification of person: who was the source of data; who enters the data.
• Time & date when data was captured.
• The account or record to be updated by the transaction.
• The number of the physical or logical batch to which the transaction belongs.
Operational Audit Trail:
• Time to key in a source document or an instrument at a terminal;
• Number of keying errors identified during verification;
• Frequency with which an instruction in a command language is used.
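An added example (not from the booklet) showing what a boundary-control audit trail with the fields listed above looks like as data, and three reviews a security administrator or auditor would run over it: a detective check for bursts of failed sign-on attempts, a list of authenticated users who requested an action privilege they were denied, and log-on to log-out usage from the operational trail. All user names, terminal identifiers, resource names and timestamps are constructed.

```python
"""Boundary-control audit trail: recording sign-on events and reviewing them.

Added illustration with constructed sample records; not from the booklet or any ERP product.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _event(user, terminal, time, auth_ok, resource=None, privilege=None, granted=False):
    """One accounting audit-trail record per sign-on attempt. Only the authentication OUTCOME is
    kept; the credential itself is never written to the trail."""
    return {"user": user, "terminal": terminal, "time": time, "auth_ok": auth_ok,
            "resource": resource, "privilege": privilege, "granted": granted}


# Constructed sample trail: identity, terminal identifier, time, authentication result,
# resource and action privilege requested, and whether the resource was provided or denied.
SIGN_ON_TRAIL = [
    _event("meera", "T-101", "2022-05-02T08:59:30", False),
    _event("meera", "T-101", "2022-05-02T09:00:10", True, "GL_POSTING", "alter", True),
    _event("rahul", "T-205", "2022-05-02T09:01:00", False),
    _event("rahul", "T-205", "2022-05-02T09:01:40", False),
    _event("rahul", "T-205", "2022-05-02T09:02:30", False),
    _event("rahul", "T-205", "2022-05-02T09:04:00", True, "VENDOR_MASTER", "view", True),
    _event("kiran", "T-310", "2022-05-02T09:05:00", True, "VENDOR_MASTER", "alter", False),
]

# Constructed operational audit trail: resource usage from log-on to log-out per session.
SESSIONS = [
    {"user": "meera", "terminal": "T-101", "log_on": "2022-05-02T09:00:10", "log_off": "2022-05-02T12:30:10"},
    {"user": "rahul", "terminal": "T-205", "log_on": "2022-05-02T09:04:00", "log_off": "2022-05-02T09:34:00"},
]


def sign_on_attempts(trail):
    """Number of sign-on attempts per user, one of the fields the boundary audit trail records."""
    counts = defaultdict(int)
    for e in trail:
        counts[e["user"]] += 1
    return dict(counts)


def failed_sign_on_bursts(trail, threshold=3, window=timedelta(minutes=5)):
    """Detective review: (user, terminal, count) for every user/terminal pair with at least
    `threshold` failed sign-ons inside any `window`-long interval."""
    failures = defaultdict(list)
    for e in trail:
        if not e["auth_ok"]:
            failures[(e["user"], e["terminal"])].append(datetime.fromisoformat(e["time"]))
    flagged = []
    for (user, terminal), times in failures.items():
        times.sort()
        start, best = 0, 0
        for end in range(len(times)):            # sliding window over the sorted failure times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged.append((user, terminal, best))
    return sorted(flagged)


def denied_privilege_requests(trail):
    """Authenticated users who asked for an action privilege the system refused: the
    'action privileges denied' entries of the accounting audit trail."""
    return [(e["user"], e["resource"], e["privilege"])
            for e in trail if e["auth_ok"] and not e["granted"]]


def session_minutes(sessions):
    """Operational trail: minutes of use from log-on to log-out per user and terminal."""
    return {(s["user"], s["terminal"]):
            (datetime.fromisoformat(s["log_off"]) - datetime.fromisoformat(s["log_on"])).total_seconds() / 60
            for s in sessions}


if __name__ == "__main__":
    print(failed_sign_on_bursts(SIGN_ON_TRAIL))     # [('rahul', 'T-205', 3)]
    print(denied_privilege_requests(SIGN_ON_TRAIL)) # [('kiran', 'VENDOR_MASTER', 'alter')]
    print(session_minutes(SESSIONS))
```

A single failed attempt (meera mistyping once before a successful log-on) is not flagged, while three failures from one terminal within the window are; the threshold and window are review parameters, not fixed values from the booklet. The denied-privilege list is the review counterpart of the RBAC check earlier in the booklet: it records the requests that the access matrix refused.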


Communication Controls
  Meaning: This maintains a chronology of the events from the time a sender dispatches a message to the time a receiver obtains the message.
  Accounting audit trail:
  • Unique identifier of source or sink node.
  • Time and date at which the message was received by the sink node.
  • Time and date at which a node in the network was traversed by the message.
  • Message sequence number, and image of the message received at each node traversed in the network.
  Operational audit trail:
  • Number of messages that have traversed each link and each node;
  • Queue lengths at each node;
  • Number of errors occurring on each link or at each node;
  • Number of retransmissions that have occurred across each link;
  • Log of errors to identify locations and patterns of errors.

Processing Controls
  Meaning: The audit trail maintains a chronology of events from the time data is received from the input or communication subsystem to the time data is dispatched to the database, communication, or output subsystems.
  Accounting audit trail:
  • To trace and replicate processing performed on a data item.
  • To check for the existence of any data flow diagram or flowchart that describes data flow in the transaction.
  • To check whether audit log entries recorded the changes made in the data items at any time, including who made them.
  Operational audit trail:
  • Comprehensive log on hardware consumption – CPU time used, secondary storage space used, and communication facilities used.
  • Comprehensive log on software consumption – compilers used, file management facilities used, and communication software used.

Database Controls
  Meaning: The audit trail maintains a chronology of events that occur either to the database definition or to the database itself.
  Accounting audit trail:
  • To attach before-images and after-images of the data item on which the transaction is applied to the audit trail.
  • Modifications or corrections to audit trail transactions accommodating changes that occur within an application.
  Operational audit trail:
  • To maintain a chronology of the resource consumption events that affect the database definition or the database.

Output Controls
  Meaning: The audit trail maintains a chronology of events that occur from the time the content of the output is determined until the time users complete their disposal of the output because it no longer should be retained.
  Accounting audit trail:
  • What output was presented?
  • Who received the output?
  • When was the output received?
  • What actions were taken with the output?
  Operational audit trail:
  • To maintain a record of the resources consumed – graphs, images, report pages, printing time and display rate to produce the various outputs.
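The database-controls row says the accounting audit trail attaches before-images and after-images to every applied transaction, and the processing-controls row says the trail must let an auditor trace and replicate the processing done on a data item. The Python below is an added example written for this section, not code from the booklet or any product: the table, clerks and transactions are constructed sample data, and the replay check that rebuilds a record from a baseline snapshot plus the trail is one way to implement the processing-controls test.

```python
import copy
from datetime import datetime, timezone


class AuditedTable:
    """In-memory table whose every update is recorded with before- and after-images
    (the accounting audit trail of the database controls row)."""

    def __init__(self, rows):
        self.rows = {row["id"]: dict(row) for row in rows}
        # Baseline snapshot: the state the audit trail is replayed from.
        self.baseline = copy.deepcopy(self.rows)
        self.trail = []  # audit entries, oldest first

    def apply(self, txn_id, user, record_id, changes, when):
        """Apply a transaction and record who changed what, from what value to what value."""
        before = copy.deepcopy(self.rows[record_id])
        after = dict(before)
        after.update(changes)
        self.rows[record_id] = after
        self.trail.append({
            "txn_id": txn_id,
            "user": user,                          # who made the change
            "time": when.isoformat(),
            "record_id": record_id,
            "before_image": before,                # data item before the transaction
            "after_image": copy.deepcopy(after),   # data item after the transaction
        })

    def trace(self, record_id, field):
        """Trace every change to one data item as (txn_id, user, old value, new value)."""
        out = []
        for e in self.trail:
            old, new = e["before_image"].get(field), e["after_image"].get(field)
            if e["record_id"] == record_id and old != new:
                out.append((e["txn_id"], e["user"], old, new))
        return out

    def replay(self, record_id):
        """Replicate the processing: rebuild the record from the baseline and the trail.
        Raises ValueError when an entry's before-image does not match the replayed
        state, i.e. when an entry is missing or was edited after the fact."""
        state = dict(self.baseline[record_id])
        for e in self.trail:
            if e["record_id"] != record_id:
                continue
            if e["before_image"] != state:
                raise ValueError(f"trail for {record_id} broken at {e['txn_id']}")
            state = dict(e["after_image"])
        return state

    def verify(self, record_id):
        """Processing-controls check: (True, 'ok') only if the trail is contiguous and
        reproduces the stored row; otherwise (False, reason)."""
        try:
            rebuilt = self.replay(record_id)
        except ValueError as exc:
            return False, str(exc)
        if rebuilt != self.rows[record_id]:
            return False, "stored row differs from replayed trail (unlogged change)"
        return True, "ok"


def sample_table():
    """Constructed sample data: two customer-limit records and three transactions."""
    table = AuditedTable([
        {"id": "ACC-1", "owner": "asha", "limit": 1000},
        {"id": "ACC-2", "owner": "ravi", "limit": 500},
    ])
    t0 = datetime(2022, 5, 1, 9, 0, tzinfo=timezone.utc)
    table.apply("T1", "clerk1", "ACC-1", {"limit": 1500}, t0)
    table.apply("T2", "clerk2", "ACC-1", {"owner": "meera"}, t0.replace(minute=5))
    table.apply("T3", "clerk1", "ACC-2", {"limit": 750}, t0.replace(minute=10))
    return table


if __name__ == "__main__":
    t = sample_table()
    print(t.trace("ACC-1", "limit"))   # [('T1', 'clerk1', 1000, 1500)]
    print(t.verify("ACC-1"))           # (True, 'ok')
    t.rows["ACC-1"]["limit"] = 9999    # a change made outside the audited path
    print(t.verify("ACC-1"))           # (False, 'stored row differs ...')
```

Deleting or editing a trail entry breaks the before-image chain at the next entry, and a row edited without going through `apply` no longer matches its replayed trail; both surface in `verify`.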


Audit Trail & controls framework (Nature of IS resources – 2nd classification type)

Auditing environmental controls
  Meaning: These controls are aimed at controlling the IT environment.
  Code to remember: P.W.C. - F.A.B. (where there is an Audit, PWC is FAB)
  Audit(s):
  • Power conditioning
  • Water detection
  • Cleanliness
  • Fire detection and suppression
  • Air conditioning (HVAC), heating and ventilation
  • Backup power

Auditing physical security controls
  Meaning: These are the controls relating to the physical security of tangible IS resources and of intangible resources stored on tangible media.
  Audit(s):
  • Siting and marking
  • Physical barriers
  • Surveillance
  • Guards and dogs
  • Key-card systems

Logical access controls


Controls: User Access Controls. Audit considerations for each area are listed below.

Auditing User Access Controls (code to remember: D.S. - S.A.U.D.A.)
   Dormant accounts: Dormant accounts are user (or system) accounts that exist but are unused; the IS auditor should check for them.
   Shared accounts: The IS auditor should determine if there are any shared user accounts (used by more than one person).
   System accounts: The IS auditor should identify all system-level accounts on networks, systems, and applications.
   Authentication: The auditor should examine network and system resources to determine whether they require authentication, or whether resources can be accessed without first authenticating.
   User account lockout: The auditor should determine if systems and networks can automatically lock user accounts that are the target of attacks.
   Detection and prevention of intrusion: The auditor should examine these systems to see whether they have up-to-date configurations and signatures, etc.
   Access violations: The auditor should determine if the systems, networks, and authentication mechanisms can log access violations.

Auditing Password Management
  • The IS auditor needs to examine the password configuration on information systems to determine how it is controlled.
  • Some check points: how many characters must a password have and whether there is a maximum length; how frequently must passwords be changed; whether former passwords may be used again; etc.


Auditing User Access Provisioning (code to remember: P.A.R.D.A.)
   Provisioning of new employees: The auditor should determine if new employees' managers are aware of access requests.
   Access approvals: The IS auditor needs to determine how requests are approved and by what authority they are approved.
   Reviews of access: The IS auditor should determine if there are any periodic access reviews and what aspects of user accounts are reviewed.
   Duties segregation (SOD): The IS auditor should determine if there are SOD matrices in the organization and if they are actively used to make user access request decisions.
   Access request processes: The IS auditor should identify all user access request processes and determine if these processes are used consistently throughout the organization.

Auditing Employee Termination (code to remember: C.A.T.)
  • Contractor access and terminations: The IS auditor needs to determine how contractor access and termination are managed and if such management is effective.
  • Access review: The IS auditor should determine if any internal reviews of terminated accounts are performed, which would indicate a pattern of concern for effectiveness in this important activity.
  • Termination process: The IS auditor should examine the employee termination process and determine its effectiveness.

User Access Log*
  (*LOG means full information. So, here: prepare the LOG, protect it, review it timely and retain it.)
  • Centralized access logs → The IS auditor should determine if the organization's access logs are aggregated or if they are stored on individual systems. (Prepare)
  • Access log protection → The auditor needs to determine if access logs can be altered, destroyed, or attacked to cause the system to stop logging events. The IS auditor needs to determine if logs should be written to digital media that is unalterable. (Protect)
  • Access log review → The IS auditor needs to determine if there are policies, processes or procedures regarding access log review. The auditor should determine if access log reviews take place, who performs them, etc. (Review timely)
  • Access log retention → The IS auditor should determine how long access logs are retained by the organization and if they are backed up. (Retain)

Investigation Procedure
  Auditing investigative procedures requires attention to several key activities, including:
   Investigation policies and procedures: The IS auditor should determine if there are any policies or procedures regarding security investigations. This includes who is responsible for performing investigations, where information about investigations is stored, and to whom the results of investigations are reported. (Access + Responsibility + Reporting)
   Computer crime investigations: The IS auditor should determine if there are policies, processes, procedures, and records regarding computer crime investigations.
   Computer forensics: The IS auditor should determine if there are any procedures established for conducting computer forensics. He should also identify the tools and techniques that are available to the organization.
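As an added example (not code from the booklet or any product), the Python below implements a hash-chained, append-only access log holding the boundary-controls audit-trail fields listed earlier (user, terminal, resource, privilege, outcome, time), a check that reports the first altered or missing entry (the "access log protection" point above), and the reviews from the user-access-controls row: dormant accounts, accounts whose denied attempts reached a lockout threshold, and the logged access violations. All accounts, terminals, timestamps and thresholds are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _digest(prev_hash, event):
    """Hash of the previous entry's hash plus this entry's canonical JSON."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AccessLog:
    """Append-only log of boundary-control events. Every entry carries the hash of
    the entry before it, so editing, removing or reordering a record invalidates
    the chain from that point on."""

    def __init__(self):
        self.entries = []

    def append(self, user, terminal, resource, privilege, outcome, when):
        event = {
            "user": user,            # identity of the would-be user
            "terminal": terminal,    # terminal identifier
            "resource": resource,    # resource requested
            "privilege": privilege,  # action privilege requested
            "outcome": outcome,      # "granted" or "denied"
            "time": when.isoformat(),
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"event": event, "prev": prev, "hash": _digest(prev, event)})

    def verify(self):
        """Return the index of the first entry whose link is broken, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry["prev"] != prev or entry["hash"] != _digest(prev, entry["event"]):
                return i
            prev = entry["hash"]
        return -1


def review(log, known_accounts, as_of, dormant_days=90, lockout_threshold=5):
    """Auditor's review of the log: dormant accounts (no successful sign-on within
    dormant_days), accounts whose denied attempts reached the lockout threshold, and
    the access violations the system logged."""
    last_success, failures, violations = {}, {}, []
    for entry in log.entries:
        e = entry["event"]
        t = datetime.fromisoformat(e["time"])
        if e["outcome"] == "granted":
            last_success[e["user"]] = max(t, last_success.get(e["user"], t))
        else:
            failures[e["user"]] = failures.get(e["user"], 0) + 1
            violations.append((e["time"], e["user"], e["terminal"], e["resource"]))
    cutoff = as_of - timedelta(days=dormant_days)
    dormant = sorted(a for a in known_accounts if last_success.get(a, cutoff) <= cutoff)
    lockout = sorted(u for u, n in failures.items() if n >= lockout_threshold)
    return {"dormant": dormant, "lockout_candidates": lockout, "violations": violations}


# Constructed sample: three accounts known to the auditor, reviewed as of 31 May 2022.
KNOWN_ACCOUNTS = ["asha", "ravi", "svc_backup"]
AS_OF = datetime(2022, 5, 31, tzinfo=timezone.utc)


def sample_log():
    """Constructed events: normal use by asha, one grant then six denials for ravi,
    and no activity at all for the svc_backup account."""
    log = AccessLog()
    t0 = datetime(2022, 5, 1, 9, 0, tzinfo=timezone.utc)
    log.append("asha", "TERM-01", "ledger", "read", "granted", t0)
    log.append("ravi", "TERM-02", "ledger", "read", "granted", t0 + timedelta(seconds=30))
    for i in range(6):
        log.append("ravi", "TERM-02", "payroll", "write", "denied", t0 + timedelta(minutes=1 + i))
    log.append("asha", "TERM-01", "ledger", "write", "granted", t0 + timedelta(hours=1))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("chain intact:", log.verify() == -1)
    print(review(log, KNOWN_ACCOUNTS, AS_OF))
    log.entries[3]["event"]["outcome"] = "granted"  # simulate an edited record
    print("first broken entry:", log.verify())       # 3
```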


Data Related Concept

Meaning of Database Model -
A Database Model is a type of data model that determines the logical structure of a database and
fundamentally determines in which manner data can be stored, organized and manipulated.

Database models -
Below are the 4 types of models related to databases:
• Hierarchical Database Model
• Relational Database Model
• Network Database Model
• Object Oriented Database Model

Hierarchical Database Model
• A hierarchically structured database is arranged logically in an inverted tree pattern. (figure: example of a hierarchical database model)
• This database model organizes data into a tree-like structure, with a single root, to which all the other data is linked.
• The hierarchy starts from the root data and expands like a tree, adding child nodes to the parent nodes.

Relational Database Model
• A Relational Database allows organizing the data and its structures, storage and retrieval operations in tabular format.
• 3 key terms - Relations, Attributes, and Domains.
• A relational database contains multiple tables, which implies relationships among their records.
• In a relational database, all the tables are related by one or more fields so that all tables in the database can be connected.

Network Database Model
• A network database structure views all records in sets, wherein each set is composed of an owner record and one or more member records.
• The network model implements one-to-one, one-to-many, many-to-one and many-to-many relationship types.
• The network model can represent redundancy in data more efficiently than the hierarchical model.

Object Oriented Database Model
• An Object-Oriented Database Management System (OODBMS) helps programmers work with objects created in a programming language.
• It combines different aspects of an object-oriented programming language, like complex data, into a DBMS.
• This model helps programmers make objects which are independently functioning applications or programs, each assigned a specific task to perform.


Big Data
The term refers to such massively large data sets that conventional database tools do not have the processing power to analyze them. Storing and analyzing that much data is beyond the power of traditional database-management tools. Hence there is a requirement to develop tools that are able to collect, store and analyze such data.

Benefits of big data processing -
• Ability to process Big Data brings in multiple benefits.
• Improved customer service
• Better operational efficiency

Data Warehouse
A data warehouse is a concept starting with extracting data from one or more of the organization's databases and loading it into the data warehouse (which is itself another database) for storage and analysis. Below is the process flow -
• Extract: This stage involves extracting the data from various sources such as ERP systems used, databases etc.
• Transform: Data so extracted is placed in a temporary area called the Staging Area where it is transformed, e.g. sorting, filtering etc.
• Load: Involves loading of the transformed data into a data warehouse which itself is another database for storage and analysis.

Data Mining
• Data Mining is the process of analyzing data to find out unknown trends, patterns, and associations to make decisions. It is accomplished through automated means against extremely large data sets.
• Example of data mining → Analysis of a month's sales by a supermarket store to find the product which is sold most.
• Below are the steps involved in data mining -
  ▪ Data Integration
  ▪ Data Selection
  ▪ Data Cleaning
  ▪ Data Transformation
  ▪ Data Mining
  ▪ Pattern Evaluation and Knowledge Presentation
  ▪ Decisions / Use of Discovered Knowledge

Approaches while designing a data warehouse
Bottom-Up Approach: Starts by creating small data warehouses, called data marts, to solve specific business problems. As these data marts are created, they can be combined into a larger data warehouse.
Top-Down Approach: Suggests that we should start by creating an enterprise-wide data warehouse. As specific business needs are identified, smaller data marts are created from the data warehouse.

Advantages of Data Warehouse (U.C. - D.A.T.)
Understanding the data: The process of developing a data warehouse requires an entity to better understand the collected data.
Consistency of Data: Once all data is identified as consistent, an entity can easily report consistent statistics.
Data centralization: A data warehouse provides a centralized view of all data which is collected across the business.
Analysis of Information: A data warehouse provides a centralized view of all data which is collected across the business.
Trend analysis: Having a data warehouse, snapshots of data can be taken over time. This creates a historical record.


Chapter 4 : E-Commerce, M-commerce & emerging technologies

Introduction → E-Commerce
E-Commerce means "Sale / Purchase of goods / services through electronic mode". This could include the use of technology in the form of Computers, Desktops, Mobile Applications, etc. With the passage of time, e-commerce has gathered the attention of nearly all companies.

(figure: Illustration of E-commerce)

Difference between Traditional Commerce and E-Commerce
• Resource focus. Traditional: Supply side. E-Commerce: Demand side.
• Transaction Processing. Traditional: Manual. E-Commerce: Automated.
• Scope. Traditional: Limited. E-Commerce: Worldwide.
• Size. Traditional: Type and size of items, and number of customers, influence the size of the store. E-Commerce: Online stores have heavy traffic and need enough bandwidth, processing power, and data storage capacity.
• Payment. Traditional: Cash, Cheque, Credit Card, etc. E-Commerce: Credit card, fund transfer, wallets, UPI etc.
• Profit Impact. Traditional: Overhead expenses etc. give a lower profit margin. E-Commerce: Less costly than owning a physical store; hence, a higher profit margin.
• Availability. Traditional: For a limited time. E-Commerce: 24 X 7 X 365.
• Marketing. Traditional: Stores have a physical presence. E-Commerce: Have to advertise their presence more aggressively on the internet.
• Nature of purchase. Traditional: Goods can be inspected physically before purchase. E-Commerce: Goods cannot be inspected physically before purchase.
• Definition. Traditional: Includes activities which are manual and non-electronic. E-Commerce: Carrying out commercial transactions electronically on the internet.
• Location. Traditional: Requires a market place. E-Commerce: Requires a market space.


Benefits of E-commerce

BENEFITS TO THE CONSUMER (Code To Remember: D. – C.A.R.T.)
Deals & Coupons: There are discount coupons and reward points available for customers to encourage online transactions.
Convenience: Every product at an individual's fingertips on the internet.
Anytime Access: Access to the e-commerce platforms is available at any time, which brings in customer suitability.
Reviews: There are often reviews about a particular site/product from previous customers, which provide valuable feedback.
Time saving: The number of operations that can be performed both by potential buyers and sellers increases.

BENEFITS TO THE BUSINESS/SELLER (Code To Remember: Q.C. – D.I.C.E.)
Better Quality of goods: Excess competition has increased and has also improved the quality of goods through expanded markets.
Cost reduction: Low advertising cost and large-scale economies lead to low cost.
Dynamic Market: Since there are several players, a dynamic market is provided which enhances quality and business.
Instant Transaction: The transactions of e-commerce are based on real-time processes. This has made it possible to crack a number of deals.
Customer Base increased: Since the number of people getting online is increasing, this creates new customers while also retaining old ones.
Efficiency improvement: Due to reduced transaction time; reduction in inventories and in the risk of obsolete inventories.

BENEFITS TO THE GOVERNMENT
Instrument to fight corruption: E-Commerce provides a pivotal hand to fight corruption. The Information Technology Act, 2000 provides a legal framework for electronic governance by giving recognition to electronic records and digital signatures.
Reduction in use of ecologically damaging materials: There has been a reduction in the use of ecologically damaging materials through electronic coordination of activities and the movement of information rather than physical objects.

Disadvantages of E-commerce

Code To Remember: C.L.I.F.F.S. (cliffs – Danger – Disadvantage)
• Cost of components
• Legal Issues
• Internet Connection
• Fraud
• Food & inspect-related Items
• Security Concerns


E – Market Models

Portal
• A portal is a website that serves as a gateway or a main entry point on the internet to a specific field of interest or an industry.
• A portal consists of web pages that act as a starting point for using the web or web-based services. E.g. - Yahoo! Stores.
E-Shop
• An e-shop is a virtual store front that sells products and services online, where customers can shop anytime.
• It is a convenient way of effecting direct sales to customers, allowing manufacturers to bypass intermediate operators and thereby reducing costs.
E-mall (= 1 or more E-shops)
An e-mall consists of a collection of e-shops usually grouped under a single Internet address. It is a website that displays electronic catalogues from several suppliers.
E-auctions
• These provide a channel of communication through which the bidding process for products and services can take place between competing buyers.
• In e-auctions, information is available about the products, prices, current demand, and supply.
Buyer Aggregator
In this, a firm collects information about goods/service providers, makes the providers its partners and sells their services under its own brand. For example - www.zomato.com.
Virtual community
• A Virtual Community is a platform for a community of customers who share a common interest and use the internet to communicate with each other.
• E.g. - www.facebook.com.
E-distribution
• E-distribution is a concept wherein a company supplies products and services directly to individual businesses.
E-Procurement
• E-procurement is the management of all procurement activities via electronic means.

E-commerce business models
A Business Model can be defined as the mechanism by which a business intends to generate revenue and profits, and includes products, services and information flows, the sources of revenues, and benefits for suppliers and customers.


Components of E-commerce

User: This may be an individual / organization or anybody using the e-commerce platforms.

E-Commerce Vendors: This is the organization / entity providing the user the goods / services asked for. As e-commerce has made procurement easy and simple, just on the click of a button, e-commerce vendors need to ensure that their products are not delivered to wrong users. In order to ensure quality of goods and services, e-commerce vendors further need to ensure the following for better, effective and efficient transactions -
• Showroom and offline purchase
• Different ordering methods
• Guarantees
• Security
• Warehouse operations
• Shipping & returns
• E-commerce catalogue & product
• Marketing and loyalty programs

Technological Infrastructure: E-commerce is technology driven. Various types of e-commerce applications and technologies are being used by organizations to increase the scope of business. Characteristics of technology used in e-commerce -
• Scalable
• Easy to use and convenient
• Responsive design

Internet & Network: This is the critical enabler for e-commerce. Internet connectivity is important for any e-commerce transaction to go through.

Web Portal: A web portal is the application through which the user interacts with the e-commerce vendor.

Payment Gateway: A payment gateway is a server that is dedicated to linking websites and banks so that online transactions can be completed in real time.


Components of Technology Infrastructure

Architecture of networked systems

2 Tier Architecture

Advantages:
• System performance is good due to the business logic and database being physically close.
• Since processing is shared between client and server, more users could interact with the system.
• By having this structure, it is easy to set up and maintain the entire system smoothly.
Disadvantages:
• Performance deteriorates if the number of users increases.
• There is restricted flexibility and choice of DBMS, since the data language used in the server differs between vendors.

Presentation Tier (Client Application / Client Tier): This is the interface that allows the user to interact with the e-commerce vendor. The user can log in to an e-commerce vendor through this tier. This application also displays the various products / prices to customers.
Database Tier (Data Tier): The product data / price data / customer data and other related data are kept here. The user has no access to data / information at this level.


3 Tier Architecture

Advantages:
• Clear separation of application & user interface: System performance is higher because the business logic and database are physically close.
• Balancing: If bottlenecks in terms of performance occur, the server process can be moved to other servers at runtime.
• Change Management: It is easy and faster to exchange a component on the server.
Disadvantages:
• Increased need of traffic management: It creates an increased need for network traffic management, server load balancing, and fault tolerance.
• Complex: Tools are relatively immature and are more complex.
• Maintenance inadequacy: Maintenance tools are currently inadequate for maintaining server libraries. This is a potential obstacle.

Presentation Tier: Occupies the top level and displays information related to services available on a website. This tier communicates with other tiers by sending results to the browser and other tiers in the network.
Application Tier: Also called Middle Tier, Logic Tier or Business Logic Tier; this tier is pulled from the presentation tier. It controls application functionality by performing detailed processing.
Database Tier: This tier houses the database servers where information is stored and retrieved. Data in this tier is kept independent of application servers or business logic.

E-commerce architecture vide Internet / Mobile App

E-commerce architecture vide Internet
Client / User Interface Layer: This layer helps the e-commerce customer connect to the e-commerce merchant.
Application Layer: This layer allows the customer to check the products available on the merchant's website.
Database Layer: This layer is accessible to the user through the application layer.

E-commerce architecture vide Mobile App
Client / User Interface Layer: Mobile web browser and Internet; Mobile - APP (Application) - User.
Application Layer: Application server and back-end server. For example, in the same example it includes: E-merchant; Reseller; Logistics partner; Payment Gateway.
Database Layer: The information store house, where all data relating to products and prices is kept.


Work flow diagram for e-commerce


Step: Activities
Customer's login: Few e-commerce merchants may allow the same transactions to be done through phone, but the basic information flow is e-mode.
Product / Service Selection: The customer selects products / services from the available options.
Customer Places Order: The order is placed for the selected product / service by the customer. This step leads to the next important activity, PAYMENT GATEWAY.
Payment Gateway: Here the customer makes a selection of the payment method. In case the payment method is other than cash on delivery (COD), the merchant gets the update from the payment gateway about payment realization from the customer. In case of COD, the e-commerce vendor may do an additional check to validate the customer.
Dispatch & Shipping Process: This process may be executed at two different ends. First, if the product / service inventory is managed by the e-commerce vendor, then dispatch shall be initiated at the merchant warehouse. For example: FLIPKART states that it has more than 1 lac registered third-party vendors on its website.
Delivery Tracking: Another key element denoting the success of an e-commerce business is timely delivery. Merchants keep track of this. All merchants have their delivery status at hand, so that the product / service delivery to customers is immediately updated.
COD tracking: In case products are sold on COD payment mode, merchants need to have an additional check on matching delivery with payments.

Risks and Controls

Below is the list of risks associated with e-commerce transactions -

[ Code to Remember: I. H.A.D. – C.L.A.P. ]
(Knowing all risks, I was happy and I HAD a CLAP)
• Infrastructure
• Hidden Cost
• Attack from hackers
• Denial of service
• Contract Repudiation
• Loss or theft of data
• Absence of Audit trail
• Privacy and security


Below are the controls that need to be implemented while doing an e-commerce transaction -
• Users: Ensure that the genuine user is using the e-commerce & m-commerce platform.
• Sellers / Buyers / Merchants: A proper framework must be in place to ensure the success of the business, with controls on price, catalogue, discount schemes etc.
• Government: Ensuring (1) tax accounting of all products / services sold; (2) all products / services sold are legal.
• Network Service Providers: They need to ensure availability and security of the network.
• Technology Service Providers: Includes cloud computing back-ends, application back-ends and the like. They are also prone to risks of availability and security.
• Logistics Service Providers: Logistics service providers are the ones who are finally responsible for timely product deliveries.

But sometimes it is observed that though controls are in place, threats still happen. In this case the following steps are to be taken in order to minimize the risk of failure of controls -

Educating participants about the nature of risks
• Every participant needs to be educated / sensitized towards the risks associated with such transactions.
• Frequency and nature of education programs.

Communication of organizational policies to its customers
To avoid customer dissatisfaction and disputes, it is necessary to make the following information clear throughout your website:
- Privacy policies
- Information security
- Shipping and billing policies
- Refund policies

Ensure compliance with industry body standards
All e-commerce businesses are required to comply with and adhere to the rules outlined by the law of the land. In India, RBI has been releasing these standards from time to time.

Protect your e-commerce business from intrusion
Below are the types of intrusion -
• Viruses
• Hackers: passwords, regular software updates, sensitive data.


Cyber security risk consideration


SA 315 recognizes that IT poses specific risks to an entity's internal control in the form of the following:
 Reliance on systems or programs that are inaccurately processing data, processing inaccurate data, or both.
 Unauthorized access to data that may result in destruction of data or improper changes to data, including the recording of unauthorized or non-existent transactions, or inaccurate recording of transactions. Particular risks may arise where multiple users access a common database.
 Possibility of IT personnel gaining access privileges beyond those necessary to perform their assigned duties, so breaking down segregation of duties.
 Unauthorized changes to data in master files.
 Unauthorized changes to systems or programs.
 Failure to make necessary changes to systems or programs.
 Inappropriate manual intervention.
 Potential loss of data or inability to access data as required.

Below are levels through which breach can occur -
1. Network diagram detailing databases, hubs, servers, routers, internal & external network, etc.
2. Any incidents of cyber security breach which occurred, the actions taken and the controls built in to avoid them from occurring again.
3. Are the IT managers responsible for the safeguarding of the assets from cyber-attack?
4. Periodical review of access rights to all IT resources to ensure that the access given to users is commensurate with their functional roles and responsibilities.
5. Timely employee awareness campaigns focusing on methods of intrusion which can be stopped based on individual actions.
6. Use of firewalls by the Company to allow internet activity in accordance with the rules defined.
7. Any vulnerability scans or penetration testing performed by the Company and any findings noted.
8. Are the backups scheduled properly and timely checked by restoration of data?

Guidelines and law governing e-commerce
Billing: Guidelines related to billing are the format of the bill; details to be shared in bills; applicable GST.
Product guarantee / Warranty: Proper display of product guarantee / warranty online as well as in the documents sent along with the products.
Shipping: Below are the things to be put in the policy documents: 1. The shipping time. 2. Frequency of shipping. 3. Packing at the time of shipping.
Delivery: Policy needs to be defined for: 1. Which mode of delivery to choose – own, third party. 2. When deliveries are to be made – day time or fixed time. 3. Where deliveries are to be made – buyer's office, home, shop.


Law governing e-commerce

Commercial laws:
• Income Tax Act
• Companies Act 2013
• Foreign Trade Act, 1992
• Factories Act, 1948
• Custom Act, 1962
• GST Act 2017
• FEMA 1999
• Consumer Protection Act, 1986

Special laws governing e-commerce:
• Information Technology Act, 2000
• Reserve Bank of India, 1932

Digital Payments

Meaning & type
Digital Payment is a way of payment which is made through digital modes. In digital payments, payer and payee both use digital modes to send and receive money. It is also called electronic payment. Below are the types of digital payments -
• BHIM (Bharat Interface for Money)
• Mobile Wallets
• Aadhaar Enabled Payment Service (AEPS)
• Mobile banking
• Crypto-currency
• E-Rupi

Advantages -
1. Discount for Taxes: The Govt. announced many discounts to encourage digital payments.
2. Record: These are automatically recorded in the passbook or inside the E-Wallet app.
3. Less Risk: Digital payments have less risk. No one can use anyone else's money without the MPIN, PIN etc.
4. Easy and convenient: Digital payments are easy and convenient.
5. Transaction ease: With digital payment modes, one can pay from anywhere, anytime.

Disadvantages -
1. Difficult for a non-technical person: Payment through internet mode is difficult for non-technical persons such as farmers, workers etc.
2. Over-spending: With digital payment mode, one has access to all his/her money, which can result in overspending.
3. Theft risk: Hackers can hack the servers of the bank or the E-Wallet a customer is using.
4. Increased business costs: Costs incurred in procuring and maintaining sophisticated payment-security technologies.


Computing Technologies

Technologies covered: Virtualization, Grid computing, Cloud computing, Mobile computing, Green computing, Bring your own device (BYOD), Web 3.0, Artificial Intelligence, Machine Learning.

Virtualization:
Virtualization means creating a virtual version of a device or resource such as a server, storage device, network or even an operating system, where the framework divides the resource into one or more execution environments.

Applications of virtualization (Code to Remember: T. – P.A.D.S):
1. Testing and training
2. Portable workplaces
3. Applications
4. Disaster recovery
5. Server consolidation

Types of virtualization:
- Hardware/Platform virtualization: the creation of a virtual machine that acts like a real computer with an operating system. Hardware virtualization is a method whereby one or more "virtual machines" are created to share the hardware resources of one physical computer.
- Network virtualization: a method of combining the available resources in a network by splitting up the available bandwidth into channels. Each channel is independent of the others and can be assigned independently.
- Storage virtualization: the pooling of data from multiple storage devices. It helps the storage administrator perform the tasks of backup, archiving and recovery. It is sometimes described as "abstracting the logical storage from the physical storage".


Grid computing:
Grid computing is a computer network in which each computer's resources are shared with every other computer in the system. In the ideal grid computing system, every resource is shared, turning a computer network into a powerful supercomputer.

Benefits of grid computing (Code to Remember: U.R. – V.R. – C.A.M):
1. Underutilized resources usage
2. Resource balancing
3. Virtual resources
4. Reliability
5. CPU capacity
6. Access to resources
7. Management

Resources of grid computing:
- Computation: computing cycles provided by the processors of the machines on the grid, where the processors can vary in speed, architecture and other factors.
- Storage: a grid providing an integrated view of data storage is sometimes called a Data Grid. Each machine on the grid usually provides some storage for grid use.
- Communications: communications within the grid are important for sending jobs and their required data to points within the grid.
- Software and licenses: license management software keeps track of how many concurrent copies of the software are being used and prevents more than that number from executing at any given time.
- Special equipment, capacities, architectures and policies: platforms on the grid may have different architectures, operating systems, devices, capacities and equipment.

Grid Computing Security

Code to Remember: D.S. – S.P.I.C.E.S. (DS group spices)

- Data management: users' data-intensive, high-performance computing applications in grid computing require the efficient management and transfer of huge volumes of data.
- Standardization: grid computing, as a highly integrated system, involves multi-purpose protocols and interfaces to resolve issues; standardizing these protocols and interfaces is a big issue in grid computing.
- Single sign-on: a user should authenticate once and then be able to acquire resources, use them and release them, with the authentication communicated internally without any further authentication.
- Policy for securing group communication: in a communication there are various processes which coordinate their activities; this coordination must be secured.
- Interoperability with local security solutions: access to local resources should be governed by the local security policy at the local level, with an inter-domain security server providing security to local resources.
- Credential protection: user passwords, private keys, etc. should be protected.
- Exportability: the code should be exportable, i.e. it cannot use a large amount of encryption at a time and there should be minimum communication at a time.
- Support for multiple implementations: there should be a security policy which provides security to multiple sources based on public and private key cryptography.


Cloud computing:
"The Cloud" refers to applications, services and data storage on the Internet; cloud computing is the use of these services by individuals and organizations. The best example of cloud computing is Google Apps, which can be opened in any web browser and whose applications can be installed from there. Cloud computing is a combination of software and hardware-based computing resources delivered as a networked service. This model of IT-enabled services enables anytime access to a shared pool of applications and resources.

Characteristics of cloud computing (Code to Remember: M.P. – M.O.R.E):
- Movement of workload
- Pay per use
- Multi-tenancy
- On-demand
- Resiliency
- Elasticity and scalability

Advantages of cloud computing (Code to Remember: G – F.R.A.M.E.S.):
- Globalize workforce
- Flexibility improvement
- Reduce spending on technology infrastructure
- Accessibility
- Monitoring of projects
- Economies of scale
- Streamline business processes

Limitations of cloud computing (Code to Remember: D.R.I.N.K.):
1. Difficulty in interoperability
2. Restriction on availability
3. Internet connection absence
4. No control on resources
5. Knocking of security measures

Cloud computing environment

Private Cloud
- Meaning: a private cloud is a proprietary network or a data center that supplies hosted services to a limited number of people.
- Characteristics: secure; central control; weak SLA* (*Service Level Agreement).
- Advantages: improved server utilization; better control; high level of security; no resource wastage.

Public Cloud
- Meaning: a public cloud sells services to anyone on the Internet. Public cloud services may be free or offered on a pay-per-usage model.
- Characteristics (Code to Remember: S.A.L.S.A.): Scalable; Affordable; Less secure; Stringent SLAs; Available.
- Advantages: cost effective; scalability to meet needs; strict SLAs.

Community Cloud
- Meaning: here the cloud is shared by person(s) of one community, hence the name, e.g. organizations with common mission or security requirements.
- Characteristics: scalable; partly secure; stringent SLAs; complex cloud management.
- Advantages: low-cost private cloud; collaborative work; responsibilities sharing; better security.

Hybrid Cloud
- Meaning: a hybrid cloud uses a combination of public and private storage clouds.
- Characteristics: cost effective; partly secure; collaborative and distributive maintenance; complex cloud management.


Cloud computing service models

Infrastructure as a Service (IaaS):
Provides computing resources such as processing power, memory, storage and networks for cloud users to run their applications on demand. It allows users to maximize utilization of computing capacity without managing their own resources.
Characteristics of IaaS (Code to Remember: M. – W.I.S.E):
1. Management is centralized
2. Web access to resources
3. Infrastructure sharing
4. Metered services
5. Elasticity and dynamic scaling

Platform as a Service (PaaS):
PaaS gives users the ability to develop and deploy an application on the development platform provided by the service provider. PaaS services can consist of preconfigured features that customers can subscribe to; they can choose to include features that meet their requirements while discarding those that do not.

Software as a Service (SaaS):
SaaS is a cloud service where consumers are able to access software applications over the internet. Users do not have to worry about the installation, setup and running of the application; the service provider does that. Whichever model is used, the customer remains responsible for its own data, identities and access rights.
Different instances of SaaS (Code to Remember: T.E.A.):
1. Testing as a Service (TaaS)
2. Email as a Service (EaaS)
3. API as a Service (APIaaS)

Other cloud service models:
- Communication as a Service (CaaS)
- Data as a Service (DaaS)
- Security as a Service (SECaaS)
- Identity as a Service (IDaaS)

Pertinent issues related to cloud computing:
- Threshold policy
- Hidden costs
- Interoperability issues
- Unexpected issues
- Security issues
- Software development in the cloud
- Bugs in large-scale distribution

Mobile computing:
A technology that allows transmission of data, via a computer, without having to be connected to a fixed physical link. Mobile voice communication is widely established throughout the world and has had a very rapid increase in the number of subscribers to the various cellular networks over the last few years. An extension of this technology is the ability to send and receive data across these cellular networks.

Components of mobile computing:
- Mobile communication
- Mobile hardware
- Mobile software


Working of mobile computing:
- The user enters or accesses data using an application on a hand-held computing device.
- Using one of several connecting technologies, the data is transmitted from the hand-held device to the site's information system, where files are updated and the new data becomes accessible to other system users.
- Now both systems (the hand-held device and the site's computer) have the same information and are in sync.
- The process works the same way starting from the other direction.

Benefits of mobile computing:
- Enables access to work details.
- Enables a salesperson to update work order status in real time.
- Management personnel can view any information at any time.
- Provides remote access to corporate knowledge.
- Improves management efficiency by enhancing the quality of information, information communication etc.

Limitations of mobile computing (Code to Remember: B.S.P. – H. – H.T.):
1. Bandwidth insufficiency
2. Security standards
3. Power consumption
4. Human interface with the device
5. Health hazards
6. Transmission interference

Green computing:
Green IT refers to the study and practice of establishing/using computers and IT resources in a more efficient and environmentally friendly way. Computers use a lot of natural resources such as power, and there are problems in disposing of them. Steps for Green IT include the following:
- Develop a sustainable green computing plan
- Recycle
- Make environmentally sound purchase decisions
- Reduce paper consumption
- Conserve energy

Web 3.0:
Web 3.0 is also known as the Semantic Web. It describes sites where computers generate raw data on their own without direct user interaction. Web 3.0 uses semantic web technology, drag-and-drop mashups, and consolidation of web content depending on the interest of the individual user. It is based on "Data Web" technology, which makes data records publishable and reusable through a query format. Two components of Web 3.0:
- Semantic Web
- Web Services

Bring your Own Device (BYOD)

BYOD stands for bring your own device and refers to the idea of people bringing their personally-owned computing devices. It commonly refers to employees bringing along their own devices to the office in order to access corporate networks and business data etc.

Advantages of BYOD (Code to Remember: H.I.R.E2):
1. Happy employees
2. Lower IT budgets
3. Reduced IT support
4. Increased employee efficiency
5. Early adoption of new technologies

Emerging BYOD threats (Code to Remember: I. – A.N.D.):
1. Implementation risks
2. Application risks
3. Network risks
4. Device risks


Internet of Things (IoT)

Definition: a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers and the ability to transfer data over a network.

Applications of IoT:
- Wearables
- Smart city
- Smart grids
- Industrial IoT
- Connected car
- Connected health
- Smart retail
- Smart supply chain

Risks of IoT:
- Impact on business
- Obsolescence of devices
- Analytics and data storage
- Security
- Autonomy, privacy and control
- De-standardization
- Impact on environmental resources

Artificial Intelligence (AI)

Definition: "the ability to use memory, knowledge, experience, understanding, reasoning, imagination and judgment to solve problems and adapt to new situations". This ability, when exhibited by machines, is called artificial intelligence (AI).

Applications of AI:
- Game playing
- Online assistants
- Theorems of mathematics
- Medical diagnosis, in cancer research, and predicting the chances of an individual falling ill from a disease
- Art
- Drones and self-driving cars

Risks associated with AI:
- AI relies heavily on the data it gets.
- AI (robots) carries a security threat.
- These machines do not have the capability of thinking out of the box.

Block Chain

Blockchain is a shared, peer-to-peer, decentralized open ledger of transactions with no trusted third parties in between. A blockchain generally uses a chain of blocks, with each block representing digital information stored in a public database.

Steps in blockchain:
1. Transaction initiated.
2. Transaction broadcast.
3. Validation of transactions.
4. Transaction represented online as a block.
5. Block added to the blockchain.
6. Block is added to the existing chain and the transaction is complete.

Areas of application:
- Financial services
- Healthcare
- Government
- Travel industry
- Economic forecast

Risks of blockchain:
1. Different risk magnitude.
2. Compromise with data.
3. Absence of central monitoring.
4. Overload of information.

Controls in blockchain:
- Communication methods shall be developed.
- Data analytics procedures shall be developed to identify and obtain relevant data.
- Both internal and external auditors shall be engaged in development.
- Monitoring techniques shall be used to perform ongoing evaluations.
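The six steps above worked through in code, as an added example that is not part of the original notes and not any real blockchain implementation. The transaction rule (positive amount, no self-transfer), the block fields and the SHA-256 linking are assumptions chosen for illustration, the sample transactions are constructed, and there is no network or consensus. It also shows the "compromise with data" risk listed above: editing a recorded amount breaks the hash chain and verify_chain reports the first bad block.

```python
import copy
import hashlib
import json

# Constructed, simplified ledger: transactions are dicts, blocks are dicts
# linked by the SHA-256 hash of the previous block. Single node, no consensus.

GENESIS_PREV = "0" * 64


def block_hash(block):
    """Hash the block's recorded fields deterministically (sorted, compact JSON)."""
    header = {k: block[k] for k in ("index", "transactions", "previous_hash")}
    data = json.dumps(header, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()


def validate_transaction(tx):
    """Step 3 (validation): assumed rule, reject non-positive amounts and self-transfers."""
    amount = tx.get("amount")
    return (
        isinstance(amount, (int, float))
        and amount > 0
        and tx.get("sender") != tx.get("receiver")
    )


def new_chain():
    """Step 0: a genesis block with nothing before it."""
    genesis = {"index": 0, "transactions": [], "previous_hash": GENESIS_PREV}
    genesis["hash"] = block_hash(genesis)
    return [genesis]


def add_block(chain, transactions):
    """Steps 1-5: take broadcast transactions, keep the valid ones, link and append."""
    valid = [tx for tx in transactions if validate_transaction(tx)]
    if not valid:
        raise ValueError("no valid transactions to record")
    block = {
        "index": len(chain),
        "transactions": valid,
        "previous_hash": chain[-1]["hash"],   # the link that makes it a chain
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def verify_chain(chain):
    """Return (True, None) if every hash and link checks out, else (False, bad_index)."""
    first = chain[0]
    if first["previous_hash"] != GENESIS_PREV or first["hash"] != block_hash(first):
        return False, 0
    for i in range(1, len(chain)):
        blk = chain[i]
        if blk["hash"] != block_hash(blk) or blk["previous_hash"] != chain[i - 1]["hash"]:
            return False, i
    return True, None


def tamper_and_verify(chain, index, new_amount):
    """'Compromise with data': alter a recorded amount in a copy and re-verify."""
    altered = copy.deepcopy(chain)
    altered[index]["transactions"][0]["amount"] = new_amount
    return verify_chain(altered)


def demo_chain():
    """Constructed sample ledger: two blocks after genesis; the self-transfer is dropped."""
    chain = new_chain()
    add_block(chain, [
        {"sender": "alice", "receiver": "bob", "amount": 50},
        {"sender": "bob", "receiver": "bob", "amount": 10},
    ])
    add_block(chain, [{"sender": "bob", "receiver": "carol", "amount": 20}])
    return chain


if __name__ == "__main__":
    chain = demo_chain()
    print("intact chain:", verify_chain(chain))
    print("after editing block 1:", tamper_and_verify(chain, 1, 5000))
```

Because each block stores the hash of its predecessor, changing a past amount would require recomputing that block's hash and every hash after it; on a real peer-to-peer ledger the other nodes still hold the original hashes, which is what the "no trusted third party" model relies on.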


Chapter 5: Core Banking System

Introduction to Banking

The changes in the banking scenario due to moving over to Core Banking Systems and IT-based operations have enabled banks to reach customers and facilitate seamless transactions. There has been massive use of technology across many areas of banking business in India. Banking is the engine of economic growth. Below are the areas where IT is playing a major role:
1. Loan processing and sanctioning
2. Safe keeping of security documents
3. Post-sanction monitoring and supervision of borrowers' accounts
4. Accounting of day-to-day transactions, receipts and payments of cash and cheques, and updating passbooks/statements

Banking and finance services

- Acceptance of deposits: banks accept deposits in various forms such as term deposits, savings bank deposits, current account deposits, recurring deposits etc.
- Granting of advances: advances granted by banks take various forms such as overdrafts, discounting of bills, term loans, etc.
- Remittances: involve transfer of funds from one place to another, e.g. demand drafts, mail transfer, Electronic Fund Transfer.
- Collections: involve collecting proceeds on behalf of the customer. Customers can lodge various instruments such as cheques and drafts.
- Clearing: collecting instruments on behalf of customers of the bank. The instruments payable locally are collected through the clearing house mechanism.
- Debit cards: facilitate customers to pay at any authorized outlet as well as to withdraw money from an ATM from their account.
- Credit cards: issuance of credit cards is usually entrusted to a separate division at the central office of a bank. The dues against the credit cards are collected by specified branches.
- Letters of credit: a Letter of Credit is an undertaking by a bank to the payee (supplier of goods and services) to pay him, on behalf of the applicant (the buyer), any amount up to the limit specified in the LC.
- Guarantees: guarantees are required by the customers of banks for submission to the buyers of their goods/services to guarantee performance.
- Other banking services: these include bank operations, retail banking, high net worth individuals, risk management and specialized services.


Overview of core banking system (CBS)

CBS refers to a common IT solution wherein a central shared database supports the entire set of banking applications. Now we will study different aspects of CBS.

Characteristics of CBS (Code to Remember: A.B.D. – I.C.C.):
- Advanced technology
- Business application
- Delivery channel
- Integration
- Centralized business application
- Customer benefit

Core features of CBS (Code to Remember: P.A.T.I. – C.U.R.E.):
- Processing of standing instructions
- Authorizations occur within the application
- Transactions are posted immediately
- Interaction with customers
- Centralized operations
- Updation of databases simultaneously
- Real-time processing
- Easy, anytime and every-time access for customers and vendors

Modules of CBS:
- Back Office: the portion of a company made up of administration and support personnel, who are not client-facing.
- Data Warehouse: data warehouses take care of difficult data management, digesting large quantities of data, ensuring accuracy and making it easier for professionals to analyze.
- Automated Teller Machine (ATM): an electronic banking outlet that allows customers to complete basic transactions without the aid of a branch representative or teller.
- Central Server: all the bank's branches access applications from centralized data centers/servers.
- Mobile Banking: uses software, usually called an app; mobile banking is available on a 24-hour basis.
- Internet Banking: an electronic payment system that enables customers to conduct a range of financial transactions.
- Phone Banking: registration of the mobile number in the account is one of the basic prerequisites to avail phone banking.
- Branch Banking: CBS enables a single view of customer data across all branches of a bank and thus facilitates information across the delivery channels.

CBS IT environment:
- Application server: performs the necessary operations and updates the account of the customer.
- Database server: contains the entire data of the bank. This includes information about the accounts of customers and master data.
- Automated Teller Machine (ATM) channel server: a file called the "Positive Balance File (PBF)", containing the account balance of the customer, is sent to the ATM switch.
- Internet banking channel server (IBCS): the IBCS software stores the user name and password of all internet banking customers (in practice as salted password hashes, never as plaintext or reversibly encrypted passwords).
- Internet banking application server (IBAS): the internet banking software stored in the IBAS authenticates the customer against the login details stored in the IBCS.
- Web server: used to host all web services and internet-related software.
- Proxy server: a client connects to the proxy server and then requests a connection, file or other resource available on a different server.
- Anti-virus software server.


Technology components of CBS

- Database environment: consists of the centrally located database servers that store the data for all the branches of the bank, which includes customer master data, interest rates, account types etc. Whenever a customer requests a particular service to be performed, the application server performs the operation and updates the central database server. Databases are kept very secure to prevent any unauthorized changes.
- Cyber security: a comprehensive Cyber Security Framework is prescribed by RBI for banks to ensure effective information security governance.
- Application environment: consists of the application servers that host the different core banking systems like Flex Cube, bankMate etc. and is centrally used by different banks. Access to these application servers will generally be routed through a firewall.

Network security and secure configurations:
1. A multi-layered defence system through properly configured proxy servers, firewalls and intrusion detection systems, to protect the network from malicious attacks and to detect any unauthorized network entries.
2. LAN for in-house/onsite ATM and CBS/branch network, to confirm adequacy of bandwidth to deal with the volume of transactions so as to prevent slowing down.
3. To ensure a secured network, proper usage of routers etc. should be envisaged.
4. Periodic security review of systems and terminals to assess the network's vulnerability and identify the weaknesses.
5. Identification of risks to ensure that risks are within the bank's risk appetite.

Application security:
- Implementation of bank-specific email domains with anti-phishing malware software, with controls enforced at the email solution.
- An authentication step added to the log-in process, such as a code sent to the user's phone or a fingerprint scan, that helps verify the user's identity and prevent cybercrimes.
- Training to employees.
- Capturing of the audit logs.

Data Centre and Disaster Recovery Centre:
- Core banking systems consist of a Data Centre which includes various application servers.
- The bank should adopt full-fledged manuals and necessary documents.
- Arrangements for the alternate connectivity of banks with the data centre should be established.
- Awareness should be created among the employees through periodic trainings and mock drills.

Online transaction monitoring for fraud risk management:
- Risk evaluations are carried out and, based on the risk profile and regulatory requirements of the bank, effective monitoring should be done as a part of managing fraud risk.
- There are methods that facilitate fraud reporting in the CBS environment. A proper alert system should be enabled to identify any changes in the log settings.


Functional architecture of CBS


• A Core Banking Solution is the enterprise resource planning software of a bank. It covers all aspects of
banking operations from a macro to micro perspective.
• A CBS is modular in nature and is generally implemented for all functions or for core functions as decided
by the bank.

Stages in implementation of CBS


 Planning: Planning for implementing CBS should be done as per strategic and business objectives of bank.
 Approval: The decision to implement CBS requires high investment and recurring costs and will impact how
banking services are provided by the bank. Hence, the decision must be approved by the board of directors.
 Selection: Although there are multiple vendors of CBS, each solution has key differentiators. Hence, bank
should select the right solution considering various parameters as defined by the bank to meet their
specific requirements and business objectives.
 Design and Develop/Procure: CBS solutions used to be earlier developed in-house by the bank. Currently,
most of the CBS deployments are procured. There should be appropriate controls covering the design or
development or procurement of CBS for the bank.
 Testing: Extensive testing must be done before the CBS is made live. Testing is done at different phases: at the procurement stage to test suitability, at data migration to ensure all existing data is correctly migrated, and finally to confirm that processing of the various types of transactions of all modules produces the correct results.
 Implementation: CBS must be implemented as per pre-defined and agreed plan with specific project
milestones to ensure successful implementation.
 Maintenance: CBS must be maintained as required. E.g., program bugs fixed, version changes
implemented, etc.
 Support: CBS must be supported to ensure that it is working effectively.
 Updation: CBS modules must be updated based on requirements of business processes, technology
updates and regulatory requirements.
 Audit: Audit of CBS must be done internally and externally as required to ensure that controls are working
as envisaged.

CBS risks

- Operational risk: the risk arising from direct or indirect loss to the bank which could be associated with inadequate or failed internal processes, people and systems.
- Market risk: the risk of losses in the bank's trading book due to changes in equity prices, interest rates etc.
- Credit risk: the risk that an asset or a loan becomes irrecoverable in the case of outright default.
- Strategic risk: the risk that earnings decline due to a changing business environment.
- Compliance risk: exposure to legal penalties, financial penalty and material loss an organization faces when it fails to act in accordance with industry laws and regulations.


Internet Banking Process

• To protect the web server from unauthorized use and abuse, the traffic necessarily has to pass through a firewall.
• An individual who accesses the bank's website through a browser reaches the web server, and the bank's web page is displayed on the screen of the client's computer.
• The web page also provides all information generally of interest to the public. The password is never displayed or transmitted in plain text, only in encrypted form.
• The web server forwards the customer's login details to the internet banking application server (IBAS), which in turn accesses the internet banking database/channel server (IDBS/IBCS) holding the user ID and password details of each customer. The information received from the web server is verified against the customer's data held there.
• In case of a mismatch between user name and password, the message "access denied" appears with the reason "User ID/password incorrect". The same message is used for a wrong user ID and a wrong password, so an attacker cannot use it to enumerate valid IDs. After three failed attempts the customer is logged out for security reasons.
• On authenticated login, the IBAS sends an acknowledgement to the web server, which displays the message and the facilities available to the customer.
• Once the customer chooses one of the facilities, the IBCS retrieves the required data from the central database server.
• The internet banking database server then forwards the customer data to the IBAS, which processes the transaction; e.g. a statement of account from the central database server is made available to the IDBS, the IBCS then sends the data to the IBAS, and the IBAS sends the same to the web browser.
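The credential check in the flow above, as an added example; it is not the notes' own code nor any bank's IBAS/IBCS software. It assumes a credential store standing in for the IBCS that keeps salted PBKDF2 hashes rather than passwords, a constant-time comparison, the page's "User ID/password incorrect" message for both an unknown ID and a wrong password, and a lockout once the third attempt fails. The user ID, password and attempt limit are constructed.

```python
import hashlib
import hmac
import os

# Constructed policy values; the flow in the notes allows three attempts.
MAX_ATTEMPTS = 3
PBKDF2_ROUNDS = 100_000

DENIED = "access denied: User ID/password incorrect"
LOCKED = "locked: too many failed attempts"


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256: what the store keeps instead of the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_store(users):
    """Build the credential store (stand-in for the IBCS) from {user_id: password}."""
    store = {}
    for user_id, password in users.items():
        salt = os.urandom(16)                     # per-user random salt
        store[user_id] = {
            "salt": salt,
            "hash": hash_password(password, salt),
            "failed": 0,
            "locked": False,
        }
    return store


def login(store, user_id, password):
    """Stand-in for the IBAS check: returns 'ok', DENIED or LOCKED."""
    rec = store.get(user_id)
    if rec is None:
        # Do the same amount of work for an unknown ID so response time
        # does not reveal which IDs exist.
        hash_password(password, b"\x00" * 16)
        return DENIED
    if rec["locked"]:
        return LOCKED
    if hmac.compare_digest(hash_password(password, rec["salt"]), rec["hash"]):
        rec["failed"] = 0                         # successful login resets the counter
        return "ok"
    rec["failed"] += 1
    if rec["failed"] >= MAX_ATTEMPTS:
        rec["locked"] = True                      # third failure locks the ID
        return LOCKED
    return DENIED


if __name__ == "__main__":
    store = make_store({"cust001": "correct horse battery"})   # constructed credentials
    for attempt in ("wrong", "wrong", "wrong", "correct horse battery"):
        print(login(store, "cust001", attempt))
```

The store never holds the password itself, so a leaked IBCS table does not yield customer passwords; a real deployment would also rate-limit by source address and require a separate unlock procedure.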

Information Technology (IT) Risks


Information Security Policies

Information security is critical to mitigate the risks of information technology. Security shall ensure the confidentiality, integrity and availability of information.
(a) Information security policies, procedures and practices: refers to processes relating to approval and implementation of information security. These policies are the basis upon which detailed procedures and practices are developed and implemented.
(b) User security administration: refers to security for the various users of information systems.
(c) Application security: refers to how security is implemented at various aspects of an application. This starts right from configuration, setting of parameters and security for transactions through various application controls.
(d) Database security: refers to various aspects of implementing security for database software.
(e) Operating system security: refers to security for the operating system software which is installed in servers and in systems which are connected to the servers.
(f) Network security: refers to how security is provided at various layers of the network and connectivity to the servers.

Internal control systems in banks

The objective of an internal control system is to ensure orderly and efficient conduct of business, adherence to management policies, safeguarding of assets through prevention and detection of fraud and error, ensuring accuracy and completeness of the accounting records, timely preparation of reliable financial information, and ensuring compliance with the applicable laws and regulations. Control areas:
(a) Configuration
(b) Masters
(c) Transaction
(d) Reports


Core business processes flow and relevant risks and controls

Type of facility: Current & Savings Accounts (CASA)

Process:
• The customer approaches the relationship manager to apply for a CASA facility (go to the bank).
• Once the customer agrees to avail the facilities/products of the bank, the relationship manager requests the relevant documents (KYC and other relevant documents of the customer) (provide documents).
• Documents received from the customer are handed over to the credit team / risk team for sanctioning of the facilities/limits of the customer (hand over the documents to the concerned team).
• The credit team verifies all documents, assesses the financial standing and creditworthiness of the borrower, and updates the facilities in the customer's account (verification of documents).
• The current / savings account, along with the facilities requested, is provided to the customer for daily functioning (account is opened in the bank).
• Customers can avail facilities such as cheque deposit/withdrawal, cash deposit/withdrawal, RTGS, NEFT, ECS etc. (services provided by the bank).

Controls <-> Risks:
• The credit committee checks financial ratios, net worth, risk factors and their corresponding mitigating factors. <-> Credit set-up is unauthorized.
• Access rights to authorize the credit limit in the account set-up system should be restricted to authorized personnel. <-> Credit line set-up is unauthorized.
• Access rights to authorize the customer master in CBS should be restricted to authorized personnel.
• Interest on fund-based facilities is automatically calculated in the CBS as per the defined rules. <-> Master data in CBS not matching the pre-disbursement certificate.
• Segregation of duties is maintained between the initiator and the authorizer of a transaction for processing transactions in CBS. <-> Unauthorized approval of CASA transactions.

Type of facility: Issue of credit card (process only)

Process:
• Either the customer approaches the relationship manager to apply for a credit card facility, or the customer applies for it through internet banking.
• Once the potential customer agrees to avail the facilities/products of the bank, the relationship manager requests the relevant documents.
• Documents received from the customer are handed over to the credit team for sanctioning of the facilities/limits of the customer.
• The credit team verifies the documents, assesses the financial standing and creditworthiness of the borrower, issues a credit limit to the customer in CBS and allots a credit card.

Type of facility: Process flow – authorization process of the credit card facility

Process:
• The customer swipes the credit card for a purchase on the POS (Point of Sale) machine at the merchant's shop/establishment (card swiped at the shop by us).
• The POS will process the transaction only once it is authenticated.
• The POS sends an authentication request to the merchant's bank (also referred to as the "acquiring bank"), which then sends the transaction authentication verification details to the credit card network (such as VISA, MasterCard), from which the data is validated by the credit card issuing bank. Acquirer bank → card network → issuing bank.
• Once the transaction is validated, an approval message is received from the credit card issuing bank by the credit card network, which then flows to the merchant's bank and approves the transaction in the POS machine (after approval: issuing bank → network → acquirer → POS merchant). A receipt is generated and the sale is completed.

CA Akhil Kumar Mittal || 0-9582333276 || https://t.me/cainternotes_akhilkumarmittal 63


REVISION BOOKLET FOR EIS || MAY 2022

Process flow of clearing and settlement process of credit card facility
• The transaction data from the merchant is transferred to the merchant's bank. Merchant's bank clears the settlement amount to the Merchant after deducting Merchant fees. Merchant's bank, in turn, now provides the list of settlement transactions to the credit card network, which then provides the list of transactions made by the customer to the credit card issuing bank.
• The credit card issuing bank, based on the transactions made, clears the amount to the Merchant's bank but after deducting interchange transaction fees.
• At the end of the billing cycle, the card issuing company charges the customer's credit card account with those transactions in CBS.
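The authorization and clearing flow described above, as an added example in Python (not part of these notes or of any bank's system). The POS, acquiring bank, card network and issuing bank are modelled as separate objects so that the validation step sits with the issuer and the fee deductions happen at clearing; all card numbers, limits, fee rates and amounts are constructed.

```python
"""Constructed simulation of the credit card authorization and clearing flow:
POS -> acquiring bank -> card network -> issuing bank for authorization, then
clearing where the acquirer credits the merchant net of the merchant fee and
the issuer pays the acquirer net of interchange.
All parties, card numbers, limits, fee rates and amounts are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class IssuingBank:
    """Validates requests against the cardholder's credit limit and keeps billing items."""
    limits: Dict[str, float]                       # card number -> credit limit
    balances: Dict[str, float] = field(default_factory=dict)
    billing_items: Dict[str, List[float]] = field(default_factory=dict)

    def validate(self, card: str, amount: float) -> Tuple[bool, str]:
        if card not in self.limits:
            return False, "unknown card"
        available = self.limits[card] - self.balances.get(card, 0.0)
        if amount > available:
            return False, "limit exceeded"
        # Approved: hold the amount against the limit until billing.
        self.balances[card] = self.balances.get(card, 0.0) + amount
        return True, "approved"


@dataclass
class CardNetwork:
    """Routes a request to the issuer identified by the card's BIN (first 6 digits)."""
    issuers: Dict[str, IssuingBank]

    def route(self, card: str, amount: float) -> Tuple[bool, str]:
        issuer = self.issuers.get(card[:6])
        if issuer is None:
            return False, "no issuer for BIN"
        return issuer.validate(card, amount)


@dataclass
class AcquiringBank:
    """Merchant's bank: forwards authorizations, keeps approved sales pending settlement."""
    network: CardNetwork
    merchant_fee_rate: float
    merchant_balance: float = 0.0
    pending: List[Tuple[str, float]] = field(default_factory=list)

    def authorize(self, card: str, amount: float) -> Tuple[bool, str]:
        ok, msg = self.network.route(card, amount)
        if ok:
            self.pending.append((card, amount))
        return ok, msg


def pos_sale(acquirer: AcquiringBank, card: str, amount: float) -> dict:
    """POS sends the request and prints a receipt only when approval flows back."""
    ok, msg = acquirer.authorize(card, amount)
    return {"approved": ok, "message": msg,
            "receipt": "SALE %.2f" % amount if ok else None}


def settle(acquirer: AcquiringBank, network: CardNetwork,
           interchange_rate: float) -> Tuple[float, float]:
    """Clearing and settlement for all pending sales of the acquirer.

    Returns (amount credited to merchant, amount the acquirer receives from issuers).
    """
    merchant_credit = 0.0
    acquirer_receipt = 0.0
    for card, amount in acquirer.pending:
        merchant_credit += amount * (1 - acquirer.merchant_fee_rate)
        issuer = network.issuers[card[:6]]
        issuer.billing_items.setdefault(card, []).append(amount)   # posted at billing cycle
        acquirer_receipt += amount * (1 - interchange_rate)
    acquirer.merchant_balance += merchant_credit
    acquirer.pending.clear()
    return round(merchant_credit, 2), round(acquirer_receipt, 2)


def run_demo() -> dict:
    """Two sales on one constructed card, one unknown BIN, then settlement."""
    issuer = IssuingBank(limits={"411111000000": 1000.0})
    network = CardNetwork(issuers={"411111": issuer})
    acquirer = AcquiringBank(network=network, merchant_fee_rate=0.02)
    first = pos_sale(acquirer, "411111000000", 400.0)
    second = pos_sale(acquirer, "411111000000", 700.0)   # only 600 of the limit is left
    third = pos_sale(acquirer, "999999000000", 10.0)     # no issuer for this BIN
    merchant_credit, acquirer_receipt = settle(acquirer, network, interchange_rate=0.015)
    return {"first": first, "second": second, "third": third,
            "merchant_credit": merchant_credit, "acquirer_receipt": acquirer_receipt,
            "billed": issuer.billing_items}


if __name__ == "__main__":
    print(run_demo())
```

The design point to notice is that only the issuer decides approval (the acquirer and network merely route), and that the merchant is credited net of the merchant fee while the acquirer is paid net of interchange, so the two settlement amounts differ.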
Type of Facility: Process flow of mortgages (Mortgage Loan)
The mortgage loan is a secured loan which is secured on the borrower's property by marking a lien on the property as collateral (additional security) for the loan. In case the borrower doesn't pay the borrowed money, the lender has first charge on the property.

Process:
• Loans are provided by a lender which is a bank or a mortgage company. Such loans are provided at fixed and flexible ROI.
• Borrower/Customer approaches the bank for a mortgage and the loan officer explains the home loan to the customer. Customer is to fill the loan application and provide KYC documents to the loan officer.
• Loan officer reviews the loan application and sends it to the Credit risk team who will determine the customer's financial eligibility.
• This is done on the basis of the credit score as per CIBIL rating, income & expense details & the rate of Interest at which the loan is offered.
• Underwriting team will verify the financial (applicant's credit history) & the employment information of the customer. Underwriter will ensure that the loan provided is within the lending guidelines.
• Details of the property selected by the customer are forwarded by the loan officer to the legal and valuation team.
• Legal & valuation team will send their report to the operations team which will generate the letter of offer to the customer which entails all details of the loan.
• Customer will sign the letter of offer by signing the loan agreement. Loan officer will notarize all the loan documents and they are sent back to the lender's operations team.
• Once the signed offer letter is received, the operations team will disburse the fund.

Controls <–> Risks:
• There is a review performed by an independent team member who will verify the loan details captured in the core banking application against the offer letter <–> Incorrect customer detail risk.
• There is another review performed by an independent team member who will verify the loan amount to be disbursed in the core banking application against the signed offer letter. <–> Incorrect loan amount.
• Interest amount is auto calculated by the core banking application on the basis of loan amount, ROI and tenure. <–> Incorrect interest calculation.
• System enforced segregation of duties exists in the core banking application where the inputter of the transaction cannot approve their own transaction and the reviewer cannot edit any details submitted by the inputter <–> Unauthorized changes to loan master data.


Treasury Process
Below are the 3 major categories of treasury operations:

FRONT OFFICE
The Front Office operations consist of dealing room operations wherein the dealers enter into deals with the various corporate and interbank counter-parties.
The dealers are primarily responsible for checking counter-party credit limits, eligibility, and other requirements of the Bank before entering into the deal with the customers.
Dealers must ensure that all risk/credit limits are available before entering into a deal.

MIDDLE OFFICE
The Middle Office includes risk management, responsibility for treasury accounting, and documentation of various types.
Responsibilities also include producing the financial results, analysis and budget forecasts for the treasury business unit, and input into the regulatory reporting.
Responsible for monitoring of counter-party, country, dealer and market-related limits that have been set and approved.

BACK OFFICE
It includes verification by confirmation, settlement, checking existence of a valid & enforceable agreement & reconciliation of NOSTRO.
One of the developments in the back office has been the advent (arrival) of Straight-Through Processing (STP), also called 'hands-off' or exception processing.
Critical operation is FOBO (Front Office/Back Office) reconciliation to ensure completeness and accuracy of trades/deals done for the day.
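The FOBO reconciliation and the counter-party limit monitoring mentioned above, as an added example in Python (not part of these notes or of any treasury system). The deal records, counter-party names and approved limits are constructed; a real system would feed these from its front-office and back-office books.

```python
"""Constructed Front Office / Back Office (FOBO) reconciliation and counter-party
limit check. Deal records, counter-party names and limits are constructed for
illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Deal:
    deal_id: str
    counterparty: str
    instrument: str
    notional: float
    rate: float


# Constructed front-office (dealing room) records for the day.
FRONT_OFFICE = [
    Deal("D1", "CP-A", "FX-SPOT", 4_000_000.0, 74.50),
    Deal("D2", "CP-B", "FX-FWD", 3_000_000.0, 75.10),
    Deal("D3", "CP-B", "FX-SPOT", 3_000_000.0, 74.55),
    Deal("D4", "CP-A", "GSEC", 2_000_000.0, 6.80),
]

# Constructed back-office (confirmation/settlement) records for the same day.
BACK_OFFICE = [
    Deal("D1", "CP-A", "FX-SPOT", 4_000_000.0, 74.50),
    Deal("D2", "CP-B", "FX-FWD", 3_000_000.0, 75.01),   # rate keyed differently
    Deal("D4", "CP-A", "GSEC", 2_000_000.0, 6.80),
    Deal("D5", "CP-C", "FX-SPOT", 1_000_000.0, 74.60),  # no matching FO deal
]

# Constructed approved counter-party limits (total notional per counter-party).
CP_LIMITS = {"CP-A": 10_000_000.0, "CP-B": 5_000_000.0, "CP-C": 2_000_000.0}

FIELDS = ("counterparty", "instrument", "notional", "rate")


def reconcile(front: List[Deal], back: List[Deal]) -> Dict[str, object]:
    """Completeness: every FO deal must be in BO and vice versa.
    Accuracy: deals present on both sides must agree field by field."""
    fo = {d.deal_id: d for d in front}
    bo = {d.deal_id: d for d in back}
    mismatched = []
    for deal_id in sorted(fo.keys() & bo.keys()):
        diffs = [f for f in FIELDS if getattr(fo[deal_id], f) != getattr(bo[deal_id], f)]
        if diffs:
            mismatched.append((deal_id, diffs))
    return {
        "missing_in_bo": sorted(fo.keys() - bo.keys()),   # dealt but never booked/settled
        "missing_in_fo": sorted(bo.keys() - fo.keys()),   # booked without a front-office deal
        "mismatched": mismatched,
    }


def limit_breaches(front: List[Deal], limits: Dict[str, float]) -> Dict[str, float]:
    """Middle-office style check: total notional per counter-party against its approved limit."""
    exposure = defaultdict(float)
    for d in front:
        exposure[d.counterparty] += d.notional
    return {cp: exp for cp, exp in exposure.items() if exp > limits.get(cp, 0.0)}


if __name__ == "__main__":
    print(reconcile(FRONT_OFFICE, BACK_OFFICE))
    print(limit_breaches(FRONT_OFFICE, CP_LIMITS))
```

Each of the three exception lists maps to a different control failure: a deal missing in BO means the trade was never confirmed or settled, a deal missing in FO means something was booked without a dealer's deal, and a field mismatch means one side keyed the trade incorrectly.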

Process flow for bank Treasury operations-


Type of Facility: Treasury Process

Risks:
• Unauthorized securities setup in systems such as Front office/Back office
• Inaccurate trade is processed
• Unauthorized confirmations are processed
• Insufficient securities for settlement.

Controls:
• Appropriate Segregation of duties and review controls around securities master setup and amendments
• Appropriate Segregation of duties and review controls to ensure the accuracy and authorization of trades
• Complete and accurate confirmations to be obtained from counter-party
• Effective controls on securities and margins.

Loans and trade finance operations

Customer master creation process

Meaning
Business of lending is the main business of banks. Taking all considerations into account, banks lend money and carry some inherent risk. Hence lending activity has to necessarily adhere to certain principles. The business of lending is carried on by banks offering various credit facilities to their customers.

Types of credit facilities-
Fund Based Credit Facilities: Loans, overdrafts, Term loan etc.
Non-Fund Based Credit Facilities: Include Bank Guarantees and Letter of Credit

Process
▪ Relationship manager identifies potential customers and approaches them with the details of the products/facilities.
▪ Once the potential customer agrees for availing facilities/products of the bank, the relationship manager requests for the relevant documents i.e., KYC.
▪ Documents received from the customers are handed over to the credit team of the bank for sanctioning of the facilities/limits of the customers. Credit team verifies the documents, assesses the financial and credit worthiness of the borrowers and issues a sanction letter to the customer.
▪ Sanction letter details the terms of the facilities and the credit limits for which the customer is eligible.
▪ Once the customer agrees with the terms of the sanction letter, the credit team prepares a Pre-Disbursement Certificate (PDC) containing the details of all the facilities & the limit approved for the customer.
▪ The disbursement team verifies the PDC and creates the customer account and master in the Loan Disbursement System. The disbursement team member also assigns the limits for various products as per the PDC.
▪ Once the limits are assigned to the customer, the customer can avail any of the facilities/products up to the assigned credit limits.

Loans disbursal/facility utilization & income accounting:

▪ Customer may approach the bank for availing a product/facility as per the sanction letter.
▪ In case of a fund-based loan, the funds are disbursed to the customer's bank account. Interest is generally accrued on a daily basis along with the principal.
▪ In case of bill discounting, the customer is credited the invoice amount excluding the interest amount as per the agreed rates.
(If the drawer of the bill does not want to wait till the due date of the bill and is in need of money, he may sell his bill to a bank at a certain rate of discount. The bill will be endorsed by the drawer with a signed and dated order to pay the bank) - Meaning of Bill discounting.
▪ In case of non-fund-based facilities, the facilities are granted to the customer up to the assigned limits in the loan disbursement system.


Type of Facility: Loans and advances process

Risks:
• Credit Line setup is unauthorized and not in line with the bank's policy.
• Masters defined for the customer are not in accordance with the Pre-Disbursement Certificate.
• Credit Line setup can be breached in Loan disbursement system/ CBS.
• Lower rate of interest/ Commission may be charged to customer.

Controls:
• Credit committee checks that Financial Ratios, Net-worth, Risk factors and their corresponding mitigating factors, etc. are in line with the Credit Risk Policy.
• Access rights to authorize the credit limit in Loan Booking system/CBS should be restricted to authorized personnel.
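The controls that recur across the CASA, mortgage, treasury and loans tables above (restricted authorization rights, initiator-authorizer segregation of duties, reviewer unable to edit, master data matching the Pre-Disbursement Certificate) are shown together in one added Python example. This is illustrative code written for these notes, not the design of any real CBS or Loan Booking system; the user names, roles, customer id and PDC values are constructed.

```python
"""Constructed maker-checker (segregation of duties) model for credit line setup
in a Loan Booking system / CBS. User names, roles, the customer id and the
Pre-Disbursement Certificate (PDC) values are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


class AuthorizationError(Exception):
    """Raised when a user lacks a right or would break segregation of duties."""


# Constructed role model: no single role carries both input and approval rights.
ROLE_RIGHTS = {"inputter": {"create", "edit"}, "authorizer": {"approve"}}


@dataclass
class CreditLineRequest:
    customer_id: str
    product: str
    limit: float
    rate: float
    created_by: str
    status: str = "pending"
    approved_by: Optional[str] = None


class CreditLineMaster:
    def __init__(self, users: Dict[str, Set[str]], pdc: Dict[Tuple[str, str], dict]):
        self.users = users        # user -> set of roles
        self.pdc = pdc            # (customer, product) -> sanctioned {"limit", "rate"}
        self.requests: Dict[int, CreditLineRequest] = {}
        self.master: Dict[Tuple[str, str], CreditLineRequest] = {}
        self.audit_log: List[tuple] = []

    def _require(self, user: str, right: str) -> None:
        """Access rights check: the action must be granted by one of the user's roles."""
        roles = self.users.get(user, set())
        if not any(right in ROLE_RIGHTS.get(r, set()) for r in roles):
            raise AuthorizationError("%r has no %r right" % (user, right))

    def create(self, user, customer_id, product, limit, rate) -> int:
        self._require(user, "create")
        req_id = len(self.requests) + 1
        self.requests[req_id] = CreditLineRequest(customer_id, product, limit, rate, user)
        self.audit_log.append(("create", user, req_id))
        return req_id

    def edit(self, user, req_id, **changes) -> None:
        """Only pending requests can be edited; approved masters are immutable."""
        self._require(user, "edit")
        req = self.requests[req_id]
        if req.status != "pending":
            raise AuthorizationError("request is %s; raise a new request instead" % req.status)
        for key, value in changes.items():
            if key not in ("limit", "rate"):
                raise ValueError("field %r cannot be edited" % key)
            setattr(req, key, value)
        self.audit_log.append(("edit", user, req_id))

    def approve(self, user, req_id) -> bool:
        """Authorizer right, initiator != authorizer, and the master must match the PDC."""
        self._require(user, "approve")
        req = self.requests[req_id]
        if req.created_by == user:
            raise AuthorizationError("initiator cannot authorize own transaction")
        if req.status != "pending":
            raise AuthorizationError("request already %s" % req.status)
        sanctioned = self.pdc.get((req.customer_id, req.product))
        if sanctioned is None or (sanctioned["limit"], sanctioned["rate"]) != (req.limit, req.rate):
            req.status = "rejected"
            self.audit_log.append(("reject", user, req_id, "does not match PDC"))
            return False
        req.status, req.approved_by = "approved", user
        self.master[(req.customer_id, req.product)] = req
        self.audit_log.append(("approve", user, req_id))
        return True


def _attempt(action) -> str:
    try:
        action()
        return "allowed"
    except AuthorizationError:
        return "blocked"


def run_demo() -> dict:
    users = {"alice": {"inputter"}, "bob": {"authorizer"}, "dave": {"inputter", "authorizer"}}
    pdc = {("C100", "OD"): {"limit": 500000.0, "rate": 9.5}}
    cbs = CreditLineMaster(users, pdc)
    r1 = cbs.create("alice", "C100", "OD", 500000.0, 9.5)
    out = {"alice_self_approve": _attempt(lambda: cbs.approve("alice", r1))}   # no approve right
    out["bob_approves_r1"] = cbs.approve("bob", r1)
    out["edit_after_approval"] = _attempt(lambda: cbs.edit("alice", r1, rate=8.0))
    r2 = cbs.create("alice", "C100", "OD", 600000.0, 9.5)                      # limit not per PDC
    out["bob_approves_r2"] = cbs.approve("bob", r2)
    r3 = cbs.create("dave", "C100", "OD", 500000.0, 9.5)
    out["dave_self_approve"] = _attempt(lambda: cbs.approve("dave", r3))       # holds both roles
    out["master_limit"] = cbs.master[("C100", "OD")].limit
    return out


if __name__ == "__main__":
    print(run_demo())
```

The case of "dave" shows why the initiator-authorizer check must be enforced by the system and not only by role design: if a user is (mis)configured with both roles, the access rights check alone would let him approve his own entry.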

Money Laundering

Meaning
Money Laundering is the process by which the proceeds of the crime and the true ownership of those proceeds are concealed or made opaque (unclear / not clear) so that the proceeds appear to come from a legitimate source.

Stages
Placement:
The first stage involves the placement of proceeds derived from illegal activities, i.e. the movement of proceeds from the scene of the crime to a place, or into a form, less suspicious and more convenient for the criminal.

Layering:
This involves the separation of proceeds from illegal source using complex transactions designed to
obscure the audit trail and hide the proceeds. Layering involves sending the money through various
financial transactions to change its form and make it difficult to follow.

Integration:
Integration involves conversion of illegal proceeds into apparently legitimate business earnings through
normal financial or commercial operations.

Anti-Money Laundering using technology

• Negative publicity, damage to reputation and loss of goodwill, legal and regulatory sanctions and an adverse effect on the bottom line are all possible consequences of a bank's failure to manage the risk of money laundering.
• Banks face the challenge of addressing the threat of money laundering on multiple fronts, as banks can be used as the primary means for transfer of money across geographies.
• With regulators adopting stricter regulations on banks & enhancing their enforcement efforts, banks are using special fraud and risk management software to prevent and detect fraud.
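As an added illustration (not part of these notes and not the rule set of any real product), the Python example below shows the kind of rule-based transaction monitoring such software performs for the first two stages described above: a placement rule that looks for cash deposits kept individually under a reporting threshold but crossing it in aggregate, and a layering rule that looks for inflows forwarded almost in full within a short time. Accounts, amounts, thresholds and time windows are all constructed.

```python
"""Constructed example of rule-based AML transaction monitoring: one rule for the
placement stage (cash deposits split to stay under a reporting threshold) and one
for the layering stage (funds received and forwarded almost in full within a short
time). Accounts, amounts, thresholds and windows are constructed; real rules are
set by the bank's compliance policy.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed transactions: (timestamp, account, type, amount, counterparty account)
TXNS = [
    ("2022-03-01 10:00", "A1", "CASH_IN", 9500.0, None),
    ("2022-03-01 15:30", "A1", "CASH_IN", 9800.0, None),
    ("2022-03-02 09:10", "A1", "CASH_IN", 9700.0, None),
    ("2022-03-02 11:45", "A1", "CASH_IN", 9900.0, None),
    ("2022-03-03 09:00", "A2", "CREDIT", 250000.0, "A9"),
    ("2022-03-03 10:15", "A2", "DEBIT", 245000.0, "A7"),
    ("2022-03-05 12:00", "A3", "CASH_IN", 4000.0, None),
    ("2022-03-20 12:00", "A3", "CASH_IN", 4500.0, None),
    ("2022-03-10 09:00", "A4", "CREDIT", 100000.0, "A9"),
    ("2022-03-25 09:00", "A4", "DEBIT", 20000.0, "A7"),
]

CASH_REPORT_THRESHOLD = 10000.0           # constructed cash reporting threshold
NEAR_THRESHOLD_RATIO = 0.9                # deposits at or above 90% of threshold count as "near"
STRUCTURING_WINDOW = timedelta(days=3)
PASS_THROUGH_WINDOW = timedelta(hours=24)
PASS_THROUGH_RATIO = 0.9                  # at least 90% of an inflow forwarded


def parse(txns) -> List[dict]:
    rows = [{"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M"), "account": acct,
             "type": kind, "amount": amt, "cp": cp} for ts, acct, kind, amt, cp in txns]
    return sorted(rows, key=lambda r: (r["account"], r["ts"]))


def flag_structuring(txns) -> Dict[str, float]:
    """Placement rule: two or more near-threshold cash deposits in one account
    within the window whose total crosses the reporting threshold.
    Returns the largest such aggregate per flagged account."""
    near = defaultdict(list)
    for t in parse(txns):
        if (t["type"] == "CASH_IN"
                and CASH_REPORT_THRESHOLD * NEAR_THRESHOLD_RATIO <= t["amount"] < CASH_REPORT_THRESHOLD):
            near[t["account"]].append(t)
    flagged: Dict[str, float] = {}
    for acct, deposits in near.items():
        for i, first in enumerate(deposits):
            window = [d for d in deposits[i:] if d["ts"] - first["ts"] <= STRUCTURING_WINDOW]
            total = sum(d["amount"] for d in window)
            if len(window) >= 2 and total >= CASH_REPORT_THRESHOLD:
                flagged[acct] = max(flagged.get(acct, 0.0), total)
    return flagged


def flag_pass_through(txns) -> Dict[str, float]:
    """Layering rule: an inflow that is moved out again within the window,
    leaving little behind. Returns the forwarded share per flagged account."""
    by_acct = defaultdict(list)
    for t in parse(txns):
        by_acct[t["account"]].append(t)
    flagged: Dict[str, float] = {}
    for acct, items in by_acct.items():
        for i, t in enumerate(items):
            if t["type"] != "CREDIT":
                continue
            out = sum(u["amount"] for u in items[i + 1:]
                      if u["type"] == "DEBIT" and u["ts"] - t["ts"] <= PASS_THROUGH_WINDOW)
            if out >= PASS_THROUGH_RATIO * t["amount"]:
                flagged[acct] = max(flagged.get(acct, 0.0), round(out / t["amount"], 2))
    return flagged


if __name__ == "__main__":
    print("structuring:", flag_structuring(TXNS))
    print("pass-through:", flag_pass_through(TXNS))
```

Accounts A3 and A4 in the constructed data are the negative cases: small, infrequent cash deposits and an inflow that is mostly retained should not raise alerts, which is what keeps such rules from drowning the compliance team in false positives.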


Prevention of Money laundering Act (PMLA), 2002


Section 3: Offence of Money laundering
Whosoever directly or indirectly attempts to indulge or knowingly assists or knowingly is a party or is actually involved in any process or activity connected with the proceeds of crime including concealment, possession, acquisition or use and projecting or claiming it as untainted property shall be guilty of the offence of money laundering.

Section 12: Reporting entity to maintain the records
Every reporting entity shall-
- Maintain record of all transactions.
- Furnish to the Director information related to such transactions.
- Maintain record of documents evidencing identity of its clients and owner-
1. Every information is kept confidential.
2. Records shall be maintained for 5 years after the business relationship ended or the account has been closed, whichever is later.
3. Central Government may, by notification, exempt any reporting entity from any obligations.

Section 13: Power of Director to impose fine
1. Director may, either of his own motion or on an application made by any authority, officer or person, make such inquiry or cause such inquiry to be made, with regard to the obligations of the reporting entity, under this Chapter.
2. If at any stage of inquiry or any other proceedings before him, the Director is of the opinion that it is necessary to do so, he may direct the concerned reporting entity to get its records audited by an accountant from a panel of accountants (maintained by the Central Government for this purpose).
3. The expenses of and incidental to any audit shall be borne by the Central Government.
4. If the Director finds that a reporting entity or its designated director on the Board or any of its employees has failed to comply with the obligations under this Chapter, he may-
(a) Issue a warning in writing; or
(b) Direct such reporting entity or its designated Director to comply with specific instructions; or
(c) Direct such reporting entity or its designated Director to send reports at such interval on the measures taken; or
(d) By an order, impose a penalty on such reporting entity which shall not be less than ₹ 10,000 but may extend to ₹ 1,00,000 for each failure.


Section 63: Punishment for false information / failure to give information
1. Any person willfully and maliciously giving false information;
2. so causing an arrest or a search to be made under this Act, shall be punishable with-
Imprisonment - 2 years
Fine - INR 50,000 or BOTH
3. If any person-
a) Refuses to answer any question put to him by an authority in the exercise of its powers under this Act;
b) Refuses to sign any statement made by him in the course of any proceedings under this Act, which an authority may legally require him to sign;
c) To whom a summons is issued under section 50 either to attend to give evidence or produce books of account or other documents at a certain place and time, omits to attend or produce books of account or documents at the place or time;
shall pay a penalty of not less than ₹ 500 which may extend to ₹ 10,000.

Section 70: Offence by the company
If the contravention is committed by such entities, the officers in charge of and responsible to the conduct of the business of such entity at the relevant time are also liable to be proceeded against and punished.

Information Technology Act, 2000

Information Technology Act - Details about ITA 2000
1. The Act provides legal recognition for transactions carried out by means of electronic data interchange and other means of electronic communication.
2. It involves use of alternative methods of communication and storage of information, to facilitate electronic filing of documents with the Government.
3. It provides a legal framework for electronic governance by giving recognition to electronic records & digital signatures.
4. It also deals with cybercrimes.

IT Act (2008) amended - Civil and criminal liability-
1. Includes both civil and criminal liability.
2. Civil Liability – Pay damages by way of compensation up to ₹ 5 crores
3. Criminal Liability – Imprisonment → 3 years to Life imprisonment.


Penalty Clauses - Key provisions-
1. Section 43: Penalty and compensation for damage to computer, computer system, etc.
2. Section 43A: Compensation for failure to protect data.
3. Section 65: Tampering with Computer Source Documents.
4. Section 66: Computer Related Offences.
5. Section 66B: Punishment for dishonestly receiving stolen computer resource or communication device.
6. Section 66C: Punishment for identity theft.
7. Section 66D: Punishment for cheating by personation by using computer resource.
8. Section 66E: Punishment for violation of privacy.

Sensitive Personal Data Information (SPDI)
Reasonable Security Practices and Procedures and Sensitive Personal Data or Information Rules, 2011, formed under section 43A of the Information Technology Act, 2000, define a data protection framework for the processing of digital data by Body Corporate.
• Among the largest stakeholders of SPDI are banks, apart from insurance companies, financial institutions, hospitals, educational institutions, etc.
• Every bank should develop, communicate and host the privacy policy of the bank.
• The policy should include all key aspects of how the bank deals with the personal information it collects.

Banking Regulation Acts

Heads / Description
Meaning: Banking Regulation Act, 1949 is legislation in India that regulates all banking firms in India. The Act gives the Reserve Bank of India (RBI) the power:
1. To license banks,
2. Regulation over shareholding and voting rights of shareholders.
3. Supervise the appointment of the boards and management
4. Regulate the operations of banks & laying down instructions for audits
5. Issue directives in interests of public good & on banking policy.
6. Imposing penalties.
Negotiable Instruments Act:
• "cheque" includes electronic image of a truncated cheque and a cheque in the electronic form. A cheque in the electronic form has been defined as "A mirror image" of a paper cheque. The definition of a cheque in electronic form contemplates digital signature with or without biometric signature and asymmetric crypto system.


COMMERCE HARBOUR ACADEMY

Student Feedback Form


Dear students,

Thank you for purchasing the EIS summary notes for the May 2022 examinations. It is our endeavor to provide you all with good quality notes for the examinations and help you in clearing the exams with flying colors.

Your assistance in completing this form is greatly appreciated. Your honest feedback
will help us to serve you better and enable us to work on improving our contents.

Click to rate us at https://form.jotform.me/82683025124452

Kindly follow the below links in order to get connected with us-

Join our Telegram Channel : https://t.me/cainternotes_akhilkumarmittal


Join our Facebook Channel : https://www.facebook.com/cacscommercenote
Join our Insta Channel : https://www.instagram.com/commerceharbour_akm/
Mobile Application (Android) : https://bit.ly/3qbHuYz

Kindly RATE US to improve!!

Keep Learning, Keep growing!!!

Best of luck for the future.

CA Akhil Kumar Mittal


Founder- Commerce Harbour Academy
