Enterprise Information System


UNIT -1 AUTOMATED BUSINESS PROCESSES

Definition of EIS:
An Enterprise Information System (EIS) may be defined as any kind of
information system which improves the functioning of an enterprise's business
processes through integration.
Example (from the figure in the original):
❖ Order from customer (Customer Service Department).
❖ Warehouse triggered to pick.
❖ Accounting department notified for invoicing.
❖ Debtors department keeps track of payment.
The integrated system keeps track of all these activities.
Business Process:
A Business Process is an activity or set of activities that will accomplish
a specific organizational goal. Business processes are designed as per the vision
and mission of top management, and are a reflection of the entity's management
thought process. The success or failure of an organization depends on how its
business processes have been designed and implemented.
Business Process Management (BPM)
It helps an organization achieve 3E’s for business processes, namely
Effectiveness, Efficiency and Economy. BPM is a systematic approach to
improving these processes.
Categories of Business Processes:
❖ Operational Processes (or Primary Processes)
Operational or Primary Processes deal with the core business and value
chain. These processes deliver value to the customer by helping to produce a
product or service. Operational processes represent essential business
activities that accomplish business objectives e.g. purchasing, manufacturing,
and sales. Also, Order to Cash cycle (O2C) and Purchase to Pay (P2P) cycles
are associated with revenue generation.
❖ Supporting Processes (or Secondary Processes)
Supporting Processes back core processes and functions within an
organization. Examples of supporting or management processes include
Accounting, Human Resource (HR) Management and workplace safety.

1|Page CA CMA R Yuvaraj


One key differentiator between operational and support processes is that
support processes do not provide value to customers directly. However, it
should be noted that hiring the right people for the right job has a direct
impact on the efficiency of the enterprise.
❖ Management Processes
Management Processes measure, monitor and control the activities
related to business procedures and systems. Examples of management
processes include internal communications, governance, strategic
planning, budgeting, and infrastructure or capacity management. Like
supporting processes, management processes do not provide value directly
to the customers. However, it has a direct impact on the efficiency of the
enterprise.
Automated Business Process
Business Process Automation (BPA):
It is the technology-enabled automation of activities or services that
accomplish a specific function, and can be implemented for many different
functions of company activities including sales, management, operations, supply
chain, human resources, information technology, etc. In other words, BPA is the
tactic a business uses to operate efficiently and effectively. It consists of
integrating applications and using software applications throughout the
organization. BPA is the practice of analyzing, documenting, optimizing and
then automating business processes.
Factors affecting BPA Success
The success of any Business Process Automation shall only be achieved
when BPA ensures the following:
➢ Confidentiality: To ensure that data is only available to persons who have
the right to see it;
➢ Integrity: To ensure that no unauthorized amendments can be made to the
data;
➢ Availability: To ensure that data is available when asked for; and
➢ Timeliness: To ensure that data is made available at the right time.



Benefits of Automating Business Process:
❖ Quality and Consistency
❖ Time Saving
❖ Visibility
❖ Improved Operational Efficiency
❖ Governance and Reliability
❖ Reduced Turnaround Time
❖ Reduced Costs
Which Business Processes should be automated?
❖ Processes involving a high volume of tasks or repetitive tasks
❖ Processes requiring multiple people to execute tasks
For example - Help desk services
❖ Time-sensitive processes
For example - online banking systems, railway/aircraft operating and control
systems, etc.
❖ Processes involving a need for compliance and an audit trail
For example - invoices issued to vendors.
❖ Processes having a significant impact on other processes and systems
For example - the marketing department may work with the sales department.
Automating these processes results in sharing information resources and
improving the efficiency and effectiveness of business processes.
Challenges involved in Business Process Automation
❖ Automating Redundant Processes – an unsuitable automation project is chosen
❖ Defining Complex Processes – reengineering of the business process is needed
❖ Staff Resistance – automation reduces their decision making
❖ Implementation Cost – acquisition/development cost is high
BPA Implementation:
Let us discuss the key steps as follows:
Step 1: Define why we plan to implement BPA.
Ans: The answer provides the justification for implementing BPA.
Step 2: Understand the rules/regulations with which the enterprise needs to
comply.
Ans: The underlying issue is that any BPA created needs to comply with
applicable laws and regulations.



Step 3: Document the process we wish to automate.
Ans: The current processes which are planned to be automated need to be
correctly and completely documented at this step.
Step 4: Define the objectives/goals to be achieved by implementing BPA.
Ans: This enables the developer and user to understand the reasons for going for
BPA. The goals need to be precise and clear.
Step 5: Engage the business process consultant.
Ans: Once the entity has been able to define the above, the entity needs to appoint
an expert who can implement it for the entity.
Step 6: Calculate the RoI (Return on Investment) for the project.
Ans: The answer to this question can be used for convincing top management to
say 'yes' to the BPA exercise.
Step 7: Developing the BPA.
Ans: Once the top management grants their approval, the right business solution
has to be procured and implemented, or developed and implemented, covering the
necessary BPA.
Step 8: Testing the BPA.
Ans: Before making the process live, the BPA solution should be fully tested.
RISK AND ITS MANAGEMENT:
Various terminologies relating to risk and its management are as follows:
Asset: Asset can be defined as something of value to the organization e.g.,
information in electronic or physical form, software systems, employees.
Threat: Any entity, circumstance, or event with the potential to harm the
software system or component through its unauthorized access, destruction,
modification, and/or denial of service is called a Threat.
Vulnerability: Vulnerability is the weakness in the system safeguards that
exposes the system to threats.
Exposure: An exposure is defined as the extent of loss an enterprise has to face
when a risk materializes. It is not just the immediate impact, but the real harm
that occurs in the long run. For example: loss of business, failure to perform the
system's mission, loss of reputation, violation of privacy and loss of resources,
etc.



Likelihood: Likelihood of the threat occurring is the estimation of the probability
that the threat will succeed in achieving an undesirable event.
Attack: An attack is an attempt to gain unauthorized access to the system’s
services or to compromise the system’s dependability.
Types of Risks
Business Risks: Business risk is a broad category which applies to any event or
circumstances related to business goals. Businesses face all kinds of risks ranging
from serious loss of profits to even bankruptcy and are discussed below:
❖ Strategic Risks- Ex: Global Market Condition.
❖ Financial Risks- Ex: Interest rates, credit risk
❖ Regulatory (Compliance) Risks- Ex: Violation of laws.
❖ Operational Risks- Ex: risk of loss resulting from inadequate or failed
internal processes.
❖ Hazard Risk: Ex: Natural disasters.
❖ Residual Risk: An organization’s management of risk should consider
these two areas - Acceptance of residual risk and Selection of safeguards.
Even when safeguards are applied, there is probably going to be some
residual risk.
Technology Risks:
❖ Downtime due to technology failure
❖ Frequent changes or obsolescence of technology
❖ Multiplicity and complexity of systems
❖ Different types of controls for different types of technologies/systems
❖ Proper alignment with business objectives and legal/regulatory
requirements
❖ Dependence on vendors due to outsourcing of IT services
❖ Vendor related concentration risks
❖ Segregation of Duties (SoD)
❖ External threats leading to cyber frauds/ crime
❖ Higher impact due to intentional or unintentional acts of internal
employees
❖ New social engineering techniques employed to acquire confidential
credentials
❖ Need for governance processes to adequately manage technology and
information security
❖ Need to ensure continuity of business processes in the event of major
exigencies



Data related risks:
❖ Data Diddling - the change of data
❖ Bomb - Bomb is a piece of bad code deliberately planted by an insider or
supplier of a program.
❖ Christmas Card
❖ Worm
❖ Rounding Down
❖ Salami Techniques
❖ Trap Doors
❖ Spoofing
❖ Asynchronous Attacks
➢ Data Leakage
➢ Subversive Attacks
➢ Wire-Tapping
➢ Piggybacking
Risk Management Strategies:
Risk Management is the process of assessing risk, taking steps to reduce
risk to an acceptable level and maintaining that level of risk. Risk management
involves identifying, measuring, and minimizing uncertain events affecting
resources.
The following risk management strategies may be applied in isolation or in combination, as required:
❖ Tolerate/Accept the risk.
❖ Terminate/ Eliminate the risk.
❖ Transfer/ Share the risk.
❖ Treat/mitigate the risk.
Enterprise Risk Management (ERM):
It may be defined as a process, effected by an entity's Board of Directors,
management and other personnel, applied in strategy setting and across the
enterprise, designed to identify potential events that may affect the entity, and
manage risk to be within its risk appetite, to provide reasonable assurance
regarding the achievement of entity objectives.
Enterprise Risk Management (ERM) Framework:
ERM is a risk-based approach which includes the methods and processes
used by organizations to manage risks. ERM provides a framework for risk
management which involves:



❖ identifying potential threats or risks.
❖ determining how big a threat or risk is, what could be its consequence, its
impact, etc.
❖ implementing controls to mitigate the risks.
ERM framework consists of eight interrelated components as follows:
❖ Internal Environment
❖ Objective Setting
❖ Event Identification
❖ Risk Assessment
❖ Risk Response
❖ Control Activities
❖ Information and Communication
❖ Monitoring
CONTROLS:
Control is defined as policies, procedures, practices and organization
structure that are designed to provide reasonable assurance that business
objectives are achieved and undesired events are prevented or detected and
corrected. The main objectives of information controls are safeguarding of assets,
maintenance of data integrity, effectiveness in achieving organizational
objectives, and efficient consumption of resources. Controls include things like
practices, policies, procedures, programs, techniques, technologies, guidelines,
and organizational structures.

IT Controls are classified into two categories (figure in the original):
❖ General Controls
❖ Application Controls



General Controls
❖ Information Security Policy
❖ Administration, Access, and Authentication
❖ Separation of key IT functions
❖ Management of Systems Acquisition and Implementation
❖ Change Management
❖ Backup, Recovery and Business Continuity
❖ Proper Development and Implementation of Application Software
❖ Confidentiality, Integrity and Availability of Software and data files
❖ Incident response and management
❖ Monitoring of Applications and supporting Servers
❖ Value Added areas of Service Level Agreements (SLA)
❖ User training and qualification of Operations personnel

Application Controls
❖ Application Controls are controls which are implemented in an
application to prevent or detect and correct errors.
❖ These are designed to ensure completeness, accuracy, authorization and
validity of data capture and transaction processing
For example: In banking, application software ensures that only transactions of
the day are accepted by the system, withdrawals are not allowed beyond limits,
etc.
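As an added illustration (example code, not from these notes or any banking product), the banking application controls just described written as a posting routine: only transactions of the day are accepted, withdrawals beyond a configured limit or beyond the balance are rejected, and every attempt is written to an audit trail. Account numbers, balances, dates and the limit are constructed values.

```python
"""Banking application controls as posting logic (added example, not from the
notes): accept only transactions dated today, reject withdrawals beyond a
configured limit or beyond the balance, and log every attempt for audit."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

# Configuration-level control: per-transaction withdrawal cap (constructed policy value).
WITHDRAWAL_LIMIT = Decimal("50000")


@dataclass
class Result:
    accepted: bool
    reason: str


def open_bank(balances):
    """Build the account master from {account_no: opening_balance}; balances
    are given as strings so the constructed sample data stays exact."""
    return {"accounts": {no: Decimal(bal) for no, bal in balances.items()},
            "audit": []}


def _parse_date(text):
    """ISO date string -> date, or None when the field is malformed."""
    try:
        return date.fromisoformat(text)
    except ValueError:
        return None


def validate(bank, account, kind, amount, value_date, today):
    """Completeness, accuracy, authorization and validity checks applied
    before a transaction is allowed to update any balance."""
    if account not in bank["accounts"]:
        return Result(False, "unknown account")            # validity: must exist in master
    try:
        amt = Decimal(amount)
    except InvalidOperation:
        return Result(False, "amount is not a number")     # accuracy: field format
    if amt <= 0:
        return Result(False, "amount must be positive")
    txn_day, cur_day = _parse_date(value_date), _parse_date(today)
    if txn_day is None or cur_day is None:
        return Result(False, "invalid date")
    if txn_day != cur_day:
        return Result(False, "only transactions of the day are accepted")
    if kind == "withdrawal":                               # authorization: limits
        if amt > WITHDRAWAL_LIMIT:
            return Result(False, "withdrawal exceeds limit")
        if amt > bank["accounts"][account]:
            return Result(False, "insufficient balance")
    elif kind != "deposit":
        return Result(False, "unknown transaction type")
    return Result(True, "ok")


def post(bank, account, kind, amount, value_date, today):
    """Validate, update the balance only when accepted, and always write the
    outcome to the audit trail (compliance / audit-trail control)."""
    result = validate(bank, account, kind, amount, value_date, today)
    if result.accepted:
        amt = Decimal(amount)
        bank["accounts"][account] += amt if kind == "deposit" else -amt
    bank["audit"].append((today, account, kind, amount, result.reason))
    return result


def balance(bank, account):
    """Current balance as a string, for reporting."""
    return str(bank["accounts"][account])
```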

Features of effective IT controls


❖ The ability to execute and plan new work.
❖ Development projects that are delivered on time and within budget.
❖ Ability to allocate resources predictably.
❖ Consistent availability and reliability of information and IT services.
❖ The ability to protect against new vulnerabilities and threats and to
recover.
❖ The efficient use of a customer support center or help desk.
❖ Heightened security awareness.



Framework of Internal Control as per Standards on Auditing
An Internal Control System -
❖ facilitates the effectiveness and efficiency of operations.
❖ helps ensure the reliability of internal and external financial reporting.
❖ assists compliance with applicable laws and regulations.
❖ helps safeguarding the assets of the entity.
As per SA 315, the five components of any internal control as they relate to a
financial statement audit are explained below:
Control Environment
❖ It is the set of standards, processes, and structures that provide the basis for
carrying out IC.
❖ The Board of Directors and Senior Management establish the tone at the top
regarding the importance of IC.
❖ The control environment comprises the integrity and ethical values of the
organization.

I. Risk Assessment
➢ Risk Assessment involves a dynamic and iterative process for identifying and
assessing risks.
➢ Identification of threats and vulnerabilities in the system.

II. Control Activities


➢ Control activities are performed at all levels of activity.
➢ They may be preventive or detective in nature.
➢ It is a range of manual and automated activities such as authorizations and
approvals, verifications, reconciliations and business performance reviews.
➢ Internal auditors are also concerned with administrative controls to achieve
effectiveness and efficiency objectives.

III. Information and Communication


➢ Information is necessary for the entity to carry out internal control
Responsibilities.
➢ Communication is the continual process of providing, sharing, and obtaining
necessary information.



IV. Monitoring of Controls
➢ Monitoring of Controls is an ongoing cyclical process.
➢ Separate evaluations conducted periodically will vary in scope and frequency
depending on assessment of risks.

Limitations of Internal Control System


IC can provide an entity with only reasonable assurance and not absolute
assurance. IC systems are subject to certain inherent limitations, such as:
➢ The cost of an internal control does not exceed the expected benefits to be
derived.
➢ Circumvention of IC through collusion with employees or with parties
outside the entity.
➢ The reasonable potential for human error such as – due to carelessness,
distraction, mistakes of judgment and misunderstanding of instructions.
➢ The possibility that a person responsible for exercising an IC could abuse that
responsibility; for example, a member of management overriding an internal
control.
➢ Manipulations by management with respect to transactions required in the
preparation of financial statements.

RISKS AND CONTROLS FOR SPECIFIC BUSINESS PROCESSES


I. Business Processes
II. Procure to Pay (P2P)
III. Order to Cash (O2C)
IV. Inventory Cycle
V. Human Resources
VI. Fixed Assets
VII. General Ledger
I. Business Processes - Risks and Controls
❖ These controls can be manual, automated or semi-automated, provided the
risk is mitigated.
❖ They can be:
Preventive - Prevent risks from actualizing
Detective - Detect the risks as they arise
Corrective - Facilitate correction
❖ Controls should be checked at three levels, namely:
Step 1: Configuration
Step 2: Masters
Step 3: Transaction

1. Configuration
❖ Configuration refers to the way a software system is set up. Ex: User
activation and deactivation.
❖ When any software is installed, values for various parameters should be
set up (configured) as per policies. Ex: Creation of Customer Type,
Vendor Type, year-end process.
❖ The various modules of the enterprise such as Purchase, Sales, Inventory,
Finance, User Access etc. must be configured. Ex: Mapping of accounts
to front-end transactions like purchase and sales.
❖ Configuration will define how the software will function and what menu
options are displayed. Ex: User Access, privileges and Password
Management.
2. Masters
❖ Masters refer to the way various parameters are set up for all modules of
the software, like Purchase, Sales, Inventory, Finance, etc.
❖ The masters are set up the first time during installation and are changed
whenever the business process rules or parameters are changed.
Example:
Vendor Master - Credit period, vendor bank account details, etc.
Customer Master - Credit limit, Bill-to address, Ship-to address, etc.
Material Master - Material type, Material description, Unit of measure.
Employee Master - Employee name, designation, salary details, etc.
❖ Any changes to these data have to be authorized by appropriate
personnel.
For example - The Customer Master will have the credit limit of the
customer. When an invoice is raised, the system will check against the
approved credit limit; if the amount invoiced is within the credit limit,
the invoice will be created, otherwise the invoice will be put on "credit hold"
till proper approvals are obtained.
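The credit-hold check and the authorization of master changes described above, as an added example (not the notes' own code, and not any particular ERP product): a customer master with an approved credit limit, invoices that go on credit hold when the limit would be breached, maker-checker approval for changing the master, and release of a hold only by an authorised role. Customer codes, user names, roles and amounts are constructed.

```python
"""Master-data and transaction controls on a customer's credit limit (added
example, not from the notes): invoices beyond the approved limit go on credit
hold, master changes need a second authorised person, and a hold is released
only by an authorised role.  Users, roles, customers and amounts are constructed."""
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed user directory and authorization matrix.
USER_ROLES = {"asha": "clerk", "ravi": "credit_controller", "meera": "finance_head"}
MASTER_CHANGE_ROLES = {"finance_head"}                      # may approve master changes
HOLD_RELEASE_ROLES = {"credit_controller", "finance_head"}  # may release a credit hold


@dataclass
class Customer:
    code: str
    credit_limit: Decimal
    outstanding: Decimal = Decimal("0")


@dataclass
class Invoice:
    number: int
    customer: str
    amount: Decimal
    status: str            # "created" or "credit hold"


@dataclass
class Ledger:
    customers: dict = field(default_factory=dict)
    invoices: list = field(default_factory=list)
    log: list = field(default_factory=list)   # audit trail of control decisions


def add_customer(ledger, code, credit_limit):
    """Create a Customer Master entry with its approved credit limit."""
    ledger.customers[code] = Customer(code, Decimal(credit_limit))


def change_credit_limit(ledger, code, new_limit, requested_by, approved_by):
    """Masters control: the change is applied only when the approver is a
    different person from the requester and holds an authorised role."""
    if approved_by == requested_by or USER_ROLES.get(approved_by) not in MASTER_CHANGE_ROLES:
        ledger.log.append(("master change rejected", code, requested_by, approved_by))
        return False
    ledger.customers[code].credit_limit = Decimal(new_limit)
    ledger.log.append(("master change applied", code, requested_by, approved_by))
    return True


def raise_invoice(ledger, code, amount):
    """Transaction control: the invoice is created if outstanding plus this
    invoice stays within the approved limit, otherwise it is put on credit hold."""
    cust = ledger.customers[code]
    amt = Decimal(amount)
    inv = Invoice(len(ledger.invoices) + 1, code, amt, "created")
    if cust.outstanding + amt > cust.credit_limit:
        inv.status = "credit hold"
    else:
        cust.outstanding += amt
    ledger.invoices.append(inv)
    ledger.log.append(("invoice", inv.number, code, str(amt), inv.status))
    return inv


def release_hold(ledger, invoice_number, approved_by):
    """Release a held invoice only on proper approval; returns the resulting status."""
    inv = ledger.invoices[invoice_number - 1]
    if inv.status != "credit hold" or USER_ROLES.get(approved_by) not in HOLD_RELEASE_ROLES:
        ledger.log.append(("release rejected", invoice_number, approved_by))
        return inv.status
    inv.status = "created"
    ledger.customers[inv.customer].outstanding += inv.amount
    ledger.log.append(("release approved", invoice_number, approved_by))
    return inv.status
```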

3. Transactions
❖ Transactions refer to the actual transactions entered through menus and
functions in the application software, through which all transactions are
initiated, authorized or approved.
For example: Sales transactions, Purchase transactions, Stock transfer
transactions, Journal entries and Payment transactions.
❖ Implementation or review of a specific business process can be done from
the risk or control perspective.

II. Procure to Pay (P2P) – Risks and Controls
❖ Procure to Pay (Purchase to Pay or P2P) is the process of obtaining and
managing the raw materials needed for manufacturing a product or
providing a service.
❖ It involves the transactional flow of data that is sent to a supplier, covering
the order and the payment for the product or service.
❖ Using automation, it should be possible to have a seamless procure-to-pay
process.

III. Order to Cash (O2C) – Risks and Controls
❖ Order to Cash (OTC or O2C) is a set of business processes that involve
receiving and fulfilling customer requests for goods or services.
❖ An O2C cycle consists of sub-processes including:
1. Customer Order: Customer order received is documented;
2. Order fulfillment: Order is fulfilled or service is scheduled;
3. Delivery Note: Order is shipped to customer or service is performed;
4. Invoicing: Invoice is created and sent to customer;
5. Collections: Customer sends payment / Collection; and
6. Accounting: Payment is recorded in general ledger.

IV. Inventory Cycle – Risks and Controls
❖ The Inventory Cycle is a process of accurately tracking the on-hand
inventory levels for an enterprise.
❖ An inventory system should maintain an accurate record of all stock
movements to calculate the correct balance of inventory.
❖ For businesses that buy, store and sell inventory, it focuses on the process
of understanding, planning and managing inventory levels, from
purchasing through more efficient auditing.
❖ The typical phases of the Inventory Cycle for Manufacturers are as
follows:
1. The Ordering phase: The amount of time it takes to order and receive
raw materials.
2. The Production phase: The WIP (work-in-progress) phase relates to the time
it takes to convert the raw material to finished goods ready for use by the customer.
3. The finished goods and delivery phase: The finished goods that remain
in stock and the delivery time to the customer.
The inventory cycle is measured in number of days.

V. Human Resources – Risks and Controls


The Human Resources (HR) life cycle refers to human resources management
and covers all the stages of an employee’s time within a specific enterprise.
1. Recruiting and On-boarding:
• It is the process of hiring a new employee.
• The role of the human resources department in this stage is to assist
in hiring.
• This might include placing the job ads, selecting candidates
• On-boarding is the process of getting the successful applicant set
up in the system as a new employee.
2. Orientation and Career Planning:
• Orientation is the process by which the employee becomes a
member of the company’s work force through learning his/her new
job duties, establishing relationships with co-workers and
supervisors.
• Career planning is the stage at which the employee and his/her
supervisors work out his/her long-term career goals with the company.

3. Career Development:
• Career development opportunities are essential to keep an
employee engaged with the company over time.
• The company also assesses the employee’s work history and
performance at this stage to determine whether he has been a
successful hire.
4. Termination or Transition:
• Some employees will leave a company through retirement after a
long and successful career. Others will choose to move on to other
opportunities or be laid off. Whatever the reason, all employees
will eventually leave the company.
• The role of HR in this process is to manage the transition by
ensuring that all policies and procedures are followed, carrying out
an exit interview.
VI. Fixed Assets – Risks and Controls
❖ It ensures that all the fixed assets of the enterprise are tracked for the
purposes of financial accounting, preventive maintenance, and theft
deterrence.
❖ It ensures that the record maintains details of location, quantity, condition,
maintenance and depreciation status. Typical steps of the fixed assets
process are as follows:
1. Procuring an asset
2. Registering or adding an asset
3. Adjusting the Assets
4. Transferring the Assets
5. Depreciating the Assets
6. Disposing the Assets

VII. General Ledger – Risks and Controls
❖ The General Ledger (GL) process refers to the process of recording the
transactions in the system through to finally generating the reports from the
financial transactions entered in the system.
❖ The input for the GL Process Flow is the financial transactions and the
outputs are various types of financial reports such as balance sheet, profit
and loss a/c, funds flow statement, ratio analysis, etc. The typical steps in the
general ledger process flow are as follows:
1. Entering financial transactions into the system
2. Reviewing Transactions
3. Approving Transactions
4. Posting of Transactions
5. Generating Financial Reports.

CHAPTER 2

FINANCIAL AND ACCOUNTING SYSTEMS

LEARNING OUTCOMES

After reading this chapter, you will be able to -
♦ Understand the working of Financial and Accounting Systems.
♦ Grasp the knowledge about Integrated and Non-Integrated Systems.
♦ Comprehend business process modules.
♦ Acknowledge Reporting Systems, Data Analytics, Business Intelligence and
Fundamentals of XBRL.
♦ Comprehend regulatory and compliance requirements and their correlation
with financial and accounting systems.

© The Institute of Chartered Accountants of India


2.2 ENTERPRISE INFORMATION SYSTEMS

Chapter overview (figure in the original):
♦ Integrated & Non-Integrated Systems
♦ Business Process Modules and Their Integration with Financial & Accounting Systems
♦ Reporting Systems and Management Information Systems
♦ Data Analytics and Business Intelligence
♦ Business Reporting and Fundamentals of XBRL
♦ Applicable Regulatory & Compliance Requirements

2.1 INTRODUCTION
This chapter is meant to provide an insight into Financial and Accounting
Systems: their working, their audit and their use for business management and
development. Financial and Accounting Systems form an integral part of any
business and act as its backbone. Financial and Accounting Systems may
include other aspects of business management like human resources, inventory,
Customer Relationship Management (CRM), etc. After going through this chapter,
a student is expected to understand the following:
♦ What is a system?
♦ What is an ERP System?
♦ What is a Financial and Accounting system?
♦ How to use it for different purposes like accounting, auditing, business
management, etc.?
♦ How to assess risks and controls of any Financial and Accounting System?




In the process of learning about Financial and Accounting Systems, there can be
different angles from which to view the same thing and to understand it better; we
shall be viewing Financial and Accounting Systems from many different angles. While
understanding the system from one angle, the other angles must be kept in mind and
cannot be ignored. Chartered Accountants are supposed to be experts in financial as
well as accounting systems. Financial and Accounting Systems do not necessarily
mean software or computerized systems only; they may include many other aspects
also.
Fig. 2.1.1 depicts different perspectives of the same view through different Professionals.

Fig. 2.1.1: Different perspectives from different Professionals


Different Requirements from Different Persons
♦ Accountant’s View – Balance Sheet and Profit & Loss Account must be
prepared easily without putting much time / efforts.
♦ Auditor’s View – Balance Sheet and Profit & Loss Account must be correct
at any point of time.
♦ Business Manager / Owner’s View – They need right information at right
point of time for right decision making.
It is the job of any Financial and Accounting System to cater to needs of all the users
simultaneously. Hence, we shall discuss Financial and Accounting Systems from all
the possible angles.




2.2 ERP AND NON-INTEGRATED SYSTEMS


2.2.1 What is a System?
It is important for us to understand what a system is and how this word relates
to the Financial and Accounting aspect. Many a time this word is mistakenly
understood as something relating to computers/software/information technology,
etc. Here, it is suggested to make this point very clear that a system may or may
not be related to computers/software/information technology, etc.
Software/Computer/Hardware may or may not form part of the overall system.
Dictionary meaning of the word System is -
“A set of principles or procedures as per which something is done; an organized
scheme or method.”
or
“A set of things working together as parts of a mechanism or an interconnecting
network; a complex whole.”
The word "System" can be explained in a simple way as "a set of detailed
methods, procedures and routines created to carry out a specific activity, perform
a duty, or solve a problem". It is an organized, purposeful structure that consists
of interrelated and interdependent elements (components, entities, factors,
members, parts, etc.). These elements continually influence one another
(directly or indirectly) to maintain their activity and the existence of the system,
and to achieve the goal of the system. All systems generally-
(a) have inputs, outputs and feedback mechanisms;
(b) maintain an internal steady-state despite a changing external environment;
and
(c) have boundaries that are usually defined by the system observer.
Systems may consist of sub-systems also which are a part of a larger system.
Systems stop functioning when an element is removed or changed significantly.
Together, they allow understanding and interpretation.
The human body is a natural and complete system. We know about the word
"Ecosystem". Every human body is a part of an ecosystem. An ecosystem includes all
the living things (plants, animals and organisms) in an area, interacting with each
other and with their non-living environment (weather, earth, sun, soil, climate,
and atmosphere). In an ecosystem, each organism has its own niche or role to
play. In another example, a business is said to be a system as it contains inputs
such as people, machines, money, materials, etc. which undergo different processes
such as production, marketing, finance, etc. and produce outputs like goods and
services depending on the nature of the business.
In this chapter, we are discussing system for business finance and accounting.
A system includes defined methods and process to perform an activity. So
basically, processes are important components in any system.
2.2.2 What is a Process?
In the systems engineering arena, a Process is defined as a sequence of events
that uses inputs to produce outputs. This is a broad definition and can include
sequences as mechanical as reading a file and transforming the file to a desired
output format; to taking a customer order, filling that order, and issuing the
customer invoice.
From a business perspective, a Process is a coordinated and standardized flow of
activities performed by people or machines, which can traverse functional or
departmental boundaries to achieve a business objective and creates value for
internal or external customers.
2.2.3 Concepts in Computerized Accounting Systems
As we are discussing about Financial & Accounting Systems, it is necessary to
discuss some concepts to understand Financial and Accounting systems in a better
way.
I. Types of Data
Every accounting system stores data in two ways: Master Data and Non-Master
Data (or Transaction Data), as shown in Fig. 2.2.1.

Fig. 2.2.1: Types of Data (Data is divided into Master and Non-Master data)

♦ Master Data: Relatively permanent data not expected to change frequently.
♦ Non-Master Data: Non-permanent data, expected to change frequently.




A. Master Data: As defined above, master data is relatively permanent data
that is not expected to change again and again. It may change, but not
frequently. In accounting systems, there may be the following types of master
data, as shown in Fig. 2.2.2.

Fig. 2.2.2: Types of Master Data in Financial and Accounting Systems (Accounting
Master Data, Inventory Master Data, Payroll Master Data, Statutory Master Data)

a. Accounting Master Data – This includes names of ledgers, groups, cost
centres, accounting voucher types, etc. For example, the Capital Ledger is
created once and not expected to change frequently. Similarly, all other
ledgers like sales, purchase, expense and income ledgers are created once
and not expected to change again and again. The opening balance carried
forward from the previous year to the next year is also a part of master data and
not expected to change.
b. Inventory Master Data – This includes stock items, stock groups, godowns,
inventory voucher types, etc. Stock items are the goods bought and sold for
business purposes, i.e. trading goods. For example, if a person is in the
business of dealing in white goods, the stock items shall be Television,
Fridge, Air Conditioner, etc. For a person running a medicine shop, all types
of medicines shall be stock items.
c. Payroll Master Data – Payroll is another area connected with Accounting
Systems. Payroll is a system for the calculation of salary and recording of
transactions relating to employees. Master data in the case of payroll can be
names of employees, groups of employees, salary structure, pay heads, etc.
These data are not expected to change frequently. For example, Employee
Master Data created in the system will remain as it is for a longer period of
time; his/her salary structure may change, but not frequently, and the pay heads
associated with his/her salary structure will be relatively permanent.
d. Statutory Master Data – This is a master data relating to statute/law. It
may be different for different type of taxes. For example- Goods and Service
Tax (GST), Nature of Payments for Tax Deducted at Source (TDS), Tax
Collected at Source (TCS) etc. This data also shall be relatively permanent.



FINANCIAL AND ACCOUNTING SYSTEMS 2.7

We don’t have any control over this data, as statutory changes are made by the
Government and not by us. In case of a change in tax rates, forms or categories,
we need to update/change our master data.
All business process modules must use common master data.
B. Non-Master Data: This is data which is expected to change frequently,
again and again, and is not permanent data. For example, the amount recorded in
each transaction shall be different every time and is expected to change again and
again. The date recorded in each transaction is expected to change again and again
and will not be constant across all the transactions.
Example 2.1: To understand the concept of master data and non-master data in a
simple way, let us co-relate this with ourselves using the following example.
Our Personal Master Data – Our Name, Names of Parents, Address, Blood Group,
Gender, Date of Birth, etc. are personal master data and are not expected to change.
Our address may change, but not frequently.
Our Personal Non-Master Data – Contrary to this, there may be some information
about us which falls in the category of non-master data, i.e. not permanent
data. For example, Date of Birth is master data but age is non-master data,
weight is non-master data, and our likes and dislikes again are non-master data.
C. Why Master and Non-Master Data?
Basic objective of accounting system is to record input in the form of transactions
and generate output in the form of reports as shown in the Fig. 2.2.3.

Fig. 2.2.3: Objective of Accounting System (Transactions → Processing → Reports)


Let us consider a simple transaction of capital introduction in business in cash
₹ 1,00,000. This transaction is recorded as under in Table 2.2.1.
Table 2.2.1: Data Sample Transaction

Receipt No. 1                                      Date: 01st Apr., 2017
Cash                                 Dr.   1,00,000
    To Capital                       Cr.   1,00,000
Narration: (Being capital introduced in business)

The above information is stored in Accounting Information Systems in two ways, in
the form of Master Data and Transaction Data. Let us understand what is stored
in the system through Table 2.2.2.
Table 2.2.2: Data Stored in Forms

Master Data                                         Non-Master Data
Voucher Type (i.e. Receipt Voucher in this case)    Voucher Number (i.e. 1 in this case)
Debit Ledger Name (i.e. Cash in this case)          Debit Ledger Amount (i.e. ₹ 1,00,000 in this case)
Credit Ledger Name (i.e. Capital in this case)      Credit Ledger Amount (i.e. ₹ 1,00,000 in this case)
                                                    Date (i.e. 01st Apr., 2017 in this case)
                                                    Narration

Please note:
♦ Master data is generally not typed by the user; it is selected from the available
list. For example, the Debit Ledger name is selected from the available list of
ledgers. If the ledger has not been created, the user needs to create it first to
complete the voucher entry.
♦ Master data entry is usually done less frequently, say once a year or when there is a
need to update. For example, prices are contracted with Vendors after deliberations
and the agreed prices are updated in the Vendor master when new prices are
negotiated. Generally, these are not done as frequently as the transactions with the
Vendor itself. An effective control over master data entry would be a ‘four eye’ check,
where another person independently checks whether the master data
entry has been accurately done in the financial system of the company.
♦ Non-master data is typed by the user and not selected from an available list, as it
is non-permanent and keeps on changing again and again.
♦ Sometimes transactional data could also be selected from a drop-down list of
inputs available to the user. For example, when a GRN (Goods Receipt Note) is
created by the Stores/Warehouse personnel, they might only select the open
purchase orders available in the system and input the actual quantities received. In
this case, many fields required to complete the transaction are pre-filled by the
system and the user is not allowed to edit those fields.
♦ Master data is selected from the available list of masters (e.g. Ledgers) to
maintain standardization, as we need to collect all the transactions relating to
one master data at one place for reporting. For example, all cash transactions
are collected in the Cash Ledger for reporting purposes and all transactions relating to
capital are collected in the Capital Ledger for reporting purposes.
♦ While inputting the information, the user is forced to select master data from the
available list just to avoid confusion while preparing reports. For example, the
same ledger name may otherwise be written differently.
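The points above (master fields selected from a list, non-master fields typed, and a ‘four eye’ check on master data changes) can be enforced in code. The following is an added illustration and not code from the study material or any accounting product; the ledger names, user names and the voucher are constructed sample data.

```python
"""Added example, not from the ICAI study material: enforcing the master /
non-master split at voucher entry. Master fields (voucher type, ledger names)
must come from the master lists; non-master fields (amount, date, narration)
are typed by the user. A change to the ledger master needs a 'four eye'
(maker-checker) approval before the new ledger can be used in a voucher.
All ledger names, user names and the voucher below are constructed."""
from dataclasses import dataclass
from datetime import date


class MasterDataStore:
    """Master lists plus a pending queue for four-eye approval of changes."""

    def __init__(self):
        self.voucher_types = {"Contra", "Payment", "Receipt", "Journal",
                              "Sales", "Purchase"}
        self.ledgers = {"Cash", "Capital", "Sales", "Purchase"}
        self.pending = {}          # request id -> (ledger name, maker)
        self._next_id = 1

    def request_ledger(self, name, maker):
        """Maker proposes a new ledger; it is not usable until checked."""
        req_id = self._next_id
        self._next_id += 1
        self.pending[req_id] = (name.strip(), maker)
        return req_id

    def approve_ledger(self, req_id, checker):
        """Checker independently approves; the maker cannot check own entry."""
        name, maker = self.pending[req_id]
        if checker == maker:
            raise PermissionError("four eye check: maker cannot be the checker")
        del self.pending[req_id]
        self.ledgers.add(name)
        return name


@dataclass
class Voucher:
    voucher_type: str     # master data: selected from a list
    debit_ledger: str     # master data: selected from a list
    credit_ledger: str    # master data: selected from a list
    amount: int           # non-master data: typed (rupees)
    vdate: date           # non-master data: typed
    narration: str = ""   # non-master data: typed


def validate_voucher(v, store):
    """Return a list of errors; an empty list means the voucher can be saved."""
    errs = []
    if v.voucher_type not in store.voucher_types:
        errs.append(f"unknown voucher type {v.voucher_type!r}")
    for side, ledger in (("debit", v.debit_ledger), ("credit", v.credit_ledger)):
        if ledger not in store.ledgers:
            errs.append(f"{side} ledger {ledger!r} is not in the ledger master; "
                        "create it first")
    if v.amount <= 0:
        errs.append("amount must be positive")
    if v.debit_ledger == v.credit_ledger:
        errs.append("debit and credit ledger cannot be the same")
    return errs


def demo():
    store = MasterDataStore()
    # The Table 2.2.1 transaction: capital of Rs 1,00,000 introduced in cash.
    ok = Voucher("Receipt", "Cash", "Capital", 100000, date(2017, 4, 1),
                 "Being capital introduced in business")
    # A mistyped ledger name is rejected: masters are selected, never typed.
    bad = Voucher("Receipt", "Cash", "Capitl", 100000, date(2017, 4, 1))
    results = {"ok": validate_voucher(ok, store),
               "bad": validate_voucher(bad, store)}
    # Master data change under four-eye control: alice proposes, bob approves.
    req = store.request_ledger("Rent", maker="alice")
    try:
        store.approve_ledger(req, checker="alice")   # self-approval is blocked
        results["self_approve_blocked"] = False
    except PermissionError:
        results["self_approve_blocked"] = True
    store.approve_ledger(req, checker="bob")
    results["rent_usable"] = "Rent" in store.ledgers
    return results
```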
II. Voucher Types
In accounting language, a Voucher is documentary evidence of a transaction.
There may be different documentary evidence for different types of transactions.
For example, a receipt given to a customer after he/she makes a payment is
documentary evidence of the amount received. A sales invoice or a purchase invoice
is also documentary evidence of a transaction. A journal voucher is documentary
evidence of a non-cash/bank transaction. In accounting, every transaction, before
it is recorded in the accounting system, must be supported by documentary
proof. In computer language, the word voucher has a slightly different meaning.
A voucher is a place where transactions are recorded. It is a data input form for
inputting transaction data. In accounting, there may be different types of
transactions; hence we use different voucher types for recording different
transactions. Generally, the following types of vouchers are used in accounting
systems, as shown in Table 2.2.3.
Table 2.2.3: Voucher Types

Module – Accounting
S. No.  Voucher Type    Use
1       Contra          For recording of four types of transactions as under:
                        a. Cash deposit in bank.
                        b. Cash withdrawal from bank.
                        c. Cash transfer from one location to another.
                        d. Fund transfer from one of our bank accounts to
                           another of our own bank accounts.
2       Payment         For recording of all types of payments, whenever
                        money is going out of the business by any mode
                        (cash/bank). E.g. Payment of salary and rent.
3       Receipt         For recording of all types of receipts, whenever
                        money is being received into the business from
                        outside by any mode (cash/bank). E.g. Interest
                        received from bank.
4       Journal         For recording of all non-cash/bank transactions. E.g.
                        Depreciation, Provision, Write-off, Write-back,
                        Discount given/received, Purchase/Sale of fixed
                        assets on credit, etc.
5       Sales           For recording all types of trading sales by any mode
                        (cash/bank/credit).
6       Purchase        For recording all types of trading purchases by any
                        mode (cash/bank/credit).
7       Credit Note     For making changes/corrections in already recorded
                        sales/purchase transactions.
8       Debit Note      For making changes/corrections in already recorded
                        sales/purchase transactions.
9       Memorandum      For recording of transactions which will be in the
                        system but will not affect the trial balance. In other
                        words, memorandum vouchers are used to record
                        suspense payments, receipts, sales, purchases, etc.,
                        e.g. conveyance expenses.
Module – Inventory
10      Purchase Order  For recording of a purchase order raised by a vendor.
11      Sales Order     For recording of a sales order received from a customer.
12      Stock Journal   For recording of physical movement of stock from one
                        location to another. E.g. Inter-Godown Transfer.
13      Physical Stock  For making corrections in stock after physical counting.
14      Delivery Note   For recording of physical delivery of goods sold to a
                        customer.
15      Receipt Note    For recording of physical receipt of goods purchased
                        from a vendor.
Module – Payroll
16      Attendance      For recording of attendance of employees.
17      Payroll         A payroll voucher is used to record all employee-related
                        transactions. It includes all the computation for the
                        respective pay-heads for salary calculation of employees.

In some financial systems, instead of the word “Voucher”, the word “Document” is
used. Table 2.2.3 above shows an illustrative list of some of the voucher types.
Different systems may have some more voucher types. Also, a user may create any
number of new voucher types as per requirement. For example, in Table 2.2.3,
only the “Payment” voucher type is mentioned to record payments. But a user may
create two different voucher types for making payments through two different
modes, i.e. Cash Payment and Bank Payment.
III. Voucher Number
A Voucher Number or a Document Number is the unique identity of any
voucher/document. A voucher may be identified or searched using its unique
voucher number. Let us understand some peculiarities about voucher numbering.
• Voucher number must be unique.
• Every voucher type shall have a separate numbering series.
• A voucher number may have a prefix or a suffix or both, e.g. ICPL/2034/17-18.
In this case “ICPL” is the prefix, “17-18” is the suffix and “2034” is the actual
number of the voucher.
• All vouchers must be numbered serially, i.e. 1, 2, 3, 4, 5, 6 and so on.
• All vouchers are recorded in chronological order and hence a voucher
recorded earlier must have an earlier number, i.e. if the voucher number of a
payment voucher dated 15th April, 2017 is 112, the voucher numbers of
all the vouchers recorded after this date shall be greater than 112.
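The numbering rules above, turned into a small allocator as an added illustration (not code from the study material or any accounting product). The company code “ICPL”, the financial year suffix “17-18” and the voucher dates are constructed sample values; the voucher type is put into the prefix so that the separate series can never produce the same number.

```python
"""Added example, not from the ICAI study material: a voucher number
allocator that enforces the rules above, i.e. a separate series per voucher
type, serial numbers starting at 1, a prefix and suffix in the
PREFIX/number/SUFFIX form of ICPL/2034/17-18, global uniqueness, and
chronological order within a series. The company code "ICPL", the financial
year suffix "17-18" and the dates are constructed sample values."""
from datetime import date


class VoucherSeries:
    """One numbering series, e.g. all Payment vouchers of one financial year."""

    def __init__(self, prefix, suffix, start=1):
        self.prefix, self.suffix = prefix, suffix
        self.next_number = start
        self.last_date = None

    def allocate(self, vdate):
        """Issue the next serial number; a backdated voucher is refused."""
        if self.last_date is not None and vdate < self.last_date:
            raise ValueError(
                f"voucher dated {vdate} is earlier than the last voucher "
                f"({self.last_date}) in series {self.prefix}/{self.suffix}")
        number = f"{self.prefix}/{self.next_number}/{self.suffix}"
        self.next_number += 1
        self.last_date = vdate
        return number


class VoucherNumbering:
    """Separate series per voucher type plus a global uniqueness index."""

    def __init__(self, company, fy):
        self.company, self.fy = company, fy
        self.series = {}       # voucher type -> VoucherSeries
        self.index = {}        # voucher number -> (voucher type, ISO date)

    def allocate(self, voucher_type, vdate):
        series = self.series.get(voucher_type)
        if series is None:
            # The voucher type forms part of the prefix so that numbers of
            # different series can never collide.
            prefix = f"{self.company}/{voucher_type.upper()}"
            series = self.series[voucher_type] = VoucherSeries(prefix, self.fy)
        number = series.allocate(vdate)
        if number in self.index:          # must never happen; defensive
            raise RuntimeError(f"duplicate voucher number {number}")
        self.index[number] = (voucher_type, vdate.isoformat())
        return number

    def find(self, number):
        """Search a voucher by its unique number."""
        return self.index.get(number)


def parse_number(number):
    """Split PREFIX/number/SUFFIX into its parts; the prefix may itself
    contain '/' (as in ICPL/PAYMENT/12/17-18)."""
    parts = number.split("/")
    if len(parts) < 3 or not parts[-2].isdigit():
        raise ValueError(f"malformed voucher number {number!r}")
    return "/".join(parts[:-2]), int(parts[-2]), parts[-1]


def demo():
    numbering = VoucherNumbering(company="ICPL", fy="17-18")
    p1 = numbering.allocate("Payment", date(2017, 4, 15))
    p2 = numbering.allocate("Payment", date(2017, 4, 20))
    r1 = numbering.allocate("Receipt", date(2017, 4, 16))   # its own series
    try:
        numbering.allocate("Payment", date(2017, 4, 10))    # dated before p2
        backdated_rejected = False
    except ValueError:
        backdated_rejected = True
    return {
        "payment": [p1, p2],
        "receipt": r1,
        "backdated_rejected": backdated_rejected,
        "lookup": numbering.find(p2),
        "parsed": parse_number("ICPL/2034/17-18"),
    }
```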
IV. Accounting Flow
In Introduction part, we have discussed accounting flow from the angle of an
accountant. Now, we are going to discuss accounting flow from the angle of
software.
Fig. 2.2.4: Flow of Accounting (Transactions → Voucher Entry [performed by
Humans] → Posting → Balancing → Trial Balance → Profit & Loss Account and
Balance Sheet [performed by Software])


As shown in the Fig. 2.2.4 regarding the flow of accounting, in all there are seven
steps in accounting flow, out of which only first two steps require human
intervention. Remaining five steps are mechanical steps and can be performed by
software with high speed and accuracy. Also, these five steps, i.e. Posting,
Balancing, Trial Balance preparation, Profit and Loss Account preparation and
Balance Sheet preparation are time consuming jobs and require huge efforts.
In very few cases, voucher entry may be automated and performed by software
automatically. For example- Interest calculation and application on monthly basis
by a bank can be done by software automatically at the end of the month. But
largely, voucher entry has to be done by a human being only.
V. Types of Ledgers
In accounting, we have studied that there are three types of ledger accounts, i.e.
Personal, Real and Nominal. But as far as Financial and Accounting Systems are
concerned, ledgers may be classified into two types only: Ledgers having a Debit
Balance and Ledgers having a Credit Balance. Why is this so? Let us understand
with the help of Fig. 2.2.5.

Fig. 2.2.5: Types of Ledgers (Ledgers with a Debit Balance: Asset, Expense;
Ledgers with a Credit Balance: Income, Liability. Expense and Income ledgers
go to the Profit & Loss Account; Asset and Liability ledgers go to the Balance
Sheet)


Please note –
♦ Basic objective of accounting software is to generate two primary
accounting reports, i.e. Profit & Loss Account and Balance Sheet. Ledger
grouping is used for preparation of reports, i.e. Balance Sheet and Profit &
Loss Account.


♦ Hence every ledger is classified in one of the four categories, i.e. Asset,
Expense, Income or Liability. It cannot be categorized in more than one
category. Examples of ledger accounts are as follows:
(a) Assets include Cash, property, plant and equipment, accounts
receivable, etc.
(b) Expenses include salary, insurance, utilities, etc.
(c) Income includes sales, interest income, rent income and other
operating income, etc.
(d) Liabilities include Debt/loans, accounts payable, outstanding
expenses, etc.
♦ Difference between Total Income and Total Expenses, i.e. Profit & Loss, as
the case may be, is taken to Balance Sheet. So, everything in accounting
software boils down to Balance Sheet. Balance Sheet is the last point in
accounting process.
♦ Income and Expense ledgers are considered in Profit and Loss Account
and Asset and Liability ledgers are considered in Balance Sheet.
♦ Accounting software does not recognize any ledger as Personal, Real or
Nominal; instead it recognizes it as an Asset, Liability, Income or Expense
Ledger.
VI. Grouping of Ledgers
At the time of creation of any new ledger, it must be placed under a particular
group. There are four basic groups in Accounting, i.e. Income, Expense, Asset and
Liability. There may be any number of sub groups under these four basic groups.
Grouping is important as this is the way to tell the software about the nature of the
ledger and where it is to be shown at the time of reporting.
For example, the Cash ledger is an asset ledger and should be shown under current
assets in the Balance Sheet. If we group the cash ledger under indirect expenses, it shall
be displayed in the profit and loss account as expenditure. Liabilities are recorded on
the balance sheet and measure the obligations that a company needs to meet.
Liabilities include loans, accounts payable, deferred revenues and accrued
expenses. In a similar way, Income includes Direct income and Indirect income.
Direct income can include Apprentice Premium and factory income, and indirect
income includes Bad Debts and Commission Received by the company. Software
cannot prevent incorrect grouping of a ledger.
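The mechanical steps of Fig. 2.2.4 (IV), the debit/credit classification of ledgers (V) and the grouping rule just described (VI) are worked through below as one added example, not code from the study material or any accounting product. The vouchers, ledger names and sub group names are constructed sample data; the second run regroups Cash under Indirect Expenses to show that the software posts and balances it without complaint.

```python
"""Added example, not from the ICAI study material: the mechanical steps of
Fig. 2.2.4 (posting, balancing, trial balance, Profit & Loss Account and
Balance Sheet) driven purely by ledger grouping. Each ledger sits under one
sub group, each sub group under exactly one of the four basic groups, and
that grouping alone decides whether a balance appears in the P&L or in the
Balance Sheet. The vouchers, ledger names and sub group names are
constructed sample data. Amounts are in rupees."""
from collections import defaultdict

ASSET, LIABILITY, INCOME, EXPENSE = "Asset", "Liability", "Income", "Expense"

# Sub group -> basic group. Ledgers are grouped under a sub group.
SUB_GROUPS = {
    "Current Assets": ASSET,
    "Capital Account": LIABILITY,
    "Sales Accounts": INCOME,
    "Indirect Expenses": EXPENSE,
}


def post(vouchers, ledger_groups):
    """Posting: accumulate debits and credits per ledger from vouchers.
    A voucher is (debit_ledger, credit_ledger, amount)."""
    dr, cr = defaultdict(int), defaultdict(int)
    for debit, credit, amount in vouchers:
        for name in (debit, credit):
            if name not in ledger_groups:
                raise KeyError(f"ledger {name!r} has no group; cannot post")
        dr[debit] += amount
        cr[credit] += amount
    return dr, cr


def balance(dr, cr):
    """Balancing: net each ledger to one closing balance.
    Positive means a debit balance, negative a credit balance."""
    return {name: dr[name] - cr[name] for name in set(dr) | set(cr)}


def trial_balance(balances):
    """Debit and credit totals; they agree whenever posting was complete."""
    debit_total = sum(b for b in balances.values() if b > 0)
    credit_total = -sum(b for b in balances.values() if b < 0)
    return debit_total, credit_total


def _total(balances, ledger_groups, basic, sign):
    """Sum the balances of all ledgers whose basic group is `basic`."""
    return sum(sign * b for n, b in balances.items()
               if SUB_GROUPS[ledger_groups[n]] == basic)


def profit_and_loss(balances, ledger_groups):
    income = _total(balances, ledger_groups, INCOME, -1)   # credit balances
    expense = _total(balances, ledger_groups, EXPENSE, 1)  # debit balances
    return {"income": income, "expense": expense, "profit": income - expense}


def balance_sheet(balances, ledger_groups):
    assets = _total(balances, ledger_groups, ASSET, 1)
    liabilities = _total(balances, ledger_groups, LIABILITY, -1)
    # The P&L result is taken to the Balance Sheet on the liability side.
    profit = profit_and_loss(balances, ledger_groups)["profit"]
    return {"assets": assets, "liabilities": liabilities + profit,
            "balanced": assets == liabilities + profit}


def run(ledger_groups):
    vouchers = [("Cash", "Capital", 100000),   # Receipt: capital introduced
                ("Cash", "Sales", 30000),      # Sales: cash sale
                ("Rent", "Cash", 5000)]        # Payment: rent paid
    balances = balance(*post(vouchers, ledger_groups))
    return {"balances": balances,
            "trial": trial_balance(balances),
            "pl": profit_and_loss(balances, ledger_groups),
            "bs": balance_sheet(balances, ledger_groups)}


def demo():
    correct = {"Cash": "Current Assets", "Capital": "Capital Account",
               "Sales": "Sales Accounts", "Rent": "Indirect Expenses"}
    # Same vouchers, but Cash wrongly grouped under Indirect Expenses: the
    # trial balance still agrees and nothing stops the posting, yet cash
    # now appears in the P&L as expenditure and vanishes from the assets.
    misgrouped = dict(correct, Cash="Indirect Expenses")
    return {"correct": run(correct), "misgrouped": run(misgrouped)}
```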


2.2.4 Technical Concepts

As nowadays almost all Financial and Accounting Systems are computerized,
it is necessary to understand how they work. We are going to understand
technical concepts from the perspective of a non-technical person or a layman
who does not understand technicalities and does not want to go into technical
details.
A. Working of any software (Refer Fig. 2.2.6)

Fig. 2.2.6: Types of software (User ↔ Front End ↔ Back End)


(i) Front End and Back End
These two words are used by software people again and again. Let us understand
these two words in simple language.
♦ Front End – It is the part of the overall software which actually interacts with
the user who is using the software.
♦ Back End – It is the part of the overall software which does not directly
interact with the user but interacts with the Front End only.
If a user wants some information from the system, say a Balance Sheet:
♦ The user will interact with the Front End part of the software and request the front
end to generate the report.
♦ The Front End will receive the instruction from the user and pass it on to the back end.
♦ The Back End will process the data, generate the report and send it to the front
end. The front end will now display the information to the user.
♦ This is how the process gets completed each and every time.
To understand this concept in a better way, let us try to co-relate this with a
situation in a restaurant, as shown in Fig. 2.2.7.


Fig. 2.2.7: An Illustrative Situation (For a customer in a Restaurant): Customer
(User) ↔ Waiter (Front End) ↔ Cook (Back End)


♦ A customer will place an order with the waiter (Front End) and not with the cook
(Back End) directly.
♦ The waiter will receive the order and pass it to the cook in the kitchen.
♦ The cook will prepare the food as per the requirement and hand it over to the waiter.
♦ The waiter will serve the food to the customer.

(ii) Why separate Front End and Back End Software? Why not only one?

Reasons behind this can be summarized as under in the Table 2.2.4.

Table 2.2.4: Front End and Back End for Situation (cited in Fig. 2.2.7)

Reason: Domain Expertise
  Restaurant: A waiter is an expert in handling customers; a cook is an expert in
  cooking. These two jobs are separate and should not be mixed with each other.
  Both the jobs must be performed with topmost quality.
  Software: Front end software is meant for handling requests from users. Back
  end software is meant for storing and handling the data.
Reason: Presentation
  Restaurant: A waiter can present himself as well as the food in a better way.
  Everybody likes good presentation. One cannot expect a presentable cook as
  he/she works in the kitchen.
  Software: Front end software interacting with a user is meant for presenting
  information in a proper format, with different colours, bold and italic letters,
  tables, charts, etc. Back end software is not meant for this and cannot be
  expected to do it.
Reason: User Experience
  Restaurant: The waiter handles processed food and not raw material. The whole
  process of getting the desired food, from ordering to billing, should be smooth
  and the user experience should be very good. This is supposed to be done by a
  well-trained waiter. This cannot be expected from a cook.
  Software: Front end software should guide a user to the desired report or
  feature. Front end software handles processed data and not raw data like the
  back end does. The user interface of the front-end software needs to be
  intuitive, i.e. the user should need to seek help as little as possible.
Reason: Speed
  Restaurant: After placing an order, the customer expects quick delivery of
  food; nobody likes a waiting period. This is possible only with segregation of
  duties. The waiter will handle the customers only. The cook will keep on
  cooking only. Repeating the same activity again and again increases expertise
  and efficiency.
  Software: Using a single piece of software for both aspects would
  unnecessarily increase the load and slow down the speed. Separate back end
  software is used for handling data only. This reduces the load and increases
  the speed of operations.
Reason: Language
  Restaurant: A waiter needs to be polished and polite. He/she needs to
  understand the language of the customer and speak to the customer in the
  language in which the customer is comfortable. The cook has nothing to do
  with this aspect as he is not interacting with customers. His job is to prepare
  the best quality food only.
  Software: The front end speaks in the language understood by the user and
  understands the language spoken by the back end. The back end speaks in a
  technical language not understood by a layman. The front end can speak in
  both languages: the user’s language and the technical language.

(iii) Application Software

As discussed in the previous chapter, application software performs many
functions such as receiving inputs from the user, interpreting the instructions
and performing logical functions so that the desired output is achieved. Examples of
application software would include SAP, Oracle Financials, MFG Pro, etc.


In most software, there are three layers which together form the application,
namely an Application Layer, an Operating System Layer and a Database
Layer. This is called Three Tier architecture.
o The Application Layer receives the inputs from the users and performs
certain validations, such as whether the user is authorized to request the transaction.
o The Operating System Layer carries these instructions and processes them
using the data stored in the database and returns the results to the
application layer.
o The Database Layer stores the data in a certain form. For a transaction to
be completed, all the three layers need to be invoked. Most application
software is built on this model these days.
B. Installed Applications v/s Cloud-based Applications
There are two ways (as shown in Table 2.2.5) of using software,
including Financial & Accounting Software.
o Installed Applications: These are programs that are installed on the hard
disc of the user’s computer.
o Cloud Applications: Web Applications are not installed on the hard disc of
the user’s computer; they are installed on a web server and accessed using a
browser and an internet connection. As technology and internet connectivity
improved, virtually all web-based applications have moved to cloud-based
applications. These days many organizations do not want to install Financial
Applications on their own IT infrastructure. For many organizations, the
thought process is that it is not their primary function to operate complex IT
systems and to have a dedicated IT team and hardware, which requires
hiring highly skilled IT resources and maintaining the hardware and software
to run daily operations. The costs may become prohibitive. Thus,
organizations increasingly are hosting their applications on the Internet and
outsourcing the IT functions. There are many methods through which this can
be achieved, the most common among them being SaaS (Software as a Service)
or IaaS (Infrastructure as a Service) of Cloud Computing.
(The details of Cloud Computing Service models are discussed in
Chapter 4 of the study material.)


Table 2.2.5: Installed and Cloud Based Applications

Particulars: Installation and Maintenance
  Installed Application: As the software is installed on the hard disc of the
  computer used by the user, it needs to be installed on every computer one by
  one. This may take a lot of time. Also, maintenance and updating of the
  software may take a lot of time and effort.
  Cloud Based Application: Installation on the user’s computer is not required.
  Update and maintenance are the defined responsibility of the service provider.
Particulars: Accessibility
  Installed Application: As the software is installed on the hard disc of the
  user’s computer, the user needs to go to the computer in which the software
  is installed to use the software. It cannot be used from any other computer.
  Cloud Based Application: As the software is available through online access,
  a browser and an internet connection are needed to use the software. It can
  be used from any computer in the world. Access to the software becomes very
  easy. Also, it can be used 24 x 7.
Particulars: Mobile Application
  Installed Application: Using the software through a mobile application is
  difficult in this case.
  Cloud Based Application: A mobile application becomes very easy as data is
  available 24 x 7. As technology evolves, mobile technology is becoming an
  industry norm that makes cloud based applications future oriented.
Particulars: Data Storage
  Installed Application: Data is physically stored in the premises of the user,
  i.e. on the hard disc of the user’s server computer. Hence the user will have
  full control over the data.
  Cloud Based Application: Data is not stored on the user’s server computer.
  It is stored on a web server. Ownership of data is defined in the Service Level
  Agreement (SLA). The SLA defines the rights, responsibilities and authority of
  both the service provider and the service user.
Particulars: Data Security
  Installed Application: As the data is in the physical control of the user, the
  user shall have full physical control over the data and he/she can ensure that
  it is not accessed without proper access.
  Cloud Based Application: Data security is a challenge in the case of a cloud
  based application as the data is not in the control of the user or owner of the
  data. As time evolves, SLAs provide for details of the back-up and disaster
  recovery alternatives being used by the service provider.
Particulars: Performance
  Installed Application: A well written installed application shall always be
  faster than a web application, the reason being that data is picked from the
  local server without the internet.
  Cloud Based Application: Access is dependent on the speed of the internet.
  Slow internet slows access to information and may slow operations.
Particulars: Flexibility
  Installed Application: It shall have more flexibility and controls as compared
  to a web application. It is very easy to write desktop applications that take
  advantage of the user’s hardware (such as scanners, cameras, Wi-Fi, serial
  ports, network ports, etc.). Installed applications have the disadvantage of
  higher Capital Expenditure (CAPEX) in comparison to cloud based applications.
  Cloud Based Application: The success of cloud based applications is that
  they allow flexibility against both Capital Expenditure (CAPEX) and Operating
  Expense (OPEX) to the user. The user can scale up operations as per need.

2.2.5 Non-Integrated System

A Non-Integrated System is a system of maintaining data in a decentralized way.
Each department maintains its own data separately and not in an integrated
way. This is the major problem with non-integrated systems.

Fig. 2.2.8: Non-Integrated Systems (separate systems for Human Resource,
Accounting, Marketing, Production, Purchase, Logistics and Quality Control)


The Fig. 2.2.8 shows a typical non-integrated environment where all the
departments are working independently and using their own set of data. They
need to communicate with each other, but still they use their own data. This
results in two major problems - Communication Gaps and Mismatched Data.
Communication between different business units is a major aspect for success of
any organization.
Example 2.2: Let us consider an example of mismatched master data. Customer
records created by different departments for one customer named Ms. Jayshree
Jadhao are shown in the following Table 2.2.6, with the same customer name written
differently.
Table 2.2.6: Example 2.2 Explanation
Sr. No.  Name                  Sr. No.  Name
1        Jayashri Jadhav       10       Jayshri Jadhaw
2        Jayashree Jadhav      11       Jayshree Jadhaw
3        Jayshri Jadhav        12       Jayashri Jadhao
4        Jayshree Jadhav       13       Jayashree Jadhao
5        Jayashri Jadhaw       14       Jayshri Jadhao
6        Jayashree Jadhaw      15       Jayshree Jadhao
7        Jaishri Jadhav        16       Jaishree Jadhav
8        Jaishri Jadhao        17       Jaishree Jadhao
9        Jaishri Jadhaw        18       Jaishree Jadhaw

In the above case, we have considered first name and last name only. Had we used
middle name also, few more permutations would have been possible. This may lead
to total confusion in an organization at the time of inter-department communication.
2.2.6 Enterprise Resource Planning (ERP) Systems
It is an overall business management system that caters to the needs of all the people
connected with the organization. Every organization uses a variety of resources in
achieving its organizational goals. ERP is an enterprise-wide information system
designed to coordinate all the resources, information, and activities needed to
complete business processes such as order fulfilment or billing.
The Accounting and Finance function is considered the backbone of any business.
Hence, Financial & Accounting Systems are an important and integral part of ERP
systems. An ERP system includes many other functions also. An ERP system
supports most of the business systems, maintaining in a single database the data
needed for a variety of business functions such as Manufacturing, Supply Chain
Management, Financials, Projects, Human Resources and Customer Relationship
Management.
An ERP system is based on a common database and a modular software design.
The common database can allow every department of a business to store and
retrieve information in real-time. The information should be reliable, accessible, and
easily shared. The modular software design should mean a business can select the
modules they need, mix and match modules from different vendors, and add new
modules of their own to improve business performance.
Ideally, the data for the various business functions are integrated. In practice, the
ERP system may comprise a set of discrete applications, each maintaining a discrete
data store within one physical database.
The term ERP originally referred to how a large organization planned to use
organization-wide resources. In the past, ERP systems were used in larger
industrial types of companies. However, the use of ERP has changed and is
extremely comprehensive; today the term can refer to any type of company, no
matter what industry it falls in. In fact, ERP systems are used in almost any type of
organization – large or small.
For a software system to be considered as ERP, it must provide an organization
with functionality for two or more systems. While some ERP packages exist that
cover only two functions for an organization, like QuickBooks: Payroll &
Accounting, most ERP systems cover several functions.
Today’s ERP systems can cover a wide range of functions and integrate them into
one unified database. For instance, functions such as Human Resources, Supply
Chain Management, Customer Relationship Management, Financials,
Manufacturing functions and Warehouse Management were all once stand-alone
software applications, usually housed with their own database and network; today,
they can all fit under one umbrella – the ERP system. Some of the well-known ERPs
in the market today include SAP, Oracle, MFG Pro, MS Axapta, etc.
An ERP System is a system which caters to all types of needs of an organization and
provides the right data at the right point of time to the right users for their purpose.
Hence, the definition of an ideal ERP system may change for each organization. But
generally, an ideal ERP system is a system where a single database is utilized and
contains all data for the various software modules. Fig. 2.2.9 shows different
departments connecting with each other through a central database.


Fig. 2.2.9: Different Departments connected through Central Database
(Accounts, Human Resource, Admin, Purchase, Marketing and Production all
connected to the CENTRAL DATABASE)


A Data Warehouse is a module that can be accessed by an organization’s customers,
suppliers and employees. It is a repository of an organization’s electronically stored
centralized data. Data warehouses are designed to facilitate reporting and analysis.
This classic definition of the data warehouse focuses on data storage.
The process of transforming data into information and making it available to the user
in a timely manner to make a difference is known as Data Warehousing. The means
to retrieve and analyze data, to extract, transform and load data, and to manage the
data dictionary are also considered essential components of a data warehousing
system. An expanded definition of data warehousing includes business intelligence
tools; tools to extract, transform, and load data into the repository; and tools to
manage and retrieve metadata. In contrast to data warehouses, operational
systems perform day-to-day transaction processing.
2.2.7 Benefits of an ERP System
♦ Information integration: The reason ERP systems are called integrated is
because they possess the ability to automatically update data between
related business functions and components. For example - one needs to
only update the status of an order at one place in the order-processing
system and all the other components will automatically get updated.
♦ Reduction of Lead-time: The elapsed time between placing an order and
receiving it is known as the Lead-time. ERP Systems, by virtue of their
integrated nature with many modules like Finance, Manufacturing, Material
Management, etc., and the use of the latest technologies like EFT (Electronic
Fund Transfer) and EDI (Electronic Data Interchange), reduce the lead times and
make it possible for organizations to have the items at the time they are
required.
♦ On-time Shipment: Since the different functions involved in the timely
delivery of the finished goods to the customers – purchasing, material
management, production, production planning, plant maintenance, sales
and distribution – are integrated and the procedures are automated, the
chances of errors are minimal and the production efficiency is high. Thus, by
integrating the various business functions and automating the procedures
and tasks, the ERP system ensures on-time delivery of goods to the
customers.
♦ Reduction in Cycle Time: The Cycle time is the time between placement of
the order and delivery of the product. In an ERP System, all the data,
updated to the minute, is available in the centralized database and all the
procedures are automated, so almost all these activities are done without
human intervention. This efficiency of the ERP systems helps in reducing the
cycle time.
♦ Improved Resource utilization: The efficient functioning of different
modules in the ERP system like manufacturing, material management, plant
maintenance, sales and distribution ensures that the inventory is kept to a
minimum level, the machine down time is minimum, the goods are
produced only as per the demand and the finished goods are delivered to
the customer in the most efficient way. Thus, the ERP systems help the
organization in drastically improving the capacity and resource utilization.
♦ Better Customer Satisfaction: Customer satisfaction means meeting or
exceeding customers' requirements for a product or service. With the help of
web-enabled ERP systems, customers can place an order, track the status of the
order and make the payment while sitting at home. Since all the details of the
product and the customer are available to the person at the technical support
department also, the company is able to better support the customer.
♦ Improved Supplier Performance: ERP systems provide vendor management
and procurement support tools designed to coordinate all aspects of the
procurement process. They support an organization in its efforts to effectively
negotiate, monitor and control procurement costs and schedules while
assuring superior product quality. The supplier management and control
processes comprise features that will help the organization in
managing supplier relations, monitoring vendor activities and managing
supplier quality.
♦ Increased Flexibility: ERP Systems help the companies to remain flexible by
making the company information available across the departmental barriers
and automating most of the processes and procedures, thus enabling the
company to react quickly to the changing market conditions.

♦ Reduced Quality Costs: Quality is defined in many different ways -
excellence, conformance to specifications, fitness for use, value for the price
and so on. An ERP System's central database eliminates redundant
specifications and ensures that a single change to standard procedures takes
effect immediately throughout the organization. It also provides tools for
implementing total quality management programs within an organization.
♦ Better Analysis and Planning Capabilities: Another advantage provided
by ERP Systems is the boost to the planning functions. By enabling the
comprehensive and unified management of related business functions such
as production, finance, inventory management etc. and their data; it
becomes possible to utilize fully many types of Decision Support Systems
(DSS) and simulation functions, what-if analysis and so on; thus, enabling
the decision-makers to make better and informed decisions.
♦ Improved information accuracy and decision-making capability: The
three fundamental characteristics of information are Accuracy, Relevancy
and Timeliness. The information needs to be accurate, relevant for the
decision-maker and available to the decision-makers when she/he requires
it. The strengths of ERP Systems - integration and automation - help in
improving the information accuracy and help in better decision-making.
♦ Use of Latest Technology: ERP packages are adapted to utilize the latest
developments in Information Technology such as open systems,
client/server technology, Cloud Computing, Mobile computing etc. It is this
adaptation of ERP packages to the latest changes in IT that makes the
flexible adaptation to changes in future development environments
possible.
Example 2.3: Table 2.2.7 provides some examples of Free and Open Source ERP
Software.
Table 2.2.7: Free and Open Source ERP software
1. Adempiere, a Java based ERP-System which started as a fork of Compiere
2. Compiere, a Java based ERP-System
3. Dolibarr, a PHP based ERP system
4. ERP5, a Python based ERP system
5. GNU Enterprise
6. GRR (software), a PHP/MySQL-based, web-accessed free ERP system
7. JFire, a Java based ERP-System from NightLabs
8. Kuali Foundation
9. LedgerSMB
10. OFBiz
11. OpenBlueLab
12. Openbravo, a Java based ERP-System
13. OpenERP (formerly Tiny ERP)
14. Opentaps (Java based)
15. OrangeHRM
16. Postbooks from XTuple
17. SQL-Ledger
18. Stoq
19. WebERP

2.3 RISKS AND CONTROLS IN AN ERP ENVIRONMENT
(The general discussion on “Risk, its Management and related controls for
various business processes” has been provided in Chapter – 1 of the study
material.)
The risks being discussed here are specific to ERP systems used.
2.3.1 Introduction
A major feature of an ERP System is its Central Database. As the complete data is
stored centrally at one place, ensuring safety of data and minimising the risk of
loss of data is a big challenge. In a Non-Integrated System, data is stored by each
department separately; hence the risk is low in such an environment. In an ERP
environment, two major risks are faced by any organization:
♦ Due to central database, all the persons in an organization access the same
set of data on a day to day basis. This again poses the risk of leakage of
information or access of information to non-related people. For example- A
person from sales department checking salary of a person in production.
♦ Again, as there is central database, all users shall use the same data for
recording of transactions. Hence, there is one more risk of putting incorrect
data in the system by unrelated users. For example- a person in Human
Resource Department recording a purchase order. This is a risk due to
central database only and controls are needed to minimise such type of
risks.

2.3.2 Risks and Controls related to ERP Implementation
ERP system implementation is a huge task and requires a lot of time, money and,
above all, patience. The success or failure of any ERP, measured in terms of
payback or ROI, is dependent on its successful implementation and, once
implemented, its proper usage.
Tables 2.3.1 (A, B, C, D and E) provide an extensive discussion of the risks related
to various aspects – People, Process, Technological, Implementation and
Post-implementation issues that arise during implementation – and the related
controls respectively.
1. People Aspect: Employees, Management, implementation team,
consultants and vendors are the most crucial factors that decide the success or
failure of an ERP System.
Table 2.3.1(A): Risks and corresponding Controls related to People

Aspect: Change Management
Risk Associated: Change will occur in the employee's job profile in terms of
some jobs becoming irrelevant and some new jobs being created.
Control Required: Proper training of the users with well documented manuals.
Practical hands-on training on the ERP System should be provided so that the
transition from the old system to the ERP system is smooth and hassle free.
Risk Associated: The way in which the organization functions will change; the
planning, forecasting and decision-making capabilities will improve,
information integration will happen, etc.
Control Required: It requires ensuring that a project charter or mission
statement exists. The project requirements are to be properly documented and
signed by the users and senior management.
Risk Associated: Changing the scope of the project is another problem.
Control Required: This requires clearly defining change control procedures
and holding everyone to them.

Aspect: Training
Risk Associated: Since the greater part of the training takes place towards
the end of the ERP implementation cycle, the management may curtail the
training due to increase in the overall cost budget.
Control Required: Training is a project-managed activity and shall be imparted
to the users in an organization by skilled consultants and representatives of
the hardware and package vendors.

Aspect: Staff Turnover
Risk Associated: As the overall system is integrated and connected with every
other department, it becomes complicated and difficult to understand.
Employee turnover – qualified and skilled personnel leaving the company –
during the implementation and transition phases can affect the schedules and
result in delayed implementation and cost overrun.
Control Required: This can be controlled and minimized by allocation of
employees to tasks matching their skill-set and fixing of compensation package
and other benefits accordingly, thus keeping the employees happy and contented
and minimizing the staff turnover.

Aspect: Top Management Support
Risk Associated: ERP implementation will fail if the top management does not
provide the support and grant permission for the availability of the huge
resources that are required during the transition.
Control Required: The ERP implementation shall be started only after the top
management is fully convinced and assured of providing the full support.

Aspect: Consultants
Risk Associated: These are experts in the implementation of the ERP package
and might not be familiar with the internal workings and organizational
culture.
Control Required: The consultants should be assigned a liaison officer – a
senior manager – who can familiarize them with the company and its working.

2. Process Aspect: One of the main reasons for ERP implementation is to
improve, streamline and make the business process more efficient, productive and
effective.
Table 2.3.1(B): Risks and corresponding Controls related to Processes

Aspect: Program Management
Risk Associated: There could be a possibility of an information gap between
day-to-day program management activities and ERP-enabled functions like
materials and procurement planning, logistics and manufacturing.
Control Required: This requires bridging the information gap between
traditional ERP-based functions and high value operational management
functions; such applications can provide reliable real-time information
linkages to enable high-quality decision making.

Aspect: Business Process Reengineering (BPR)
Risk Associated: BPR means not just change – but dramatic change and dramatic
improvements.
Control Required: This requires overhauling of organizational structures,
management systems, job descriptions, performance measurements, skill
development, training and use of IT.
3. Technological Aspect: Organizations implementing ERP systems should
keep abreast of the latest technological developments and their implementation,
which is required to survive and thrive.
Table 2.3.1(C): Risks and corresponding Controls related to Technological Aspect

Aspect: Software Functionality
Risk Associated: ERP systems offer a myriad of features and functions;
however, not all organizations require that many features. Implementing all
the functionality and features just for the sake of it can be disastrous for
an organization.
Control Required: Care should be taken to incorporate the features that are
required by the organization and to support additional features and
functionality that might be required at a future date.

Aspect: Technological Obsolescence
Risk Associated: With the advent of more efficient technologies every day, the
ERP system also becomes obsolete as time goes on.
Control Required: This requires critical choice of technology, architecture of
the product, ease of enhancements, ease of upgrading and quality of vendor
support.

Aspect: Enhancement and Upgrades
Risk Associated: ERP Systems are not upgraded and kept up-to-date. Patches and
upgrades are not installed and the tools are underutilised.
Control Required: Care must be taken while selecting the vendor, and
upgrade/support contracts should be signed to minimize the risks.

Aspect: Application Portfolio Management
Risk Associated: These processes focus on the selection of new business
applications and the projects required in delivering them.
Control Required: By bringing to light the sheer number of applications in the
current portfolio, IT organizations can begin to reduce duplication and
complexity.

4. Implementation Aspect: Many times, ERP implementations are withdrawn
because of the following factors.
Table 2.3.1(D): Risks and corresponding Controls related to Implementation Aspect

Aspect: Lengthy implementation time
Risk Associated: ERP projects are lengthy, taking anywhere between 1 to 4
years depending upon the size of the organization. Due to technological
developments happening every day, the business and technological environment
at the start and at the completion of the project will never be the same.
Employee turnover is another problem.
Control Required: Care must be taken to keep the momentum high and enthusiasm
alive amongst the employees, so as to minimize the risk.

Aspect: Insufficient Funding
Risk Associated: The budget for ERP implementation is generally allocated
without consulting experts and then implementation is stopped along the way,
due to lack of funds.
Control Required: It is necessary to allocate the necessary funds for the ERP
implementation project and then allocate some more for contingencies.

Aspect: Data Safety
Risk Associated: As there is only one set of data, if this data is lost, the
whole business may come to a standstill.
Control Required: Back up arrangement needs to be very strong. Also, strict
physical control is needed for data.

Aspect: Speed of Operation
Risk Associated: As data is maintained centrally, gradually the data size
becomes more and more and it may reduce the speed of operation.
Control Required: This can be controlled by removing redundant data, using
techniques like data warehousing and updating hardware on a continuous basis.

Aspect: System Failure
Risk Associated: As everybody is connected to a single system and central
database, in case of failure of the system, the whole business may get
affected badly.
Control Required: This can be controlled and minimized by having proper and
updated back up of data as well as alternate hardware / internet arrangements.
In case of failure of the primary system, the secondary system may be used.

Aspect: Data Access
Risk Associated: Data is stored centrally and all the departments access the
central data. This creates a possibility of access to non-relevant data.
Control Required: Access rights need to be defined very carefully and to be
given on "Need to know" and "Need to do" basis only.

5. Post Implementation Aspect: ERP operation and maintenance require a
lifelong commitment by the company management and users of the system.
Table 2.3.1(E): Risks and corresponding Controls related to Post-implementation Aspect

Aspect: Lifelong commitment
Risk Associated: Even after the ERP implementation, there will always be new
modules/versions to install, new persons to be trained, new technologies to be
embraced, refresher courses to be conducted and so on.
Control Required: This requires a strong level of commitment and consistency
by the management and users of the system.

2.3.3 Role Based Access Control (RBAC) in ERP System
In computer systems security, Role-Based Access Control is an approach to
restricting system access to authorized users. RBAC, sometimes referred to as
Role-Based Security, is a policy-neutral access control mechanism defined around
roles and privileges that gives employees access rights only to the
information they need to do their jobs and prevents them from accessing
information that doesn't pertain to them. It is used by most enterprises and can
implement Mandatory Access Control (MAC) or Discretionary Access Control
(DAC).

• MAC criteria are defined by the system administrator, strictly enforced by
the Operating System and are unable to be altered by end users. Only users
or devices with the required information security clearance can access
protected resources. A central authority regulates access rights based on
multiple levels of security. Organizations with varying levels of data
classification, like government and military institutions, typically use MAC to
classify all end users.

• DAC involves physical or digital measures and is less restrictive than other
access control systems as it offers individuals complete control over the
resources they own. The owner of a protected system or resource sets
policies defining who can access it.

The components of RBAC such as role-permissions, user-role and role-role
relationships make it simple to perform user assignments. RBAC can be used to
facilitate administration of security in large organizations with hundreds of users
and thousands of permissions. Roles for staff are defined in organization and
permission to access a specific system or perform certain operation is defined “As
per the Role assigned”. For example- a junior accountant in accounting
department is assigned a role of recording basic accounting transactions and an
executive in human resource department is assigned a role of gathering data for
salary calculations on monthly basis, etc.

Types of Access

While assigning access to Master Data, Transaction Data and Reports to different
users, the following options are possible.

(i) Create – Allows to create data;

(ii) Alter – Allows to alter data;

(iii) View – Allows only to view data; and

(iv) Print – Allows to print data.

Example 2.4: Let us consider a small case study for better understanding of Role
Based Access and Controls in Financial and Accounting Systems. Indradhanu
Consulting Private Limited, a company dealing in project management, has
different users as given in Table 2.3.2 below.

Table 2.3.2: Users Database of Indradhanu Consulting Private Limited (Illustrative)

1. Swapnil Ghate, Director
   Allow access to: Complete access to all the reports, masters and transactions
   but limited to viewing purpose only. No need to give any alteration or
   creation access.
   Dis-allow access to: Creation / Alteration.
2. CA. Pankaj Deshpande, CFO
   Allow access to: Same as Director but in some cases, creation or alteration
   access to masters and transactions may be given.
   Dis-allow access to: Creation / Alteration (with few exceptions).
3. Mayura Rahane, Head HR
   Allow access to: Full access to all HR related masters and transactions, e.g.
   creation and alteration of employees, pay heads, salary structures, leave types
   etc.; creation and alteration of leave and salary calculations etc.
   Dis-allow access to: All non-related masters, transactions and reports.
4. Amit Shriwas, Head- Accounts
   Allow access to: Full access to all accounting masters, transactions and reports.
   Dis-allow access to: All non-related masters, transactions and reports.
5. Sachi Dongre, Accountant
   Allow access to: Only voucher entry and viewing accounting master data.
   Dis-allow access to: Reports like Balance Sheet, Profit & Loss; access to
   ledger creation or alteration.
6. Tanushree Daware, Head- Marketing
   Allow access to: Full access to customer master data, transaction history and
   purchase habits of customers may be given. Only view access for sales data.
   Dis-allow access to: All non-related masters, transactions and reports.
7. Sujay Kalkotwar, Manager- Taxation
   Allow access to: Full access to taxation reports and tax related transactions.
   Access to Balance Sheet and Profit & Loss Account is also needed as tax
   figures affect these reports.
   Dis-allow access to: All non-related masters, transactions and reports.
8. Aditi Kurhekar, Head- Purchases
   Allow access to: Full access to Purchase Order, Goods Receipt Note and
   Purchase Vouchers should be given. View access to vendor master data is also
   needed.
   Dis-allow access to: All non-related masters, transactions and reports.
9. Gayatri Rathod, Data Entry Operator
   Allow access to: Very limited access should be given.
   Dis-allow access to: Access to accounting master data creation or alteration;
   access to reports like Balance Sheet, Profit & Loss Account.
10. Sanjay Somkuwar, Cashier
   Allow access to: Cash payment and cash receipt vouchers only.
   Dis-allow access to: All master and transaction data (other than cash);
   backdated voucher entry.
11. Surbhee Chincholkar, Stores Incharge
   Allow access to: Creation and alteration of inventory master data, inventory
   transactions, inventory reports, etc.
   Dis-allow access to: All non-related masters, transactions and reports.
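The role model of Table 2.3.2 and the four access types of section 2.3.3 (Create, Alter, View, Print), written out as an added Python example that is not code from the study material. The object names, the user-to-role mapping and the permission matrix are constructed from a subset of the table; anything not granted is denied, which is the "need to know" / "need to do" rule, and every decision is logged so the risk examples of 2.3.1 (a marketing head reading HR data, an HR head recording a purchase order) leave an audit trail.

```python
"""Role-based access control for an accounting system, modelled on Table 2.3.2.

Added example, not part of the study material. Object names such as
"hr_masters" or "cash_vouchers", the user-to-role mapping and the permission
matrix are constructed from a subset of the table. Deny by default.
"""

# The four access types named in the text.
ACCESS_TYPES = frozenset({"create", "alter", "view", "print"})
FULL = ACCESS_TYPES

# Role -> {protected object: set of access types}. Anything absent is denied.
ROLE_PERMISSIONS = {
    "Director": {                       # everything, but viewing only
        "accounting_masters": {"view", "print"},
        "accounting_transactions": {"view", "print"},
        "hr_masters": {"view", "print"},
        "balance_sheet": {"view", "print"},
        "profit_and_loss": {"view", "print"},
    },
    "Head HR": {"hr_masters": FULL, "salary_calculations": FULL},
    "Head- Marketing": {"customer_masters": FULL, "sales_data": {"view"}},
    "Accountant": {                     # voucher entry; ledgers view-only
        "accounting_transactions": {"create", "view"},
        "accounting_masters": {"view"},
    },
    "Cashier": {"cash_vouchers": {"create", "view"}},
    "Head- Purchases": {
        "purchase_orders": FULL, "goods_receipt_notes": FULL,
        "purchase_vouchers": FULL, "vendor_masters": {"view"},
    },
}

# User -> role (constructed subset of Table 2.3.2).
USER_ROLES = {
    "Swapnil Ghate": "Director",
    "Mayura Rahane": "Head HR",
    "Tanushree Daware": "Head- Marketing",
    "Sachi Dongre": "Accountant",
    "Sanjay Somkuwar": "Cashier",
    "Aditi Kurhekar": "Head- Purchases",
}


def is_allowed(user, access, obj):
    """Decide one request. Unknown user, role, object or access type is denied."""
    if access not in ACCESS_TYPES:
        return False
    role = USER_ROLES.get(user)
    if role is None:
        return False
    return access in ROLE_PERMISSIONS.get(role, {}).get(obj, set())


def check_access(user, access, obj, audit_log):
    """Decide and record the decision. The log is the audit trail that the
    ERP audit questions in section 2.4 ask for."""
    decision = is_allowed(user, access, obj)
    audit_log.append({"user": user, "role": USER_ROLES.get(user),
                      "access": access, "object": obj, "allowed": decision})
    return decision


def denied_attempts(audit_log):
    """Entries an auditor reviews first: every refused request."""
    return [entry for entry in audit_log if not entry["allowed"]]


def role_report(role):
    """Objects and access types a role holds, for a periodic access-rights review."""
    return {obj: sorted(kinds) for obj, kinds in ROLE_PERMISSIONS.get(role, {}).items()}


if __name__ == "__main__":
    log = []
    check_access("Tanushree Daware", "view", "hr_masters", log)      # denied
    check_access("Mayura Rahane", "create", "purchase_orders", log)  # denied
    check_access("Sachi Dongre", "create", "accounting_transactions", log)  # allowed
    for entry in log:
        print(entry)
```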

2.4 AUDIT OF ERP SYSTEMS
The fundamental objectives of audit of controls do not change in an ERP
environment. When evaluating controls over ERP systems, decisions must be
made regarding the relevance of operational internal control procedures to
Information Technology (IT) controls. Specific control procedures for audit
objectives must be tested. ERP systems should produce accurate, complete, and
authorized information that is supportable and timely. In a computing
environment, this is accomplished by a combination of controls in the ERP
System, and controls in the environment in which the ERP system operates,
including its operating system. Controls are divided into General Controls and
Application Controls.
• General Controls include controls over Information Technology
management controls addressing the information technology oversight
process; Information Technology infrastructure, security management and
software acquisition; monitoring and reporting information technology
activities; business improvement initiatives; and development and
maintenance. These controls apply to all systems − from mainframe to
client/server to desktop computing environments. General controls can be
further divided into Management Controls and Environmental Controls.
o Management Controls deal with organizations, policies, procedures,
planning, and so on.
o Environmental Controls are the operational controls administered
through the computer centre/computer operations group and the
built-in operating system controls.
• Application Controls pertain to the scope of individual business processes
or application systems. Individual applications may rely on effective
operation of controls over information systems to ensure that interface data
are generated when needed, supporting applications are available and
interface errors are detected quickly.
Some of the questions auditors should ask during an ERP audit are pretty much the
same as those that should be asked during development and implementation of the
system:
♦ Does the system process as per GAAP (Generally Accepted Accounting
Principles) and GAAS (Generally Accepted Auditing Standards)?
♦ Does it meet the needs for reporting, whether regulatory or organizational?

♦ Were adequate user requirements developed through meaningful interaction?
♦ Does the system protect confidentiality and integrity of information assets?
♦ Does it have controls to process only authentic, valid, accurate transactions?
♦ Are effective system operations and support functions provided?
♦ Are all system resources protected from unauthorized access and use?
♦ Are user privileges based on what is called “role-based access?”
♦ Is there an ERP system administrator with clearly defined responsibilities?
♦ Is the functionality acceptable? Are user requirements met? Are users
happy?
♦ Have workarounds or manual steps been required to meet business needs?
♦ Are there adequate audit trails and monitoring of user activities?
♦ Can the system provide management with suitable performance data?
♦ Are users trained? Do they have complete and current documentation?
♦ Is there a problem-escalation process?
Auditing aspects in case of any ERP system can be summarized as under:
(i) Auditing of Data
• Physical Safety – Ensuring physical control over data.
• Access Control – Ensuring access to the system is given on “need to
know” (a junior accountant need not view Profit & Loss Account of the
business) and “need to do basis” (HR executive need not record a
Purchase Order).
(ii) Auditing of Processes
• Functional Audit – This includes testing of different functions /
features in the system and testing of the overall process or part of a
process in the system and its comparison with the actual process, for
example, Purchase Process, Sales Process, Salary Calculation Process,
Recruitment Process, etc. The auditor may check this process in the system
and compare it with the actual process. It is quite possible that not all the
aspects present in the actual process are integrated in the ERP
system; there may be some manual intervention.
• Input Validations – This stands for checking of rules for input of data
into the system. For example, a transaction of cash sales on the sales
counter must not be recorded with a date other than today (not a future
date or a back date), the amount field must not be zero, the stock item field
shall not be empty, etc. Input validations shall change according to
each data input form.
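The three cash-sales rules just stated, written out as an added Python example that is not code from the study material. The field names ("date", "amount", "stock_item") and the rule-table layout are assumptions; it generalises the closing sentence by keeping a separate rule list per input form, and it additionally rejects negative amounts, which the text does not mention.

```python
"""Per-form input validation, with the cash-sales counter rules of the text.

Added example, not from the study material. Field names and the second form
("cash_receipt") are constructed; the text gives rules only for cash sales.
"""
from datetime import date


def _is_today(value, today):
    """Date must be today: neither a future date nor a back date."""
    if not isinstance(value, date):
        return "missing or not a date"
    if value > today:
        return "future date not allowed"
    if value < today:
        return "back-dated entry not allowed"
    return None


def _nonzero_amount(value, today):
    """Amount must be a number and must not be zero (negative added as an extra rule)."""
    # bool is a subclass of int in Python, so it is excluded explicitly.
    if isinstance(value, bool) or not isinstance(value, (int, float)):
        return "missing or not a number"
    if value == 0:
        return "must not be zero"
    if value < 0:
        return "must not be negative"   # added rule, not stated in the text
    return None


def _nonempty_text(value, today):
    """Text field must be present and not just whitespace."""
    if not isinstance(value, str) or not value.strip():
        return "must not be empty"
    return None


# One rule list per data input form: (field name, checker). Adding a form
# means adding a key here; the validator itself does not change.
FORM_RULES = {
    "cash_sale": [
        ("date", _is_today),
        ("amount", _nonzero_amount),
        ("stock_item", _nonempty_text),
    ],
    "cash_receipt": [          # constructed form; a cashier may not back-date it
        ("date", _is_today),
        ("amount", _nonzero_amount),
    ],
}


def validate(form, record, today=None):
    """Return a list of "field: problem" strings; an empty list means the record passes."""
    today = today or date.today()
    rules = FORM_RULES.get(form)
    if rules is None:
        return [f"form: unknown input form '{form}'"]
    errors = []
    for field, checker in rules:
        problem = checker(record.get(field), today)
        if problem:
            errors.append(f"{field}: {problem}")
    return errors


if __name__ == "__main__":
    sample = {"date": date.today(), "amount": 0, "stock_item": "  "}
    print(validate("cash_sale", sample))
```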

2.5 ERP CASE STUDY OF A CHARTERED ACCOUNTANT FIRM
As everybody is familiar with the working environment in a Chartered Accountant
(CA) firm, let us consider the possibility of implementing an ERP system in a CA Firm.
Example 2.5: Nirman Infrastructures Pvt. Ltd., a client of Ghate Deshpande & Co.
(a CA Firm), receives a notice for scrutiny assessment from the Income Tax
Department. Following are the events in the normal case.
(i) Client informs about receipt of notice to CA. Pankaj Deshpande (Partner) on
phone and sends the copy of notice to CA Firm.
(ii) Notice is received at CA firm, read and understood. A task for giving reply
to Income Tax Department is allotted to Sachi Dongre, an article clerk.
(iii) Sachi asks for some original documents (PAN, Memorandum of Articles,
Agreements etc.) from client for working. These documents need to be
returned to client after the work.
(iv) Sachi works on this task, prepares the reply and submits it with Income Tax
Department. Also, she updates CA. Pankaj Deshpande about it.
(v) Bill is prepared by Mayura and approved by CA. Pankaj Deshpande.
(vi) Bill is submitted with client.
(vii) Documents are returned to client.
(viii) Cheque received from client against the bill submitted.
(ix) Receipt is recorded in books of accounts.
This is how a simple case is handled in a CA Firm. Let us now discuss important
points regarding this case. In case of any ERP System, two aspects are very
important – Communication (Internal and External) and Documentation.
Refer Fig. 2.5.1 to understand the workflow of CA Firm using Integrated System.
♦ Communication in this case starts from the client.
♦ Instead of the client calling his CA, he should put the information as a service
request in the central database maintained by the CA Firm.
♦ As soon as a service request is put by the client into the system, one or more
partners should be informed by the system about the new service request.
♦ The partner shall convert this request into a task and allot it to one of the
assistants.
♦ On allotment of the task to the assistant, the client must be updated about this
task allotment.
♦ The article assistant shall contact the client for the information required for
the work.
♦ The client shall submit the documents through the system and update the
information in the central database.
♦ The article shall complete the work and send it for approval of his boss.
♦ After approval of the article's work, the client shall be automatically informed
about it through the system only.
♦ Information shall be passed on to the accounts department for preparation of
the bill for this assignment.
♦ The bill shall be raised from the system and sent to the client through email.
♦ The client shall pay the fees and the receipt is recorded in the same system.

[Figure: Nirman (Client), CA. Pankaj (Partner), Sachi (Article) and Mayura
(Accountant), linked by the flows Task Allotment, Task Reporting and Request
for Billing]

Fig. 2.5.1: Example 2.5 of a CA Firm Workflow

In this whole process, two important aspects, i.e. Communication and
Documentation, are taken care of in the best possible manner. Instead of
persons communicating with each other, the system communicates automatically
after every update. Fig. 2.5.2 shows different people connected to the central
database. In the case of an Integrated System, there is only one system of
communication with others. But in the case of a non-integrated system, people
use multiple modes of communication like making a phone call, sending SMS,
Email, WhatsApp or a personal meeting. The major problem with these multiple
options is that there is no inter-connectivity between these modes and hence a
track of the overall process is not available.

[Figure: Partner, Accountant, Client, Admin and Article, each connected to the
CENTRAL DATABASE]

Fig. 2.5.2: Different people connected to Central Database

2.6 BUSINESS PROCESS MODULES AND THEIR INTEGRATION WITH FINANCIAL AND
ACCOUNTING SYSTEMS
2.6.1 What is a Business Process?
A Business Process consists of a set of activities that are performed in
coordination in an organizational and technical environment. These activities
jointly realize a business goal. Each business process is enacted by a single
organization, but it may interact with business processes performed by other
organizations. To manage a process-
♦ The first task is to define it. This involves defining the steps (tasks) in the
process and mapping the tasks to the roles involved in the process.
♦ Once the process is mapped and implemented, performance measures can
be established. Establishing measurements creates a basis to improve the
process.
♦ The last piece of the process management definition describes the
organizational setup that enables the standardization and adherence to
the process throughout the organization. Assigning enterprise process
owners and aligning employees’ performance reviews and compensation to
the value creation of the processes could accomplish this.
Process management is based on a view of an organization as a system of
interlinked processes which involves concerted efforts to map, improve and
adhere to organizational processes; whereas traditional organizations are
composed of departments and functional stages, this definition views
organization as networks or systems of processes. Process orientation is at the
core of BPM. Hence, it is important to understand clearly the distinction
between traditional functional organizations and process organizations.
2.6.2 Business Process Flow
As discussed earlier, a Business Process is a prescribed sequence of work steps
performed to produce a desired result for an organization. A business process is
initiated by a kind of event, has a well-defined beginning and end, and is usually
completed in a relatively short period. Organizations have many different
business processes such as completing a sale, purchasing raw materials, paying
employees and vendors, etc. Each of the business processes has either a direct or
indirect effect on the financial status of the organization. The number and type of
business processes and how the processes are performed would vary across
enterprises and is also impacted by automation. However, most of the common
processes would follow a generic life cycle.
Example 2.6: Accounting Process Flow
Accounting or Book-keeping cycle covers the business processes involved in
recording and processing accounting events of a company. It begins when a
transaction or financial event occurs and ends with its inclusion in the financial
statements. A typical life cycle of an accounting transaction may include the
following stages as depicted in Fig. 2.6.1:

Fig. 2.6.1 shows the accounting process as a cycle: Source Document → Journal →
Ledger → Trial Balance → Adjustments → Adjusted Trial Balance → Closing Entries →
Financial Statement.

Fig. 2.6.1: Accounting Process Flow

(a) Source Document: A document that captures data from transactions and events.
(b) Journal: Transactions are recorded into journals from the source document.
(c) Ledger: Entries are posted to the ledger from the journal.
(d) Trial Balance: Unadjusted trial balance containing totals from all account
heads is prepared.
(e) Adjustments: Appropriate adjustment entries are passed.
(f) Adjusted Trial balance: The trial balance is finalized post adjustments.
(g) Closing Entries: Appropriate entries are passed to transfer accounts to
financial statements.
(h) Financial statement: The accounts are organized into the financial statements.
(Many examples like Order to Cash Process Flow (O2C) and Procure to Pay Process
Flow (P2P) have already been discussed in detail in Chapter 1 of the study
material).
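The eight steps above carried through in code, as an added illustration that is not the study material's own (the accounts, source document references and amounts are constructed): journal entries are validated and posted to a ledger, the trial balance is taken before and after an adjustment, and closing entries transfer the result to retained earnings.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Account classifications: assets and expenses carry debit balances, the rest credit.
ASSET, LIABILITY, EQUITY, REVENUE, EXPENSE = "asset", "liability", "equity", "revenue", "expense"


@dataclass
class JournalEntry:
    source_doc: str                     # step (a): reference to the source document
    lines: List[Tuple[str, int, int]]   # (account, debit, credit) in whole currency units
    adjusting: bool = False             # step (e) entries are flagged for the audit trail

    def is_balanced(self) -> bool:
        return sum(d for _, d, _ in self.lines) == sum(c for _, _, c in self.lines)


class Books:
    def __init__(self, chart: Dict[str, str]) -> None:
        self.chart = chart                                # account -> classification
        self.journal: List[JournalEntry] = []             # step (b)
        self.ledger: Dict[str, int] = defaultdict(int)    # step (c): debit (+) / credit (-)

    def post(self, entry: JournalEntry) -> None:
        # Input controls: unknown accounts and unbalanced entries are rejected before
        # anything reaches the ledger, so the trial balance can never fall out of agreement.
        unknown = [a for a, _, _ in entry.lines if a not in self.chart]
        if unknown:
            raise ValueError(f"{entry.source_doc}: accounts not in chart {unknown}")
        if not entry.is_balanced():
            raise ValueError(f"{entry.source_doc}: debits do not equal credits")
        self.journal.append(entry)
        for account, debit, credit in entry.lines:
            self.ledger[account] += debit - credit

    def trial_balance(self) -> Dict[str, Tuple[int, int]]:
        # steps (d) and (f): every non-zero account shown on its debit or credit side
        return {a: ((b, 0) if b > 0 else (0, -b)) for a, b in self.ledger.items() if b != 0}

    def trial_balance_totals(self) -> Tuple[int, int]:
        tb = self.trial_balance()
        return sum(d for d, _ in tb.values()), sum(c for _, c in tb.values())

    def close_books(self, retained_earnings: str) -> int:
        # step (g): transfer revenue and expense balances to retained earnings and
        # return the net profit (positive) or loss (negative) so transferred
        lines = []
        for account, cls in self.chart.items():
            bal = self.ledger[account]
            if cls in (REVENUE, EXPENSE) and bal != 0:
                lines.append((account, -bal, 0) if bal < 0 else (account, 0, bal))
        profit = sum(d for _, d, _ in lines) - sum(c for _, _, c in lines)
        lines.append((retained_earnings, 0, profit) if profit >= 0 else (retained_earnings, -profit, 0))
        self.post(JournalEntry("CLOSING", lines))
        return profit

    def balance_sheet(self) -> Dict[str, int]:
        # step (h): after closing, only assets, liabilities and equity remain open
        return {a: b for a, b in self.ledger.items()
                if b != 0 and self.chart[a] in (ASSET, LIABILITY, EQUITY)}


def run_cycle() -> dict:
    """One constructed accounting period carried through steps (a) to (h)."""
    books = Books({"Cash": ASSET, "Accounts Receivable": ASSET, "Salaries Payable": LIABILITY,
                   "Share Capital": EQUITY, "Retained Earnings": EQUITY,
                   "Sales": REVENUE, "Rent Expense": EXPENSE, "Salary Expense": EXPENSE})
    # (a) to (c): constructed source documents journalised and posted to the ledger
    books.post(JournalEntry("BANK-DEP-1", [("Cash", 10000, 0), ("Share Capital", 0, 10000)]))
    books.post(JournalEntry("SALES-INV-101", [("Accounts Receivable", 5000, 0), ("Sales", 0, 5000)]))
    books.post(JournalEntry("RENT-RCPT-7", [("Rent Expense", 3000, 0), ("Cash", 0, 3000)]))
    unadjusted = books.trial_balance_totals()                                 # (d)
    # (e): period-end adjustment for salaries earned but not yet paid
    books.post(JournalEntry("ADJ-SAL-1", [("Salary Expense", 1200, 0), ("Salaries Payable", 0, 1200)],
                            adjusting=True))
    adjusted = books.trial_balance_totals()                                   # (f)
    profit = books.close_books("Retained Earnings")                           # (g)
    debits, credits = books.trial_balance_totals()
    return {"unadjusted": unadjusted, "adjusted": adjusted, "profit": profit,
            "balance_sheet": books.balance_sheet(),                           # (h)
            "post_closing_agrees": debits == credits}
```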

2.6.3 ERP - Business Process Modules (BPM)


A. Business Categories of BPM
Businesses operated with the purpose of earning profit are of three different
natures and types. Each type of business has distinctive features.
• Trading Business – Trading simply means buying and selling goods as they are,
without any modification. Hence, inventory accounting is a major aspect in
this case, and purchase and sales transactions cover a major portion of the
accounting. This industry requires accounting as well as inventory modules.
• Manufacturing Business – This type of business includes all aspects of a
trading business plus the additional aspect of manufacturing. Manufacturing is
simply buying raw material, changing its form and selling it, as in trading.
Here also, inventory accounting plays a major role. This type of industry
requires accounting and complete inventory modules along with a
manufacturing module.
• Service Business – This type of business does not have any inventory. It is
the selling of skills/knowledge/efforts/time. For example, Doctors, Architects
and Chartered Accountants are professionals in the service business. There
are other types of service business too, e.g. courier business, security
services, etc. This industry does not require an inventory module.

B. Functional Modules of ERP


Business process may change as per type of business. There may be different
business units within a business. Hence, different modules are possible in an
integrated system. There may be modules defined as under. Fig. 2.6.2 shows
different business process modules in ERP System. There may be some other
modules also. Different types of industries require different modules.

Fig. 2.6.2 arranges the modules around a central "ERP MODULES" hub: a. Financial
Accounting; b. Controlling; c. Sales & Distribution; d. Human Resource;
e. Production Planning; f. Materials Management; g. Quality Management; h. Plant
Maintenance; i. Project Systems; j. Supply Chain; k. CRM.

Fig. 2.6.2: ERP Modules


a. Financial Accounting Module
This module is the most important module of the overall ERP System and it connects
all the modules to each other. Every module is somehow connected with this module.
The key features of this module are as under:
♦ Tracking of flow of financial data across the organization in a controlled
manner and integrating all the information for effective strategic decision
making.
♦ Creation of Organizational Structure (Defining Company, Company Codes,
business Areas, Functional Areas, Credit Control, Assignment of Company
Codes to Credit Controls).

♦ Financial Accounting Global Settings (Maintenance of Fiscal Year, Posting
Periods, Defining Document types, Posting keys, Number ranges for
documents).
♦ General Ledger Accounting (Creation of Chart of Accounts, Account groups,
Defining data transfer rules, Creation of General Ledger Account).
♦ Tax Configuration & Creation and Maintenance of House of Banks.
♦ Accounts Payable, Accounts Receivable, Fixed Assets, General Ledger and Cash
Management, etc. (Creation of Vendor Master data and vendor-related finance
attributes like account groups and payment terms).
♦ Accounts Receivable (Creation of Customer Master data and customer-related
finance attributes like account groups and payment terms).
♦ Asset Accounting.
♦ Integration with Sales and Distribution and Materials Management.
b. Controlling Module
This module facilitates coordinating, monitoring, and optimizing all the processes in
an organization. It controls the business flow in an organization. This module helps in
comparing actual figures with planned data and in planning business
strategies. Two kinds of elements are managed in Controlling Module − Cost
Elements and Revenue Elements. These elements are stored in the Financial
Accounting module.
Key features of this module are as under:
• Cost Element Accounting: This component provides an overview of the costs and
revenues that occur in an organization. The cost elements are the basis for cost
accounting and enable the user to display costs for each of the accounts that
have been assigned to the cost element. Examples of accounts that can be
assigned are Cost Centres, Internal Orders and WBS (Work Breakdown
Structures).
• Cost Centre Accounting: This provides information on the costs incurred by
the business. Cost Centres can be created for such functional areas as
Marketing, Purchasing, Human Resources, Finance, Facilities, Information
Systems, Administrative Support, Legal, Shipping/Receiving, or even Quality.
Some of the benefits of Cost Centre Accounting are that managers can set
budget / Cost Centre targets, plan, apply cost allocation methods, and assess /
distribute costs to other cost objects.

• Activity-Based-Accounting: This analyses cross-departmental business processes
and allows for a process-oriented and cross-functional view of the cost centres.
• Internal Orders: Internal Orders provide a means of tracking costs of a specific
job, service, or task. These are used as a method to collect those costs and
business transactions related to the task. This level of monitoring can be very
detailed, but it allows management to review Internal Order activity for better
decision-making purposes.
• Product Cost Controlling: This calculates the costs that occur during the
manufacture of a product or provision of a service and allows management to
analyse their product costs and to make decisions on the optimal price(s) at
which to market their products.
• Profitability Analysis: This allows the management to review information with
respect to the company’s profit or contribution margin by individual market
segment.
• Profit Centre Accounting: This evaluates the profit or loss of individual,
independent areas within an organization.
c. Sales and Distribution Module
Sales and Distribution is one of the most important modules that has a high level of
integration complexity. Sales and Distribution is used by organizations to support
sales and distribution activities of products and services, starting from enquiry to
order and then ending with delivery.

Fig. 2.6.3 shows the flow: Pre-Sales Activities → Sales Order Processing →
Inventory Sourcing → Delivery → Billing → Payment.

Fig. 2.6.3: Sales and Distribution activities with ERP


Sales and Distribution can monitor a plethora of activities that take place in an
organization such as product enquiries, quotations (pre-sales activities), placing
orders, pricing, scheduling deliveries (sales activities), picking, packing, goods
issue, shipment of products to customers, delivery of products and billing. In all
these processes, multiple modules are involved, such as FA (Finance & Accounting),
CO (Controlling), MM (Material Management), PP (Production Planning), LE (Logistics
Execution), etc., which shows the complexity of the integration involved.
Key features of Sales and Distribution Module are discussed as under:
♦ Setting up Organization Structure: Creation of new company, company
codes, sales organization, distribution channels, divisions, business area, plants,
sales area, maintaining sales offices, storage location;
♦ Assigning Organizational Units: Assignment of individual components created in
the above activities with each other per design like company code to company, sales
organization to company code, distribution channel to sales organization, etc.;
♦ Defining Pricing Components: Defining condition tables, condition types,
condition sequences;
♦ Setting up sales document types, billing types, and tax-related components; and
♦ Setting up Customer master data records and configuration.
Sales and Distribution Process (Referring Fig. 2.6.3)
♦ Pre-Sales Activities: Include prospecting of customers, identifying prospective
customers, gathering data, contacting them and fixing appointments, showing
demo, discussion, submission of quotations, etc.
♦ Sales Order: A sales order is recorded in our books after getting a confirmed
purchase order from our customer. The sales order shall contain details just like
the purchase order, for example: Stock Item Details, Quantity, Rate, Due Date of
Delivery, Place of Delivery, etc.
♦ Inventory Sourcing: It includes making arrangements before delivery of
goods; ensuring goods are ready and available for delivery.
♦ Material Delivery: Material is delivered to the customer as per sales order. All
inventory details are copied from Sales Order to Material Delivery for saving
user’s time and efforts. This transaction shall have a linking with Sales Order.
Stock balance shall be reduced on recording of this transaction.
♦ Billing: This is the transaction of raising an invoice against the delivery of
material to the customer. This transaction shall have a linking with Material
Delivery and all the details shall be copied from it. Stock balance shall not be
affected again.

♦ Receipt from Customer / Payment: This is the transaction of receiving an amount
from the customer against the sales invoice and shall have a linking with the
sales invoice.
d. Human Resource (HR) Module
This module enhances the work process and data management within the HR department
of an enterprise. Right from hiring a person to evaluating performance, managing
promotions and compensation, handling payroll and other related HR activities, all
are processed using this module. It manages the details and the task flow relating
to the most important resource of an organization, i.e. its human resources.
The most important objective of master data administration in Human Resources is
to enter employee-related data for administrative, time-recording, training and
payroll purposes. The Payroll and Personnel departments deal with the Human
Resources of the organization. This department maintains the total employee
database. Wage, time and attendance related information comes to this department.
They also prepare the wage sheet for workmen and handle Provident Fund and ESI
related formalities. This is perhaps the only module which exchanges very little
information with other modules.
Manpower, its requirement and its utilization, is one of the major determinants of
profit for an organization. So, in this regard, every aspect of the business
transactions is taken care of by defining the masters (shifts master, Provident Fund
(PF) master, ESI (Employees’ State Insurance) master, leave, holiday, loans,
employee master, operations and sub-operations masters, etc.), the various input
transactions (such as Attendance Entry, Leave, Holiday, Earning/Deduction entry,
Advances, etc.) and finally the different types of Payroll reports, which can be of
various types according to the specified company standard.
Fig. 2.6.4 shows processes involved in Human Resource Department.

Fig. 2.6.4 groups the HR processes as: Recruit → Hire → Record Time and Expenses →
Pay via Payroll processes; Personnel Development; Maintain Benefits Plan; Maintain
Personal Data and Family Member/Dependent Information; Recording Education; and
Personnel Actions (Change of Pay, Change of Position, Leave of Absence,
Termination).

Fig. 2.6.4: Processes in Human Resource Department

♦ The module starts with the employee and workmen master.
♦ Employees being part of a department, there will be a provision for department
and designation masters. The job of this module is to record the regular
attendance of every employee.
♦ Usage of magnetic card or fingerprint recognition devices will help to
improve the attendance system and provide overall security by preventing
proxy attendance.
♦ Moreover, if the attendance related information can be digitised, then the
major portion of monthly salary can be automated. But the authority should
study the feasibility of this kind of system.
♦ This module will also deal with the financial entries like advance or loan to
employees.
♦ From Holiday master provided with the module, the user could feed all
possible holidays at the beginning of a year, so leave related information
can be automated. This module will generate monthly wage sheet from
which the salary payment can be made and respective accounts will be
updated.
♦ All figures will be password protected. Only authorized persons will be
able to access information from this module.
e. Production Planning (PP) Module
Production Planning (PP) Module is another important module that includes
software designed specifically for production planning and management. This
module also consists of master data, system configuration and transactions to
accomplish the planning procedure for production. PP module collaborates with Master
Data, Sales and Operations Planning (SOP), Distribution Resource Planning (DRP),
Production Planning, Material Requirements Planning (MRP), Capacity Planning,
Product Cost Planning and so on while working towards production management
in enterprises.
♦ Master Data –This includes the material master, work centres, routings and
bill of materials.
♦ SOP - Sales and Operations Planning (SOP) provides the ability to forecast
sales and production plans based on historical, current and future data.
♦ DRP - Distribution Resource Planning (DRP) allows companies the ability to
plan the demand for distribution centres.

♦ Production Planning – This includes material forecasting, demand
management, long term planning and master production scheduling (MPS).
♦ MRP - Material Requirements planning relies on demand and supply
elements with the calculation parameters to calculate the net requirements
from the planning run.
♦ Capacity Planning – This evaluates the capacity utilized based on the work
centres’ available capacity to show capacity constraints.
♦ Product Cost Planning –This is the process of evaluating all the time values
and value of component materials to determine the product cost.
Fig. 2.6.5 discusses Production Planning Module.

Fig. 2.6.5 shows the flow: Issue of Raw Material from stores → Conversion into
WIP → Conversion into Finished Goods → Stock Transfer to Godown.

Fig. 2.6.5: Process in Production Planning Module


Conversion into Work In Process (WIP) may include more than one step. Also,
conversion into Finished Goods may include packing process also.
f. Material Management (MM) Module
Material Management (MM) Module as the term suggests manages materials
required, processed and produced in enterprises. Different types of procurement
processes are managed with this system. Some of the popular sub-components in the
MM module are vendor master data, consumption-based planning, purchasing,
inventory management, invoice verification and so on. Material Management also
deals with movement of materials via other modules like logistics, Supply Chain
Management, sales and delivery, warehouse management, production and
planning. Fig. 2.6.6 shows overall purchase process.
♦ Purchase Requisition from Production Department: Production
department sends a request to purchase department for purchase of raw
material required for production.
♦ Evaluation of Requisition: Purchase department shall evaluate the
requisition against the current stock position and the pending purchase order
position and shall decide about accepting or rejecting the requisition.
♦ Asking for Quotation: If the requisition is accepted, quotations shall be
invited from approved vendors for purchase of the material.

♦ Evaluation of Quotations: Quotations received shall be evaluated and
compared.
♦ Purchase Order: This is a transaction for letting an approved vendor know
what we want to purchase, how much we want to purchase, at what rate we
want to purchase, by what date we want the delivery, where we want the
delivery. Hence, a typical purchase order shall have the following information:
o Description of stock items to be purchased.
o Quantity of these stock items.
o Rate for purchases.
o Due Date by which material is to be received.
o Godown where material is to be received.

Fig. 2.6.6 shows the flow: Purchase Requisition from Production Department →
Evaluation of Purchase Request by Purchase Department → Asking for Quotation from
Approved Vendors → Evaluation of Quotations → Placing an order for Approved
Quotation → Receipt of Material by Stores → Issue of Material to Production →
Recording of Purchase Invoice by Accounts → Release of Payment to Vendor.

Fig. 2.6.6: Process showing Overall Purchase Process


♦ Receipt of Material: This is a transaction of receipt of material against
purchase order which is commonly known as Material Receipt Note (MRN)
or Goods Receipt Note (GRN). This transaction shall have a linking with
Purchase Order. Information in Purchase Order is automatically copied to
Material Receipt Voucher for saving time and efforts of user. Stock is
increased after recording of this transaction.
♦ Issue of Material: Material received by stores shall be issued to production
department as per requirement.
♦ Purchase Invoice: This is a financial transaction. Trial balance is affected
due to this transaction. Material Receipt transaction does not affect trial
balance. This transaction shall have a linking with Material Receipt

Transaction and all the details of material received shall be copied
automatically in purchase invoice. As stock is increased in Material Receipt
transaction, it will not be increased again after recording of purchase
invoice.
♦ Payment to Vendor: Payment shall be made to vendor based on purchase
invoice recorded earlier. Payment transaction shall have a linking with purchase
invoice.
Please note that Purchase Order and Material Receipt are not part of financial
accounting and do not affect the trial balance. But these transactions are part of
the overall Financial and Accounting System.
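The document linking described for the purchase process here and for the sales process in 2.6.3(c), as an added example that is not from the study material: each document must link to a recorded predecessor, copies its details from it, may not exceed the predecessor's open quantities, and changes stock or the ledger only at the stage the text names. The class, the control account names and all document numbers, parties, items and rates are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Per document type: (required predecessor, stock effect per unit, GL posting as (Dr, Cr)).
# Stock moves only on receipt/delivery and the ledger only on invoice/payment, which is
# the split the text draws between Material Receipt and Purchase Invoice.
CHAIN: Dict[str, Tuple[Optional[str], int, Optional[Tuple[str, str]]]] = {
    # procure to pay (Fig. 2.6.6)
    "PurchaseOrder":    (None,               0, None),
    "MaterialReceipt":  ("PurchaseOrder",   +1, None),
    "PurchaseInvoice":  ("MaterialReceipt",  0, ("Purchases", "Vendor")),
    "VendorPayment":    ("PurchaseInvoice",  0, ("Vendor", "Bank")),
    # order to cash (Fig. 2.6.3)
    "SalesOrder":       (None,               0, None),
    "MaterialDelivery": ("SalesOrder",      -1, None),
    "SalesInvoice":     ("MaterialDelivery", 0, ("Customer", "Sales")),
    "CustomerReceipt":  ("SalesInvoice",     0, ("Bank", "Customer")),
}


@dataclass
class Document:
    doc_type: str
    number: str
    party: str = ""                                        # vendor or customer
    items: Dict[str, int] = field(default_factory=dict)    # item -> qty; empty = copy open qty
    rates: Dict[str, int] = field(default_factory=dict)    # item -> rate per unit
    godown: str = ""
    link: Optional[str] = None                             # number of the predecessor document

    def value(self) -> int:
        return sum(qty * self.rates[item] for item, qty in self.items.items())


class DocumentChain:
    def __init__(self) -> None:
        self.docs: Dict[str, Document] = {}
        self.stock: Dict[str, int] = {}                  # "godown/item" -> quantity on hand
        self.ledger: Dict[str, int] = {}                 # control account -> debit (+) / credit (-)
        self.fulfilled: Dict[str, Dict[str, int]] = {}   # predecessor -> item -> qty already used

    def record(self, doc: Document) -> Document:
        required, stock_sign, posting = CHAIN[doc.doc_type]
        if doc.number in self.docs:
            raise ValueError(f"duplicate document number {doc.number}")
        if required is not None:
            pred = self.docs.get(doc.link or "")
            if pred is None or pred.doc_type != required:
                raise ValueError(f"{doc.doc_type} {doc.number} must link to a recorded {required}")
            used = self.fulfilled.setdefault(pred.number, {})
            if not doc.items:   # details are copied from the predecessor: its still-open quantities
                doc.items = {i: q - used.get(i, 0) for i, q in pred.items.items() if q > used.get(i, 0)}
            if not doc.items:
                raise ValueError(f"{pred.number} has no open quantity left")
            for item, qty in doc.items.items():
                # Linking control: a successor may never exceed its predecessor, so a PO
                # cannot be over-received and one MRN cannot be invoiced twice.
                if qty <= 0 or used.get(item, 0) + qty > pred.items.get(item, 0):
                    raise ValueError(f"{doc.number}: {qty} of {item} exceeds open quantity on {pred.number}")
            for item, qty in doc.items.items():
                used[item] = used.get(item, 0) + qty
            doc.rates, doc.godown, doc.party = dict(pred.rates), pred.godown, pred.party
        if stock_sign:
            for item, qty in doc.items.items():
                key = f"{doc.godown}/{item}"
                if self.stock.get(key, 0) + stock_sign * qty < 0:
                    raise ValueError(f"{doc.number}: insufficient stock of {key}")
                self.stock[key] = self.stock.get(key, 0) + stock_sign * qty
        if posting:
            debit, credit = posting
            self.ledger[debit] = self.ledger.get(debit, 0) + doc.value()
            self.ledger[credit] = self.ledger.get(credit, 0) - doc.value()
        self.docs[doc.number] = doc
        return doc

    def trial_balance_totals(self) -> Tuple[int, int]:
        return (sum(b for b in self.ledger.values() if b > 0),
                sum(-b for b in self.ledger.values() if b < 0))


def run_cycles() -> dict:
    """Constructed walk-through: buy 100 sheets from a vendor, then sell 40 of them."""
    erp, snap = DocumentChain(), {}
    erp.record(Document("PurchaseOrder", "PO-1001", "Acme Steel Ltd",
                        {"MS-SHEET-2MM": 100}, {"MS-SHEET-2MM": 250}, "GODOWN-A"))
    erp.record(Document("MaterialReceipt", "MRN-501", link="PO-1001"))   # stock up, ledger untouched
    snap["after_mrn"] = (dict(erp.stock), erp.trial_balance_totals())
    erp.record(Document("PurchaseInvoice", "PI-301", link="MRN-501"))    # ledger posted, stock unchanged
    snap["after_invoice"] = (dict(erp.stock), erp.trial_balance_totals())
    erp.record(Document("VendorPayment", "PAY-77", link="PI-301"))
    erp.record(Document("SalesOrder", "SO-2001", "Bharat Fabricators",
                        {"MS-SHEET-2MM": 40}, {"MS-SHEET-2MM": 400}, "GODOWN-A"))
    erp.record(Document("MaterialDelivery", "DC-601", link="SO-2001"))
    erp.record(Document("SalesInvoice", "SI-401", link="DC-601"))
    erp.record(Document("CustomerReceipt", "RCPT-91", link="SI-401"))
    snap["final"] = (dict(erp.stock), dict(erp.ledger))
    return snap
```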
g. Quality Management Module
Quality Management (QM) Module helps in management of quality in
productions across processes in an organization. This module helps an
organization to accelerate their business by adopting a structured and functional
way of managing quality in different processes. Quality Management module
collaborates in procurement and sales, production, planning, inspection,
notification, control, audit management and so on. Fig. 2.6.7 shows processes in
Quality Management Module.
♦ Quality Planning: Quality planning is the process of planning the
production activities to achieve the goals of meeting the customer
requirements in time, within the available resources.
♦ Quality Control: It is a system for ensuring the maintenance of proper
standards in manufactured goods, especially by periodic random inspection
of the product. It involves the checking and monitoring of the process and
products with an intention of preventing non-conforming materials from
going to the customer. Various result areas are identified for each process
and studies are conducted to verify whether those results are being
achieved.
♦ Quality Assurance: Quality assurance concentrates on identifying various
processes, their interactions and sequence, defining the objectives of each
process, identifying the key result areas and measures to measure the
results, establishing the procedures for getting the required results,
documenting the procedures to enable everyone to follow the same,
educating the people to implement the procedures, preparing standard
operating instructions to guide the people on work spot, monitoring and

measuring the performance, taking suitable actions on deviations and
continuously improving the systems.
♦ Quality Improvement: Quality improvement is a never-ending process. The
customer’s needs and expectations are continuously changing depending
on the changes in technology, economy, political situation, ambitions and
dreams, competition, etc.
Fig. 2.6.7 shows the flow: Plan Quality (outputs: Quality Management Plan, Quality
Checklist, Quality Metrics) → Perform Quality Assurance and Perform Quality Control
(Quality Control Measurements, Work Performance Information, Deliverables) →
Change Requests → Perform Integrated Change Control → Approved Change Requests →
Direct & Manage Project Execution.

Fig. 2.6.7: Process in Quality Management Module


Quality Management Process includes the following:
♦ Master data and standards are set for quality management;
♦ Set Quality Targets to be met;
♦ Quality management plan is prepared;
♦ Define how those quality targets will be measured;
♦ Take the actions needed to measure quality;
♦ Identify quality issues and improvements and changes to be made;
♦ In case any change is needed in the product, change requests are sent;

♦ Report on the overall level of quality achieved; and
♦ Quality is checked at multiple points, for example, inwards of goods at
warehouse, manufacturing, procurement, returns.
h. Plant Maintenance Module
Plant Maintenance (PM) is a functional module which handles the maintenance of
equipment and enables efficient planning of production and generation schedules.
This application component provides a comprehensive software solution for all
maintenance activities that are performed within a company. It supports
cost-efficient maintenance methods such as risk-based maintenance or preventive
maintenance, and provides comprehensive outage planning and powerful work order
management.
Objectives of Plant Maintenance Module
(i) To achieve minimum breakdown and to keep the plant in good working
condition at the lowest possible cost.
(ii) To keep machines and other facilities in a condition that permits them to be
used at their optimum (profit making) capacity without any interruption or
hindrance.
(iii) To ensure the availability of the machines, buildings and services required
by other sections of the factory for the performance of their functions at
optimum return on investment whether this investment be in material,
machinery or personnel.
Fig. 2.6.8 shows processes in Plant Maintenance.
♦ Equipment Master is a repository of the standard information that one
needs related to a specific piece of equipment.
♦ Equipment/Plant Maintenance provides a variety of reports to help us to
review and manage information about our equipment and its maintenance.
♦ Plant Maintenance (PM) Reports are used to review and manage
information about preventive maintenance schedules and service types
within any maintenance organization.
Different PM reports are required to review PM information, such as: status of
service types for a piece of equipment; maintenance messages; the frequency of
occurrence for selected service types; and all equipment transactions.

Fig. 2.6.8 shows the inputs (Information on Type of Machines from Production
Planning and Control (PPC); Information on Item/Parts from Inventory), the master
and transaction data (Equipment Master, Plant Master, Equipment/Plant Maintenance
Data, History Database, Yearly PM Schedule) and the outputs (PM Reminder Report, PM
Schedule Report, Monthly PM Report, Maintenance History Report, Equipment/Plant
Master Report).

Fig. 2.6.8: Process in Plant Maintenance


i. Project Systems Module
This is an integrated project management tool used for planning and managing
projects and for portfolio management. It has several tools that enable the
project management process, such as cost planning and budgeting, scheduling,
requisitioning of materials and services, and execution, through to project
completion. Fig. 2.6.9 shows the process in Project Systems.
Project System is closely integrated with other ERP modules like Logistics, Material
Management, Sales and Distribution, Plant Maintenance, Production Planning, etc.
Before a project is initiated, it is required that the project goal be clearly
defined and the activities structured. The Project Manager has the task of ensuring
that these projects are executed within budget and time and that resources are
allocated to the project as per the requirement.

Fig. 2.6.9 shows the process beginning with Project Request and ending with
Project Progress and Reporting.

Fig. 2.6.9: Processes in Project Systems

In Project System, each process has a defined set of tasks to be performed known
as process flow in Project Lifecycle. When a project request is received, a project
is created and it undergoes the following steps in project process flow/lifecycle.
j. Supply Chain Module
A Supply Chain is a network of autonomous or semi-autonomous business
entities collectively responsible for procurement, manufacturing, and distribution
activities associated with one or more families of related products. This module
provides extensive functionality for logistics, manufacturing, planning, and
analytics involving the activities like inventory, supply chain planning, supplier
scheduling, claim processing, order entry, purchasing, etc. In other words, a
supply chain is a network of facilities that procure raw materials, transform them
into intermediate goods and then finished products, and then finally deliver the
products to customers through a distribution system or a chain.
You can optimize your supply chain for months in advance; streamline processes
such as supply network, demand, and material requirement planning; create
detailed scheduling; refine production integration and maximize transportation
scheduling. Fig. 2.6.10 shows processes in the supply chain.

Fig. 2.6.10 shows the chain: Raw Materials → Supplier → Manufacturing →
Distribution → Customer/Retailer → Consumer.

Fig. 2.6.10: Processes in Supply Chain

In a Supply Chain Management System, any product which is manufactured in a
company first reaches the distributors directly from the manufacturer, where the
manufacturer sells the product to the distributor with some margin of profit.
Distributors supply that product to the retailer with their profit, and then
finally customers receive that product from the retailer. This is called a Supply
Chain Management System, which implies that a product reaches the customer from
the manufacturer through the supply chain.

k. Customer Relationship Management (CRM)
Customer Relationship Management is a system which aims at improving the
relationship with existing customers, finding new prospective customers, and
winning back former customers. This system can be brought into effect with
software which helps in collecting, organizing, and managing the customer
information. Information in the system can be accessed and entered by
employees in different departments, such as sales, marketing, customer service,
training, professional development, performance management, human resource
development, and compensation. Details on any customer contacts can also be
stored in the system. The rationale behind this approach is to improve services
provided directly to customers and to use the information in the system for
targeted marketing.
CRM manages the enterprise’s relationship with its customers. This includes
determining who the high-value customers are and documenting what
interactions the customers have had with the enterprise. Only large ERP packages
have a CRM module. The CRM module uses the existing ERP tables as the source
of its data. This is primarily the Contact, Customer, and Sales tables. CRM does
not exchange transactions with other modules as CRM does not have
transactions. Implementing a CRM strategy is advantageous to both small-scale
and large-scale business ventures. Key benefits of a CRM module are as under.
♦ Improved customer relations: One of the prime benefits of using a CRM is
obtaining better customer satisfaction. By using this strategy, all dealings
involving servicing, marketing, and selling out products to the customers
can be carried out in an organized and systematic way. Better services can
be provided to customers through improved understanding of their issues
and this in turn helps in increasing customer loyalty and decreasing
customer agitation. In this way, continuous feedback from the customers
regarding the products and services can be received. It is also possible that
the customers may recommend the product to their acquaintances when
efficient and satisfactory services are provided.
♦ Increase customer revenues: By using a CRM strategy for any business, the
revenue of the company can be increased. Using the data collected,
marketing campaigns can be popularized in a more effective way. With the
help of CRM software, it can be ensured that the product promotions reach
a different and brand new set of customers, and not the ones who had
already purchased the product, and thus effectively increase the customer
revenue.

♦ Maximize up-selling and cross-selling: A CRM system allows up-selling,
which is the practice of giving customers premium products that fall in the
same category of their purchase. This strategy also facilitates cross selling
which is the practice of offering complementary products to customers,
based on their previous purchases. This is done by interacting with the
customers and getting an idea about their wants, needs, and patterns of
purchase. The details thus obtained will be stored in a central database,
which is accessible to all company executives. So, when an opportunity is
spotted, the executives can promote their products to the customers, thus
maximizing up-selling and cross selling.
♦ Better internal communication: Following a CRM strategy helps in building
up better communication within the company. The sharing of customer data
between different departments will enable them to work as a team. This is
better than functioning as an isolated entity, as it will help in increasing the
company’s profitability and enabling better service to customers.
♦ Optimize marketing: CRM enables an enterprise to understand customer needs and
behaviour in a better way, thereby allowing it to identify the correct time to
market its product to the customers. CRM will also give an idea about the most
profitable customer groups, and by using this information, similar prospective
groups can be targeted at the right time. In this way, marketing resources can
be optimized efficiently and time is not wasted on less profitable customer
groups.
2.6.4 Integration with Other Modules
Any ERP System is like a human body. There are different units and each unit
relates to the other units. All the units must work in harmony with the other units
to generate the desired result. The following points are important for integration
of modules with the Financial and Accounting System:
♦ Master data across all the modules must be the same and must be shared with
other modules wherever required.
♦ Common transaction data must be shared with other modules wherever
required.
♦ Separate voucher types are to be used for each module for easy identification of
the department recording it.
♦ Figures and transactions may flow across departments. For example, closing
stock value is taken to the Trading Account as well as the Balance Sheet. Correct
closing stock value is dependent on two things: complete and correct
accounting of inventory transactions and an appropriate method of valuation
of closing stock. Closing stock quantity is required by the Purchase Department,
Stores Department, Accounts Department and Production Department.
Similarly, salary figures are used by the Human Resource Department and
Accounts Department simultaneously. Hence, it is necessary to design the
system accordingly.
I. Integration Points
Some of the points regarding integration with other modules are discussed here.
(i) Material Management Integration with Finance and Controlling (FICO)
It is integrated in areas like Material Valuation, Vendor Payments, Material
Costing etc. Whenever any inventory posting is done, it updates the General
Ledger (GL) accounts online in the background. Logistics invoice verification will
create vendor liability in vendor account immediately on posting the document.
Any advance given against the purchase order updates the Purchase Order
history. For every inventory posting, there is corresponding Controlling document
to update profit centre accounting reporting.
(ii) Human Resource Module Integration with Finance and Controlling
Attendance and leave record is used for calculation of salary on monthly basis.
Salary is also a part of financial accounting. Hence, salary processed and
calculated by Human Resource Module shall be integrated with Finance &
Controlling Module.
(iii) Material Management Integration with Production Planning (PP)
It is integrated in the areas like Material Requirement Planning, Receipts/issues
against production orders, Availability check for stocks etc. Material requirement
Planning is based on Stocks, expected receipts, expected issues. It generates
planned orders or purchase requisitions which can be converted to purchase
orders/Contracts. Inventory Management is responsible for staging of the
components required for production orders. The receipt of the finished products
in the Warehouse is posted in Inventory Management.
(iv) Material Management Integration with Sales and Distribution (SD)
It is integrated in the areas like Delivery, Availability Check, Stock transfers
requirements etc. As soon as a sales order is created, it can initiate a dynamic
availability check of stocks on hand. When the delivery is created, the quantity to
be delivered is marked as “Scheduled for delivery”. It is deducted from the total
stock when the goods issue is posted. Purchase order can be directly converted to
delivery for a stock transfer requirement.
(v) Material Management Integration with Quality Management (QM)
It is integrated with QM for Quality inspection at Goods Receipt, In-process
inspection etc. In the case of a goods movement, the system determines whether
the material is subject to an inspection operation. If so, a corresponding activity is
initiated for the movement in the Quality Management system. Based on quality
parameters, vendor evaluation is done.
(vi) Material Management Integration with Plant Maintenance (PM)
The material/service requirement is mentioned in Maintenance order. This leads
to generation of Purchase Requisition. This PR will be converted to Purchase
Order by MM. The goods for a PO will be awarded to Maintenance by MM. The
spares which were reserved for maintenance order will be issued by MM against
the reservation number.
Example 2.7: Let us consider a case of an ice-cream manufacturing company to
see various examples of ERP modules.
A. Material Management Module
a. Placing a purchase order for purchase of raw material like milk, dry
fruits, milk powder, butter, essence, sugar, etc. to an approved vendor.
b. Receiving raw material at stores.
B. Production Module
a. Seeking raw material from stores.
b. Converting raw material into Work In Progress (WIP) and WIP into
finished goods.
c. Sending the finished goods to cold room.
C. Supply Chain Module
a. Distributing finished goods, i.e. ice cream to the customers.
b. Keeping a track of all deliveries.
c. Planning and scheduling of all deliveries.
D. Finance & Accounting
a. Recording of all financial transactions.
b. Payments to vendors.
c. Collections from customers.
E. Human Resource Module
a. Keeping record of all human resource related activities.
b. Attendance, leave, salary calculations, joining and leaving of
employees.
F. Sales & Distribution
a. Performing pre-sales activities.
b. Recording sales orders.
c. Keeping track of all customer related transactions till collection
against invoices.

2.7 REPORTING SYSTEM AND MANAGEMENT INFORMATION SYSTEMS (MIS)
2.7.1 Reporting System
A report simply means the presentation of information in a proper and meaningful
way. We have already discussed systems earlier in this chapter. So, basically, a
reporting system is a system of regular reporting on pre-decided aspects.
The basic purpose of any Financial and Accounting system is to give right
information at right point of time to right people for right decision making. Two
basic reports, i.e. Balance Sheet and Profit & Loss Account are used for basic
analysis of financial position and financial performance. But only these two
reports are not sufficient for all types of decision making. Hence, we need a
proper reporting system to serve the purpose.
Companies generally have a finance function which monitors the financial
position monthly. Key reports are analysed by management to determine whether
appropriate financial decisions are being made at the right time; for example,
actual revenue by region is compared against budgets to ensure forecasts are
met. These periodic reviews also ensure that financial hygiene is maintained and
that no misstatements creep into the preparation of year-end financial reports.
Companies, especially large listed corporations, publish their annual reports to
the public at large, providing many insights into their operations, their future and
their social responsibilities. The MD&A (Management Discussion & Analysis)
section of these annual reports discusses how management has prepared the
financial position, their interpretation of the company’s performance and the
industry in which it operates, and provides critical guidance on where the
company is heading.
2.7.2 Management Information System (MIS)
An MIS report is a tool that managers use to evaluate business processes and
operations. There are different kinds of MIS reports that may be used to present
different kinds of information visually.
I. What is an MIS Report?
Assume that you are the manager of a medium-sized company’s customer service
department. Your staff takes phone calls and emails from over 300 customers
every day. For the most part, they do a very good job, but recently, customers
have started to complain that it takes too long to get their questions answered.
Upper management at your company is concerned about this and wants to know
what they can do to fix the problem. But before they decide, they need you to
give them more information. How will you do this?
This is where MIS reports come in. Business managers at all levels of an
organization, from assistant managers to executives, rely on reports generated
from these systems to help them evaluate their businesses’ daily activities or
problems that arise, make decisions, and track progress. MIS reporting is used by
businesses of all sizes and in every industry.
II. Who uses MIS Reports?
An MIS automatically collects data from various areas within a business. These
systems can produce daily reports that can be sent to key members throughout
the organization. Most MIS can also generate on-demand reports that allow
managers and other users of the system to generate an MIS report whenever they
need it. Many large businesses have specialized MIS departments, whose only job
is to gather business information and create MIS reports. Some of these
businesses use sophisticated computing technology and software to gather
information. However, the method of collecting information does not have to be
that complex. Smaller businesses often use simple software programs and
spreadsheets for their MIS reporting needs.

There can be as many types of MIS reports as there are divisions within a
business. For example, information about sales revenue and business expenses
would be useful in MIS reports for finance and accounting managers. Warehouse
managers would benefit from MIS reports about product inventory and shipping
information. Total sales from the past year could go into an MIS report for
marketing and sales managers.
III. Type of Information in an MIS Report
Example 2.8: In our pretend manager example, you’ve been asked to present
information about your department’s customer service calls. An MIS report for
this would likely contain data such as:
♦ The number of calls your staff takes;
♦ The number of emails that come in each day;
♦ The average amount of time it takes to answer a phone call or email; and
♦ The number of questions that your staff answers correctly vs. the number
that are incorrect.
To make this information most useful, you also need to ensure that it meets the
following criteria:
♦ Relevant - MIS reports need to be specific to the business area they
address. This is important because a report that includes unnecessary
information might be ignored.
♦ Timely - Managers need to know what’s happening now or in the recent
past to make decisions about the future. Be careful not to include
information that is old. An example of timely information for your report
might be customer phone calls and emails going back 12 months from the
current date.
♦ Accurate - It’s critical that numbers add up and that dates and times are
correct. Managers and others who rely on MIS reports can’t make sound
decisions with information that is wrong. Financial information is often required
to be accurate to the dollar. In other cases, it may be OK to round off numbers.
♦ Structured - Information in an MIS report can be complicated. Making that
information easy to follow helps management understand what the report is
saying. Try to break long passages of information into more readable blocks
or chunks and give these chunks meaningful headings.

Example 2.9: Let us take the case of an MIS report regarding control over cash
balance. The objective of this MIS report is to have control over the cash balance
and the accounting of cash transactions. A simple weekly cash report is depicted
in Table 2.7.1.
Table 2.7.1: Image of weekly cash report

Indradhanu Consulting Private Limited
Weekly Cash Report

            ------------------------- Physical Cash -------------------------
Date        Opening Balance  Total Receipts  Total Payments  Closing Balance  System Cash  Difference
1/7/2017             40,200          13,043          15,403           37,840       37,840           -
2/7/2017             37,840          45,760          33,443           50,157       50,157           -
3/7/2017             50,157          45,300          23,009           72,448       72,448           -
4/7/2017             72,448          32,333          34,200           70,581       70,581           -
5/7/2017             70,581           7,600           8,131           70,050       70,100          50
6/7/2017             70,050          56,400          17,050          109,400      109,400           -
7/7/2017            109,400          60,000          30,100          139,300      139,300           -

This report can be further improved by adding a date-wise denomination of notes,
as shown in Table 2.7.2.
Table 2.7.2: Improved version of the weekly cash report (denominations for 1/7/2017)

Denomination    2000     500     100      50      20      10       5       2       1   Coins    Total
1/7/2017
Quantity          10      20      25      60      60     111       2       5      10       0
Value         20,000  10,000   2,500   3,000   1,200   1,110      10      10      10       -   37,840
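The control behind the weekly cash report can be automated. The following Python is an added example (not from the ICAI text or any accounting product): it recomputes Table 2.7.1 from the daily figures, checks that each day's opening balance equals the previous day's closing balance, flags any difference between the physical count and the system balance (the 50 on 5/7/2017), and values the denomination count of Table 2.7.2. The company name and figures are the tables' own; the function and field names are mine.

```python
"""Weekly cash report reconciliation (added example, not from the ICAI text).

Rebuilds Table 2.7.1 from the daily figures and applies the two checks a
reviewer would make before signing the report:
  * continuity: each day's opening balance is the previous physical closing;
  * agreement: the system (book) balance equals the physical closing balance,
    otherwise the Difference column is non-zero and must be explained.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class CashDay:
    date: str
    opening: int      # physical cash at the start of the day
    receipts: int     # total cash receipts during the day
    payments: int     # total cash payments during the day
    system_cash: int  # closing balance per the accounting system


# Figures from Table 2.7.1 (July 2017, Indradhanu Consulting Private Limited).
WEEK = [
    CashDay("1/7/2017", 40_200, 13_043, 15_403, 37_840),
    CashDay("2/7/2017", 37_840, 45_760, 33_443, 50_157),
    CashDay("3/7/2017", 50_157, 45_300, 23_009, 72_448),
    CashDay("4/7/2017", 72_448, 32_333, 34_200, 70_581),
    CashDay("5/7/2017", 70_581, 7_600, 8_131, 70_100),
    CashDay("6/7/2017", 70_050, 56_400, 17_050, 109_400),
    CashDay("7/7/2017", 109_400, 60_000, 30_100, 139_300),
]


def closing_balance(day: CashDay) -> int:
    """Physical closing cash = opening + receipts - payments."""
    return day.opening + day.receipts - day.payments


def reconcile(week: list[CashDay]) -> tuple[list[dict], list[str]]:
    """Rebuild the report rows and return (rows, exceptions).

    Exceptions are collected as messages rather than raised, so the whole
    week is reported even when several days need explanation.
    """
    rows, exceptions = [], []
    previous_closing = None
    for day in week:
        closing = closing_balance(day)
        difference = day.system_cash - closing   # the report's Difference column
        rows.append({"date": day.date, "closing": closing,
                     "system": day.system_cash, "difference": difference})
        if previous_closing is not None and day.opening != previous_closing:
            exceptions.append(f"{day.date}: opening {day.opening} != previous "
                              f"closing {previous_closing}")
        if difference != 0:
            exceptions.append(f"{day.date}: system cash {day.system_cash} differs "
                              f"from physical cash {closing} by {difference}")
        previous_closing = closing
    return rows, exceptions


# Denomination count for 1/7/2017 from Table 2.7.2 (note value -> quantity).
DENOMINATIONS_1_JULY = {2000: 10, 500: 20, 100: 25, 50: 60, 20: 60,
                        10: 111, 5: 2, 2: 5, 1: 10}
COINS_1_JULY = 0  # value of loose coins, a separate column in the table


def denomination_total(counts: dict[int, int], coins: int = 0) -> int:
    """Value of the physical count; it must equal the day's closing balance."""
    return sum(value * qty for value, qty in counts.items()) + coins


if __name__ == "__main__":
    report_rows, issues = reconcile(WEEK)
    for row in report_rows:
        print(f"{row['date']:>9}  closing {row['closing']:>8,}  "
              f"system {row['system']:>8,}  difference {row['difference']:>4}")
    for issue in issues:
        print("EXCEPTION:", issue)
    print("1/7/2017 count by denomination:",
          denomination_total(DENOMINATIONS_1_JULY, COINS_1_JULY))
```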

For a sales-oriented business, a Sales MIS Report can be designed as in Table 2.7.3.

Table 2.7.3: Sales MIS Report

Month      Demos Shown   Sales No.   Sales Value   Collection
Apr-17              38          12       148,800      129,600
May-17              42          13       161,200      140,400
Jun-17              33          15       186,000      162,000
Jul-17              45          21       260,400      226,800
Aug-17              50          22       272,800      237,600
Sep-17              26          14       173,600      151,200
Oct-17              29          10       124,000      108,000
Nov-17              44          28       347,200      347,200
Dec-17              32          21       260,400      226,800
Jan-18              43          16       198,400      172,800
Feb-18              53          27       334,800      291,600
Mar-18              47          20       248,000      216,000
Total              482         219     2,715,600    2,410,000
Unattended Prospects: 48

2.8 DATA ANALYTICS AND BUSINESS INTELLIGENCE
Data Analytics is the process of examining data sets to draw conclusions about
the information they contain, increasingly with the aid of specialized systems and
software. Data analytics technologies and techniques are widely used in
commercial industries to enable organizations to make more-informed business
decisions and by scientists and researchers to verify or disprove scientific models,
theories and hypotheses.
As a term, Data Analytics predominantly refers to an assortment of applications,
from basic Business Intelligence (BI), reporting and Online Analytical Processing
(OLAP) to various forms of advanced analytics. In that sense, it’s similar in nature
to business analytics, another umbrella term for approaches to analysing data -
with the difference that the latter is oriented to business uses, while data analytics
has a broader focus. The expansive view of the term isn’t universal, though: in
some cases, people use data analytics specifically to mean advanced analytics,
treating Business Intelligence as a separate category.

Data Analytics initiatives can help businesses increase revenues, improve
operational efficiency, optimize marketing campaigns and customer service
efforts, respond more quickly to emerging market trends and gain a competitive
edge over rivals - all with the goal of boosting business performance. Depending
on the particular application, the data that is analysed can consist of either
historical records or new information that has been processed for real-time
analytics uses. In addition, it can come from a mix of internal systems and external
data sources.
2.8.1 Types of Data Analytics Applications
At a high level, Data Analytics methodologies include Exploratory Data Analysis
(EDA), which aims to find patterns and relationships in data, and Confirmatory
Data Analysis (CDA), which applies statistical techniques to determine whether
hypotheses about a data set are True or False. EDA is often compared to detective
work, while CDA is akin to the work of a judge or jury during a court trial - a
distinction first drawn by statistician John W. Tukey in 1977 in his book
Exploratory Data Analysis. Data Analytics can also be separated into Quantitative
Data Analysis and Qualitative Data Analysis.
♦ Quantitative Data Analysis: This involves analysis of numerical data with
quantifiable variables that can be compared or measured statistically.
♦ Qualitative Data Analysis: The qualitative approach is more interpretive - it
focuses on understanding the content of non-numerical data like text,
images, audio and video, including common phrases, themes and points of
view.
At the application level, Business Intelligence and Reporting provide business
executives and other corporate workers with actionable information about key
performance indicators, business operations, customers and more. In the past, Data
queries and reports typically were created for end users by BI developers working in
IT or for a centralized BI team. Now, organizations increasingly use self-service BI
tools that let executives, business analysts and operational workers run their own
ad hoc queries and build reports themselves. More advanced types of Data Analytics
include –
♦ Data Mining, which involves sorting through large data sets to identify
trends, patterns and relationships;
♦ Predictive Analytics, which seeks to predict customer behaviour,
equipment failures and other future events; and

♦ Machine Learning, an artificial intelligence technique that uses automated
algorithms to churn through data sets more quickly than data scientists can
do via conventional analytical modelling.
Big Data Analytics applies data mining, predictive analytics and machine learning
tools to sets of big data that often contain unstructured and semi-structured data.
Text mining provides a means of analysing documents, emails and other text-
based content. Fig. 2.8.1 shows the process of converting raw data into knowledge
leading to Intelligent Decisions.

[Fig. 2.8.1 is a pyramid with DATA at the base and INTELLIGENT DECISIONS at the
top: DATA in context becomes INFORMATION; INFORMATION plus insight becomes
KNOWLEDGE; KNOWLEDGE plus foresight or intuition becomes INTELLIGENCE;
INTELLIGENCE and VISION in the right situations drives better decisions.]
Fig. 2.8.1: Process of converting raw data into knowledge


Some Application areas of Data Analytics are as follows:
♦ Data Analytics initiatives support a wide variety of business uses. For
example, banks and credit card companies analyse withdrawal and spending
patterns to prevent fraud and identity theft.
♦ E-commerce companies and marketing services providers do click stream
analysis to identify website visitors who are more likely to buy a product or
service based on navigation and page-viewing patterns.
♦ Mobile network operators examine customer data to forecast which customers
may leave, so that they can take steps to prevent defections to business rivals
and boost customer relationship management efforts. Other companies also
engage in CRM analytics to segment customers for marketing campaigns and
equip call centre workers with up-to-date information about callers.

♦ Healthcare organizations mine patient data to evaluate the effectiveness of
treatments for cancer and other diseases.
2.8.2 Inside the Data Analytics Process
Data Analytics applications involve more than just analysing data. Particularly on
advanced analytics projects, much of the required work takes place upfront, in
collecting, integrating and preparing data and then developing, testing and
revising analytical models to ensure that they produce accurate results. In
addition to data scientists and other data analysts, analytics teams often include
data engineers, whose job is to help get data sets ready for analysis.
Data Collection: The analytics process starts with data collection, in which data
scientists identify the information they need for an analytics application and then
work on their own or with data engineers and IT staffers to assemble it for use.
Data from different source systems may need to be combined via data integration
routines, transformed into a common format and loaded into an analytics system,
such as a Hadoop cluster, NoSQL database or data warehouse. In other cases, the
collection process may consist of pulling a relevant subset out of a stream of raw
data that flows into, say, Hadoop and moving it to a separate partition in the
system so it can be analysed without affecting the overall data set.
Find and Fix Data Quality Problems: Once the data that’s needed is in place, the
next step is to find and fix data quality problems that could affect the accuracy of
analytics applications. That includes running data profiling and data cleansing
jobs to make sure that the information in a data set is consistent and that errors
and duplicate entries are eliminated. Additional data preparation work is then
done to manipulate and organize the data for the planned analytics use, and data
governance policies are applied to ensure that the data hews to corporate
standards and is being used properly.
At that point, the data analytics work begins in earnest. A data scientist builds an
analytical model, using predictive modelling tools or other analytics software and
programming languages such as Python, Scala, R and SQL. The model is initially
run against a partial data set to test its accuracy; typically, it’s then revised and
tested again, a process known as “training” the model that continues until it
functions as intended. Finally, the model is run in production mode against the
full data set, something that can be done once to address a specific information
need or on an ongoing basis as the data is updated.
Building Analytical Model: In some cases, analytics applications can be set to
automatically trigger business actions, for example stock trades by a financial
services firm. Otherwise, the last step in the data analytics process is
communicating the results generated by analytical models to business executives
and other end users to aid in their decision-making. That usually is done with the
help of data visualization techniques, which analytics teams use to create charts
and other info graphics designed to make their findings easier to understand.
Data visualizations often are incorporated into BI dashboard applications that
display data on a single screen and can be updated in real time as new
information becomes available.
2.8.3 Business Intelligence (BI)
Business Intelligence (BI) is a technology-driven process for analysing data and
presenting actionable information to help corporate executives, business
managers and other end users make more informed business decisions. BI
encompasses a wide variety of tools, applications and methodologies that enable
organizations to collect data from internal systems and external sources, prepare
it for analysis, develop and run queries against the data, and create reports,
dashboards and data visualizations to make the analytical results available to
corporate decision makers as well as operational workers.
Reasons for Business Intelligence
BI enables organizations to make well-informed business decisions and thus can
be the source of competitive advantages. This is especially true when we can
extrapolate information from indicators in the external environment and make
accurate forecasts about future trends or economic conditions. Once business
intelligence is gathered effectively and used proactively, we can make decisions
that benefit our organization before the competition does.
The ultimate objective of business intelligence is to improve the timeliness and
quality of information. Business intelligence reveals to us –
♦ The position of the firm in comparison to its competitors.
♦ Changes in customer behaviour and spending patterns.
♦ The capabilities of the firm.
♦ Market conditions, future trends, demographic and economic information.
♦ The social, regulatory and political environment.
♦ What the other firms in the market are doing.

Example 2.10: Fig. 2.8.2 shows an example in which Business Intelligence uses data
from different sources (left hand side) and helps to find answers to various
questions (right hand side).

[Fig. 2.8.2 has two halves. Left, INFORMATION (ONLINE TRANSACTION PROCESSING):
a Product Database fed by actions such as “Add a product line” and “Change a
product price”; an Advertising Database fed by “Change advertising timetable”
and “Increase radio budget”; a Customer Demographic Database fed by “Increase
customer credit limit” and “Change customer salary level”. Right, BUSINESS
INTELLIGENCE (ONLINE ANALYTICAL PROCESSING): questions such as “How many
products sold $10,000 last month in TV ad areas?”, “If inventory levels drop 10%
what customers might shop elsewhere?” and “Can customer profile changes support
a high-priced product?”.]
Fig. 2.8.2: Depicting Example 2.10 of Business Intelligence
BI data can include historical information, as well as new data gathered from
source systems as it is generated, enabling BI analysis to support both strategic
and tactical decision-making processes. Initially, BI tools were primarily used by
data analysts and other IT professionals who ran analyses and produced reports
with query results for business users. Increasingly, however, business executives
and workers are using BI software themselves, thanks partly to the development
of self-service BI and data discovery tools.
Benefits of Business Intelligence
♦ BI improves the overall performance of the company using it. The potential
benefits of business intelligence programs include –
o accelerating and improving decision making;
o optimizing internal business processes;
o enhancing communication among departments while coordinating
activities;
o increasing operational efficiency;
o driving new revenues; and
o gaining competitive advantages over business rivals.
♦ BI systems can also help companies identify market trends and spot
business problems that need to be addressed.
♦ BI systems help in enhancing customer experience, allowing for the timely
and appropriate response to customer problems and priorities.
Business Intelligence Technology
Business Intelligence combines a broad set of data analysis applications, including
ad hoc analysis and querying, enterprise reporting, Online Analytical Processing
(OLAP), mobile BI, real-time BI, operational BI, cloud and software as a service BI,
open source BI, collaborative BI and location intelligence.
BI technology also includes data visualization software for designing charts and
other info-graphics, as well as tools for building BI dashboards and performance
scorecards that display visualized data on business metrics and key performance
indicators in an easy-to-grasp way. BI applications can be bought separately from
different vendors or as part of a unified BI platform from a single vendor.
BI programs can also incorporate forms of advanced analytics, such as data
mining, predictive analytics, text mining, statistical analysis and big data analytics.
In many cases, though, advanced analytics projects are conducted and managed by
separate teams of data scientists, statisticians, predictive modellers and other skilled
analytics professionals, while BI teams oversee more straightforward querying and
analysis of business data.
Business Intelligence data typically is stored in a data warehouse or smaller data marts
that hold subsets of a company’s information. In addition, Hadoop systems are
increasingly being used within BI architectures as repositories or landing pads for
BI and analytics data, especially for unstructured data, log files, sensor data and
other types of big data. Before it is used in BI applications, raw data from different
source systems must be integrated, consolidated and cleansed using data
integration and data quality tools to ensure that users are analysing accurate and
consistent information.

In addition to BI managers, Business Intelligence teams generally include a mix of
BI architects, BI developers, business analysts and data management
professionals; business users often are also included to represent the business
side and make sure its needs are met in the BI development process. To help with
that, a growing number of organizations are replacing traditional waterfall
development with Agile BI and data warehousing approaches that use Agile
software development techniques to break up BI projects into small chunks and
deliver new functionality to end users on an incremental and iterative basis. Doing
so can enable companies to put BI features into use more quickly and to refine or
modify development plans as business needs change or new requirements
emerge and take priority over earlier ones.
Business intelligence is sometimes used interchangeably with business analytics;
in other cases, business analytics is used either more narrowly to refer to
advanced data analytics or more broadly to include both BI and advanced
analytics.

2.9 BUSINESS REPORTING AND FUNDAMENTALS OF XBRL
2.9.1 Business Reporting
Business Reporting or Enterprise Reporting is the public reporting of operating
and financial data by a business enterprise or the regular provision of information
to decision-makers within an organization to support them in their work.
Reporting is a fundamental part of the larger movement towards improved
business intelligence and knowledge management. Often implementation
involves Extract, Transform, and Load (ETL) procedures in coordination with a data
warehouse and then using one or more reporting tools. While reports can be
distributed in print form or via email, they are typically accessed via a corporate
intranet.
With the dramatic expansion of information technology, and the desire for
increased competitiveness in corporations, there has been an increase in the use
of computing power to produce unified reports which join different views of the
enterprise in one place. This reporting process involves querying data sources
with different logical models to produce a human readable report. For example, a
user has to query the Human Resources databases and the Capital
Improvements databases to show how efficiently space is being used across an
entire corporation.
Organizations conduct a wide range of reporting, including financial and
regulatory reporting; Environmental, Social, and Governance (ESG) reporting (or
sustainability reporting); and increasingly integrated reporting.
Organizations communicate with their stakeholders about:
♦ mission, vision, objectives, and strategy;
♦ governance arrangements and risk management;
♦ trade-offs between the shorter- and longer-term strategies; and
♦ financial, social, and environmental performance (how they have fared
against their objectives in practice).
Why is Business Reporting Important?
Effective and transparent business reporting allows organizations to present a
cohesive explanation of their business and helps them engage with internal and
external stakeholders, including customers, employees, shareholders, creditors,
and regulators.
High-quality business reporting is at the heart of strong and sustainable
organizations, financial markets, and economies, as this information is crucial for
stakeholders to assess organizational performance and make informed decisions
with respect to an organization’s capacity to create and preserve value. Value in
this context is not necessarily limited to monetary value, but can also comprise
social, environmental, or wider economic value. As organizations fully depend on
their stakeholders for sustainable success, it is in their interest to provide them
with high-quality reports. For example, effective high-quality reporting reduces
the risk for lenders and may lower the cost of capital.
Many organizations are increasingly complex, and have larger economic,
environmental, and social footprints. Thus, various stakeholder groups are
demanding increased Environmental, Social and Governance (ESG) information, as
well as greater insight into how these factors affect financial performance and
valuations.
High-quality reports also promote better internal decision-making. High-quality
information is integral to the successful management of the business, and is one
of the major drivers of sustainable organizational success.
2.9.2 Fundamentals of XBRL
XBRL (eXtensible Business Reporting Language) is a freely available and global
standard for exchanging business information. XBRL allows the expression of
semantic meaning commonly required in business reporting. The language is
XML-based and uses the XML syntax and related XML technologies such as XML
Schema, XLink, XPath, and Namespaces. One use of XBRL is to define and
exchange financial information such as a financial statement. The XBRL
Specification is developed and published by XBRL International, Inc. (XII).
I. What is XBRL?
XBRL is an open international standard for digital business reporting, managed by
a global not-for-profit consortium, XBRL International. XBRL is used around the
world, in more than 50 countries. Millions of XBRL documents are created every
year, replacing older, paper-based reports with more useful, more effective and
more accurate digital versions.
In a nutshell, XBRL provides a language in which reporting terms can be
authoritatively defined. Those terms can then be used to uniquely represent the
contents of financial statements or other kinds of compliance, performance and
business reports. XBRL lets reporting information move between organizations
rapidly, accurately and digitally.
XBRL is a standard-based way to communicate and exchange business
information between business systems. These communications are defined by
metadata set out in taxonomies, which capture the definition of individual
reporting concepts as well as the relationships between concepts and other
semantic meaning. Information being communicated or exchanged is provided
within an XBRL instance.
The change from paper, PDF and HTML based reports to XBRL ones is a little bit
like the change from film photography to digital photography, or from paper
maps to digital maps. The new format allows you to do all the things that used to
be possible, but also opens up a range of new capabilities because the
information is clearly defined, platform-independent, testable and digital. Just like
digital maps; digital business reports in XBRL format, simplify the way that people
can use, share, analyse and add value to the data.
II. What does XBRL do?
Often termed “bar codes for reporting”, XBRL makes reporting more accurate and
more efficient. It allows unique tags to be associated with reported facts,
allowing:
♦ people publishing reports to do so with confidence that the information
contained in them can be consumed and analysed accurately.
♦ people consuming reports to test them against a set of business and logical
rules, to capture and avoid mistakes at their source.
♦ people using the information to do so in the way that best suits their needs,
including by using different languages, alternative currencies and in their
preferred style.
♦ people consuming the information to do so confident that the data
provided to them conforms to a set of sophisticated pre-defined definitions.
III. What is XBRL Tagging?
XBRL Tagging is the process by which each item of financial data is tagged with the
most appropriate element in an accounting taxonomy (a dictionary of accounting
terms), i.e. the element that best represents the data, together with tags that
facilitate identification/classification (such as the reporting enterprise, reporting
period, reporting currency, unit of measurement etc.). Since all XBRL reports
prepared under a given taxonomy use the same element definitions, numbers tagged
with the same element are comparable irrespective of how they are described by
those releasing the financial statements.
Comprehensive definitions and accurate data tags allow preparation, validation,
publication, exchange, consumption and analysis of business information of all
kinds. Information in reports prepared using the XBRL standard is interchangeable
between different information systems in entirely different organizations. This
allows for the exchange of business information across a reporting chain. People
who want to report information, share information, publish performance
information and allow straight-through information processing all rely on XBRL.
In addition to allowing the exchange of summary business reports, like financial
statements, and risk and performance reports, XBRL has the capability to allow
the tagging of transactions that can themselves be aggregated into XBRL reports.
These transactional capabilities allow system independent exchange and analysis
of significant quantities of supporting data and can be the key to transforming
reporting supply chains.
IV. Who uses XBRL?
The international XBRL consortium is supported by more than 600 member
organizations, from both the private and public sectors. The standard has been
developed and refined over more than a decade and supports almost every kind
of conceivable reporting, while providing a wide range of features that enhance
the quality and consistency of reports, as well as their usability. XBRL is used in
many ways, for many different purposes, including by:
(i) Regulators
• Financial regulators that need significant amounts of complex
performance and risk information about the institutions that they
regulate.
• Securities regulators and stock exchanges that need to analyse the
performance and compliance of listed companies and securities, and need
to ensure that this information is available to markets to consume and
analyse.
• Business registrars that need to receive and make available publicly a
range of corporate data about private and public companies, including
annual financial statements.
• Tax authorities that need financial statements and other compliance
information from companies to process and review their corporate tax
affairs.
• Statistical and monetary policy authorities that need financial
performance information from many different organizations.
(ii) Companies
• Companies that need to provide information to one or more of the
regulators mentioned above.
• Enterprises that need to accurately move information around within a
complex group.
• Supply chains that need to exchange information to help manage risk
and measure activity.
(iii) Governments
• Government agencies that are simplifying the process of businesses
reporting to government and reducing red tape, by either
harmonizing data definitions or consolidating reporting obligations
(or both).
• Government agencies that are improving government reporting by
standardizing the way that consolidated or transactional reports are
prepared and used within government agencies and/or published into
the public domain.
(iv) Data Providers
• Specialist data providers that use performance and risk information
published into the market place and create comparisons, ratings and
other value-added information products for other market participants.
(v) Analysts and Investors
• Analysts that need to understand relative risk and performance.
• Investors that need to compare potential investments and understand
the underlying performance of existing investments.
(vi) Accountants
• Accountants use XBRL in support of clients reporting requirements
and are often involved in the preparation of XBRL reports.
V. Important features of XBRL
♦ Clear Definitions: XBRL allows the creation of reusable, authoritative
definitions, called taxonomies that capture the meaning contained in all the
reporting terms used in a business report, as well as the relationships
between all the terms. Taxonomies are developed by regulators, accounting
standards setters, government agencies and other groups that need to
clearly define information that needs to be reported upon. XBRL doesn’t
limit what kind of information is defined: it’s a language that can be used
and extended as needed.
♦ Testable Business Rules: XBRL allows the creation of business rules that
constrain what can be reported. Business rules can be logical, mathematical,
or both, and can be used, for example, to:
• stop poor-quality information being sent to a regulator or third party,
by being run by the preparer while the report is in draft.
• stop poor-quality information being accepted by a regulator or third
party, by being run at the point that the information is received.
Business reports that fail critical rules can be bounced back to the
preparer for review and resubmission.
• flag or highlight questionable information, allowing prompt
follow-up, correction or explanation.
• create ratios, aggregations and other kinds of value-added
information, based on the fundamental data provided.
♦ Multi-lingual Support: XBRL allows concept definitions to be prepared in
as many languages as necessary. Translations of definitions can also be
added by third parties. This means that it is possible to display a range of
reports in a different language from the one they were prepared in,
without any additional work. The XBRL community makes extensive use of
this capability as it can automatically open up reports to different
communities.
♦ Strong Software Support: XBRL is supported by a very wide range of
software from large and small vendors, allowing a very wide range of
stakeholders to work with the standard.
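As an added illustration of the tagging described in Section III and of the testable business rules described above (this script is not part of the ICAI text, and the taxonomy, entity identifier and figures in it are made up for the example): the Python script below parses a small, constructed XBRL instance, recovers each fact's concept, context (entity and period) and unit, and then runs the kind of rules a preparer or a regulator would apply. The structural rule is that every fact must refer to a declared context and unit; the arithmetic rule is that Assets must equal Liabilities plus Equity for each context and unit. The xbrli and iso4217 namespaces are the real XBRL 2.1 ones; the ex: taxonomy namespace, the registrar scheme and the entity identifier are placeholders.

```python
"""Parse a minimal XBRL instance and run business rules over its facts.

Added example: the instance below is constructed for illustration and is
not a real filing; the "ex" taxonomy namespace is a placeholder.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict
from decimal import Decimal

# Namespaces defined by the XBRL 2.1 specification.
XBRLI = "http://www.xbrl.org/2003/instance"
ISO4217 = "http://www.xbrl.org/2003/iso4217"
# Hypothetical taxonomy namespace (assumption, not a published taxonomy).
TAX = "http://example.com/taxonomy"
NS = {"xbrli": XBRLI}

# Constructed sample: one entity, one instant, balance sheet totals in INR.
SAMPLE_INSTANCE = f"""<xbrli:xbrl xmlns:xbrli="{XBRLI}" xmlns:iso4217="{ISO4217}" xmlns:ex="{TAX}">
  <xbrli:context id="FY2023">
    <xbrli:entity>
      <xbrli:identifier scheme="http://example.com/registrar">ENTITY-0001</xbrli:identifier>
    </xbrli:entity>
    <xbrli:period><xbrli:instant>2023-03-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <xbrli:unit id="INR"><xbrli:measure>iso4217:INR</xbrli:measure></xbrli:unit>
  <ex:Assets contextRef="FY2023" unitRef="INR" decimals="0">1500000</ex:Assets>
  <ex:Liabilities contextRef="FY2023" unitRef="INR" decimals="0">900000</ex:Liabilities>
  <ex:Equity contextRef="FY2023" unitRef="INR" decimals="0">600000</ex:Equity>
</xbrli:xbrl>
"""

REQUIRED = {"Assets", "Liabilities", "Equity"}


def parse_instance(xml_text):
    """Return (contexts, units, facts) from an XBRL instance document.

    Instances received from outside the organisation should be parsed with a
    hardened parser (e.g. defusedxml); the stdlib parser is used here because
    the input is constructed locally.
    """
    root = ET.fromstring(xml_text)
    contexts = {}
    for ctx in root.findall("xbrli:context", NS):
        ident = ctx.find("xbrli:entity/xbrli:identifier", NS)
        instant = ctx.find("xbrli:period/xbrli:instant", NS)
        contexts[ctx.get("id")] = {
            "entity": ident.text if ident is not None else None,
            "instant": instant.text if instant is not None else None,
        }
    units = {}
    for unit in root.findall("xbrli:unit", NS):
        measure = unit.find("xbrli:measure", NS)
        units[unit.get("id")] = measure.text if measure is not None else None
    facts = []
    for el in root:
        if el.tag.startswith("{" + XBRLI + "}"):
            continue  # context/unit declarations, not reported facts
        facts.append({
            "concept": el.tag.split("}", 1)[1],  # local name of the taxonomy element
            "context": el.get("contextRef"),
            "unit": el.get("unitRef"),
            "value": Decimal(el.text.strip()),
        })
    return contexts, units, facts


def check_rules(contexts, units, facts):
    """Apply structural and arithmetic rules; return a list of failure messages."""
    failures = []
    # Structural rules: every fact must point at a declared context and unit.
    for f in facts:
        if f["context"] not in contexts:
            failures.append(f"{f['concept']}: undeclared contextRef {f['context']!r}")
        if f["unit"] not in units:
            failures.append(f"{f['concept']}: undeclared unitRef {f['unit']!r}")
    # Arithmetic rule, evaluated separately for each (context, unit) pair.
    by_key = defaultdict(dict)
    for f in facts:
        by_key[(f["context"], f["unit"])][f["concept"]] = f["value"]
    for (ctx, unit), vals in by_key.items():
        missing = REQUIRED - set(vals)
        if missing:
            failures.append(f"{ctx}/{unit}: missing {sorted(missing)}")
            continue
        expected = vals["Liabilities"] + vals["Equity"]
        if vals["Assets"] != expected:
            failures.append(
                f"{ctx}/{unit}: Assets {vals['Assets']} != Liabilities + Equity {expected}")
    return failures


def validate(xml_text):
    """Parse then check; an empty list means the instance passes every rule."""
    return check_rules(*parse_instance(xml_text))


if __name__ == "__main__":
    print(validate(SAMPLE_INSTANCE) or "instance passes all rules")
    # The same instance with a wrong Assets total is bounced back with a reason.
    print(validate(SAMPLE_INSTANCE.replace(">1500000<", ">1400000<")))
```

Run by the preparer while the report is in draft, a non-empty result is the list of things to fix before filing; run by a regulator at the point of receipt, it is the reason the report is bounced back. Because an XBRL instance is XML, a receiving system that accepts filings from the public inherits XML's entity-expansion and external-entity risks, so it should parse with a hardened parser rather than the default stdlib one used here for local, constructed input.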

2.10 APPLICABLE REGULATORY AND COMPLIANCE REQUIREMENTS
2.10.1 What is Regulatory Compliance?
In general, Compliance means conforming to a rule, such as a specification,
policy, standard or law. Regulatory Compliance describes the goal that
organizations aspire to achieve in their efforts to ensure that they are aware of
and take steps to comply with relevant laws, policies, and regulations. Due to the
increasing number of regulations and need for operational transparency,
organizations are increasingly adopting the use of consolidated and harmonized
sets of compliance controls. This approach is used to ensure that all necessary
governance requirements can be met without the unnecessary duplication of
effort and activity from resources.
Regulatory compliance is an organization’s adherence to laws, regulations,
guidelines and specifications relevant to its business. Violations of regulatory
requirements often result in legal consequences, including interest, penalties
and, in some cases, prosecution.
Broadly, we can classify compliance and regulatory requirements into two types,
as under:
a. General – applicable to all entities, irrespective of the nature of their business.
b. Specific – applicable to specific types of businesses only.
Example 2.11: Income Tax compliance is applicable to all, subject to the basic
exemption limit. But compliance regarding GST, Labour Law, Company Law, etc.
is applicable to specific types of businesses / entities only.
2.10.2 Regulatory Compliance and Accounting Systems
Regulatory compliance and accounting systems are closely connected with each
other. Most regulatory compliance requires accounting data, and accounting
data comes from accounting systems; e.g. Income tax returns are prepared based
on accounting data only. There are two approaches to making compliances that
require accounting data:
a. Using the same software for accounting and tax compliance; and
b. Using different software for accounting and tax compliance.
Software is needed for tax compliance as almost all tax compliance today is
through electronic mode only. If separate software is used for accounting and tax
compliance, the data must be put into the tax compliance software either manually
or electronically. There are pros and cons to both approaches, as discussed
in Table 2.10.1.
Table 2.10.1: Pros and Cons of having single software for Accounting and Tax Compliance

1. Ease of software operation
Accounting & Tax Compliance Software: Less – as this is an integrated system of accounting and tax compliance, everything is connected with everything else, and making changes at one place may affect other aspects also.
Only Tax Compliance Software: More – as this is used only for one single purpose, i.e. tax compliance, it is less complicated and bound to be easy.

2. Features and facilities
Accounting & Tax Compliance Software: Less – as this system is not an exclusive system for tax compliance, it may have limited features for tax compliance.
Only Tax Compliance Software: More – as this is an exclusive and specifically designed system for tax compliance, naturally more features and facilities shall exist in this system.

3. Time and efforts required
Accounting & Tax Compliance Software: Less – as this is an integrated system, the time required to transfer data to compliance software is zero.
Only Tax Compliance Software: More – as this is separate software, data from the accounting software need to be put into it for preparation of returns. This may take extra time and effort.

4. Accuracy
Accounting & Tax Compliance Software: More – as this is an integrated system, accounting data and tax compliance data shall always be the same. There is no need to transfer data to compliance software and reconcile the data.
Only Tax Compliance Software: Less – as there are two separate systems, reconciliation with accounting data is needed, and the possibility of a mismatch of data is always there.

5. Cost
Accounting & Tax Compliance Software: More – if the tax compliance feature is not available in the accounting system, getting it customized may require some cost, which may be higher than buying separate software.
Only Tax Compliance Software: Less – as this is specific-purpose software, there shall be fewer complications and the cost also shall be less.
ILLUSTRATION 2.1
XYZ, a leading publication house of Delhi, was facing many issues like delay in
completing the orders of its customers, manual processing of data, increased lead
time, inefficient business processes etc. Hence, the top management of XYZ
decided to get SAP, an ERP system, implemented in the publication house.
Using a proper method of vendor selection, Digisolution Pvt. Ltd. was selected
to implement SAP software in XYZ publication house. To implement the software,
the IT team of Digisolution Pvt. Ltd. visited XYZ’s office a number of times and met
its various officials to gather and understand their requirements. With due
diligence, the SAP software was customized and well implemented in the
publishing house.
After the SAP implementation, the overall system became integrated and well
connected across departments. This raised a concern in the minds of a few
employees of XYZ about their job security, leading some of them to quit.
The top management of XYZ showed its concern on this issue and wanted to
retain these employees.
Answer the following questions:
1. Imagine that you are a core team member of Digisolution Pvt. Ltd. While
customizing the Sales and Distribution Module of SAP software, you need to
know the correct sequence of all the activities involved in the module.
Identify the option that reflects the correct sequence of the
activities.
(i) Material Delivery
(ii) Billing
(iii) Pre-Sales Activities
(iv) Sales Order
(v) Payments
(vi) Inventory Sourcing
Choose the correct sequence from the following:
(a) (i) – (iii) – (ii) – (iv) – (v) – (vi)
(b) (ii) – (iv) – (vi) – (iii) – (i) – (v)
(c) (iii) – (iv) – (vi) – (i) – (ii) – (v)
(d) (iv) – (i) – (iii) – (v) – (ii) – (vi)
2. In view of the above situation, which of the following controls can help the
management of XYZ publishing house retain its employees and stop them
from leaving the company?
(a) Training can be imparted to employees by skilled consultant.
(b) Allocation of employees to task matching their skill set, fixing of
compensation package.
(c) Management should stop the implementation of ERP.
(d) Backup arrangement is required.
3. The SAP software was successfully implemented by XYZ publication house
after overcoming many challenges. The risk associated with “Patches and
upgrades not installed and the tools being underutilized” belongs to
__________ risk.
(a) Technological
(b) Implementation
(c) People
(d) Process
SOLUTION
Question No. 1: (c) (iii) – (iv) – (vi) – (i) – (ii) – (v)
Question No. 2: (b) Allocation of employees to tasks matching their skill set, fixing of compensation package
Question No. 3: (a) Technological

ILLUSTRATION 2.2
Unique Services, a well-established firm of Chartered Accountants with nine branches
at different locations in Delhi, deals in accounting, auditing and taxation assignments
like return filing, corporate taxation and planning, company formation, registration
of foreign companies etc. The firm has its own ERP software. The firm decided to
take up Real Estate Regulatory Authority (RERA) registration work, which requires
an upgrade of its software. Hence, the principal partner of the firm asked an
associate partner to prepare a list of various clients dealing in construction and
development of flats, commercial properties etc.
The firm’s management took care to select the vendor to upgrade their ERP software,
which will act as an online assistant to its clients, providing them complete details
about registration and filing of various forms and resolving their frequently asked
questions. The firm also wanted a safe and secure working environment for its
employees for filing various forms under the RERA Act on behalf of clients using digital
signatures. The management also instructed its employees to mandatorily use the Digital
Signature of clients for fair practices, and any dishonesty found in this regard may
lead to penal provisions under various Acts, including the IT Act, 2000.
Answer the following questions:
1. In purview of case scenario, Unique Services requires to make changes in its
software for its users for RERA related matters. Identify the part of the
overall software which actually interacts with the users using the software?
(a) Back end
(b) Front end
(c) Middle layer
(d) Reports
2. The firm decided to have an online assistant for its clients to provide
complete details regarding taxation, registration and filing of various forms
and to solve their queries. This is an example of a _________ application.
(a) Installed application
(b) Web Application
(c) Cloud Based Application
(d) Direct Application
3. While filing the tax returns of its client ABC, the firm Unique Services enters the
details of its TDS and GST in the requisite forms. Identify from the following
which type of master data this belongs to.
(a) Accounting Master Data
(b) Inventory Master Data
(c) Statutory Master Data
(d) Payroll master Data
SOLUTION
Question No. 1: (b) Front end
Question No. 2: (c) Cloud Based Application
Question No. 3: (c) Statutory Master Data

SUMMARY
A. Integrated & Non-Integrated System
A central database is the main characteristic of an ERP system. In the case of non-
integrated systems, a separate database is maintained by each department
separately. The central database is accessed by all the departments for their data needs
and for communication with other departments. Processes are defined and followed in
an ERP system. An ERP system contains different modules for different purposes. These
modules are connected to other modules as per requirements. Mismatch of master
data and communication gaps between departments / business units are the two major
problems of non-integrated systems. Data is stored in two parts, master data and
transaction data. Master data is data which is not expected to change
frequently. A voucher in manual accounting is documentary evidence of a
transaction. In the case of software, it is also a place, an input form, where transaction
data is input into the system. Grouping of ledgers is extremely important as reports are
prepared based on grouping only. Software consists of two parts, front end and
back end. The front end is used to interact with the user and the back end is used to
store the data.
B. Business process modules and their integration with financial and
accounting systems
Business process modules are developed according to the needs of specific industries.
Various modules like Financial Accounting, Controlling, Sales and Distribution,
Materials Management, Human Resources etc. are there in an ERP System. These
modules are integrated with other modules depending on the nature of the transaction.
Financial and accounting systems at small and medium levels may or may not have
inventory accounting.
C. Reporting System and MIS, Data Analytics and Business Intelligence
Business reporting or enterprise reporting is the public reporting of operating
and financial data by a business enterprise. With the dramatic expansion of
information technology, and the desire for increased competitiveness in
corporations, there has been an increase in the use of computing power to
produce unified reports which join different views of the enterprise in one place.
High-quality reports also promote better internal decision-making.
D. Business Reporting & Fundamentals of XBRL
XBRL (eXtensible Business Reporting Language) is a freely available and global
standard for exchanging business information. XBRL is used by Government,
Companies, Regulators, Data Providers, Accountants, Analysts and Investors also.
E. Applicable regulatory and compliance requirements
Compliance means conforming to a rule, such as a specification, policy, standard
or law. Regulatory compliance is an organization’s adherence to laws, regulations,
guidelines and specifications relevant to its business. Violations of regulatory
requirements often result in legal consequences, including interest, penalties
and, in some cases, prosecution. There are two types of compliance,
General and Specific.
TEST YOUR KNOWLEDGE
Theoretical Questions
1. As an Auditor, prepare a checklist of the questions that you would ask while
performing an ERP Audit. (Refer Section 2.4)
2. Determine the reasons for the importance of Business Reporting. Identify
the global standard for exchanging business information and discuss it in
detail. (Refer Section 2.9.1 and 2.9.2)
3. An enterprise ABC Ltd. intends to acquire software for Accounting as well as
Tax compliance. Prepare a list of pros and cons of having single software for
Accounting and Tax compliance. (Refer Table 2.10.1)
4. An articled assistant joined an audit firm where he was briefed on the various
steps involved in the Accounting Process Flow. Explain the steps involved in the
process. (Refer Section 2.6.2)
5. The Material Management (MM) Module in ERP systems manages materials
required, processed and produced in enterprises. Discuss the steps involved
in overall purchase process. (Refer Section 2.6.3[B(f)])
6. Explain the term “Business Intelligence” with example. (Refer Section 2.8.3)
7. As a manager of a telecom service provider, you are concerned with the MIS
Report about your department’s customer service calls. Determine the
various criteria that the information in the report should meet so that the
report becomes useful for you. (Refer Section 2.7.2[III])
8. Explain the term “Data Analytics” and recognize its application areas in
today’s world. (Refer Section 2.8)
9. Explain the different ways in which the Regulators can use eXtensible
Business Reporting Language (XBRL) for various purposes.
(Refer Section 2.9.2)
10. Discuss the key features of Controlling Module in an Enterprise Resource
Planning (ERP). (Refer Section 2.6.3[B(b)])
11. Nowadays, many organizations are switching over to ‘Cloud Applications’ as
the organizations do not want to involve themselves in maintenance of their
own IT infrastructure to run their businesses. You, being an IT consultant, list
out some of the advantages and disadvantages of using these Cloud
applications. (Refer Table 2.2.5)
12. Central database is the main feature of an Enterprise Resource Planning
(ERP) System. As the complete data is stored at one place, ensuring safety of
data and minimizing risk of loss of data is a big challenge. As an IT expert,
discuss various risks involved during ERP implementation.
(Refer Table 2.3.1[D])
13. Discuss in brief the following terms:
(a) Regulatory Compliance (Refer Section 2.10.1)
(b) Three tier Architecture of Application Software(Refer Section 2.2.4 [iii])
(c) Role-based Access Control (RBAC) in ERP (Refer Section 2.3.3)
14. Customer Relationship Management (CRM) is a system which aims at
improving relationship with customers. Briefly explain key benefits of CRM
Module of ERP. (Refer Section 2.6.3[B(k)])
15. A business organization is shifting from traditional accounting system to
computerized accounting system. The organization needs to store the data that
is relatively permanent and not expected to change frequently in accounting
system. As a financial expert, suggest the types of data used in computerized
accounting system. (Refer Section 2.2.3)

CHAPTER 3 INFORMATION SYSTEMS AND ITS COMPONENTS

LEARNING OUTCOMES
After reading this chapter, you will be able to -
♦ Comprehend the various components of an Information System and its working.
♦ Appreciate nuances of Application Systems, Operating Systems, Database Systems, Networking and Communication Systems.
♦ Grasp various types of threats and their mitigating controls to minimize the impact.
♦ Understand types of controls and audit aspects of various systems.
♦ Comprehend an organization structure and individual roles and responsibilities.

[Chapter overview diagram: Information Systems (IS)]
♦ Components: People; Computer System (Hardware, Software); Data Resources; Networking and Communication System
♦ Objectives of Controls: Preventive; Detective; Corrective
♦ Controls' Classification: by Nature of IS Resources (Environmental, Physical Access, Logical Access); by IS Functions (Management Control Framework, Application Control Framework)

3.1 INTRODUCTION
Over the past few centuries, the world has moved on from connection amongst
individuals to more of connection amongst systems. We now have systems that are
constantly exchanging information about various things and even about us, many
a times without human intervention. This inter-networking of physical devices,
vehicles, smart devices, embedded electronics, software, sensors or any such device
is often referred to as IoT (Internet of Things).
What is interesting about various emerging technologies is that at its core we have
some key elements, namely, People, Computer Systems (Hardware, Operating
System and other Software), Data Resources, Networking and Communication
System. In this chapter, we are going to explore each of those key elements.

3.2 INFORMATION SYSTEMS


An Information System (IS) is a combination of people, hardware, software,
communication devices, networks and data resources that processes data and
information (by storing, retrieving and transforming it) for a specific purpose.
The system needs inputs from the user (keying in instructions and commands, typing,
scanning), which are then processed (calculating, reporting) using technology
devices such as computers, and produces output (printed reports, displayed
results) that is sent to another user or to another system via a network, with a
feedback method that controls the operation.
The main aim and purpose of each Information System is to convert the data into
information which is useful and meaningful. An Information System depends on
the resources of people (end users and IS specialists), hardware (machines and
media), software (programs and procedures), data (data and knowledge bases), and
networks (communications media and network support) to perform input,
processing, output, storage, and control activities that transform data resources
into information products. The Information System model highlights the
relationships among the components and activities of information systems. It also
provides a framework that emphasizes four major concepts that can be applied to
all types of information systems. An Information System model involves following
steps well depicted in the Fig. 3.2.1:
♦ Input: Data is collected from within an organization or from its external environment
and converted into the format required for processing.
♦ Processing: A process is a series of steps undertaken to achieve a desired
outcome or goal. Information Systems are becoming more and more
integrated with organizational processes, bringing more productivity and
better control to those processes.
♦ Output: The system processes the data by applying the appropriate
procedure to it, and the information thus produced is stored for future use or
communicated to the user.
♦ Storage: Data should be stored at the most detailed level
possible. Regular backups should be stored in geographically separate
locations, so that a major disaster such as a flood or fire cannot affect both
the original data storage and the backup data storage.
[Fig. 3.2.1: Functions of Information Systems]
INPUT (business problems in the form of data, information, instructions, opportunities) → PROCESSING (software, programs, people, communication, equipment) → OUTPUT (solutions to problems in the form of reports, graphics, calculations, voices)
STORAGE (memory for storing and retrieving information) supports processing; FEEDBACK (information, new ideas, expertise, and customer feedback) flows back to the input stage.
Fig. 3.2.1: Functions of Information Systems

♦ Feedback: Apart from these activities, an information system also needs
feedback, which is returned to the appropriate members of the enterprise to help
them evaluate the system at the input stage.
These basic activities of an information system, as defined above, help an
enterprise make decisions, control operations, analyze problems and create
new products or services as output.

3.3 COMPONENTS OF INFORMATION SYSTEMS


With the help of information systems, enterprises and individuals can use computers
to collect, store, process, analyze, and distribute information. There are
different types of information systems, i.e. Manual (paper and pencil) information
systems, Informal (word of mouth) information systems, Formal (written procedures)
information systems and Computer-based information systems. This chapter mainly
focuses on Computer-Based Information Systems. A Computer-based Information
System is a combination of people, IT and business processes that helps
management take the important decisions needed to carry out the business successfully.
Information Systems are networks of hardware and software that people and
organizations use to create, collect, filter, process, transform and distribute data.
Information Systems are interrelated components working together to collect,
process, store and disseminate information to support decision-making,
coordination, control, analysis and visualization in an organization. An Information
System comprises People, Hardware, Software, Data and a Network for
communication support, as shown in Fig. 3.3.1.
Here, people means all those who operate, manage, maintain and use the system,
i.e. system administrators, IS personnel, programmers and end users, the persons
who use the hardware and software for retrieving the desired information. The
hardware means the physical components of the computers, i.e. servers or smart
terminals with different configurations like Core i3/i5/i7/i9 processors
etc., and software means the system software (operating systems), application
software (different types of computer programs designed to perform specific tasks)
and utility software (e.g. tools). The data is the raw fact which is input to the system.
It may be alphanumeric, text, image, video, audio, or other forms. The network
means the communication media (Internet, Intranet, Extranet etc.).

Fig. 3.3.1: Components of Information Systems


3.3.1 People Resources
While thinking about Information Systems, it is easy to get too focused on the
technological components and forget that we must look beyond these tools at the
whole picture and try to understand how technology integrates into an
organization. A focus on the people involved in Information Systems is the next step.
From the helpdesk to the system programmers all the way up to the Chief Executive
Officer (CEO), all of them are essential elements of the information system. People
are the most important element in most Computer-based Information Systems. The
people involved include users of the system and information systems personnel,
i.e. all the people who manage, run, program, and maintain the system.
In the ever-changing world, innovation is the only key, which can sustain long-run
growth. More and more firms are realizing the importance of innovation to gain
competitive advantage. Accordingly, they are engaging themselves in various
innovative activities. Understanding these layers of information system helps any
enterprise grapple with the problems it is facing and innovate to perhaps reduce total
cost of production, increase income avenues and increase efficiency of systems.
3.3.2 Computer System – Hardware and Software
Computer System is considered as a combination of Hardware and Software well
depicted in Fig. 3.3.2.

Fig. 3.3.2: Components of Computer System


We shall now discuss these components and their sub-parts in detail.
I. Hardware
Hardware is the tangible portion of our computer systems; something we can
touch and see i.e. the physical components of technology. It basically consists of
devices that perform the functions of input, processing, data storage and output
activities of the computer. Computers, keyboards, hard drives, iPads and flash
drives are all examples of Information Systems’ hardware.
(i) Input Devices are devices through which we interact with the system and
include devices like the Keyboard for text-based input; Mouse, Joysticks, Light pens
and other pointing devices for position-based input; Scanners, Bar Code readers, MICR
readers, Webcams and Stylus/touch screen for image-based input; and the Microphone for
audio-based input.
(ii) Processing devices are used to process data using program instructions,
manipulate functions, perform calculations, and control other hardware devices.
Examples include Central Processing Unit (CPU), Mother board, Network Card,
Sound Card etc.
The most common device is the CPU, which is the actual hardware that interprets and
executes the program (software) instructions and coordinates how all the other
hardware devices work together. It is like the brain of the computer and is built
on a small chip of silicon containing the equivalent of several million transistors.
We can think of transistors as switches which can be “ON” or “OFF”, i.e. taking a
value of 1 or 0. It consists of the following three functional units:
• Control Unit (CU): The CU controls the flow of data and instructions to and from
memory, interprets the instructions and controls which tasks to execute and when.
• Arithmetic and Logical Unit (ALU): It performs arithmetic operations such
as addition, subtraction, multiplication, and logical comparison of numbers:
Equal to, Greater than, Less than, etc.
• Processor Registers: Registers are the part of the computer processor used
to hold a computer instruction, a storage address, or any kind of data on which
a mathematical operation is performed. These are high speed, very small memory
units within the CPU for storing small amounts of data (mostly 32 or 64 bits).
Registers could be accumulators (for keeping running totals of arithmetic
values), address registers (for storing memory addresses of instructions),
storage registers (for storing data temporarily) and miscellaneous registers
(used for several general purpose functions).
(iii) Data Storage Devices refers to the memory where data and programs are
stored. Various types of memory are depicted in Fig. 3.3.3.

Fig. 3.3.3: Types of Memory

(a) Primary/Main Memory: Also known as Main Memory or Internal Memory, it
is directly accessed by the processor using the data bus. It may be volatile or
non-volatile in nature, and being small in storage capacity, it cannot be used
to store data on a permanent basis. Primary memory is mainly of two types,
Random Access Memory (RAM) and Read Only Memory (ROM), the
differences between which are provided below in Table 3.3.1.
Table 3.3.1: RAM vs ROM

Data Retention
  RAM: Volatile in nature, which means information is lost as soon as power is turned off.
  ROM: Non-volatile in nature (contents remain intact even in absence of power).
Persistence
  RAM: The purpose is to hold program and data while they are in use.
  ROM: These are used to store small amounts of information that is rarely changed during the life of the system, for quick reference by the CPU. For example, the Basic Input/Output System (BIOS).
Information Access
  RAM: Information can be read as well as modified.
  ROM: Information can be read only and not modified.
Storage
  RAM: These are responsible for storing the instructions and data that the computer is using at that present moment; that is why it is a Temporary memory.
  ROM: These are generally used by manufacturers to store data and programs like translators that are used repeatedly; that is why it is a Permanent memory.
Impact
  RAM: Volatile memory such as RAM has high impact on system's performance.
  ROM: Non-volatile memory has no impact on system's performance.
Cost
  RAM: Volatile memory is costly per unit size.
  ROM: Non-volatile memory is cheap per unit size.
Speed
  RAM: RAM speed is quite high.
  ROM: ROM speed is slower than RAM.
Capacity
  RAM: RAM memory is large and of high capacity.
  ROM: ROM is generally small and of low capacity.

To bridge the huge difference in speed between the Registers and Primary
memory, Cache Memory is introduced.
Cache memory is a smaller, extremely fast memory type built into a
computer’s Central Processing Unit (CPU) that acts as a buffer
between RAM and the CPU. Cache Memory stores copies of the data from the
most frequently used main memory locations so that the CPU can access it more
rapidly than main memory.
The differences between Processor Registers and Cache Memory are provided
below in Table 3.3.2.
Table 3.3.2: Processor Registers vs Cache Memory

Processor Registers: These are high speed memory units within the CPU for storing small amounts of data (mostly 32 or 64 bits).
Cache Memory: It is fast memory built into a computer’s CPU and is used to reduce the average time to access data from the main memory. The data that is stored within a cache might be values that have been computed earlier or duplicates of original values that are stored elsewhere.

Processor Registers: The registers are the only Memory Units most processors can operate on directly.
Cache Memory: Cache memory is an interface between the CPU and Main storage. It is not directly accessible for operations.
(b) Secondary Memory: Secondary memory devices are non-volatile, have
greater capacity (they are available in large sizes), greater economy (their cost
is lower compared to registers and RAM) and slow speed (slower in
speed compared to registers or primary storage). Examples include Hard disk,
Pen drive, Memory card etc. Table 3.3.3 provides the key differences between
Primary Memory and Secondary Memory.
Table 3.3.3: Primary Memory vs Secondary Memory

Basic
  Primary/Main Memory: Primary memory is directly accessible by the Processor/CPU.
  Secondary Memory: Secondary memory is not directly accessible by the CPU.
Data
  Primary/Main Memory: Instructions or data to be currently executed are copied to main memory.
  Secondary Memory: Data to be permanently stored is kept in secondary memory.
Volatility
  Primary/Main Memory: Primary memory is usually volatile.
  Secondary Memory: Secondary memory is non-volatile.
Formation
  Primary/Main Memory: Primary memories are made of semiconductors.
  Secondary Memory: Secondary memories are made of magnetic and optical material.
Access Speed
  Primary/Main Memory: Accessing data from primary memory is faster.
  Secondary Memory: Accessing data from secondary memory is slower.
Access
  Primary/Main Memory: Primary memory is accessed by the data bus.
  Secondary Memory: Secondary memory is accessed by input-output channels.
Size
  Primary/Main Memory: The computer has a small primary memory.
  Secondary Memory: The computer has a larger secondary memory.
Expense
  Primary/Main Memory: Primary memory is costlier than secondary memory.
  Secondary Memory: Secondary memory is cheaper than primary memory.
Memory
  Primary/Main Memory: Primary memory is an internal memory.
  Secondary Memory: Secondary memory is an external memory.

With respect to CPU, the memory is organized as follows (as shown in the Fig.
3.3.4):
• Registers that have small capacity, high cost, very high speed are placed
inside the CPU.
• Cache memory is placed next in the hierarchy followed by Primary
memory.
• Secondary memory is the farthest from CPU (large capacity, low cost,
low speed).

Processor Registers -> Cache Memory -> Primary Memory -> Secondary Memory

Fig. 3.3.4: Computer Memory hierarchy

(iv) Output Devices: Computer systems provide output to decision makers at all
levels in an enterprise to solve business problems; the desired output may be in
visual, audio or digital forms. Output devices are the devices through which the system
responds. Among visual output devices, a display device visually conveys text,
graphics, and video information. Information shown on a display device is called
soft copy because the information exists electronically and is displayed for a
temporary period. Display devices include CRT monitors, LCD monitors and
displays, gas plasma monitors, and televisions. The types of output are textual,
graphical, tactile, audio, and video:
• Textual output comprises of characters that are used to create words,
sentences, and paragraphs.
• Graphical outputs are digital representations of non-text information such as
drawings, charts, photographs, and animation.
• Tactile output such as raised line drawings may be useful for some individuals
who are blind.
• Audio output is any music, speech, or any other sound.
• Video output consists of images played back at speeds to provide the
appearance of full motion.
Most common examples of output devices are Speakers, Headphones, Screen
(Monitor), Printer, Voice output communication aid, Automotive navigation system,
Video, Plotter, Wireless etc.
II. Software
Software is defined as a set of instructions that tell the hardware what to do.
Software is not tangible; it cannot be touched. Software is created through the
process of programming. When programmers create software, what they are really
doing is simply typing out lists of instructions that tell the hardware what to
execute. Without software, the hardware would not be functional. Software can be
broadly divided into two categories: Operating System Software and Application
Software as shown in the Fig. 3.3.2.
(a) Operating System Software
An Operating System (OS) is a set of computer programs that manages computer
hardware resources and acts as an interface with computer applications programs.
The operating system is a vital component of the system software in a computer
system. Operating systems make the hardware usable and manage them by
creating an interface between the hardware and the user. Application programs
usually require an operating system to function that provides a convenient
environment to users for executing their programs. Computer hardware with an
operating system can thus be viewed as an extended machine, which is more
powerful and easier to use. Some prominent Operating systems used nowadays are
Windows 7, Windows 8, Mac OS, Linux, UNIX, etc.
All computing devices run on an operating system. For personal computers, the
most popular operating systems are Microsoft’s Windows, Apple’s OS X, and
different versions of Linux. Smart phones and tablets run on operating systems as
well, such as Apple’s iOS, Google Android, Microsoft’s Windows Phone OS, and
Research in Motion’s Blackberry OS.
A variety of activities are executed by Operating systems which include:
♦ Performing hardware functions: The Operating System acts as an intermediary
between the application program and the hardware by obtaining input from the
keyboard, retrieving data from disk and displaying output on monitors.
♦ User Interfaces: Nowadays, Operating Systems are Graphic User Interface
(GUI) based which uses icons and menus like in the case of Windows. GUI
objects include icons, cursors, and buttons that change color, size, or visibility
when the user interacts with them. A GUI displays objects that convey
information and represent actions that can be taken by the user.
♦ Hardware Independence: Every computer could have different
specifications and configurations of hardware. Operating System provides
Application Program Interfaces (API), which can be used by application
developers to create application software independent of the hardware
configuration of their system, thus obviating the need to understand the inner
workings of OS and hardware. Thus, OS provides hardware independence.
♦ Memory Management: Operating System allows controlling how memory is
accessed and maximizes available memory and storage. Operating System
also provides Virtual Memory by carving an area of hard disk to supplement
the functional memory capacity of RAM. Virtual Memory is an imaginary
memory area supported by some operating systems (for example, Windows)
that combines computer’s RAM with temporary space on the hard disk. If a
computer lacks in required size of RAM needed to run a program or
operation, Windows uses virtual memory to move data from RAM to a space
called a paging file. Moving data to and from the paging file frees up RAM to
complete its work. Thus, Virtual memory is an allocation of hard disk space to
help RAM.

♦ Task Management: This facilitates users to do Multitasking, i.e. to work with
more than one application at a time, and Time sharing, i.e. allowing more
than one user to use the system. For example, playing MP4 music, surfing the
internet through Google Chrome and working in an MS Word document
simultaneously is a perfect example of Multitasking. Time-sharing is a
technique which enables many users, through various terminals, to use a
particular computer system at the same time. In this, the processor’s time is
shared among multiple users simultaneously.
♦ Networking Capability: Operating systems can provide systems with
features and capabilities to help connect to different computer networks. For example,
Linux and Windows 10 give the user an excellent capability to connect to the internet.
♦ Logical Access Security: Operating systems provide logical security by
establishing a procedure for identification and authentication using a User ID
and Password. They can log user access, thereby providing a security control.
♦ File management: The operating system keeps track of where each file is
stored and who can access it, based on which it provides file retrieval.
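As an added illustration of the Logical Access Security control described above (example code, not from the textbook), the following Python shows the three pieces the text names: identification by User ID, authentication by password, and an access log. The user store, user IDs and passwords are constructed for the example, and passwords are held only as salted PBKDF2 hashes.

```python
"""Logical access security: identification, authentication and access logging.
Added example, not from the textbook; the user store and credentials are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timezone

_ITERATIONS = 200_000  # PBKDF2 work factor; slows down offline guessing of a stolen hash


def _hash_password(password: str, salt: bytes) -> bytes:
    # The OS never stores the password itself, only a salted hash of it.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def create_user(store: dict, user_id: str, password: str) -> None:
    """Register a User ID (identification record) with its credential (salt, hash)."""
    salt = os.urandom(16)
    store[user_id] = (salt, _hash_password(password, salt))


def authenticate(store: dict, log: list, user_id: str, password: str) -> bool:
    """Identification (is the User ID known?) then authentication (does the password
    match?). Every attempt, successful or not, is written to the access log, which is
    the 'logging the user access' control the section describes."""
    entry = {"time": datetime.now(timezone.utc).isoformat(), "user_id": user_id}
    record = store.get(user_id)
    if record is None:
        # Unknown ID: do a dummy hash so response time does not reveal which IDs exist.
        _hash_password(password, b"\x00" * 16)
        entry["result"] = "FAIL unknown user"
        log.append(entry)
        return False
    salt, expected = record
    # Constant-time comparison so the check itself leaks nothing about the stored hash.
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    entry["result"] = "SUCCESS" if ok else "FAIL bad password"
    log.append(entry)
    return ok


def failed_attempts(log: list, user_id: str) -> int:
    """Detective use of the access log: count failed logons recorded for one User ID."""
    return sum(1 for e in log if e["user_id"] == user_id and e["result"].startswith("FAIL"))


if __name__ == "__main__":
    users, access_log = {}, []
    create_user(users, "clerk01", "correct horse battery staple")   # constructed user
    print(authenticate(users, access_log, "clerk01", "wrong password"))               # False
    print(authenticate(users, access_log, "clerk01", "correct horse battery staple"))  # True
    print(authenticate(users, access_log, "nobody", "anything"))                      # False
    for e in access_log:
        print(e)
```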
(b) Application Software
Example 3.1: Consider the following examples:
• As the personal computer proliferated inside organizations, control over the
information generated by the organization began splintering. Say the
customer service department creates a customer database to keep track of
calls and problem reports, and the sales department also creates a database
to keep track of customer information. Which one should be used as the
master list of customers?
• As another example, someone in sales might create a spreadsheet to calculate
sales revenue, while someone in finance creates a different one that meets
the needs of their department. However, it is likely that the two spreadsheets
will come up with different totals for revenue. Which one is correct? And who
is managing all this information?
To resolve these issues, various specific purpose applications were created.

Application Software is the category of programs that do some useful processing
or task for the user. This includes all the computer software that causes a computer
to perform useful tasks beyond the running of the computer itself. It is a collection
of programs which address a real-life problem of its end users, which may be a
business or scientific or any other problem. Application Suites like MS Office 2010,
which has MS Word, MS Excel, MS Access, etc.; Enterprise Software like SAP; and
Content Access Software like Media Players, Adobe Digital etc. are some examples
of Application Software.

3.3.3 Data Resources


You can think of data as a collection of facts. For example, your street address,
the city you live in, a new phone number are all pieces of data. Like software, data
is also intangible. By themselves, pieces of data are not very useful. But aggregated,
indexed and organized together into a database, data can become a powerful tool
for businesses. For years, business houses have been gathering information with
regard to customers, suppliers, business partners, markets, cost and price
movement and so on. After collecting information for years, companies have
now started analyzing this information and creating important insights out of data.
Data is now helping companies to create strategy for the future. This is precisely the
reason why we have started hearing a lot about data analytics in the past few years.
♦ Data: Data, plural of Datum, are the raw bits and pieces of information with no
context that can either be quantitative or qualitative. Quantitative data is
numeric, the result of a measurement, count, or some other mathematical
calculation. Qualitative data is descriptive. “Ruby Red,” the color of a 2013 Ford
Focus, is an example of qualitative data. By itself, data is not that useful. For it to
be useful, it needs to be given context. For example, “15, 23, 14, and 85” by
themselves are data; if they are the numbers of students that had registered for
upcoming classes, that would be information. Once we have put our data into
context and have aggregated and analyzed it, we can use it to make decisions for
our organization.
♦ Database: A set of logically inter-related organized collection of data is
referred as Database. They store both operational data (produced by an
organization's day to day operations) and non-operational data (used for
education, research etc.). The goal of many Information Systems is to
transform data into information to generate knowledge that can be used for
decision making. To do this, the system must be able to take data, put the
data into context and provide tools for aggregation and analysis.

♦ Database Management Systems (DBMS): A DBMS may be defined as
software that aids in organizing, controlling, and using the data needed by
application programs. They provide the facility to create and maintain a well-
organized database. These systems are primarily used to develop and analyze
single-user databases and are not meant to be shared across a network or the
Internet, but are instead installed on a device and work with a single user at a
time. Various operations that can be performed on these files include adding
new files to the database, deleting existing files from the database, inserting data in
existing files, modifying data in existing files, deleting data in existing files,
and retrieving or querying data from existing files. DBMS packages generally
provide an interface to view and change the design of the database, create
queries, and develop reports. Commercially available Database Management
Systems are Oracle, MySQL, SQL Server and DB2 etc., whereas Microsoft
Access and Open Office Base are examples of personal DBMS.
Advantages of DBMS
♦ Permitting Data Sharing: One of the major advantages of a DBMS is that the
same information can be made available to different users.
♦ Minimizing Data Redundancy: In a DBMS, duplication of information or
redundancy is, if not eliminated, carefully controlled or reduced, i.e. there is no
need to repeat the same data repeatedly. Minimizing redundancy significantly
reduces the cost of storing information on storage devices.
♦ Integrity can be maintained: Data integrity is maintained by having accurate,
consistent, and up-to-date data. Updates and changes to the data need to be
made in only one place in a DBMS, ensuring integrity.
♦ Program and File consistency: Using a DBMS, file formats and programs are
standardized. The level of consistency across files and programs makes it easier
to manage data when multiple programmers are involved as the same rules and
guidelines apply across all types of data.
♦ User-friendly: DBMS makes the data access and manipulation easier for the
user. DBMS also reduces the reliance of users on computer experts to meet
their data needs.
♦ Improved security: DBMS allows multiple users to access the same data
resources in a controlled manner by defining the security constraints. Some
sources of information should be protected or secured and only viewed by
select individuals. Using passwords, DBMS can be used to restrict data access
to only those who should see it. Security will only be improved in a database
when appropriate access privileges are allotted to prohibit unauthorized
modification of data.
♦ Achieving program/data independence: In a DBMS, data does not reside in
applications; the database program and the data are independent of each other.
♦ Faster Application Development: When a DBMS is deployed,
application development becomes fast. The data is already there in the database,
so the application developer must think only of the logic required to retrieve the
data in the way a user needs.
Disadvantages of DBMS
♦ Cost: Implementing a DBMS in terms of both system and user-training can
be expensive and time-consuming, especially in large enterprises. Training
requirements alone can be quite costly.
♦ Security: Even with safeguards in place, it may be possible for some
unauthorized users to access the database. If one gets access to database,
then it could be an all or nothing proposition.
3.3.4 Networking and Communication Systems
In today’s high-speed world, we cannot imagine an information system without an
effective and efficient communication system, which is a valuable resource which
helps in good management. Telecommunication networks give an organization the
capability to move information rapidly between distant locations and to provide
the ability for the employees, customers, and suppliers to collaborate from
anywhere, combined with the capability to bring processing power to the point of the
application. All of this offers a firm important opportunities to restructure its business
processes and to capture highly competitive ground in the marketplace. Through
telecommunications, this value may be:
(i) an increase in the efficiency of operations;
(ii) improvements in the effectiveness of management; and
(iii) innovations in the marketplace.
A network is a group of devices connected to each other, and a Computer Network
is a collection of computers and other hardware interconnected by communication
channels that allow sharing of resources and information. Where at least one
process in one device can send/receive data to/from at least one process residing
in a remote device, the two devices are said to be in a network.
Network and Communication System: These consist of both physical devices and
software that links the various pieces of hardware and transfers the data from one
physical location to another. Computers and communications equipment can be
connected in networks for sharing voice, data, images, sound and video. A network
links two or more computers to share data or resources such as a printer.

Every enterprise needs to manage its information in an appropriate and desired
manner. For this, an enterprise must know its information needs; acquire that
information and organize it in a meaningful way, assure information quality and
provide software tools so that users in the enterprise can access the information
that they require.
Each component, e.g. a computer, in a computer network is called a ‘Node’.
Computer networks are used for exchange of data among different computers and
to share resources like CPU, I/O devices, storage, etc. without much of an
impact on individual systems. In the real world, we see numerous networks like
Telephone/mobile networks, postal networks etc. If we look at these systems, we
can see that a network could be of two types:
♦ Connection Oriented networks: Wherein a connection is first established
between the sender and the receiver and then data is exchanged, as
happens in the case of telephone networks.
♦ Connectionless Networks: Where no prior connection is made before data
is exchanged. The data being exchanged in fact carries the complete contact
information of the recipient, and at each intermediate destination it is decided
how to proceed further, as happens in the case of postal networks.
These real-world networks have helped model computer networks. Each of these
networks is modeled to address the following basic issues:
♦ Routing: It refers to the process of deciding on how to communicate the data
from source to destination in a network. In this, data is transferred in the form
of data packets using an Internet Protocol or IP address.
♦ Bandwidth: It refers to the amount of data which can be sent across a
network in a given time. The lower the bandwidth, the less data is transferred
and the slower a website loads.
♦ Contention: It refers to the situation that arises when there is a conflict for
some common resource in a network. For example, network contention could
arise when two or more computer systems try to communicate at the same
time.
♦ Resilience: It refers to the ability of a network to recover from any kind of
error like connection failure, loss of data etc.
The following are the important benefits of a computer network:
♦ Distributed nature of information: There would be many situations where
information must be distributed geographically. For example, in the case of a
Banking Company, accounting information of various customers could be
distributed across various branches, but to make the Consolidated Balance Sheet
at the year-end, it would need networking to access information from all its
branches.
♦ Resource Sharing: Data could be stored at a central location and can be
shared across different systems. Even resource sharing could be in terms of
sharing peripherals like printers, which are normally shared by many systems.
For example- In the case of a Core Banking System, Bank data is stored at a
Central Data Centre and could be accessed by all branches as well as ATMs.
♦ Computational Power: The computational power of most of the applications
would increase drastically through load balancing when the processing is
distributed amongst computer systems. For example: processing in an ATM
machine in a bank is distributed between ATM machine and the central
Computer System in a Bank, thus reducing load on both.
♦ Reliability: Many critical applications should be available 24x7, if such
applications are run across different systems which are distributed across
network, then the reliability of the applications would be high. For example-
In a city, there could be multiple ATM machines so that if one ATM fails, one
could withdraw money from another ATM.
♦ User communication: Networks allow users to communicate using e-mail,
newsgroups, video conferencing, etc.
Telecommunications may provide these values through the following impacts:
(a) Time compression: Telecommunications enable a firm to transmit raw data
and information quickly and accurately between remote sites.
(b) Overcoming geographical dispersion: Telecommunications enable an
organization with geographically remote sites to function, to a degree, as
though these sites were a single unit. The firm can then reap benefits of scale
and scope which would otherwise be unobtainable.
(c) Restructuring business relationships: Telecommunications make it possible
to create systems which restructure the interactions of people within a firm
as well as a firm’s relationships with its customers. Operational efficiency may
be raised by eliminating intermediaries from various business processes.

3.4 INFORMATION SYSTEMS’ CONTROLS


The increasing use of Information Technology in organizations has made it
imperative that appropriate information systems are implemented in an
organization. IT should cover all key aspects of business processes of an enterprise
and should have an impact on its strategic and competitive advantage for its
success. The enterprise strategy outlines the approach it wishes to formulate, with
relevant policies and procedures, to achieve business objectives. The basic purpose
of information system controls in an organization is to ensure that the business
objectives are achieved, and that undesired risk events are prevented, detected and
corrected. This is achieved by designing an effective information control
framework which comprises policies, procedures, practices, and organization
structure that gives reasonable assurance that the business objectives will be
achieved.
Whenever a threat exploits a vulnerability, it gives rise to a risk. Risk can
never be completely eliminated, but only mitigated, as there is always a component
of inherent risk. Some of the critical control weaknesses that may exist in a computerized
environment are as follows:
♦ Lack of management understanding of IS risks and related controls;
♦ Absence of, or inadequate, IS control framework;
♦ Absence of, or weak, general controls and IS controls;
♦ Lack of awareness and knowledge of IS risks and controls amongst the
business users and even IT staff;
♦ Complexity of implementation of controls in distributed computing
environments and extended enterprises;
♦ Lack of control features or their implementation in highly technology driven
environments; and
♦ Inappropriate technology implementations or inadequate security
functionality in technologies implemented.
Internal controls can be classified into various categories to illustrate the interaction
of various groups in the enterprise and their effect on information systems on
different basis. Refer Fig. 3.4.1:

Fig. 3.4.1: Classification of IS Controls. The figure groups controls on three
bases: by Objective of Controls (Preventive Control, Detective Control, Corrective
Control); by Nature of Information System Resources (Environmental Control,
Physical Access Control, Logical Access Control); and by Information Systems
Functions (Management Control Framework, Application Control Framework).

3.4.1 Classification based on “Objective of Controls”
The controls as per the time that they act, relative to a security incident can be
classified as under:
(A) Preventive Controls: These controls prevent errors, omissions, or security
and malicious incidents from occurring. They are basically proactive in nature.
Examples include simple data-entry edits that block alphabetic characters
from being entered in numeric fields, access controls that protect sensitive
data/ system resources from unauthorized people, and complex and dynamic
technical controls such as anti-virus software, firewalls, and intrusion
prevention systems. Preventive controls can be implemented in both manual
and computerized environment for the same purpose. Only, the
implementation methodology may differ from one environment to the other.
Example 3.2: Some examples of preventive controls are as follows:
Employing qualified personnel; Segregation of duties; Access control;
Vaccination against diseases; Documentation; Prescribing appropriate books
for a course; Training and retraining of staff; Authorization of transaction;
Validation, edit checks in the application; Firewalls; Anti-virus software
(sometimes this acts as a corrective control also) etc. and Passwords. The
above list contains both manual and computerized preventive controls.

The main characteristics of Preventive controls are given as follows:
• A clear-cut understanding about the vulnerabilities of the asset;
• Understanding probable threats;
• Provision of necessary controls for probable threats from materializing.
Example 3.3: The following Table 3.4.1 shows how the purpose of preventive
controls is achieved by using manual and computerized controls.
Table 3.4.1: Preventive Controls

Purpose: Restrict unauthorized entry into the premises.
  Manual Control: Build a gate and post a security guard.
  Computerized Control: Use access control software, smart card, biometrics, etc.
Purpose: Restrict unauthorized entry into the software applications.
  Manual Control: Keep the computer in a secured location and allow only
  authorized persons to use the applications.
  Computerized Control: Use access control, viz. User ID, password, smart card, etc.

(B) Detective Controls: These controls are designed to detect errors, omissions
or malicious acts that occur and report the occurrence. In other words,
Detective Controls detect errors or incidents that elude preventive controls.
They are basically investigative in nature. For example, a detective control
may identify account numbers of inactive accounts or accounts that have
been flagged for monitoring of suspicious activities. Detective controls can
also include monitoring and analysis to uncover activities or events that
exceed authorized limits or violate known patterns in data that may indicate
improper manipulation. For sensitive electronic communications, detective
controls indicate that a message has been corrupted or the sender’s secure
identification cannot be authenticated.
The main characteristics of Detective controls are given as follows:
• Clear understanding of lawful activities so that anything which deviates
from these is reported as unlawful, malicious, etc.;
• An established mechanism to refer the reported unlawful activities to
the appropriate person or group, whistle blower mechanism;
• Interaction with the preventive control to prevent such acts from
occurring; and
• Surprise checks by supervisor.

Example 3.4: Some examples of Detective Controls are as follows:
Review of payroll reports; Compare transactions on reports to source
documents; Monitor actual expenditures against budget; Use of automatic
expenditure profiling where management gets regular reports of spend to
date against profiled spend; Hash totals; Check points in production jobs;
Echo control in telecommunications; Duplicate checking of calculations; Past-
due accounts report, the Internal Audit functions; Intrusion Detection System;
Cash counts and Bank reconciliation and Monitoring expenditures against
budgeted amount.
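As an added example of two of the detective controls listed above, hash totals and monitoring of transactions that exceed authorized limits (this is not code from the textbook), the following Python block recomputes the record count, financial total and hash total of a constructed payment batch and compares them with the control totals that accompanied the batch. The batch, the control totals and the approval limit are constructed values.

```python
"""Detective controls over a batch of payment transactions (added
illustration, not from the textbook): record count, financial total and
hash total are recomputed and compared with the control totals that came
with the batch, and postings over an authorized limit are reported."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    account: int    # account number; the hash total is taken over this field
    amount: float
    user: str


# Constructed sample batch as received from the data-entry area.
BATCH = [
    Txn(100234, 1250.00, "clerk1"),
    Txn(100871, 80.50, "clerk1"),
    Txn(200455, 9600.00, "clerk2"),
    Txn(100234, 45.25, "clerk3"),
]
# Constructed control totals, prepared independently when the batch was assembled.
CONTROL_TOTALS = {"count": 4, "amount": 10975.75, "hash": 501794}
AUTHORIZED_LIMIT = 5000.00   # assumed per-transaction approval threshold


def batch_totals(batch):
    """Recompute the three control totals from the records actually received."""
    return {
        "count": len(batch),
        "amount": round(sum(t.amount for t in batch), 2),
        # A hash total is a sum with no business meaning (here, of account
        # numbers); it changes if a record is dropped, duplicated or altered.
        "hash": sum(t.account for t in batch),
    }


def reconcile(batch, control):
    """Return the discrepancies between recomputed and stated control totals.

    An empty list means the batch agrees with its controls; anything else is
    reported for investigation, which is what makes this detective rather
    than preventive.
    """
    actual = batch_totals(batch)
    return [f"{name}: expected {control[name]}, got {actual[name]}"
            for name in control if control[name] != actual[name]]


def over_limit(batch, limit=AUTHORIZED_LIMIT):
    """Transactions exceeding the authorized limit, for supervisor follow-up."""
    return [t for t in batch if t.amount > limit]


if __name__ == "__main__":
    print(reconcile(BATCH, CONTROL_TOTALS))          # []
    print(reconcile(BATCH[:-1], CONTROL_TOTALS))     # one record missing
    print(over_limit(BATCH))
```

Dropping a record disturbs all three totals, while altering an amount disturbs only the financial total and swapping two account numbers on otherwise equal records disturbs none of them; this is why the textbook pairs such totals with other detective controls such as comparing transactions to source documents.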
(C) Corrective Controls: It is desirable to correct errors, omissions, or incidents
once they have been detected. These controls are reactive in nature. These
vary from simple correction of data-entry errors, to identifying and removing
unauthorized users or software from systems or networks to recovery from
incidents, disruptions, or disasters. Generally, it is most efficient to prevent
errors or detect them as close as possible to their source to simplify
correction. These corrective processes also should be subject to preventive
and detective controls because they represent another opportunity for errors,
omissions, or falsification. Corrective controls are designed to reduce the
impact or correct an error once it has been detected.
The main characteristics of the corrective controls are as follows:
• Minimizing the impact of the threat;
• Identifying the cause of the problem;
• Providing Remedy to the problems discovered by detective controls;
• Getting feedback from preventive and detective controls;
• Correcting error arising from a problem; and
• Modifying the processing systems to minimize future occurrences of
the incidents.
Example 3.5: Corrective controls may include the use of default dates on
invoices where an operator has tried to enter the incorrect date. For example-
“Complete changes to IT access lists if individual’s role changes” is an example
of corrective control. If an accounts clerk is transferred to the sales
department as a salesman, his/her access rights to the general ledger and
other finance functions should be removed and he/she should be given
access only to functions required to perform his sales job.

Some other examples of Corrective Controls are submitting corrective journal
entries after discovering an error; a Business Continuity Plan (BCP);
Contingency planning; Backup procedure; Rerun procedures; System reboot;
Change input value to an application system; and Investigate budget variance
and report violations.
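As an added illustration of the role-change correction in Example 3.5, and of the periodic review of user access rights discussed later under logical access controls in Table 3.4.4 (this is not code from the textbook), the following Python block recomputes an employee's entitlements from the new role only, so that stale rights are removed rather than accumulated, and writes the correction to an audit log. The role names and functions are constructed.

```python
"""Corrective control for a role change (added illustration, not from the
textbook): when an employee moves from one department to another, rights are
replaced by those of the new role, and a review function reports any rights
a user holds beyond their current role."""
from datetime import datetime, timezone

# Constructed role-to-function mapping: what each job actually needs.
ROLE_FUNCTIONS = {
    "accounts_clerk": {"gl.view", "gl.post", "ap.invoice"},
    "salesman": {"orders.create", "customers.view"},
}


def change_role(user_rights, user, new_role, changed_by, audit_log):
    """Replace the user's rights with those of the new role.

    Returns (removed, added). Every change is appended to audit_log so the
    correction itself is subject to detective review, as the textbook notes
    corrective processes should be.
    """
    before = set(user_rights.get(user, set()))
    after = set(ROLE_FUNCTIONS[new_role])
    removed, added = before - after, after - before
    user_rights[user] = after
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user, "new_role": new_role, "by": changed_by,
        "removed": sorted(removed), "added": sorted(added),
    })
    return removed, added


def review_rights(user_rights, user_roles):
    """Periodic review: rights each user holds that their current role does not need."""
    findings = {}
    for user, role in user_roles.items():
        excess = user_rights.get(user, set()) - ROLE_FUNCTIONS[role]
        if excess:
            findings[user] = sorted(excess)
    return findings


if __name__ == "__main__":
    # Constructed scenario: an accounts clerk is transferred to sales.
    rights = {"anita": set(ROLE_FUNCTIONS["accounts_clerk"])}
    log = []
    print(change_role(rights, "anita", "salesman", "it_admin", log))
    print(review_rights({"bob": {"orders.create", "gl.post"}}, {"bob": "salesman"}))
```

Replacing rather than appending is the design choice that matters: a system that only adds the new role's functions would leave the former clerk with general ledger posting rights, which is exactly the exposure the review function is there to catch.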
3.4.2 Classification based on “Nature of Information System Resources”
These are as follows:
(A) Environmental Controls: These are the controls relating to the IT environment
such as power supply, air-conditioner, Uninterrupted Power Supply (UPS), smoke
detector, fire-extinguishers, dehumidifiers etc. Tables 3.4.2 (A, B, C, D) list the
controls against the environmental exposures Fire, Electrical Exposures, Water
Damage, and Pollution Damage and others, respectively.
I. Fire: It is a major threat to the physical security of a computer installation.
Table 3.4.2(A): Controls for Fire Exposure

♦ Smoke Detectors: Smoke detectors should be positioned at places
above and below the ceiling tiles. Upon activation, these detectors
should produce an audible alarm and must be linked to a monitored
station (for example, a fire station).
♦ Norms to reduce Electric Fires: To reduce the risk of electric fire, the
location of the computer room should be strategically planned and
should not be in the basement or ground floor of a multi-storey
building. Less wood and plastic material should be used in computer
rooms. To reduce the risk of electric fire occurring and spreading,
wiring should be placed in fire-resistant panels and conduit. This
conduit generally lies under the fire-resistant raised floor in the
computer room. Fireproof walls, floors and ceilings surrounding the
computer room and fire-resistant office materials such as waste
baskets, curtains, desks, and cabinets should be used.
♦ Fire Extinguishers: Manual fire extinguishers can be placed at strategic
locations. Fire Alarms, Extinguishers, Sprinklers, Instructions / Fire
Brigade Nos., Smoke detectors, and Carbon-dioxide based fire
extinguishers should be well placed and maintained.
♦ Fire Alarms: Both automatic and manual fire alarms may be placed at
strategic locations and a control panel may be installed to clearly
indicate this. Besides the control panel, master switches may be
installed for power and automatic fire suppression system. A gas-based
fire suppression system is preferable; however, depending upon
the situation, different fire suppression techniques like dry-pipe
sprinkling systems, water-based systems, halon etc., may be used.
When a fire alarm is activated, a signal may be sent automatically to a
permanently manned station.
♦ Regular Inspection and Raising awareness: Regular inspection by Fire
Department Officials should be conducted. The procedures to be
followed during an emergency should be properly documented. Fire
Exits should be clearly marked, and all the staff members should know
how to use the system in case of emergency.

♦ Documented and Tested Emergency Evacuation Plans: Relocation plans
should emphasize human safety but should not leave information
processing facilities physically unsecured. Procedures should exist for a
controlled shutdown of the computer in an emergency. In all
circumstances, saving human life should be given paramount importance.

II. Electrical Exposures: These include the risk of damage that may be caused
by electrical faults, which may occur due to a very short pulse of energy in a
power line. These include non-availability of electricity, spikes (temporarily
very high voltages), fluctuations of voltage and other such risks.
Table 3.4.2(B): Controls for Electrical Exposure

♦ Electrical Surge Protectors: The risk of damage due to power spikes can
be reduced using Electrical Surge Protectors that are typically built into
the Uninterrupted Power System (UPS).
♦ Un-interruptible Power System/Generator: In case of a power failure,
the UPS provides the backup by providing electrical power from the
battery to the computer for a certain span of time. Depending on the
sophistication of the UPS, electrical power supply could continue to flow
for days or for just a few minutes to permit an orderly computer
shutdown.
♦ Voltage regulators and circuit breakers: These protect the hardware
from temporary increase or decrease of power.
♦ Emergency Power-Off Switch: When the need arises for an immediate
power shut down during situations like a computer room fire or an
emergency evacuation, an emergency power-off switch at strategic
locations would serve the purpose. They should be easily accessible and
yet secured from unauthorized people.

III. Water Damage: Water damage to a computer installation can be the
outcome of burst water pipes. Water damage may also result from other
sources such as cyclones, tornadoes, floods etc.
Table 3.4.2(C): Controls for Water Exposure
♦ Water Detectors: These should be placed under the raised floor, near
drain holes and near any unattended equipment storage facilities.
♦ Strategically locating the computer room: To reduce the risk of
flooding, the computer room should not be located in the basement
or ground floor of a multi-storey building.
♦ Some of the major ways of protecting the installation against water
damage are as follows:
• Wherever possible have waterproof ceilings, walls and floors;
• Ensure an adequate positive drainage system exists;
• Install alarms at strategic points within the installation;
• In flood-prone areas, have the installation above the upper floors
but not at the top floor;
• Water proofing; and
• Water leakage Alarms.

IV. Pollution Damage and others: The major pollutant in a computer
installation is dust. Dust caught between the surfaces of magnetic tape / disk
and the reading and writing heads may cause either permanent damage to
data or read / write errors.
Table 3.4.2(D): Controls for Pollution Damage Exposure
♦ Power Leads from Two Substations: Electrical power lines are
exposed to many environmental dangers such as water, fire, lightning,
cutting due to careless digging etc. To avoid these types of events,
redundant power links should feed into the facility so that
interruption of one power supply does not adversely affect electrical
supply.

♦ Prohibitions against Eating, Drinking and Smoking within the
Information Processing Facility: These activities should be
prohibited from the information processing facility especially food
and beverages to protect the systems from rodents which could
damage the electrical wirings and cables and also to prevent fire
caused due to smoking. This prohibition should be clear, e.g. a sign
on the entry door.

(B) Physical Access Controls: The Physical Access Controls are the controls
relating to the physical security of tangible resources and of intangible
resources stored on tangible media etc. Such controls include access control
doors, security guards, door alarms, restricted entry to secure areas, visitor
logged access, CCTV monitoring etc. Refer to Table 3.4.3.
Table 3.4.3: Controls for Physical Exposures
I. Locks on Doors
• Cipher locks (Combination Door Locks): Cipher locks are used in low
security situations or when many entrances and exits must be usable all
the time. To enter into a secured room, a person presses a four-digit
number and the door will unlock for a predetermined period, usually 10
to 30 seconds.
• Bolting Door Locks: In this, a special metal key is used to gain entry
and to avoid illegal entry, the keys should not be duplicated.
• Electronic Door Locks: A magnetic or embedded chip-based plastics
card key or token may be entered into a reader to gain access in these
systems.
II. Physical Identification Medium: These are discussed below:
• Personal Identification Numbers (PIN): A secret number assigned to
an individual, in conjunction with some means of identifying the
individual, serves to verify the authenticity of the individual. The visitor
will be asked to log on by inserting a card in some device and then enter
their PIN via a PIN keypad for authentication. His/her entry will be
matched with the PIN number available in the security database.
• Plastic Cards: These cards are used for identification purposes.
Customers should safeguard their card so that it does not fall into
unauthorized hands.

• Identification Badges: Special identification badges can be issued to
personnel as well as visitors. For easy identification purposes, their color
of the badge can be changed. Sophisticated photo IDs can also be
utilized as electronic card keys.
III. Logging on Facilities: These are given as under:
• Manual Logging: All visitors should be prompted to sign a visitor’s log
indicating their name, date and time of visit, company represented, their
purpose of visit, and person to see. Logging may happen at both fronts
- reception and entrance to the computer room. A valid and acceptable
identification such as a driver’s license, business card or vendor
identification tag may also be asked for before allowing entry inside the
company.
• Electronic Logging: This feature is a combination of electronic and
biometric security systems. User log-ins can be monitored, and
unsuccessful attempts highlighted.
IV. Other means of Controlling Physical Access: Other important means
of controlling physical access are as follows:
• Video Cameras: Cameras should be placed at specific locations and
monitored by security guards. Refined video cameras can be activated
by motion. The video supervision recording must be retained for
possible future play back.
• Security Guards: Extra security can be provided by appointing guards
aided with CCTV feeds. Guards supplied by an external agency should
be made to sign a bond to protect the organization from loss.
• Controlled Visitor Access: A responsible employee should escort all
visitors who may be friends, maintenance personnel, computer vendors,
consultants, and external auditors.
• Bonded Personnel: All service contract personnel, such as cleaning
people and off-site storage services, should be asked to sign a bond.
This may not be a measure to improve physical security but to a certain
extent can limit the financial exposure of the organization.
• Dead Man Doors/Man trap: These systems encompass a pair of doors
that are typically found in entries to facilities such as computer rooms
and document stations. The first entry door must close and lock for the
second door to operate, with only one person permitted in the
holding area. It helps to manage traffic and prohibits the intruder from
escaping the facility quickly.
• Non-exposure of Sensitive Facilities: There should be no explicit
indication, such as windows or directional signs, hinting at the
presence of facilities such as computer rooms. Only the general location
of the information processing facility should be identifiable.
• Computer Terminal Locks: These locks secure the device to the
desk and ensure that it is not turned on or disengaged by unauthorized persons.
• Controlled Single Entry Point: All incoming personnel can use
controlled Single-Entry Point. A controlled entry point is monitored by
a receptionist. Multiple entry points increase the chances of
unauthorized entry. Unnecessary or unused entry points should be
eliminated or deadlocked.
• Alarm System: Illegal entry can be avoided by linking alarm system to
inactive entry point and the reverse flows of enter or exit only doors, to
avoid illegal entry. Security personnel should be able to hear the alarm
when activated.
• Perimeter Fencing: Fencing at boundary of the facility may also
enhance the security mechanism.
• Control of out-of-office employees: Employees who are
out of the office for a longer duration during office hours should be
monitored carefully. Their movements must be noted and reported to
the concerned officials frequently.
• Secured Report/Document Distribution Cart: Secured carts, such as
mail carts must be covered and locked and should always be attended.

(C) Logical Access Controls: These are the controls relating to logical access to
information resources such as operating systems controls, application software
boundary controls, networking controls, access to database objects, encryption
controls etc. Logical access controls are implemented to ensure that access to
systems, data and programs is restricted to authorized users to safeguard
information against unauthorized use, disclosure or modification, damage, or
loss. The key factors considered in designing logical access controls include
confidentiality and privacy requirements, authorization, authentication, and
incident handling, reporting and follow-up, virus prevention and detection,
firewalls, centralized security administration, user training and tools for
monitoring compliance, intrusion testing and reporting. Logical access controls

© The Institute of Chartered Accountants of India


INFORMATION SYSTEMS AND ITS COMPONENTS 3.29

are the system-based mechanisms used to designate who or what is to have


access to a specific system resource and the type of transactions and functions
that are permitted. Table 3.4.4 provides the controls for Technical Exposures.
Table 3.4.4: Controls for Technical Exposures
I. User Access Management: This involves the administration within a
system for giving individual users access to the tools they require at
the right time. This is an important factor that involves the following:
• User Registration: Information about every user is documented.
Questions such as why and by whom the user is granted access, whether
the data owner has approved the access, and whether the user has
accepted the responsibility are answered. The de-registration process is
equally important.
• Privilege management: Access privileges are to be aligned with job
requirements and responsibilities, and kept to the minimum needed for the
job function. For example, an operator at the order counter shall have
direct access to the order processing activity of the application system.
Similarly, a business analyst could be granted access to view a
report but not to modify it, which would be done by the developer.
• User password management: Passwords are usually the default
screening point for access to systems. Allocation, storage,
revocation, and reissue of passwords are password management
functions. Educating users about passwords and making them
responsible for their passwords is a critical component.
• Review of user access rights: A user’s need for accessing
information changes with time and requires a periodic review of
access rights to check anomalies in the user’s current job profile, and
the privileges granted earlier.
II. User Responsibilities: User awareness and responsibility are also
important factors discussed below:
• Password use: This includes mandatory use of strong passwords to
maintain confidentiality.
• Unattended user equipment: Users should ensure that none of the
equipment under their responsibility is ever left unprotected. They
should also secure their PCs with a password and should not leave it
accessible to others. While leaving the premises from work, care
should be taken to always lock the system.
III. Network Access Control: Network Access Control refers to the
process of managing access for use of network-based services like
shared resources, access to cloud-based services, remote login,
network and internet access. The protection can be achieved through
the following means:
• Policy on use of network services: An enterprise-wide policy
applicable to internet service requirements aligned with the business
need for using the Internet services is the first step. Selection of
appropriate services and approval to access them should be part of
this policy.
• Enforced path: Based on risk assessment, it is necessary to specify
the exact path or route connecting the networks e.g. internet access
by employees will be routed through a firewall and proxy.
• Segregation of networks: Based on the sensitivity of the information
handled, say a VPN connection between a branch office
and the head office, this network is to be isolated from the internet
usage service, thereby providing a secure remote connection.
• Network connection and routing control: The traffic between
networks should be restricted, based on identification of source and
authentication access policies implemented across the enterprise
network facility.
• Security of network services: The techniques of authentication and
authorization policy should be implemented across the
organization’s network.
• Firewall: A Firewall is a system that enforces access control between
two networks. To accomplish this, all traffic between the external
network and the organization’s Intranet must pass through the
firewall, which will allow only authorized traffic between the
organization and the outside to pass through it. The firewall must be
immune to penetration from both outside and inside the organization.
In addition to insulating the organization’s network from external
networks, firewalls can be used to insulate portions of the
organization’s Intranet from internal access also, as per the
organization’s network usage policy.

• Network Encryption: Network encryption is defined as the process
of encrypting data and messages transmitted or communicated over a
computer network. Encrypting data means the conversion of data into
a secret code for storage in databases and transmission over networks.
Two general approaches, Private key and Public key encryption, are
used for encryption.
• Call Back Devices: It is based on the principle that the key to
network security is to keep the intruder off the Intranet rather than
imposing security measure after the criminal has connected to the
intranet. The call back device requires the user to enter a password
and then the system breaks the connection. If the caller is authorized,
the call back device dials the caller’s number to establish a new
connection. This limits the access only from authorized terminals or
telephone numbers and prevents an intruder masquerading as a
legitimate user. This also helps to avoid call forwarding and man-in-the-middle
attacks.
IV. Operating System Access Control: Operating System (O/S) is the
computer control program that allows users and their applications
to share and access common computer resources, such as processor,
main memory, database, and printers. Major tasks of O/S are Job
Scheduling; Managing Hardware and Software Resources;
Maintaining System Security; Enabling Multiple User Resource
Sharing; Handling Interrupts and Maintaining Usage Records.
Operating system security involves policy, procedure and controls
that determine, ‘who can access the operating system,’ ‘which
resources they can access’, and ‘what action they can take’. Hence,
protecting operating system access is extremely crucial and can be
achieved using following steps.
• Automated terminal identification: This will help to ensure that a
specified session could only be initiated from a certain location or
computer terminal.
• Terminal log-in procedures: A log-in procedure is the first line of
defense against unauthorized access as it does not provide
unnecessary help or information, which could be misused by an
intruder. When the user initiates the log-on process by entering
user-id and password, the system compares the ID and password to
a database of valid users and accordingly authorizes the log-in.

• Access Token: If the log on attempt is successful, the operating
system creates an access token that contains key information about
the user including user-id, password, user group and privileges
granted to the user. The information in the access token is used to
approve all actions attempted by user during the session.
• Access Control List: This list contains information that defines the
access privileges for all valid users of the resource. When a user
attempts to access a resource, the system compares his or her user-
id and privileges contained in the access token with those privileges
granted to the user as mentioned in the access control list. If there
is a match, the user is granted access.
• Discretionary Access Control: The system administrator usually
determines who is granted access to specific resources and
maintains the access control list. However, in distributed systems,
resources may be controlled by the end-user. Resource owners in
this setting may be granted discretionary access control, which
allows them to grant access privileges to other users. For example,
the controller who is owner of the general ledger grants read only
privilege to the budgeting department while accounts payable
manager is granted both read and write permission to the ledger.
• User identification and authentication: The users must be
identified and authenticated in a foolproof manner. Depending on
risk assessment, more stringent methods like Biometric
Authentication or Cryptographic means like Digital Certificates
should be employed.
• Password management system: An operating system could
enforce selection of good passwords. Internal storage of password
should use one-way hashing algorithms and the password file
should not be accessible to users.
• Use of system utilities: System utilities are the programs that help
to manage critical functions of the operating system e.g. addition or
deletion of users. Obviously, this utility should not be accessible to
a general user. Use and access to these utilities should be strictly
controlled and logged.
• Duress alarm to safeguard users: If users are forced to execute
some instruction under threat, the system should provide a means
to alert the authorities. The design of the duress alarm should be
simple enough to be operated under stressful situations.
• Terminal time out: Log out the user if the terminal is inactive for a
defined period. This will prevent misuse in absence of legitimate user.
• Limitation of connection time: Define the available time slot. Do
not allow any transaction beyond this time. For example, no
computer access after 8.00 p.m. and before 8.00 a.m. or on a
Saturday or Sunday.
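As an added example of the operating system access controls in this section (this is not code from the textbook), the following Python block models a terminal log-in procedure: terminal identification and limitation of connection time are checked first, then a salted one-way password hash is compared, a successful log-in issues an access token, and an access control list check compares the token's group with the privileges granted on the resource. The user names, passwords, terminals and the discretionary ACL on the general ledger are constructed.

```python
"""Operating system access control as a small model (added illustration,
not from the textbook): terminal identification and connection-time
limitation are checked first, then a salted one-way password hash; a
successful log-in yields an access token whose group is compared with the
resource's access control list. Users, terminals and the ACL are constructed."""
import hashlib
import hmac
import os
from datetime import datetime

ITERATIONS = 100_000   # PBKDF2 work factor; higher is slower for a guesser too


def hash_password(password, salt=None):
    """Return (salt, digest); the password file stores only these, never cleartext."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


# Constructed password file, user groups and the terminals each user may use.
PASSWORD_FILE = {
    "controller": hash_password("Ledger!2024"),
    "budget_analyst": hash_password("Plan#77"),
}
USER_GROUP = {"controller": "finance", "budget_analyst": "budgeting"}
ALLOWED_TERMINALS = {"controller": {"FIN-01"}, "budget_analyst": {"BUD-01", "BUD-02"}}
# Discretionary ACL: the controller, as owner of the general ledger, granted
# the budgeting department read-only access and finance read and write.
ACL = {"general_ledger": {"finance": {"read", "write"}, "budgeting": {"read"}}}
WORK_HOURS = (8, 20)   # connection allowed 08:00 to 20:00, Monday to Friday


def within_hours(now):
    """Limitation of connection time."""
    return now.weekday() < 5 and WORK_HOURS[0] <= now.hour < WORK_HOURS[1]


def login(user, password, terminal, now):
    """Return an access token on success, else None.

    `now` may be a datetime or an ISO-8601 string. Every check yields the
    same bare failure so the log-in prompt gives an intruder no hint about
    which condition was wrong.
    """
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    if not within_hours(now):
        return None
    if terminal not in ALLOWED_TERMINALS.get(user, set()):   # terminal identification
        return None
    if user not in PASSWORD_FILE:
        return None
    salt, stored = PASSWORD_FILE[user]
    _, presented = hash_password(password, salt)
    if not hmac.compare_digest(stored, presented):           # constant-time compare
        return None
    # The token carries identity, group and origin; the password is not copied into it.
    return {"user": user, "group": USER_GROUP[user],
            "terminal": terminal, "issued": now.isoformat()}


def authorize(token, resource, action):
    """Access control list check: is the token's group granted this action?"""
    if token is None:
        return False
    return action in ACL.get(resource, {}).get(token["group"], set())


if __name__ == "__main__":
    tok = login("controller", "Ledger!2024", "FIN-01", "2024-03-04T10:00:00")
    print(authorize(tok, "general_ledger", "write"))      # True
    tok = login("budget_analyst", "Plan#77", "BUD-02", "2024-03-04T10:00:00")
    print(authorize(tok, "general_ledger", "write"))      # False
```

Two design points differ deliberately from a literal reading of the text: the token holds no password, since the hash is compared once at log-in and need not travel with the session, and the password file holds salted PBKDF2 digests, which is one concrete form of the one-way hashing the password management bullet calls for.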
V. Application and Monitoring System Access Control: Applications are
most common assets that access information. Users invoke the
programmes or modules of application to access, process and
communicate information. Hence, it is necessary to control the accesses
to application. Some of the controls are as follows:
• Information Access restriction: The access to information is
prevented by application specific menu interfaces, which limit access
to system function. A user can access only to those items, s/he is
authorized to access. Controls are implemented on access rights like
read, write, delete, and execute to users, and further to ensure that
sensitive output is sent only to authorized terminals and locations.
• Sensitive System isolation: Based on the critical constitution of a
system in an enterprise, it may even be necessary to run the system
in an isolated environment. Monitoring system access is a detective
control, to check if preventive controls discussed so far are working.
If not, this control will detect/report any unauthorized activities.
• Event logging: In Computer systems, it is easy and viable to
maintain extensive logs for all types of events. It is necessary to
review if logging is enabled and the logs are archived properly. An
intruder may penetrate the system by trying different passwords and
user ID combinations. All incoming and outgoing requests along
with attempted access should be recorded in a transaction log. The
log should record the user ID, the time of the access and the terminal
location from where the request has been originated.
• Monitor System use: Based on the risk assessment, a constant
monitoring of some critical systems is essential. Define the details of
types of accesses, operations, events, and alerts that will be
monitored. The extent of detail and the frequency of the review
would be based on criticality of operation and risk factors. The log
files are to be reviewed periodically and attention should be given
to any gaps in these logs.
• Clock Synchronization: Event logs maintained across an enterprise
network play a significant role in correlating an event and
generating a report on it. Hence, synchronizing clock time
across the network to a standard time is mandatory.
VI. Controls when mobile: In today’s organizations, computing facility
is not restricted to a certain data center alone. Ease of access on the
move provides efficiency and results in additional responsibility on
the management to maintain information security. Theft of data
carried on the disk drives of portable computers is a high-risk factor.
Both physical and logical access to these systems is critical.
Information is to be encrypted and access identifications like
fingerprint, eye-iris, and smart cards are necessary security features.
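The event logging and system-use monitoring controls described above, as an added example that is not part of the ICAI text: a Python review script that parses a constructed transaction log (sequence number, time, user ID, terminal, outcome), flags the repeated failed-login pattern the text warns about, and reports the gaps in the log that the periodic review should question. The log layout and sample lines are assumptions.

```python
# Added example, not from the ICAI text. Log layout, field names and sample
# lines are constructed for illustration; real systems have their own formats.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed transaction log: sequence no. | timestamp | user ID | terminal | outcome
SAMPLE_LOG = """\
1001|2024-03-01T09:00:05|alice|TERM-07|LOGIN_OK
1002|2024-03-01T09:00:41|bob|TERM-12|LOGIN_FAIL
1003|2024-03-01T09:00:52|bob|TERM-12|LOGIN_FAIL
1004|2024-03-01T09:01:03|bob|TERM-12|LOGIN_FAIL
1005|2024-03-01T09:01:15|bob|TERM-12|LOGIN_FAIL
1006|2024-03-01T09:01:27|bob|TERM-12|LOGIN_FAIL
1007|2024-03-01T09:02:10|carol|TERM-03|LOGIN_OK
1010|2024-03-01T11:30:00|alice|TERM-07|LOGOUT
"""


def parse_log(text):
    """Parse pipe-separated records into dicts. A malformed line raises
    rather than being skipped silently, since the reviewer should see it."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        seq, stamp, user, terminal, outcome = line.split("|")
        records.append({
            "seq": int(seq),
            "time": datetime.fromisoformat(stamp),
            "user": user,
            "terminal": terminal,
            "outcome": outcome,
        })
    return records


def failed_login_bursts(records, threshold=5, window=timedelta(minutes=5)):
    """Return {(user, terminal): count} for pairs with at least `threshold`
    LOGIN_FAIL events inside any `window`, the password-guessing pattern the
    text describes. A sliding window runs over each pair's failure times."""
    failures = defaultdict(list)
    for rec in records:
        if rec["outcome"] == "LOGIN_FAIL":
            failures[(rec["user"], rec["terminal"])].append(rec["time"])
    flagged = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[key] = end - start + 1
                break
    return flagged


def log_gaps(records, max_silence=timedelta(hours=1)):
    """Return (missing sequence ranges, long silences). Either kind of gap is
    what the periodic review should question: lost, purged or disabled logging."""
    seq_gaps, time_gaps = [], []
    ordered = sorted(records, key=lambda rec: rec["seq"])
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["seq"] != prev["seq"] + 1:
            seq_gaps.append((prev["seq"], cur["seq"]))
        if cur["time"] - prev["time"] > max_silence:
            time_gaps.append((prev["time"], cur["time"]))
    return seq_gaps, time_gaps


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("failed-login bursts:", failed_login_bursts(recs))
    print("sequence gaps, silences:", log_gaps(recs))
```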

3.4.3 Classification based on “Information Systems Functions”


Auditors might choose to factor systems in several different ways. Auditors have
found two ways to be especially useful when conducting information systems
audits, as discussed below. Fig. 3.4.2 and Fig. 3.4.3 provide an overview of the
Management Control Framework and the Application Control Framework respectively.
A. The Management Control Framework
Managerial functions must be performed to ensure the development,
implementation, operation, and maintenance of information systems in a planned
and controlled manner in an organization. These functions provide a stable
infrastructure in which information systems can be built, operated, and maintained
on a day-to-day basis.
I. Top Management Controls
The controls adopted by the management of an enterprise are to ensure that the
information systems function correctly and meet the strategic business
objectives. The management has the responsibility to determine whether the
controls that their enterprise system has put in place are sufficient so that the IT
activities are adequately controlled. The scope of control here includes framing
high-level IT policies, procedures, and standards on a holistic view and
establishing a sound internal controls framework within the organization. The high-
level policies establish a framework on which the controls for the lower hierarchy of
the enterprise are built. The controls flow from the top of an organization
downwards; the responsibility still lies with the senior management. Top
management is responsible
for preparing a master plan for the information systems function. The senior
managers who take responsibility for IS function in an organization face many
challenges. The major functions that a senior management must perform are
Planning, Organizing, Leading and Controlling.
(a) Planning – This includes determining the goals of the information systems
function and the means of achieving these goals which could either be a short
term or long term one. The steering committee shall comprise
representatives from all areas of the business, and IT personnel that would be
responsible for the overall direction of IT. The steering committee should
assume overall responsibility for activities of information systems function.
(b) Organizing – There should be a prescribed IT organizational structure with
documented roles and responsibilities and agreed job descriptions. This
includes gathering, allocating, and coordinating the resources needed to
accomplish the goals that are established during planning function. Unless
Top management performs the organizing function properly, the Information
systems function is unlikely to be effective and efficient.
(c) Leading – This includes the activities like motivating, guiding, and
communicating with personnel. The purpose of leading is to achieve the
harmony of objectives, i.e. a person’s or group’s objectives must not conflict
with the organization’s objectives. The process of leading requires managers
to motivate subordinates, direct them and communicate with them.
(d) Controlling – This includes comparing actual performance of the information
systems functions with their planned performance as a basis for taking any
corrective actions that are needed. This involves determining when the actual
activities of the information system’s functions deviate from the planned
activities.
II. Systems Development Management Controls
Systems Development Management has responsibility for the functions
concerned with analyzing, designing, building, implementing, and
maintaining information systems. System development controls are targeted
to ensure that proper documentations and authorizations are available for
each phase of the system development process. It includes controls at
controlling new system development activities. The activities discussed below
deal with system development controls in an IT setup.

(a) Problem definition and Feasibility assessment: Information Systems can
be developed to help resolve problems or to take advantage of
opportunities. All the stakeholders must reach agreement on the
problem and should understand the possible threats associated with
possible solutions/systems related to asset safeguarding, data integrity,
system effectiveness, and system efficiency. The feasibility assessment is
done to obtain a commitment to change and to evaluate whether cost-
effective solutions are available to address the problem or opportunity
that has been identified. All solutions must be properly and formally
authorized to ensure their economic justification and feasibility. This
requires that each new solution request be submitted in written form
by stakeholders to systems professionals who have both the expertise and
authority to evaluate and approve (or reject) the request.
(b) Analysis of existing system: Designers need to analyze the existing
system that involves two major tasks:
• Studying the existing organizational history, structure, and culture
to gain an understanding of the social and task systems in place,
the ways these systems are coupled, and the willingness of
stakeholders to change.
• Studying the existing product and information flows as the
proposed system will be based primarily on current product and
information flows. The designers need to understand the strengths
and weaknesses of existing product to determine the new system
requirements and the extent of change required.
(c) Information Processing System design: This phase involves following
activities:
• Elicitation of detailed requirements: Either ask the stakeholders for
their requirement in case they are aware about it or discover the
requirement through analysis and experimentation in case
stakeholders are uncertain about their need.
• Design of data/information flow: The designers shall determine the
flow of data/information and transformation points, the frequency
and timing of the data and information flows and the extent to
which data and information flows will be formalized. Tools such as
DFD can be used for this purpose.

• Design of Database and user interface: Design of database involves
determining its scope and structure, whereas the design of user
interface determines the ways in which users interact with a system.
• Physical design: This involves breaking up the logical design into
units which in turn can be decomposed further into implementation
units such as programs and modules.
• Design of the hardware/software platform: In case the hardware
and software platforms are not available in the organization, the
new platforms are required to be designed to support the proposed
system.
(d) Hardware/Software acquisition and procedures development: To
purchase the new application system or hardware, a request for
proposal must be prepared, vendor proposals are sought, and the final
decision is made based on evaluation. During procedures development,
designers specify the activities that users must undertake to support the
ongoing operation of the system and to obtain useful output.
(e) Acceptance Testing and Conversion: Acceptance Testing is carried out to
identify errors or deficiencies in the system prior to its final release into
production use. The conversion phase comprises the activities undertaken
to place the new system in operation.
(f) Operation and Maintenance: In this phase, the new system is run as a
production system and periodically modified to better meet its objectives.
A formal process is required to identify and record the need for changes
to a system and to authorize and control the implementation of needed
changes. The maintenance activities associated with these systems need
to be approved and monitored carefully.
III. Programming Management Controls
Program development and implementation is a major phase within the systems
development life cycle. The primary objectives of this phase are to produce or
acquire and to implement high-quality programs. Refer Table 3.4.5.
Table 3.4.5: Program Development Life Cycle
Phase: Planning
Controls: This phase estimates the resources required for software
development, acquisition, and implementation. The importance and complexity
of planning decisions can vary based on factors such as size of software to be
developed and uncertainty relating to user requirement or support technology.
Phase: Design
Controls: In this, programmers seek to specify the structure and operation of
programs that will meet the requirements articulated. A systematic approach
to program design, such as the structured design approach or object-oriented
design, is adopted. The design of a program depends on the type of
programming language that has been or will be used to implement the program.
Phase: Coding
Controls: Programmers must choose a module implementation and integration
strategy (like Top-down and Bottom-up approach), a coding strategy (that
follows the precepts of structured programming) and a documentation strategy
to ensure program code is easily readable and understandable.
Phase: Testing
Controls: Three types of testing can be undertaken in this phase:
♦ Unit Testing which focuses on individual program modules;
♦ Integration Testing which focuses on groups of program modules; and
♦ Whole-of-Program Testing which focuses on the whole program to
determine whether it meets the requirement.
These tests are to ensure that a developed or acquired program achieves its
specified requirements.
Phase: Operation and Maintenance
Controls: Management establishes formal mechanisms to monitor the status of
operational programs so that maintenance needs can be identified on a timely
basis. Below are three types of maintenance:
♦ Repair Maintenance – in which logic errors detected in the system are
corrected;
♦ Adaptive Maintenance – in which the program is modified to meet changing
user requirements; and
♦ Perfective Maintenance – in which the program is tuned to decrease the
resource consumption and improve processing efficiency.
The Control phase that runs in parallel to all other phases during software
development or acquisition is to monitor progress against plan and to ensure that
software released for production use is authentic, accurate, and complete.
Techniques like Work Breakdown Structures (WBS), Gantt Charts and PERT
(Program Evaluation and Review Technique) Charts can be used to monitor
progress against plan. The Control phase has two major purposes:
• Task progress in various software life-cycle phases should be monitored
against plan and corrective action should be taken in case of any deviations.
• Control over software development, acquisition, and implementation tasks
should be exercised to ensure software released for production use is
authentic, accurate, and complete.
IV. Data Resource Management Controls
In organizations, data is a critical resource that must be managed properly;
accordingly, centralized planning and control are implemented. For data to be
managed better, users must be able to share data; data must be available to
users when it is needed, in the location where it is needed, and in the form in which
it is needed. Further, it must be possible to modify data easily if a change is
required, and the integrity of the data must be preserved.
If a data repository system is used properly, it can enhance data and application
system reliability. It must be controlled carefully, however, because the
consequences are serious if the data definition is compromised or destroyed.
Careful control should be exercised over the roles by appointing senior,
trustworthy persons, separating duties to the extent possible and maintaining
and monitoring logs of the data administrator's and database administrator's
activities. Data integrity is the maintenance and assurance of the accuracy and
consistency of data; the control activities that are involved in maintaining
it are as under:
(a) Definition Controls: These controls are placed to ensure that the
database always corresponds to and complies with its definition standards.
(b) Existence/Backup Controls: These controls ensure the existence of the
database by establishing backup and recovery procedures. Backup refers
to making copies of the data so that these additional copies may be used
to restore the original data after a data loss. Backup controls ensure the
availability of the system in the event of data loss due to unauthorized
access, equipment failure or physical disaster, so that the organization can
retrieve its files and databases. Various backup strategies like dual
recording of data; periodic dumping of data; logging input transactions
and changes to the data may be used.
(c) Access Controls: These controls are designed to prevent unauthorized
individuals from viewing, retrieving, computing, or destroying the entity's
data. User Access Controls are established through passwords, tokens
and biometric controls; and Data Encryption controls are established by
keeping the data in the database in encrypted form.
(d) Update Controls: These controls restrict update of the database to
authorized users in two ways: either by permitting only the addition of data
to the database, or by allowing users to change or delete existing data.
(e) Concurrency Controls: These controls provide solutions, agreed-upon
schedules, and strategies to overcome the data integrity problems that
may arise when two update processes access the same data item at the
same time.
(f) Quality Controls: These controls ensure the accuracy, completeness, and
consistency of data maintained in the database. This may include
traditional measures such as program validation of input data and batch
controls over data in transit through the organization.
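The "periodic dumping of data" and "logging input transactions and changes" backup strategies named under Existence/Backup Controls above, as an added example that is not part of the ICAI text: a small Python store that writes every change to a journal before applying it, takes a digest-protected dump, and recovers by replaying the journal entries written after the last dump, refusing a tampered dump or a journal with a hole in it. The store, record layout and sample transactions are assumptions.

```python
# Added example, not from the ICAI text. The store, record layout, digest
# scheme and sample transactions below are constructed for illustration.
import hashlib
import json


def _apply(data, op, key, value):
    """Apply one logged change to the in-memory table."""
    if op == "PUT":
        data[key] = value
    elif op == "DEL":
        data.pop(key, None)
    else:
        raise ValueError(f"unknown op {op!r}")


class JournaledStore:
    """Key-value store in which every change is written to a journal before
    it is applied (the 'logging input transactions and changes' strategy)."""

    def __init__(self):
        self.data = {}
        self.journal = []   # (seq, op, key, value), seq strictly increasing
        self.seq = 0

    def apply(self, op, key, value=None):
        self.seq += 1
        self.journal.append((self.seq, op, key, value))   # log first ...
        _apply(self.data, op, key, value)                  # ... then change
        return self.seq

    def dump(self):
        """Periodic dump: a copy of the data tagged with the journal position
        it reflects, plus a digest so a corrupted dump is detected, not trusted."""
        body = json.dumps({"seq": self.seq, "data": self.data}, sort_keys=True)
        return {"body": body, "digest": hashlib.sha256(body.encode()).hexdigest()}


def recover(dump, journal):
    """Rebuild the table from the last dump plus the journal entries written
    after it. A tampered dump or a hole in the journal stops recovery, since
    silently continuing would restore wrong data."""
    if hashlib.sha256(dump["body"].encode()).hexdigest() != dump["digest"]:
        raise ValueError("dump digest mismatch: dump is corrupted")
    snapshot = json.loads(dump["body"])
    data, last_seq = snapshot["data"], snapshot["seq"]
    for seq, op, key, value in journal:
        if seq <= last_seq:
            continue                       # already reflected in the dump
        if seq != last_seq + 1:
            raise ValueError(f"journal gap: expected {last_seq + 1}, got {seq}")
        _apply(data, op, key, value)
        last_seq = seq
    return data


if __name__ == "__main__":
    store = JournaledStore()
    store.apply("PUT", "acct:1", 100)
    store.apply("PUT", "acct:2", 250)
    snapshot = store.dump()                  # taken after seq 2
    store.apply("PUT", "acct:1", 80)
    store.apply("DEL", "acct:2")
    print(recover(snapshot, store.journal))  # {'acct:1': 80}
```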
V. Security Management Controls
Information security administrators are responsible for ensuring that information
systems assets categorized under Personnel, Hardware, Facilities, Documentation,
Supplies Data, Application Software and System Software are secure. Assets are
secure when the expected losses that will occur over some time, are at an
acceptable level. The Environmental Controls, Physical Controls and Logical Access
Controls are all security measures against the possible threats. However, despite the
controls in place, there could be a possibility that a control might fail. Disasters
are events/incidents so critical that they have the capability to affect the business
continuity of an entity in an irreversible manner.
When disaster strikes, it still must be possible to recover operations and mitigate
losses using the controls of last resort - A Disaster Recovery Plan (DRP) and
Insurance.
• DRP deals with how an organization recovers from a disaster and comes back
to its normalcy. The plan lays down the policies, guidelines, and procedures
for all Information System personnel. A comprehensive DRP comprises four
parts – an Emergency Plan (actions to be undertaken immediately when a
disaster occurs), a Backup Plan (specifies the type of backup to be kept,
frequency of taking backup, the procedures for making backup etc.), a
Recovery Plan (to restore full IS capabilities) and a Test Plan (to identify
deficiencies in the test plan). Business Continuity Plan (BCP) as compared

to a DRP mainly deals with carrying on the critical business operations in the
event of a disaster so as to ensure minimum impact on the business.
• Insurance is a contract, represented by a policy, in which an individual or
entity receives financial protection or reimbursement against losses from an
insurance company. Adequate insurance must be able to replace Information
Systems assets and to cover the extra costs associated with restoring normal
operations.
VI. Operations Management Controls
Operations management is responsible for the daily running of hardware and
software facilities so that production application systems can accomplish their work
and development staff can design, implement and maintain application systems.
Operations management typically performs controls over the functions discussed
below:
(a) Computer Operations: The controls over computer operations govern the
activities that directly support the day-to-day execution of either test or
production systems on the hardware/software platform available.
(b) Network Operations: Data may be lost or corrupted through component
failure. To avoid such a situation, the proper functioning of network operations
and the monitoring of the performance of network communication channels,
network devices, and network programs and files are required.
(c) Data Preparation and Entry: Irrespective of whether the data is obtained
indirectly from source documents or directly from say customers, keyboard
environments and facilities should be designed to promote speed and
accuracy and to maintain the wellbeing of keyboard operators.
(d) Production Control: This includes the major functions like receipt and
dispatch of input and output; job scheduling; management of service-level
agreements with users; transfer pricing/charge-out control; and acquisition
of computer consumables.
(e) File Library: This includes the management of not only machine-readable
storage media like magnetic tapes, cartridges, and optical disks of an
organization but also its fixed storage media.
(f) Documentation and Program Library: This requires that documentation
librarians ensure that documentation is stored securely; that only authorized
personnel gain access to documentation; that documentation is kept up-to-
date and that adequate backup exists for documentation. There should also
be adequate versioning of documents depending on the updates. The
documentation may include reporting responsibility and authority of each
function; definition of responsibilities and objectives of each function; policies
and procedures; job descriptions and Segregation of Duties.
(g) Help Desk/Technical support: This assists end-users to employ end-user
hardware and software such as micro-computers, spreadsheet packages,
database management packages etc. and provides technical support for
production systems by assisting with problem resolution.
(h) Capacity Planning and Performance Monitoring: Regular performance
monitoring facilitates the capacity planning wherein the resource deficiencies
must be identified well in time so that they can be made available when they
are needed.
(i) Management of Outsourced Operations: This has the responsibility for
carrying out day-to-day monitoring of the outsourcing contract.
VII. Quality Assurance Management Controls
Quality Assurance management is concerned with ensuring that the –
♦ Information systems produced by the information systems function achieve
certain quality goals; and
♦ Development, implementation, operation and maintenance of Information
systems comply with a set of quality standards.
Quality Assurance (QA) personnel should work to improve the quality of
information systems produced, implemented, operated, and maintained in an
organization. They perform a monitoring role for management to ensure that –
♦ Quality goals are established and understood clearly by all stakeholders;
♦ Compliance occurs with the standards that are in place to attain quality
information systems, and
♦ Best practices in the industry are also incorporated during the production of
information systems including detailed knowledge transfer sessions, quality
matrix etc.

THE MANAGEMENT CONTROL FRAMEWORK

Top Mgt. Controls: Functions performed by Senior Management that include
Planning to determine goals of information systems function and means of
achieving goals; Organizing to gather, allocate, coordinate resources to
accomplish goals; Leading to motivate, communicate with personnel; and
Controlling to compare actual with planned performance.

Systems Development Mgt. Controls: Responsible for functions like analyzing,
designing, building, implementing, maintaining IS. This includes Problem
definition and Feasibility Assessment to find possible solutions and their
economic justification to resolve problems, Analysis of existing system to
study the existing structure, culture of the system, existing product &
information flows, Information processing system design involving elicitation
of detailed requirements, design of data flow, database, user interface,
physical design, h/w and s/w platform etc., H/w & S/w acquisition & procedures
development wherein vendors are selected based on evaluation criterion,
Acceptance testing/conversion to identify deficiencies in the system before
its release, Operation and Maintenance in which new system run as production
system & maintenance activities monitored carefully.

Programming Mgt. Controls: To acquire & implement high-quality programs.
Includes phases Planning that estimates the required resources for s/w
development, Design involves systematic approach to program design, Coding
use Top-down, Bottom-up approach, Testing to ensure developed program achieves
its goals, Operation & Maintenance that could be Repair, Adaptive, & Perfective
Maintenance & Control phase that monitor progress against all phases using
WBS, Gantt Charts, PERT.

Data Resource Mgt. Controls: Data must be available to users at a location and
form in which it is needed, data is modifiable & data integrity is preserved
etc. Includes controls like Definition Controls to comply with database
definition, Existence Controls ensure existence of database after data loss,
Access Controls prevent unauthorized access, Update Controls to restrict update
of database to authorized users only, Concurrency controls overcome data
integrity problems & Quality Controls ensure accuracy, completeness, & data
consistency.

Security Mgt. Controls: Ensure that IS assets are secure, recoverable after
disaster occurs. Includes DRP (how to recover from disaster & return to
normalcy) & Insurance (protection against losses).

Quality Assurance Mgt. Controls: To achieve quality goals & IS comply with set
of quality standards.

Operations Mgt. Controls: Responsible for daily running of h/w and software,
computer, n/w operations, file library etc. Includes Computer Operations to
directly support daily execution of test or production systems on h/w or s/w
platform, Network Operations involve functioning of n/w operations, monitoring
communication channels, devices etc., Data Preparation & Entry include keyboard
environments designed to promote speed/accuracy to maintain wellbeing of
operators, Production Controls include functions like receipt/dispatch of I/O;
job scheduling; mgt. of SLAs etc., File Library includes mgt. of storage media,
Documentation and Program Library ensures documentation stored securely;
up-to-date & adequate backup exists, Technical support assist end-users to
employ h/w & s/w, Capacity Planning & Performance Monitoring to identify
resource deficiencies, and Mgt. of Outsourced Operations involve monitoring
contracts.

Fig. 3.4.2: The Management Control Framework

THE APPLICATION CONTROL FRAMEWORK

Boundary Controls: Involves access control mechanism. This involves
Cryptographic Controls to transform data into codes that are meaningless for a
non-authenticated person, Access Controls that involve 3 steps: Identification,
Authentication, Authorization; PIN is a random number stored in database,
Digital Signatures to establish authenticity of e-documents, Plastic Cards to
store information required in an identification process and Audit Trail
Controls to log a user gaining system access.

Input Controls: Ensure accuracy of data to be inputted into application system.
This includes Data Code Control to reduce user error during data feeding, Batch
Controls to prevent/detect errors in batch, Validation of Data input Controls
detect errors in transaction data before data are processed & Audit Trail
Controls to log events from time data are captured and passed to other
subsystem.

Processing Controls: To compute, classify, sort and summarize data. This
includes Processor Controls to reduce expected losses from errors &
irregularities associated with processors, Real Memory Controls to
detect/correct errors that occur in memory cells and to protect areas of memory
assigned to a program from illegal access, VM Controls that map VM addresses
into real memory addresses, App. S/w Control to validate checks to identify
errors during data processing & Audit Trail Ctrls that log events b/w data I/O.

Database Controls: To protect integrity of database when app. s/w acts as
interface b/w user & database. This includes Access Controls to prevent
unauthorized access & use of data, Integrity Controls to ensure accuracy,
completeness, and uniqueness of instances, Application S/w Controls that
involve Update and Report Controls, Concurrency Controls that handle cases of
concurrency and deadlock, Cryptographic Controls used to maintain data
integrity, File Handling Controls to prevent accidental data destruction on
storage medium and Audit Trail Controls to log events in database definition or
database itself.

Communication Controls: Discuss exposures in communication subsystem, controls
over physical components, & channel access controls. Physical Component Ctrls
to mitigate effects of exposures, Line Error Ctrl to detect/correct error of
attenuation/distortion, Flow Controls to control rate at which data flows b/w
users, Link Controls to manage link b/w 2 nodes in a network, Topological
Controls to specify location & way nodes are linked, Channel Access Controls to
handle contention in channel, Control over Subversive threat require data to be
rendered useless in case of intrusion, Internetworking Controls to control n/w
connecting devices and Audit Trail Controls to log events from dispatch time of
a message to its receipt.

Output Controls: Ensure data delivered to users is presented, formatted,
delivered consistently. It includes Inference Controls to prevent compromise of
statistical database, Batch output production and distribution controls include
controls over file spooling, printing controls, report distribution controls,
storage controls etc., Batch Report Design controls to ensure compliance with
control procedures laid down for the output, Online output production and
Distribution Controls deal with establishing the output at source, distributing,
communicating, receiving, viewing, retaining and destroying output and Audit
Trail Controls to maintain log of events that occur b/w the time content of
output is determined to disposal of output.

Fig. 3.4.3: The Application Control Framework

B. The Application Control Framework


The objective of application controls is to ensure that data remains complete,
accurate and valid during its input, update and storage. The specific controls could
include form design, source document controls, input, processing and output
controls, media identification, movement and library management, data back-up
and recovery, authentication and integrity, legal and regulatory requirements. Any
function or activity that works to ensure the processing accuracy of an application
can be considered as application control. For example, a counter clerk at a bank is
required to perform various business activities as part of his/her job description
and assigned responsibilities. S/he can relate to the advantages of technology
when s/he is able to interact with the computer system from the perspective of
meeting his/her job objectives. Application System Controls involve ensuring that
individual application systems safeguard assets (reducing expected losses),
maintain data integrity (ensuring complete, accurate and authorized data)
and achieve objectives effectively and efficiently from the perspective of users
of the system from within and outside the organization.
An Audit Trail should record all the material events that occur within the boundary
subsystem to analyze and search for error or irregularities. Audit Trail Controls
attempt to ensure that a chronological record of all events that have occurred in a
system is maintained. This record is needed to answer queries, fulfill statutory
requirements, detect the consequences of error, and allow system monitoring and
tuning. Two types of audit trails that should exist in each subsystem are as follows:
♦ An Accounting Audit Trail to maintain a record of events within the
subsystem.
♦ An Operations Audit Trail to maintain a record of attempted or actual
resource consumption associated with each event in the subsystem.
I. Boundary Controls
The major controls of the boundary system are the access control mechanisms that
link authentic users to the resources they are authorized to access.
The boundary subsystem establishes the interface between the would-be user of a
computer system and the computer itself. Major Controls at the Boundary
subsystem are as follows:
(a) Cryptographic Controls: These are designed to protect the privacy of data
and prevent unauthorized modification of data by scrambling data. These
deal with programs for transforming data into cipher text that are
meaningless to anyone, who does not possess the authentication to access

the respective system resource or file. A cryptographic technique transforms
(encrypts) data (known as cleartext) into cryptograms (known as ciphertext)
and its strength depends on the time and cost to decipher the ciphertext by
a cryptanalyst. Three techniques of cryptography that are used are
Transposition (permute the order of characters within a set of data),
Substitution (replace text with a key-text) and Product Ciphers
(combination of transposition and substitution).
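The three techniques named above (transposition, substitution and their product), as an added example that is not part of the ICAI text: Python functions that write each one out so the cleartext-to-ciphertext transformation can be traced by hand, with a decrypt for each. The 5-letter transposition key and the permuted key alphabet are constructed; these are teaching ciphers that illustrate the technique, not algorithms a system would rely on.

```python
# Added example, not from the ICAI text. Teaching ciphers only: they show the
# three techniques the text names, not an algorithm fit for protecting data.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"


def transposition_encrypt(cleartext, key):
    """Columnar transposition: write the text in rows as wide as `key`, then
    read the columns out in the alphabetical order of the key's letters.
    Characters are kept; only their order changes. The last row is padded
    with 'X'. Key letters are assumed to be distinct."""
    cols = len(key)
    padded = cleartext + "X" * (-len(cleartext) % cols)
    rows = [padded[i:i + cols] for i in range(0, len(padded), cols)]
    order = sorted(range(cols), key=lambda c: key[c])
    return "".join(row[c] for c in order for row in rows)


def transposition_decrypt(ciphertext, key):
    """Refill the grid column by column in key order, then read it row by row.
    Any 'X' padding added on encryption is left in place."""
    cols = len(key)
    height = len(ciphertext) // cols
    order = sorted(range(cols), key=lambda c: key[c])
    grid = [[""] * cols for _ in range(height)]
    pos = 0
    for c in order:
        for r in range(height):
            grid[r][c] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid)


def substitution_encrypt(cleartext, key_alphabet):
    """Monoalphabetic substitution: the i-th plain letter becomes the i-th
    letter of the 26-letter key alphabet (the 'key-text')."""
    return cleartext.upper().translate(str.maketrans(ALPHABET, key_alphabet))


def substitution_decrypt(ciphertext, key_alphabet):
    return ciphertext.translate(str.maketrans(key_alphabet, ALPHABET))


def product_encrypt(cleartext, key_alphabet, trans_key):
    """Product cipher: substitute first, then transpose the result."""
    return transposition_encrypt(substitution_encrypt(cleartext, key_alphabet), trans_key)


def product_decrypt(ciphertext, key_alphabet, trans_key):
    """Undo the layers in reverse order."""
    return substitution_decrypt(transposition_decrypt(ciphertext, trans_key), key_alphabet)


if __name__ == "__main__":
    # Constructed keys: a 5-letter transposition key and a permuted alphabet.
    text, tkey, kalpha = "APPROVEDPAYMENT", "CRYPT", "QWERTYUIOPASDFGHJKLZXCVBNM"
    print(transposition_encrypt(text, tkey))          # AVYRPNPEMOATPDE
    print(substitution_encrypt(text, kalpha))         # QHHKGCTRHQNDTFZ
    print(product_encrypt(text, kalpha, tkey))        # QCNKHFHTDGQZHRT
```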
(b) Access Controls: These controls restrict the use of computer system
resources to authorized users, limit the actions authorized users can take
with these resources and ensure that users obtain only authentic
computer system resources. The access control mechanism involves three
steps: Identification, Authentication and Authorization.
o Identification is done by the user, by providing the unique user
id or account number allotted to him/her.
o Authentication mechanism is used for proving the identity with the
help of a password which may involve personal characteristics like
name, birth date, employee code, designation or a combination of
two or more of these. Biometric identification including thumb or
finger impression, eye retina etc. and information stored in
identification cards can also be used in an authentication process.
o Authorization refers to the set of actions allowed to a user once
authentication is done successfully. For example – Read, Write,
Print, etc. permissions allowed to an individual user.
An access control mechanism is used to enforce an access control policy;
such policies are mainly of two types - Discretionary Access Control and
Mandatory Access Control policies (already discussed in Chapter 2).
(c) Personal Identification Numbers (PIN): As already discussed before, a PIN
is a form of remembered information used to authenticate users, for
example to verify customers in electronic fund transfer systems. A PIN is
like a password assigned to a user by an institution: a random number
stored in its database independent of the user's identification details.
The life cycle of a PIN has several phases: (a) Generation of the PIN;
(b) Issuance and delivery of the PIN to users; (c) Validation of the PIN
upon entry at the terminal device; (d) Transmission of the PIN across
communication lines; (e) Processing of the PIN; (f) Storage of the PIN;
(g) Change of the PIN; (h) Replacement of the PIN; and (i) Termination
of the PIN.
A PIN may be exposed to vulnerabilities at any stage of its life cycle and
therefore, controls need to be put in place and working to reduce
exposures to an acceptable level.
(d) Digital Signatures: Establishing the authenticity of persons and
preventing the denial of messages or contracts are critical requirements
when data is exchanged in electronic form. A Digital Signature (a string
of 0's and 1's) serves as the counterpart of a handwritten (analog)
signature for such e-documents. Unlike analog signatures, Digital
Signatures are not constant: they vary from message to message and
cannot be forged.
(e) Plastic Cards: We may recall that while PINs and Digital Signatures are
used for authentication purposes, plastic cards are used primarily for
identification purposes. The card life cycle includes the phases of
application for a card, preparation of the card, issue of the card, use of
the card, and card return or card termination.
(f) Audit Trail Controls: This maintains the chronology of events that occur
when a user attempts to gain access to and employ systems resources. The
events associated with both types of audit trail control are given below in
Table 3.4.6:
Table 3.4.6: Audit Trail Controls - Boundary Control
Accounting Audit Trail: All material application-oriented events occurring
within the boundary subsystem should be recorded. These may include the data
related to the identity of the would-be user of the system; authentication
information supplied; resources requested/provided or denied; terminal
identifier and start/finish time; number of sign-on attempts; and action
privileges allowed/denied.
Operations Audit Trail: This includes details like resource usage from log-on
to log-out time and a log of resource consumption.
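An added Python example, not from the textbook, that ties together the three access control steps of item (b) and the accounting audit trail of Table 3.4.6: a constructed user directory, a sign-on that first identifies the supplied user id and then authenticates the password against a salted PBKDF2 hash (compared in constant time), authorization against a per-user privilege set, and an in-memory trail that records every attempt with user id, terminal, attempt number, resource requested and whether it was granted. User ids, passwords, terminal ids, resource names and the PBKDF2 iteration count are assumptions.

```python
import hashlib
import hmac
import os
import time

ITERATIONS = 200_000  # PBKDF2 work factor (assumed; tune to the platform)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(password, privileges):
    """Credential record: the clear password is never stored, only a salted hash."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _hash_password(password, salt),
            "privileges": frozenset(privileges)}


# Constructed user directory keyed by the user id allotted to each person.
USERS = {
    "u1001": make_user("correct-horse-battery-staple", {"Read", "Write"}),
    "u1002": make_user("another-long-passphrase", {"Read"}),
}

AUDIT_TRAIL = []  # accounting audit trail for the boundary subsystem


def _record(event, **details):
    entry = {"time": time.time(), "event": event, **details}
    AUDIT_TRAIL.append(entry)
    return entry


def sign_on(user_id, password, terminal_id, attempt=1):
    """Identification (look up the supplied user id) then authentication
    (compare the password hash in constant time). Returns a session or None."""
    record = USERS.get(user_id)
    if record is None:
        _record("sign-on denied", user_id=user_id, terminal=terminal_id,
                attempt=attempt, reason="unknown user id")
        return None
    candidate = _hash_password(password, record["salt"])
    if not hmac.compare_digest(candidate, record["hash"]):
        _record("sign-on denied", user_id=user_id, terminal=terminal_id,
                attempt=attempt, reason="bad password")
        return None
    _record("sign-on granted", user_id=user_id, terminal=terminal_id,
            attempt=attempt)
    return {"user_id": user_id, "terminal": terminal_id, "start": time.time()}


def request_resource(session, resource, action):
    """Authorization: the action is allowed only if it is in the user's
    privilege set; the request and its outcome are logged either way."""
    granted = action in USERS[session["user_id"]]["privileges"]
    _record("resource request", user_id=session["user_id"],
            terminal=session["terminal"], resource=resource,
            action=action, granted=granted)
    return granted


def sign_off(session):
    """Close the session and record the finish time; returns session length."""
    entry = _record("sign-off", user_id=session["user_id"],
                    terminal=session["terminal"], start=session["start"])
    return entry["time"] - session["start"]
```

The trail deliberately records the denied attempts as well as the granted one; a run of "sign-on denied" entries for one user id from one terminal is the pattern the operations side would review.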

II. Input Controls


Data that is presented to an application as input data must be validated for
authorization, reasonableness, completeness, accuracy, and integrity. These
controls are responsible for ensuring the accuracy and completeness of data and
instructions input into an application system. Input controls are important and
critical since substantial time is spent on data input, which involves human
intervention and is therefore error and fraud prone. Input controls are of the
following types, as shown in Fig. 3.4.4:

Fig. 3.4.4: Classification of Input Controls


In systems that use physical source documents to initiate transactions, careful
control must be exercised over these instruments. Source document fraud can be
used to remove assets from the organization. For example- an individual with
access to purchase orders and receiving reports could fabricate a purchase
transaction to a non-existent supplier. In the absence of other compensating
controls to detect this type of fraud, the system would create an account payable
and subsequently write a cheque for payment. To control against this type of
exposure, an organization must implement control procedures over source
documents to account for each document.
(a) Data Code Controls: These controls are aimed at reducing the user error
during data feeding. Two types of errors - Transcription and Transposition
errors can corrupt a data code and cause processing errors. Any of these
errors can cause serious problems in data processing if they go undetected.
These simple errors can severely disrupt operations.
• Transcription Errors: It is a special type of data entry error that is
commonly made by human operators or by Optical Character
Recognition (OCR) programs. These can be Addition errors (when an
extra digit is added to the code); Truncation Errors (when a digit is
removed from the code) and Substitution Errors (replacement of a
digit in a code with another).
• Transposition Errors: It is a simple error of data entry that occurs when
two digits, either standing alone or forming part of a larger sequence of
numbers, are reversed (transposed) when posting a transaction. For
example, a sales order for customer 987654 that is transposed into
897654 will be posted to the wrong customer’s account. A similar error
in an inventory item code on a purchase order could result in ordering
unneeded inventory and failing to order inventory that is needed.

(b) Batch Controls: Batching is the process of grouping together transactions
that bear some type of relationship to each other. Various controls can be
exercised over the batch to prevent or detect errors or irregularities. To
identify errors or irregularities in either a physical or logical batch, three types
of control totals are used, as follows:
• Financial Totals: Grand totals calculated for each field containing
monetary amounts. For example - the total salary paid to employees of
an organization can be totaled using DA, TA, house allowance, medical
and PF etc.
• Hash Totals: Grand totals calculated for any code on a document in the
batch, e.g., the source document serial numbers can be totaled.
• Document/Record Counts: Grand totals for the number of documents /
records in a batch.
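An added Python example (constructed data, not from the textbook) showing the three control totals computed on a small batch of sales orders and reconciled after keying. The hash total on the customer code is what exposes the transposition 987654 to 897654 from the Data Code Controls item above: the financial total and record count are unchanged by that error, whereas a dropped document disturbs all three. Document numbers, customer codes and amounts are constructed.

```python
# Constructed batch as it left the originating department (not from the page).
BATCH_SUBMITTED = [
    {"doc_no": 1001, "customer": 987654, "amount": 1250.00},
    {"doc_no": 1002, "customer": 123456, "amount": 310.50},
    {"doc_no": 1003, "customer": 555555, "amount": 99.99},
]


def control_totals(records):
    """The three control totals the text describes, computed on one batch."""
    return {
        # Financial total: grand total of the monetary field
        "financial_total": round(sum(r["amount"] for r in records), 2),
        # Hash total: meaningless sum of a code field, kept only for comparison
        "hash_total": sum(r["customer"] for r in records),
        # Document/record count
        "record_count": len(records),
    }


def reconcile(expected, actual):
    """Names of the totals that disagree between the batch header prepared
    before keying and the totals recomputed from the keyed records.
    An empty list means the batch passes."""
    return [name for name in expected if expected[name] != actual[name]]


def key_batch(records, mistakes=None):
    """Simulate data entry: copy the batch, applying keying mistakes given as
    {doc_no: {field: wrong_value}} so their effect on the totals can be seen."""
    mistakes = mistakes or {}
    return [{**r, **mistakes.get(r["doc_no"], {})} for r in records]
```

A batch header carrying these three figures travels with the physical documents; the keyed batch is released for processing only when `reconcile` returns an empty list, otherwise the named total tells the operator which kind of error to look for.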
(c) Validation of Data Input Control: Input validation controls are intended to
detect errors in the transaction data before the data are processed. These
errors need to be corrected and if not corrected, the same should be written
immediately to an error file. Some of these controls include the following:
• Field check: It involves programmed procedures that examine the
characters of the data in the field. This includes the checks like Limit
Check (against predefined limits), Picture Checks (against entry into
processing of incorrect/invalid characters), Valid check codes (against
predetermined transactions codes, tables) etc.
• Record Check: This includes the reasonableness check of whether the
value specified in a field is reasonable for that particular field; Valid
sign to determine which sign is valid for a numeric field and Sequence
Check to follow a required order matching with logical records etc.
• Batch Check: This includes the checks like the transaction type if all
input records in a batch are of particular type; sequence check if input
records are in a particular order or not etc.
• File Check: This includes file’s version usage; internal and external
labeling; data file security; file updating and maintenance authorization
etc.
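An added Python example, not from the textbook, of the validation checks above run over constructed sales-order records: field checks (picture, valid code, limit), record checks (valid sign, reasonableness) and batch checks (transaction type, sequence). Records that fail are written immediately to an error file, one JSON line each, instead of being passed on for processing. The valid-code table, the amount limit, the quantity range and the field names are assumptions.

```python
import io
import json

VALID_TXN_CODES = {"SAL", "RET", "ADJ"}   # valid-code table (constructed)
AMOUNT_LIMIT = 50_000.00                   # limit-check threshold (constructed)


def field_checks(rec):
    """Field checks: picture (format), valid code and limit checks on single fields."""
    errors = []
    customer = str(rec.get("customer", ""))
    if not (customer.isdigit() and len(customer) == 6):
        errors.append("picture check: customer code must be exactly 6 digits")
    if rec.get("txn_code") not in VALID_TXN_CODES:
        errors.append("valid code check: unknown txn_code %r" % rec.get("txn_code"))
    amount = rec.get("amount")
    if not isinstance(amount, (int, float)) or abs(amount) > AMOUNT_LIMIT:
        errors.append("limit check: amount missing, non-numeric or beyond limit")
    return errors


def record_checks(rec):
    """Record checks: relationships between the fields of one record."""
    errors = []
    amount, qty, code = rec.get("amount"), rec.get("quantity"), rec.get("txn_code")
    if isinstance(amount, (int, float)):
        # valid sign: sales are positive, returns are negative
        if (code == "SAL" and amount < 0) or (code == "RET" and amount > 0):
            errors.append("valid sign check: sign of amount inconsistent with txn_code")
    # reasonableness: a single order line would not carry more than 1,000 units
    if not isinstance(qty, int) or not 1 <= qty <= 1000:
        errors.append("reasonableness check: quantity outside 1..1000")
    return errors


def batch_checks(records, expected_type="SAL"):
    """Batch checks: every record is of the expected type and in sequence."""
    errors = []
    if any(r.get("txn_code") != expected_type for r in records):
        errors.append("transaction type check: batch contains mixed transaction types")
    doc_nos = [r.get("doc_no") for r in records]
    if doc_nos != sorted(doc_nos):
        errors.append("sequence check: document numbers not in ascending order")
    return errors


def validate_batch(records, error_file, expected_type="SAL"):
    """Run field and record checks on each record; rejected records go straight
    to the error file. Returns (accepted records, batch-level errors)."""
    accepted = []
    for rec in records:
        problems = field_checks(rec) + record_checks(rec)
        if problems:
            error_file.write(json.dumps({"record": rec, "errors": problems}) + "\n")
        else:
            accepted.append(rec)
    return accepted, batch_checks(records, expected_type)
```

`error_file` can be any text stream (`open("errors.jsonl", "a")` in practice, `io.StringIO()` when testing), which keeps the rejected records and the reason for rejection together for the correction cycle.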
(d) Audit Trail Controls: This maintains the chronology of events from the time
data and instructions are captured and entered into an application system
until the time they are deemed valid and passed onto other subsystems within
the application system (Refer Table 3.4.7).
Table 3.4.7: Audit Trail Controls - Input Controls
Accounting Audit Trail: This must record the origin, contents, and timing of
transactions entered into the application system, thus involving the details
regarding the identity of the person (organization) who was the source of the
data and who entered the data into the system; the time and date when the data
was captured; the identifier of the physical device used to enter the data into
the system; the account or record to be updated by the transaction; the standing
data to be updated by the transaction; the details of the transaction; and the
number of the physical or logical batch to which the transaction belongs.
Operations Audit Trail: Some of the data that might be collected include the
time to key in a source document or an instrument at a terminal; the number of
read errors made by an optical scanning device; the number of keying errors
identified during verification; the frequency with which an instruction in a
command language is used; and the time taken to invoke an instruction using
different input devices like a light pen or mouse.
III. Communication Controls
These address exposures in the communication subsystem: controls over physical
components, communication line errors, flows and links, topological controls,
channel access controls, controls over subversive attacks, internetworking controls,
communication architecture controls, and audit trail controls. Some communication
controls are as follows:
(a) Physical Component Controls: In the communications subsystem, the
physical components shall have characteristics that make them reliable
and incorporate features and controls that mitigate the possible effects
of exposures. Major physical components that affect the reliability of
communication subsystem are Transmission media, Communication
lines, Modem, Port protection devices, Multiplexers, and Concentrators
etc.
(b) Line Error Controls: Whenever data is transmitted over a communication
line, it can be received in error because of attenuation, distortion, or noise
that occurs on the line. These errors must be detected and corrected.
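An added Python example, not from the textbook, of the detect-and-correct requirement just stated: an even-parity bit on a frame detects a single flipped bit but cannot say which one (the frame must be retransmitted), while a Hamming(7,4) code on each 4-bit group locates and corrects a single flipped bit. The noisy line is simulated by flipping chosen bit positions of a constructed frame; the frame contents and flip positions are assumptions.

```python
def parity_bit(bits):
    """Even parity: the extra bit makes the number of 1s even."""
    return sum(bits) % 2


def parity_check(bits_with_parity):
    """True when the frame passes; a single flipped bit is detected but its
    position is unknown, so the frame has to be retransmitted."""
    return sum(bits_with_parity) % 2 == 0


def hamming_encode(data):
    """Hamming(7,4): data bits d1..d4 plus parity bits p1, p2, p3 placed at
    positions 1, 2 and 4 of the 7-bit code word."""
    d1, d2, d3, d4 = data
    p1 = d1 ^ d2 ^ d4
    p2 = d1 ^ d3 ^ d4
    p3 = d2 ^ d3 ^ d4
    return [p1, p2, d1, p3, d2, d3, d4]


def hamming_decode(code):
    """Recompute the three parity checks; their pattern (the syndrome) is the
    1-based position of a single flipped bit, or 0 when no error is seen.
    Returns (corrected data bits, syndrome)."""
    p1, p2, d1, p3, d2, d3, d4 = code
    s1 = p1 ^ d1 ^ d2 ^ d4   # covers positions 1, 3, 5, 7
    s2 = p2 ^ d1 ^ d3 ^ d4   # covers positions 2, 3, 6, 7
    s3 = p3 ^ d2 ^ d3 ^ d4   # covers positions 4, 5, 6, 7
    syndrome = s1 + 2 * s2 + 4 * s3
    corrected = list(code)
    if syndrome:
        corrected[syndrome - 1] ^= 1
    return [corrected[2], corrected[4], corrected[5], corrected[6]], syndrome


def transmit(bits, flip_positions=()):
    """Simulated line noise: flip the 0-based positions given (constructed)."""
    received = list(bits)
    for pos in flip_positions:
        received[pos] ^= 1
    return received
```

Both schemes are single-error schemes: two flipped bits in one frame defeat parity entirely and make Hamming(7,4) "correct" the wrong position, which is why real links pair a stronger detecting code (a CRC) with retransmission rather than relying on correction alone.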

(c) Flow Controls: Flow controls are needed because two nodes in a network
can differ in the rate at which they can send, receive, and process data.
For example, data transmission between a mainframe and a microcomputer
may become erroneous because of the difference in their speed and storage
capacity. Flow controls are therefore used to prevent the mainframe
flooding the microcomputer and, as a result, data being lost.
(d) Link Controls: In Wide Area Network (WAN), line error control and flow
control are important functions in the component that manages the link
between two nodes in a network. The way these link-management
components operate is specified via a protocol.
(e) Topological Controls: A communication network topology specifies the
location of nodes within a network, the ways in which these nodes will
be linked, and the data transmission capabilities of the links between the
nodes. The network must be available for use at any one time by a given
number of users that may require alternative hardware, software, or
routing of messages.
(f) Channel Access Controls: Two different nodes in a network can compete to
use a communication channel simultaneously, leading to the possibility of
contention for the channel existing. Therefore, some type of channel access
control techniques like polling method (defining an order in which a node
can gain access to a channel capacity) or contention method (nodes in
network must compete with each other to gain access to a channel) must be
used.
(g) Controls over Subversive Threats: Firstly, physical barriers need to be
established around the data traversing the subsystem. Secondly, in case
an intruder has somehow gained access to the data, the data needs to be
rendered useless to the intruder when such access occurs.
(h) Internetworking Controls: Different internetworking devices like bridge,
router, gateways are used to establish connectivity between
homogeneous or heterogeneous networks. Therefore, several control
functions in terms of access control mechanisms, security and reliability
of the networks are required to be established.
(i) Audit Trail Controls: This maintains a chronology of the events from the time
a sender dispatches a message to the time a receiver obtains the message.
A few examples of data items that might be kept in both types of audit trail are
shown in Table 3.4.8.
Table 3.4.8: Audit Trail Controls - Communication Controls
Accounting Audit Trail: This includes the collection of data like the unique
identifier of the source, the destination and each node that the message
traverses; the unique identifier of the person or process authorizing dispatch
of the message; the time and date at which the message was dispatched and
received by the sink node; the time and date at which each node in the network
was traversed by the message; the message sequence number; and the image of
the message received at each node traversed in the network.
Operations Audit Trail: This includes details like the number of messages that
have traversed each link and each node; queue lengths at each node; the number
of errors occurring on each link or at each node; the number of retransmissions
that have occurred across each link; a log of errors to identify locations and
patterns of errors; a log of system restarts; and message transit times between
nodes and at nodes.

IV. Processing Controls


The processing subsystem is responsible for computing, sorting, classifying, and
summarizing data. Its major components are the Central Processor in which
programs are executed, the real or virtual memory in which program instructions
and data are stored, the operating system that manages system resources, and the
application programs that execute instructions to achieve specific user
requirements. Some of these controls are as follows:
(a) Processor Controls: Table 3.4.9 lists the controls to reduce expected
losses from errors and irregularities associated with central processors.
Table 3.4.9: Processor Controls
Error Detection and Correction: Occasionally, processors might malfunction
because of design errors, manufacturing defects, damage, fatigue,
electromagnetic interference, and ionizing radiation. The failure might be
transient (disappears after a short period), intermittent (reoccurs
periodically), or permanent (does not correct with time). For transient and
intermittent errors, re-tries and re-execution might be successful, whereas for
permanent errors, the processor must halt and report the error.
Multiple Execution States: It is important to determine the number and nature
of the execution states enforced by the processor. This helps auditors to
determine which user processes will be able to carry out unauthorized
activities, such as gaining access to sensitive data maintained in memory
regions assigned to the operating system or other user processes.
Timing Controls: An operating system might get stuck in an infinite loop. In
the absence of any control, the program will retain use of the processor and
prevent other programs from undertaking their work.
Component Replication: In some cases, processor failure can result in
significant losses. Redundant processors allow errors to be detected and
corrected. If processor failure is permanent in multicomputer or
multiprocessor architectures, the system might reconfigure itself to isolate
the failed processor.

(b) Real Memory Controls: This comprises the fixed amount of primary storage
in which programs or data must reside for them to be executed or referenced
by the central processor. Real memory controls seek to detect and correct
errors that occur in memory cells and to protect areas of memory assigned to a
program from illegal access by another program.
(c) Virtual Memory Controls: Virtual Memory exists when the addressable
storage space is larger than the available real memory space. To achieve this
outcome, a control mechanism must be in place that maps virtual memory
addresses into real memory addresses. When an executing program
references virtual memory addresses, the mechanism then translates these
addresses into real memory addresses.
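An added Python model, not from the textbook, of the two memory controls just described: each program has its own page table mapping virtual page numbers to real frames together with access rights, the translation step refuses an address whose page is not mapped or whose access is not permitted, and a check confirms that two programs' tables do not share a frame. The page size, frame numbers, rights and program names are assumptions.

```python
PAGE_SIZE = 256  # assumed page/frame size in bytes


class MemoryViolation(Exception):
    """Raised by the mapping mechanism instead of letting an illegal access proceed."""


class AddressSpace:
    """Per-program page table: virtual page number -> (real frame, rights)."""

    def __init__(self, program, page_table):
        self.program = program
        self.page_table = dict(page_table)

    def translate(self, vaddr, access):
        """Map a virtual address to a real address, enforcing the page's rights."""
        vpn, offset = divmod(vaddr, PAGE_SIZE)
        entry = self.page_table.get(vpn)
        if entry is None:
            raise MemoryViolation(f"{self.program}: virtual page {vpn} not mapped (page fault)")
        frame, rights = entry
        if access not in rights:
            raise MemoryViolation(f"{self.program}: {access} access to page {vpn} not permitted")
        return frame * PAGE_SIZE + offset

    def frames(self):
        return {frame for frame, _ in self.page_table.values()}


def disjoint(a, b):
    """Real memory control: two programs' page tables must not share a frame
    (this model has no intentional sharing)."""
    return not (a.frames() & b.frames())


# Constructed layout: frame 0 belongs to the operating system and is mapped
# read-only into program A; frames 1 and 2 are private to A and B respectively.
PROGRAM_A = AddressSpace("A", {0: (0, "r"), 1: (1, "rw")})
PROGRAM_B = AddressSpace("B", {0: (2, "rw")})


def safe_translate(space, vaddr, access):
    """Return the real address, or the violation message when access is refused."""
    try:
        return space.translate(vaddr, access)
    except MemoryViolation as exc:
        return str(exc)
```

Program B has no page-table entry naming frame 1, so there is no virtual address through which it can reach A's private data: the protection comes from the mapping itself, not from a check on each byte.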
(d) Application Software Controls: These perform validation checks to identify
errors during processing of data. These are required to ensure both the
completeness and the accuracy of data being processed. Normally, the
processing controls are enforced through database management system that
stores the data. However, adequate controls should be enforced through the
front-end application system also to have consistency in the control process.
(e) Audit Trail Controls: This maintains the chronology of events from the time
data is received from the input or communication subsystem to the time data
is dispatched to the database, communication, or output subsystems. Table
3.4.10 shows the Audit Trail Controls of Processing Controls.
Table 3.4.10: Audit Trail Controls - Processing Controls
Accounting Audit Trail: This includes data items that make it possible to trace
and replicate the processing performed on a data item that enters the
processing subsystem; to follow triggered transactions from end to end by
monitoring input data entry, intermediate results and output data values; to
check for the existence of any data flow diagrams or flowcharts that describe
the data flow in the transaction, and whether such diagrams or flowcharts
correctly identify the flow of data; and to check whether audit log entries
recorded the changes made in the data items at any time, including who made
them.
Operations Audit Trail: This includes a comprehensive log on hardware
consumption (CPU time used, secondary storage space used, and communication
facilities used) and a comprehensive log on software consumption (compilers,
subroutine libraries, file management facilities and communication software
used).

V. Database Controls
These controls are used within application software to maintain the integrity of
data, to prevent integrity violations when multiple programs have concurrent
access to data, and to preserve data privacy within the database subsystem.
(a) Access Controls: These controls in database subsystem seek to prevent
unauthorized access to and use of the data. A security policy has to be
specified followed by choosing an access control mechanism that will
enforce the policy chosen. If database is replicated, the same access
control rules must be enforced by access control mechanism at each site.
(b) Integrity Controls: These are required to ensure that the accuracy,
completeness, and uniqueness of instances used within the data or
conceptual modeling are maintained. Integrity Constraints are
established to specify the type of relationship and consistency among
rows (tuple) in relationship.
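An added example, not from the textbook, of integrity constraints enforced by the DBMS itself rather than by the application, using Python's built-in sqlite3 on a constructed two-table schema: a primary key (each row unique and identifiable), a foreign key (every order must refer to an existing customer, which also catches the transposed customer code from the input controls section) and CHECK constraints (domain rules on amounts). Table and column names are assumptions. SQLite enforces foreign keys only when the pragma is switched on for the connection, which is itself a configuration control worth checking.

```python
import sqlite3


def build_db():
    """In-memory database with the integrity constraints declared in the schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # SQLite ignores REFERENCES otherwise
    conn.executescript("""
        CREATE TABLE customer (
            customer_id  INTEGER PRIMARY KEY,            -- entity integrity
            name         TEXT    NOT NULL,
            credit_limit REAL    NOT NULL CHECK (credit_limit >= 0)
        );
        CREATE TABLE sales_order (
            order_no    INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL
                        REFERENCES customer(customer_id),   -- referential integrity
            amount      REAL    NOT NULL CHECK (amount > 0) -- domain rule
        );
        INSERT INTO customer VALUES (987654, 'Acme Ltd', 50000.0);
    """)
    return conn


def try_insert(conn, sql, params):
    """Attempt one insert inside a transaction; on a constraint violation the
    DBMS rejects the row and the transaction is rolled back."""
    try:
        with conn:
            conn.execute(sql, params)
        return "ok"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"


def order_count(conn):
    return conn.execute("SELECT COUNT(*) FROM sales_order").fetchone()[0]
```

Because the rules live in the schema, every program that reaches the database, including ad hoc tools, is held to them; application-level validation (the input controls earlier) remains useful for giving the user a better error message sooner.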
(c) Application Software Controls: When application software acts as an
interface to interact between the user and the database, the DBMS
depends on application software to pass across a correct sequence of
commands and update parameters so that appropriate actions can be
taken when certain types of exception condition arise. This is achieved
through Update Controls that ensure that changes to the database reflect
changes to the real-world entities and associations between entities that
data in the database is supposed to represent and Report Controls that
identify errors or irregularities that may have occurred when the
database has been updated.
(d) Concurrency Controls: These are required to address the situation that
arises either due to simultaneous access to the same database or due to
deadlock.
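An added Python example (not from the textbook) of both situations the text names. For simultaneous access, two transactions read the same balance and both write: first with no control, which loses one debit, then with an optimistic version check that refuses the stale write and makes the later transaction re-read. For deadlock, a two-account transfer acquires locks in a fixed account-number order so that two transfers in opposite directions cannot each hold one lock while waiting for the other. Account numbers, balances and the debit amounts are constructed.

```python
import threading


class StaleUpdate(Exception):
    """The row changed after it was read; the caller must re-read and retry."""


class VersionedRow:
    """A database row carrying a version number for optimistic concurrency control."""

    def __init__(self, balance):
        self.balance = balance
        self.version = 0

    def read(self):
        return self.balance, self.version

    def write(self, new_balance, expected_version):
        if expected_version != self.version:
            raise StaleUpdate(f"row is at version {self.version}, not {expected_version}")
        self.balance = new_balance
        self.version += 1


def lost_update(start):
    """Two transactions interleave read/read/write/write with no control:
    the second write silently overwrites the first debit."""
    row = VersionedRow(start)
    b1, _ = row.read()        # T1 reads
    b2, _ = row.read()        # T2 reads the same value
    row.balance = b1 - 300    # T1 writes (bypassing the version check on purpose)
    row.balance = b2 - 500    # T2 writes: T1's debit of 300 is lost
    return row.balance


def guarded_update(start):
    """Same interleaving with the version check: T2's write is refused as
    stale, so it re-reads and applies its debit to the current balance."""
    row = VersionedRow(start)
    b1, v1 = row.read()
    b2, v2 = row.read()
    row.write(b1 - 300, v1)
    try:
        row.write(b2 - 500, v2)
    except StaleUpdate:
        b2, v2 = row.read()
        row.write(b2 - 500, v2)
    return row.balance


class Account:
    def __init__(self, acct_no, balance):
        self.acct_no = acct_no
        self.balance = balance
        self.lock = threading.Lock()


def transfer(src, dst, amount):
    """Deadlock avoidance: always take the locks in account-number order, so
    transfer(a, b) and transfer(b, a) can never each hold one lock and wait."""
    first, second = sorted((src, dst), key=lambda acct: acct.acct_no)
    with first.lock:
        with second.lock:
            if src.balance < amount:
                return False
            src.balance -= amount
            dst.balance += amount
            return True
```

The version check is the optimistic form of concurrency control (detect the conflict at write time); the ordered locks are the pessimistic form (prevent the conflicting interleaving). Real DBMSs offer both, and the audit trail in Table 3.4.11 is where a retried or refused write should leave a trace.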
(e) Cryptographic Controls: (Already discussed under Boundary Controls)
These controls can be well used for protecting the integrity of data stored
in the database using block encryption.
(f) File Handling Controls: These controls are used to prevent accidental
destruction of data contained on a storage medium. These are exercised
by hardware, software, and the operators or users who load/unload
storage media.
(g) Audit Trail Controls: The audit trail maintains the chronology of events that
occur either to the database definition or the database itself as shown in
Table 3.4.11.
Table 3.4.11: Audit Trail Controls - Database Controls
Accounting Audit Trail: This includes the data items needed to confirm whether
an application properly accepts, processes, and stores information; to attach a
unique time stamp to all transactions; to attach before-images and after-images
of the data item on which a transaction is applied to the audit trail; to record
any modifications or corrections to audit trail transactions accommodating the
changes that occur within an application system; and not only to test the
stated input, calculation, and output rules for data integrity, but also to
assess the efficacy of the rules themselves.
Operations Audit Trail: This maintains a chronology of resource consumption
events that affect the database definition or the database.

VI. Output Controls

These controls ensure that the data delivered to users will be presented, formatted,
and delivered in a consistent and secured manner. Output can be in any form: it
can either be a printed data report or a database file on removable media. Various
Output Controls are as follows:
(a) Inference Controls: These are used to prevent compromise of statistical
databases from which users can obtain only aggregate statistics rather
than the values of individual data items. These are restriction controls
which limit the set of responses provided to users to try to protect the
confidentiality of data about persons in the database.
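An added Python example, not from the textbook, of a query-set-size restriction on a constructed personnel table: a statistical query is answered only when the number of records it covers lies between k and n-k, so that neither a very small group (which would reveal an individual's value) nor its complement (which would reveal the same value by subtraction from the grand total) is released. The records and the value of k are assumptions.

```python
# Constructed statistical database: (employee, department, salary).
RECORDS = [
    ("E01", "Finance", 52000), ("E02", "Finance", 61000),
    ("E03", "Finance", 58000), ("E04", "Finance", 49000),
    ("E05", "Ops", 43000), ("E06", "Ops", 45000), ("E07", "Ops", 47000),
    ("E08", "Audit", 90000),   # the only person in Audit
]

MIN_QUERY_SET = 3  # k: smallest group about which an aggregate may be released


def statistical_query(records, predicate, stat="sum", k=MIN_QUERY_SET):
    """Release an aggregate only if the query set size m satisfies k <= m <= n - k.
    Returns (value, m) when released, or (None, m) when the query is refused."""
    matched = [r for r in records if predicate(r)]
    n, m = len(records), len(matched)
    if m < k or m > n - k:
        return None, m     # refused: too few people, or the complement would be too few
    salaries = [r[2] for r in matched]
    if stat == "sum":
        return sum(salaries), m
    if stat == "mean":
        return sum(salaries) / m, m
    if stat == "count":
        return m, m
    raise ValueError(f"unsupported statistic {stat!r}")


def department_total(dept):
    return statistical_query(RECORDS, lambda r: r[1] == dept)


def everyone_except(dept):
    """The complement query; it is refused by the same rule so that the small
    group cannot be recovered by subtracting it from the grand total."""
    return statistical_query(RECORDS, lambda r: r[1] != dept)
```

Query-set-size control is the simplest inference control and is known to be insufficient on its own against sequences of overlapping queries; production statistical systems add further restrictions (overlap limits, noise, or differential privacy budgets) on top of it.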
(b) Batch Output Production and Distribution Controls: Batch output in the
form of tables, graphs or images etc. is produced at some operations
facility and distributed to users of the output. This includes several
controls:
• Report program execution Controls to ensure that only authorized users
are permitted to execute batch report programs and that these events are
logged and monitored;
• Spooling file Controls: spooling lets users continue working while a
queue of documents waits to be printed on a particular printer; these
controls ensure that the waiting files are not subject to unauthorized
modification;
• Printing Controls to ensure that output is made on the correct printer
and that unauthorized disclosure of printed information does not take
place;
• Report collection Controls to ensure that reports are collected
immediately and secured to avoid unauthorized disclosure and data
leakage;
• User/Client service Review Controls to ensure users obtain higher
quality output and that errors or irregularities in output are detected;
• Report distribution Controls ensuring that the time gap between
generation and distribution of reports is reduced, and that a log is
maintained of the reports that were generated and to whom they were
distributed;
• User output Controls to ensure that users review output on a timely
basis;
• Storage Controls to ensure proper preservation of output in an ideal
environment, secured storage of output and appropriate inventory
controls over the stored output; and
• Retention and Destruction Controls in terms of deciding the time
duration for which the output shall be retained and then destroyed when
no longer required.
(c) Batch Report Design Controls: Batch report design features should
comply with the control procedures laid down for them during the output
process. The information incorporated in a well-designed batch report
shall facilitate its flow through the output process and the execution of
controls.
(d) Online Output Production and Distribution Controls: These deal with the
controls to be considered at the various phases of establishing the output
at the source, distributing, communicating, receiving, viewing, retaining
and destroying the output:
• Source Controls ensure that output which can be generated or accessed
online is authorized, complete and timely;
• Distribution Controls prevent unauthorized copying of online output
when it is distributed to a terminal;
• Communication Controls reduce exposures from attacks during
transmission;
• Receipt Controls evaluate whether the output should be accepted or
rejected;
• Review Controls ensure timely action by the intended recipients on the
output;
• Disposition Controls educate employees on the actions that can be taken
on the online output they receive;
• Retention Controls evaluate for how long the output is to be retained;
and
• Deletion Controls delete the output once it has expired.
(e) Audit Trail Controls: The audit trail maintains the chronology of events that
occur from the time the content of the output is determined until the time
users complete their disposal of output because it no longer should be
retained. The data items that need to be considered are provided in Table
3.4.12.
Table 3.4.12: Audit Trail Controls - Output Controls
Accounting Audit Trail: This includes what output was assimilated for
presentation to the users; what output was then presented to the users; who
received the output; when the output was received; and what actions were
subsequently taken with the output.
Operations Audit Trail: This maintains the record of resources consumed by
components in the output subsystem to assimilate, produce, distribute, use,
store and dispose of various types of output like graphs, images etc.; records
data that enables print times, response times and display rates for output to be
determined; and manages the information that enables the organization to
improve the timeliness of output production and reduce the resources consumed
in producing output.

3.5 INFORMATION SYSTEMS’ AUDITING

Computers are used extensively to process data and to provide information for
decision-making. However, uncontrolled use of computers can have a widespread
impact on society. Because computers play a large part in assisting us to process
data and to make decisions, it is important that they are used in a controlled
manner.
3.5.1 Need for Control and Audit of Information Systems
Factors influencing an organization toward controls and audit of computers and
the impact of the information systems audit function on organizations are depicted
in the Fig. 3.5.1.

Fig. 3.5.1: Factors influencing an organization toward control and Audit of
computer-based Information Systems
Let us now discuss these reasons in detail (Refer Fig. 3.5.1):
1. Organizational Costs of Data Loss: Data is a critical resource of an
organization for its present and future processes. If the data is accurate, its
ability to adapt and survive in a changing environment increases significantly.
If such data is lost, an organization can incur substantial losses.
2. Cost of Incorrect Decision Making: Making high-quality decisions is
dependent on both the quality of the data and the quality of the decision rules
that exist within computer-based information systems. While making
strategic decisions, some errors may be tolerated by management considering
the long-run nature of strategic planning decisions, whereas highly accurate
data is required when managers make operational control decisions. These
operational controls exercised by managers involve detection, investigation
and correction of the processes. Incorrect data can also have an adverse
impact on the other stakeholders having an interest in the organization.
3. Costs of Computer Abuse: Computer abuse is defined as any incident
associated with computer technology in which the user suffered or could have
suffered loss and a perpetrator by intention made or could have made gain.
Unauthorized access to computer systems, malware, unauthorized physical
access to computer facilities, unauthorized copies of sensitive data, viruses,
and hacking can lead to destruction of assets (hardware, software, data,
information etc.).
4. Value of Computer Hardware, Software and Personnel: These are critical
resources of an organization, which have a credible impact on its infrastructure
and business competitiveness. Through the intentional or unintentional loss of
hardware, the destruction or corruption of software, or the non-availability of
skilled computer professionals in some countries, an organization might be
unable to continue its operations seamlessly.
5. High Costs of Computer Error: In a computerized enterprise environment
where many critical business processes are performed, a data error during
entry or process would cause great damage. For example - small data error
during an operational flight can lead to loss of human lives; an error in any
financial system can make an organization liable for penalty etc.
6. Maintenance of Privacy: Today, data collected in a business process
contains private information about an individual too. These data were also
collected before computers but now, there are many instances in which
privacy of individuals has been eroded beyond acceptable levels.
7. Controlled Evolution of Computer Use: The reliability of complex computer
systems cannot be guaranteed, and the consequences of using unreliable
systems can be destructive. Governments, professional bodies, pressure
groups, organizations and individual persons all must be concerned with
evaluating and monitoring how we deploy computer technology.
Information Systems Auditing is defined as the process of attesting objectives
(those of an external auditor) that focus on asset safeguarding, data integrity and
management objectives (those of an internal auditor) that include effectiveness and
efficiency both. This enables organizations to better achieve some major objectives
that are depicted in the Fig. 3.5.2.


Fig. 3.5.2: Information Systems Auditing Objectives


Let us now discuss these objectives in detail.
a. Asset Safeguarding Objectives: The information system assets like
hardware, software, facilities, people, data files, system documentation,
information etc. must be protected by a system of internal controls from
unauthorized access. These assets are often concentrated in one or a small
number of locations, such as a single disk. Therefore, asset safeguarding is an
important objective for many organizations to achieve.
b. Data Integrity Objectives: It is a fundamental attribute of IS Auditing. Data
has certain attributes – completeness, reliability, transparency, and accuracy.
The integrity of an organization's data must be maintained at all times, else
the organization may suffer loss of competitive advantage. It is also important
from the business perspective of the decision maker and the competitive and
market environment.
c. System Effectiveness Objectives: Evaluating effectiveness implies
knowledge of user needs. Effectiveness evaluation determines whether a system
reports information in a way that facilitates its users in decision-making or
not. Auditors must be aware of the characteristics of users and the
decision-making environment so that the objectives of the system to meet
business and user requirements are met.
d. System Efficiency Objectives: An efficient information system uses
minimum resources to achieve its required objectives; therefore the
various information system resources like machine time, peripherals, system
software and labor must be optimally utilized, along with their impact on the
computing environment. Before systems are upgraded, auditors assist
management in knowing whether the available capacity of the resources is
exhausted or not.
3.5.2 Tools for IS Audit
Today, organizations produce information on a real-time, online basis. Real-time
recordings need real-time continuous auditing to provide continuous assurance
about the quality of the data. Continuous auditing enables auditors to significantly
reduce and perhaps to eliminate the time between occurrence of the client’s events
and the auditor’s assurance services thereon. Errors in a computerized system are
generated at high speed, and the cost to correct and rerun programs is high. If
these errors can be detected and corrected at, or closest to, the point of
their occurrence, their impact would be the least. Continuous auditing
techniques use two bases for collecting audit evidence. One is the use of embedded
modules in the system to collect, process, and print audit evidence and the other
is special audit records used to store the audit evidence collected.
Types of Audit Tools: Different types of continuous audit techniques may be used.
Some modules for obtaining data, audit trails and evidence may be built into the
programs. Audit software is available which could be used for selecting and testing
data. Many audit tools are also available; some of them are described below:
(i) Snapshots: Tracing a transaction in a computerized system can be performed
with the help of snapshots or extended records. The snapshot software is built
into the system at those points where material processing occurs; it takes
images of the flow of any transaction as it moves through the application.
These images can be utilized to assess the authenticity, accuracy, and
completeness of the processing carried out on the transaction. The main
areas to dwell upon when deploying such a system are locating the snapshot
points (based on the materiality of the transactions at which the snapshot will
be captured) and designing and implementing the reporting system so that it
presents the data in a meaningful way.
(ii) Integrated Test Facility (ITF): The ITF technique involves the creation of a
dummy entity in the application system files and the processing of audit test
data against the entity as a means of verifying processing authenticity,
accuracy, and completeness. This test data is included with the normal
production data used as input to the application system. In such cases, the
auditor must decide what method will be used to enter the test data
and the methodology for removing the effects of the ITF transactions.


(iii) System Control Audit Review File (SCARF): The SCARF technique involves
embedding audit software modules within a host application system to
provide continuous monitoring of the system’s transactions. The information
collected is written onto a special audit file, the SCARF master file. Auditors
then examine the information contained in this file to see if some aspect of
the application system needs follow-up. In many ways, the SCARF technique
is like the snapshot technique, along with other data collection capabilities.
(iv) Continuous and Intermittent Simulation (CIS): This is a variation of the
SCARF continuous audit technique. This technique can be used to trap
exceptions whenever the application system uses a database management
system. During application system processing, CIS executes in the following
way:
• The DBMS reads an application system transaction. It is passed to CIS.
CIS then determines whether it wants to examine the transaction
further. If yes, the next steps are performed or otherwise it waits to
receive further data from the database management system.
• CIS replicates or simulates the application system processing.
• Every update to the database that arises from processing the selected
transaction will be checked by CIS to determine whether discrepancies
exist between the results it produces and those the application system
produces.
• Exceptions identified by CIS are written to an exception log file.
The advantage of CIS is that it does not require modifications to the
application system and yet provides an online auditing capability.
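The four CIS steps above, worked through as an added example (not code from the book or from any real CIS product): a constructed interest-posting application with a deliberate rounding defect, and a CIS module that selects transactions, replicates the processing independently, compares every update and writes discrepancies to an exception log. The transaction layout, the materiality rule and the rounding defect are assumptions made for the example.

```python
"""Continuous and Intermittent Simulation (CIS) beside a constructed application.
Added example, not the book's code; record layout and rules are assumptions."""
from dataclasses import dataclass
from decimal import Decimal, ROUND_DOWN, ROUND_HALF_UP

CENT = Decimal("0.01")
DEFAULT_MATERIALITY = Decimal("1000")   # constructed selection threshold


@dataclass(frozen=True)
class Transaction:
    txn_id: str
    account: str
    kind: str             # "DEPOSIT" or "INTEREST" (constructed transaction types)
    amount: Decimal       # deposit amount, or annual interest rate for INTEREST
    balance_before: Decimal


def application_process(txn: Transaction) -> Decimal:
    """The application system's own update logic (constructed). It carries a
    deliberate defect: monthly interest is truncated instead of rounded, which
    is exactly the kind of discrepancy CIS exists to surface."""
    if txn.kind == "DEPOSIT":
        return txn.balance_before + txn.amount
    if txn.kind == "INTEREST":
        interest = (txn.balance_before * txn.amount / 12).quantize(CENT, ROUND_DOWN)
        return txn.balance_before + interest
    raise ValueError(f"unknown transaction kind {txn.kind!r}")


def cis_wants(txn: Transaction, materiality: Decimal) -> bool:
    """Step 1: CIS decides whether to examine the transaction the DBMS handed
    over. Here: every interest posting, and any deposit at or above the
    materiality threshold (constructed selection rule)."""
    return txn.kind == "INTEREST" or txn.amount >= materiality


def cis_simulate(txn: Transaction) -> Decimal:
    """Step 2: CIS replicates the processing independently, using the rule the
    auditor believes is correct (round half up to the cent)."""
    if txn.kind == "DEPOSIT":
        return txn.balance_before + txn.amount
    if txn.kind == "INTEREST":
        interest = (txn.balance_before * txn.amount / 12).quantize(CENT, ROUND_HALF_UP)
        return txn.balance_before + interest
    raise ValueError(f"unknown transaction kind {txn.kind!r}")


def run_cis(transactions, materiality=DEFAULT_MATERIALITY):
    """Drive the four CIS steps over a batch; returns (updates, exception_log).
    The application is not modified: CIS only observes its inputs and outputs."""
    updates, exception_log = {}, []
    for txn in transactions:
        app_result = application_process(txn)       # the update the application made
        updates[txn.txn_id] = app_result
        if not cis_wants(txn, materiality):         # step 1: not selected, wait for next
            continue
        expected = cis_simulate(txn)                # step 2: simulate the processing
        if expected != app_result:                  # step 3: compare the database update
            exception_log.append({                  # step 4: write to the exception log
                "txn_id": txn.txn_id, "account": txn.account,
                "application": str(app_result), "cis": str(expected),
                "difference": str(app_result - expected),
            })
    return updates, exception_log


# Constructed sample batch: an immaterial deposit (skipped by CIS), a material
# deposit (examined, agrees) and an interest posting (discrepancy of one cent).
SAMPLE_BATCH = [
    Transaction("T1", "ACC-100", "DEPOSIT", Decimal("50.00"), Decimal("200.00")),
    Transaction("T2", "ACC-200", "DEPOSIT", Decimal("5000.00"), Decimal("100.00")),
    Transaction("T3", "ACC-300", "INTEREST", Decimal("0.05"), Decimal("1000.50")),
]

if __name__ == "__main__":
    _, log = run_cis(SAMPLE_BATCH)
    for entry in log:
        print(entry)
```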
(v) Audit Hooks: Audit hooks are audit routines that flag suspicious transactions. For
example, internal auditors at an insurance company determined that their
policyholder system was vulnerable to fraud every time a policyholder
changed his or her name or address and then subsequently withdrew funds
from the policy. They devised a system of audit hooks to tag records with a
name or address change. The internal audit department then investigates these
tagged records to detect fraud. When audit hooks are employed, auditors
can be informed of questionable transactions as soon as they occur. This
approach of real-time notification displays a message on the auditor’s
terminal.
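The policyholder audit hook described above, as an added example that is not the book's code: it tags any withdrawal that follows a name or address change on the same policy within a look-back window and raises a real-time notification for the auditor. The record layout, the 30-day window and the sample feed are constructed assumptions.

```python
"""Audit hook: tag withdrawals that follow a name/address change on the policy.
Added example (not the book's code); record layout, window and feed are constructed."""
from collections import defaultdict
from datetime import date, timedelta

# Constructed policyholder transaction feed: (date, policy, event, detail).
POLICY_FEED = [
    (date(2024, 3, 1), "P-1001", "ADDRESS_CHANGE", "12 New Street"),
    (date(2024, 3, 4), "P-1001", "WITHDRAWAL", "25000.00"),
    (date(2024, 3, 2), "P-2002", "PREMIUM", "450.00"),
    (date(2024, 1, 10), "P-3003", "NAME_CHANGE", "A. Sharma"),
    (date(2024, 3, 20), "P-3003", "WITHDRAWAL", "8000.00"),   # 70 days after change
    (date(2024, 3, 5), "P-4004", "WITHDRAWAL", "1200.00"),    # no prior change
]


class AuditHook:
    """Embedded audit routine: sees each transaction as the application posts it."""

    def __init__(self, window_days=30, notify=None):
        self.window = timedelta(days=window_days)
        self.notify = notify or (lambda message: None)   # stands in for the auditor's terminal
        self.changes = defaultdict(list)   # policy -> [(date, event)] of recent changes
        self.tagged = []                   # records for internal audit follow-up

    def process(self, txn):
        """Return a tag record when the withdrawal is suspicious, else None."""
        when, policy, event, detail = txn
        if event in ("NAME_CHANGE", "ADDRESS_CHANGE"):
            self.changes[policy].append((when, event))
            return None
        if event != "WITHDRAWAL":
            return None
        # Forget changes older than the window; they cannot trigger this withdrawal.
        self.changes[policy] = [(d, e) for d, e in self.changes[policy]
                                if when - d <= self.window]
        triggers = self.changes[policy]
        if not triggers:
            return None
        tag = {"policy": policy, "withdrawal_date": when, "amount": detail,
               "prior_changes": [(d.isoformat(), e) for d, e in triggers]}
        self.tagged.append(tag)
        self.notify(f"AUDIT HOOK: {policy} withdrew {detail} on {when} after "
                    f"{', '.join(e for _, e in triggers)}")
        return tag


def run_hook(feed, window_days=30):
    """Replay a feed in date order; returns (tagged records, notifications)."""
    alerts = []
    hook = AuditHook(window_days, alerts.append)
    for txn in sorted(feed):   # a live hook would receive them in this order anyway
        hook.process(txn)
    return hook.tagged, alerts


if __name__ == "__main__":
    tagged, alerts = run_hook(POLICY_FEED)
    for line in alerts:
        print(line)
```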


3.5.3 Audit Trail


We may recall that Audit Trails are logs that can be designed to record activity at
the system, application, and user level. When properly implemented, audit trails
provide an important detective control to help accomplish security policy
objectives. Many operating systems allow management to select the level of
auditing to be provided by the system. This determines ‘which events will be
recorded in the log’. An effective audit policy will capture all significant events
without cluttering the log with trivial activity.
(i) Audit Trail Objectives: Audit trails can be used to support security objectives
in three ways:
• Detecting Unauthorized Access: Detecting unauthorized access can
occur in real time or after the fact. The primary objective of real-time
detection is to protect the system from outsiders who are attempting
to breach system controls. A real-time audit trail can also be used to
report on changes in system performance that may indicate infestation
by a virus or worm. Depending upon how much activity is being logged
and reviewed, real-time detection can impose a significant overhead on
the operating system, which can degrade operational performance.
After-the-fact detection logs can be stored electronically and reviewed
periodically or as needed. When properly designed, they can be used
to determine if unauthorized access was accomplished or attempted
and failed.
• Reconstructing Events: Audit analysis can be used to reconstruct the
steps that led to events such as system failures, security violations by
individuals, or application processing errors. Knowledge of the
conditions that existed at the time of a system failure can be used to
assign responsibility and to avoid similar situations in the future. Audit
trail analysis also plays an important role in accounting control. For
example, by maintaining a record of all changes to account balances,
the audit trail can be used to reconstruct accounting data files that were
corrupted by a system failure.
• Personal Accountability: Audit trails can be used to monitor user
activity at the lowest level of detail. This capability is a preventive
control that can be used to influence behavior. Individuals are likely to
violate an organization’s security policy if they know that their actions
are not recorded in an audit log.


(ii) Implementing an Audit Trail: The information contained in audit logs is
useful to accountants in measuring the potential damage and financial loss
associated with application errors, abuse of authority, or unauthorized access
by outside intruders. Logs provide valuable evidence to auditors in
assessing both the adequacy of controls in place and the need for additional
controls. Audit logs, however, can generate data in overwhelming detail, and
therefore, at times, important information can easily get lost among the
superfluous detail of daily operations. Thus, poorly designed logs can be
dysfunctional.

3.6 AUDITING OF INFORMATION SYSTEMS CONTROLS
3.6.1 Auditing Environmental Controls
Related aspects are given as follows:
(a) Role of IS Auditor in auditing Environmental Controls: The attack on the
World Trade Centre in 2001 created a worldwide alert, bringing focus on
business continuity planning and environmental controls. Audit of
environmental controls should form a critical part of every IS audit plan. The
IS auditor should satisfy himself or herself not only as to the effectiveness of
various technical controls but also as to the overall controls safeguarding the
business against environmental risks.
(b) Audit of Environmental Controls: Audit of environmental controls requires
the IS auditor to conduct physical inspections and observe practices. Auditing
environmental controls requires knowledge of building mechanical and
electrical systems as well as fire codes. The IS auditor needs to be able to
determine if such controls are effective and if they are cost-effective. Auditing
environmental controls requires attention to these and other factors and
activities, including:
• Power conditioning: The IS auditor should determine how frequently
power conditioning equipment, such as UPS, line conditioners, surge
protectors, or motor generators, are used, inspected and maintained
and if this is performed by qualified personnel.
• Backup power: The IS auditor should determine if backup power is
available via electric generators or UPS and how frequently they are
tested. S/he should examine maintenance records to see how frequently
these components are maintained and if this is done by qualified
personnel.
• Heating, Ventilation, and Air Conditioning (HVAC): The IS auditor
should determine if HVAC systems are providing adequate temperature
and humidity levels, and if they are monitored. Also, the auditor should
determine if HVAC systems are properly maintained and if qualified
persons do this.
• Water detection: The IS auditor should determine if any water
detectors are used in rooms where computers are used. S/he should
determine how frequently these are tested and if these are monitored.
• Fire detection and suppression: The IS auditor should determine if fire
detection equipment is adequate, if staff members understand their
function, and if these are tested. S/he should determine how frequently
fire suppression systems are inspected and tested, and if the
organization has emergency evacuation plans and conducts fire drills.
• Cleanliness: The IS auditor should examine data centers to see how
clean they are. IT equipment air filters and the inside of some IT
components should be examined to see if there is an accumulation of
dust and dirt.
3.6.2 Auditing Physical Security Controls
(a) Role of IS Auditor in auditing Physical Access Controls: Auditing physical
access requires the auditor to review the physical access risk and controls to
form an opinion on the effectiveness of the physical access controls. This
involves the following activities:
• Risk Assessment: The auditor must satisfy him/herself that the risk
assessment procedure adequately covers periodic and timely assessment
of all assets, physical access threats, vulnerabilities of safeguards and
exposures therefrom.
• Controls Assessment: The auditor based on the risk profile evaluates
whether the physical access controls are in place and adequate to protect
the IS assets against the risks.
• Review of Documents: It requires examination of relevant documentation
such as the security policy and procedures, premises plans, building plans,
inventory list and cabling diagrams.

(b) Audit of Physical Access Controls: Auditing physical security controls
requires knowledge of natural and man-made hazards, physical security
controls, and access control systems.
(i) Siting and Marking: Auditing building siting and marking requires
attention to several key factors and features, including:
o Proximity to hazards: The IS auditor should estimate the
building’s distance to natural and manmade hazards, such as
Dams; Rivers, Lakes, and Canals; Natural gas and petroleum
pipelines; Water mains and pipelines; Earthquake faults; Areas
prone to landslides; Volcanoes; severe weather such as hurricanes,
cyclones, and tornadoes; Flood zones; Military bases; Airports;
Railroads and Freeways. The IS auditor should determine if any
risk assessment regarding hazards has been performed and if any
compensating controls that were recommended have been
carried out.
o Marking: The IS auditor should inspect the building and
surrounding area to see if building(s) containing information
processing equipment identify the organization. Marking may be
visible on the building itself, but also on signs or parking stickers
on vehicles.
(ii) Physical barriers: This includes fencing, walls, barbed/razor wire,
bollards, and crash gates. The IS auditor needs to understand how these
are used to control access to the facility and determine their
effectiveness.
(iii) Surveillance: The IS auditor needs to understand how video and human
surveillance are used to control and monitor access. He or she needs to
understand how (and if) video is recorded and reviewed, and if it is
effective in preventing or detecting incidents.
(iv) Guards and dogs: The IS auditor needs to understand the use and
effectiveness of security guards and guard dogs. Processes, policies,
procedures, and records should be examined to understand required
activities and how they are carried out.
(v) Key-Card systems: The IS auditor needs to understand how key-card
systems are used to control access to the facility. Some points to
consider include: work zones, i.e. whether the facility is divided into security
zones and which persons are permitted to access which zones; whether
key-card systems record personnel movement; what processes and
procedures are used to issue key-cards to employees; etc.
3.6.3 Auditing Logical Access Controls
(a) Role of IS Auditor in Auditing Logical Access Controls: Auditing Logical
Access Controls requires attention of IS Auditors to several key areas that include
the following:
(I) Network Access Paths: The IS auditor should conduct an independent
review of the IT infrastructure to map out the organization’s logical access paths.
This will require considerable effort and may require the use of investigative and
technical tools, as well as specialized experts on IT network architecture.
(II) Documentation: The IS auditor should request network architecture and
access documentation to compare what was discovered independently
against existing documentation. The auditor will need to determine why any
discrepancies exist. Similar investigations should take place for each
application to determine all the documented and undocumented access
paths to functions and data.
(b) Audit of Logical Access Controls
(I) User Access Controls: User access controls are often the only barrier
between unauthorized parties and sensitive or valuable information. This
makes the audit of user access controls particularly significant. Auditing user
access controls requires keen attention to several key factors and activities in
four areas:
(i) Auditing User Access Controls: These are to determine if the controls
themselves work as designed. Auditing user access controls requires
attention to several factors, including:
♦ Authentication: The auditor should examine network and system
resources to determine if they require authentication, or whether
any resources can be accessed without first authenticating.
♦ Access violations: The auditor should determine if systems,
networks, and authentication mechanisms can log access
violations. These usually exist in the form of system logs showing
invalid login attempts, which may indicate intruders who are
trying to log in to employee user accounts.
♦ User account lockout: The auditor should determine if systems
and networks can automatically lock user accounts that are the
target of attacks. A typical system configuration is one that will
lock a user account after five unsuccessful login attempts within
a short period.
♦ Intrusion detection and prevention: The auditor should
determine if there are any IDSs or IPSs that would detect
authentication-bypass attempts. The auditor should examine
these systems to see whether they have up-to-date configurations
and signatures, whether they generate alerts, and whether the
recipients of alerts act upon them.
♦ Dormant accounts: The IS auditor should determine if any
automated or manual process exists to identify and close dormant
accounts. Dormant accounts are user (or system) accounts that
exist but are unused. These accounts represent a risk to the
environment, as they represent an additional path between
intruders and valuable or sensitive data.
♦ Shared accounts: The IS auditor should determine if there are any
shared user accounts; these are user accounts that are routinely (or
even infrequently) used by more than one person. The principal risk
with shared accounts is the inability to determine accountability for
actions performed with the account.
♦ System accounts: The IS auditor should identify all system-level
accounts on networks, systems, and applications. The purpose of
each system account should be identified, and it should be
determined if each system account is still required (some may be
artifacts of the initial implementation or of an upgrade or
migration). The IS auditor should determine who has the
password for each system account, whether accesses by system
accounts are logged, and who monitors those logs.
(ii) Auditing Password Management: The IS auditor needs to examine
password configuration settings on information systems to determine
how passwords are controlled. Some of the areas requiring examination
are- how many characters must a password have and whether there is
a maximum length; how frequently must passwords be changed;
whether former passwords may be used again; whether the password is
displayed when logging in or when creating a new password etc.

(iii) Auditing User Access Provisioning: Auditing the user access
provisioning process requires attention to several key activities,
including:
♦ Access request processes: The IS auditor should identify all user
access request processes and determine if these processes are
used consistently throughout the organization.
♦ Access approvals: The IS auditor needs to determine how
requests are approved and by what authority they are approved.
The auditor should determine if system or data owners approve
access requests, or if any accesses are ever denied.
♦ New employee provisioning: The IS auditor should examine the
new employee provisioning process to see how a new employee’s
user accounts are initially set up. The auditor should determine if
new employees’ managers are aware of the access requests that
their employees are given and if they are excessive.
♦ Segregation of Duties (SOD): The IS auditor should determine if
an organization makes any effort to identify segregation of duties.
This may include whether there are any SOD matrices in existence
and if they are actively used to make user access request
decisions.
♦ Access reviews: The IS auditor should determine if there are any
periodic access reviews and what aspects of user accounts are
reviewed; this may include termination reviews, internal transfer
reviews, SOD reviews, and dormant account reviews.
(iv) Auditing Employee Terminations: Auditing employee terminations
requires attention to several key factors, including:
♦ Termination process: The IS auditor should examine the
employee termination process and determine its effectiveness.
This examination should include understanding on how
terminations are performed and how user account management
personnel are notified of terminations.
♦ Access reviews: The IS auditor should determine if any internal
reviews of terminated accounts are performed, which would
indicate a pattern of concern for effectiveness in this important
activity. If such reviews are performed, the auditor should
determine if any missed terminations are identified and if any
process improvements are undertaken.
♦ Contractor access and terminations: The IS auditor needs to
determine how contractor access and termination is managed and
if such management is effective.
(II) User Access Logs: The IS auditor needs to determine what events are
recorded in access logs. The IS auditor needs to understand the capabilities
of the system being audited and determine if the right events are being
logged, or if logging is suppressed on events that should be logged.
♦ Centralized access logs: The IS auditor should determine if the
organization’s access logs are aggregated or if they are stored on
individual systems.
♦ Access log protection: The auditor needs to determine if access logs can
be altered, destroyed, or attacked to cause the system to stop logging
events. Especially for high-value and high-sensitivity environments, the IS
auditor needs to determine if logs should be written to digital media that
is unalterable, such as optical WORM (Write Once Read Many) media.
♦ Access log review: The IS auditor needs to determine if there are
policies, processes, or procedures regarding access log review. The
auditor should determine if access log reviews take place, who performs
them, how issues requiring attention are identified, and what actions
are taken when necessary.
♦ Access log retention: The IS auditor should determine how long access
logs are retained by the organization and if they are backed up.
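An access log review in the spirit of the user access control points above (invalid login attempts, the five-failures lockout threshold, dormant accounts) and the user access log points just listed; this is an added example, not the book's code. It assumes a constructed log line format and constructed account and host inventories, flags users with five or more failures inside a ten-minute window, lists inventoried accounts with no successful login in 90 days, and reports inventoried hosts that logged nothing at all (a sign that logging may be suppressed or not centralized).

```python
"""Access log review: failed-login bursts, dormant accounts and silent hosts.
Added example (not the book's code); log format and inventories are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines (assumed format: ISO timestamp, host, event, key=value pairs).
LOG_LINES = """\
2024-03-05T09:00:01 app1 LOGIN user=alice result=FAIL src=203.0.113.7
2024-03-05T09:00:09 app1 LOGIN user=alice result=FAIL src=203.0.113.7
2024-03-05T09:00:15 app1 LOGIN user=alice result=FAIL src=203.0.113.7
2024-03-05T09:00:22 app1 LOGIN user=alice result=FAIL src=203.0.113.7
2024-03-05T09:00:31 app1 LOGIN user=alice result=FAIL src=203.0.113.7
2024-03-05T09:01:02 app1 LOGIN user=alice result=SUCCESS src=203.0.113.7
2024-03-05T08:10:00 app2 LOGIN user=bob result=FAIL src=10.0.0.12
2024-03-05T08:40:00 app2 LOGIN user=bob result=FAIL src=10.0.0.12
2024-03-05T09:10:00 app2 LOGIN user=bob result=FAIL src=10.0.0.12
2024-03-05T09:11:00 app2 LOGIN user=bob result=SUCCESS src=10.0.0.12
2024-03-05T10:00:00 app1 LOGIN user=carol result=SUCCESS src=10.0.0.20
2023-11-01T02:00:00 app2 LOGIN user=svc_backup result=SUCCESS src=10.0.0.30
"""
# Constructed inventories an auditor would obtain from the organization.
ACCOUNTS = ["alice", "bob", "carol", "dave", "svc_backup"]
HOSTS = ["app1", "app2", "db1"]
AS_OF = datetime(2024, 3, 6)          # reference date of the review


def parse_line(line: str) -> dict:
    """Turn one log line into a dict with a parsed timestamp."""
    ts, host, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "host": host, "event": event}
    rec.update(p.split("=", 1) for p in pairs)
    return rec


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with >= threshold FAIL results inside any sliding window: the
    pattern an automatic lockout should stop and a log review should notice."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "FAIL":
            fails[e["user"]].append(e["ts"])
    bursts = []
    for user, times in fails.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window start forward
                start += 1
            if end - start + 1 >= threshold:
                bursts.append({"user": user, "first": times[start],
                               "last": t, "count": end - start + 1})
                break                             # one finding per user is enough
    return bursts


def dormant_accounts(events, accounts, as_of, max_idle_days=90):
    """Inventoried accounts with no successful login in max_idle_days (or ever)."""
    last_ok = {}
    for e in events:
        if e["event"] == "LOGIN" and e["result"] == "SUCCESS":
            last_ok[e["user"]] = max(last_ok.get(e["user"], e["ts"]), e["ts"])
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(a for a in accounts if last_ok.get(a, datetime.min) < cutoff)


def silent_hosts(events, hosts):
    """Inventoried hosts that produced no events at all: logging may be
    suppressed there, or the host may not feed the central log."""
    seen = {e["host"] for e in events}
    return sorted(h for h in hosts if h not in seen)


def review(lines, accounts, hosts, as_of):
    """Run all three checks over the log lines; returns a findings dict."""
    events = [parse_line(line) for line in lines if line.strip()]
    return {"failed_login_bursts": failed_login_bursts(events),
            "dormant_accounts": dormant_accounts(events, accounts, as_of),
            "silent_hosts": silent_hosts(events, hosts)}


if __name__ == "__main__":
    for key, value in review(LOG_LINES.splitlines(), ACCOUNTS, HOSTS, AS_OF).items():
        print(key, value)
```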
(III) Investigative Procedures: Auditing investigative procedures requires
attention to several key activities, including:
♦ Investigation policies and procedures: The IS auditor should
determine if there are any policies or procedures regarding security
investigations. This would include who is responsible for performing
investigations, where information about investigations is stored, and to
whom the results of investigations are reported.
♦ Computer crime investigations: The IS auditor should determine if
there are policies, processes, procedures, and records regarding
computer crime investigations. The IS auditor should understand how
internal investigations are transitioned to law enforcement.

♦ Computer forensics: The IS auditor should determine if there are
procedures for conducting computer forensics. The auditor should also
identify tools and techniques that are available to the organization for
the acquisition and custody of forensic data. The auditor should identify
whether any employees in the organization have received computer
forensics training and are qualified to perform forensic investigations.
(IV) Internet Points of Presence: The IS auditor who is performing a
comprehensive audit of an organization’s system and network system needs
to perform a “points of presence” audit to discover what technical information
is available about the organization’s Internet presence. Some of the aspects
of this intelligence gathering include:
♦ Search engines: Google, Yahoo!, and other search engines should be
consulted to see what information about the organization is available.
Searches should include the names of company officers and
management, key technologists, and any internal-only nomenclature
such as the names of projects.
♦ Social networking sites: Social networking sites such as Facebook,
LinkedIn, Myspace, and Twitter should be searched to see what
employees, former employees, and others are saying about the
organization. Any authorized or unauthorized “fan pages” should be
searched as well.
♦ Online sales sites: Sites such as Craigslist and eBay should be searched
to see if anything related to the organization is sold online.
♦ Domain names: The IS auditor should verify contact information for
known domain names, as well as related domain names. For instance,
for the organization mycompany.com, the organization should search for
domain names such as mycompany.net, mycompany.info, and
mycompany.biz to see if they are registered and what contents are
available.
♦ Justification of Online Presence: The IS auditor should examine
business records to determine on what basis the organization
established online capabilities such as e-mail, Internet-facing web sites,
Internet e-commerce, Internet access for employees, and so on. These
services add risk to the business and consume resources. The auditor
should determine if a viable business case exists to support these
services or if they exist as a “benefit” for employees.


3.6.4 Auditing The Management Control Framework


The auditor’s primary objective in examining the management control framework
for the information system function is to evaluate whether management manages
well. If high-quality management controls are not in place and working reliably,
Application Controls are unlikely to be effective.
Though there are many concerns, however, some key areas that auditors should
pay attention to while evaluating management controls at each level in an
organization are provided below:
I. Auditing Top Management Controls
The major activities that senior management must perform are – Planning,
Organizing, Leading and Controlling. The role of auditor at each activity is
discussed below:
♦ Planning: Auditors need to evaluate whether top management has
formulated a high-quality information systems plan that is appropriate to the
needs of the organization. A poor-quality information system is
ineffective and inefficient, leading the organization to lose its competitive
position within the marketplace.
♦ Organizing: Auditors should be concerned about how well top management
acquires and manages staff resources.
♦ Leading: Generally, the auditors examine variables that often indicate when
motivation problems exist or suggest poor leadership – for example, staff
turnover statistics, frequent failure of projects to meet their budget and
absenteeism level to evaluate the leading function. Auditors may use both
formal and informal sources of evidence to evaluate how well top managers
communicate with their staff.
♦ Controlling: Auditors should focus on the subset of the control activities that
should be performed by top management – namely, those aimed at ensuring
that the information systems function accomplishes its objectives at a global
level. Auditors must evaluate whether top management’s choice of the means
of control over the users of IS services is likely to be effective or not.
II. Auditing Systems Development Management Controls
♦ Auditors can conduct the following three types of reviews/audits of the systems
development process, as discussed in Table 3.6.1:

Table 3.6.1: Types of Audit during System Development Process

Concurrent Audit: As a member of the system development team, the auditors
need to assist the team in improving the quality of systems development for the
specific system they are building and implementing. They shall ensure that needed
controls are built into the system to produce high-quality systems.

Post-implementation Audit: Auditors seek to help an organization learn from its
experiences in the development of a specific application system. In addition, they
might be evaluating the current status of the system in terms of attaining asset
safeguarding, data integrity, system effectiveness and system efficiency objectives
so that the decision on whether the system needs to be scrapped, continued, or
modified in some way can be taken.

General Audit: Auditors evaluate the quality of the overall systems development
process. This review allows them to make judgments on the likely quality of
individual application systems developed by the system development management
subsystem, the control risk associated with this subsystem, and to determine
whether the extent of substantive testing needed to form an audit opinion about
management’s assertions relating to systems effectiveness and efficiency can be
reduced or not. An external auditor is more likely to undertake general audits
rather than concurrent or post-implementation audits of the systems development
process. Internal auditors generally participate in the development of material
application systems or undertake post-implementation review of the system.

III. Auditing Programming Management Controls


Some of the major concerns that an Auditor should address under the different
activities involved in the Programming Management Control Phase are provided in
Table 3.6.2.
Table 3.6.2: Auditing Programming Management Controls

Planning:
♦ Auditors should evaluate whether the nature and extent of planning are
appropriate to the different types of software that are developed or acquired.
♦ They must evaluate how well the planning work is being undertaken.
Control:
♦ They must evaluate whether the nature and extent of control activities
undertaken are appropriate for the different types of software that are
developed or acquired.
♦ They must gather evidence on whether the control procedures are operating
reliably. For example, they might first choose a sample of past and current
software development and acquisition projects carried out at different
locations in the organization they are auditing.
Design:
♦ Auditors should find out whether programmers use some type of systematic
approach to design.
♦ Auditors can obtain evidence of the design practices used by undertaking
interviews, observations, and reviews of documentation.
Coding:
♦ Auditors should seek evidence –
• on the level of care exercised by programming management in choosing a
module implementation and integration strategy;
• to determine whether programming management ensures that programmers
follow structured programming conventions;
• to check whether programmers employ automated facilities to assist them
with their coding work.
Testing:
♦ Auditors can use interviews, observations, and examination of documentation
to evaluate how well unit testing is conducted.
♦ Auditors are primarily concerned with the quality of integration testing work
carried out by information systems professionals rather than end users.
♦ Auditors’ primary concern is to see that whole-of-program tests have been
undertaken for all material programs and that these tests have been
well-designed and executed.
Operation and Maintenance:
♦ Auditors need to ensure effective and timely reporting of maintenance needs
that occur so that maintenance is carried out in a well-controlled manner.
♦ Auditors should ensure that management has implemented a review system
and assigned responsibility for monitoring the status of operational programs.

IV. Auditing Data Resource Management Controls


♦ Auditors should determine what controls are exercised to maintain data
integrity. They might also interview database users to determine their level of
awareness of these controls.
♦ Auditors might employ test data to evaluate whether access controls and
update controls are working.
♦ Auditors might interview the Data Administrator (DA) and Database
Administrator (DBA) to determine the procedures used by them to
monitor the database environment.
♦ Auditors need to assess how well the DA and DBA carry out the functions
of database definition, creation, redefinition, and retirement.
V. Auditing Security Management Controls
♦ Auditors must evaluate whether security administrators are conducting
ongoing, high-quality security reviews or not;
♦ Auditors need to evaluate the performance of BCP controls. The BCP
controls are related to having an operational and tested IT continuity
plan, which is in line with the overall business continuity plan and its
related business requirements to make sure IT services are available as
required and to ensure a minimum impact on business in the event of a
major disruption.
♦ Auditors check whether the organizations audited have an appropriate, high-quality disaster recovery plan in place or not; and
♦ Auditors check whether the organizations have opted for an appropriate insurance plan or not.
VI. Auditing Operations Management Controls
♦ Auditors should check whether the documentation is maintained securely and that it is issued only to authorized personnel.

♦ Auditors can use interviews, observations, and review of documentation to evaluate -
• the activities of documentation librarians;
• how well operations management undertakes the capacity planning and performance monitoring function;
• the reliability of outsourcing vendor controls;
• whether operations management is monitoring compliance with the outsourcing contract; and
• whether operations management regularly assesses the financial viability of any outsourcing vendors that an organization uses.
VII. Auditing Quality Assurance Management Controls
♦ Auditors might use interviews, observations, and reviews of documentation
to evaluate how well Quality Assurance (QA) personnel perform their
monitoring role.
♦ Auditors might evaluate how well QA personnel make recommendations for
improved standards or processes through interviews, observations, and
reviews of documentation.
♦ Auditors can evaluate how well QA personnel undertake the reporting
function and training through interviews, observations, and reviews of
documentation.
3.6.5 Auditing The Application Control Framework
Based on the evaluation of management controls over the IS functions in an organization, auditors might decide to evaluate application systems further. Once the external auditors have evaluated the reliability of management controls, the next step is to determine the adequacy of application controls. Of the various concerns that an auditor might have while auditing the application controls over the IS functions, some key areas that they should pay attention to while evaluating application controls at each level in an organization are provided below:
I. Auditing Boundary Controls
♦ Auditors need to determine how well boundary controls safeguard assets and preserve data integrity.
♦ For any application system in particular, auditors need to determine whether the access control mechanism implemented in that system is sufficient or not.
♦ Auditors need to ensure that careful control is exercised over maintenance activities carried out in case of hardware failure.
♦ Auditors need to address three aspects to assess cryptographic key
management -
• How keys will be generated?
• How they will be distributed to users?
• How they will be installed in cryptographic facilities?
♦ Auditors need to understand which approach has been used to implement
access control so that they can predict the likely problems they will
encounter in the application systems they are evaluating.
II. Auditing Input Controls
♦ Auditors must understand the fundamentals of good source document
design so as to analyze what and how the data will be captured and by
whom, how the data will be prepared and entered into the computer
systems and how the document will be handled, stored and filed.
♦ Auditors must be able to examine the data-entry screens used in an
application system and to come to judgement on the frequency with
which input errors are likely to be made and the extent to which the
screen design enhances or undermines effectiveness and efficiency.
♦ Auditors must evaluate the quality of the coding systems used in
application system to determine their likely impact in the data integrity,
effectiveness, and efficiency objectives.
♦ Auditors need to comprehend various approaches used to enter data into
an application system and their relative strengths and weaknesses.
♦ Auditors need to check whether input files are stored securely and backup
copies of it are maintained at an offsite location so that recovery remains
unaffected in case system’s master files are destroyed or corrupted.
III. Auditing Communication Controls
♦ Auditors shall adopt a structured approach to examine and evaluate
various controls in the communication subsystem.

♦ Auditors need to collect enough evidence to establish a level of assurance that data transmission between two nodes in a wide area network is accurate and complete.
♦ Auditors need to check whether adequate network backup and recovery controls are practised regularly. These controls may include automatic line speed adjustments by modems based on different noise levels, choice of network topology, alternative routes between sender and receiver etc., to strengthen network reliability.
♦ Auditors must assess the implementation of encryption controls to
ensure the protection of privacy of sensitive data.
♦ Auditors must assess the topological controls to review the logical
arrangement of various nodes and their connectivity using various
internetworking devices in a network.
IV. Auditing Processing Controls
♦ Auditors should determine whether processing controls prevent user processes from carrying out unauthorized activities like gaining access to sensitive data.
♦ Auditors should evaluate whether the common programming errors that can result in incomplete or inaccurate processing of data have been guarded against.
♦ Auditors should assess the performance of validation controls to check
for any data processing errors.
♦ Auditors need to check for the checkpoint and restart controls that enable the system to recover itself from the point of failure. The restart facilities need to be implemented well so that the program restarts from the last point at which processing was known to be accurate and complete, rather than from scratch.
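The checkpoint and restart control described above, as an added worked example written for this edit (it is not code from the ICAI text): a batch job commits a checkpoint every few records, is made to crash partway through, and on restart resumes from the last committed checkpoint instead of from scratch, skipping exactly the records already committed so none is applied twice. The batch contents, the checkpoint file name and the crash point are constructed for illustration. Note that the record processed after the last checkpoint but before the crash (record 7) is redone on restart; that is the trade-off an auditor should look for: checkpoint frequency decides how much work is repeated, and either the processing step must be idempotent or the restart must skip precisely the committed records, as here.

```python
import json
import os
import tempfile

# Constructed sample batch: (record_id, amount) pairs, 10 records in total.
SAMPLE_BATCH = [(i, 100 * i) for i in range(1, 11)]


def load_checkpoint(path):
    """Return (last_committed_id, running_total); (0, 0) when no checkpoint exists."""
    if not os.path.exists(path):
        return 0, 0
    with open(path) as f:
        cp = json.load(f)
    return cp["last_id"], cp["total"]


def save_checkpoint(path, last_id, total):
    """Write the checkpoint atomically: a crash mid-write must not leave a torn file."""
    tmp = path + ".tmp"
    with open(tmp, "w") as f:
        json.dump({"last_id": last_id, "total": total}, f)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


class SimulatedCrash(Exception):
    """Stands in for a hardware or software failure during the batch run."""


def run_batch(records, checkpoint_path, crash_after=None, checkpoint_every=3):
    """Process records in order, checkpointing every `checkpoint_every` records.

    On restart, records with id <= last checkpointed id are skipped, so committed
    work is never repeated. Returns (total, list of record ids processed this run).
    """
    last_id, total = load_checkpoint(checkpoint_path)
    processed = []
    since_cp = 0
    for rec_id, amount in records:
        if rec_id <= last_id:
            continue  # already committed in an earlier run
        if crash_after is not None and rec_id > crash_after:
            raise SimulatedCrash(f"crash before record {rec_id}")
        total += amount
        processed.append(rec_id)
        since_cp += 1
        last_id = rec_id
        if since_cp == checkpoint_every:
            save_checkpoint(checkpoint_path, last_id, total)
            since_cp = 0
    save_checkpoint(checkpoint_path, last_id, total)  # final commit
    return total, processed


def demo():
    """Crash after record 7, then restart.

    Checkpoints were committed after records 3 and 6, so the restart resumes at
    record 7 (record 7 itself is redone), and the final total equals the total of
    an uninterrupted run. Returns (last_id_after_crash, total, ids_redone).
    """
    with tempfile.TemporaryDirectory() as d:
        cp = os.path.join(d, "batch.ckpt")  # assumed checkpoint file name
        try:
            run_batch(SAMPLE_BATCH, cp, crash_after=7)
        except SimulatedCrash:
            pass
        last_id_after_crash, _ = load_checkpoint(cp)
        total, redone = run_batch(SAMPLE_BATCH, cp)
        return last_id_after_crash, total, redone


if __name__ == "__main__":
    print(demo())
```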
V. Auditing Database Controls
♦ Auditors should check for the mechanism if a damaged or destroyed
database can be restored in an authentic, accurate, complete, and timely
way.
♦ Auditors should comprehend backup and recovery strategies for
restoration of damaged or destroyed database in the event of failure that
could be because of application program error, system software error,
hardware failure, procedural error, and environmental failure.

♦ Auditors shall evaluate whether the privacy of data is protected during all backup and recovery activities.
♦ Auditors should check for proper documentation and implementation of
the decisions made on the maintenance of the private and public keys
used under cryptographic controls.
♦ Auditors should address their concerns regarding the maintenance of
data integrity and the ways in which files must be processed to prevent
integrity violations.
VI. Auditing Output Controls
♦ Auditors should determine what report programs are sensitive, who all
are authorized to access them and that only the authorized persons are
able to execute them.
♦ Auditors should review whether the action privileges assigned to authorized users are appropriate to their job requirements.
♦ Auditors must evaluate how well the client organization controls alteration of the content of printer files, the number of printed copies etc.
♦ Auditors should determine whether the report collection, distribution
and printing controls are well executed in an organization or not.

3.7 DATA RELATED CONCEPTS


3.7.1 Database Models
Databases can be organized in many ways, and thus take many forms. A Database
Model is a type of data model that determines the logical structure of a database
and fundamentally determines in which manner data can be stored, organized and
manipulated. Let’s now look at the database model hierarchy given as under:
• Database: This is a collection of Files/Tables.
• File or Table: This is a collection of Records, also referred to as an Entity.
• Record: This is a collection of Fields.
• Field: This is a collection of Characters, defining a relevant attribute of a Table instance.
• Characters: These are a collection of Bits.

This hierarchy is shown in the Fig. 3.7.1:

Fig. 3.7.1: Hierarchy of Data


Some prominent database models are provided in Table 3.7.1 below.
Table 3.7.1: Database Models
Hierarchical Database Model
Records/Nodes are logically organized into a hierarchy of relationships in an inverted tree pattern. The top parent record that “owns” other records is called the Parent Record/Root Record, which may have one or more child records, but no child record may have more than one parent record. Each node is related to the others in a parent-child relationship. Thus, the hierarchical data structure implements one-to-one and one-to-many relationships. Refer Example 3.6.
Network Database Model
This structure views all records in sets, wherein each set is composed of an owner record and one or more member records. The network model implements one-to-one, one-to-many, many-to-one and many-to-many relationship types. The network model can represent redundancy in data more efficiently than the hierarchical model. Refer Example 3.7.
Relational Database Model
This allows a collection of records in a tabular structure where each record contains some fields defining the nature of the data stored in that table. A record is one instance of a set of fields in a table. The main terms used in this model are: Relation, defined as a table with columns and rows; Attributes (fields), the named columns of the table; and Domains, the set of values the attributes can take. All relations adhere to some basic rules: first, the ordering of columns in a table is immaterial; second, there cannot be identical records in a table; and third, each record will contain a single value for each of its attributes. A relational database contains multiple tables, with all the tables connected by one or more common fields. For each table, one of the fields is identified as a Primary Key, which is the unique identifier for each record in the table. If the primary key of one table is used in another table to access the former, it is called a Foreign Key. Popular examples of relational databases are Microsoft Access, MySQL, and Oracle. Refer Example 3.8.
Object Oriented Database Model (OODBM)
It is based on the concept that the world can be modeled in terms of objects and their interactions. This provides a mechanism to store complex data such as images, audio and video, etc. In this, the data is modeled and created as objects. It combines different aspects of object-oriented programming languages into a DBMS, like complex data types and multi-valued attributes (e.g. an address field can have many values like house number, location, zip code etc.). An OODBMS helps programmers make objects which are an independently functioning application or program, assigned with a specific task or role to perform. Refer Example 3.9.

Example 3.6: Consider an equipment database shown in Fig. 3.7.2 that has building records, room records, equipment records, and repair records. The database structure reflects the fact that repairs are made to equipment located in rooms that are part of buildings. Entrance to this hierarchy by the DBMS is made through the root record, i.e., Building. The building records are the root of any sequence of room, equipment, and repair records. Room records are the parents of equipment records and, at the same time, Room records are also children of the parent record, Building. There can be many levels of node records in a database.

Fig. 3.7.2: Hierarchical Database Model
Example 3.7: Suppose that in our database, it is decided to have these records: Repair Vendor (RV) records for the companies that repair the equipment, Equipment Records (ER) for the various machines we have, and Repair Invoice (RI) records for the repair bills for the equipment. Suppose four Repair Vendors have completed repairs on equipment items 1, 2, 3, 4, 5, 6, 7 and 8. These records might be logically organized into the sets shown in Fig. 3.7.3. Notice these relationships:
• One-to-One relationship: the RV-1 record is the owner of the RI-1 record.
• One-to-Many relationship: the RV-2 record is the owner of the RI-2 and RI-3 records.
• Many-to-Many relationship: many ER can be owned by many RI records. The RV-3 record is the owner of the RI-4 and RI-5 records, and ER-7 is owned by both the RI-5 and RI-6 records because it was fixed twice by different vendors.
• Many-to-One relationship: equipment items 7 and 8 are owned by RI-6 because the repairs to both machines were listed on the same invoice by RV-4.

Fig. 3.7.3: Example of Network Database Model (owner records Repair Vendor 1 to 4; member records Repair Invoice 1 to 6 and Equip 1 to 8)

• Equipment 6 record does not own any record now because it is not required
to be fixed yet.
Example 3.8: A company manufactures black and blue ball pens and stores its data using a relational database wherein the data is stored in the table structures defined below in Table 3.7.2.
Table 3.7.2: Description of Example 3.8
Table 1: Product_table contains the details of all products. Each product is assigned a unique code represented as Prd_code in the table.
Prd_code | Description | Price
P001     | Black pen   | ₹ 50
P002     | Blue pen    | ₹ 70
Table 2: Invoice_table has the description of invoices. The invoice table has Invoice_code, Quantity (Qty) and total amount (Total_Amt) with respect to products sold. Each invoice has a unique number as Invoice_code.
Prd_code | Invoice_code | Qty | Total_Amt
P001     | 2304         | 10  | ₹ 500
P002     | 2306         | 20  | ₹ 1400
Both tables, Product_table and Invoice_table, have a relationship through the common attribute Prd_code. Prd_code is the Primary (unique) key in Product_table and it acts as the key of relationship (foreign key) with Invoice_table. For a specific Invoice_code, the description of the product and its price can be retrieved from Product_table.
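Example 3.8 in working form, as an added example that is not part of the original text: the two tables are created in an in-memory SQLite database through Python's standard sqlite3 module, Prd_code is declared as the foreign key, and the database then rejects an invoice for a product that does not exist and an invoice that reuses an existing Invoice_code. The last function is the kind of integrity query an auditor might run against Invoice_table: rows whose Total_Amt does not equal Price multiplied by Qty. One caveat worth knowing: SQLite only enforces foreign keys when PRAGMA foreign_keys is switched on for the connection, so an application that forgets it silently loses the referential integrity the schema appears to promise. The extra invoice rows used to exercise the checks are constructed for the example.

```python
import sqlite3


def build_pen_db():
    """Create Product_table and Invoice_table from Example 3.8 in memory,
    with referential integrity enforced."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = ON")  # off by default in SQLite
    conn.executescript("""
        CREATE TABLE Product_table (
            Prd_code    TEXT PRIMARY KEY,
            Description TEXT NOT NULL,
            Price       INTEGER NOT NULL CHECK (Price > 0)
        );
        CREATE TABLE Invoice_table (
            Invoice_code INTEGER PRIMARY KEY,
            Prd_code     TEXT NOT NULL REFERENCES Product_table(Prd_code),
            Qty          INTEGER NOT NULL CHECK (Qty > 0),
            Total_Amt    INTEGER NOT NULL
        );
    """)
    conn.executemany("INSERT INTO Product_table VALUES (?, ?, ?)",
                     [("P001", "Black pen", 50), ("P002", "Blue pen", 70)])
    conn.executemany("INSERT INTO Invoice_table VALUES (?, ?, ?, ?)",
                     [(2304, "P001", 10, 500), (2306, "P002", 20, 1400)])
    conn.commit()
    return conn


def invoice_detail(conn, invoice_code):
    """Retrieve product description and price for an invoice by joining on
    the common attribute Prd_code (the foreign key relationship)."""
    return conn.execute("""
        SELECT i.Invoice_code, p.Description, p.Price, i.Qty, i.Total_Amt
        FROM Invoice_table i
        JOIN Product_table p ON p.Prd_code = i.Prd_code
        WHERE i.Invoice_code = ?""", (invoice_code,)).fetchone()


def insert_invoice(conn, invoice_code, prd_code, qty, total):
    """Return True when the row is accepted, False when a primary-key,
    foreign-key or CHECK constraint rejects it (the transaction is rolled back)."""
    try:
        with conn:
            conn.execute("INSERT INTO Invoice_table VALUES (?, ?, ?, ?)",
                         (invoice_code, prd_code, qty, total))
        return True
    except sqlite3.IntegrityError:
        return False


def inconsistent_totals(conn):
    """Audit query: invoices whose Total_Amt disagrees with Price * Qty."""
    return conn.execute("""
        SELECT i.Invoice_code
        FROM Invoice_table i
        JOIN Product_table p ON p.Prd_code = i.Prd_code
        WHERE i.Total_Amt <> p.Price * i.Qty""").fetchall()


if __name__ == "__main__":
    db = build_pen_db()
    print(invoice_detail(db, 2304))
    print("unknown product accepted:", insert_invoice(db, 2307, "P999", 1, 50))
    print("duplicate invoice accepted:", insert_invoice(db, 2304, "P001", 1, 50))
    print("wrong total accepted:", insert_invoice(db, 2308, "P002", 3, 200))
    print("inconsistent totals:", inconsistent_totals(db))
```

The wrong-total row is accepted by the schema because nothing in it ties Total_Amt to Price and Qty; that is exactly why the audit query exists, and a stricter design would compute the total in a view or a trigger instead of storing it.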

Example 3.9: Refer to Fig. 3.7.4. The light rectangle indicates that ‘Engineer’ is an object possessing attributes like ‘date of birth’, ‘address’, etc., which interacts with another object known as ‘civil jobs’. When a civil job is commenced, it updates the ‘current job’ attribute of the ‘Engineer’ object, because ‘civil job’ sends a message to the latter object.
Objects can be organized by first identifying them as a member of a class/subclass. Different objects of a particular class should possess at least one common attribute. The dark rectangles indicate ‘Engineer’ as a class and ‘Civil Engineer’ and ‘Architect’ as subclasses of ‘Engineer’. These subclasses possess all the attributes of ‘Engineer’ and, over and above these, each possesses at least one attribute not possessed by ‘Engineer’. The line intersecting particular object classes represents the class-of structure.
Secondly, objects can be identified as a component of some other object. ‘Engineer’ is a component of a ‘Civil Job Team’, which may have one or more members. An ‘Engineer’ may not be a member of any ‘Civil Job Team’, and may not be a member of more than one team. The dotted line intersecting particular object classes represents the part-of structure. Apart from possessing attributes, objects also possess methods or services that are responsible for changing their states. For example, the service ‘Experience’ of the object ‘Engineer’ calculates how much experience the engineers of the two subclasses, Civil Engineer and Architect, have as professionals.

Fig. 3.7.4: An object-oriented database design (class ‘Engineer’ with attributes Engineer ID No., Date of Birth, Address, Employment Date and Current Job and the service Experience; subclasses ‘Civil Engineer’ and ‘Architect’ linked by the class-of structure; ‘Engineer’ linked to ‘Civil Job Team’ by the part-of structure; the object ‘Civil Jobs’ interacting with ‘Engineer’)

3.7.2 Big Data


A buzzword that has been capturing the attention of businesses lately is Big Data. The term refers to data sets so massively large that conventional database tools do not have the processing power to analyze them. For example, Flipkart must process millions of customer transactions every hour during its Billion Day Sale. Storing and analyzing that much data is beyond the power of traditional database-management tools. Understanding the best tools and techniques to manage and analyze these large data sets is a problem that governments and businesses alike are trying to solve. This is an interesting space to explore from a career perspective, since everything is nothing more than data. In fact, we are nothing more than data points in the databases of various companies.
Some examples of industries that use big data analytics include the hospitality
industry, healthcare companies, public service agencies, and retail businesses.
Benefits of Big Data Processing are as follows:
(a) Ability to process Big Data brings in multiple benefits, such as-
• Businesses can utilize outside intelligence while taking decisions.
• Access to social data from search engines and sites like Facebook,
Twitter is enabling organizations to fine tune their business strategies.
• Early identification of risk to the products/services, if any.
(b) Improved customer service
• Traditional customer feedback systems are getting replaced by new
systems designed with Big Data technologies. In these new systems, Big
Data and natural language processing technologies are being used to
read and evaluate consumer responses.
(c) Better operational efficiency
• Integration of Big Data technologies and the data warehouse helps an organization to offload infrequently accessed data, thus leading to better operational efficiency.
3.7.3 Data Warehouse
As organizations have begun to utilize databases as the centre piece of their
operations, the need to fully understand and leverage the data they are collecting
has become more and more apparent. However, directly analyzing the data that is
needed for day-to-day operations is not a good idea; we do not want to tax the operations of the company more than we need to. Further, organizations also want
to analyze data in a historical sense: How does the data we have today compare
with the same set of data of last month, or last year? From these needs arose the
concept of the data warehouse. The process of extracting data from source systems
and bringing it into the data warehouse is commonly called ETL, which stands for
Extraction, Transformation, and Loading. The process is described below and
shown in the Fig. 3.7.5:
♦ In the first stage, the data is Extracted from one or more of the organization’s
databases. This stage involves extracting the data from various sources such
as ERP systems used, databases, flat files including plain text files, Excel
spreadsheet etc.
♦ In the second stage, the data so extracted is placed in a temporary area called
Staging Area where it is Transformed like cleansing, sorting, filtering etc. of
the data as per the information requirements.
♦ The final stage involves the Loading of the transformed data into a data
warehouse which itself is another database for storage and analysis.
♦ The information loaded on to the data warehouse could further be used by different data marts, which are nothing but databases pertaining to specific departmental functions like Sales, Finance, Marketing etc., from where the information is used for further reporting and analysis so that the management can take informed decisions.
However, the execution of this concept is not that simple. A data warehouse should
be designed so that it meets the following criteria:
 It uses non-operational data. This means that the data warehouse is using a
copy of data from the active databases that the company uses in its day-to-
day operations, so the data warehouse must pull data from the existing
databases on a regular scheduled basis. Relevance and nature of the data in
the data warehouse depend on the time the jobs are scheduled to pull data
from the active databases.
 The data is time-variant. This means that whenever data is loaded into the
data warehouse, it receives a time stamp which allows for comparisons
between different time periods.
 The data is standardized. Because the data in a data warehouse usually comes from several different sources, it is possible that the data does not use the same definitions or units. For example, the Events table in a Student Clubs database lists the event dates using the mm/dd/yyyy format (e.g., 01/10/2013). A table in another database might use the format yy/mm/dd (e.g. 13/01/10) for dates. For the data warehouse to match up dates, a standard date format would have to be agreed upon and all data loaded into the data warehouse would have to be converted to use this standard format.
 There are two primary schools of thought when designing a data warehouse:
Bottom-Up and Top- Down.
• The Bottom-Up Approach starts by creating small data warehouses,
called Data Marts to solve specific business problems. As these data
marts are created, they can be combined into a larger data warehouse.
• The Top-Down Approach suggests that we should start by creating an
enterprise-wide data warehouse and then, as specific business needs
are identified, create smaller data marts from the data warehouse.
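The three ETL stages and the date-standardization problem described above, as an added Python example written for this edit (not code from the original text): two constructed source extracts use the mm/dd/yyyy and yy/mm/dd formats from the text; the transformation stage converts both to ISO yyyy-mm-dd, turns numeric strings into numbers, removes an exact duplicate, and quarantines a row whose date cannot be parsed rather than loading it; the load stage stamps every row with a load time so that the warehouse data is time-variant. The source names, field names and record contents are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed source extracts (assumed data, not from the text).
# The Student Clubs "events" source uses mm/dd/yyyy; a "finance" source uses yy/mm/dd.
EVENTS_SOURCE = [
    {"event": "Hackathon", "date": "01/10/2013", "attendees": "42"},
    {"event": "Robotics demo", "date": "02/03/2013", "attendees": "17"},
    {"event": "Hackathon", "date": "01/10/2013", "attendees": "42"},  # exact duplicate
]
FINANCE_SOURCE = [
    {"event": "Hackathon", "date": "13/01/10", "cost": "1,200"},
    {"event": "Robotics demo", "date": "13/02/03", "cost": "300"},
    {"event": "Mystery", "date": "13/13/45", "cost": "10"},  # month 13: unparseable
]

# Per-source date format agreed for the warehouse; output is always ISO yyyy-mm-dd.
SOURCE_DATE_FORMATS = {"events": "%m/%d/%Y", "finance": "%y/%m/%d"}


def extract(source_name, rows):
    """Extraction stage: pull rows from a source and tag each with its origin."""
    return [dict(row, _source=source_name) for row in rows]


def transform(rows, rejects):
    """Staging-area transformation: standardize dates, convert numbers, drop exact
    duplicates, and quarantine rows that cannot be standardized (appended to
    `rejects`) instead of silently loading bad data."""
    seen = set()
    out = []
    for row in rows:
        fmt = SOURCE_DATE_FORMATS[row["_source"]]
        try:
            iso = datetime.strptime(row["date"], fmt).date().isoformat()
        except ValueError:
            rejects.append(row)
            continue
        clean = {"event": row["event"], "date": iso, "source": row["_source"]}
        if "attendees" in row:
            clean["attendees"] = int(row["attendees"])
        if "cost" in row:
            clean["cost"] = int(row["cost"].replace(",", ""))
        key = tuple(sorted(clean.items()))
        if key in seen:
            continue
        seen.add(key)
        out.append(clean)
    return out


def load(warehouse, rows, load_time):
    """Loading stage: every row receives a load timestamp, which is what makes
    the warehouse time-variant (later loads can be compared with earlier ones)."""
    for row in rows:
        warehouse.append(dict(row, loaded_at=load_time))
    return warehouse


def run_etl(load_time=None):
    """Run extract -> transform -> load once. Returns (warehouse rows, rejected rows)."""
    load_time = load_time or datetime.now(timezone.utc).isoformat()
    rejects = []
    staged = transform(extract("events", EVENTS_SOURCE)
                       + extract("finance", FINANCE_SOURCE), rejects)
    return load([], staged, load_time), rejects


def events_on(warehouse, iso_date):
    """Sources that have a row for the given standardized date; after the
    transformation both sources match even though their input formats differed."""
    return sorted(r["source"] for r in warehouse if r["date"] == iso_date)


if __name__ == "__main__":
    rows, bad = run_etl()
    for r in rows:
        print(r)
    print("rejected:", bad)
    print("sources with 2013-01-10:", events_on(rows, "2013-01-10"))
```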

Fig. 3.7.5: Centralized view of Data Warehouse


 Benefits of Data Warehouse
Organizations find data warehouses quite beneficial for several reasons
• The process of developing a data warehouse forces an organization to
better understand the data that it is currently collecting and, equally
important, what data is not being collected.
• A data warehouse provides a centralized view of all data being collected
across the enterprise and provides a means for determining data that is
inconsistent.
• Once all data is identified as consistent, an organization can generate
one version of the truth. This is important when the company wants to report consistent statistics about itself, such as revenue or number of employees.
• By having a data warehouse, snapshots of data can be taken over time.
This creates a historical record of data, which allows for an analysis of
trends.
• A data warehouse provides tools to combine data, which can provide
new information and analysis.
3.7.4 Data Mining
Data Mining is the process of analysing data to find previously unknown trends, patterns, and associations to make decisions. It involves extracting useful data as per the requirement from a collection of raw facts. To start with, one can use the simplest yet powerful tool, Microsoft Excel, for data mining. Other examples of data mining tools include Oracle Data Mining, R language etc. Generally, data mining is accomplished through automated means against extremely large data sets, such as a data warehouse. Examples of data mining include:
• an analysis of sales from a large grocery chain that might determine that milk is purchased more frequently the day after it rains in cities with a population of less than 50,000;
• the analysis of the popularity of a particular recharge scheme introduced by a telecommunication provider among people of a specific age group and gender, and of the peak call hours location-wise;
• a bank may find that loan applicants whose bank accounts show particular deposit and withdrawal patterns are not good credit risks; and
• a baseball team may find that collegiate baseball players with specific statistics in hitting, pitching, and fielding make for more successful major league players.

Fig. 3.7.6: Steps involved in Data Mining


The steps involved in the Data Mining process are as follows (Refer Fig. 3.7.6):
a. Data Integration: Firstly, the data are collected and integrated from all the
different sources which could be flat files, relational database, data warehouse
or web etc.

b. Data Selection: Not all the data collected in the first step may be required. So, in this step we select only those data which we think are useful for data mining.
c. Data Cleaning: The data that are collected are not clean and may contain errors, missing values, noisy or inconsistent data. Thus, we need to apply different techniques to get rid of such anomalies.
d. Data Transformation: The data even after cleaning are not ready for mining as
it needs to be transformed into an appropriate form for mining using different
techniques like - smoothing, aggregation, normalization etc.
e. Data Mining: In this, various data mining techniques are applied on the data to
discover the interesting patterns. Techniques like clustering and association
analysis are among the many different techniques used for data mining.
f. Pattern Evaluation and Knowledge Presentation: This step involves
visualization, transformation, removing redundant patterns etc. from the
patterns we generated.
g. Decisions / Use of Discovered Knowledge: This step helps user to make use of
the knowledge acquired to take better informed decisions.
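The association analysis named in step (e), as an added example written for this edit (not from the original text), run over constructed grocery baskets in which ‘rained_yesterday’ is included as a pseudo-item so that the milk-and-rain pattern from the grocery example can surface as a rule. The miner counts support for every item and item pair, then reports the rules that meet minimum support and confidence, together with lift so that genuine associations can be told apart from items that merely happen to be popular on their own. The baskets and the thresholds are assumptions made for the example.

```python
from collections import Counter
from itertools import combinations

# Constructed transactions (assumed data). Each basket is the set of items bought;
# the weather on the previous day is folded in as a pseudo-item.
BASKETS = [
    {"milk", "bread", "rained_yesterday"},
    {"milk", "eggs", "rained_yesterday"},
    {"milk", "rained_yesterday"},
    {"bread", "butter"},
    {"milk", "bread", "butter", "rained_yesterday"},
    {"eggs", "bread"},
    {"milk", "bread"},
    {"butter", "rained_yesterday"},
]


def support_counts(baskets, max_size=2):
    """Count in how many baskets each item and each item pair occurs."""
    counts = Counter()
    for basket in baskets:
        for size in range(1, max_size + 1):
            for combo in combinations(sorted(basket), size):
                counts[frozenset(combo)] += 1
    return counts


def mine_rules(baskets, min_support=0.25, min_confidence=0.6):
    """Return rules 'if A then B' that meet the thresholds, each with:
      support    = P(A and B)         share of baskets containing both
      confidence = P(B | A)           how often B follows A
      lift       = confidence / P(B)  1.0 means A says nothing about B
    Rules are sorted by descending lift."""
    n = len(baskets)
    counts = support_counts(baskets)
    rules = []
    for itemset, pair_count in counts.items():
        if len(itemset) != 2 or pair_count / n < min_support:
            continue
        a, b = sorted(itemset)
        for antecedent, consequent in ((a, b), (b, a)):
            confidence = pair_count / counts[frozenset([antecedent])]
            lift = confidence / (counts[frozenset([consequent])] / n)
            if confidence >= min_confidence:
                rules.append({
                    "if": antecedent, "then": consequent,
                    "support": round(pair_count / n, 3),
                    "confidence": round(confidence, 3),
                    "lift": round(lift, 3),
                })
    return sorted(rules, key=lambda r: (-r["lift"], r["if"], r["then"]))


def find_rule(rules, antecedent, consequent):
    """Look up one rule, or None if it did not pass the thresholds."""
    for r in rules:
        if r["if"] == antecedent and r["then"] == consequent:
            return r
    return None


if __name__ == "__main__":
    for rule in mine_rules(BASKETS):
        print(f"if {rule['if']:17} then {rule['then']:17} "
              f"support={rule['support']} confidence={rule['confidence']} lift={rule['lift']}")
```

In the constructed baskets, ‘if rained_yesterday then milk’ has confidence 0.8 and lift 1.28, while ‘if milk then bread’ also passes the confidence threshold but has lift below 1, which is the kind of pattern a pattern-evaluation step (step f) should discard rather than present as a finding.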
In some cases, a data-mining project is begun with a hypothetical result in mind. For
example, a grocery chain may already have some idea that buying patterns change
after it rains and want to get a deeper understanding of exactly what is happening. In
other cases, there are no pre-suppositions and a data-mining program is run against
large data sets to find patterns and associations. Table 3.7.3 provides the basic
differences between Database, Data Warehouse and Data Mining.
Table 3.7.3: Differences between Database, Data Warehouse & Data Mining
DATABASE: This stores real-time information. For example, in the telecommunication sector, the database stores information related to monthly billing details, call records, minimum balance etc. Its function is to record. Examples include MySQL, MS Access.
DATA WAREHOUSE: This stores both historic and transactional data. For example, in the same telecommunication sector, information in a data warehouse will be used for product promotions, decisions relating to sales, cash back offers etc. Its function is to report and analyse. Examples include Teradata, Informatica.
DATA MINING: This analyses data to find previously unknown trends. For example, in the same telecommunication sector, information will be analysed by data mining techniques to find out call duration with respect to a particular age group from the entire data available. Its function is to extract useful data. Examples include R language, Oracle Data Mining.

3.8 ORGANIZATION STRUCTURE AND


RESPONSIBILITIES
Organizations require structure to distribute responsibility to groups of people with specific skills and knowledge. The structure of an organization is depicted in an Organization Chart. Organizing and maintaining an organization structure requires that many factors be considered. In most organizations, the organization chart is a living structure that changes frequently, based upon several conditions:
♦ Short and long-term objectives: Organizations sometimes move departments
from one executive to another so that departments that were once far from each
other (in terms of the organizational chart structure) will be near each other. This
provides new opportunities for developing synergies and partnerships that did not
exist before the reorganization (reorg). These organizational changes are usually
performed to help an organization meet new objectives that require new
partnerships and teamwork that were less important before.
♦ Market conditions: Changes in market positions can cause an organization
to realign its internal structure to strengthen itself. For example, if a
competitor lowers its prices based on a new sourcing strategy, an
organization may need to respond by changing its organizational structure
to put experienced executives in-charge of specific activities.
♦ Regulation: New regulations may induce an organization to change its
organizational structure. For instance, an organization that becomes highly
regulated may elect to move its security and compliance group away from IT
and place it under the legal department, since compliance has much more to
do with legal compliance than industry standards.
♦ Available talent: When someone leaves an organization (or moves to
another position within the organization), particularly in positions of
leadership, a space opens in the organization chart that often cannot be filled
right away. Instead, senior management will temporarily change the structure
of the organization by moving the leaderless department under the control
of someone else. Often, the decisions of how to change the organization will

© The Institute of Chartered Accountants of India


INFORMATION SYSTEMS AND ITS COMPONENTS 3.91

depend upon the talent and experience of existing leaders, in addition to each
leader’s workload and other factors. For example, if the director of IT program
management leaves the organization, the existing department could
temporarily be placed under the IT operations department, in this case
because the director of IT operations used to run IT program management.
Senior management can see how that arrangement works out and later
decide whether to replace the director of IT program management position
or to do something else.
3.8.1 Roles and Responsibilities
The topic of roles and responsibilities is multidimensional; it encompasses positions
and relationships on the organization chart, it defines specific job titles and duties,
and it denotes generic expectations and responsibilities regarding the use and
protection of assets. Several roles and responsibilities fall upon all individuals
throughout the organization. Some of them are discussed below:
♦ Owner: An owner is an individual (usually but not necessarily a manager) who
is the designated owner-steward of an asset. Depending upon the
organization’s security policy, an owner may be responsible for the
maintenance and integrity of the asset, as well as for deciding who is
permitted to access the asset. If the asset is information, the owner may be
responsible for determining who may access and make changes to the
information.

♦ Manager: A manager, in the general sense, is responsible for obtaining
policies and procedures and making them available to their staff members.
They are also, to some extent, responsible for their staff members'
behavior.
♦ User: A user is an individual (at any level of the organization) who uses assets
in the performance of their job duties. Each user is responsible for how s/he
uses the asset and for not permitting others to access the asset in his/her name.
Users are responsible for performing their duties lawfully and for conforming
to organization policies.
These generic roles and responsibilities should apply across the organization chart
to include every person in the organization.

3.8.2 Job Titles based on Responsibilities


A Job Title is a label that is assigned to a job description. It denotes a position in
the organization that has a given set of responsibilities and which requires a certain
level and focus of education and prior experience.
In an organization, Executive Management includes executive managers, the
senior managers and executives who are responsible for developing the
organization’s mission, objectives, and goals, as well as policy. Executive managers
are responsible for enacting security policy, which defines (among other things) the
protection of assets. Executive managers set objectives and work directly with the
organization’s most senior management to help make decisions affecting the
future strategy of an organization. Table 3.8.1 describes in detail the functioning of
Executive Management in an organization.
Table 3.8.1: Executive Management in an organization

CIO (Chief Information Officer): This is the most senior executive in an
organization who works with IT and computer systems to support the
organization's goals.
CTO (Chief Technology Officer): The CTO is usually responsible for an
organization's overall technology strategy. Depending upon the purpose of the
organization, this position may be separate from IT.
CSO (Chief Security Officer): A CSO is responsible for all aspects of security,
including information security, physical security, and possibly executive
protection (protecting the safety of senior executives).
CISO (Chief Information Security Officer): This position is responsible for all
aspects of data-related security, which includes incident management, disaster
recovery, vulnerability management, and compliance.
CPO (Chief Privacy Officer): This position is found in organizations that
collect, store and protect sensitive information for large numbers of persons.


Fig. 3.8.1 provides an illustrative overview of positions that report to CIO in general.

CHIEF INFORMATION OFFICER (CIO), with the following functional groups and
positions reporting to the CIO:
Software Development: Systems Architect, Systems Analyst, Software Developer &
Programmer, Software Tester
Network Management: Network Architect, Network Engineer, Network Administrator,
Telecom Engineer
Data Management: Database Architect, Database Administrator, Database Analyst
Security Operations: Security Architect, Security Engineer, Security Analyst,
User Account Manager, Security Auditor
Systems Management: Systems Architect, Systems Engineer, Storage Engineer,
Systems Administrator
General Operations: Operations Manager, Operations Analyst, Controls Analyst,
Systems Operator, Data Entry Operator, Media Librarian
Service Desk: Help Desk Analyst, Technical Support Analyst
Fig. 3.8.1: Positions under CIO (illustrative)


(a) Software Development: Positions in software development are involved in
the design, development, and testing of software applications. Based on that,
Table 3.8.2 describes the various positions in software development.
Table 3.8.2: Positions in Software Development
Systems Architect: This position is usually responsible for the overall
information systems architecture in the organization. This may or may not
include overall data architecture as well as interfaces to external
organizations.
Systems Analyst: A systems analyst is involved with the design of applications,
including changes in an application's original design, and develops technical
requirements, program design, and software test plans. In cases where
organizations license applications developed by other companies, systems
analysts design interfaces to other applications.
Software Developer & Programmer: This position develops application software.
In organizations that utilize purchased application software, developers often
create custom interfaces, application customizations, and custom reports.
Software Tester: This position tests changes in programs made by software
developers.

(b) Data Management: Positions in data management as shown in Table 3.8.3
are responsible for developing and implementing database designs and for
maintaining databases.
Table 3.8.3: Positions in Data Management
Database Architect: This position develops logical and physical designs of data
models for applications as well as an organization's overall data architecture.
Database Administrator (DBA): This position builds and maintains databases
designed by the database architect. The DBA monitors the databases, tunes them
for performance and efficiency, troubleshoots problems and also ensures that
data is protected from unauthorized access by making it available only to users
as per their job roles.
Database Analyst: This position performs tasks that are junior to the database
administrator, carrying out routine data maintenance and monitoring tasks.

(c) Network Management: Positions in network management are responsible
for designing, building, monitoring, and maintaining voice and data
communications networks, including connections to outside business
partners and the Internet.
• Network Architect: This position is involved in the creation of plans and
the overall layout of the communication network, focusing on information
security aspects as well.
• Network Engineer: This position builds and maintains network devices
such as routers, switches, firewalls, and gateways.
• Network Administrator: This position performs routine tasks in the
network such as making minor configuration changes and monitoring
event logs.
• Telecom Engineer: Positions in this role work with telecommunications
technologies such as data circuits, phone systems, and voice mail
systems.
(d) Systems Management: Positions in systems management are responsible
for architecture, design, building, and maintenance of servers and operating
systems. Various positions in system management are shown in Table 3.8.4.
Table 3.8.4: Positions in Systems Management
Systems Architect: This position is responsible for the overall architecture of
systems (usually servers), both in terms of the internal architecture of a
system, as well as the relationship between systems and design of services such
as authentication, e-mail, and time synchronization.
Systems Engineer: This position is responsible for designing, building, and
maintaining servers and operating systems.
Storage Engineer: This position is responsible for designing, building, and
maintaining storage subsystems.
Systems Administrator: This position is responsible for performing maintenance
and configuration operations on systems.


(e) General Operations: Positions in operations are responsible for day-to-day
operational tasks that may include networks, servers, databases, and
applications.
• Operations Manager: This position is responsible for overall
operations that are carried out by others. Their main functions include
planning, operations process, strategy, staffing of resources as per their
skill sets, performance monitoring and improvement along with
establishing operations shift schedules.
• Operations Analyst: This position may be responsible for the
development of operational procedures; examining the health of
networks, systems, and databases; setting and monitoring the
operations schedule; and maintaining operations records.
• Controls Analyst: This position is responsible for monitoring batch
jobs, data entry work, and other tasks to make sure that they are
operating correctly.
• Systems Operator: This position is responsible for monitoring systems
and networks, performing backup tasks, running batch jobs, printing
reports, and other operational tasks.
• Data Entry Operator: This position is responsible for keying batches of
data from hard copy sources.
• Media Librarian: This position is responsible for maintaining and
tracking the use and whereabouts of backup tapes and other media.
(f) Security Operations: Positions in security operations are responsible for
designing, building, and monitoring security systems and security controls,
to ensure the confidentiality, integrity, and availability of information systems.
Refer Table 3.8.5 given below:
Table 3.8.5: Positions in Security Operations

Security Architect: S/he is responsible for the design of security controls and
systems such as authentication, audit logging, intrusion detection systems,
intrusion prevention systems, and firewalls.
Security Engineer: S/he is responsible for designing, building, and maintaining
security services and systems that are designed by the security architect.
Security Analyst: S/he is responsible for examining logs from firewalls,
intrusion detection systems, and audit logs from systems and applications and
issuing security advisories to others in IT.
User Account Manager: S/he is responsible for accepting approved requests for
user access management changes and performing the necessary changes at the
network, system, database, or application level. In larger organizations, user
account management is performed in security or even in a separate user access
department.
Security Auditor: S/he is responsible for performing internal audits of IT
controls to ensure that they are being operated properly.

(g) Service Desk: Positions at the service desk are responsible for providing front
line support services to IT and IT’s customers.
• Help desk Analyst: This position is responsible for providing front line
user support services to personnel in the organization.
• Technical Support Analyst: This position is responsible for providing
technical support services to other IT personnel, and perhaps also to IT
customers.

3.9 SEGREGATION OF DUTIES


Information systems often process large volumes of information that is sometimes
highly valuable or sensitive. Measures need to be taken in IT organizations to
ensure that individuals do not possess sufficient privileges to carry out potentially
harmful actions on their own. Checks and balances are needed, so that high-value
and high-sensitivity activities involve the coordination of two or more authorized
individuals. The concept of Segregation of Duties (SoD), also known as Separation
of Duties, ensures that single individuals do not possess excess privileges that could
result in unauthorized activities such as fraud or the manipulation or exposure of
sensitive data.
The concept of segregation of duties has long been established in organization
accounting departments where, for instance, separate individuals or groups are
responsible for the creation of vendors, the request for payments, and the printing
of checks. Since accounting personnel frequently handle checks and currency, the
principles and practices of segregation of duties controls in accounting
departments are the norm. For example, the person approving the purchase orders
should not be allowed to make payment and pass entries in the books at the same
time.


3.9.1 Segregation of Duties Controls


Preventive and detective controls should be put into place to manage segregation
of duties matters. In most organizations, both the preventive and detective controls
will be manual, particularly when it comes to unwanted combinations of access
between different applications. However, in some transaction-related situations,
controls can be automated although they may still require intervention by others.
3.9.2 Some Examples of Segregation of Duties Controls
♦ Transaction Authorization: Information systems can be programmed or
configured to require two (or more) persons to approve certain transactions.
Many of us see this in retail establishments where a manager is required to
approve a large transaction or a refund. In IT applications, transactions
meeting certain criteria (for example, exceeding normally accepted limits or
conditions) may require a manager’s approval to be able to proceed.
♦ Split custody of high-value assets: Assets of high importance or value can
be protected using various means of split custody. For example, a password
to an encryption key that protects a highly-valued asset or sensitive data can
be split in two halves, one half assigned to two persons, and the other half
assigned to two persons, so that no single individual knows the entire
password. Banks do this for central vaults, where a vault combination is split
into two or more pieces so that two or more are required to open it.
♦ Workflow: Applications that are workflow-enabled can use a second (or
third) level of approval before certain high-value or high-sensitivity activities
can take place. For example, a workflow application that is used to provision
user accounts can include extra management approval steps in requests for
administrative privileges.
♦ Periodic reviews: IT or internal audit personnel can periodically review user
access rights to identify whether any segregation of duties issues exist. Care
should also be taken to ensure that the access privileges are reviewed and
updated with the changing job roles. The access privileges for each worker
can be compared against a segregation of duties control matrix.
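The split custody control described above, shown as an added worked example that is not part of the textbook. The secret is split with exclusive-OR so that each share on its own reveals nothing about it; this goes beyond the textbook's example of cutting a password into literal halves, because a literal half hands its holder half of the password, whereas an XOR share is indistinguishable from random bytes. Following the text, each share is assigned to two custodians so that the absence of one person does not lock the asset, yet no single person holds every share. The custodian names, the sample secret and the function names are assumptions.

```python
"""Split custody of a secret with exclusive-OR secret splitting.

Added example, not from the textbook.  Custodian names and the sample
secret are constructed.
"""
import secrets
from functools import reduce


def split_secret(secret: bytes, n: int = 2) -> list:
    """Split `secret` into n shares; all n are needed to rebuild it.

    Every share except the last is uniformly random, and the last is the
    XOR of the secret with all the others, so any n-1 shares carry no
    information about the secret (unlike literal halves of a password).
    """
    if n < 2:
        raise ValueError("need at least two shares")
    random_shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = bytes(reduce(lambda a, b: a ^ b, column)
                 for column in zip(secret, *random_shares))
    return random_shares + [last]


def combine_shares(shares) -> bytes:
    """XOR all shares together to recover the secret."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*shares))


# Constructed custody assignment following the text: share 0 is known to
# two people and share 1 to two other people.
CUSTODY = {
    0: {"alice", "bob"},
    1: {"carol", "dave"},
}


def can_reconstruct(present, custody=CUSTODY) -> bool:
    """True only when at least one custodian of every share is present."""
    present = set(present)
    return all(holders & present for holders in custody.values())


def open_asset(present, shares, custody=CUSTODY) -> bytes:
    """Release the secret only under the two-custodian rule."""
    if not can_reconstruct(present, custody):
        raise PermissionError("a custodian of every share must be present")
    return combine_shares(shares)


if __name__ == "__main__":
    vault_key = b"constructed-vault-key-0123456789"   # sample secret
    parts = split_secret(vault_key, 2)
    print("alice alone can open:", can_reconstruct({"alice"}))
    print("bob + dave recover key:", open_asset({"bob", "dave"}, parts) == vault_key)
```

Each share is the same length as the secret, so a custodian who loses a share loses nothing the attacker can use, while losing all custodians of one share makes the asset unrecoverable; that is why the text assigns every share to two people.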
When SoD issues are encountered during a segregation of duties review,
management will need to decide how to mitigate the matter. The choices for
mitigating a SoD issue include -
♦ Reduce access privileges: Management can reduce individual user privileges
so that the conflict no longer exists.


♦ Introduce a new mitigating control: If management has determined that
the person(s) need to retain privileges that are viewed as a conflict, then new
preventive or detective controls need to be introduced that will prevent or
detect unwanted activities. Examples of mitigating controls include increased
logging to record the actions of personnel, improved exception reporting to
identify possible issues, reconciliations of data sets, and external reviews of
high-risk controls.
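The periodic review against a segregation of duties control matrix, the two choices for mitigating a conflict, and the transaction authorization control described in Section 3.9.2, brought together in one added worked example that is not part of the textbook. The conflict pairs follow the accounting example on the page (vendor creation, payment request, purchase order approval, payment, cheque printing and posting to the books); the privilege names, the user list and the approval limits are constructed sample data.

```python
"""Segregation-of-duties (SoD) review and two-person transaction approval.

Added example, not from the textbook.  Privilege names, users, conflict
pairs and approval limits are constructed sample data.
"""
from dataclasses import dataclass

# SoD control matrix: pairs of privileges that one person must not hold
# together, since holding both lets one person complete the process alone.
SOD_MATRIX = {
    frozenset({"create_vendor", "request_payment"}),
    frozenset({"approve_purchase_order", "make_payment"}),
    frozenset({"make_payment", "post_journal_entry"}),
    frozenset({"request_payment", "print_cheque"}),
}

# Constructed sample of each worker's current access privileges.
USER_PRIVILEGES = {
    "alice": {"create_vendor", "post_journal_entry"},
    "bob":   {"approve_purchase_order", "make_payment", "post_journal_entry"},
    "carol": {"request_payment"},
    "dave":  {"request_payment", "print_cheque"},
}


@dataclass
class Finding:
    user: str
    conflict: tuple     # the two privileges held together
    mitigation: str     # "reduce_access" or "mitigating_control"


def review_access(user_privs, matrix=SOD_MATRIX, compensated=frozenset()):
    """Periodic review: compare every worker's privileges with the matrix.

    Users named in `compensated` keep the conflict under a documented
    mitigating control (increased logging, exception reporting,
    reconciliation); every other conflict is recorded for privilege
    reduction.  Output order is deterministic (users, then pairs, sorted).
    """
    findings = []
    for user, privs in sorted(user_privs.items()):
        for pair in sorted(matrix, key=sorted):
            if pair <= privs:
                action = "mitigating_control" if user in compensated else "reduce_access"
                findings.append(Finding(user, tuple(sorted(pair)), action))
    return findings


def drop_privilege(user_privs, user, privilege):
    """The 'reduce access privileges' option: return a copy of the access
    table with one privilege removed from one user."""
    updated = {u: set(p) for u, p in user_privs.items()}
    updated[user].discard(privilege)
    return updated


APPROVAL_LIMIT = 10_000   # constructed threshold for manager approval


def required_approvers(amount):
    """Authorization tiers: no extra approver up to the limit, one manager
    above it, two managers above ten times the limit."""
    if amount <= APPROVAL_LIMIT:
        return 0
    if amount <= 10 * APPROVAL_LIMIT:
        return 1
    return 2


def authorize_transaction(amount, requester, approvers):
    """Two-person rule: approvers are counted as distinct people, and the
    requester can never approve their own transaction."""
    distinct = {a for a in approvers if a != requester}
    return len(distinct) >= required_approvers(amount)


if __name__ == "__main__":
    for f in review_access(USER_PRIVILEGES, compensated={"bob"}):
        print(f"{f.user}: {f.conflict[0]} + {f.conflict[1]} -> {f.mitigation}")
    print("bob approves carol's 50,000:", authorize_transaction(50_000, "carol", ["bob"]))
```

Run as a script, the review reports bob twice (approval plus payment, payment plus posting) under a mitigating control and dave once (payment request plus cheque printing) for privilege reduction; removing dave's cheque-printing privilege and re-running the review clears that finding, which is the check an auditor would expect to see after a remediation.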
ILLUSTRATION 3.1
In 2017, XYZ Systems had shifted to the SQL Server Relational Database
Management System from the previously used IBM Information Management
System which used a hierarchical database model to create a well-organized
database to store organizational data.
On acquiring a good number of global clients and keeping in view the increased
number, complexity of the overseas transactions and the management’s need for
periodic performance analysis; XYZ Systems planned to leverage the benefit of data
warehouse whereas the research team suggested the implementation of Big data.
However, XYZ Systems did not implement suitable security controls and hence
recently faced a data security breach which led to the unauthorized manipulation of
certain confidential data. This resulted in XYZ Systems paying a substantial amount
as compensation and the loss of a major client.
Consequently, XYZ Systems has now implemented varied controls starting from
strict password management to high level access controls and monitoring
mechanism ensuring that there are no further data security issues.
Answer the following Questions:
1 The XYZ Systems initially used IBM Information Management system which
used a hierarchical database model. Which type of relationship is not
supported by such database model?
(i) One-to-One
(ii) Many-to-One
(iii) One-to-Many
(iv) None of the above
2 The XYZ Systems recently shifted to the SQL Server DBMS from the IBM
Information Management system that it previously used. Under which aspect,
the SQL Server differs from IBM Information Management System?
(i) One-to-one relationship


(ii) One-to-many relationship
(iii) Relational Database structure
(iv) None of the above
3 Which among the following is not an advantage of the SQL Server DBMS?
(i) Data Sharing
(ii) Data Redundancy
(iii) Program and File consistency
(iv) None of the above
4 To ensure that the communication between their private network and public
network is secured, one of the steps taken by XYZ Systems is to install a
firewall. The installation of a firewall is a __________ type of control.
(i) Preventive
(ii) Corrective
(iii) Detective
(iv) None of the above
5 XYZ Systems made its access privileges more stringent so as to prevent
unauthorized users gaining entry into secured area and also minimum entry
granted to users based on their job requirements. Which of the following
Logical Access control covers this aspect?
(i) Operating System Access Control
(ii) Network Access Controls
(iii) User Access Management
(iv) Application and Monitoring System control
6 Based on the risk assessment by the audit team, the management of XYZ
Systems decided to specify the exact path of internet access by routing
the internet access of the employees through a firewall and proxy. This is
referred to as _______.
(i) Encryption
(ii) Enforced Path
(iii) Call Back Devices
(iv) None of these


SOLUTION
Question No.: Answer
1: (ii) Many-to-One
2: (iii) Relational Database structure
3: (ii) Data Redundancy
4: (i) Preventive
5: (iii) User Access Management
6: (ii) Enforced Path

ILLUSTRATION 3.2
Bianc Computing Ltd. has implemented a set of controls including those with
respect to security, quality assurance and boundary controls to ensure that the
development, implementation, operation and maintenance of information systems
takes place in a planned and controlled manner. It has also ensured that logs are
designed to record activity at the system, application, and user level.
Along with the implementation of controls and maintenance of logs, it has
approached a leading firm of IS auditors to conduct a comprehensive audit of its
controls. Within the organization also, it has opened new job roles and has hired
people with the required skill sets for the same.
Answer the following Questions:
1 The team of network engineers of Bianc Computing Ltd. recommended
certain controls to be implemented in the organization to bridge the rate of
data reception and transmission between two nodes. Which types of controls
are being referred to here?
(i) Link Controls
(ii) Flow Controls
(iii) Channel Access Controls
(iv) Line Error Controls
2 Which control is used to ensure that the user can continue working, while
the print operation is getting completed? This is known as ___________.
(i) Printing Controls
(ii) Spooling File Control


(iii) Spoofing File Control
(iv) Print-Run-to-Run Control Totals
3 Bianc Computing Ltd. has also opened up new job roles and has hired persons
with the required skill sets for the same as given below.

Job Role:
1. Developing logical and physical designs of data models
2. Providing front line user support services
3. Staffing of resources for upcoming projects
4. Examining logs from firewalls, and providing security advisories
5. Performing maintenance and configuration operations on systems
6. Building and maintaining network devices such as routers, switches etc.
7. Developing technical requirements, program design, and software test plans
Person Responsible:
(a) Operations Manager
(b) Security Analyst
(c) Database Architect
(d) Help Desk Analyst
(e) Systems Analyst
(f) System Administrator
(g) Network Engineer
Identify the right match to the job roles assigned and the responsible persons
for the job role.
(i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)
(ii) 1(d), 2(b), 3(c), 4(g), 5(f), 6(a), 7(e)
(iii) 1(e), 2(b), 3(c), 4(g), 5(a), 6(f), 7(d)
(iv) 1(g), 2(f), 3(e), 4(d), 5(c), 6(b), 7(a)
SOLUTION

Question No.: Answer
1: (ii) Flow Controls
2: (ii) Spooling File Control
3: (i) 1(c), 2(d), 3(a), 4(b), 5(f), 6(g), 7(e)


SUMMARY
In the contemporary world, business is a driving force behind change, and the
dynamic through which organizations gain insight into their trade is called
integration. Organizations of the 1990s concentrated on the re-engineering and
redesign of their business processes to strengthen their competitive advantage.
To survive in the 21st century, organizations have started paying attention to
integrating enterprise-wide technology solutions, called Business Information
Systems (BIS), to improve their business processes. Now, every organization
integrates part or all of its business functions to achieve higher effectiveness
and yield. The thrust of the argument is that Information Technology (IT), when
skillfully employed, can in various ways differentiate an organization from its
competitors, add value to its services or products in the eyes of its customers,
and secure a competitive advantage over its competition.
Although information systems have raised high hopes in companies for their
growth, as they reduce processing time and help in cutting cost, most research
studies show that there is a remarkable gap between their capabilities and the
business-related demands that senior management is placing on them. We learnt
that any enterprise, to be effective and efficient, must use Business Process
Automation (BPA), which is largely aided by computers or IT. Information
systems, which form the backbone of any enterprise, comprise various layers such
as application software, Database Management Systems (DBMS), system software,
operating systems, hardware, network links and people (users).
This Chapter has provided an overview of the importance of information systems in an
IT environment and how information is generated. There has been a detailed discussion
on Information System Audit, its need, and the method of performing it. The Chapter
also outlines the losses that an organization may face in case it does not get its
systems audited.

TEST YOUR KNOWLEDGE


Theory Questions
1. Information System Model is responsible to convert the data into information
which is useful and meaningful to the user. Explain all steps involved in
Information System Model. (Refer Section 3.2)
2. Briefly discuss the components of Computer based Information Systems.
(Refer Section 3.3)


3. Discuss the term ’Operating System’ and various operations performed by it.
(Refer Section 3.3.2 [Point II])
4. Database Management Systems (DBMS) is a software that aids in organizing,
controlling and using the data needed by the application program However,
there are many advantages and disadvantages associated with it. Discuss them.
(Refer Section 3.3.3)
5. Discuss Boundary Controls under the Application Control Framework in detail.
(Refer Section 3.4.3B[I])
6. Discuss Corrective Controls with the help of examples. Also, discuss their broad
characteristics in brief. (Refer Section 3.4.1[Point C])
8. Describe the term Preventive Controls and provide suitable examples. Also,
discuss their broad characteristics in brief. (Refer Section 3.4.1[Point A])
9. Discuss in brief the following terms:
(i) Snapshots (Refer Section 3.5.2)
(ii) Audit Hooks (Refer Section 3.5.2)
10. Recognize various factors influencing an organization towards control and audit
of computers. (Refer Section 3.5.1)
11. Data warehouse and Data Mining are terms related to better management of
information to enable quicker and effective decision-making in organizations.
Critically evaluate the statement. (Refer Section 3.7.3 & 3.7.4)
12. Explain the concept of Segregation of Duties (SoD) controls and its examples.
(Refer Section 3.9.1)
13. An internet connection exposes an organization to the harmful elements of
the outside world. As a network administrator, which Network Access controls
will you implement in the organization to protect from such harmful
elements? (Refer Section 3.4.2[C-III])
14. A company XYZ is developing a software using the program development life
cycle methodology and applying control, phases in parallel to the
development phases to monitor the progress against plan. Being an IT
developer, design the various phases and their controls for program
development life cycle. (Refer Table 3.4.5)
15. Discuss the key activities which require special attention for auditing the user
access provisioning. (Refer Section 3.6.3[(b - I)]
