ADVANCED INFORMATION TECHNOLOGY TRAINING PROGRAMME

COURSE MATERIAL MODULE – II

Board of Studies The Institute of Chartered Accountants of India, New Delhi

The objective of this background material is to provide uniform reference material to the students undergoing the 100 hours Advanced Information Technology Training. All attempts have been made to make the discussion simple and comprehensive. Students may note that the material has been prepared with the objective of helping them acquire the requisite knowledge and skills in the subject and gain hands-on experience. It is also expected to serve as a reference book in their future education and training. In case students have any suggestions for further improvement of the material contained herein, they may write to the Board of Studies or the ITT Section, IT Directorate, ICAI Bhawan, A-29, Sector – 62, Noida. Queries can also be sent to : [email protected]. All care has been taken to provide the material in a manner useful to the students. However, the material has not been specifically discussed by the Council of the Institute or any of its Committees, and the views expressed herein may not be taken to necessarily represent the views of the Council or any of its Committees. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior permission, in writing, from the Institute.

© The Institute of Chartered Accountants of India, January 2009

CONTENTS

UNIT-3 : COMPUTER ASSISTED AUDIT TECHNIQUES ..... 1
CHAPTER 1. INTRODUCTION TO CAAT ..... 1
CHAPTER 2. DATA ANALYSIS AND AUDIT TECHNIQUES ..... 10
CHAPTER 3. DATA ANALYSIS USING IDEA ..... 15

UNIT-4 : CORE BANKING SOLUTION ..... 65
CHAPTER 1. CBS BASICS AND ITS WORKING METHODOLOGY ..... 67
CHAPTER 2. CBS INTERFACES-THEIR FUNCTIONALITY AND CONTROLS ..... 89
CHAPTER 3. SYSTEMS AUDIT OF CBS AND ITS INTERFACES ..... 116

UNIT-5 : ENTERPRISE RESOURCE PLANNING ..... 129
CHAPTER 1. ERP OVERVIEW ..... 131
CHAPTER 2. ERP IMPLEMENTATION ..... 151
CHAPTER 3. ERP CONTROL AND AUDIT ..... 168
CHAPTER 4. E-FILING ..... 214

UNIT-6 : OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE ..... 219
CHAPTER 1. IT APPLICATION IN CA’S OFFICE ..... 221
CHAPTER 2. INFORMATION SECURITY IN CA’S OFFICE ..... 258
CHAPTER 3. APPLICATIONS USING MIS AND DSS ..... 291

UNIT 3: COMPUTER ASSISTED AUDIT TECHNIQUES

CHAPTER 1: INTRODUCTION TO CAAT

LEARNING OBJECTIVES

The learning objectives of the CAAT module are:

- Understand how to use office automation software for performing various tasks relevant to the services provided by chartered accountants in the areas of accounting, assurance and compliance.
- Understand how to use CAAT/SQL queries for data analysis as required.
- Understand how to review controls implemented at various levels/layers, such as parameters, user creation, granting of access rights, and input, processing and output controls in enterprise applications.

1.0 Introduction Auditors deal with information in myriad ways encompassing the areas of accounting, assurance, consulting and compliance and most of this information is now available in electronic form. This is true not only in case of large and medium enterprises but even in small enterprises. In case there are enterprises who have still not adapted the digital way, then it is an opportunity for Auditors to help such enterprises to ride the digital wave. Hence, it has become critical for Auditors to understand and use information technology as relevant for the services we provide. It is rightly said: “one cannot audit data which is flying in bits and bytes by using the ancient method of riding on a horse back”. We are living in a knowledge era where the skill sets are keys to harnessing the power of technology to be effective as knowledge workers. Computer Assisted Audit Techniques (CAATs) refers to using technology for increasing the effectiveness and efficiency of auditing. CAATs enable auditors to do more with less and add value through the assurance process which is more robust and comprehensive. This chapter provides an overview of the process, approach and techniques which could be used across various technology platforms and in diverse enterprises.

1.1 The all-encompassing electronic data

A great blessing in ancient times was: “May you live in exciting times”. Indeed, we are living in exciting times without even being aware of it. We are experiencing how technology innovations are making our life and living simpler by bridging global boundaries and bringing global information to our fingertips. For enterprises as well as professionals, the question is no longer what technology can do for us but what we can do with technology. The question “do I need to use technology” is no longer relevant; the relevant decision is “how do I use technology to remain relevant”. Information technology is all-pervasive, and more so as government and regulatory agencies are also using technology platforms to provide services to citizens and compelling information to be filed in electronic form. The government at all levels has drawn up ambitious plans to implement e-Governance initiatives to improve the speed, access and transparency of services. The Information Technology (IT) Act 2000, with the IT Amendment Act 2008 and the IT Rules 2011, provides the regulatory framework and mechanism for recognizing electronic records and electronic transactions, thereby facilitating e-commerce, and also identifies cybercrimes and provides penalties and compensation for them. Hence, we can expect IT usage to keep growing in the near future, impacting all areas of life and more so our work as professionals.

1.2 Auditors and CAATs

As auditors, we come across computers and communication technology as the most common denominator among our clients, both large and small. Further, we use computers and communication technology for providing services to our clients. In today’s complex and rapidly changing technology environment, it is important to master the right techniques which can be used across enterprises and across various technology platforms. Typical of an IT environment are the speed of processing, the large capacity of storage, the lack of paper-based trails, the radically different way of information processing, the ease of information access, internal controls being embedded in the software, and the ever-present risk of failure of IT and loss of data. All these factors make it imperative for auditors to harness the power of technology to audit the technology environment, taking into consideration the risks, benefits and advantages. CAATs empower auditors with key survival techniques which can be used effectively in any IT environment. CAATs are not specialist tools designed for use only by specialist IT auditors; they are common techniques which can be easily mastered to audit in a computerized environment for statutory audit, tax audit and internal audit, as well as for providing consulting services.

1.3 CAATs as audit tools

CAATs are tools for drawing inferences and gathering relevant and reliable evidence as per the requirements of the assignment. CAATs provide direct access to electronic information and empower auditors not only to perform their existing audits more efficiently and effectively but also to create and execute new types of IT-related audit assignments. CAATs provide a mechanism to gain access to data, analyze it as per the audit objective and report the audit findings, with greater emphasis on the reliability of electronic information maintained in the computer system. The audit process becomes more reliable because the auditor works from the source data itself, which gives greater assurance on audit findings and opinion. CAATs are available in general audit software designed for this purpose, but the techniques of CAATs can be applied even by using commonly used software such as MS Excel and by using the query/reporting features of commonly used application software. CAATs can be used to perform routine functions or activities which can be done using computers, allowing auditors to spend more time on analysis and reporting. A good understanding of CAATs, and knowing where and when to apply them, is the key to success. ICAI has published a guidance note on CAAT and a publication titled “Data Analysis for Auditors”, which may be referred to for more details.

1.4 Need for CAATs

In the diverse digital world of clients’ enterprises, the greatest challenge for an auditor is to use technology to access, analyze and audit this maze of electronic data. CAATs enable auditors to move from the era of ticks using a pencil or pen to the era of clicks using a mouse. CAATs help auditors change focus from time-consuming manual audit procedures to intelligent analysis of data, so as to provide better assurance to clients and also manage audit risks. Some of the key reasons for using CAATs are:


1. Absence of input documents or lack of a visible paper trail may require the use of CAATs in the application of compliance and substantive procedures.
2. Need for obtaining sufficient, relevant and useful evidence from the IT applications or database as per audit objectives.
3. Ensuring audit findings and conclusions are supported by appropriate analysis and interpretation of the evidence.
4. Need to access information from systems having different hardware and software environments, different data structures, record formats and processing functions, in a commonly usable format.
5. Need to increase audit quality and comply with auditing standards.
6. Need to identify materiality, risk and significance in an IT environment.
7. Improving the efficiency and effectiveness of the audit process.
8. Ensuring better audit planning and management of audit resources.

1.5 Obtaining audit data

In most cases where CAATs are used, it becomes necessary to obtain a copy of the data in its original format for independent analysis. The data has to be obtained in a commonly accepted format. It is important to understand the format in which the data is stored in the application which is being audited. If the data is in a native format which is not readable by the audit software, then it is necessary to use the reporting feature of the application software and export the data to a format recognized by the audit software. For example, the auditor may not be aware of the data structure/tables of software developed for the client by a vendor. In such a case, the auditor may have to study the reporting features and use the export feature to get the data in the required format. It is very important to educate the client about the need to obtain a copy of the data as required for audit. Based on the audit scope and the relevant audit environment, the auditor has to finalize the approach for getting the data for audit. This may include installing audit software on the client system or using the application software itself for audit, as feasible.

1.6 Key steps for obtaining data

1. Discuss with the client the requirement of raw data for audit and issue a request letter for the requested data in the specified form as per the audit objectives.
2. Discuss with the IT personnel responsible for maintaining the data/application software, obtain copies of the record layout and definitions of all fields, and ensure that you have an overall understanding of the data. The record layout should describe each field and provide information about the starting and ending positions and the data type (numeric, alphanumeric, character, date, etc.).
3. Print a sample list of the first 100 records in the data file and compare this to a printout of the obtained data to confirm they are correct.
4. Verify data for completeness and accuracy by checking the field types and formats, such as identifying all records with an invalid date in a date field.
5. Obtain control totals of all the key data and compare them with totals from the raw data to ensure all records have been properly obtained. This can be performed by importing the data into the audit software and reviewing the statistics of all the key fields.
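As an added example (not part of the ICAI module) of steps 2, 4 and 5 above, the following Python script cuts a fixed-width extract into fields using a record layout of the kind the client's IT staff would supply, flags records whose fields fail their type or date checks, and reconciles the record count and amount total against the control totals reported by the client. The layout, the four sample records and the client's control totals are all constructed for illustration; the client totals are deliberately set so that one record appears to be missing from the extract, and the SHA-256 of the file received is recorded so the working papers can show exactly which copy of the data was analysed.

```python
"""Validate a fixed-width audit data extract against its record layout.

Added example, not from the ICAI module: the layout, the sample records and
the client's control totals are constructed for illustration.
"""
import hashlib
from datetime import datetime
from decimal import Decimal, InvalidOperation

# Record layout as supplied by the client's IT staff (step 2):
# (field name, start position, end position, type). Positions are 1-based and
# inclusive; types are N = numeric, D = date YYYYMMDD, A = amount, C = character.
LAYOUT = [
    ("voucher_no", 1, 6, "N"),
    ("txn_date", 7, 14, "D"),
    ("account", 15, 22, "N"),
    ("amount", 23, 32, "A"),
    ("narration", 33, 52, "C"),
]

# Constructed sample extract (52-character records). Two records are
# deliberately malformed so that the checks in step 4 have something to find.
SAMPLE_EXTRACT = "\n".join(
    f"{v}{d}{a}{amt:>10}{narr:<20}"
    for v, d, a, amt, narr in [
        ("000101", "20080415", "10010001", "1250.00", "CASH SALES"),
        ("000102", "20080431", "10010002", "800.50", "PURCHASE"),          # 31 April: invalid date
        ("000103", "20080416", "1001000X", "20500.00", "VENDOR PAYMENT"),  # non-numeric account
        ("000104", "20080416", "10010003", "99.99", "STATIONERY"),
    ]
) + "\n"

# Control totals reported by the client from the source system (step 5).
# Assumed values: they imply one more record (Rs. 500.00) than the extract holds.
CLIENT_CONTROL_TOTALS = {"record_count": 5, "amount_total": Decimal("23150.49")}


def parse_records(extract):
    """Cut each line into fields according to LAYOUT; values stay as raw strings."""
    records = []
    for line in extract.splitlines():
        if line.strip():
            records.append({name: line[start - 1:end] for name, start, end, _ in LAYOUT})
    return records


def validate_record(rec):
    """Return the list of field-level problems in one record (empty if clean)."""
    problems = []
    for name, _, _, ftype in LAYOUT:
        value = rec[name].strip()
        if ftype == "N" and not value.isdigit():
            problems.append(f"{name}: expected numeric, got {value!r}")
        elif ftype == "D":
            try:
                datetime.strptime(value, "%Y%m%d")
            except ValueError:
                problems.append(f"{name}: invalid date {value!r}")
        elif ftype == "A":
            try:
                Decimal(value)
            except InvalidOperation:
                problems.append(f"{name}: invalid amount {value!r}")
    return problems


def control_totals(records):
    """Record count and sum of the amount field over the extract."""
    total = Decimal("0")
    for rec in records:
        try:
            total += Decimal(rec["amount"].strip())
        except InvalidOperation:
            pass  # already reported by validate_record
    return {"record_count": len(records), "amount_total": total}


def reconcile(extract, client_totals):
    """Parse, validate and reconcile an extract; returns a dict for the working papers."""
    records = parse_records(extract)
    exceptions = {r["voucher_no"]: p for r in records if (p := validate_record(r))}
    totals = control_totals(records)
    mismatches = {k: (totals[k], v) for k, v in client_totals.items() if totals[k] != v}
    return {
        "sha256": hashlib.sha256(extract.encode()).hexdigest(),  # fingerprint of the file received
        "totals": totals,
        "mismatches": mismatches,
        "exceptions": exceptions,
    }


if __name__ == "__main__":
    result = reconcile(SAMPLE_EXTRACT, CLIENT_CONTROL_TOTALS)
    print("extract sha256:", result["sha256"])
    print("totals:", result["totals"])
    print("mismatches vs client (extract, client):", result["mismatches"])
    for voucher, problems in result["exceptions"].items():
        print(voucher, "->", "; ".join(problems))
```

Amounts are handled as Decimal rather than float so that the reconciliation total is exact to the paisa; a float sum can differ from the client's total by a rounding error and produce a false mismatch. A mismatch in either total means the extract is not the audit universe and must be re-obtained before any analysis is performed on it.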

1.7 Key capabilities of CAATs

CAATs refer to using computers for auditing data as per audit objectives. This requires an understanding of the IT environment and, most critically, of the core applications and the relevant database and database structure. CAATs can be applied using the relevant functionalities available in general audit software, spreadsheet software or the business application software. Broadly, the key capabilities of CAATs can be categorized as follows:

1. File access: This refers to the capability of reading different record formats and file structures. These include common data formats such as database, text and Excel files. This is generally done using the import/ODBC function.
2. File reorganization: This refers to the features of indexing, sorting, merging and linking with other identified files. These functions provide the auditor with an instant view of the data from different perspectives.
3. Data selection: This involves using global filter conditions to select the required data based on specified criteria.
4. Statistical functions: This refers to the features of sampling, stratification and frequency analysis. These functions enable intelligent analysis of data.
5. Arithmetical functions: This refers to the functions involving the use of arithmetic operators. These functions enable re-computation and re-performance of results.

Precautions in using CAATs

CAATs have distinct advantages for auditors and enable them to perform various types of tests. However, it is important to ensure that adequate precautions are taken in using them. Some of the important precautions to be taken by auditors are:

1. Identify correctly the data to be audited.
2. Collect the relevant and correct data files.
3. Identify all the important fields that need to be accessed from the system.
4. State in advance the format in which the data can be downloaded and define the fields correctly.
5. Ensure the data represents the audit universe correctly and completely.
6. Ensure the data analysis is relevant and complete.
7. Perform substantive testing as required.
8. Treat the output of CAATs as indicators of possible problems, and perform detailed testing as required before drawing conclusions.


1.8 Step by step methodology for using CAATs

CAATs are very critical tools for auditors. Hence, it is important to formulate appropriate strategies to ensure their effective use. Some of the key steps in using CAATs are:

1. Identify the scope and objectives of the audit. Based on this, the auditor can decide the need for and the extent to which CAATs could be used.
2. Identify the critical data which is being audited as per the audit scope and objectives.
3. Identify the sources of data from the enterprise information system/application software. These could relate to the general ledger, inventory, payroll, sundry debtors or sundry creditors.
4. Identify the relevant personnel responsible for the data and information system. These personnel could be from the IT department, vendors, managers, etc.
5. Obtain and review documents relating to the data/information systems. This should provide information about data types/data structures and the data flow of the system.
6. Understand the software by having a walk-through right from user creation, grant of user access and configuration settings to data entry, query and reporting features.
7. Decide which CAAT techniques could be used as relevant to the environment, using relevant CAAT software as required.
8. Prepare a detailed plan for analyzing the data. This includes all the above steps.
9. Perform the relevant tests on the audit data as required and prepare audit findings, which will be used for forming the audit report/opinion.

1.9 Examples of tests performed using CAATs

CAATs can be used for compliance or substantive tests. As per the audit plan, compliance tests of controls are performed first, based on the risk assessment, and the nature and extent of the substantive tests are then decided on the basis of the compliance test results. Some examples of tests which can be performed using CAATs are given below:

1. Identify exceptions: Identify exceptional transactions based on set criteria. For example, cash transactions above Rs. 20,000.
2. Analysis of controls: Identify whether controls as set have been working as prescribed. For example, transactions are entered within the authorised limits of the specified users.
3. Identify errors: Identify data which is inconsistent or erroneous. For example, an account number which is not numeric.
4. Statistical sampling: Perform various types of statistical analysis to select samples as required.
5. Detect frauds: Identify potential areas of fraud. For example, transactions entered on non-working days, or purchases from vendors who are not approved.
6. Verify calculations: Re-perform various computations in the audit software to confirm that the results from the application software agree with the audit software. For example, the TDS rate applied as per the criteria.
7. Existence of records: Identify fields which have null values. For example, invoices which do not have a vendor name.
8. Data completeness: Identify whether all fields have valid data. For example, null values in any key field such as date, invoice number, value or name.
9. Data consistency: Identify data which is not consistent with the regular format. For example, invoices which are not in the required sequence.
10. Duplicate payments: Establish relationships between two or more tables as required. For example, duplicate payment for the same invoice.
11. Inventory obsolescence: Sort inventory based on date of purchase or categories as per specified aging criteria or period, and identify inventory which has become obsolete.
12. Accounts exceeding authorized limit: Identify data beyond a specified limit. For example, transactions entered by a user beyond their authorized limit, payment to a vendor beyond the amount due, or overdraft allowed beyond the limit.
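The tests listed above map directly onto SQL queries, which is also how they are run from the query feature of most application software or from a CAAT tool's ODBC link. The following Python script is an added example, not from the ICAI module or any audit software vendor: it loads a constructed set of transactions into an in-memory SQLite database and runs one query per test (exceptions, authorised limits, unapproved vendors, non-working days, null fields, duplicates, sequence gaps and a TDS re-computation). The table and column names, the authorised limits, the approved-vendor list and the 10% TDS rate used for re-computation are all assumptions made for the example; each sample row is planted to trip at least one test so the output can be checked by hand.

```python
"""Audit tests from section 1.9 expressed as SQL and run over a constructed
SQLite database. Added example, not from the ICAI module: the schema, the
sample rows, the authorised limits and the 10% TDS rate are assumptions.
"""
import sqlite3

SCHEMA = """
CREATE TABLE users (user_id TEXT PRIMARY KEY, auth_limit REAL);
CREATE TABLE approved_vendors (vendor TEXT PRIMARY KEY);
CREATE TABLE transactions (
    txn_id INTEGER PRIMARY KEY, txn_date TEXT, vendor TEXT, mode TEXT,
    amount REAL, tds REAL, user_id TEXT, invoice_no INTEGER);
"""
USERS = [("u1", 50000.0), ("u2", 10000.0)]
APPROVED_VENDORS = [("ACME",), ("INITECH",)]
# Constructed rows; the comment on each says which test it is planted to trip.
TRANSACTIONS = [
    (1, "2008-04-14", "ACME", "CASH", 25000.0, 2500.0, "u1", 5001),   # cash above Rs. 20,000
    (2, "2008-04-15", "ACME", "BANK", 12000.0, 1200.0, "u2", 5002),   # exceeds u2's authorised limit
    (3, "2008-04-19", "GLOBEX", "BANK", 3000.0, 300.0, "u1", 5003),   # Saturday; vendor not approved
    (4, "2008-04-16", None, "BANK", 4500.0, 450.0, "u1", 5005),       # vendor missing; 5004 skipped
    (5, "2008-04-16", "ACME", "BANK", 12000.0, 1200.0, "u1", 5002),   # duplicate of invoice 5002
    (6, "2008-04-17", "INITECH", "BANK", 700.0, 50.0, "u2", 5006),    # TDS under-deducted (10% = 70)
]

# One query per test; each returns the rows that need follow-up.
AUDIT_TESTS = {
    "cash_above_20000":
        "SELECT txn_id FROM transactions WHERE mode = 'CASH' AND amount > 20000",
    "beyond_user_limit":
        "SELECT t.txn_id FROM transactions t JOIN users u ON u.user_id = t.user_id "
        "WHERE t.amount > u.auth_limit",
    "unapproved_vendor":  # NULL vendors are reported by missing_vendor, not here
        "SELECT txn_id FROM transactions WHERE vendor IS NOT NULL "
        "AND vendor NOT IN (SELECT vendor FROM approved_vendors)",
    "non_working_day":  # strftime('%w') gives 0 = Sunday, 6 = Saturday
        "SELECT txn_id FROM transactions WHERE strftime('%w', txn_date) IN ('0', '6')",
    "missing_vendor":
        "SELECT txn_id FROM transactions WHERE vendor IS NULL OR TRIM(vendor) = ''",
    "duplicate_invoice":
        "SELECT vendor, invoice_no, amount, COUNT(*) FROM transactions "
        "GROUP BY vendor, invoice_no, amount HAVING COUNT(*) > 1",
    "invoice_sequence_gap":  # reports the first missing number after each break
        "SELECT DISTINCT t.invoice_no + 1 FROM transactions t "
        "WHERE t.invoice_no < (SELECT MAX(invoice_no) FROM transactions) "
        "AND NOT EXISTS (SELECT 1 FROM transactions x WHERE x.invoice_no = t.invoice_no + 1)",
    "tds_recalculation":  # re-perform the deduction at the assumed 10% rate
        "SELECT txn_id FROM transactions WHERE ABS(tds - ROUND(amount * 0.10, 2)) > 0.005",
}


def build_sample_db():
    """Create the in-memory database and load the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.executemany("INSERT INTO approved_vendors VALUES (?)", APPROVED_VENDORS)
    conn.executemany("INSERT INTO transactions VALUES (?, ?, ?, ?, ?, ?, ?, ?)", TRANSACTIONS)
    return conn


def run_audit_tests(conn):
    """Run every test and return {test name: list of exception rows}."""
    return {name: conn.execute(sql).fetchall() for name, sql in AUDIT_TESTS.items()}


if __name__ == "__main__":
    for name, rows in run_audit_tests(build_sample_db()).items():
        print(f"{name:22s} {len(rows)} exception(s): {rows}")
```

Two details matter in practice. A `NOT IN` test silently drops rows whose vendor is NULL, so missing values need their own test (as above) or every other test under-reports. And a row returned by a test is an indicator to be followed up, not a finding: transaction 3 falls on a Saturday, which is an exception only if the entity does not work on Saturdays.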

1.10 Analytical review procedures

The various standards on auditing highlight the need to acquire the required skill-sets to audit in an IT environment and to use the relevant techniques. Many of the requirements of the auditing standards can be complied with by adapting them for use in an IT environment. For example, Standard on Auditing (SA) 520, Analytical Procedures, states:

A1. Analytical procedures include the consideration of comparisons of the entity’s financial information with, for example:

- Comparable information for prior periods.
- Anticipated results of the entity, such as budgets or forecasts, or expectations of the auditor, such as an estimation of depreciation.
- Similar industry information, such as a comparison of the entity’s ratio of sales to accounts receivable with industry averages or with other entities of comparable size in the same industry.

A2. Analytical procedures also include consideration of relationships, for example:

- Among elements of financial information that would be expected to conform to a predictable pattern based on the entity’s experience, such as gross margin percentages.

Most of the analytical procedures can be performed in an IT environment using CAATs, which makes the audit process much more effective and efficient.

Summary

CAATs enable auditors to use computers as a tool to audit electronic data. CAATs provide auditors access to data in the medium in which it is stored, eliminating the boundaries of how the data can be audited. As auditors start using CAATs, they will be in a better position to have a considerable impact on their audit and auditee, as more time is spent on analysis and less time on routine verification. It is important to understand the client IT environment and chart out which CAAT techniques could be used. Initially, time needs to be invested in this endeavour, but once the audit plan is prepared based on the IT environment as per the audit scope, re-use becomes easier. However, the audit plan and tests need to be updated based on changes in the IT environment. Using CAATs provides greater assurance of the audit process to the auditor and also to the auditee. The key to using CAATs is recognizing the need, learning how to use them and using them in practical situations.


CHAPTER 2: DATA ANALYSIS AND AUDIT TECHNIQUES

ICAI has issued guidelines on CAAT and the various assurance standards highlight the importance of using CAATs as relevant for audit. ISACA has also issued standards and guidelines on auditing and CAATs. Some of the key aspects from these standards and guidelines are given below.

2.0 Need for using CAATs

As entities increase the use of information systems to record, transact and process data, the need for auditors to utilize tools to adequately assess risk becomes an integral part of audit coverage. The use of computer-assisted audit techniques (CAATs) serves as an important tool for the auditor to evaluate the control environment in an efficient and effective manner. The use of CAATs can lead to increased audit coverage, more thorough and consistent analysis of data, and reduction in risk. CAATs include many types of tools and techniques, such as generalized audit software, customized queries or scripts, utility software, software tracing and mapping, and audit expert systems. CAATs may be used in performing various audit procedures including:

- Tests of details of transactions and balances
- Analytical review procedures
- Compliance tests of general controls
- Compliance tests of application controls

CAATs may produce a large proportion of the audit evidence developed on audits and, as a result, the auditor should carefully plan for and exhibit due professional care in the use of CAATs.

2.1 Key factors to be considered in using CAATs

When planning the audit, the IS auditor should consider an appropriate combination of manual techniques and CAATs. In determining whether to use CAATs, the factors to be considered include:

- Computer knowledge, expertise and experience of the IS auditor
- Availability of suitable CAATs and IS facilities
- Efficiency and effectiveness of using CAATs over manual techniques
- Time constraints
- Integrity of the information system and IT environment
- Level of audit risk

2.2 CAATs planning steps

The major steps to be undertaken by the auditor in preparing for the application of the selected CAATs include the following:

- Set the audit objectives of the CAATs, which may be included in the terms of reference for the exercise.
- Determine the accessibility and availability of the organization’s IS facilities, programs/systems and data.
- Clearly understand the composition of the data to be processed, including quantity, type, format and layout.
- Define the procedures to be undertaken (e.g., statistical sampling, recalculation, confirmation).
- Define output requirements.
- Determine resource requirements, i.e., personnel, CAATs, processing environment (the organization’s IS facilities or audit IS facilities).
- Obtain access to the organization’s IS facilities, programs/systems and data, including file definitions.
- Document the CAATs to be used, including objectives, high-level flowcharts and run instructions.

2.3 Audit evidence and CAATs

Audit is primarily the process of collecting and evaluating audit evidence as per the audit objectives. Based on the scope and objectives of the audit, the auditor can obtain audit evidence by:

- Inspection
- Observation
- Inquiry and confirmation
- Re-performance
- Recalculation
- Computation
- Analytical procedures
- Other generally accepted methods

2.4 CAATs documentation

Work papers

The step-by-step CAATs process should be sufficiently documented to provide adequate audit evidence. Specifically, the audit work papers should contain sufficient documentation to describe the CAATs application, including the details set out in the following sections.

Planning

Documentation should include:

- CAATs objectives
- CAATs to be used
- Controls to be exercised
- Staffing and timing

Execution

Documentation should include:

- CAATs preparation and testing procedures and controls
- Details of the tests performed by the CAATs
- Details of inputs (e.g., data used, file layouts), testing periods, processing (e.g., CAATs high-level flowcharts, logic) and outputs (e.g., log files, reports)
- Listing of relevant parameters or source code

Audit evidence

Documentation should include:

- Output produced
- Description of the audit analysis work performed on the output
- Audit findings
- Audit conclusions
- Audit recommendations

In audits where CAAT is used, it is advisable that the audit report includes a clear description of the CAATs used in the objectives, scope and methodology section. The description of CAATs used should also be included in the body of the report, where the specific finding relating to the use of CAATs is discussed. This description should not be overly detailed, but it should provide a good overview for the reader.

2.5 Audit tests using CAATs

If the data to be audited is available in electronic form, then CAATs could be used for:

- Inquiry and confirmation: identifying accounts for which external confirmation is to be obtained. Request letters for confirmation of balances can be printed using the CAAT software.
- Re-performance: the processing of transactions done by the application software can be re-performed and the resultant data compared to verify correctness and completeness. For example, postings of transactions to the personal ledger can be re-performed using the original transaction database and compared with the classified transactions as per the ledgers.
- Re-calculation: all the computations done electronically by the application software used in the enterprise can be independently validated by re-performing them. For example, tax deducted at source or VAT charged on sales, interest computation, etc. can be re-computed in the CAAT software and compared with the computed totals from the original application software to confirm correctness of processing.
- Computation: using the CAAT software, it is possible to compute totals to confirm correctness. For example, the VAT payments made for the year can be totalled in the CAAT software and compared with the total payments as per the VAT returns. The interest debited can be computed and compared with the actual debit to the interest account for the year.
- Analytical procedures: based on the data available in electronic format, various analytical procedures can be performed by comparing and relating various aspects of financial and non-financial information.

2.6 Audit sampling

The auditor has to design and select an audit sample and evaluate the sample results. Appropriate sampling and evaluation will meet the requirements of ‘sufficient, reliable, relevant and useful evidence’ and ‘supported by appropriate analysis’. The auditor should consider selection techniques that result in a statistically based representative sample for performing compliance or substantive testing. When using either statistical or non-statistical sampling methods, the auditor should design and select an audit sample, perform audit procedures, and evaluate the sample results to obtain sufficient, reliable, relevant and useful audit evidence. Audit sampling is defined as the application of audit procedures to less than 100 percent of the population, to enable the IS auditor to evaluate audit evidence about some characteristic of the items selected in order to form, or assist in forming, a conclusion concerning the population. Statistical sampling involves the use of techniques from which mathematically constructed conclusions regarding the population can be drawn. Non-statistical sampling is not statistically based, and its results should not be extrapolated over the population, as the sample is unlikely to be representative of the population.

Design of the Sample When designing the size and structure of an audit sample, IS auditors should consider the specific audit objectives, the nature of the population, and the sampling and selection methods. Auditor should consider the need to involve appropriate specialists in the design and analysis of samples.

Selection of the Sample

There are four commonly used sampling methods. The statistical sampling methods are:

- Random sampling: ensures that all combinations of sampling units in the population have an equal chance of selection.
- Systematic sampling: involves selecting sampling units using a fixed interval between selections, the first interval having a random start. Examples include Monetary Unit Sampling or value-weighted selection, where each individual monetary unit (e.g., Rs. 1) in the population is given an equal chance of selection. As the individual monetary unit cannot ordinarily be examined separately, the item which includes that monetary unit is selected for examination. This method systematically weights the selection in favour of the larger amounts but still gives every monetary unit an equal opportunity for selection. Another example is selecting every nth sampling unit.

The non-statistical sampling methods are:

- Haphazard sampling: the IS auditor selects the sample without following a structured technique, while avoiding any conscious bias or predictability. However, analysis of a haphazard sample should not be relied upon to form a conclusion on the population.
- Judgmental sampling: the IS auditor places a bias on the sample (e.g., all sampling units over a certain value, all for a specific type of exception, all negatives, all new users). It should be noted that a judgmental sample is not statistically based and results should not be extrapolated over the population, as the sample is unlikely to be representative of the population.

The auditor should select sample items in such a way that the sample is expected to be representative of the population regarding the characteristics being tested, i.e., using statistical sampling methods. To maintain audit independence, the IS auditor should ensure that the population is complete and should control the selection of the sample. For a sample to be representative of the population, all sampling units in the population should have an equal or known probability of being selected, i.e., statistical sampling methods should be used.
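The three selection methods described above (random, systematic and monetary unit sampling) as an added Python example that is not part of the ICAI module or of any ISACA guidance. The population of ten invoices is constructed, and the random seed is fixed so that a selection can be reproduced and documented in the working papers; with a real population the seed, the interval and the random start would be recorded the same way, which is what lets the auditor show that the selection was controlled rather than chosen by the client.

```python
"""Random, systematic and monetary unit sampling over a constructed population.

Added example, not from the ICAI module or ISACA guidance: the invoices and
amounts below are made up, and the seed is fixed only for reproducibility.
"""
import random

# Constructed population: (invoice number, amount in Rs.). One invoice (INV003)
# is far larger than the rest so that value weighting is visible in the output.
POPULATION = [
    ("INV001", 1200.0), ("INV002", 450.0), ("INV003", 98000.0), ("INV004", 3100.0),
    ("INV005", 760.0), ("INV006", 25000.0), ("INV007", 15.0), ("INV008", 5400.0),
    ("INV009", 12000.0), ("INV010", 2300.0),
]


def random_sample(population, n, seed):
    """Simple random sampling: every combination of n items is equally likely."""
    return random.Random(seed).sample(population, n)


def systematic_sample(population, n, seed):
    """Every kth item, with the start chosen at random inside the first interval."""
    interval = len(population) // n
    start = random.Random(seed).randrange(interval)
    return [population[i] for i in range(start, len(population), interval)][:n]


def monetary_unit_sample(population, n, seed):
    """Monetary unit sampling: each rupee is a sampling unit. Hits are placed
    every `interval` rupees from a random start, and the item whose cumulative
    value range contains a hit is selected. An item larger than the interval
    always contains a hit, so large amounts are certain to be examined; an item
    containing several hits is selected once, so fewer than n items may result."""
    total = sum(amount for _, amount in population)
    interval = total / n
    start = random.Random(seed).uniform(0, interval)
    hits = [start + k * interval for k in range(n)]
    selected, cumulative, k = [], 0.0, 0
    for item in population:
        cumulative += item[1]
        hit_here = False
        while k < len(hits) and hits[k] <= cumulative:
            hit_here = True
            k += 1
        if hit_here:
            selected.append(item)
    return selected


def value_coverage(population, sample):
    """Share of the population's total value that the sample examines."""
    total = sum(amount for _, amount in population)
    return sum(amount for _, amount in sample) / total


if __name__ == "__main__":
    for name, fn in [("random", random_sample), ("systematic", systematic_sample),
                     ("monetary unit", monetary_unit_sample)]:
        sample = fn(POPULATION, 4, seed=2008)
        print(f"{name:14s} {[inv for inv, _ in sample]} "
              f"covers {value_coverage(POPULATION, sample):.0%} of value")
```

The coverage figure is the practical difference between the methods: random and systematic selection treat a Rs. 15 invoice and a Rs. 98,000 invoice alike, while monetary unit sampling will pick INV003 for every seed because its value exceeds the sampling interval. Judgmental or haphazard selection, as the text notes, gives no such guarantee and its results cannot be extrapolated.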

CHAPTER 3

DATA ANALYSIS USING IDEA

LEARNING OBJECTIVES

- To understand how to import different file formats into IDEA.
- To understand how to generate field statistics for a database.
- To understand how to format data.

There is a lot of audit software available in the market. However, for the purpose of learning CAATs, we will be using IDEA software in this chapter and also for performing the exercises in the lab. Students may refer to the ICAI publication titled "Practical application of CAAT – case studies" for more examples and details of CAATs using IDEA software.

3.0 Importing Data

Function Description

The Import Assistant brings the selected file or files into the IDEA database management system. The user-friendly Import Assistant guides the user through a series of steps and instructions for importing the file into the software. All the functionalities of IDEA can be performed only when the file is available within IDEA. Hence, the first step in data analysis is ensuring that the files to be audited are in a format acceptable to IDEA and are imported into IDEA. Suppose you have an Excel or Access file and want to perform IDEA functionalities on it; you must first import the file into IDEA. IDEA lets the user import external files in different formats, such as Access, Excel, dBASE or other ODBC/DSN sources, into an IDEA database. Below we explain step by step how to import a file into IDEA.

If you have access to IDEA Server, you can also import files to IDEA Server. For now, you will import a file to your Working Folder. A Working Folder is simply a folder that contains the IDEA databases that you wish to analyze. It is recommended that all the files related to each audit or investigation be stored in a separate folder or directory to simplify file management and housekeeping.

Note: The sample files used for explaining the various functionalities of IDEA are available in C:\Program Files\IDEA\UserFiles\Tutorial\ when IDEA is installed with default settings. You can perform the exercises using the relevant sample data files. Please check with your lab instructor about the location of these files. We will be using the tutorial/sample files for explaining the different functionalities of IDEA in this booklet. You can import files of different formats into IDEA; for this exercise, we give below an example of importing an Access file into IDEA.


Step by Step Procedure for Importing Data into IDEA

Location: File > Import Assistant > Import to IDEA

Alternatively, on the Operations toolbar, click the Import to IDEA button. The Import Assistant dialog box appears as shown in Fig 3.1.1.

Fig. 3.1.1 Import Assistant Location

Step 1: Select the Format

Fig. 3.1.2 Import Assistant Step 2


(a) In the Import Assistant dialog box, select Microsoft Access from the list.
(b) Click the Browse button next to the File name box to select the Microsoft Access database you want to import.
(c) Navigate to and select C:\Program Files\IDEA\UserFiles\Tutorial\Customer.MDB.
(d) Click Open.
(e) The Select File dialog box closes and the selected file name and path appear in the File name box in the Import Assistant dialog box.
(f) Click Next. The Microsoft Access dialog box appears.

Step 2: Select Tables as shown in Fig 3.1.3

Fig. 3.1.3 Import Assistant Step 3

(g) In the Select tables box, select Database1. Note: If you import a Microsoft Access file that contains more than one table, you may import multiple tables at once by selecting the associated check boxes. However, any options you select will apply to all imported tables.


(h) All Character fields will be imported with a length of 255 characters unless changed. This is unlikely to be the underlying Character field length. Therefore, leave the Scan records for field length check box selected. Also, accept the default value in the Scan only box in order to scan 10,000 records to determine the maximum field length.

(i) Accept the default output file name (Customer), and then click OK. When the file is imported, the database name becomes filename-tablename. In this case, the file you imported becomes an IDEA database called Customer-Database1.

Step 3: Result - Customer-Database1

On clicking OK, the Customer database is imported into IDEA. The imported database is opened in the Database Window. In the File Explorer window the imported database is highlighted as shown in Fig 3.1.4.

Fig. 3.1.4 Customer Database is imported into IDEA

Exercises (please perform the following in your lab):
1. Import an Excel file following the above steps.
2. Import a text delimited file and notice the different steps.
3. Import an Excel file using the ODBC option.


Also click on Field Statistics after importing the files and understand the nature of the data imported.

3.1 Exporting Data

Function Description

You can use the Export Database task to create an external file from an IDEA database so that you can use the data in other applications, such as a spreadsheet package. IDEA exports data in a number of text, database, spreadsheet and mail merge formats. You can also use Copy and Paste to incorporate portions of text or sections of a database into other Windows applications. IDEA also supports drag and drop into any other OLE2 container application, such as Microsoft Excel.

Step by step process for exporting files from IDEA

Location: File > Export Database

Fig. 3.1.5 Export Database Location

Database Used: Customer-Database1


Export Dialog Box

Fig. 3.1.6 Export Database

(a) In Records to select, choosing All exports every record; choosing Range allows the user to enter the starting and ending record numbers.
(b) By default the path is set to C:\Users\Saranya\Documents\IDEA\Samples\Customer-Database1 (the working folder on the machine used for the screenshots; yours will differ).
(c) In Export Type, the user selects the format in which the current file is to be exported.
(d) In File name, the user names the resultant exported file and selects the path to which it is to be exported.
(e) Clicking Fields allows the user to select or unselect the fields to be exported.
(f) During the export process a condition or criterion can be applied using the Criteria button. Clicking this button opens the Equation Editor dialog box, in which the user writes the query or condition.
(g) Clicking OK exports the active file in the desired format.

Exercise:
1. Export an IDEA file to different formats such as HTML, Excel and text delimited, and check the results.

3.2 Summarization

Learning Objectives: To total the sales transactions by INVOICENO to produce a list of outstanding sales, as well as to identify the number of records per INVOICENO and the sales per INVOICENO.

Function Description

Summarization accumulates the values of Numeric fields for each unique key. For example, summarizing an Accounts Payable database by account number (the key) and totalling invoice amounts produces a database or Results output of outstanding liabilities by supplier. The Summarization task provides:

- A list of unique items (keys) in the database
- The number of records for each key
- Totals of one or more numeric fields for each key

You may select up to eight fields to summarize by, or, if using one field, you can use the Quick Summarization option. If using multiple fields, the Summarization task works faster and is more efficient on a database that has been sorted. You may select any number of Numeric fields to total. The resultant database provides a list of unique key items and the number of records (NO_OF_RECS) for each key, from which you can drill down to display the individual records for the key. You can also select additional fields whose values are taken from the first or the last occurrence of each key. The summarization result grid is limited to 4,000 rows and does not display results beyond 4,000 rows. If you expect your result to have more than 4,000 rows, you must choose to create a database.

Step by Step Procedure for Summarization

Ensure that Sales Transactions is the active database and the Data property is selected in the Properties window.

Location: Analysis > Summarization

Fig. 3.1.7 Summarization Location

(a) In the Summarization dialog box, select the following:
- Fields to summarize: INVOICENO
- Numeric fields to total: SALES
(b) Click Fields. The Fields dialog box appears. Note that no fields are selected. This stops unnecessary information from being included in the summarized database.
(c) Click OK to return to the Summarization dialog box. Select the Use Quick Summarization check box. Quick Summarization is a faster means of summarizing your database. However, it may only be used if the database has no more than 4,000 unique keys, and it allows you to select only one field to summarize.

There are two types of output from the Summarization task:
- Summarization database
- Summarization result

Note that, as with most tasks in IDEA, you may apply a criterion to the task, for example to summarize only transactions for a specified period. As with all other tasks where a criterion can be applied, if you apply the criterion to the database using the Criteria link in the Properties window, the criterion equation appears in the Criteria text box of the task dialog box. You may also enter a new criterion or modify an existing one using the Equation Editor, as shown in Fig 3.1.8.

Fig. 3.1.8 Summarization

(d) In the Statistics to include area, accept the default selection of Sum.
(e) Click OK.

View the resultant database and note the following fields:
- INVOICENO: list of unique INVOICENO values
- NO_OF_RECS: number of records for each INVOICENO
- SALES_SUM: total sales of the transactions for each INVOICENO

Also note the number of records (989) on the Status bar in the figure below. IDEA automatically creates an Action Field link to the parent database (Sales Transactions). It allows you to display the records from the Sales Transactions database by clicking on a value (in blue) in the NO_OF_RECS field, as shown in Fig 3.1.9.

Fig. 3.1.9 Summarization Result

Exercises:
1. Use the Sample-Employees file in the IDEA sample database and perform a summarization on branch, totalling salary. Click on the hyperlink of the number of records and check the result.
2. Use the Sample-Employees file in the IDEA sample database and perform a summarization on country, totalling salary, and check the result.
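The Python program below is an added example of what the Summarization task computes; it is not part of the course material and is not IDEA's code. It summarizes a constructed set of sales transactions by one or more key fields, producing NO_OF_RECS and a <field>_SUM per key, carries a field from the last occurrence of each key, keeps the record indices behind each row (the drill-down link), and reconciles the summary total back to the source so that nothing has been dropped. The record layout and function names are assumptions for the example.

```python
from collections import OrderedDict

# Constructed sales transactions (not IDEA's tutorial data).
SALES_TRANS = [
    {"INVOICENO": 1001, "INVDATE": "2012-06-01", "USERID": "ann", "SALES": 1200.00},
    {"INVOICENO": 1001, "INVDATE": "2012-06-01", "USERID": "ann", "SALES": 300.50},
    {"INVOICENO": 1002, "INVDATE": "2012-06-02", "USERID": "bob", "SALES": 99.99},
    {"INVOICENO": 1003, "INVDATE": "2012-06-03", "USERID": "ann", "SALES": 4500.00},
    {"INVOICENO": 1003, "INVDATE": "2012-06-04", "USERID": "cat", "SALES": -200.00},
    {"INVOICENO": 1003, "INVDATE": "2012-06-05", "USERID": "cat", "SALES": 75.25},
]


def summarize(records, keys, totals, first_fields=(), last_fields=()):
    """Summarize records by one or more key fields.

    Returns one row per unique key combination, in first-seen order, with:
      the key fields, NO_OF_RECS, <field>_SUM for every field in `totals`,
      <field>_FIRST / <field>_LAST for fields carried from the first or last
      record of the key, and _RECS: indices into `records` (the drill-down
      link back to the parent database).
    """
    groups = OrderedDict()
    for idx, rec in enumerate(records):
        key = tuple(rec[k] for k in keys)
        row = groups.get(key)
        if row is None:
            row = {k: rec[k] for k in keys}
            row["NO_OF_RECS"] = 0
            for f in totals:
                row[f + "_SUM"] = 0.0
            for f in first_fields:
                row[f + "_FIRST"] = rec[f]
            row["_RECS"] = []
            groups[key] = row
        row["NO_OF_RECS"] += 1
        for f in totals:
            row[f + "_SUM"] = round(row[f + "_SUM"] + float(rec[f]), 2)
        for f in last_fields:
            row[f + "_LAST"] = rec[f]
        row["_RECS"].append(idx)
    return list(groups.values())


def drill_down(records, summary_row):
    """Return the parent records behind one summary row (the NO_OF_RECS link)."""
    return [records[i] for i in summary_row["_RECS"]]


def control_total(records, field):
    """Grand total used to reconcile the summary back to the source database."""
    return round(sum(float(r[field]) for r in records), 2)


if __name__ == "__main__":
    summary = summarize(SALES_TRANS, ["INVOICENO"], ["SALES"], last_fields=["USERID"])
    for row in summary:
        print(row["INVOICENO"], row["NO_OF_RECS"], row["SALES_SUM"], row["USERID_LAST"])
    # The summed SALES_SUM must agree with the source total; a difference means records were lost.
    assert round(sum(r["SALES_SUM"] for r in summary), 2) == control_total(SALES_TRANS, "SALES")
```

Summarizing on two keys (INVOICENO and USERID) splits invoice 1003 into two rows, which is the "up to eight fields to summarize by" case; the reconciliation against the control total is the check an auditor performs before relying on a summary.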

3.3 Statistics

Learning Objectives
- To view the field statistics for the Numeric fields in the active database.
- The statistics are used for reconciling totals, obtaining a general understanding of the ranges of values in the database, and highlighting potential errors and areas of weakness on which to focus subsequent tasks.

Function Description

The Field Statistics property provides statistical information about all Numeric, Date and Time fields within the active database. The field statistics are calculated and displayed for all records in the database; any applied criteria are ignored. By default, the Field Statistics window displays the statistics for Numeric fields. Ensure that the Customer database is the active database and the Data property is selected in the Properties window.


Step by Step Procedure for Statistics

Location: In the Properties window, click Field Statistics.

Fig. 3.1.10 Statistics Location

(a) On clicking Field Statistics in the Properties window, IDEA displays the message box shown below.
(b) Click Yes to generate field statistics for all fields.

Fig. 3.1.11 Statistics

(c) By default, the Field Statistics window displays the statistics for Numeric fields. In this case, field statistics appear for all the available numeric fields. To view field statistics for the Date fields and Time fields in a database, click Date or Time in the Field Type area of the Field Statistics window. In the current database, there are no Date or Time fields.
(d) If the database contains more than one Date, Numeric or Time field, the statistics for all fields of that type appear together on the same screen for easy comparison of values.


Statistics for Numeric Fields

Fig. 3.1.12 Numeric Statistics

(a) As shown in the above image, the active database contains six numeric fields and the statistics for all six are displayed in the Field Statistics window, which allows easy comparison between them.
(b) Study the field statistics for all Numeric fields. Note in particular the following (values as shown in Fig. 3.1.12):

Field         # of Records   # of Zero Items   Average Value   Minimum Value   Maximum Value
COUNTRYNO     1,000          0                 8.08            3               10
UNIT_PRICE    1,000          0                 8.08            3.84            9.99
QTY           1,000          49                90.07           0               3496
PROD_CODE     1,000          0                 9627.42         9598            9951
AMOUNT        1,000          49                710.36          0.00            27793.20
PAYMENT_AMT   1,000          49                710.36          0.00            27793.20

The two figures below show the Field Statistics window for Date fields and for Time fields.

Statistics for Date Fields

Fig. 3.1.13 Date Statistics

Statistics for Time Fields

Fig. 3.1.14 Time Statistics

Exercises:
1. Click on Field Statistics for Sample-Employees and understand the profile of the data.
2. Click on Field Statistics for Sample-Inventory and understand the profile of the data.

3.4 Sampling

Learning Objectives
- To draw a number of records at a fixed interval for testing.
- To select a random sample of records for testing.
- To extract a random sample with a specified number of records from each of a series of bands.

Function Description

Sampling in IDEA is of two broad kinds: probability-based and statistical. The probability-based sampling techniques are Systematic, Random and Stratified Random. The statistical sampling techniques are Attribute, Classical Variable and Monetary Unit Sampling. We will be covering examples of systematic and random sampling only in this training. Students may try the other forms of sampling in the lab exercises.


Systematic Record Sampling

Systematic Record Sampling is a method to extract a number of records from a database at equal intervals into a separate database. It is often referred to as interval sampling. There are two methods of determining the sample:
- Entering the number of records, in which case IDEA computes the interval size.
- Entering the selection interval, in which case IDEA computes the number of records.

IDEA calculates these parameters from the number of records in the database and defaults to the range from the first to the last record. However, the sample can be extracted from a narrower range of records if required.

Step by Step Procedure for Systematic Sampling

Ensure that Sales Transaction-Sales Trans is the active database and the Data property is selected in the Properties window.

Location: Sampling > Systematic

Alternatively, click the Systematic Record Sampling button on the Operations toolbar. The Systematic Record Sampling dialog box appears as shown in Fig 3.1.15.

Fig. 3.1.15 Systematic Sampling


Step 1: Number of Records

Fig. 3.1.16 Number of Records

(a) In the Number of records to select box, enter 100.
(b) Accept the random number seed provided by IDEA. IDEA uses the random number seed to start the algorithm for calculating the random numbers. If a sample needs to be extended, entering the same seed with a larger sample size produces the original selection plus the required additional records.
(c) Accept the defaults in the Starting record number to select and Ending record number to select boxes. IDEA sets the defaults as the first and last records; in this case 1 and 1000.
(d) In the File name box, enter Systematic Sales.

Step 2: Selection Interval

Fig. 3.1.17 Selection Interval


(a) On the Selection Interval tab, enter 10 as the selection interval. This picks every 10th record from records 1 to 1000, so 100 records in total are picked. (Entering the number of records and entering the selection interval are alternatives: whichever you enter, IDEA computes the other.)
(b) Click OK.

Step 3: Result of Systematic Sampling

Fig. 3.1.18 Systematic Result

(a) As displayed in the result, every 10th record is picked from the active database and the total number of records is 100.

Random Record Sampling

Random Record Sampling is a commonly used method of sampling. We enter the sample size as well as the range of records from which the sample is to be extracted to a separate database. Then, using a random number seed, IDEA generates a list of random numbers and selects the records associated with these numbers.

Step by Step Procedure for Random Sampling

Ensure that Sales Transaction-Sales Trans is the active database and the Data property is selected in the Properties window.

Location: Sampling > Random

Alternatively, click the Random Record Sampling button on the Operations toolbar. The Random Record Sampling dialog box appears as shown in Fig 3.1.19.

Fig. 3.1.19 Random Sampling Location

Fig. 3.1.20 Random Sampling

(a) In the Number of records to select box, enter 10.
(b) Accept the random number seed provided by IDEA. IDEA uses the random number seed to start the algorithm for calculating the random numbers. If a sample needs to be extended, entering the same seed with a larger sample size produces the original selection plus the required additional records.
(c) Accept the defaults in the Starting record number to select and Ending record number to select boxes. IDEA sets the defaults as the first and last records; in this case 1 and 999.
(d) Leave the Allow duplicate records check box unselected.
(e) In the File name box, enter Random Sales.
(f) On clicking OK, 10 records are extracted from the active database.

Random Sampling Result

Fig. 3.1.21 Random Sampling Result

Exercises:
1. Perform sampling on different sample files available in the sample database.
2. Perform stratified sampling using one of the tables in the sample database.
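As an added example covering both the systematic and the random record sampling procedures above (it is not part of the course material and is not IDEA's algorithm), the Python program below samples a constructed database of 1,000 records. The systematic function accepts either the number of records or the interval and computes the other, with a random start inside the first interval; the random function draws record numbers from a seed in a fixed sequence, so re-running with the same seed and a larger sample size returns the original selection plus extra records, which is the extension property the course describes. The record layout, seeds and function names are assumptions.

```python
import random

# Constructed database of 1,000 records: a record number and a sales amount.
# Not IDEA's Sales Transactions data.
RECORDS = [{"RECNO": i, "SALES": (i * 37) % 1000 + 1} for i in range(1, 1001)]


def systematic_sample(records, number=None, interval=None, start_rec=1, end_rec=None, seed=0):
    """Systematic (interval) record sampling between start_rec and end_rec.

    Give either `number` (the interval is computed) or `interval` (the number
    of records is computed). The first record is chosen at random inside the
    first interval, then every `interval`-th record after it is taken.
    """
    end_rec = end_rec or len(records)
    population = records[start_rec - 1:end_rec]
    if (number is None) == (interval is None):
        raise ValueError("give exactly one of number or interval")
    if interval is None:
        interval = len(population) // number
    if interval < 1:
        raise ValueError("sample larger than the record range")
    rng = random.Random(seed)
    first = rng.randrange(interval)            # random start inside the first interval
    sample = population[first::interval]
    return sample[:number] if number is not None else sample


def random_sample(records, number, seed, start_rec=1, end_rec=None, allow_duplicates=False):
    """Random record sampling driven by a seed.

    Record numbers are drawn in a fixed sequence from the seed; duplicates are
    skipped unless allowed. Because the sequence is fixed, the first n unique
    draws are the same whatever the sample size, so a larger sample with the
    same seed extends the original selection instead of replacing it.
    """
    end_rec = end_rec or len(records)
    rng = random.Random(seed)
    chosen, seen = [], set()
    while len(chosen) < number:
        recno = rng.randint(start_rec, end_rec)
        if not allow_duplicates:
            if recno in seen:
                continue
            seen.add(recno)
        chosen.append(records[recno - 1])
    return chosen


if __name__ == "__main__":
    sys_sample = systematic_sample(RECORDS, interval=10, seed=7)
    print(len(sys_sample), "records;", [r["RECNO"] for r in sys_sample[:5]], "...")
    ten = random_sample(RECORDS, 10, seed=12345)
    fifteen = random_sample(RECORDS, 15, seed=12345)
    print("extension keeps the original 10:", ten == fifteen[:10])
```

Keeping the seed in the working papers is what makes the sample reproducible and extendable; a sample drawn without recording the seed cannot be re-performed by a reviewer.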

3.5 Stratification

Learning Objectives
- To stratify the data from the file into bands and gain a profile of the data. The data can be stratified on a numeric, date or character field, and the bands can then be used to select a random sample of records for testing.

Function Description

The process of stratification involves creating bands based on ranges of values (normally from the minimum to the maximum values of one or more fields) and accumulating the records from the database into the appropriate bands. By totalling the number of records and the value of each band, you can gain a profile of the data in the database. You can then investigate any deviations from expected trends. You may have up to 1,000 stratification bands. The stratification analysis is also useful for determining high and low cut-off values for testing exceptional items.

A numeric stratification analysis can also be created for each unique value or key in a field by selecting that field from the Group by drop-down list. For example, you could produce a profile of sales for each salesperson. This can potentially create an extremely large volume of output; however, the maximum number of groups that will be displayed in the result is 80. If there are more than 80 groups, only the first 80 are displayed. Therefore, there is an option to specify low and high cut-off values to restrict the output: only groups whose total value of transactions is between the specified limits are output. To include all items in the stratification analysis, the bands should start below the minimum value and the upper band should end above the maximum value of all fields. Date and Character stratification differ from Numeric Stratification in that the fields totalled are different from the one used for banding.

Step by Step Procedure for performing Numeric Stratification

Ensure that Sales Transaction-Sales Trans is the active database.

Location: Analysis > Stratification

Fig. 3.1.22 Stratify Location

(a) In the Field to stratify box, select SALES.
(b) In the Fields to total on box, select SALES.
(c) In the Group by box, select USERID.
(d) Specify the stratification bands:
- Change the increment to 10,000.
- Click in the < Upper Limit text box of the first row. Note that the text box is filled with the value 10,500.
- Click the second row of the spreadsheet area. This automatically fills with 10,500 to 20,500.
- Highlight the next three rows of the spreadsheet area to take the range to 50,500.

Fig 3.1.23 Stratification

Ensure the Create result check box is selected. In the Result name box, enter Stratification Sales.
(e) Click OK.
(f) The Numeric Stratification result output for the Sales Transactions database becomes active and appears as a link in the Results area of the Properties window. Note that there are 6 accounts in the first band (>= 500 and < 10,500).

Fig. 3.1.24 Stratification Result
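The Python program below is an added example of numeric stratification, not part of the course material and not IDEA's code. It builds the same kind of band grid as the walkthrough (500 to 10,500, 10,500 to 20,500, and so on), counts and totals a constructed set of sales into the bands, optionally groups by a user field, and reports separately any records that fall outside every band, which is the situation the course warns about when the bands do not start below the minimum or end above the maximum. The data and function names are assumptions.

```python
# Constructed sales records (USERID, SALES); not the course's Sales Transactions file.
SALES = [
    ("u1", 650.0), ("u1", 9_800.0), ("u1", 12_400.0), ("u2", 300.0),
    ("u2", 25_750.0), ("u2", 48_000.0), ("u3", 10_500.0), ("u3", 19_999.99),
    ("u3", 52_000.0), ("u1", 31_000.0),
]


def make_bands(lower, increment, count):
    """Bands [lower, lower+inc), [lower+inc, lower+2*inc), ... like the dialog grid."""
    return [(lower + i * increment, lower + (i + 1) * increment) for i in range(count)]


def stratify(records, bands, group_by=False):
    """Numeric stratification: count and total records into bands.

    Each band (lower, upper) holds values with lower <= value < upper.
    Values outside every band go into a final row whose LOWER/UPPER are None,
    so the analyst can see that the band edges do not cover the data.
    Returns {group: [ {LOWER, UPPER, NO_OF_RECS, TOTAL}, ... ]}; the group is
    "ALL" when group_by is False, otherwise the record's group value.
    """
    result = {}
    for group, value in records:
        g = group if group_by else "ALL"
        if g not in result:
            rows = [{"LOWER": lo, "UPPER": hi, "NO_OF_RECS": 0, "TOTAL": 0.0} for lo, hi in bands]
            rows.append({"LOWER": None, "UPPER": None, "NO_OF_RECS": 0, "TOTAL": 0.0})
            result[g] = rows
        rows = result[g]
        for row in rows[:-1]:
            if row["LOWER"] <= value < row["UPPER"]:
                break
        else:
            row = rows[-1]                      # outside every band
        row["NO_OF_RECS"] += 1
        row["TOTAL"] = round(row["TOTAL"] + value, 2)
    return result


def out_of_range(result):
    """Number of records that fell outside all bands, across all groups."""
    return sum(rows[-1]["NO_OF_RECS"] for rows in result.values())


if __name__ == "__main__":
    bands = make_bands(500, 10_000, 5)      # 500-10,500 ... 40,500-50,500 as in the walkthrough
    profile = stratify(SALES, bands)
    for row in profile["ALL"]:
        print(row)
    print("records outside the bands:", out_of_range(profile))
    by_user = stratify(SALES, bands, group_by=True)
    print("per-user out of range:", out_of_range(by_user))
```

With these bands two records (Rs. 300 and Rs. 52,000) fall outside the grid; a profile that silently dropped them would not reconcile to the database total, which is why the course says the bands must span the full range of values.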


Exercises:
1. Use the Sample-Employees file and perform numeric stratification on salary with various bands.
2. Use the Sample-Employees file and perform character stratification based on name.

3.6 Sorting

Learning Objectives
- To create a new database in which the records are physically sorted in a specified order.

Ensure that Sales Transaction-Sales Trans is the active database.

Location: Data > Sort

Fig. 3.1.25 Sorting Location

Function Description

The fields you select to sort the records by are known as keys. A sort order may contain up to eight keys. When creating a sort order, the most significant field is selected first (the primary key), followed by the next most significant field, and so on down to the least significant field (the secondary keys). With the Sort task, a new database is created with the records in the sequence of the keys. This new database is a child database and appears in the File Explorer below the main database. Once you have sorted a database, IDEA displays the records in the database in the sort order and updates the list in the Indices area of the Properties window.


Step by Step Procedure for performing Sorting

(a) Click the Field list button (down arrow) in the Field column of the first row of the dialog grid to display a list of all fields in the database. Select the required field.
(b) The Direction column displays Ascending for each field selected. To change the order for a field, click the Direction column to activate the Direction list button.
(c) To add further fields to the sort order, click the next available row in the Field column and select the field and its direction as above. A maximum of eight fields may be entered. Note: If required, you can delete a key from the sort order by selecting the required row and then clicking Delete Key.
(d) Here the DATE field is selected in descending direction.

Fig. 3.1.26 Sort Database

(e) In the File name box, enter Sorted database.
(f) Click OK. The DATE field is sorted in descending direction, as shown in the figure below.


Sorted-Database

Fig. 3.1.27 Sorted database

Exercises:
1. Use Sample-Employees and sort on City.
2. Use Sample-Employees and sort on First Name, City and Salary.

Duplicate Detection and Gap Detection

3.7 Duplicate Detection

Learning Objectives
- To test the validity of invoices.
- To test for duplicate invoice numbers.

Function Description

IDEA includes two key functions to identify exceptions, irregularities, anomalies and errors: Duplicate Detection and Gap Detection. These functions help the user sift through large volumes of data and pinpoint specific duplicate entries or specific missing entries, and so help the user obtain assurance over all the data reviewed. The duplicate or missing items identified can be taken up for testing after running the respective duplicate and gap tests within IDEA. Duplicate Detection and Gap Detection are standard first-pass tests run on every database at the outset, prior to detailed exception and analytical testing within IDEA. The tests do not require much querying experience and resemble plug-and-play tests. Both tests are mostly run on formatted sequential data fields such as Invoice Number, Purchase Order Number, Cheque Number, etc.

Step by Step Procedure for Duplicate Detection

Ensure that Sales Transaction-Sales Trans is the active database.

Location: Analysis > Duplicate Key > Detection

Fig. 3.1.28 Identify Duplicates Location

(a) The Duplicate Key Detection dialog box appears.

Fig. 3.1.29 Duplicate Key Detection

(b) Leave the Output Duplicate Records option selected.
(c) Click Fields and select INVOICENO, INVDATE and USERID.

Fig. 3.1.30 Fields

(d) Click Key. The Define Key dialog box appears.
(e) In the Field column, select INVOICENO and leave the direction as Ascending.

Fig. 3.1.31 Define Key

(f) Click OK to return to the Duplicate Key Detection dialog box.
(g) In the File name box, enter Duplicate.
(h) Click OK to run the task.

Duplicate Result

(a) The resultant database contains 8 transactions, showing DATE, INVOICENO and USERID, in which the duplicate values are investigated.
(b) The Duplicate file is opened as the current active database.
(c) The result is sorted on the INVOICENO field in ascending direction.

Fig. 3.1.32 Duplicate Result

Exercises:
1. Use the Sample-Employees file and find duplicates based on Name.
2. Use Sample-Employees and identify duplicates based on the fields First Name and Name.
3. Use the Sample-Employees file and identify duplicates based on Address.

3.8 Gap Detection

Learning Objectives
- To test for completeness.
- To test for gaps in the invoice number sequence.

Ensure that Sales Transaction is the active database.

Location: Analysis > Gap Detection


Fig. 3.1.33 Gap Detection Location

Step by Step Procedure for Gap Detection

(a) In the Field to use list box, select INVOICENO.
(b) In the Output area, ensure the Create result check box is selected.
(c) In the Result name box, enter Gap Detection Sales.
(d) On clicking OK, the result lists each gap in the INVOICENO sequence of the active database, giving the From and To INVOICENO values of the gap and the Number of missing items.

Fig. 3.1.34 Gap Detection


Fig. 3.1.35 Gap Detection Result

Exercise:
1. Use the Sample-Bank Transactions file and identify gaps based on date.
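The Python program below is an added example of the two tests in sections 3.7 and 3.8; it is not part of the course material and is not IDEA's code. On a constructed invoice file it finds the records whose key occurs more than once (sorted by key, with the option of outputting the records that are not duplicated instead), first with INVOICENO alone as the key and then with the three-field key INVOICENO, INVDATE and USERID, and it lists gaps in the invoice number sequence as From, To and Number of missing items. The data layout and function names are assumptions.

```python
from collections import defaultdict

# Constructed invoice records; INVOICENO is expected to be a continuous sequence.
INVOICES = [
    {"INVOICENO": 5001, "INVDATE": "2012-06-01", "USERID": "ann", "SALES": 120.0},
    {"INVOICENO": 5002, "INVDATE": "2012-06-01", "USERID": "bob", "SALES": 80.0},
    {"INVOICENO": 5002, "INVDATE": "2012-06-02", "USERID": "bob", "SALES": 80.0},
    {"INVOICENO": 5003, "INVDATE": "2012-06-02", "USERID": "cat", "SALES": 45.0},
    {"INVOICENO": 5006, "INVDATE": "2012-06-03", "USERID": "ann", "SALES": 910.0},
    {"INVOICENO": 5006, "INVDATE": "2012-06-03", "USERID": "ann", "SALES": 910.0},
    {"INVOICENO": 5010, "INVDATE": "2012-06-04", "USERID": "cat", "SALES": 33.0},
]


def duplicate_key_detection(records, key_fields, output_duplicates=True):
    """Return the records whose key occurs more than once, sorted by key.

    key_fields: the fields making up the key, e.g. ["INVOICENO"] or
    ["INVOICENO", "INVDATE", "USERID"]. With output_duplicates=False the
    records whose key is unique are returned instead.
    """
    by_key = defaultdict(list)
    for rec in records:
        by_key[tuple(rec[f] for f in key_fields)].append(rec)
    out = []
    for key in sorted(by_key):
        group = by_key[key]
        if (len(group) > 1) == output_duplicates:
            out.extend(group)
    return out


def gap_detection(records, field):
    """List gaps in an integer sequence as rows of FROM, TO and NUMBER missing."""
    values = sorted({int(r[field]) for r in records})
    gaps = []
    for prev, cur in zip(values, values[1:]):
        if cur - prev > 1:
            gaps.append({"FROM": prev + 1, "TO": cur - 1, "NUMBER": cur - prev - 1})
    return gaps


if __name__ == "__main__":
    # Duplicates on invoice number alone: the same number billed twice on different days...
    for r in duplicate_key_detection(INVOICES, ["INVOICENO"]):
        print("DUP", r)
    # ...versus exact repeats on number, date and user, which look like a double posting.
    exact = duplicate_key_detection(INVOICES, ["INVOICENO", "INVDATE", "USERID"])
    print(len(exact), "records share number, date and user")
    for g in gap_detection(INVOICES, "INVOICENO"):
        print("GAP", g)
```

The two key definitions answer different questions: a single-field key on INVOICENO catches re-used numbers whatever the other fields say, while the wider key isolates exact repeats; a completeness test usually runs both, then follows up each gap against the cancelled-document register.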

3.9 Aging

Learning Objectives
- To age a selected database from a particular date for up to six specified intervals. These intervals can be days, months or years.
- To age the outstanding debts at the year end in order to determine the provisions required against bad debts.

Function Description

The Aging function presents aged summaries of data. The summary may be based on the current date or on a specified cut-off date. Use the Aging task to age a selected database from a particular date for up to six specified intervals, which can be days, months or years. For example, you can age the outstanding debts at the year end in order to determine the provisions required against bad debts. The most common use of the Aging task is with Accounts Receivable or Debtor Ledgers. However, also consider using Aging on inventory databases (date of last movement) or on short-term loan databases. The Aging task optionally produces:
- A detailed aging database
- A key summary database
- A Results output

Ensure that Sales Transaction-Sales Trans is the active database.


Location: Analysis > Aging

Fig. 3.1.36 Aging Location

Step by Step Procedure for performing Aging:

(a) Enter the Aging date as 2012/06/27, i.e. in yyyy/mm/dd format.
(b) Set the Aging field to use to DATE.
(c) Set the Amount field to total to SALES.
(d) Set the Aging interval to Days. The other options are Months and Years.
(e) Of the three optional outputs (a detailed aging database, a key summary database and a Results output), select only the Create result option.
(f) In the Name box, enter Aging Sales.
(g) On clicking OK, the output below is displayed.


Fig. 3.1.37 Aging

Aging Result

Fig. 3.1.38 Aging Result

Exercise:
1. Use the Sample-Bank Transactions file and perform aging,  entering the aging date as 2003/11/06.
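The Python program below is an added example of aging as described above; it is not part of the course material and is not IDEA's code. It ages a constructed receivables ledger from a fixed aging date into up to six day intervals plus an "older than the last interval" bucket, totals the amounts per customer (the key summary), keeps items dated after the aging date in a separate bucket rather than losing them, and applies per-bucket percentages to illustrate a bad-debt provision. The ledger, the interval edges, the provision rates and the function names are all assumptions for the example.

```python
from datetime import date

# Constructed receivables (customer, invoice date, outstanding amount); not course data.
RECEIVABLES = [
    ("C001", date(2012, 6, 20), 1500.00),
    ("C001", date(2012, 5, 2), 800.00),
    ("C002", date(2012, 3, 15), 2250.50),
    ("C002", date(2012, 6, 27), 99.00),
    ("C003", date(2011, 11, 1), 4000.00),
    ("C003", date(2012, 7, 3), 120.00),     # dated after the aging date
]
AGING_DATE = date(2012, 6, 27)              # the cut-off used in the walkthrough


def aging(records, aging_date, intervals=(30, 60, 90, 120, 180, 365), unit="days"):
    """Age amounts from aging_date into up to six intervals plus an "older" bucket.

    Bucket k holds items whose age is > intervals[k-1] and <= intervals[k]
    (the first bucket starts at 0). Items dated after aging_date have a
    negative age and are collected under "FUTURE" so that the aged total
    still reconciles to the ledger. Returns (summary_by_key, bucket_labels).
    """
    if len(intervals) > 6:
        raise ValueError("at most six intervals are supported, as in the Aging task")
    labels, low = [], 0
    for hi in intervals:
        labels.append(f"{low + 1 if low else 0}-{hi} {unit}")
        low = hi
    labels += [f">{low} {unit}", "FUTURE"]

    summary = {}
    for key, when, amount in records:
        age = (aging_date - when).days
        if unit == "months":                 # calendar-month difference (approximation)
            age = (aging_date.year - when.year) * 12 + aging_date.month - when.month
        elif unit == "years":
            age = aging_date.year - when.year
        row = summary.setdefault(key, {lab: 0.0 for lab in labels})
        if age < 0:
            bucket = "FUTURE"
        else:
            bucket = labels[-2]              # older than the last interval
            for lab, hi in zip(labels, intervals):
                if age <= hi:
                    bucket = lab
                    break
        row[bucket] = round(row[bucket] + amount, 2)
    return summary, labels


def provision(summary, rates):
    """Bad-debt provision: apply a percentage per bucket label to each key's aged totals."""
    return {key: round(sum(row[lab] * rates.get(lab, 0.0) for lab in row), 2)
            for key, row in summary.items()}


if __name__ == "__main__":
    summary, labels = aging(RECEIVABLES, AGING_DATE)
    for key, row in summary.items():
        print(key, {lab: amt for lab, amt in row.items() if amt})
    print(provision(summary, {"181-365 days": 0.5, ">365 days": 1.0}))
```

The FUTURE bucket is the check a reviewer looks for: post-dated or mis-keyed invoice dates would otherwise be silently aged into the current bucket and understate the provision.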


3.10 Data Extraction

Learning Objectives
- To perform an extraction to identify accounts where the new credit limit has been exceeded.

Function Description

Extraction selects data from a file for further investigation, creating a new file of logically selected records. For example, you can use Direct Extraction to perform a single extraction on a database, or up to 50 separate extractions in a single pass through the database.

Step by Step Procedure for Data Extraction

Ensure that Sales Transaction is the active database.

Location: Data > Extractions > Direct Extraction

Fig. 3.1.39 Direct Extraction Location

Fig. 3.1.40 Direct Extraction


(a) In the File Name column, replace the default file name with Sales Greater than 20,000.
(b) Click the Equation Editor button, and then enter the equation SALES >= 20000.
(c) Click the Validate and Exit button to return to the Extract to File(s) dialog box.
(d) Clicking OK creates a new child database named Sales Greater than 20,000, which contains the records where SALES is 20,000 or more (the equation uses >=, so a sale of exactly 20,000 is included).

Record Extraction Result

Fig. 3.1.41 Direct Extraction Result

Exercises:
1. Use the Sample-Suppliers file and extract supplier details where the supplier number is from 30000 to 90000.
2. Use the Sample-Suppliers file and extract supplier details where the country is "Chile".

3.11 Benford's Law

Learning Objectives
- To compare the data with the data pattern predicted by Benford's Law.

Function Description

Benford's Law states that digits and digit sequences in a data set follow a predictable pattern. The Benford's Law task generates a database, and optionally a Results output, that you can analyze to identify possible errors, potential fraud or other irregularities. If artificial values are present in the selected database, the distribution of the digits may have a different shape, when viewed graphically, from the shape predicted by Benford's Law. A Benford's Law analysis is most effective on data:
- Comprised of similar-sized values for similar phenomena.
- Without built-in minimum and maximum values.
- Without assigned numbers, such as bank account numbers and zip codes.
- With four or more digits.

Step by Step Procedure for using Benford’s Law function Ensure that Sales Transaction is the active database. Location 

Analysis >Benford's Law.

Fig. 3.1.42 Benford’s Law Location The analysis counts digit sequences of values in the database and compares the totals to the predicted result according to Benford's Law. Non-zero digits are counted from left to right and values below 10 are ignored.


Fig. 3.1.43 Benford’s Law

Steps for Benford's Law

(a) Select the field to analyze. In the Field to analyze drop-down list, select the Numeric field that you want to analyze with Benford's Law.

(b) Select the number type. In the Include Values area, select the check box for the required number type (Positive or Negative).

(c) Optionally, specify the upper and lower boundaries. The upper and lower boundaries define the acceptable range of values within which the actual result can appear. Select the Show boundaries check box to include the boundaries in the Results output and the resultant database.

(d) Select the required analysis types. In the Analysis Type area, select the required analysis types, and then accept or change the associated database file names.

(e) Optionally, create a Results output.

(f) On clicking OK, we get results for Benford's First Digit, Second Digit, First Two Digits and First Three Digits.

(g) In the image below, the Benford's First Digit result is displayed. To view the Second, Third and Fourth Digit results, click on the IDEA File Explorer.


Fig. 3.1.44 Benford's Law First Digit Result

Exercise: Use Sample-Bank Transactions file and perform the Benford's Law function on amount.
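The digit count described above, written out as an added Python example (not IDEA's own code): it reads leading digits from left to right, ignores values below 10, honours the Positive/Negative and Show boundaries options, and compares the counts with the proportions Benford's Law predicts. The amounts are constructed, and the boundary band is a normal-approximation assumption because the page does not give IDEA's boundary formula.

```python
"""Benford's Law digit analysis modelled on IDEA's Analysis > Benford's Law task.

Added example; the amounts below are constructed, not IDEA's sample data.
"""
import math
from collections import Counter

# Constructed sample amounts (a real audit file would hold thousands of values).
SAMPLE_AMOUNTS = [1234.50, 2500.00, 987.00, 15.00, 8.75, -3400.00,
                  45000.00, 120.00, 1099.00, 61.00, 7.50, 3000.00]

# Multiplier for the optional upper/lower boundaries. Assumption: the page does
# not give IDEA's boundary formula, so a 95% normal-approximation band is used.
Z_BOUNDARY = 1.96


def benford_expected(digits=1):
    """Expected proportion for every leading digit sequence of length `digits`.

    Benford's Law predicts P(s) = log10(1 + 1/s) for the first digit s = 1..9,
    the first two digits s = 10..99 and the first three digits s = 100..999.
    """
    lo, hi = 10 ** (digits - 1), 10 ** digits
    return {str(s): math.log10(1 + 1 / s) for s in range(lo, hi)}


def leading_sequence(value, digits=1):
    """Return the first `digits` significant digits of `value` as a string.

    As the page states, digits are read from left to right and values below 10
    are ignored (None is returned). A value with fewer integer digits than
    requested (e.g. 15.00 for a three-digit test) is also skipped; assumption.
    """
    magnitude = abs(value)
    if magnitude < 10:
        return None
    text = str(int(magnitude))  # any value >= 10 has at least two integer digits
    if len(text) < digits:
        return None
    return text[:digits]


def benford_analysis(values, digits=1, include_positive=True,
                     include_negative=False, show_boundaries=True):
    """Count leading digit sequences and compare them with Benford's prediction.

    Mirrors the task's options: the analysis type (1, 2 or 3 leading digits),
    the Include Values choice (positive/negative) and the Show boundaries box.
    Returns (values_counted, rows); rows maps each sequence to its actual count,
    expected count, boundaries and a flag that is True when the actual count
    falls outside the boundaries.
    """
    counts = Counter()
    for value in values:
        if value > 0 and not include_positive:
            continue
        if value < 0 and not include_negative:
            continue
        seq = leading_sequence(value, digits)
        if seq is not None:
            counts[seq] += 1

    total = sum(counts.values())
    rows = {}
    for seq, p in benford_expected(digits).items():
        expected = total * p
        row = {"actual": counts.get(seq, 0), "expected": expected}
        if show_boundaries:
            spread = Z_BOUNDARY * math.sqrt(total * p * (1 - p))
            row["lower"] = max(0.0, expected - spread)
            row["upper"] = expected + spread
            row["outside"] = not (row["lower"] <= row["actual"] <= row["upper"])
        rows[seq] = row
    return total, rows


if __name__ == "__main__":
    total, rows = benford_analysis(SAMPLE_AMOUNTS, digits=1)
    print(f"Benford first digit analysis over {total} values >= 10")
    for seq, row in rows.items():
        flag = "  <- outside boundaries" if row["outside"] else ""
        print(f"{seq}: actual {row['actual']:2d}  expected {row['expected']:5.2f}"
              f"  bounds [{row['lower']:.2f}, {row['upper']:.2f}]{flag}")
```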

3.12 Consolidation of Data

Learning Objectives

• To summarize data and create a report based on many calculations.
• To define how your data is displayed and organized.

Function Description

Consolidation is the process of combining values from several ranges of data. Data can be consolidated by Pivot Table.

Step by Step Procedure for reporting

Ensure that Sales Transaction is the active database.

Location: Analysis > Pivot Table.


Fig. 3.1.45 Pivot Table Location

In the Result name box, enter a name for the Pivot Table Results output.

Fig. 3.1.46 Pivot Table

Click OK. The Pivot Table Field List dialog box appears. It contains the list of available fields in the database, with their field types in adjacent brackets.


Fig. 3.1.47 Pivot Table Field List

(a) Create the table by dragging the fields to summarize from the Pivot Table Field List dialog box to the following areas: Drop Column Fields Here, Drop Row Fields Here, Drop Data Items Here and Drop Page Fields Here.

(b) You can drag the same field more than once into the data area, creating a new statistic each time - sum, amount, and so on.

(c) You can add multiple fields to the Column and/or Row area. When more than one field is added to a column or row area, the data in the rightmost header column or lowest header row is grouped by the data in the preceding row or column.

(d) You can also select a field from the Pivot Table Field List dialog box, select the area of the pivot table to which you want to add the selected field from the drop-down list, and then click Add To. Once a field has been added to the table, it is highlighted in the Pivot Table Field List dialog box.

(e) For every field added to the pivot table, its sort order is added to the Indices area of the Properties window. You may delete these indices from the Indices area without affecting the pivot table.

(f) From the Pivot Table Field List dialog box, click Close.

Pivot Table Result

Fig. 3.1.48 Pivot Table Result

Exercises:

1. Use Sample-Employees file and perform the pivot table function with branch as row and salary as column name.

2. Use Pivot Table to find out salary as per country/branch and the total of salary.

3.13 Equation Editor

Learning Objectives

• To create formulae and equations in IDEA.

Functions

Use functions to perform more complex calculations and exception testing. You can use them for date arithmetic, text searches, and some statistical operations. They are very similar in style and operation to functions found in other software packages such as Microsoft Excel, Lotus 1-2-3, and dBASE. Each function calculates a result based upon the parameters passed to the function. Parameters are passed in parentheses.


Fig 3.1.49 Equation Editor

Select the type of function you require from the following category list to view the details for the associated functions:

• All - Complete list of all functions.
• Character - Text manipulation or conversion
• Numeric - Calculations and statistics
• Date and Time - Date and time calculations and conversions
• Matching - Matching of multiple and similar items
• Conditional - IF statements to select different items
• Financial - Financial calculations
• Custom - User-defined functions

Entering Functions in Equation Editor

Entering a function involves entering the function name along with any necessary parameters. Functions are entered in the Equation area of the Equation Editor.

Entering the Function Name

To enter the function name in the Equation area, expand the appropriate function category and then double-click the required function name. Alternatively, if you know the name of the function, you can type it directly into the Equation area. As you type the function name, the Equation Editor provides a list of possible function names.


Entering the Parameters

Parameters may be complete equations with references to other functions, such as nested functions, or simple constants. Parameters are separated by a list separator. The list separator is defined in your Windows Regional Settings and is usually a comma or a semi-colon. Most functions require a specific number of parameters. A syntax error occurs if you provide the wrong type of parameter to a function. The parameter types are:

String
  Explanation: Represents text or a character expression. A character expression can contain characters or a Character data field.
  Examples: "Smith", "123456", "Joe" + "Bloggs"

Number
  Explanation: Represents a numeric expression. A numeric expression can contain numeric constants or Numeric data fields.
  Examples: 123.45, ACCNT_BAL, QTY*COST

Time
  Explanation: Represents a time expression. It is displayed in the grid as HH:MM:SS. A time expression can contain a time constant expressed as a string, a numeric constant, a Time field or a Numeric field. Numeric values are interpreted as the number of seconds.
  Examples: "23:59:59", TRANS_TIME

Date
  Explanation: Represents a date expression. A date expression is a character string that is eight characters long and contains a valid date in YYYYMMDD format.
  Examples: "19960131", TRANS_DATE

3.14 Reporting

Learning Objectives

• To generate a report for the current active database.

Function Description

You can use the reporting feature to generate various types of reports from IDEA.

Step by Step Procedure for reporting

Create a report using the view settings by selecting File > Print > Create Report. Alternatively, click the Create Report button on the Operations toolbar. The Report Assistant dialog box appears.

Report Assistant

Accept all defaults and select the Allow headings to span multiple lines check box. Click Next.


Fig. 3.1.50 Report Assistant

Step 1: Heading Step

Modify the report headings as follows, and then click Next:

• Date – Invoice Date
• INVOICENO – Invoice Number
• NAME – User Name
• SALES – Sales
• USERID – User Id


Fig. 3.1.51 Report Assistant - Heading

Step 2: Define Breaks Step

(a) During this step, define if and where control breaks (required for totals in reports) are required.

(b) Sequence the database records in the following order:

    • INVOICENO : Ascending

Fig. 3.1.52 Report Assistant - Define Breaks

(c) Click Next.

Note: IDEA displays the records in the report in the order of the index. IDEA displays the index description in the Indices area of the Properties window once you have completed the report.

Step 3: Report Breaks Step

Create a break and total the Sales field for each INVOICENO. Select the options as in the image below, and then click Next.

Fig. 3.1.53 Report Assistant - Report Breaks

Step 4: Grand Totals Step

Create grand totals for the Sales field only, set the font style to bold, and then click Next.

Fig. 3.1.54 Report Assistant - Grand Totals

Step 5: Header/Footer Step

Enter/select the following information, and then click Finish.

• Print cover page: Select this check box.
• Title: Sales Transactions.
• Comments: Ordered by User Id and date.
• Prepared by: Enter your name or initials.
• Header: Enter the name of your organization.
• Date/Time: Accept the defaults unless you have particular preferences.

Note: The options you have selected affect how the report is printed. The name entered into the Prepared by field appears on reports accessed via the Print Preview of a Results output.

Fig. 3.1.55 Report Assistant – Header/Footer

On clicking Finish, you can preview the generated report.
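What Steps 2 to 4 of the Report Assistant configure is a classic control-break report. The following added Python example (not IDEA's code) carries it out on constructed records that use the field names from this walkthrough: sequence on INVOICENO, subtotal SALES at each break, then print a grand total.

```python
"""Control-break report with subtotals and a grand total.

Added example (not IDEA's Report Assistant) reproducing Steps 2-4 above:
sequence the records on INVOICENO, total SALES at each break, then print a
grand total. The records and headings below are constructed.
"""

# Constructed sample records using the Sales Transaction field names on the page.
SALES_TRANSACTIONS = [
    {"DATE": "20031106", "INVOICENO": "A102", "NAME": "Smith", "SALES": 1500.00, "USERID": "U01"},
    {"DATE": "20031103", "INVOICENO": "A101", "NAME": "Bloggs", "SALES": 250.00, "USERID": "U02"},
    {"DATE": "20031106", "INVOICENO": "A102", "NAME": "Smith", "SALES": 300.00, "USERID": "U01"},
    {"DATE": "20031110", "INVOICENO": "A103", "NAME": "Joe", "SALES": 4200.50, "USERID": "U03"},
    {"DATE": "20031104", "INVOICENO": "A101", "NAME": "Bloggs", "SALES": 750.00, "USERID": "U02"},
]

# Report headings as set in Step 1 of the walkthrough.
HEADINGS = {"DATE": "Invoice Date", "INVOICENO": "Invoice Number", "NAME": "User Name",
            "SALES": "Sales", "USERID": "User Id"}


def control_break_report(records, break_field="INVOICENO", total_field="SALES",
                         ascending=True, headings=HEADINGS):
    """Build the report; returns its lines, the per-break subtotals and the grand total."""
    # Step 2: sequence the records on the break field (a stable sort keeps the
    # input order within one invoice number).
    ordered = sorted(records, key=lambda r: r[break_field], reverse=not ascending)
    fields = list(headings)
    lines = [" | ".join(headings[f] for f in fields)]
    breaks, grand_total = [], 0.0
    current_key, subtotal = None, 0.0

    for rec in ordered:
        key = rec[break_field]
        if current_key is not None and key != current_key:
            # Step 3: a control break; emit the subtotal for the key that just ended.
            lines.append(f"Total {headings[total_field]} for {current_key}: {subtotal:,.2f}")
            breaks.append((current_key, subtotal))
            subtotal = 0.0
        current_key = key
        lines.append(" | ".join(str(rec[f]) for f in fields))
        subtotal += rec[total_field]
        grand_total += rec[total_field]

    if current_key is not None:  # close the final group
        lines.append(f"Total {headings[total_field]} for {current_key}: {subtotal:,.2f}")
        breaks.append((current_key, subtotal))
    # Step 4: grand total for the Sales field only.
    lines.append(f"GRAND TOTAL {headings[total_field]}: {grand_total:,.2f}")
    return {"lines": lines, "breaks": breaks, "grand_total": grand_total}


if __name__ == "__main__":
    print("\n".join(control_break_report(SALES_TRANSACTIONS)["lines"]))
```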


3.15 Field Manipulation

Learning Objectives

• To view field definitions, add or delete fields, and change field properties such as field name and type.

Function Description

You can use this to modify the fields as required. Please note that making changes to a field through Field Manipulation may cause any output based on that field (results, drill-downs, indices, views, etc.) to appear incorrect or become invalid. Results may be made valid again by returning the settings to what they were when the result was created. To avoid this, instead of changing a field definition, append a new field to the database with the required definition. For example, instead of changing the type of a field from Character to Numeric, create a new Virtual Numeric field using @Val.

Select Data > Field Manipulation. The Field Manipulation dialog box opens.

Fig. 3.1.56 Field Manipulation

Add a field

• Click Append.

• Enter the field definition:

  Field Name: A unique field name up to 40 characters in length that does not contain spaces or special characters.

  Type: Click the Type text box to display the type options, and then select the required type.

  Length: The total length of the field in characters. IDEA automatically determines the length for Editable Numeric fields.

  Decimal: If applicable, enter the number of decimal places. If the decimal is implied, enter 0. The maximum number of decimal places allowed is six.

  Parameter: Click the Parameter field to invoke the Equation Editor.

  Tag Name: If you have Smart Analyzer installed, click the link to add a tag.

  Description (optional): A brief description of the field. The maximum length of the description is 256 characters.

• Click OK.

Delete a field

• Click in the row corresponding to the field to be deleted.

• Click Delete.

• Click Yes to confirm the deletion.

Note: As a security feature, by default, native fields cannot be deleted.

Change a field type

Click the Type text box to display the type options, and then select the required type.

Notes:

• Virtual field types can only be changed to other Virtual field types. For example, a Virtual Character field could be changed to a Virtual Date field.

• Field types cannot be changed for Editable, Boolean or Multistate fields; however, the data within such a field in the database can be changed.

Change a field name

Click in the Field Name cell of the field name to be changed and enter the new name.

Exercise: Use Sample-Employees file, modify different fields and understand the impact.


Annexure - Using Audit Software: Some Practical Examples

These are samples of analysis which can be performed using audit software for various types of audits/reviews. Each entry gives the category, the type of analysis and the CAAT functions used.

Category: Creditors
• Types of analysis: Payment terms; Credit Control Policy; Aging of creditors; Discount policy; Authorised suppliers; Authorization; Accounting; Supplier classification on purchases; Analysis of purchases by period
• CAAT functions: Extraction, Date difference; Extraction, Date difference, Aging, date difference; Stratification, Summarization, Join, Relation, Sort, Filter, Extract, Summarization; Sort, Total, Count, Summarization; Sort, Relation, Join, Summarization, Sort; Aging, MIS, date difference

Category: Tax Audit
• Identify cash loan/deposits > 20000: Sort, Filter, Extract, Export, Index, analytical tool
• Identify cash payment > 10000: Sort, Filter, Extract, Export, analytical tool
• Review of TDS compliance: Join, Relation, Sort, analytical tool
• Analysis of Inventory: Aging, MIS, Summarization, Count, Total

Category: Financial audit
• Review of Authorization: Filter, Extract, Summarization
• Review of discount policy: Stratification, Summarization
• Compliance with tax rates – sales tax, excise duty, etc.: Join, Relation, Filter, Extract, Sort, Count, Total, Compare files
• Verification of financial accuracy: Summarization, Sort, Statistics, Total
• Aging of debtors: Aging, MIS, Periodicity check

Category: Internal Audit
• Overall statistical analysis: Statistics, Benford's Law, Summarization
• Identification of exception items: Benford's Law, Filter, Gap detection
• Duplicate payment for invoices: Identify duplicates, Sequence, Join, Relation
• Debtors outstanding > credit period: Aging, Summarization
• Age-wise analysis of debtors: Aging, MIS, Summarization, Statistics
• Age-wise analysis of inventory: Aging, MIS, date difference, Total, Count

Category: Purchases
• Duplicate payments: Duplicates, Sequence, Relation
• Invalid vendors: Join, Relation, Sort, Summarization, Filter
• Duplicate invoices: Duplicates, Sequence, Relation
• Invalid purchases: Join, Relation, Sort, Summarization, Filter
• Payments without receipt of goods: Join, Relation, Compare files, Filter, Exceptions
• Inflated prices: Filter, Sort, Stratify, Join, Relation
• Excess quantities purchased: Filter, Sort, Stratify, Join, Relation

Category: Payroll
• Ghost employees: Join, Relation, Summarization, Sort, Statistics
• TDS: Re-computation using analytical tool
• Duplicate direct credits: Identify duplicates, Sequence, Relation
• Duplicate home addresses: Identify duplicates, Sequence, Relation
• PO Box addresses: Identify duplicates, Sequence, Relation
• Work Phone Nos.: Identify duplicates, Sequence, Relation
• Work Location: Identify duplicates, Sequence, Relation
• Deductions: Re-computation using analytical tool
• Vacation and sick leave: Re-computation using analytical tool
• Wage level: Join, Relation, Summarization, Statistics
• Terminated employees: Join, Relation, Filter, Statistics
• Overpayment, overtime: Summarization, Statistics, MIS, Join, Relation

Category: Aging
• Overdue A.R. and A.P.: Aging, MIS, date difference
• Favorable credit terms: Aging, MIS, date difference
• Inventory turnover rates: Stratify, Filter, Summarization
• Dormant accounts: Identify Gaps, date difference
• Records with future, blank or otherwise invalid dates: Sort, Filter, Sequence, Identify Gaps, Date difference, Statistics, Count
• Items past a cutoff date: Date difference, Aging, Filter
• Contracts awarded before contract date: Date difference, Aging, Filter, Summarization, Statistics
• Transactions outside of billing period: Aging, Filter, Summarization, Statistics
• Length in days of various activities: Date difference, Aging, Filter, Summarization, …

Questions

1. Computer Assisted Audit Techniques (CAATs) refers to using _________ for increasing the effectiveness and efficiency of auditing.
   A. Technology
   B. Standards
   C. Documentation
   D. Systematic Process

2. Which of the following statements pertaining to CAAT is true?
   A. CAATs are specialist tools designed for use by specialist IT auditors.
   B. CAATs refer to common techniques which can be easily mastered to audit in a computerized environment.
   C. CAATs cannot be used for compliance audit.
   D. CAATs can be used for Information systems audit only.

3. Which of the following statements pertaining to CAAT is incorrect?
   A. CAATs are tools for drawing inferences and gathering relevant and reliable evidence.
   B. CAATs provide direct access to electronic information.
   C. CAATs provide a mechanism to gain access and to analyze data.
   D. CAAT techniques are available in general audit software only.

4. Which of the following is a key reason for using CAATs?
   A. Availability of input documents.
   B. Availability of visible paper trail.
   C. Need to access information from systems having different IT environments.
   D. Need to perform audit in less time.

5. Which of the following is not a benefit of using CAATs?
   A. Increased audit quality and compliance with auditing standards.
   B. Identifying materiality, risk and significance in an IT environment.
   C. Identifying fraud in the audit area.
   D. Ensuring better audit planning and management of audit resources.

6. For effective use of CAATs it is necessary to:
   A. Understand the programming language of the software being audited.
   B. Obtain the source code of the software being audited.
   C. Obtain a copy of the data in its original format for independent analysis.
   D. Retain the audit data in the original database format.

7. Which of the following steps is important for validating the correctness of data obtained for audit?
   A. Issue a letter for getting the requested data in the specified form as per the audit objectives.
   B. Obtain copies of the record layout and definitions of all fields.
   C. Ensure that the auditor has an overall understanding of the data.
   D. Compare the data imported in the audit software with control totals of key data.

8. File access in CAATs refers to the capability of:
   A. Reading different record formats and file structures.
   B. Converting data to common formats of data.
   C. Using the import/ODBC function.
   D. Reviewing access controls of application software.

9. The file reorganization feature of CAATs refers to:
   A. Functions that provide the auditor with an instant view of the data from different perspectives.
   B. Indexing, sorting, merging, and linking with other identified files.
   C. Using global filter conditions to select required data based on specified criteria.
   D. Use of sampling, stratification and frequency analysis.

10. Which of the following statements pertaining to precautions in using CAATs is incorrect?
   A. Collect the relevant and correct data files.
   B. Identify all the important fields that need to be accessed.
   C. Ensure the data represents the audit universe correctly and completely.
   D. Information provided by CAATs is a clear indicator of problems and no further testing is required.

11. Which of the following is the first step in using CAATs?
   A. Identify the sources of data from the enterprise information system/application software.
   B. Based on the scope and objectives of the audit, decide about the need and extent to which CAAT could be used.
   C. Identify the critical data which is being audited as per the audit scope and objectives.
   D. Identify the relevant personnel responsible for the data and information system.

12. Which of the following is the final step in using CAATs?
   A. Obtain and review documents relating to data/information systems.
   B. Decide what techniques of CAATs could be used as relevant to the environment.
   C. Prepare a detailed plan for analyzing the data.
   D. Perform relevant tests on audit data as required, prepare audit findings and include them in the audit report/opinion.

Answers

1. A   2. B   3. D   4. C   5. C   6. C   7. D   8. A   9. B   10. D   11. B   12. D


UNIT 4: CORE BANKING SOLUTION

CHAPTER 1: CBS BASICS AND ITS WORKING METHODOLOGY

LEARNING OBJECTIVES

• What is Core Banking Solution
• Technology behind CBS
• Comparison of TBA (Total Branch Automation) with CBS
• Data Centre and Network Connectivity
• Functions of IT Department under CBS environment
• Modules of CBS
• Operations of CBS Branch
• Security and Controls at Data Centre and Branch

1.1 What is Core Banking Solution?

Core Banking Solution (CBS) is centralized banking application software. It has several components which have been designed to meet the demands of the banking industry. Core Banking Solution is supported by advanced technology infrastructure. It has high standards of business functionality. These factors provide the banks a competitive edge. There are different vendors in the market providing CBS. The software (CBS) is developed by different software development companies like Infosys, TCS, Iflex Solutions etc. Each of the software products has a different name:

Name of the Vendor : Software
Infosys : Finacle
TCS : Quartz
Iflex Solutions : Flex Cube

Apart from the above, some institutions have developed the software in house. The software resides in a Central application server which is located in the Central Office Data Centre. The application software is not available at the branch but can be accessed from the branches. Along with Data base servers and other servers, application server is located at the Central Data Centre. All of the branches of the bank are connected to the Central Data Centre as shown in Fig.1.1.1


Fig. 1.1.1. Branches of the bank are connected to the Central Data Centre

Core Banking Solution brings significant benefits:

(a) A customer is a customer of the bank and not only of the branch.

(b) The CBS is capable of being implemented in stages. Initially basic modules like Savings Account, Current Account, Fixed Deposits, Bills & Remittances, Loans and Advances are implemented. Subsequently alternate delivery channels like ATM, Internet banking, RTGS/NEFT, Mobile Banking, Treasury, Government Business etc. could be added.

As the servers are on 24 hours on all days, banking can be done at any time and from anywhere. The database of customers is updated online, e.g., an amount withdrawn at an ATM is deducted from the customer's balance almost instantly.

1.2 Technology behind Core Banking Solutions

As already observed, Core Banking describes the banking services provided by a group of networked bank branches. As they are networked, customers can access their accounts and perform certain transactions from any of the bank's branches. Broadly speaking, the customer is no longer a customer of the branch but a customer of the bank. A Core Banking Solution (CBS) is a combination of application software and network devices. There is a Central Data Centre. A Data Centre is a large data housing infrastructure that provides high bandwidth access to its clients. The Data Centre houses many services, networking devices, firewalls and other related equipment. The figure below represents the technology and connectivity details in a very simple structure for the implementation of the CBS. The circled portion in the diagram would normally be in the Data Centre, as shown in Fig. 1.1.2.

Fig. 1.1.2. CBS Network Diagram

The servers in the Data Centre could be many, e.g., application servers, Data Base Servers, web server, mail server, report generating servers etc. It needs to be specifically emphasised that all the servers, though placed in the same Data Centre, are not in the same Local Area Network (LAN). Each of the servers is segregated using the concept of a Virtual Local Area Network (VLAN). A VLAN is a method of creating virtual networks within a physical network. Each virtual network thus created will act as a separate network. This concept has distinct advantages: data communication between two VLANs can be controlled as per business requirements. Thus you will observe that in the diagram the application server and data base servers are on two different VLANs (in the picture VLAN2 and VLAN3).

The various components of a core banking environment would be:

• A Central Application Server that runs the core banking solution (CBS). The application is centrally accessed by the branches. There are different core banking solutions available in the market like Finacle developed by Infosys, Flexcube developed by I-Flex Solutions, Bankmate developed by HCL Technologies and Quartz developed by TCS. There are other CBS software also, some developed in-house by the bankers, others developed by other vendors.

• Central Data Base Servers that store the data of the bank. It must be noted that only this centrally located data base server stores the data for the bank, which means that the data for all of the branches of the bank are stored in this central data base server.

• Other infrastructure needed for internet banking and automated teller machine (ATM) operations.

• Necessary infrastructure to provide security for stored data and data transferred across the network.

In the following paragraphs, we shall briefly discuss the various servers, their location and the purpose served. At this juncture let us recapitulate the concept of a server. The server is a sophisticated computer that accepts service requests from different machines which are called clients. The requests are processed by the server and sent back to the clients. There are different types of servers, as follows: Application Server, Data Base Server, Anti Virus Server, Web Server, ATM Server, Internet Banking Application Server (IBAS), Internet Banking Data Base Server, Proxy Server, Mail Server etc.

Application Server

The application server hosts the core banking application like Finacle, Flexcube, Quartz or Bankmate etc. This server has to be a powerful and robust system as it has to perform all the core banking operations. The branch does not have the entire application. It will have only a version which is called the "client version" of the application. The client version of the application is capable of only entering the data at the end point, that is, the branches.
The validation is a complete process in the computer which ensures that the data fed in conforms to certain prerequisite conditions. For example, if an operator keys in data for a withdrawal of money, the account number of the customer would naturally be entered by the operator. But there would be a built-in control so that further processing would be entertained only after the system verifies that the account number entered already exists in the data base, i.e., it is an existing customer. After the data is validated at the branch, it would be sent to the application server in the centralised data centre. The application server (which houses the banking software), after receiving the data, performs the necessary operations and updates the central data base. For example, a deposit of Rs.10000/- by customer "A" is passed on to the data centre. The application server performs the necessary operations and updates the account of customer "A" in the data base server. The customer may do some other operation in branch "Y". The process is validated at branch "Y" and the data is transmitted to the application software at the data centre. The results are updated in the data base server at the centralised data centre. Thus it would be observed that whatever operations a customer may do at any of the branches of the bank, the accounting process being centralised at the centralised data centre, the result is updated in the centralised data base.

The application software in the application server always has to be the latest version, as accepted after adequate testing; the application software is never static and would require changes to be effected either due to bugs discovered, a change in the process or any other justified reason. Such changes are never made directly on the live application server. They are made on a separate server called a test server. The programs are debugged and certified that the program is now amended as required and performs as expected. The changed and latest application software will then be moved into the application server under proper authority. The earlier version would be archived. The latest copy of the software would always have a backup copy.

Location The application server would be placed in a trusted inside zone in a separate Virtual Local Area Network (VLAN) - please see diagram. There is no direct access to the application server. The communication has to pass through a firewall, properly directed by a switch which is also located behind the firewall.

Data Base Server

The Data Base Server of the Bank, as already observed, contains the entire data of the Bank. The data would consist of the various accounts of the customers, as well as certain master data, e.g., base rates, FD rates, the rates for loans, penalties leviable under different circumstances, etc. The application software would access the data base server. The data contained in the data base has to be very secure and no direct access would be permitted, to prevent unauthorised changes. Strict discipline is followed regarding the maintenance of the data base server. There is a designated role for maintenance of the data base. The individual who performs this role is called the Data Base Administrator. His activities will also be monitored, as all changes made would be recorded in a log. Scrutiny of the log would disclose the type of activities and the effect of such activities. Security aspects of the data base server are an audit concern. Apart from the normal application server, the Automated Teller Machine Server (ATMS) and Internet Banking Application Server (IBAS) would also access the Data Base Server. However, it would be only through the VLAN. It must be noted that whatever operation the customer has performed, whether at the branch, through an ATM, by Internet, mobile banking or any other alternate delivery channel, his account at the Centralised Data Base would be updated.

Automated Teller Machines Server

This server contains the details of ATM account holders. Soon after the facility of using the ATM is created by the Bank, the details of such customers are loaded on to the ATM server. When the Central Data Base is busy with central end-of-day activities, or for any other reason, the file containing the account balances of the customers is sent to the ATM switch. Such a file is called a Positive Balance File (PBF). Till the central data base becomes accessible, the ATM transactions are passed against the balance available in the ATM server. Once the central data base server becomes accessible, all the transactions that took place while the central data base was inaccessible would be updated in the central data base. This ensures not only continuity of ATM operations but also that the Central data base is always up-to-date. The above process is applicable to a stand-alone ATM at the Branch level. As most of the ATMs are attached to the central network, the control is through the ATM SWITCH only.
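The PBF fallback described above, as an added Python simulation (not a bank's or vendor's code): the switch authorises against the PBF snapshot while the central data base is unavailable and replays the queued withdrawals when it returns. Account numbers and balances are constructed, and the handling of a replayed debit that the central balance can no longer cover is an assumption, since the page does not say how it is treated.

```python
"""Positive Balance File (PBF) fallback for ATM authorisation.

Added example simulating the mechanism described above: while the central
data base is unreachable the ATM switch authorises against the PBF snapshot,
then replays the queued transactions once the central data base is back.
Accounts and balances are constructed.
"""


class CentralDatabase:
    """The centralised customer data base; `available` models end-of-day outages."""

    def __init__(self, balances):
        self.balances = dict(balances)
        self.available = True

    def debit(self, account, amount):
        """Debit an account; refuse when funds are insufficient."""
        if self.balances[account] < amount:
            raise ValueError(f"insufficient funds on {account}")
        self.balances[account] -= amount


class AtmSwitch:
    """ATM switch holding a PBF snapshot and a log of transactions passed offline."""

    def __init__(self, central):
        self.central = central
        self.pbf = {}          # account -> balance as at the time the PBF was sent
        self.offline_log = []  # (account, amount) pairs passed against the PBF

    def load_pbf(self):
        """The central system sends the file of account balances to the switch."""
        self.pbf = dict(self.central.balances)

    def withdraw(self, account, amount):
        """Authorise a withdrawal online if possible, otherwise against the PBF."""
        if self.central.available:
            self.central.debit(account, amount)
            return "online"
        if self.pbf.get(account, 0) < amount:
            return "declined"
        self.pbf[account] -= amount
        self.offline_log.append((account, amount))
        return "offline"

    def resync(self):
        """Replay offline transactions once the central data base is back.

        Assumption: a replayed debit that the central balance can no longer
        cover is still posted (the cash was already dispensed) and reported as
        an exception for audit follow-up; the page does not state the handling.
        """
        exceptions = []
        for account, amount in self.offline_log:
            try:
                self.central.debit(account, amount)
            except ValueError:
                self.central.balances[account] -= amount
                exceptions.append((account, amount, self.central.balances[account]))
        self.offline_log.clear()
        return exceptions


def run_scenario():
    """Stale-PBF scenario: a branch withdrawal happens after the PBF was sent."""
    central = CentralDatabase({"ACC-A": 5000, "ACC-B": 1000})
    switch = AtmSwitch(central)
    switch.load_pbf()                      # PBF records ACC-B = 1000
    central.debit("ACC-B", 800)            # branch withdrawal: ACC-B is now 200
    central.available = False              # end-of-day: central data base busy
    results = [
        switch.withdraw("ACC-A", 3000),    # offline: PBF 5000 -> 2000
        switch.withdraw("ACC-A", 3000),    # declined: PBF holds only 2000
        switch.withdraw("ACC-B", 900),     # offline: PBF still shows 1000
    ]
    central.available = True
    exceptions = switch.resync()
    return results, exceptions, dict(central.balances)


if __name__ == "__main__":
    results, exceptions, balances = run_scenario()
    print("ATM results:", results)
    print("Replay exceptions (account, amount, resulting balance):", exceptions)
    print("Central balances after resync:", balances)
```

The exception list is what an auditor would want reconciled after every PBF period: it shows exactly which offline authorisations the central balance could not support.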

Internet Banking Data Base Server
Just as in the case of the ATM server, where the details of all the account holders who have the ATM facility are stored, the Internet Banking Data Base Server (IBDS) stores the user name and password of all the internet banking customers. (Please note that the ATM server does not hold the PIN numbers of the ATM account holders. For further discussion, please refer to the chapter dealing with ATMs.) The IBDS server also contains the details about the branch to which the customer belongs. The Internet Banking customer would first have to log into the bank's website. The next step would be to give the user name and password. The Internet Banking software, which is stored in the IBAS (Internet Banking Application Server), authenticates the customer against the log in details stored in the IBDS. Authentication, as you know, is the process by which the details provided by the customer are compared with the data already stored in the data server to make sure that the customer is genuine and has been provided with the internet banking facility.

Location The IBDS is located in a demilitarised zone. It has a separate VLAN that connects a proxy server, mail server, web server and IBAS.

Internet Banking Internet Banking refers to banking transactions routed through the Internet. This facility permits registered customers of the bank to perform banking operations at any time of the day from any computer - now it may also be possible to do it from a cell phone. No doubt, Internet Banking facilitates banking through the medium of internet. However, it also needs specialized software and hardware. The internet as you all know is a public network. Hence proper security features are built into the system to maintain confidentiality and integrity of the data that is being transferred through the internet. Some Banks provide this facility automatically soon after a customer opens an account with them. Some others require a special request from the customer to provide this facility. However, whatever be the method of providing internet facility, there is a process to be followed. The main components of Internet banking system consist of Web Server, Internet Banking Application Server (IBAS), Internet Banking Data Base Server (IBDS), Middleware, and Central Data Base Server.

Anti Virus Software
In the pre Core Banking Solution scenario, when Total Branch Automation systems were in force, updating the Anti Virus Software was yet another problem. As separate servers, not connected to each other or to the Data Centre at the head office, were in existence, each of the servers had to be updated with the latest version of the Anti Virus Software separately. While in theory it was agreed and presumed that all of the branches would have the latest version of the Anti Virus Software, in practice it was not so. As each one of the servers had to be updated manually with the latest version, the logistics proved to be inadequate, with the result that different versions of the Anti Virus Software were in existence on the servers in the various branches. In the Core Banking Solution, as there is a Centralised Data Centre with a Centralised Data Base server, application server, etc., the Anti Virus Software was also available only at the Centralised Data Centre. This copy of the Anti Virus Software was updated promptly and regularly at the Data Centre and pushed into all of the servers and all the systems in the branches by the push-pull method. Some Banks had, for back up purposes as also for business continuity planning, decided to have servers in the different branches. All these servers were also updated with the latest Anti Virus Software automatically every day as part of the day beginning operations. This process ensured that only one version of the Anti Virus Software, and that too the latest one, was present in all of the bank's servers, unlike in the TBA scenario.

1.3 Comparison of TBA with CBS
Total Branch Automation System (TBA) was in existence before Core Banking Solution (CBS) was implemented. TBA itself was deemed a technological development compared to its predecessor, ALPMS (Advanced Ledger Printing Machines). In the Total Branch Automation system each branch performed the branch operations in totality at the respective branch. The final output was transmitted to the head office. The data was transmitted either on a CD or a Floppy. The information on this media was processed at the Central Office for consolidation of accounts and preparation of reports. Each branch was self reliant, in as much as all the information regarding the branch operations was available on the server located at the branch. The technology infrastructure at the branch was as follows:

- There would be a server, which would be either in the Branch Manager's room or, more commonly, kept in a separate air conditioned enclosure with a separate entrance, so that entry to the server room can be restricted.
- At the most, the Systems Administrator may be inside the cabin along with the server.
- There would be four or five nodes, or more depending upon the need of the branch or the volume of transactions. Each of the nodes would be connected to the server.
- The server would have the application systems as also the data base.
- The bank as a whole would have one banking software, which might have been developed in-house or purchased from an outside vendor. A copy of this software is loaded in each of the servers in all the branches of the bank.
- The server also hosts the data base of the branch.
- The data base would have the master data and all the details of the transactions entered into.
- The master data consists of data relating to standing information like the name and address of the customer and the interest payable on all Deposits. This would have the details of interest payable for various Deposits with different tenures, e.g., 8.5% p.a., 9% p.a. for two years, and so on.
- Additional/ concessional interest for senior citizens, staff members, educational loans for the girl child, various concessional rates during festive seasons, etc.

Transactions of the customers would be stored account-wise, so that the record would have the opening balance and the details of the transactions which have taken place. The application software, which also resides in the server at the branch, actually does the banking operations. E.g., a person operating a particular node (also called a client, which is nothing but the front end machine from which the operations take place) enters the transactions. The customer might have come to withdraw Rs.10,000/-. The operator accesses the machine, when he is prompted to give the user ID and password. Once he gives it correctly, a screen would pop up in which he would click the SB A/c, and in the SB menu he would type the name of the customer as also the account number. He has now accessed the specific account of the customer. The next step would be to enter this transaction, the request for withdrawal by the customer. In the example specified, he would be typing cash Rs.10,000/- in the appropriate fields. This command executed at the node end (client's end) is transmitted to the server through the communication channels (or networking cables). At the server level the application accesses the data of the customer available in the data base and, if there is balance available, gives back the information. The transaction is put through. Once the transaction is put through, this information is again retransmitted to the server. The customer's data base is updated by the application and the customer's account would be suitably modified. At this point of time, we are only discussing the process and not going into the details of the normal controls which are in place, e.g.:
- If the customer does not have the required balance at his credit.
- Is the withdrawal of cash a routine procedure which the person at the counter can authorise through controls built in the system, or whether the transaction can be entered by the person but would have to be authorised by an individual at a higher level, say, the Accounts Officer. These procedures are built into the application software as part of the built in controls of the software. This is known as the maker-checker system or four-eye principle.
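The two controls just mentioned (the balance check and the maker-checker rule for withdrawals above a limit), as an added illustration that is not code from this material or from any bank's application software; the authorisation limit, account balances, user IDs and role names are constructed sample values:

```python
"""Maker-checker (four-eye) control on a cash withdrawal, with the balance
check done at entry and again at posting.

Added illustration, not code from the training material or a CBS product.
AUTHORISATION_LIMIT, the accounts, the user IDs and the role names are
constructed sample values.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed control parameter: withdrawals above this amount need a checker.
AUTHORISATION_LIMIT = 5_000


@dataclass
class Account:
    number: str
    balance: int  # whole rupees, constructed sample data


@dataclass
class Withdrawal:
    account: str
    amount: int
    maker: str
    status: str = "PENDING"          # PENDING, AUTHORISED, REJECTED, POSTED
    checker: Optional[str] = None
    reason: str = ""


class Ledger:
    def __init__(self, accounts, roles):
        self.accounts = {a.number: a for a in accounts}
        self.roles = roles               # user id -> role name
        self.audit = []                  # every decision is logged

    def _log(self, event, w):
        self.audit.append(f"{event} acct={w.account} amt={w.amount} "
                          f"maker={w.maker} checker={w.checker} status={w.status}")

    def enter(self, account, amount, maker):
        """Maker enters the transaction; the balance check happens here."""
        w = Withdrawal(account, amount, maker)
        acct = self.accounts.get(account)
        if acct is None or amount <= 0 or acct.balance < amount:
            w.status, w.reason = "REJECTED", "insufficient balance"
            self._log("ENTER", w)
            return w
        if amount <= AUTHORISATION_LIMIT:
            # Routine withdrawal: the counter operator may post it directly.
            self._post(w)
            return w
        self._log("ENTER", w)            # stays PENDING until a checker acts
        return w

    def authorise(self, w, checker):
        """Checker must be a different user holding the higher-level role."""
        if w.status != "PENDING":
            raise ValueError("only pending transactions can be authorised")
        if checker == w.maker:
            w.status, w.reason = "REJECTED", "maker cannot authorise own entry"
        elif self.roles.get(checker) != "accounts_officer":
            w.status, w.reason = "REJECTED", "checker lacks authority"
        else:
            w.checker = checker
            w.status = "AUTHORISED"
            self._post(w)
        self._log("AUTHORISE", w)
        return w

    def _post(self, w):
        """Re-check the balance at posting time, then update the account."""
        acct = self.accounts[w.account]
        if acct.balance < w.amount:
            w.status, w.reason = "REJECTED", "insufficient balance at posting"
            return
        acct.balance -= w.amount
        w.status = "POSTED"
        self._log("POST", w)
```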

Similarly, transactions relating to Current Accounts, Fixed Deposits, Loans, Foreign Exchange (where the branch is authorised to also deal with foreign exchange) would have to be dealt with by different nodes or the same node, and the data base of the branch is updated. By this process, by the end of the day all the transactions which have taken place during the day have been recorded and correct postings have been made to the respective accounts held in the database which resides in the server. At the end of the day, under the authority of the Branch Manager, the Branch level Systems Administrator would perform the End of Day operations (EOD). The End of Day operations, when completed, would result in all the entries being posted and a final trial balance and other financial statements (including the complete ledger: Opening Balance + Transactions leading to the Closing Balance) being available. The introduction of Total Branch Automation hastened processing activities at the branch and also considerably eased the time consuming End of Day Operations of preparing a tallied trial balance with all the ledger entries having been posted. A copy of the ledger is available in the system, and this would be copied on a CD or a Floppy for outward transmission to the Head Office/ Central Office. At the Head Office, the CDs and floppies received from the various branches would form the basis for them to prepare a consolidated ledger/ Balance Sheet/ General Ledger.
- The advantage of the TBA was that maintenance of manual ledgers and day books was dispensed with.
- At the end of the day, a neatly printed set of day books and ledgers with totals tallying (!) would be ready after the last of the transactions are posted. (In the initial stages, due to technology snags or due to inadequate resources, the end of day operations were taking even 6-8 hours. However, after ironing out the teething problems, the time frame was considerably reduced.)

Disadvantages:
- As mentioned in the earlier paragraphs, a copy of the software had to be loaded into each of the servers at the various branches.
- As we all know, programs require constant changes, either due to bugs in the program or due to changes in the business process or for any other justifiable reasons.
- These changes are made at the central office (Computer Planning and Policy Department - CPPD). Copies of this program would have to be made effective at the branches.
- The methodology adopted for updating was that a copy of the programme would be taken on a CD or Floppy and passed over to a branch, or personally carried by a member of the staff of the CPPD, for updating the copy of the programme residing in the server of the branch. Sometimes it was also communicated through e-mail.
- While theoretically it seems simple, the problems that were faced arose from the need to change the program often. There were different versions of the program available and operational at different branches of the bank. The version control mechanism was not effective.
- In addition to changes in the programme, changes in master data regarding rates of Fixed Deposits, Loans, Penalties, etc., have to take place almost immediately in the entire bank at a single point of time. This was possible only by sending e-mails to the branches and instructing the Branch Managers to get the Systems Administrators of their respective branches to update the masters.
- The Branch Managers, being busy with operations, were not devoting time to personally ensure that these corrections were made properly. This resulted in a situation where modifications were made differently at different branches at different points of time.
- Also, intentionally, some 'mistakes' could be committed. This situation led to a great extent of chaotic conditions of branch transactions at the head office, not to speak of suspense or sundry accounts created in each branch to ensure the trial balance tallied.

To get over this problematic situation, certain steps were taken to resolve the problems.
- For speedy resolution of problems at the branches, it was decided that the source code would be made available at the regional office. All bugs would be dealt with at the regional level, and corrected copies of the program would be given to the branches much earlier than was possible when all corrections were made only in the CPPD.
- The availability of the source code at the regional office, and the different corrections being made by different people on different occasions, led to a lack of control over programme changes and implementation of master data.
- The availability of source code at the different regional offices was itself a matter of serious concern. The source code is the basic code which later becomes the object code. It is not easily possible to change an object code, while the source code could be changed by anybody who knows the programming language.
- Apart from the serious operational problems and security concerns, there were certain other disadvantages, like updation of anti-virus software.
- Scalability of the software was restricted. It wasn't possible to introduce further useful products like ATMs, Internet banking, etc. It would have meant a great deal of patch work and would restrict new products. Already, with various versions of the program being available (and made necessary) in the total branch automation system, the programme was very weak, with different versions having too many patches. To think of enhancing this to add further banking products like ATMs and Internet banking was bound to be impossible. Where an ATM was introduced, it worked for the account holders of that branch only.

1.4 Data Centre and Network Connectivity:
The Data Centre houses all the main servers. They are:
1. Application Server
2. Database Server
3. ATM Server
4. Web Server
5. Antivirus Server
6. Internet Banking Application Server
7. Internet Banking Data Base Server
8. Proxy Server
9. Mail Server

Most of the servers are placed behind a firewall. The firewall is generally a hardware device, and it plays the role of preventing unauthorized access. The servers, though located in the same place, will not be in the same Local Area Network (LAN). These servers are segregated by using the concept of the Virtual Local Area Network (VLAN). A VLAN has got its own security. Fig. 1.1.3 below shows the network diagram at the data centre.


Fig. 1.1.3. Network Diagram at Data Center

Network connectivity
In a core banking concept all the systems of the bank are connected to the Central Office by means of a connectivity which may be either a leased line or a dial up line. As the connectivity of the branch to the data centre is very critical, arrangements are made for back up connectivity. In case the primary connectivity fails, there will be a fall back arrangement with a secondary line. There should be adequate band width capacity to deal with the volume of transactions that are expected to take place. When the band width is not adequate and the transaction load is higher, the system slows down and the efficiency also drops. Hence the banks should ensure that there is adequate band width to manage a heavy load of transactions even during peak periods like the beginning of the month or the end of the month/ year. Apart from the cables, other important components of a network are devices like routers, switches and hubs. Routers enable data transmission over different networks. They are capable of making intelligent decisions to ensure data is transmitted across the network by using the best path. Switches have many ports that are connected to different systems. Switches facilitate data transmission within the network (this switch should not be confused with the ATM switch, discussed later). Virtual networks are capable of being connected only when devices are connected to a switch, as shown in Fig 1.1.4.

Fig. 1.1.4. Virtual Network Diagram

The picture above describes how the various servers are connected and where exactly the firewalls, routers and switches are placed. It will be observed that firewalls will always be placed wherever there is an access from outside the network.

Proxy Server A Proxy server always acts in conjunction with a firewall. The Proxy Server provides network security by preventing malicious data from entering the network. In the network diagram, it will be noticed that the Proxy server is placed inside the demilitarized zone wherein the mail server, web server, internet banking application server, are placed.

Domain Controller
This is used for authentication. Access to a set of servers is controlled by the Domain Controller. Network connectivity and its security play a very important role in any organization, especially in a core banking environment, as the entire system is networked. The importance of network connectivity and its security can never be over emphasized. As dependence upon the network being available is crucial, adequate arrangements should be made for a fall back. The moment the primary network fails for any reason, the fall back arrangement comes into place, due to the steps already taken while establishing the connectivity. The network is vulnerable to "hacking". Hacking is the process of unauthorized entry into a network. To prevent this hacking there have to be many controls in place. It is necessary to constantly monitor the network to ensure that there is no potential possibility of a vulnerability being exploited. All network traffic is required to be tested for vulnerability against hacking, phreaking, malware, spyware, etc. There should be a specific team who will have the sole responsibility of constantly testing the network connectivity to ensure that it is secure. There are software tools available which would be utilized to assess the vulnerabilities. The tools, when used, would highlight any vulnerability discovered. The team in charge of maintaining the network would immediately take adequate steps so that the weak points are strengthened. It is also possible that the network can be intruded into. In any application, and more so in banking applications, vulnerability in the network or the possibility of an intrusion into the network are matters of grave concern. It is possible to use certain procedures so that at any time an intrusion would be detected and prevented. A simplification of the concept could be that of installing a burglar alarm. Preventive controls have to be in place, and it is the responsibility of the bankers to ensure the same. However, it is the duty of the auditor to verify and satisfy himself that the controls are in place and that competent and qualified people have verified them and given satisfactory reports. Care should be taken to improve the security on an ongoing basis, as hackers are employing newer methodologies to attack networks and steal confidential information.

1.5 Functions of IT Department in CBS Environment
As explained earlier, in a core banking solution environment the Information Technology functions (IT functions) are centralised at the data centre. There are specific roles and responsibilities for different individuals, as in all IT Departments. There are certain functions which are incompatible, which means that under no circumstances can one individual perform two such functions, as those specific functions are sensitive. These functions have to be performed by two different individuals. This concept is similar to what we are aware of in a purchase function: the officer who is in charge of the purchase would not be the person who would be passing the goods, and the person who passes the purchase invoice will definitely be different from these two. The rationale for the separation is that otherwise control would be compromised. This is known as segregation of duties and is very important in any computerized function. A brief description of the roles of different individuals in an IT Department is given below:

- Security Administration: It is advisable and necessary for all organizations, including banks, to have a security policy which is approved at the Board level. The officer in charge of the security administration is expected to understand the policies and procedures mentioned in the security policy. He should be able to assess the risks of non compliance. His duties would include deciding on access rules to data and other IT resources.
- There will be a separate set of people who will issue user IDs and passwords and manage them. Monitoring the security architecture constantly, with a view to ensuring that there are no weak points which can be exploited, is the duty of the security administrator. The security administrator should not have any access to transaction level data.



- System Administration: This particular job is more sensitive. The Systems Administrator has the powers to create, modify and delete users accessing the system. The individual has to be technically competent. He is also expected to have a proven record of integrity. His duties would briefly include the following:
  - User creation
  - User deletion
  - Allotting a branch code and providing connectivity to the branch
  - Creation of new products
  - Defining interest rates for deposits, loans and other products
  - Being responsible for processing of end of day operations and beginning of day operations
  - Being responsible for introducing the latest version of the application program



- Data base administration: As the very name indicates, the Data Base Administrator is the custodian of the bank's data. He is responsible for ensuring that access is given to the Central Data Base in a secure manner, in line with business requirements. His responsibilities would include:
  - Ensuring data integrity
  - Ensuring data availability
  - Ensuring security of access to data
  - Importantly, ensuring recoverability of data in case of system failure
  - Maintaining the size and volume of the database and the corresponding processes

- Network Administration: Networking, generally and more specifically in a core banking environment, plays a very significant role. The Network Administrator has the following important responsibilities:
  - To place routers, switches and hubs at the appropriate places and ensure a secure network configuration.
  - Sensitive devices like firewalls and intrusion detection systems/ IPS need to be strategically placed to ensure security for the network.
  - At periodical intervals, to arrange for vulnerability assessment and penetration tests and to take corrective action whenever these tests throw up weak points.

- Librarian: Normally we understand that the Librarian is in charge of maintaining the Library, issuing books and receiving them back. In a computerised environment, the Librarian has similar functions, except that instead of dealing with books he will be dealing with software. As we are aware, the software which is being developed and tested would be cleared as a complete product ready for use by the Project Leader. Such a program then moves from the test environment into the production environment. But there is an intermediary process by which the Project Leader hands over the finished product to the Librarian. The Librarian maintains records of the various versions of the program, just as we have different editions of a book, where a later edition is generally expected to be an improvement over the earlier one. Similarly, software may have different versions, and it is extremely important to keep track of them; the identifying number is referred to as the version number. The Librarian has the following responsibilities:
  - Moving the correct version of the software into the production environment.
  - Maintaining detailed documentation of all receipts and issues of software.
  - Keeping a record of all licenses obtained for the usage of software.
  - Being in charge of the user manual and system manual.

None of these groups of administrators should have access to the database having transaction data. Implementation of maker checker concept will ensure proper segregation of duties.

Change Management Procedures
In the normal course, due to any change in the business process or upgradation of technology, or due to program bugs discovered subsequent to implementation, changes are warranted in hardware, software and communication systems. There needs to be a well documented procedure in place and strict adherence to such procedure. Changes to hardware and communication systems need to be entered in a register, apart from a softcopy of the register being available on the system. The latest copy of the network program should always be available. These documents should always be maintained up to date, incorporating all the changes and the dates when such changes were incorporated.

Application Software
There needs to be a control on the various versions of software. At the stage of initial implementation of the software (the first time the software which has been debugged thoroughly is moved from the test environment to the production environment), a specific version number should be provided, e.g. CBS Version No: 1.1. There needs to be a document which contains details regarding the Version No. and date of implementation. Thereafter, for all subsequent changes, there needs to be a strict procedure to be adhered to. The procedures would be as follows:
- There should be a specific request from an authorised person like the Manager of the user department. The request should be approved by the person in charge of the Systems Department.
- Changes to programs should necessarily be made in the test environment.
- After thoroughly debugging the program, the corrected program would be handed over to the Librarian.
- The Librarian would then give the next Version No. for the changed program, e.g. Version No: 1.2 (as compared to the previous Version No: 1.1).
- The documentation would contain details of the changes made and the date when they were made.

Strict adherence to the procedures and technologies
These procedures would ensure that the corrected latest version of the program alone is used. If such a procedure is not strictly adhered to, there is every possibility of an earlier version of the program being used, which would result in inaccurate processing.
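The Librarian's version register for the procedure above, as an added illustration that is not code from this material or from any CBS product; the major.minor numbering (1.1 to 1.2), the role names, dates and branch codes are assumed sample values:

```python
"""Software librarian's version register for application program changes.

Added illustration of the change-management procedure described above; it
is not code from the training material. The major.minor numbering (1.1 ->
1.2), the role names, the dates and the branch codes are assumed sample
values.
"""
from dataclasses import dataclass


@dataclass
class ChangeRecord:
    version: str
    description: str
    requested_by: str
    approved_by: str
    implemented_on: str  # ISO date as text, e.g. "2009-02-01"


class VersionRegister:
    """Documented history of versions, and which one runs in production."""

    def __init__(self, initial_version, implemented_on):
        self.records = [ChangeRecord(initial_version, "initial implementation",
                                     "-", "-", implemented_on)]
        self.production = initial_version

    def next_version(self):
        """The minor number increments on every change the Librarian receives."""
        major, minor = self.records[-1].version.split(".")
        return f"{major}.{int(minor) + 1}"

    @staticmethod
    def request_ok(requested_by, approved_by, tested):
        """A change needs a requester, a different approver, and testing."""
        return bool(requested_by) and requested_by != approved_by and tested

    def receive(self, description, requested_by, approved_by, tested, on):
        """Librarian receives a debugged program from the Project Leader."""
        if not self.request_ok(requested_by, approved_by, tested):
            raise ValueError("change not properly requested, approved and tested")
        rec = ChangeRecord(self.next_version(), description,
                           requested_by, approved_by, on)
        self.records.append(rec)
        return rec.version

    def move_to_production(self, version):
        """Only the latest registered version may be moved into production."""
        if version != self.records[-1].version:
            return False
        self.production = version
        return True

    def stale_branches(self, running_versions):
        """Branches reporting any version other than the production version."""
        return {b: v for b, v in running_versions.items()
                if v != self.production}
```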

Organization Structure of the IT Department
The standard for the organization structure of the IT Department is the same whether it is a banking environment or any other. The standards stipulate as follows:
- The production environment should be different from the development environment.
- In the development environment all aspects of the program, viz., functionality, built in controls, etc., will be tested by both the users and the programmers. The programmers would test it first, and then it would be provided to the user department for them to test it. This version is called the 'beta version'. Various types of tests like unit test, system test and integration test are conducted at this stage.
- After it has been tested by the users also (this is also known as user acceptance test (UAT)), the Project Leader would hand over the software copy to the Librarian, who, after completing the necessary documentation, transfers the program into the production environment.
- No one in the development and testing environments should have access to the production system.
- The production system is in a live environment and is accessible only by authorized users.
- Under no circumstances should there be any connectivity between a test server and a production server.

As already discussed, there are certain incompatible functions which under no circumstances should be performed by the same individual. The Matrix provided below highlights the functions which are incompatible and those which are not.

[Matrix of incompatible functions: the rows and columns are Help Desk, Database Admin., Network Admin., Security Admin. and Tape Librarian; an X marks a pair of functions that must not be performed by the same individual. Only the role names are legible in this copy.]

1.6 Operations of CBS Branch
A branch in a Core Banking Solution environment is very different from a branch in a total branch automation system, as explained in detail earlier. Branches in a Core Banking Solution do not have independent operations, in the sense that a copy of the application software or a copy of the data base of the customers is not separately available in the branch. Branches are connected to the central data centre, wherein there are separate servers housing the application software, the data base as also the antivirus software. Users at the branch have to be created by the System Administrator at the central data centre after due authorisation by the Branch Manager. Even a Branch Manager will not be able to create his own user access rights, as everything is centralised. At the Branch, all operations that normally take place in a banking environment do take place; however, all master data are parameterised at the central office, e.g., FD rates for various time periods, penalty, interest payable for premature closure, rates for different loans, interest rates applicable for staff members for loans and deposits, rates applicable to senior citizens, etc., are decided centrally and parameterised at the central office. There is no possibility of any changes being made at the Branch, as they have no rights to do so. Certain account level parameters, like preferential rates, addresses, etc., can be controlled at the branch level. The various staff members operating at the branch are given access rights by the Central Office creating a User ID and also providing an initial password, which will necessarily have to be changed by the individual employee soon after the initial log in. There would be a register maintained at the branches, wherein each of the individuals would have acknowledged their user ID; the recommended format for the register would be as follows:
1. Name of the Employee
2. User ID
3. When created
4. When deactivated
5. Signature of the employee

Maintenance of this register is of utmost importance, as it acts as evidence that the respective employees have acknowledged their user IDs. All the transactions performed from the time the account was created to the time it was deactivated are attributable to the employee. Since accountability is thus established, employees would be extremely careful not to disclose their password or share it with others. The minimum level of controls which needs to be in operation would include the following:

• A branch should have an extract of the bank’s security policy as applicable to it.
• There should be some evidence of having created awareness amongst the employees regarding the existence of the security policy of the bank.
• There should be a well written procedure in place to record and document all incidents of security lapses.
• There should be regular procedures to create basic IT security awareness amongst employees.

Access Control Procedures

• The system should prompt for change of password during the first log-in.
• There should be a maximum number (usually 3) of failed log-in attempts. The rationale for this requirement is to prevent multiple guesses being made by an unauthorised user.
• There should be a procedure for reviving such accounts which have been deactivated.
• All USB ports and CD-ROM drives should be disabled. This is necessary both to prevent unauthorised data or software being loaded and to prevent any leakage of data and information. If this control is not strictly adhered to, the possibility of a virus being introduced into the system is very high and there is a chance of data loss or leakage to an unauthorised user.

Server related procedures

Generally there should be no servers at the branch. However, in some instances a local server is installed to get over slow connectivity problems. Under such circumstances, the local server serves as temporary storage. The discipline connected with the local server is as important as for any server, and there should be a specially designated branch system administrator with a specific password to access the server. A copy of the password should be kept in a sealed cover under the control of the Branch Manager, so as to enable him to use it should the system administrator of the branch not be available on any day.

Physical and environmental controls

Moisture and temperature in the room where the server is located should be under control. There should be no inflammable material stored in the server room. In some instances it is not uncommon to find bundles of paper and thermocol boxes stored in the server room; these need to be removed immediately. There should be a fire extinguisher in the room, which should always be in an active condition with the gas refilled at regular intervals, or there should be some other mechanised process for extinguishing fire.

Network related procedures

Network devices like routers, switches and hubs should be secured. Unused routers, switches and hubs should be protected; if not, they could be misused, leading not only to unauthorised handling of the system but also to leakage of important data. All network cables should also be protected properly. There are instances when these cables run outside the building without being properly encased. Unprotected cables have the potential for being hacked.

ATMs attached to the Branches

• ATM cards awaiting hand-over to the customers should be secured under lock and key.
• There should be regular reconciliation procedures for the stock of ATM cards.
• There should be procedures to update the core banking solution with details of cards issued to the customers. This would prevent the possibility of usage of a card before it is issued to the customer.
• Frauds do occur when ATM cards and PIN mailers are not kept separately and securely. The ATM cards should be with one officer and the PIN mailers with another officer. Under no circumstances should the ATM cards and PIN mailers be kept together. When they are kept together, any employee can pick up an ATM card and a PIN mailer with the same address and try using them fraudulently at the ATM. Such occurrences of fraud have been reported several times.
• When ATMs are attached to the branch, there should be procedures for loading cash and for recording and reconciling cash. The master key of the ATM should be under dual control. The ATM journal rolls should be stored safely in the branch, as they form an important document for reconciliation purposes and for detecting any unauthorised use or transaction.
• There should be strict procedures for dealing with swallowed cards.
• There should be clear procedures for dealing with cash which is in the reject bin.

Business Continuity Planning and Disaster Recovery Planning

• There should be a document detailing the Disaster Recovery procedures as well as Business Continuity Planning.
• There should be evidence of having created awareness amongst the employees of the action to be taken under the DRP and BCP.
• There should be evidence of periodic drills having taken place. This would act as a proactive control.
• There should be clear documentation, and alternate connectivity should be established by the bank with the data centre in case there is a breakdown in the primary connectivity.

1.7 Security and Controls at the Data Centre and Branches

Branch

Branches are not generally in a position to generate new reports locally. Only those already provided in the application would be generated at the data centre. In some core banking environments there is a server at the data centre normally referred to as the “Report Generating Server”. The CBS application generates these reports and stores them in the report generation server. The branches have access to the report generation server and would be in a position to download the required reports. There is also a practice of a folder being created for each branch in the report generation server. Evaluation of security controls is, as already mentioned, very different from that in a total branch automation (TBA) environment. All the reports that may be required for audit are available in the branch for ‘view’ and print only. Given below is a brief check list for evaluation of security and controls of a branch in the CBS environment. The various aspects which would be covered are as follows:

1. Information Security Policy
2. Access Control Procedures
3. Procedures connected with branch servers
4. Physical and environmental control for the servers
5. Network & Communication control
6. Limited verification of applications
7. Operations connected with ATM/ Internet Banking
8. Business Continuity Plan
9. Change control procedures
10. Others

In the core banking scenario, auditors may be given specific access through which they can download the data as per their requirements and export it to an Excel sheet for further analysis. In certain banks, various other analytical reports are available from a data warehouse system which takes the data dump from the core banking solution and generates various intelligent reports as per requirements.

Information Security Policy

• Does the Bank have a Security Policy? Is a copy available at the Branch? If the whole copy is not available, are at least those parts relating to the Branch Operations available? Are any job-cards available?
• Are the employees aware of the existence of the security policy, its contents and the expectation of the management regarding their compliance?
• Is there any record maintained of security lapses? Are security incidents reported?
• Are there guidelines available at the branch for reporting and handling such security incidents?

Access Control Procedures

Password Management:

• Is there a procedure built into the system by which change of password is enforced before the password lapses?
• Does the system ensure that during the first log-in the password is changed?
• The original password given is known to the system administrator, as he has allotted it. Hence it is absolutely essential that at the first log-in using the default password the process of creating a fresh password is completed. If this process is not in place, the sanctity of having a password is lost.
• Verify the procedure adopted for communicating the user ID to new employees. This is generally done by e-mail. But it is necessary to have a hard copy and to obtain the signature of the employee on the same.
• Is there a procedure in place to ensure that the account gets locked if a wrong password is used, say, three times? This is to ensure that an unauthorised person cannot keep guessing the password.
• Verify the procedure in place to revive locked accounts. Locked accounts should be capable of being unlocked only by the system administrator at the data centre, or a centralised process should be available for the same user to unlock the account after authenticating himself via a previously set question and answer.

User ID Register

There should be a user ID register (a hard copy) which contains details of when the user ID was given and when it was disabled. This information should be signed by the employee. Obtaining the employee’s signature alone establishes accountability and also the time period for which he has been using the user ID. Unless such conclusive evidence is established, foolproof evidence of accountability in a case of fraud or any other unauthorised activity would be difficult to produce.

Session Activity

Is there a procedure to ensure that a session does not stay open after a certain period of time? Generally the session will not be allowed to be idle for more than ten minutes. This is to ensure that unauthorised usage cannot be made of a session that is left open. Users are expected to log off if they are going to be away from their seats for more than a reasonable length of time.
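The password-management, account lock-out and session-activity checks listed above (and the corresponding access-control controls in section 1.6) can be seen working together in the following added example. It is not code from the ICAI material or from any CBS vendor; it models the branch user life cycle: the data-centre administrator creates the user with an initial password, the first log-in is forced to change it, the third wrong password locks the account, only the administrator can revive it, and a session idle for more than ten minutes is closed. The user IDs, passwords and clock values are constructed for the demonstration, and the class and method names are the example's own.

```python
"""Access-control checks for branch users in a CBS environment (added example).
Assumptions: salted PBKDF2-SHA256 verifiers stand in for whatever the real CBS
application stores; the clock is passed in as seconds so the idle time-out can
be exercised without waiting."""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

MAX_FAILED_ATTEMPTS = 3          # the third wrong password locks the account
IDLE_TIMEOUT_SECONDS = 10 * 60   # a session must not stay idle beyond ten minutes


def _verifier(password: str, salt: bytes) -> bytes:
    # Store a salted PBKDF2 hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class UserAccount:
    user_id: str
    salt: bytes
    verifier: bytes
    must_change_password: bool = True      # initial password was allotted by the administrator
    failed_attempts: int = 0
    locked: bool = False
    last_activity: Optional[float] = None  # None means no open session

    def password_matches(self, password: str) -> bool:
        return hmac.compare_digest(self.verifier, _verifier(password, self.salt))


class BranchAccessControl:
    def __init__(self) -> None:
        self.accounts: Dict[str, UserAccount] = {}

    def create_user(self, user_id: str, initial_password: str) -> None:
        """Done by the data-centre system administrator after Branch Manager authorisation."""
        salt = os.urandom(16)
        self.accounts[user_id] = UserAccount(user_id, salt, _verifier(initial_password, salt))

    def login(self, user_id: str, password: str, now: float) -> str:
        acct = self.accounts.get(user_id)
        if acct is None:
            return "unknown user"
        if acct.locked:
            return "locked"                     # no further guesses once locked
        if not acct.password_matches(password):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "wrong password"
        acct.failed_attempts = 0
        acct.last_activity = now
        if acct.must_change_password:
            return "password change required"   # the default password is known to the administrator
        return "ok"

    def change_password(self, user_id: str, old: str, new: str) -> bool:
        acct = self.accounts[user_id]
        if acct.locked or not acct.password_matches(old) or new == old:
            return False
        acct.salt = os.urandom(16)
        acct.verifier = _verifier(new, acct.salt)
        acct.must_change_password = False
        return True

    def activity(self, user_id: str, now: float) -> str:
        """Called on every user action; closes the session if it has been idle too long."""
        acct = self.accounts[user_id]
        if acct.last_activity is None:
            return "no session"
        if now - acct.last_activity > IDLE_TIMEOUT_SECONDS:
            acct.last_activity = None
            return "session expired"
        acct.last_activity = now
        return "active"

    def admin_unlock(self, user_id: str) -> None:
        """Revival of a locked account is reserved to the data-centre administrator."""
        acct = self.accounts[user_id]
        acct.locked = False
        acct.failed_attempts = 0


if __name__ == "__main__":
    ac = BranchAccessControl()
    ac.create_user("teller07", "Initial#1")                 # constructed user and password
    print(ac.login("teller07", "Initial#1", now=0.0))       # password change required
    print(ac.change_password("teller07", "Initial#1", "Br@nch-2009"))
    for guess in ("a", "b", "c"):
        print(ac.login("teller07", guess, now=10.0))        # wrong, wrong, locked
```

The `login` method returns a status string rather than raising, so a caller can log each outcome against the user ID and node exactly as the application-log checklist later in this chapter requires; the three-attempt limit and the ten-minute idle limit are the figures the text gives, kept as named constants so an auditor can compare them with the bank's policy.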

Disabling the drives

All external drives like floppy drives, CD-ROM drives or USB ports should be disabled in all the systems at the branch. If this procedure is not followed, it is possible both to insert and to leak unauthorised information. More importantly, a virus may also be introduced.

Server related procedures

In a core banking solution, as already mentioned, all servers are hosted only at the central data centre. However, in some cases, for the purpose of operational efficiency, a bank may decide to have a server installed at the branch. It should be ensured that the contents of the server are verified. At the most, it would be acting as an intermediary server to solve connectivity problems. It is not uncommon to find that when traffic is high, bandwidth seems insufficient and processing slows down. Some banks have a server at the branch for this purpose. In some other cases, at the beginning of the day the opening balances of the branch are loaded, so that if connectivity with the data centre is lost, the branch will be able to continue with operations till such time as connectivity is re-established. It should be verified whether there is a specifically designated systems administrator for the server at the branch. His password should be available in a sealed envelope which can be used by the Branch Manager in his absence.

Physical and environmental controls

• Ensure that there is some automated system installed to monitor humidity and temperature in the server room.
• Are there procedures in place to restrict entry to the server room to authorised persons only? Is multi-factor authentication in place?
• Is there a register maintained in which the name of the person, his signature and the time of entry to the server room are entered?

Network

• Verify whether all network cables are protected adequately. In some instances, the network cables may be running on the external walls of the building. In such circumstances the potential for intrusion is very high and communication passing through those cables is insecure.
• Verify that there are no unused ports in routers, hubs and switches.
• Unused ports should not be available or, if available, should be adequately protected. If they are not adequately protected, an unauthorised node could be connected.

Application level verification

• The application needs to be tested to verify whether it permits back-dated entries.
• Does the system have a built-in control which ensures that significant parameters like interest on deposits and interest on loans are range bound?
• Testing this aspect would ensure that unreasonable parameterisation, whether by mistake or intentional, does not get introduced.
• Verify whether application logs are generated. These need to be comprehensive enough to provide the user ID for each of the transactions. They should also provide enough information to identify the node/machine from which each transaction was generated.
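The three application-level checks above (back-dated entries, range-bound parameters, and logs that carry user ID and node for every transaction) can be run mechanically over a log extract. The following is an added example, not code from the ICAI material or from any CBS product: the pipe-separated record layout, the parameter names with their acceptable ranges, and the six log lines are all constructed for the demonstration. A real extract would need its own parser, but the checks themselves carry over.

```python
"""Checks an auditor can run over a CBS application log extract (added example):
every transaction must carry a user ID and a node, no transaction may be
back-dated, and rate parameters must stay within an agreed range.
The record layout, parameter ranges and sample lines are constructed."""
from datetime import date
from typing import Dict, List, Tuple

# Constructed acceptable ranges (% per annum) for rate parameters.
PARAMETER_RANGES: Dict[str, Tuple[float, float]] = {
    "FD_RATE_1Y": (0.0, 15.0),
    "LOAN_RATE_HOUSING": (5.0, 20.0),
}

# Constructed sample extract: timestamp|record id|key=value fields.
SAMPLE_LOG = """\
2009-01-12 10:15:02|TXN000123|user=teller07|node=BR042-WS03|type=DEPOSIT|value_date=2009-01-12|amount=5000
2009-01-12 10:16:40|TXN000124|user=teller07|node=BR042-WS03|type=WITHDRAWAL|value_date=2009-01-05|amount=12000
2009-01-12 10:17:05|TXN000125|user=|node=BR042-WS03|type=DEPOSIT|value_date=2009-01-12|amount=700
2009-01-12 10:18:11|PRM000009|user=dcadmin2|node=DC01-APP01|type=PARAM|name=FD_RATE_1Y|value=25.0
2009-01-12 10:19:30|TXN000126|user=teller03|node=|type=DEPOSIT|value_date=2009-01-12|amount=300
2009-01-12 10:20:01|PRM000010|user=dcadmin2|node=DC01-APP01|type=PARAM|name=FD_RATE_1Y|value=8.5
"""


def parse_record(line: str) -> Dict[str, str]:
    """Split one log line into a dict; the first two fields are positional."""
    timestamp, record_id, *fields = line.split("|")
    record = {"timestamp": timestamp, "id": record_id}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def check_record(record: Dict[str, str]) -> List[str]:
    """Return one finding per control the record fails."""
    findings: List[str] = []
    rid = record["id"]
    if not record.get("user"):
        findings.append(f"{rid}: no user ID recorded")
    if not record.get("node"):
        findings.append(f"{rid}: no node/machine recorded")
    posting_date = date.fromisoformat(record["timestamp"][:10])
    if record.get("type") in ("DEPOSIT", "WITHDRAWAL"):
        value_date = date.fromisoformat(record["value_date"])
        if value_date < posting_date:
            findings.append(f"{rid}: back-dated entry (value date {value_date} before posting date {posting_date})")
    elif record.get("type") == "PARAM":
        name, value = record["name"], float(record["value"])
        low, high = PARAMETER_RANGES.get(name, (float("-inf"), float("inf")))
        if not low <= value <= high:
            findings.append(f"{rid}: parameter {name}={value} outside range {low}-{high}")
    return findings


def audit_log(text: str) -> List[str]:
    """Run the checks over every non-empty line of an extract."""
    findings: List[str] = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(check_record(parse_record(line)))
    return findings


if __name__ == "__main__":
    for finding in audit_log(SAMPLE_LOG):
        print(finding)
```

On the sample extract the checks report four findings: a withdrawal whose value date precedes its posting date, a deposit with no user ID, a deposit with no node, and an FD rate parameter of 25.0 set outside its 0 to 15 range. The parameter check mirrors the range-bound control the text asks for; a parameter the table does not know is deliberately allowed through, so the table of ranges has to be complete for the check to be meaningful.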


Process regarding ATM Operations attached to the Branch

• Are the procedures for storing the ATM cards secure?
• Are there procedures in place to reconcile the physical stock of ATM cards? E.g., a register should be maintained of cards received, cards issued to customers, cards returned by customers and the balance on hand.
• Does the branch receive PIN mailers? Generally the mailers should be sent by secure methods like reputed couriers directly to the customer. Should the PIN mailer and the ATM card both be received at the branch and retained, their security is a matter of concern. The possibility of matching the PIN mailer with the corresponding card by looking at the address could lead to unauthorised and fraudulent transactions.
• Are there procedures in place to ensure that the PIN mailers and cards are under the safe custody of two different officers?
• Procedures for returned PIN mailers and cards are to be verified invariably.
• Are there procedures in place for updating the main core banking system with the details of the cards issued to the customers?
• It is necessary that this procedure always be kept up to date, as otherwise there is a possibility of a customer being denied ATM access because the details of his card are not available in the main database.

Operations of ATMs that are attached to the branch itself

• Verify whether there are procedures for cash loading, recording of cash transactions and a final reconciliation of the balance.
• Verify whether the ATM master key is under dual control. This is extremely important, as the encryption process depends upon the security procedure adopted. The encryption key is divided into two parts and each of the officers would be able to load only one half. Hence, if the dual control is effective, no one person will know the encryption key.
• Verify the procedures for storing the ATM journals. The ATM journals play a very significant role in reconciling the transactions which have taken place at the ATM.
• Verify the procedures which are in place for dealing with swallowed cards. Swallowed cards should be kept in safe custody and, after proper scrutiny, returned to the established owners of the cards or sent safely to the central office.
• Verify the procedures for reconciling the cash in the reject bin.


CHAPTER 2

CBS INTERFACES-THEIR FUNCTIONALITY AND CONTROLS

LEARNING OBJECTIVES

• Automated Teller Machine (ATM)
• Internet Banking / e-banking
• Real Time Gross Settlement (RTGS)
• Cash Management System (CMS)

2.1 Automated Teller Machine

An Automated Teller Machine (ATM) is a computerised telecommunication device. Usage of this facility dispenses with the need for a bank teller. This facility enables a customer to perform financial transactions in a public place. ATMs may be installed within the branches, away from the branches and at shopping malls also. The ATM facility provided by one bank may be utilised by ATM card holders of other banks also, where the banks have entered into an agreement to share such facility.

ATM Card

The ATM card has a magnetic strip. The card contains a unique number and some other security information, apart from the date of expiry of the card. The ATM card is issued only to existing customers of the bank. The customer has to fill up an application form and submit the filled-in form to the branch to which he belongs. The concerned Branch Manager recommends and authorises the issue of an ATM card by forwarding the application to the Central Office, which deals with the issue of ATM cards. In view of the severe competition, now almost all the banks provide their customers, soon after they open an account, with the facility to perform internet banking and possess an ATM card.

Procedure for issuing ATM Cards

At the Central Office there is a specifically designated computer system which has specific software. The application form received from the customer is the input for the process, and the output consists of a file containing data for the preparation of an ATM card. The software checks whether the customer details provided in the application tally with the data contained in the Central Database of the Core Banking Solution. Only after the details tally is the output file generated. The Personal Identification Number (PIN) is generated by the software and directly sent to equipment for printing the PIN mailer. It is to be noted that the PIN generated is not stored in the memory of any machine.

As a concurrent process, a natural PIN is generated and stored in the database of the ATM switch. The ATM switch should not be confused with normal network switches. The ATM switch is a computer with a server attached to it. The database resides on the server.

Natural PIN

There are different methods of generating a natural PIN. The natural PIN is a number. One of the methods adopted is to encrypt the card number. After encryption, the encrypted value of the card number is obtained. This encrypted value is decimalised, which in turn produces a number with several digits. The first four digits of this number are called the natural PIN. As mentioned in the earlier paragraphs, the PIN is generated even while preparing the file for preparation of ATM cards. The value of the natural PIN (the first four digits of the above mentioned number) is deducted from the PIN value, which gives the offset value: PIN No. (-) Natural PIN (=) offset value. It will thus be observed that every time the value of the natural PIN is added to the offset value, the PIN of the customer is regenerated. It is important to note that the PIN of the ATM customer is not stored in any ATM machine or ATM switch. Only the offset value is stored, and only the customer knows the PIN. The PIN is communicated to the customer by delivery of a cover which contains the PIN mailer. As we all know, neither the PIN mailer nor the ATM card is sent through ordinary mail but only through trusted couriers. It is a good practice to send the ATM cards to the concerned branches and the PIN mailer by courier to the customer directly.

ATM Operations

The ATM generally performs the following functions:

(a) Cash Withdrawal
(b) Balance Inquiry
(c) Registering requests for cheque book
(d) Changing of PIN number

A sample of the ATM network would be as shown in the fig 2.1.1 below:


Fig. 2.1.1. ATM Network Structure

All the ATMs of a particular bank are connected to an ATM switch of the bank, and the ATM switch in turn is connected to the server of the bank by means of an internet connection. The ATM switch is not like other switches; it is a server. There is an operating system residing in the server. ATMs may also be connected to the switch by means of a leased line or dial-up line. A single database of all the customers of the bank resides in the Central Database at the Data Centre of the Bank. The database itself resides in the database server at the Data Centre.

Functioning of the ATM:

• The customer swipes his ATM card and the information provided in the magnetic strip is read by the machine.
• The customer has to key in his Personal Identification Number (PIN), which he has received by means of the PIN mailer sent by the bank.
• The PIN entered is immediately encrypted by a machine called the PIN machine. Sometimes this process is also achieved by means of software which resides in the ATM server. The encryption may be done by means of hardware or software. When it is done by hardware, there is a hardware security model (HSM); if it is done by software, there is a software security model (SSM). The HSM or SSM encrypts the PIN entered by the customer by means of an encryption algorithm. The key for this algorithm is loaded into the machine by the officers of the bank. As it is necessary to ensure security, the loading process is done under dual control by two officers, each loading one half.
• When the account number and PIN provided by the customer tally with the data available in the database of the switch and the PIN generated by the PIN machine, the customer is authenticated; it means that the customer has been recognised as a genuine customer of the Bank.
• It will be observed that loss of the ATM card alone is not as much a matter of concern as losing both the ATM card and the PIN information.
• Once the customer is authenticated, the process requested by the customer is initiated, e.g., the customer has asked for cash withdrawal. This request for withdrawal of cash is passed on to the database of the bank, which is available in the database server at the central data centre. At this juncture, the system verifies whether the customer has adequate balance to enable him to withdraw the cash required. Once it is ascertained that adequate balance is available, the ATM switch, which receives the information, authorises dispensation of the cash required at the ATM machine.
• The activity of cash dispensing is facilitated by the ATM switch. The cash is then picked up by the customer.
• After the cash has been dispensed and the customer has picked up the cash, the ATM switch communicates with the Central Database server so that the cash withdrawal is recorded and the balance is accordingly reduced.

At the ATM: a cash journal and the ATM log are generated, recording the process which has taken place. There are also electronic journals which are generated at the ATM. When ATMs are located in remote places, the information in the electronic journal can be retrieved by a process called Electronic Journal Pulling.

• As we all know, there are arrangements between banks by which the ATM card of one bank can be processed at the ATM kiosk of another bank. This is possible among banks which have entered into an agreement to this effect. The process that follows when the ATM card of a different bank is swiped at the ATM kiosk is slightly different. As the ATM card of another bank is swiped, the information regarding the bank and the customer number is available to the ATM. The information so obtained is directed to the ATM switch of the other bank. The process thereafter is similar to the process discussed in the above paragraphs.
• It is possible that a customer did not or could not collect the cash dispensed by the cash dispenser. In such a case, the cash dispensed would be collected in a secure tray for rejected cash. Also, the fact that cash was not collected would be reported by the ATM to the switch. The switch in turn would request the host computer for reversal of the entry. This would result in the original debit entry passed at the central database being reversed, so that the customer is not debited with an amount he did not or could not collect.
• The switch and the host computer log all the events, thus facilitating reconciliation of cash and entries.

In view of the facility of usage of the ATM card of one bank at another bank’s ATM kiosk, there are certain other factors of importance. The cash is dispensed by one bank on behalf of another bank. As this operation takes place in all the banks, there is a process of reconciling these cash transactions, so that the respective banks are reimbursed with the net amount due to them.

Verification of the PIN

The customer enters his PIN and there is a process which takes place before the PIN is accepted as authentic by the machine. The various steps are as follows:

1. The customer inserts the card and thereafter types the PIN.
2. The encrypted PIN is sent to the ATM switch.
3. The details of the ATM cards issued are already in the database, and when the ATM card is inserted the machine verifies whether the card number is in the database and satisfies itself of its existence.
4. From the card number the natural PIN is generated. As already discussed, the natural PIN is generated by decimalising the encrypted value of the card number and considering only the first four digits, which represent the natural PIN.
5. The difference between the actual PIN and the natural PIN is stored in the ATM switch as an initial step. Subsequently, whenever the customer inserts his ATM card and keys his PIN into the machine, the correctness of the PIN is verified by the system by adopting the process described below:
   (a) The system has stored the offset value (the offset value is the difference between the actual PIN and the natural PIN).
   (b) When the card is inserted, the card number is encrypted by the HSM or the SSM. The encrypted value is decimalised and the natural PIN is obtained (which is the first four digits of the value obtained by encrypting the card number and decimalising the same).
6. The value of the natural PIN so obtained is added to the offset value already available in the system. At this stage, the relevant PIN is generated within the system.
7. The PIN generated as described above is compared with the PIN typed by the customer; if they tally, the customer is authenticated.

Knowing the PIN alone will not enable a person to access the ATM facility. It is the combined effect of the ATM card and the PIN which permits access to the ATM.

Change of PIN

Just as there is a facility for a user of a computer to change his password, it is admissible and possible for an ATM card user also to change his PIN. This may be done for security reasons. The process of changing the PIN is as follows: on the key pad at the ATM there is a key ‘Change No.’; when this key is pressed the ATM will ask for the old PIN. The customer is to key in his old PIN and only then key in the new PIN he proposes to have. By making use of the process of generating the natural PIN from the card number and adding the stored offset value to it, the ATM will be able to arrive at the old PIN and satisfy itself that the person who wants to change his PIN is an existing customer who has been given the ATM facility. After thus satisfying itself, the machine permits the customer to enter his new PIN. As the natural PIN is already available, the new offset value is computed and stored. The old offset value is erased. For all future operations, making use of the natural PIN and the offset value available, the system generates a new PIN with which it is able to compare the PIN keyed in by the customer. It is important to note that nowhere in the system is the PIN stored. There is only a process of computing the PIN corresponding to the ATM card inserted.
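The natural-PIN and offset scheme runs through the "Natural PIN" paragraph, the seven verification steps and the PIN-change procedure above. The following added example (not code from the ICAI material, and not the implementation of any real HSM or ATM switch) carries all three through in one place: it derives the natural PIN from the card number, stores only the offset, verifies an entered PIN by regeneration, and computes a fresh offset on PIN change. Two points go beyond the text and are assumptions: an HMAC-SHA256 under a constructed "PIN verification key" stands in for the block cipher an HSM would use to encrypt the card number, and the PIN and natural PIN are combined digit by digit modulo 10 (the usual convention for such offsets; the text simply says the natural PIN is "deducted"). The card numbers and PINs are constructed.

```python
"""Natural PIN / offset method from the text (added example).
Assumptions: HMAC-SHA256 stands in for the HSM's block cipher; digits are
combined modulo 10; card numbers, PINs and the key are constructed."""
import hashlib
import hmac
from typing import Dict

# Decimalisation table: hex digits 0-9 map to themselves, A-F to 0-5.
DECIMALISATION = {**{d: d for d in "0123456789"}, **dict(zip("ABCDEF", "012345"))}
PIN_LENGTH = 4


def natural_pin(card_number: str, verification_key: bytes) -> str:
    """Encrypt the card number, decimalise the result and keep the first four digits."""
    encrypted_hex = hmac.new(verification_key, card_number.encode(), hashlib.sha256).hexdigest().upper()
    decimalised = "".join(DECIMALISATION[c] for c in encrypted_hex)
    return decimalised[:PIN_LENGTH]


def _combine_digits(a: str, b: str, sign: int) -> str:
    # digit-wise (a +/- b) mod 10, so the result is always four decimal digits
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))


def compute_offset(pin: str, nat: str) -> str:
    """offset = PIN (-) natural PIN, digit by digit."""
    return _combine_digits(pin, nat, -1)


def regenerate_pin(nat: str, offset: str) -> str:
    """PIN = natural PIN (+) offset; what the switch recomputes on every use."""
    return _combine_digits(nat, offset, +1)


class AtmSwitch:
    """Holds card numbers and their offsets only; the PIN itself is never stored."""

    def __init__(self, verification_key: bytes) -> None:
        self._key = verification_key          # in a real deployment this lives inside the HSM
        self._offsets: Dict[str, str] = {}

    def issue_card(self, card_number: str, pin: str) -> None:
        """Step done at card issue: store PIN (-) natural PIN, discard the PIN."""
        self._offsets[card_number] = compute_offset(pin, natural_pin(card_number, self._key))

    def verify(self, card_number: str, entered_pin: str) -> bool:
        """Steps 3 to 7 of the verification process described in the text."""
        offset = self._offsets.get(card_number)
        if offset is None:
            return False                      # card number not in the database
        expected = regenerate_pin(natural_pin(card_number, self._key), offset)
        return hmac.compare_digest(expected, entered_pin)

    def change_pin(self, card_number: str, old_pin: str, new_pin: str) -> bool:
        """Old PIN must regenerate correctly; then the new offset replaces the old one."""
        if not self.verify(card_number, old_pin):
            return False
        if len(new_pin) != PIN_LENGTH or not new_pin.isdigit():
            return False
        self._offsets[card_number] = compute_offset(new_pin, natural_pin(card_number, self._key))
        return True

    def stored_records(self) -> Dict[str, str]:
        """What an auditor would see in the switch database: offsets, not PINs."""
        return dict(self._offsets)


if __name__ == "__main__":
    key = b"constructed-verification-key"
    switch = AtmSwitch(key)
    switch.issue_card("4000123456789010", "4821")   # constructed card and PIN
    print(switch.verify("4000123456789010", "4821"))  # True
    print(switch.verify("4000123456789010", "4822"))  # False
    print(switch.stored_records())                    # offset only
```

`stored_records` is there so the reader can check the claim in the text directly: after issue and after a PIN change, the database holds a four-digit offset from which the PIN cannot be recovered without also computing the natural PIN under the key, which is exactly why the dual-control loading of that key matters.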

Normal operational problems faced with the ATMs

• Cash may not be sufficient. There may be a sudden overdraw of cash contrary to expectations.
• The journal paper roll might have been exhausted and a refill may not have been placed.
• If the network connection is lost or there is some other operational problem, the ATMs may not function.
• There is a monitoring facility available with the Bank by which information is available as to which ATM has stopped and for what reason.

It is possible that a card holder may by mistake key in a wrong PIN. The ATM machine will not give him the right to access. Generally all ATMs permit only three chances to commit mistakes, and should a fourth attempt be made, the card will be rejected. It is also possible that the card may be stolen. The owner of the card might have instructed the bank to hot list it. Hot listing is similar to countermanding of a cheque. If a card which is hot listed is inserted into an ATM, the machine will swallow the card, thus preventing the usage of the card.

Evaluation of Control of ATM Operations

As already discussed, there are various processes in ATM operations, and it is absolutely essential to evaluate the adequacy of controls in each of these areas. In the paragraphs to follow, the controls which have to be in place in the different operations are discussed. The different heads of operations are:

1. Card and PIN generation
2. Method of dealing with surrendered and captured cards
3. Security of the PIN
4. Control over cash
5. Minimum records to be maintained for transactions
6. Method of dealing with lost and stolen cards
7. ATM switch operations

For evaluating adequacy of controls, one should be aware of what controls need to be in place.

Card and PIN generation

• There should be separate departments and members of staff for card and PIN generation.
• The PIN mailer tape should have the card and account number.
• There should be a reconciliation procedure for the number of PIN mailers and cards produced. This should take into account not only the number of cards and PINs produced but also those spoiled.
• There should be adequate security procedures for
   (a) Access to the building
   (b) Stock of blank cards
   (c) Stock of live cards and PIN mailers
• The PINs on the tape should be in an encrypted state.
• Live cards and PIN mailers should be dispatched separately from different locations, e.g.,
   (a) the ATM card should be dispatched from the Branch and
   (b) the PIN mailer should be dispatched from the Central Office.
• There should be proper records for all delivered cards.
• The returned cards and returned PIN mailers should be with two different officers. This procedure is extremely important to avoid any fraud being committed by a person picking up a card and the corresponding PIN mailer. This could easily be done with reference to the address being the same on both.

Surrendered and Captured Cards

• There should be clear documentation regarding surrendered and captured cards.
• There should be documentation for issuing replacements for cards and PIN numbers.
• There should be procedures for making the captured cards ineffective, either by the card holder or by the bank.
• Instructions should be in place to inform the customer that the PIN mailer should not be returned to the bank.
• There should be a register maintained for all surrendered cards. The captured cards in the bin should be opened in the presence of two officers and details thereof entered in a register duly signed by both of them.
• The journal roll at the ATM would also be recording details of the captured cards. The captured cards should be removed on a regular basis and reconciled with the journal roll.
• The host computer at the data centre should be producing a report on the captured cards.
• There should be clear procedures available for reissue of cards or change of PIN numbers.
• There should be a control procedure by which the ATM swallows the customer’s card after the customer has made three failed attempts to key in the correct PIN number.

Security of the PIN There should be a procedure in place to stop the card operation, when the card holder reports to the bank that his PIN has been compromised. The customer should be advised never to disclose the PIN number to any other third party including the Police. 

There should be procedures in place for generating a new PIN number on a timely basis should the PIN be lost or stolen.



PIN number should be held in data files only in a encrypted from.



PIN offsets also should always be encrypted.


CORE BANKING SOLUTION 

There should be a process in place for either hardware encryption or software encryption (HSM - Hardware Security Model, or SSM - Software Security Model).



There should be procedures in place by which all work and storage areas used for PIN encryption are zeroized after each calculation.



There should be no hard copy of the PINs produced retained anywhere in the system of records.

Control over Cash 

There should be documented procedures for cash control and balancing process.



Data roll should automatically record all insertion and withdrawal of cassettes.



There should be records indicating amount of cash inserted into each cassette.



The bank staff should duly reconcile the following:
(a) Cash inserted
(b) Cash dispensed
(c) Cash remaining
(d) Miffed notes



There should be a procedure to monitor all discrepancies reported.



Responsibility for the reconciliation should rest with a person different from the person responsible for the custody of cash.



There should be a procedure to ensure that wrong denomination notes are not inserted into the cassettes.



The daily balancing process should ensure that:
(a) The currency deposited and dispensed agrees with the ATM cumulative total;
(b) The total of the deposit and withdrawal transactions generated by the ATM is also logged by the host computer and the branch system.
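The cash balancing described above, as an added example in Python that is not part of the training material or any bank's system: it parses a constructed journal-roll extract (the line format is an assumption), totals insertions, dispensals and rejects per cassette, compares the expected remaining notes with the physical count taken by the separate reconciling officer, flags any cassette whose denomination changes between events, and returns the ATM's cumulative dispensed value for agreement with the host and branch figures.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed journal-roll extract (not from the training material). Assumed
# line format: "<time> <event> <cassette> <denomination> <note count>".
SAMPLE_JOURNAL = """\
08:00 CASSETTE_INSERT C1 500 400
08:00 CASSETTE_INSERT C2 100 1000
09:15 DISPENSE C1 500 10
09:15 DISPENSE C2 100 5
10:40 DISPENSE C1 500 20
10:41 REJECT C1 500 1
12:05 DISPENSE C2 100 30
"""

Event = Tuple[str, str, str, int, int]


def parse_journal(text: str) -> List[Event]:
    """Split each journal line into (time, event, cassette, denomination, count)."""
    events: List[Event] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        time, event, cassette, denom, count = line.split()
        events.append((time, event, cassette, int(denom), int(count)))
    return events


def reconcile(events: List[Event],
              counted_remaining: Dict[str, int]) -> Tuple[Dict[str, dict], List[str]]:
    """Per-cassette balancing: expected remaining = inserted - dispensed - rejected,
    compared with the notes physically counted at balancing time. A cassette whose
    denomination changes between journal events is reported as a finding, since
    that is the wrong-denomination loading the controls above guard against."""
    inserted: Dict[str, int] = defaultdict(int)
    dispensed: Dict[str, int] = defaultdict(int)
    rejected: Dict[str, int] = defaultdict(int)
    denom: Dict[str, int] = {}
    findings: List[str] = []
    for time, event, cassette, d, n in events:
        if cassette in denom and denom[cassette] != d:
            findings.append(f"{time}: {cassette} denomination changed from {denom[cassette]} to {d}")
        denom.setdefault(cassette, d)
        if event == "CASSETTE_INSERT":
            inserted[cassette] += n
        elif event == "DISPENSE":
            dispensed[cassette] += n
        elif event == "REJECT":
            rejected[cassette] += n
        else:
            findings.append(f"{time}: unknown journal event {event}")
    summary: Dict[str, dict] = {}
    for c in sorted(inserted):
        expected = inserted[c] - dispensed[c] - rejected[c]
        counted = counted_remaining.get(c)
        summary[c] = {
            "denomination": denom[c],
            "inserted": inserted[c],
            "dispensed": dispensed[c],
            "rejected": rejected[c],
            "expected_remaining": expected,
            "counted": counted,
            "dispensed_value": dispensed[c] * denom[c],
        }
        if counted is None:
            findings.append(f"{c}: no physical count recorded")
        elif counted != expected:
            diff_value = (counted - expected) * denom[c]
            findings.append(f"{c}: counted {counted} notes, journal expects {expected} (difference Rs.{diff_value})")
    return summary, findings


def total_dispensed_value(summary: Dict[str, dict]) -> int:
    """ATM cumulative dispensed total, to be agreed with the host computer's and
    the branch system's figure for the day."""
    return sum(s["dispensed_value"] for s in summary.values())


if __name__ == "__main__":
    # Constructed physical count: C2 is two notes short of the journal.
    summ, issues = reconcile(parse_journal(SAMPLE_JOURNAL), {"C1": 369, "C2": 963})
    for cassette, row in summ.items():
        print(cassette, row)
    print("total dispensed:", total_dispensed_value(summ))
    for issue in issues:
        print("FINDING:", issue)
```

Every discrepancy is returned as a finding rather than silently corrected, so the list can feed the monitoring procedure the text asks for.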

Minimum records to be maintained for transactions 

There should be a journal roll fitted to each ATM. The journal roll records all events at the ATM and hence is of great importance.



Hard copies of the journal should be preserved securely.



There should be a built-in procedure to have a soft copy of the journal.



The soft copy is also called an ‘Electronic Journal’. It should not be possible to modify the soft copy. The soft copy should be stored securely.



Only the authorised key holders should be permitted to make a weekly check of the journal roll machine record. Verification of the record would disclose whether there had been any unauthorised opening of the ATM or any unauthorised removal of cassettes.


CBS INTERFACES-THEIR FUNCTIONALITY AND CONTROLS

Standard methods of dealing with Lost and Stolen Cards 

There should be documented procedures to be followed to deal with stolen /lost cards.



An up-to-date file containing all details of reported lost and stolen cards should be available.



The access to this file should be restricted.



There should be a facility to immediately identify when a stolen or lost card is used.



There should be a trigger to reject the transaction or capture the card.



Even when instructions to stop the usage of an ATM card are given verbally, there should be provision to act on them.



A replacement card should be issued only after a written notification from the card holder that his card has been stolen or lost.



There should be a policy in line with legal provisions relating to the liability for withdrawals made prior to and after notification of a card being stolen or lost.



All reports regarding lost and stolen cards should be retained for a reasonable length of time.

ATM Switch Operations

As already mentioned, the ATM switch consists of a computer with a server attached to it. Details of the ATM card holders are available in the database. The details would include:
(a) Card No. and corresponding offset value (the offset value has already been discussed earlier)
(b) Details of hot-listed cards
(c) Details of surrendered cards and
(d) Account balance of customers. (This account balance is also called the positive balance file - PBF. It is made available at the ATM switch, so that even when the ATM is offline, the customer's balance is available.)
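The checks an ATM switch performs against this database, as an added Python example that is not the material's or any vendor's code. It assumes an IBM 3624-style PIN offset (offset = customer PIN minus a natural PIN derived from the card number under a PIN verification key); HMAC-SHA256 stands in for the HSM-held block cipher, and the card numbers, PINs and balances are constructed. The order of checks follows the control points in this section: hot-listed and surrendered cards are captured, a third consecutive wrong PIN captures the card, and the withdrawal is tested against the parameterised limit and the positive balance file.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict

# Constructed demonstration key (assumption): a real switch keeps the PIN
# verification key inside an HSM and never in application memory like this.
PIN_VERIFICATION_KEY = b"constructed-demo-pvk-not-a-real-key"
MAX_FAILED_ATTEMPTS = 3                              # third failure captures the card
_DECIMALISE = str.maketrans("abcdef", "012345")      # IBM 3624-style decimalisation


def natural_pin(card_no: str) -> str:
    """Derive the 4-digit natural PIN from the card number under the PVK.
    Assumption: HMAC-SHA256 replaces the block cipher an HSM would use."""
    digest = hmac.new(PIN_VERIFICATION_KEY, card_no.encode(), hashlib.sha256).hexdigest()
    return digest.translate(_DECIMALISE)[:4]


def compute_offset(customer_pin: str, card_no: str) -> str:
    """Offset = customer PIN minus natural PIN, digit by digit modulo 10.
    Only the offset is stored on the switch; without the PVK it does not reveal
    the PIN, and the material still requires it to be stored encrypted."""
    if len(customer_pin) != 4 or not customer_pin.isdigit():
        return ""                                    # malformed PIN never matches
    nat = natural_pin(card_no)
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(customer_pin, nat))


@dataclass
class CardRecord:
    offset: str                  # PIN offset (would be encrypted at rest)
    balance: int                 # positive balance file (PBF) entry, in rupees
    hot_listed: bool = False     # reported lost or stolen
    surrendered: bool = False
    failed_attempts: int = 0


@dataclass
class Decision:
    action: str                  # "approve", "reject" or "capture"
    reason: str


def authorise_withdrawal(db: Dict[str, CardRecord], card_no: str, pin_entered: str,
                         amount: int, daily_limit: int = 20000) -> Decision:
    """Switch-side checks: hot list and surrendered list first, then the PIN
    with a failed-attempt counter, then the parameterised limit and the PBF."""
    rec = db.get(card_no)
    if rec is None:
        return Decision("reject", "unknown card")
    if rec.hot_listed:
        return Decision("capture", "card reported lost or stolen")
    if rec.surrendered:
        return Decision("capture", "card surrendered")
    if not hmac.compare_digest(compute_offset(pin_entered, card_no), rec.offset):
        rec.failed_attempts += 1
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return Decision("capture", "three consecutive failed PIN attempts")
        return Decision("reject", f"wrong PIN (attempt {rec.failed_attempts} of {MAX_FAILED_ATTEMPTS})")
    rec.failed_attempts = 0                          # a correct PIN resets the counter
    if amount > daily_limit:
        return Decision("reject", "amount exceeds parameterised withdrawal limit")
    if amount > rec.balance:
        return Decision("reject", "insufficient balance in PBF")
    rec.balance -= amount                            # PBF updated for the next request
    return Decision("approve", "ok")


def build_demo_db() -> Dict[str, CardRecord]:
    """Constructed card records; the card numbers and PINs are not real."""
    return {
        "4000000000000001": CardRecord(compute_offset("1234", "4000000000000001"), balance=50000),
        "4000000000000002": CardRecord(compute_offset("9876", "4000000000000002"), balance=1000,
                                       hot_listed=True),
    }


if __name__ == "__main__":
    db = build_demo_db()
    print(authorise_withdrawal(db, "4000000000000001", "1234", 5000))
    print(authorise_withdrawal(db, "4000000000000002", "9876", 100))
```

The limit and the attempt threshold are plain parameters, which is exactly why the text asks the auditor to review who may change them.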

The important control points to be reviewed for audit purposes would include the following: 

There should be a security guard as well as CCTV (closed-circuit camera) coverage.



A register should be maintained at the entry point.



The server has an operating system. The settings of the operating system need to be reviewed to ensure it is in line with the best practices.



Only the Systems Administrator, and no one else, should be able to access the operating system.



The ADMIN Password should be kept secure.



The application software in the switch holds the maximum number of withdrawals per day, the withdrawal limit, the number of failed attempts allowed, etc.; these are parameterized.



The procedure for configuring these parameters should be reviewed.

Only an authorised person should be capable of making these modifications.



Procedures in place for key storage should be reviewed. Security of key used for encryption and decryption purposes should be evaluated.



The procedure for hot-listing ATM cards needs to be reviewed.



Examination of the types of logs that are generated and review of such logs is important.



When there is an agreement with other banks for usage of their ATMs, such agreement should be reviewed, especially with reference to customer claims of "money not received but account debited".



Very importantly, the procedures in place for reconciliation with other banks / branches should be reviewed.



Any undue delay in reconciling these may allow unauthorised entries to accumulate unnoticed in the account.

2.2 Internet Banking

Internet Banking refers to banking transactions routed through the Internet. This facility permits registered customers of the bank to perform banking operations at any time of the day from any computer; now it may also be possible to do so from a cell phone. No doubt, Internet Banking facilitates banking through the medium of the internet. However, it also needs specialized software and hardware. The internet, as you all know, is a public network. Hence proper security features are built into the system to maintain the confidentiality and integrity of the data being transferred through the internet. Some banks provide this facility automatically soon after a customer opens an account with them. Others require a special request from the customer to provide this facility. However, whatever the method of providing the internet facility, there is a process to be followed.

Process

The main components of an Internet banking system are the Web Server, the Internet Banking Application Server (IBAS), the Internet Banking Database Server (IBDS), the Middleware and the Central Database Server. A broad data flow diagram describing the Internet Banking process is given below (Fig 2.2.1(A) and Fig 2.2.1(B)). The elements shown in the diagram are:
(a) Customer: the customer uses a browser such as Internet Explorer to access the Web.
(b) De-Militarized Zone (DMZ): Web Server & Web host, IBAS (Internet Banking Application Server) and IBDS (Internet Banking Database Server).
(c) Trusted Inside Zone: Middleware and Central Database Server. All data to and from the Core Database server is scanned by the Firewall.

The Web host is a system that has an operating system and runs the services of the Web server. All data to and from the Web server are scanned by the Firewall, as shown in Fig 2.2.1(A) and Fig 2.2.1(B).

Fig 2.2.1(A): Broad Data flow diagram describing the Internet Banking Process. Steps shown in the figure:
1. Customer accesses the Bank's website using a browser.
2. Web server sends the Bank's web page to the customer.
3. Customer types the Internet Banking user name and password.
4. Web server sends the user name and password to IBAS.
5. IBAS requests the user name and password of the customer from IBDS.
6. IBDS sends the user name and password of the customer to IBAS.
7. IBAS authenticates the customer and intimates the web server.
8. Web server presents the facing page of the customer's account (assuming the customer is authenticated).
9. Customer chooses an IB service, say "Account statement view".
10. Web server forwards the service request to IBAS for processing (continued at point A in Fig 2.2.1(B)).

Fig 2.2.1(B): Broad Data flow diagram describing the Internet Banking Process (continued from point A). Steps shown in the figure:
1. IBAS requests customer account information from IBDS.
2. IBDS requests customer account information from the Core DB, which is accessed via the Middleware.
3. Middleware forwards the request from IBDS to the Core DB.
4. Core DB retrieves the customer account information and forwards it to the Middleware.
5. Middleware converts the customer account information to suit the requirements of IBDS.
6. IBDS temporarily stores the customer account information.
7. IBAS accesses the customer information in IBDS and presents it to the Web Server.
8. Web server presents the customer a dynamic web page with the account information.
9. Customer is presented with the requested account statement.

The customer applies to the bank for such a facility. He is provided with a User ID and Password. As is the best practice, the password is expected to be changed soon after the first log on.

The Internet banking facility can be used only by accessing the website of the bank, for which a browser such as Internet Explorer is used.



The website is hosted in the web server. The web server is in the central data centre of the bank. Access to the web server is permitted only to authorised users.



To protect the web server from unauthorised use and abuse, all traffic must pass through a firewall. The firewall is designed in such a fashion that only traffic addressed to the web server through the authorised port is permitted.



An individual who accesses the website of bank through the browser will be able to access the web server and there will be a display of the bank’s web page on the screen of the client’s computer.



The web page will also provide all information generally of interest to the public. The web page also will have a specified area wherein a mention of user ID and password will be made. Those who have been provided with the user ID and password would be expected to enter the same.



As we are all aware, the password will not be displayed in plain text but will only be in an encrypted form.



The web server forwards the customer details to the internet banking application server, which in turn accesses the IBDS. This server already holds the database of all the customers who have been provided with the internet banking facility; for each customer it holds the user ID and password.



The information received from the web server is verified against the data of the customer held by the internet banking application server (IBAS).



Should the information not tally, the message 'access denied' would appear, giving the reason 'user ID wrong / password wrong'. The customer, realising the mistake, may rectify it and make another attempt. Normally three such attempts would be permitted. After three attempts, the customer will be logged out for security reasons. If more attempts were permitted, there would be a possibility of a person simply trying out different combinations of user ID and password to break into the system.



Based on the authentication check, the IBAS sends an acknowledgement to the web server, which displays the message. Once the authentication process is completed correctly, the customer is provided the internet banking facility, which would include:
(a) Password change
(b) Balance inquiry
(c) Fund transfer
(d) Request for cheque book
(e) Stop payment
(f) Copy of statement of account and
(g) ATM / Credit Card related queries

The customer then chooses one of the services from the list. The service requested is directed by the web server to the IBAS for processing. The IBAS will access the internet banking data base server for further processing.



The IBDS will retrieve the data from the central data base server. The IBDS will be able to access the central data base server only through a middleware and firewall. The middleware is expected to convert the data to suit the requirements of IBDS.



The internet banking database server then forwards the customer data to the IBAS, which processes the transaction. E.g., the statement of account from the central database server is made available to the internet banking database server (IBDS). The IBDS then sends the data to the IBAS. The IBAS then sends the same to the web browser (Internet Explorer).



The web server generates a dynamic web page for the service requested; e.g., the account statement generated by the web server is presented to the browser (say Internet Explorer). The information is provided to the web browser in an encrypted form.

The customer would be able to get the service required, e.g., viewing the statement of account, or a screen made available for him to request a cheque book, give instructions for 'stop payment', etc. After the service is provided, the customer may choose to log out. Depending upon the software, the customer may be permitted to request more than one service in one session. Some software would automatically log out the customer after one service has been completed and expect him to log in again. It needs to be emphasised that security is a serious concern in internet banking and should be implemented with great care. The security concerns could be:
(a) Privacy issues - customers being able to view accounts other than their own.
(b) Wrong or fraudulent fund transfers. The transfer requested by the customer may be executed wrongly, i.e., instead of one account being credited or debited, a different account may be accessed.
(c) This weakness could be exploited by customers with fraudulent intentions, who gain unauthorised access to certain customers' accounts and transfer funds to their own account.
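The ownership check that prevents concern (a) and the transfer validation for (b) and (c), as an added Python example; it is not the material's own code and not any bank's IBAS. It assumes the IBAS holds a session object whose customer ID was set only after a successful authentication, and all account data is constructed. `view_statement_unchecked` shows the weakness: it trusts whatever account number the browser sends; `view_statement` and `transfer` derive ownership from the session instead.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


class AccessDenied(Exception):
    """Raised when a request touches an account the session does not own."""


@dataclass
class Session:
    customer_id: str          # assumption: set by IBAS only after authentication


@dataclass
class Account:
    owner: str
    balance: int
    statement: List[str] = field(default_factory=list)


# Constructed sample data (not from the material): two customers, three accounts.
ACCOUNTS: Dict[str, Account] = {
    "ACC-1001": Account(owner="CUST-A", balance=50000, statement=["opening balance 50000"]),
    "ACC-1002": Account(owner="CUST-A", balance=2000, statement=["opening balance 2000"]),
    "ACC-2001": Account(owner="CUST-B", balance=7500, statement=["opening balance 7500"]),
}
# Ownership is looked up on the server side; the browser never supplies it.
OWNED: Dict[str, Set[str]] = {
    "CUST-A": {"ACC-1001", "ACC-1002"},
    "CUST-B": {"ACC-2001"},
}


def view_statement_unchecked(account_no: str) -> List[str]:
    """The privacy weakness in (a): the service uses the account number sent by
    the browser and never asks who is logged in."""
    return ACCOUNTS[account_no].statement


def is_authorised(session: Session, account_no: str) -> bool:
    """True only if the authenticated customer owns the account."""
    return account_no in OWNED.get(session.customer_id, set())


def _require_owned(session: Session, account_no: str) -> Account:
    if not is_authorised(session, account_no):
        raise AccessDenied(f"{session.customer_id} does not own {account_no}")
    return ACCOUNTS[account_no]


def view_statement(session: Session, account_no: str) -> List[str]:
    """Hardened form: ownership is derived from the session, not the request."""
    return _require_owned(session, account_no).statement


def transfer(session: Session, from_acct: str, to_acct: str, amount: int) -> int:
    """Fund transfer addressing (b) and (c): the debit side must belong to the
    logged-in customer, the credit side must exist and differ from it, the amount
    must be positive and covered, and both postings carry the same reference so
    the two statements can be reconciled. Returns the new source balance."""
    if amount <= 0:
        raise ValueError("amount must be positive")
    src = _require_owned(session, from_acct)
    if to_acct not in ACCOUNTS:
        raise ValueError(f"beneficiary account {to_acct} does not exist")
    if from_acct == to_acct:
        raise ValueError("source and beneficiary accounts are the same")
    if src.balance < amount:
        raise ValueError("insufficient funds")
    dst = ACCOUNTS[to_acct]
    src.balance -= amount
    dst.balance += amount
    ref = f"TRF {from_acct}->{to_acct} {amount}"
    src.statement.append(f"debit {amount} {ref}")
    dst.statement.append(f"credit {amount} {ref}")
    return src.balance


if __name__ == "__main__":
    cust_a = Session("CUST-A")
    print(view_statement(cust_a, "ACC-1001"))
    print("new balance:", transfer(cust_a, "ACC-1001", "ACC-2001", 1000))
    try:
        view_statement(Session("CUST-B"), "ACC-1001")
    except AccessDenied as exc:
        print("denied:", exc)
```

Every denied request raises rather than returning an empty result, so the IBAS can log it as one of the penetration attempts the audit programme later asks to be recorded and reviewed.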

PROCEDURES FOR EVALUATING CONTROLS

In any process of evaluation of controls, one needs to be aware of the security concerns in an environment. The main security concerns in Internet Banking are:

Unauthorised access to any of the access points



Incomplete or inappropriate procedure regarding identification of user.



Lack of segregation of duties in the operation facilities, applications and data.



Roles and responsibilities of system administrator not clearly defined.



Firewall not clearly configured and monitoring procedures absent / inadequate.

Absence of segregation of live and test environments.



Inadequate network security.



Routers improperly positioned.



Inadequacy of security of web server.



Inadequate security of Internet Banking system.



Inadequate security of Data Base System.



Insufficient built in Application Controls.



User authentication.



Incomplete and cancelled transaction.



Insufficient data security.



Informal / unstructured change management procedure.

Broadly, the audit program should be on the following lines:

1. Security Policy

Verify whether there is a written Internet Banking Security Policy, which should include a firewall policy and an access policy. Overall policy guidelines should be documented and available. It should cover policy and procedures for all access points to the Internet Banking system. The access points should include:
(a) User System.
(b) Front end application.
(c) Router, switch, firewall.
(d) Application Server.
(e) Web Server.
(f) Database Server.
(g) Network.
(h) Infrastructure of Internet Banking.

2. User Identification

Unauthorized access to other customers' accounts would amount to a violation of privacy rights. Existing security mechanisms should be verified to ensure this requirement is met. Even a weak password could lead to a security lapse.

Internet Banking Application Program should be accessible only to authorised users. In the absence of such discipline, unauthorised changes could be made to application program.


There should be adequate logs maintained to provide monitoring facility.



Any attempt at penetrating the network should be proactively detected by installing Intrusion detection / prevention systems.



There should be provision to automatically log such attempts and these logs should be reviewed on a daily basis.

3. Access Control to Operation Facilities

(a) There should be adequate segregation of duties. Incompatible functions should not be performed by the same individual.
(b) There should be a procedure in place to ensure that soon after an employee resigns, his user ID and password are revoked and his logical access is denied.

4. Roles and Responsibilities of System Administrator

System administration is a sensitive function and should be allocated to a specific individual. He needs to have access only to perform the system administration function. There should be a built-in control to report, by means of a log, if he performs any other function.

5. Firewall

It has to be ensured that Internet banking services are provided only through a dedicated firewall. Periodically, penetration tests (tests of whether the network can be entered without authorisation) should be performed to ensure that this is not possible. If vulnerabilities are highlighted, it should be verified whether immediate corrective steps have been taken. There should be approval from appropriate senior management before the firewall, routers and other associated systems are changed or upgraded.

6. Segregation of Live and Test Environments

As in all computer systems, the test environment should be separate from the live environment. No testing should be done in the live environment. The live environment is the environment where the live program is running. Such a program would have been thoroughly tested and moved under proper authority from the test environment to the live environment.

7. Network Security

There should be an adequate control mechanism in place to ensure that access both into and out of the internal network is controlled. Review whether there is any provision (usage of tools) to monitor suspicious activity.

8. Router Configuration

Routers should be properly configured to ensure that the network is restricted to only the necessary systems and none else.


9. Web Server Security

The Web Server should run only the required processes and none else. The Web Server would have its own operating system (e.g., Windows 2003), and it should be ensured that all security settings of the operating system are in order.

10. Security of Internet Banking System

A list of authorised users should be maintained, and the system should not allow access to any other user. The Internet Banking system configuration should be well documented. There should be adequate controls in place to ensure that the integrity and security of transactions are not affected.

11. Data Base

The database should be accessible only to the computer application in the normal course. In addition, the database administrator has access for maintenance. There should be a log generated if any other access has been made. The Personal Identification Number (PIN) of clients, which will be stored in the database, should be only in encrypted form.

12. Operational Controls - Built in Controls

The application should have been tested extensively so that all validity criteria are complied with before a transaction is processed.

13. Operational Controls - User Authentication

A user authentication mechanism should be in place to ensure access is restricted to authorised personnel.

14. Operational Controls - Incomplete and cancelled transactions

The procedure for incomplete processing needs to be reviewed. Special attention needs to be paid to the possibility of a client cancelling a transaction which has been entered. E.g., a fund transfer might have been entered and authorised; whether the system will permit reversal needs to be studied.

Operational Controls - Data Security

Key management procedures (for encryption) in place must be in line with best practices (dual control). Review whether critical data like PIN encryption keys are stored in a physically secure environment, e.g., in physically secure hardware like an HSM (Hardware Security Model). There should be satisfactory restart and recovery procedures in place. Review the application testing procedure for its adequacy, i.e., conformity to best accepted procedures.

15. Change Management Procedure

Ensure there is a formal procedure in place for change management. Special attention needs to be paid to emergency procedures.


16. Library Procedures

Documenting and numbering the different versions of programs, storing the different versions safely, moving programs from the test environment to the production environment, etc. need to be reviewed for their adequacy and conformity to standard procedures.

2.3 Real Time Gross Settlement

The acronym RTGS stands for "Real Time Gross Settlement". The RTGS system enables transfer of money from one bank to another on a "Real Time" and on a "Gross" basis. Real time means that the transactions are settled as soon as they are processed; there is no waiting period. Gross settlement means that each transaction is settled on a one to one basis; there is no bunching with another transaction. The money transfer takes place in the books of the Central Bank of the country - the Reserve Bank of India in our country. As the money transfer takes place in the books of the RBI, the payment is final and irrevocable.

Difference between Electronic Fund Transfer System (EFT) or National Electronic Fund Transfer System (NEFT) and RTGS: EFT and NEFT are also electronic fund transfer modes. However, they operate on a Deferred Net Settlement (DNS) basis. On a DNS basis, transactions are settled in batches. Transactions which take place after a particular settlement time would have to wait till the next designated settlement time. In RTGS, transactions are processed continuously throughout the RTGS business time. The RTGS system is primarily for large value transactions. As of now, the minimum amount to be remitted through RTGS is Rs.1.00 lakh and there is no upper ceiling. In the EFT and NEFT systems, there is no stipulation regarding the minimum and maximum amount.

The time taken for the transaction to be effected would be within two hours. The beneficiary bank (the bank which is receiving the amount) has to credit the beneficiary's account within two hours of receiving the fund transfer message. The remitting customer would receive an acknowledgment for the money credited to the beneficiary's account, as the remitting bank receives a message from the RBI that the money has been credited to the receiving bank. However, if the money is not credited for any reason, the receiving bank would have to return the money to the remitting bank within two hours. The remitting bank would in turn reverse the original entry - the debit entry in the customer's account.

The essential information that the remitting customer would have to provide to the bank for the remittance to be effected is:
(a) Amount to be remitted
(b) His account number
(c) Name of the beneficiary bank
(d) Name of the beneficiary customer
(e) Account number of the beneficiary customer
(f) Sender to receiver information, if any, and
(g) IFSC Code of the receiving branch (IFSC stands for Indian Financial System Code; explained later in the Chapter)

The beneficiary customer would be able to obtain the IFSC Code from his branch. This information is also available in the cheque leaf. The beneficiary can inform the remitting customer details regarding Code number and Bank branch. Most of the Banks are providing RTGS service. The latest list of such branches is also available in the RBI Website.

Procedure for tracking the remittance transaction

Some banks which have the internet banking facility provide this service online. The remitting customer would be able to get confirmation from his bank either by e-mail or by SMS on the mobile phone.

Real Time Gross Settlement Process

Banks which wish to be recognized for RTGS processing need to apply to the Reserve Bank of India to be recognized as participant banks. The various steps involved in the transaction processing of RTGS are as follows:

The customer, who wishes to remit from his account in Bank A to the recipient in Bank B, approaches Bank A.



The transaction is entered in the client machine at the Bank A.



The client machine is connected to a server.



Each participant bank is allotted a code number.



This code number is called Indian Financial System Code (IFSC).



Each of the branches of the participant bank of RTGS is allotted a unique code (RTGS Branch Code).



A combination of these two codes acts as the identification.

R.T.G.S. Technical Environment

The diagram below explains the functional architecture of the Next Generation Real Time Gross Settlement System (NG-RTGS), as shown in Fig.2.3.1.

Fig.2.3.1: Functional Architecture of NG-RTGS

Features of NG-RTGS

Interface with RBI’s CBS



STP capability with Ancillary systems



Advanced MIS tools for report generation



Scalability of system, including efficient and optimal threading time for transaction and capability to handle large volume of transaction



Flexibility to add new transaction types and participant membership types



Future value date settlement



Balance status enquiry from central system



Compliance to international standards including Core principles for SIPS issued by BIS



Multi currency system



Extended business hours



Centralized Anti Money Laundering filtering



Monitoring and control of payment messages


Fig 2.3.2: Communication Channels

Fig 2.3.3. Design Architecture


Fig 2.3.4: Settlement Account Structure

Fig 2.3.5 RTGS External Interfaces


Alerts

Alerts are predefined, parameterized notifications generated by the NG-RTGS automatically and sent to the Participant users.

Format:
(a) Visual, audible or pop-up window: delivered only to the users logged in to the Web interface of the NG-RTGS.
(b) Email: delivered by email to the address specified in the user's RTGS profile.

Sample alerts:
(a) User account was blocked due to repetitive failed login attempts.
(b) System's timetable has been updated by the RBI.
(c) Suspicious high amount transaction was received by NG-RTGS.

MIS Reports

(a) Generated automatically, at predetermined moments (e.g. EOD).
(b) Ad-hoc, upon user request.

Format:
XML (ISO camt.053), PDF, Excel (CSV).

Availability:
(a) Online, as file download from the central NG-RTGS.
(b) As email attachments for EOD statements.

Content:
Analytic reports of the RTGS activity: summary of the transactions, net position, charging reports etc.

Benefits of new messaging System

The standard supports end-to-end inter-operability.

ISO 20022 is more powerful in representing complex data structures (because of its modeling approach and XML data representation).

It offers synergies with other payment instruments and markets, allowing for convergence into a single platform.

It reduces the impact of proprietary technology.

It is independent of the transport mechanism.

It makes it easier for payment system participants to connect their varied functional systems & channels with low investment.

Availability of and access to a growing pool of technical resources and expertise on the technologies used in the standard.

ISO 20022 enables the use of inexpensive and widely available tools for basic data manipulation & simplifies integration with XML-enabled applications and processes.

The majority of format & business validations can be implemented inside ISO 20022, thus minimizing application-level coding requirements.

The XML approach allows incremental expansion of scope as and when a new business case arrives, with no changes to the processing system to accommodate or validate the message.

It helps improve straight through processing.

It reduces the impact of maintenance.

Standardized validation processes.

Faster and more flexible development if messages need to be extended.

Standardized status & error codes.

End-to-end customer references (with more characters than are used today).

Fewer processing errors, due to consistent formatting standards.
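An added example of the kind of standardised validation the XML (ISO camt.053) MIS statements described above make possible; it is not the material's code, and the statement is a constructed, heavily simplified camt.053.001.02 document, not an actual NG-RTGS file. The parser reads the opening and closing balances and the entries, computes the net position, and checks that opening plus credits minus debits agrees with the reported closing balance.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal
from typing import Dict, List

# ISO 20022 namespace for the camt.053 bank-to-customer statement, version 02.
NS = {"c": "urn:iso:std:iso:20022:tech:xsd:camt.053.001.02"}

# Constructed, simplified sample (assumption): only the elements this parser
# needs are present; the account and references are placeholders.
SAMPLE_CAMT053 = """<?xml version="1.0" encoding="UTF-8"?>
<Document xmlns="urn:iso:std:iso:20022:tech:xsd:camt.053.001.02">
  <BkToCstmrStmt>
    <GrpHdr><MsgId>DEMO-EOD-0001</MsgId><CreDtTm>2024-01-01T18:00:00</CreDtTm></GrpHdr>
    <Stmt>
      <Id>STMT-0001</Id>
      <Acct><Id><Othr><Id>SETTLEMENT-ACCT-PLACEHOLDER</Id></Othr></Id></Acct>
      <Bal><Tp><CdOrPrtry><Cd>OPBD</Cd></CdOrPrtry></Tp><Amt Ccy="INR">10000.00</Amt><CdtDbtInd>CRDT</CdtDbtInd></Bal>
      <Bal><Tp><CdOrPrtry><Cd>CLBD</Cd></CdOrPrtry></Tp><Amt Ccy="INR">11300.00</Amt><CdtDbtInd>CRDT</CdtDbtInd></Bal>
      <Ntry><Amt Ccy="INR">2500.00</Amt><CdtDbtInd>CRDT</CdtDbtInd><Sts>BOOK</Sts><AcctSvcrRef>DEMOUTR0001</AcctSvcrRef></Ntry>
      <Ntry><Amt Ccy="INR">1200.00</Amt><CdtDbtInd>DBIT</CdtDbtInd><Sts>BOOK</Sts><AcctSvcrRef>DEMOUTR0002</AcctSvcrRef></Ntry>
    </Stmt>
  </BkToCstmrStmt>
</Document>
"""


def _signed(amount_el: ET.Element, ind_el: ET.Element) -> Decimal:
    """Credit balances are positive, debit balances negative."""
    amt = Decimal(amount_el.text)
    return amt if ind_el.text == "CRDT" else -amt


def summarise_statement(xml_text: str) -> Dict[str, object]:
    """Summarise one statement: balances, totals, net position and whether the
    reported closing balance agrees with opening + credits - debits."""
    root = ET.fromstring(xml_text)
    stmt = root.find("c:BkToCstmrStmt/c:Stmt", NS)
    balances: Dict[str, Decimal] = {}
    for bal in stmt.findall("c:Bal", NS):
        code = bal.find("c:Tp/c:CdOrPrtry/c:Cd", NS).text
        balances[code] = _signed(bal.find("c:Amt", NS), bal.find("c:CdtDbtInd", NS))
    credits = Decimal(0)
    debits = Decimal(0)
    refs: List[str] = []
    for ntry in stmt.findall("c:Ntry", NS):
        amt = Decimal(ntry.find("c:Amt", NS).text)
        if ntry.find("c:CdtDbtInd", NS).text == "CRDT":
            credits += amt
        else:
            debits += amt
        refs.append(ntry.findtext("c:AcctSvcrRef", default="", namespaces=NS))
    computed_closing = balances["OPBD"] + credits - debits
    return {
        "statement_id": stmt.findtext("c:Id", namespaces=NS),
        "opening": balances["OPBD"],
        "credits": credits,
        "debits": debits,
        "net_position": credits - debits,
        "computed_closing": computed_closing,
        "reported_closing": balances["CLBD"],
        "balanced": computed_closing == balances["CLBD"],
        "entry_refs": refs,
    }


if __name__ == "__main__":
    for key, value in summarise_statement(SAMPLE_CAMT053).items():
        print(f"{key}: {value}")
```

Amounts are parsed as `Decimal`, never as floating point, so the balance check is exact to the paisa; a statement whose closing balance does not reconcile is reported with `balanced` set to false rather than being accepted.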

Fig.2.3.6: Message transformation in NG-RTGS


SMS securities settlement scheme

In the initial days of RTGS, transactions were manually keyed into the member institution's account system and into the RTGS system. These two independent manual operations often led to data inaccuracies. But today many member institutions have implemented Straight Through Processing (STP) modules. STP implies that the member institution's software system and the RTGS software talk to each other through defined interfaces. As a result, it is sufficient if data is entered in one system only, and it automatically flows into the other. Thus an outward remittance transaction is entered into the member institution's system (say, a bank's Core Banking System) and is automatically processed and posted into the RTGS PI. Similarly, an incoming remittance transaction automatically flows from the RTGS PI to the member institution's accounting system. A special feature of STP is that the Uniform Transaction Reference (UTR) number for any outbound RTGS transaction is generated by the STP system. However, such a message has to be necessarily routed through the RTGS member's PI to RBI's IFTP system. Obviously, an STP system requires that the member institution's internal processes and back office functions are robust and reliable. Incidentally, some of the big banks now allow their customers to initiate an RTGS remittance transaction through the bank's Internet Banking facility also.

Important Security Features of RTGS

Unique Transaction Reference (UTR) Number: Every message sent by the member bank to the RTGS system is allotted a Unique Transaction Reference (UTR), and this number is embedded in the RTGS message itself. This UTR is used by the parties to identify the transaction among themselves for any enquiry / investigation / complaint. A message without a UTR will be rejected by all systems forming part of the RTGS. Also, every message released by the member bank to the RTGS system is assigned a Sequence Number (SN). The Sequence Number (SN) is incremented with every message. Therefore, any message received at the RTGS system with an SN which is not the next expected SN from the concerned member bank will be rejected by the RTGS system.

Handling Duplicate Messages: If the RTGS system receives a duplicate copy of an earlier message (i.e., two messages with the same UTR and contents), it will be treated as a duplicate. It will not be processed by the RTGS system. In case a response to the earlier message had already been sent, the same response will be sent again, and the response will be marked as a potential duplicate emanation. On the other hand, if the contents of the duplicate message (i.e., a message with the same UTR as an earlier one) are different from those of the earlier message, the RTGS system will consider the situation a breach of security and will disconnect the PI associated with the duplicate message. However, such situations are rare.
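The UTR, sequence-number and duplicate rules just described, as an added Python example that is not the RTGS system's own code: a receiver class that assumes one sequence counter per Participant Interface (PI) and works on constructed messages. The duplicate check runs before the sequence check, because a retransmitted message carries its old SN and must be recognised as a duplicate rather than rejected as a sequence error.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class Message:
    utr: Optional[str]      # Unique Transaction Reference embedded in the message
    sn: int                 # per-participant sequence number
    pi: str                 # sending Participant Interface (constructed identifier)
    body: str               # payment contents


@dataclass
class Response:
    utr: Optional[str]
    status: str
    possible_duplicate: bool = False   # set when an earlier response is re-sent


class RTGSReceiver:
    """Inbound checks in the order described in the text: missing UTR,
    duplicate UTR (same or different contents), then sequence number."""

    def __init__(self) -> None:
        self.expected_sn: Dict[str, int] = {}                    # next SN expected per PI
        self.accepted: Dict[str, Tuple[str, Response]] = {}      # UTR -> (body, response)
        self.disconnected: Set[str] = set()

    def receive(self, msg: Message) -> Response:
        if msg.pi in self.disconnected:
            return Response(msg.utr, "REJECTED: PI disconnected")
        if not msg.utr:
            return Response(None, "REJECTED: missing UTR")
        earlier = self.accepted.get(msg.utr)
        if earlier is not None:
            body, resp = earlier
            if body == msg.body:
                # Retransmission: not processed again; the same response is repeated
                # and flagged as a possible duplicate emanation.
                return Response(msg.utr, resp.status, possible_duplicate=True)
            # Same UTR with different contents: treated as a security breach.
            self.disconnected.add(msg.pi)
            return Response(msg.utr, "SECURITY BREACH: UTR reused with different contents; PI disconnected")
        expected = self.expected_sn.get(msg.pi, 1)
        if msg.sn != expected:
            return Response(msg.utr, f"REJECTED: sequence error, expected SN {expected}, got {msg.sn}")
        self.expected_sn[msg.pi] = expected + 1
        resp = Response(msg.utr, "ACCEPTED")
        self.accepted[msg.utr] = (msg.body, resp)
        return resp


if __name__ == "__main__":
    rx = RTGSReceiver()
    for m in (Message("UTR001", 1, "PI-A", "pay 100"),
              Message("UTR001", 1, "PI-A", "pay 100"),      # retransmission
              Message("UTR003", 3, "PI-A", "pay 5"),        # SN 2 skipped
              Message("UTR001", 2, "PI-A", "pay 999")):     # UTR reuse, new contents
        print(m.utr, m.sn, "->", rx.receive(m))
```

Only accepted messages are remembered under their UTR; a message rejected for a sequence error is not stored, so the sender can resubmit it with the correct SN without triggering the breach rule.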

2.4 Cash Management System (CMS)

Cash Management System (CMS) is a new product developed by banks. The objective of the product is to meet the needs of customers who have operations all over the country. Such organizations would naturally have collections and payments in various locations. In the normal course, cheques would be collected in one single location and then deposited in the main branch. This causes cash flow problems as there is uncertainty regarding the dates when the cheques would be realised. In view of this uncertainty both scenarios of excess cash and deficit cash were arising. As with receipts by way of cheques, a similar situation arises when a high volume of disbursements has to be made, e.g.,
(a) Salaries for the different branches
(b) Dividend payments.

To get over these problems of cash management and to make the process of cash management effective, banks have introduced this new product - CMS. The broad features of CMS are as follows:
• Multiple collection centres have been authorised to receive the cheques / drafts of the customers.
• It is not necessary to open a separate account in each of these centres.
• At the client's main account, which is maintained at the pooling centre, credit is offered on the same day for all the cheques / drafts deposited and cleared at the branches.
• The product also provides a Management Information System to customers, providing details location wise and also party wise.
• If necessary, information can even be provided by e-mail.

Evaluation of Controls of CMS: Parameter settings (Master Settings): There needs to be adequate control over parameter settings, authorization and also modification of such settings. E.g., parameters would include:
(a) Clearing cycle
(b) Credit limit
(c) Charges (various slabs)
(d) Interest (various slabs)

Processing Charges: When the bank offers the CMS product to the customer, naturally there are associated charges for the same, which would include:
(a) DD / Pay Order issue charges
(b) Courier charges
(c) Cheque return charges
(d) Interest charges for credit offered.

There needs to be a process logic for computing the various charges. Any defect in the logic would lead to income leakage. While evaluating the controls, it is necessary to verify the correctness of the parameters and also test the program logic. It is important to verify the authorization process for creating and modifying parameters.

In certain circumstances the customer may be offered a credit limit which exceeds the sanctioned limit. This can be done only under proper authorization. Aspects of this nature need to be verified at the time of performing the audit.

End of Day Processing: The various amounts collected and the different amounts disbursed are all pooled in a designated account. There needs to be a control to ensure the accuracy of such pooling. The CMS product is interfaced with the core banking solution. The charges and other items need to find a place in the general ledger. Mapping of entries needs to be verified. It should also be verified whether there is a built-in control to prepare an exception report in case of apparently wrong entries, e.g., collection charges being credited. Normally the CMS product provides various audit trails which include listing of parameter settings, transaction authorization and waiver of charges. While evaluating the trails and performing the audit, the adequacy of the audit trails needs to be verified.
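To test the charge logic and the end-of-day pooling an auditor needs something concrete to compare the product's output against. The block below is an added example written for this material, not any bank's CMS code: it computes charges from a slab-based parameter table, pools collections and disbursements, and produces the exception report the text asks for (a charge that has been credited to the customer instead of debited). The parameter values, the transaction layout and the sample transactions are all constructed for the example.

```python
"""Added example: parameter-driven CMS charges, end-of-day pooling and an
exception report. Not any bank's CMS code; parameters and sample data are
constructed for illustration."""
from decimal import Decimal

# Constructed charge parameters (the "master settings" an auditor verifies).
PARAMS = {
    "courier_slabs": [                  # (upper bound inclusive, charge); None = open-ended
        (Decimal("10000"), Decimal("25")),
        (Decimal("100000"), Decimal("50")),
        (None, Decimal("100")),
    ],
    "cheque_return_charge": Decimal("150"),
    "dd_issue_charge": Decimal("30"),
    "credit_interest_rate_pa": Decimal("0.12"),
}


def courier_charge(amount, slabs) -> Decimal:
    """Slab lookup: the first slab whose upper bound covers the amount applies."""
    for upper, charge in slabs:
        if upper is None or amount <= upper:
            return charge
    raise ValueError("slab table has no open-ended top slab")


def interest_on_credit(amount, days: int, rate_pa: Decimal) -> Decimal:
    """Simple interest for credit offered against uncleared cheques (assumed 365-day year)."""
    return (amount * rate_pa * days / Decimal(365)).quantize(Decimal("0.01"))


def charge_for(txn: dict, params=PARAMS) -> Decimal:
    """Charge owed by the customer for one CMS transaction."""
    kind = txn["type"]
    if kind == "collection":
        return courier_charge(txn["amount"], params["courier_slabs"])
    if kind == "cheque_return":
        return params["cheque_return_charge"]
    if kind == "dd_issue":
        return params["dd_issue_charge"]
    if kind == "credit":
        return interest_on_credit(txn["amount"], txn["days"], params["credit_interest_rate_pa"])
    raise ValueError(f"unknown transaction type {kind!r}")


def end_of_day(txns: list, params=PARAMS) -> dict:
    """Pool the day's collections and disbursements, total the charges that
    should reach the income GL, and list entries that should never occur."""
    pool = Decimal("0")
    charges_income = Decimal("0")
    exceptions = []
    for t in txns:
        if t["type"] == "collection":
            pool += t["amount"]
        elif t["type"] == "disbursement":
            pool -= t["amount"]
            continue                      # no charge computed on a disbursement here
        charge = charge_for(t, params)
        # A charge must be a debit to the customer; a credit is an apparently
        # wrong entry and goes to the exception report instead of income.
        if t.get("charge_dr_cr", "DR") != "DR":
            exceptions.append((t["id"], f"charge {charge} credited to customer"))
        else:
            charges_income += charge
    return {"pool": pool, "charges_income": charges_income, "exceptions": exceptions}


# Constructed sample day of transactions.
SAMPLE_TXNS = [
    {"id": "T1", "type": "collection", "amount": Decimal("5000")},
    {"id": "T2", "type": "collection", "amount": Decimal("50000")},
    {"id": "T3", "type": "collection", "amount": Decimal("250000"), "charge_dr_cr": "CR"},
    {"id": "T4", "type": "disbursement", "amount": Decimal("20000")},
    {"id": "T5", "type": "cheque_return", "amount": Decimal("1000")},
    {"id": "T6", "type": "credit", "amount": Decimal("100000"), "days": 30},
]


def run_sample() -> dict:
    return end_of_day(SAMPLE_TXNS)


if __name__ == "__main__":
    print(run_sample())
```

Running the sample pools 285000, posts 1211.30 of charges to income and lists T3 as an exception. Checking the product's figures against an independently computed set like this is how a defect in the slab or interest logic (the "income leakage" the text warns about) shows up.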

CHAPTER 3

SYSTEMS AUDIT OF CBS AND ITS INTERFACES

LEARNING OBJECTIVES
• Introduction to ISA
• Evaluation of security and controls in CBS
• CBS control and audit of branches
• Using reporting / SQL feature for analysis, reviewing controls at different layers with case study.

3.1. Introduction to Information Systems Audit

Systems auditing is an important aspect in the present context of extensive computerisation. The control objectives and audit objectives always remain the same. However, audit methodology in a computerised environment is distinctly different from that in a manual environment. In 1967, in the United States, a significant event took place in the history of systems audit. It is commonly and popularly referred to as the "Equity Funding Case". The managers and directors of Equity Funding Corporation of America, with the idea of increasing the share value of their company, falsified profits by creating bogus insurance policies. Apart from that, other methods were also used. The auditor for the parent company was not the auditor of the insurance company. This was done with the main idea of confusing and confounding the audit process so that the overdues could not be detected. These matters were further complicated by the external auditors confirming the existence of the insurance policies (the faked ones)! The confirmation was obtained on the telephone. It was reported that the calls went through the Equity Funding switchboard to employees who were colluding with the managers, and they confirmed the existence of the policies. In 1973, after nearly six years, the fraud was exposed, and that too by a disgruntled employee who alerted the authorities. Thereafter the Stock Exchange suspended trading of Equity Funding shares. A leading audit firm with partners who had the necessary knowledge and experience to perform audit in a computerised environment was appointed. It was discovered that US $2.00 billion worth of bogus insurance policies existed. Thereafter all that happened is history. The fact that came to light was that the original external auditors missed many clues that there was an apparent fraud. The management, to proliferate the bogus insurance policies, had used computers to take advantage of their speed. The computer files contained details of the policies, a mere reading of which would have highlighted the fraud.

The importance of performing systems audit was very much appreciated, as the cause for the non-detection of the fraud was more a lack of knowledge on the part of the auditors. Though some auditors colluded in the Equity Funding case, it provoked a well-known authority on the subject of systems audit to comment that the Equity Funding case contributed a great deal to systems audit, and more to the recognition and development of systems audit than any other single event. The case however had certain other positive effects too. The management, which previously did not want the auditors to be "snooping around" the computer department, changed its attitude and welcomed the auditors and their report. The management sought an independent assurance as to whether the information systems on which they rely are dependable in terms of controls, whether built into the system or outside it. Confidentiality, Integrity and Availability (CIA) are the components of information security. Systems audit, which verifies the controls in a computerised environment, evaluates the controls and provides assurance regarding their adequacy. In a banking environment, where all of the manual maintenance of accounts has been shifted to computers, the importance of performing systems audit can never be over emphasised. Many controls for information systems, and important ones at that, are built into computers. Hence, as verification of internal controls is of utmost importance, systems audit as distinct from manual audit assumes importance. With the Core Banking Solution being implemented, the computer technology has become more advanced and the operations at all the branches are networked to the Central Office. The hardware and the communication are distributed and the software is centralised. Audit objectives of performing audit of banks have not undergone any change. However, audit methodology has undergone a 'sea change'.

Reserve Bank of India has in these circumstances issued many circulars which are available in the RBI website - www.rbi.org. The Institute of Chartered Accountants has issued guidelines for performing audit in an information technology environment. As of now, many of them are guidelines and hence, though not mandatory, members are expected to comply with the requirements. One such important guideline came in the name of the Gopalakrishnan committee report, which is taken as a mandatory guideline by RBI. In certain cases, the RBI has as a prerequisite instructed that systems audit should be performed before implementation of certain products, e.g., internet banking. The bank would not be permitted to commence internet banking operations unless the requisite security and controls have been certified by a competent systems auditor.

3.2 Security and Controls in CBS

In any information technology environment, there are certain controls and standards to be adhered to. When specific products like internet banking, ATM, RTGS/NEFT and CMS are introduced, there are certain additional controls specific to those systems which have been discussed in the respective chapters. In the following pages, we would be discussing the security and controls which need to be in place. Given below are the broad specifications of controls. Under each head there are other specific controls. The main heads would be
(a) Management Controls
(b) Organizational Controls
(c) Operational Controls and
(d) Application Controls. (Infrastructure controls have already been covered in the previous chapter.)

Management Controls Management controls would include (a) formulating a security policy, (b) developing a business continuity planning and (c) laying down procedures for systems development.

Security Policy: Security Policy is a document approved at the Board level. Reserve Bank of India mandates that every bank should have a security policy. The contents of the policy at the minimum should cover the following:
1. Formation of Security Committee / Steering Committee
2. Asset Management
3. Human Resources Management
4. Physical and Environmental Security
5. Communication and Operative Management
6. Access Control
7. Systems Development and Change Management Procedure

Business Continuity Planning There should be a comprehensive document in place taking into consideration critical operations of the bank. Reserve Bank of India mandates on every bank having a Business Continuity Plan in place. From the accounting point of view, one needs to look at it from the “going concern concept”. The existence of a Business Continuity Plan, evidence of testing and evidence of updating are essential. The various likely scenarios of business interruptions should be envisaged and a plan to meet such situations and keep the business going should be documented. There should be evidence of awareness being created among the employees.

Systems Development and Change Management Best practices for development of systems and change management should be documented. Constant monitoring of its being complied with should be in place. The procedures would include program development, program testing, and movement to library, movement from library to production, roles and responsibilities of Computer Team members, highlighting incompatible functions.

Organizational Controls: Organizational controls would include the organization structure of the IT Department, IT strategies, and roles and responsibilities, including the identification of incompatible functions.

Operational Controls: This would include physical access, logical access, environmental controls, evaluation of controls in operating systems and evaluation of controls of the network.

Application Controls: The controls would broadly come under the following heads:
• Input
• Output
• Process

Input: The input controls would ensure that the data entered is complete and correct. To ensure the same, the following built-in checks would be in the application software:
• Data validation
• Reasonableness check
• Format check (mandatory fields)
• Range check

Process Controls ensure that the software comprehensively covers the business process in the different modules. Process control would also include the existence of built in controls in the system to ensure proper processing of input data so as to provide the required output.
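The four input checks listed above are easiest to understand applied to one concrete record. The block below is an added example written for this material, not any CBS vendor's code: it validates a cheque deposit record, reporting format failures (mandatory fields, field shape), data validation failures (an unparseable or post-dated cheque date), a range failure (amount outside the permitted band) and a reasonableness failure (amount far above the account's usual pattern). The field names, the 12-digit account and 6-digit cheque formats, the ceiling, the 90-day staleness window and the sample records are all assumptions made for the example.

```python
"""Added example of CBS input controls applied to a cheque deposit record.
Not vendor code; field names, formats, limits and samples are assumptions."""
import re
from datetime import date

# Constructed parameters an auditor would verify against the master settings.
MANDATORY = ("account_no", "cheque_no", "cheque_date", "amount")
ACCOUNT_RE = re.compile(r"^\d{12}$")       # assumed 12-digit account numbers
CHEQUE_RE = re.compile(r"^\d{6}$")         # assumed 6-digit cheque serials
MAX_SINGLE_DEPOSIT = 1_000_000            # assumed ceiling for the range check
STALE_AFTER_DAYS = 90                     # assumed cheque validity window
REASONABLE_MULTIPLE_OF_AVG = 10           # assumed reasonableness threshold


def validate_cheque_deposit(rec: dict, system_date, avg_deposit: float) -> list:
    """Return a list of (check, message) failures; an empty list means accepted.

    system_date may be a date or an ISO 'YYYY-MM-DD' string.
    """
    if isinstance(system_date, str):
        system_date = date.fromisoformat(system_date)
    errors = []

    # Format check: every mandatory field must be present.
    for f in MANDATORY:
        if rec.get(f) in (None, ""):
            errors.append(("format", f"{f} is mandatory"))
    if errors:
        return errors                     # nothing else can be checked sensibly
    if not ACCOUNT_RE.match(str(rec["account_no"])):
        errors.append(("format", "account_no must be 12 digits"))
    if not CHEQUE_RE.match(str(rec["cheque_no"])):
        errors.append(("format", "cheque_no must be 6 digits"))

    # Data validation: the cheque date must be a real date, not post-dated, not stale.
    try:
        cheque_date = date.fromisoformat(str(rec["cheque_date"]))
    except ValueError:
        errors.append(("validation", "cheque_date is not a valid date"))
    else:
        if cheque_date > system_date:
            errors.append(("validation", "cheque date beyond system date"))
        elif (system_date - cheque_date).days > STALE_AFTER_DAYS:
            errors.append(("validation", f"stale cheque (older than {STALE_AFTER_DAYS} days)"))

    # Range check: amount must be positive and within the ceiling.
    amount = rec["amount"]
    if isinstance(amount, bool) or not isinstance(amount, (int, float)) or amount <= 0:
        errors.append(("range", "amount must be a positive number"))
    elif amount > MAX_SINGLE_DEPOSIT:
        errors.append(("range", f"amount exceeds ceiling of {MAX_SINGLE_DEPOSIT}"))
    # Reasonableness check: large departure from the account's normal deposits.
    elif avg_deposit > 0 and amount > REASONABLE_MULTIPLE_OF_AVG * avg_deposit:
        errors.append(("reasonableness", "amount far above account's average deposit"))
    return errors


if __name__ == "__main__":
    # Constructed sample record and a post-dated variant of it.
    good = {"account_no": "123456789012", "cheque_no": "000123",
            "cheque_date": "2009-01-10", "amount": 5000}
    print(validate_cheque_deposit(good, "2009-01-15", 4000))            # []
    print(validate_cheque_deposit({**good, "cheque_date": "2009-02-01"},
                                  "2009-01-15", 4000))                  # post-dated
```

Note that a format failure stops further checking: once a mandatory field is missing, the range and reasonableness results would be meaningless, which is also why the list is ordered format, validation, range, reasonableness.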

Core Banking Solution: The various application modules which would normally form part of the total Core Banking Solution would be:
(a) Customer ID generation (create a customer with a specific number).
(b) Accounts Management (to ensure that the account opening process is in line with the bank's laid down procedures; this module will deal with creating savings accounts, current accounts, cash credit accounts, overdrafts etc.).
(c) Savings Bank and Current Accounts
(d) Fixed Deposits, Recurring Deposits and other Term Deposits.
(e) Cash Operations Module
(f) Clearing Module, which would include inward clearing as also outward clearing.
(g) Bank Guarantee: This module would cover bank guarantees issued by the bank on behalf of customers in favour of third parties, guaranteeing to fulfil the terms of the guarantee. Guarantees may be in the nature of
    (i) Performance guarantee or
    (ii) Deferred Payment guarantee.
(h) Bills: Bills involve trade transactions and would include
    (i) Clean supply of bills
    (ii) Payment Usance Bills
    (iii) Outward Bills (Cheques)
    (iv) Inward bills
(i) Letter of Credit: Letter of Credit refers to an arrangement wherein the issuing bank acts on the request and instructions of a customer.
(j) Remittances: This process involves remittances of money by way of DDs or money transfers etc.
(k) Advances: The banks collect demand deposits and term deposits. Out of the funds collected they maintain the Statutory Liquidity Ratio (SLR) and Cash Reserve Ratio (CRR) as per the RBI's requirements. Out of the balance funds available they lend to priority and non-priority sectors.
The functionality of each of the modules has to be comprehensive.
(l) Master Maintenance: the core banking solution would need to have master data:
    (i) Parameter settings for account type and structure, keeping in view the General Ledger
    (ii) Parameter settings for the interest rates applicable. These interest rates would vary for different parties, e.g., staff, senior citizens etc.
    (iii) Rates would also vary for the tenor of deposits, e.g., 1 year, 2 years etc.

The parameters should be entered into the system with due care. Updating of the parameters is as important as, if not more important than, the original creation. Other examples of critical parameters used by CBS applications would include the list of holidays, authorization rights for exceptional transactions, list of deposits, penalty payable in case of default in RD etc., and the definition of various warnings, exceptions, error codes, work class of various users, type of user etc.

Operational Parameters: Type-wise operational parameters, e.g., TDS and anywhere banking parameters.

Charges Parameters: Standing instruction charges, stop payment instruction charges, cheque book issue charges, account closing charges.

User Related Password Change Parameters: validity, password history, length, structure etc.

Interest Related Parameters: Term deposit interest rates, interest calculation for advances, interest calculated for staff, loan interest calculation for senior citizens – frequency, start date, end date, fixed/flexible, simple/compound etc.


Authorization Parameters Authorization of users varies for exceptional transactions.

Log Maintenance: Logs are a record of activities that have taken place in the system, irrespective of the module. The contents of the log would include:
• The activity
• The user (system)
• Date and time

These logs need to be preserved carefully as they are the conclusive and relevant evidence to prove that a transaction occurred. Naturally the logs should not be capable of being modified. The logs should be accessible only by the authorised person and by none other. The points discussed above provide an over view of controls that need to be in place in a Core Banking Solution.
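One way to make "the logs should not be capable of being modified" checkable rather than a matter of trust is to chain the records: each entry carries a hash of the previous one, so any edit or deletion of an earlier record breaks every hash that follows, and an auditor can verify the whole chain independently of whoever operates the system. The block below is an added example written for this material, not any CBS product's logging code; the record layout (sequence number, activity, user, timestamp, previous hash, hash) is an assumption made for the example. Note that chaining detects tampering; it does not by itself prevent it, so the log file still needs the restricted access the text calls for.

```python
"""Added example: a tamper-evident, hash-chained activity log carrying the
three items listed above (activity, user, date and time) plus a verifier an
auditor can run. Not any CBS product's code; the record layout is assumed."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


class ActivityLog:
    """Append-only log. Each entry embeds the previous entry's hash, so
    editing, deleting or reordering any record invalidates the chain after it."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, activity: str, user: str, when: Optional[datetime] = None) -> dict:
        when = when or datetime.now(timezone.utc)
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries) + 1,
            "activity": activity,
            "user": user,
            "timestamp": when.isoformat(),
            "prev_hash": prev,
        }
        entry["hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry: dict) -> str:
        # SHA-256 over canonical JSON of every field except the hash itself.
        material = {k: v for k, v in entry.items() if k != "hash"}
        return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

    def verify(self) -> tuple:
        """Return (ok, first_bad_seq); first_bad_seq is None when the chain is intact.

        A record is bad if its sequence number is out of order (deletion or
        insertion), its prev_hash does not match the record before it, or its
        own hash no longer matches its contents (modification)."""
        prev = self.GENESIS
        for position, entry in enumerate(self.entries, start=1):
            if (entry["seq"] != position
                    or entry["prev_hash"] != prev
                    or self._digest(entry) != entry["hash"]):
                return False, position
            prev = entry["hash"]
        return True, None


if __name__ == "__main__":
    # Constructed activity, then a simulated edit of the second record.
    log = ActivityLog()
    log.append("login", "teller01")
    log.append("FD created: id 1", "teller01")
    log.append("FD authorised: id 1", "officer02")
    print(log.verify())                    # (True, None)
    log.entries[1]["user"] = "someone_else"
    print(log.verify())                    # (False, 2)
```

In practice the verifier would be run by the auditor over an exported copy of the log, and the most recent hash would be recorded somewhere the system administrator cannot alter, otherwise a complete rewrite of the chain would go unnoticed.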

3.3 Audit of Core Banking Solution

Audit is the process of evaluating the adequacy of controls and also ensuring that the relevant application modules deal comprehensively with the business process. The various aspects to be verified while performing the audit in the Core Banking Solution environment would be:
(a) Review of Security Policy
(b) Review of Business Continuity Planning & BCP policy
(c) Review of Systems Development and Change Management Procedures & process
(d) Network vulnerability assessment and assessment of the effectiveness of Intrusion Detection Systems.
(e) Evaluation of controls in operating systems.
(f) Controls in databases. When any of the services like software development, database management or network management are outsourced, review of the service level agreement to ensure that confidentiality, integrity and availability are taken care of is extremely important. Service level agreements should provide for a systems auditability clause, so that banks will have the right to have a systems audit conducted of the third party services. That means IS audit of outsourcing activities should form part of the IS audit of Core Banking.
(g) Testing of application modules of the Core Banking Solution.
(h) Review of systems logs.
(i) Audit of Internet Banking, audit of ATM and RTGS/NEFT also need to be done; these have been considered separately under their respective heads.

A. Review of Security Policy: Reserve Bank of India has mandated that every bank should have a security policy which is approved by the management. The document should be constantly updated. There should be awareness of the contents of the security policy amongst the employees as applicable to different operations. The security policy applies to the entire organization and to all of its employees, customers and also to third parties to whom services have been outsourced. The broad contents of the security policy should be:
1. Formulation of a security committee to manage information security within the organization.
2. Asset Management: The policy would deal with the procedure for maintaining proper protection of organizational assets. The assets need to be classified according to their sensitivity and criticality to the organization.
3. Human Resources: This would deal with procedures to be followed in connection with employees, contractors and third party users. There should be procedures to be followed under the following circumstances:
    (i) Prior to employment
    (ii) During employment and
    (iii) On termination or change of employment.
   Before employing, background verification should be done. During employment, there should be absolute compliance with the requirements of the security policy. A formal disciplinary procedure for violation of the security requirements should be in place. On termination, all access rights to information processing facilities should be removed immediately.
4. Physical Environment: Procedures should be in place to ensure that unauthorized access, damage or interference is prevented.
5. Communications and Operations Management: Operating procedures should be documented and proper segregation of duties should be implemented, where appropriate, to reduce the risk of intentional systems misuse. This would also apply to outsourced third parties. The other aspects would include network security management policy, e-mail policy, firewall security policy, internet policy, access control policy, cyber security policy etc.
6. Media Handling: It is important that media should be disposed of securely and safely when no longer required. This would prevent leakage of data, especially sensitive data.
7. Access Control: There should be an Access Control Policy to control access to information, which needs to be reviewed based on business and security requirements. There should be a formal user registration and deregistration procedure. Allocation of passwords should be controlled through a formal management process. There should be a regular review of user access rights at frequent intervals. Users also have their own responsibility and should follow the security practices, e.g., selecting passwords, having a clear desk etc.
8. Network Access Policy: Access rights should be purely on a need to know basis. Groups of information service users and information systems should be segregated on networks.
9. Operating System Access Control: Access to the operating system should be controlled by a secure log-on procedure. There should be proper monitoring procedures in place.
10. System Acquisition, Development and Maintenance: Best practices should be in place for program development, testing, modification, library maintenance and also back-up procedures for programs and data.
11. Information Security Incident Management: In spite of best intentions and documentation, there could be a security lapse. Any such incident noticed would be required to be reported through the appropriate management channels.

B. Business Continuity Planning: A well managed process should have been developed and maintained for business continuity throughout the organization. Thus information security is needed for the organization's business continuity. Business Continuity Planning should be tested and updated regularly.
(a) Compliance with local requirements: There should be appropriate procedures in place to ensure proper compliance with legislative, regulatory and contractual requirements.
(b) Review of Business Continuity Planning: Business Continuity Planning is a process by which the bank ensures the maintenance and recovery of operations. The objectives of Business Continuity Planning would include minimizing financial losses, continuing to serve customers without interruption, and keeping up the image of the bank. Business Continuity Planning is distinct from Disaster Recovery Planning (DRP). Disaster Recovery Planning has the objective of planning to recover from the impact of a disaster, to bring back support services and to restore normalcy. Business Continuity Planning should take into consideration critical business functions and prioritise them. The plan should cover the following important and critical processes:
• Branch Operations
• Administrative Operations
• Internet Banking
• ATM Operations
• RTGS / NEFT
• All other alternate delivery channels

The various disaster scenarios need to be considered and a few examples are given below:
• There is no access to the Computer Services Department building and also to the Data Centre.
• There is access to the Computer Systems Department building, but the Data Centre cannot be accessed.
• The main server at the Data Centre has gone down though access to the systems department is available.
• The Computer Systems Department and Data Centre site are available but the connection to all branches and Head Office is unavailable.

The various likely scenarios need to be envisaged and a plan has to be in place so that the bank's business operations are carried on without interruption. So, while auditing, we need to verify whether there is a Business Continuity Plan, whether it has been tested and whether it is constantly updated.

C. Review of Systems Development and Change Management Procedures: Core Banking Solution software will consist of many modules. System development refers to the process of developing software which would produce the required output from the input provided, of course using the necessary hardware and communication systems. The systems, whether supplied by outsiders or developed in house, should meet the deliverables accepted and approved by the management. The objectives of audit would include reviewing the following:
(a) Whether the systems are implemented with adequate internal controls.
(b) Whether the business functionality is comprehensive.

In a banking scenario the management may requisition the services of the auditor before implementation or while the system is in the process of being implemented. Irrespective of when the audit is going to be done, there needs to be a procedure which is strictly adhered to as far as development of systems is concerned. There should be a formal request from an authorised person. The programs, after they are developed, should be tested in a test environment. The programs would be tested for functionality and adequacy of internal controls. When programs are tested, certain inadequacies and deficiencies could be discovered. The program would go back to the Programming Team for correction. Again it would be tested. This is an iterative process. It is important that whenever a program is changed to set right a particular situation, the entire program should be tested. This would ensure that the changed program continues to perform in the same manner in all other aspects as before the change was implemented.

Process of moving a tested program from the testing environment to the production environment: The Development Department and the Production Department should be separate and isolated. Under no circumstances should any member of the development team have access to the production environment. These aspects have been discussed in detail while discussing the organization structure of a computer department and incompatible functions. A completely tested program from the development department should be moved to the library, and the librarian should move the same to the production environment, with full documentation being maintained.

Change Management: However well developed the software, it could require to be changed. This could arise either due to additional business process requirements or technology changes, as also additional bugs being discovered. There should be a formal and well documented procedure in place for changes effected. There should be a register maintained to keep a tag on the different versions of the program. These registers could also be maintained on the computer.

(d) Network Security: In a core banking solution, as discussed in the earlier chapters, there is a complicated network system. All the servers (Application Server, Database Server, Antivirus Server, Web Server, Internet Server etc.) are at the data centre in a central location. The branches are situated all over the country. ATM kiosks and e-lobbies are situated in different places, and customers are accessing the facilities from different places. Customers are provided internet banking. In view of all these facilities, we can imagine the complicated network which has to be in place. In view of this, network security assumes great importance. Performing a vulnerability assessment of a network requires technical knowledge. However, it is necessary that network vulnerability assessment is performed periodically by competent people and a report should be available. Weaknesses in the communication systems which have been highlighted need to be plugged. Vulnerability assessment is a continuous process. 'Patches' (solutions for dealing with vulnerabilities discovered) are made available on the net. The network administrator has to be constantly applying the patches. If the patches are not applied and the weak points highlighted by the vulnerability assessment are not attended to immediately, the bank's network is open to exploitation. It can easily be hacked. To prevent such security lapses, it is imperative that vulnerability assessment is performed by competent people. There are certain tools available which properly trained people can use. The systems auditor must verify whether regular network vulnerability assessments have been performed by competent people. Similarly, it is also important to ensure that intrusion detection and intrusion prevention are taken care of. There are tools again which could be used by competent people, who would evaluate the strength of the network and detect if there are any weak points which could be exploited by an intruder.

(e) Evaluation of Controls in Operating Systems: An operating system is a set of computer programs that manage the hardware and software resources of a computer. Operating systems contain the whole list of policies and the systems administrator administers the policies. It is the responsibility of the systems administrator to ensure that all patches applicable to the particular operating system are applied. The systems administrator should also ensure that unnecessary services and facilities are disabled. Applying patches is an ongoing process. An Administrator Guide is available with every operating system and it provides all important information, including the implications of security settings. Proper testing is required before applying any patches.

(f) Testing Application Systems: This process consists of independently ensuring that computer systems (hardware, software and communication systems) produce the required output from the given input. Each of the modules needs to be tested. The auditor needs to be knowledgeable about the business process of each of the modules, e.g., Savings Bank Account, Current Account, Fixed Deposits, Loans, Bills etc.

Procedure for testing: The bank would be required to provide a separate system complete with a copy of the Core Banking Solution software, database, master files etc. The auditor should request the bank to create at least two user IDs and passwords. The software has to be an exact replica of the one running in the live environment, i.e., the version number should be the same. The auditor will verify all the application modules one by one to verify the completeness of the functionality, the built-in controls in the system and controls, if any, outside the system. Broad guidelines for testing one of the modules, viz. Fixed Deposits, are provided below:

ADVANCE INFORMATION TECHNOLOGY TRAINING

125

When the system is switched on, it will ask for the user ID and password. The auditor should use the user ID and password provided by the Bank, and should take the necessary steps to change the password, as otherwise accountability for the usage of the computer would be lost. A screen will then give the option of choosing the module; the FD module could be chosen. The flow of the process for the FD system and the various screens need to be studied initially to get an overview. The FD system cannot be tested straight away, as a customer would first need to be created, and the KYC (Know Your Customer) norms required by the Reserve Bank of India need to be complied with. Now the process to be tested is the FD system. Choose one customer and create a cheque deposit for the deposit account. Naturally, unless the customer has adequate funds the cheque cannot be honoured, so the program has to verify this; for the test, presume that there are enough funds. Data for the cheque is keyed in on the relevant screen. The auditor is always testing to verify whether the system will function properly under specific conditions. In principle, a post-dated cheque should not be accepted. For testing purposes the auditor can try to enter a cheque with a date which is beyond the system date. Having entered the data on the screen, the user can now press “accept”. If the programme is working properly, the computer would pop up a message “cheque date beyond system date” or a similar message to convey that it is a post-dated cheque. Whatever attempts are made, the cheque should not be accepted by the system. Similarly, a cheque not belonging to the customer, or a cheque belonging to the customer where the customer has no balance, could be among the many testing conditions. In case an error message is flashed, corrective action needs to be taken and the data properly entered. However, even then the system should not accept the entry unless another individual authorises it.
The entry should wait for authorization. The authorization should be capable of being done only with another user ID and password. This concept is called the “maker-checker concept”. This is very essential, as it ensures that there is dual control. To test the “maker-checker concept”, the auditor can try to authorise a transaction using his own user ID and password. The system, if correctly functioning, should not accept the operation; it should flash a message similar to “illegal”. Similarly, after an authorization has been completed properly, none of the entries should be amenable to modification. Hence the auditor can try to change any of the fields like maturity date, amount etc.; that should not be possible. Presuming there are no errors in logic, after passing through certain sequential menus the FD would be created in the system depending upon the tenure (one year, two years etc.). The interest rate will be picked up from the master data. One of the earlier screens may require information regarding the customer type; when it asks for this, we should provide information regarding the customer like ‘senior citizen’, ‘staff member’ etc. Based upon the customer type and time period of the FD, the programme (the CBS software) will look up the parameterised table and choose the correct rate. If parameterization of master data is not correctly done (and also not tested properly), naturally an incorrect rate would be picked up. Under normal circumstances, these basic components of the program would have been tested before releasing the same. However, the auditor should still test these aspects, as errors are likely to crop up when the rates are changed.
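The controls described above (rejection of a post-dated cheque, cheque ownership and funds checks, the maker-checker rule, no modification after authorization, and the parameterised rate look-up) can be walked through on a small model of the FD entry. The following Python is an added example written for this material, not code from any CBS product; the rate table, customer types, user IDs and account data are constructed values.

```python
"""Added model of the FD entry controls an auditor tests in a CBS FD module.

All names, rates and accounts below are constructed for illustration; they
are not taken from any bank's master data or CBS software.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed parameterised rate master: (customer type, tenure in years) -> annual rate %.
# In a real CBS this comes from the bank's master data, which is what the auditor
# checks has been parameterised (and re-tested) correctly.
RATE_TABLE = {
    ("general", 1): 6.50, ("general", 2): 7.00,
    ("senior citizen", 1): 7.00, ("senior citizen", 2): 7.50,
    ("staff member", 1): 7.50, ("staff member", 2): 8.00,
}


class ControlError(Exception):
    """Raised when a built-in control rejects an operation (the error message the auditor expects)."""


@dataclass
class Account:
    customer_id: str
    customer_type: str
    balance: float


@dataclass
class FixedDeposit:
    maker: str                      # user ID that keyed in the entry
    customer_id: str
    amount: float
    tenure_years: int
    cheque_date: date
    rate: float
    checker: Optional[str] = None   # set only by a second user ID (maker-checker)

    @property
    def authorised(self) -> bool:
        return self.checker is not None


def create_fd(maker: str, account: Account, cheque_owner: str, cheque_date: str,
              amount: float, tenure_years: int, system_date: str) -> FixedDeposit:
    """Key in the FD entry; input validation is the first layer of control."""
    chq, today = date.fromisoformat(cheque_date), date.fromisoformat(system_date)
    if chq > today:
        raise ControlError("cheque date beyond system date")        # post-dated cheque
    if cheque_owner != account.customer_id:
        raise ControlError("cheque does not belong to the customer")
    if account.balance < amount:
        raise ControlError("insufficient funds in customer account")
    try:
        rate = RATE_TABLE[(account.customer_type, tenure_years)]    # parameterised look-up
    except KeyError:
        raise ControlError("no rate parameterised for this customer type and tenure") from None
    return FixedDeposit(maker, account.customer_id, amount, tenure_years, chq, rate)


def authorise_fd(fd: FixedDeposit, checker: str) -> FixedDeposit:
    """Second leg of the maker-checker control: a different user ID must authorise."""
    if fd.authorised:
        raise ControlError("entry is already authorised")
    if checker == fd.maker:
        raise ControlError("illegal: maker cannot authorise own entry")
    fd.checker = checker
    return fd


def amend_fd(fd: FixedDeposit, **changes) -> FixedDeposit:
    """Fields such as amount or tenure may change only before authorisation."""
    if fd.authorised:
        raise ControlError("authorised entry cannot be modified")
    for field_name, value in changes.items():
        if field_name not in ("amount", "tenure_years", "cheque_date"):
            raise ControlError(f"field {field_name!r} is not amendable")
        setattr(fd, field_name, value)
    return fd


def control_message(operation, *args, **kwargs) -> Optional[str]:
    """Run one test condition the way an auditor would: return the control's
    error message if the system rejects it, or None if it is accepted."""
    try:
        operation(*args, **kwargs)
    except ControlError as err:
        return str(err)
    return None


if __name__ == "__main__":
    acct = Account("C001", "senior citizen", balance=50000.0)
    today = "2009-01-10"
    # Post-dated cheque: must be rejected whatever the other inputs
    print(control_message(create_fd, "teller1", acct, "C001", "2009-01-15", 10000.0, 2, today))
    fd = create_fd("teller1", acct, "C001", "2009-01-05", 10000.0, 2, today)
    print(f"rate picked up from master: {fd.rate}%")
    # Maker trying to authorise own entry, then a genuine checker
    print(control_message(authorise_fd, fd, "teller1"))
    authorise_fd(fd, "officer2")
    # Modification after authorisation must fail
    print(control_message(amend_fd, fd, amount=99999.0))
```

Each call to `control_message` is one of the auditor's test conditions; a `None` result where a message was expected is a control failure to report.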


The auditor could test it for other aspects like pre-closure of the FD, issue of a duplicate receipt etc. While testing pre-closure, the auditor would verify whether the logic is working properly, for example by applying the appropriate penalty rate and making proper adjustments against the amount payable to the customer. In the case of an application for issue of a duplicate FD receipt, the system should verify whether the original FD is in existence and, before issuing a duplicate FD receipt, that fact should be noted in the system by “flagging the FD record in the computer system”. If such a procedure is not in place, the possibility of amounts being repaid both on the original as well as on the duplicate cannot be ruled out. This may be discovered much later! This extensive and exhaustive testing of the program depends entirely on the in-depth knowledge of the auditor and his capability to test the system under different conditions. All of the application modules in a core banking solution would need to be tested similarly, taking into consideration the respective business process and the accepted built-in controls. Testing of internet banking, ATM and RTGS, as mentioned earlier, is not considered here as these have been dealt with separately.

(g) Review of Systems Logs: Logs, as already mentioned, are reports generated by the system automatically. However, it needs to be mentioned that they are generated automatically only once the system has been programmed to do so. Auditors should review the systems logs. The systems logs could be classified as:

(a) Operating System Logs
(b) Application Logs and
(c) Database Logs

The above are exclusive of logs generated by network devices.

Operating System Logs: Depending upon the operating system (Windows 2000, Windows 2003, Unix etc.), logs are generated containing authentic information related to security. The administration manual of the operating system concerned would provide enough guidance to evaluate security concerns, if any.

Application Logs: Application logs are logs generated by the application programs. While developing the programs, decisions are taken regarding the aspects to be reviewed and the logs to be prepared. In banks, logs would be generated for loan authorisation, limit creation, pre-closure of deposits and all such activities. A review of these logs would provide information to the auditor for security evaluation. The system could also be programmed to generate exception reports. An auditor should collect details about the exception reports which have been generated. The exception reports could include:

(a) Accounts opened and closed during the month,
(b) Loan Arrears and
(c) Temporary Overdrafts granted etc.


Database Logs: These logs are available only to the computer systems department and could be viewed only by an authorised user like the database administrator. There could be other significant database logs to review changes made at the database level but not through the application. This is a matter of serious data concern. Log management is essential to ensure that computer security records are stored in sufficient detail for an appropriate period of time.


UNIT 5: ENTERPRISE RESOURCE PLANNING

CHAPTER 1: ERP OVERVIEW

LEARNING OBJECTIVES
- What is the ERP concept?
- Business functions and Business processes
- Business Modelling
- ERP and Related Technologies
- Enterprise Resource Planning using Web 2.0
- Open Source ERP Products

1.1 What is the ERP Concept? An enterprise is a group of people with a common goal, having certain resources at its disposal to achieve this goal. In the enterprise view, the entire organization is considered as one system and all the departments are its sub-systems. Information regarding all aspects of the organization is stored centrally and is available to all departments. Resources include money, manpower, materials, machines, technologies etc.

[Fig. 1.1.1: departmental systems (Production Planning, Production, Human Resources, Research & Development, Marketing, Logistic Management, Quality Management, Finance, Sales & Distribution) shown as stand-alone systems with no communication between them]

Fig. 1.1.1 An enterprise wherein there are stand alone Systems with no communication

As shown in Fig. 1.1.1, each department will maintain separate databases and design applications as per their functionalities. As shown in Fig. 1.1.2, ERP combines all the business requirements of the company together into a single, integrated software program that runs off a single database so that the various departments can more easily share information and communicate with each other. This transparency and information access ensures that the departments no longer work in isolation pursuing their own independent goals. Each sub-system knows what others are doing, why they are doing it and what should be done to move the company towards the common goal. The ERP systems help to make this task easier by integrating the information systems, enabling smooth and seamless flow of information across departmental barriers, automating business processes and functions, and thus helping the organization to work and move forward as a single entity.

[Fig. 1.1.2: the same departments (Production Planning, Production, Human Resources, Research & Development, Logistic Management, Marketing, Quality Management, Finance, Sales & Distribution) all connected through a CENTRAL DATABASE]

Fig. 1.1.2. Enterprise where all Departments communicate to each other in an ERP System

1.2 Business Functions and Business Processes Organizations have different functional areas of operation – marketing and sales, production and materials management, accounting and finance, human resources etc. Each functional area comprises a variety of business functions and business activities. A business process is a collection of activities that takes one or more kinds of input and creates an output that is of value to the customer. A business process cuts across more than one business function to get a task done. For example, one of the business functions of the customer service department is to accept the damaged item and to replace or repair it depending upon the severity of the damage, whereas the actual repair or replacement of the car is a business process that involves several functional areas and functions within those areas. Sharing data effectively and efficiently between and within functional areas leads to more efficient business processes. Information systems can be designed so that accurate and timely data are shared between functional areas. These systems are called Integrated Information Systems.


1.3 Business Modeling The approach to ERP is to first develop a business model comprising the business processes or activities that are the essence of the business. A business model is not a mathematical model, but a representation of the business as one large system showing the interconnections and interdependencies of the various sub-systems and business processes. In business modeling, the business is modeled as an integrated system, and the processes, facilities and materials being managed are the resources. Information, though not described as a resource, is vital in managing all the resources and can therefore be added as a resource while showing the concept of a business. Thus the business model is a representation of the actual business: the various business functions of the organization, how they are related, their interdependencies, and so on. The business model is represented in graphical form using flowcharts and flow diagrams. The data model of the system is created from the business model.

Integrated Data Model ERP systems provide access to the integrated data to all the employees from the different departments. With the implementation of ERP systems, all the data has to come from the integrated database and not from isolated databases, thus reducing data redundancy and providing updated, up-to-the-minute information about the entire organization to all the employees. Thus, while designing the data model for the ERP system, the most important things are information integration and process/procedure automation. The data model should reflect the entire organization and should successfully depict an integrated data structure of the entire organization. Fig. 1.1.3 depicts the data model and its relationship with the Real World.


[Fig. 1.1.3: REAL WORLD (Plant, Material, Customer Order, Contract, Invoice, with their interrelationships and interdependencies) -> BUSINESS MODEL (processes) -> DATA MODEL (tables, fields, views, domains etc.) -> PROGRAM MODEL (programs, functions, display screens etc.); the data model and program model together form the Data & Program Model]

Fig. 1.1.3. Interrelationship between Models

1.4. ERP and Related Technologies
1. Business Intelligence
2. Online Analytical Processing (OLAP)
3. Product Life Cycle Management (PLM)
4. Supply Chain Management (SCM)
5. Customer Relationship Management (CRM)


1.4.1 Business Intelligence Business Intelligence (BI) refers to the skills, processes, technologies, applications and practices used to facilitate better, more accurate and quicker decision making. Business intelligence systems are data-driven Decision Support Systems. In modern businesses, the use of standards, automation and specialized software, including analytical tools, allows large volumes of data to be extracted, transformed, loaded and warehoused, greatly increasing the speed at which information becomes available for decision-making. To maximize the value of the information stored in ERP systems, it is necessary to extend the ERP architecture to include more advanced reporting, analytical and decision support capabilities. This is best accomplished through the application of data warehousing, data mining, OLAP and other analysis, reporting and business intelligence tools and techniques.

1.4.2 Data Warehousing If operational data is kept in the database of the ERP system, it can create a lot of problems. As time passes, the amount of data will increase and this will affect the performance of the ERP system: as the volume of data in the database increases, the performance of the database and the related application degrades. Thus, archiving the operational data once its use is over is a better option. Data warehousing technology is the process of creating and utilizing the company’s historical data, i.e. separating the operational data from non-operational data. The primary concept of data warehousing is that the data stored for business analysis can most effectively be accessed by separating it from the data in the operational systems.

[Fig. 1.1.4: data capture and use in Operational Systems (operational view: Academic Records, Payroll, Student Finance, Financial Accounting) versus data analysis in Informational Systems (information view: Student Performance, Ad-hoc inquiries, Data Mining), both drawing on internal & external data]

Fig. 1.1.4. Different Data for Different Uses

Data Warehouses can be defined as subject-oriented, integrated, time-variant, non-volatile collections of data used to support analytical decision making. The data in the Warehouse comes from the operational environment and external sources.


Subject Orientation: Data Warehouses are designed around the major subject areas of the enterprise; the operational environment is designed around applications and functions. Data Warehouses do not contain information that will not be used for informational or analytical processing; operational databases contain detailed data that is needed to satisfy processing requirements but which has no relevance to management or analysis.

Integration and Transformation: The data within the Data Warehouse is integrated, which means that there is consistency among naming conventions, measurements of variables, encoding structures, physical attributes, and other salient data characteristics. As the data is moved to the warehouse, it is transformed into a consistent representation as required.

Time Variance: Data in a Data Warehouse is accurate as of some moment in time, providing an historical perspective. This differs from the operational environment, in which data is intended to be accurate as of the moment of access.

Non-Volatility: Data in the warehouse is static, not dynamic. The only operations that occur in Data Warehouse applications are the initial loading of data, access of data, and refresh of data. For these reasons, the physical design of a Data Warehouse optimizes the access of data, rather than focusing on the requirements of data update and delete processing.

In the Data Warehouse model, operational databases are not accessed directly to perform information processing. Rather, they act as the source of data for the Data Warehouse, which is the information repository and point of access for information processing. An Operational Data Store (ODS) is a database designed to integrate data from multiple sources to make analysis and reporting easier. Because the data originates from multiple sources, the integration often involves cleaning, resolving redundancy and checking against business rules for integrity.

There are sound reasons for separating operational and informational databases, as described below.

- The users of informational and operational data are different. Users of informational data are generally managers and analysts; users of operational data tend to be clerical, operational and administrative staff. Fig. 4 illustrates the fact that different sets of users access the data, using different sets of applications and for different purposes.
- Operational data differs from informational data in context and currency. Informational data contains an historical perspective that is not generally used by operational systems.
- The technology used for operational processing frequently differs from the technology required to support informational needs.
- The processing characteristics for the operational environment and the informational environment are fundamentally different.

Data Warehousing Activities: Data Warehousing requires both business and technical expertise and involves the following activities:

- Accurately identifying the business information that must be stored in the warehouse.
- Identifying and prioritizing subject areas to be included in the Data Warehouse.
- Managing the scope of each subject area which will be implemented into the Warehouse on an iterative basis.
- Developing a scalable architecture to serve as the warehouse’s technical and application foundation, and identifying and selecting the hardware/software/middleware components to implement it.
- Extracting, cleansing, aggregating, transforming and validating the data to ensure accuracy and consistency.
- Defining the correct level of summarization to support business decision making.
- Establishing a refresh program that is consistent with business needs, timing and cycles.
- Providing user-friendly, powerful tools at the desktop to access the data in the Warehouse.
- Educating the business community about the realm of possibilities that are available to them through Data Warehousing.
- Establishing a data warehouse help desk and training users to effectively utilize the desktop tools.
- Establishing processes for maintaining, enhancing and ensuring the ongoing success and applicability of the warehouse.

Data Warehousing Functions Fig. 5 illustrates the flow of data from originating sources to the user, and includes management and implementation aspects. It starts with access mechanisms for retrieving data from heterogeneous operational data sources. That data is replicated via a transformation model and stored in the data warehouse. The definitions of data elements in the data warehouse and in the data sources, and the transformation rules that relate them, are referred to as ‘metadata’. Metadata is “data about data” and is the means by which the end-user finds and understands the data in the warehouse. The data transformation and movement processes are executed whenever an update to the warehouse data is desired. Different parts of the warehouse may require updates at different times, some at regular intervals such as weekly or monthly, and some on specified dates. There should be a capability to manage and automate the processes required to perform these functions. Particularly in a multi-vendor environment, adopting an architecture with open interfaces would facilitate the integration of the products that implement these functions. Quality consulting services can be an important factor in assuring a successful and cost-effective implementation.


Fig. 1.1.5. Data Warehousing Functions

Benefits
- A data warehouse provides a common data model for all data of interest regardless of the data's source. This makes it easier to report and analyze information than it would be if multiple data models were used to retrieve information such as sales invoices, order receipts, general ledger charges, etc.
- Prior to loading data into the data warehouse, inconsistencies are identified and resolved. This greatly simplifies reporting and analysis.
- Information in the data warehouse is under the control of data warehouse users so that, even if the source system data is purged over time, the information in the warehouse can be stored safely for extended periods of time.
- Because they are separate from operational systems, data warehouses provide retrieval of data without slowing down operational systems.
- Data warehouses can work in conjunction with and, hence, enhance the value of operational business applications, notably customer relationship management (CRM) systems.
- Data warehouses facilitate DSS applications such as trend reports (e.g., the items with the most sales in a particular area within the last two years), exception reports, and reports that show actual performance versus goals.

Disadvantages
- Data warehouses are not the optimal environment for unstructured data.
- Because data must be extracted, transformed and loaded into the warehouse, there is an element of latency in data warehouse data.
- Over their life, data warehouses can have high costs. Maintenance costs are high.
- Data warehouses can get outdated relatively quickly. There is a cost of delivering suboptimal information to the organization.

Application Areas Some of the applications data warehousing can be used for are:
- Credit card churn analysis
- Insurance fraud analysis
- Call record analysis
- Logistics management.

1.4.3 Data Mining Data Mining is the process of identifying valid, novel, potentially useful and ultimately comprehensible knowledge from databases that is used to make crucial business decisions. Data mining is the process of extracting patterns from data. As more data are gathered, data mining is becoming an increasingly important tool to transform these data into information. It is commonly used in a wide range of profiling practices, such as marketing, surveillance, fraud detection and scientific discovery. Data mining in relation to Enterprise Resource Planning is the statistical and logical analysis of large sets of transaction data, looking for patterns that can aid decision making. The main reason for the necessity of automated computer systems for intelligent data analysis is the enormous volume of existing and newly appearing data, accumulated each day by various business, scientific and governmental organizations around the world, that requires processing. Further, automated data mining systems have a much lower cost than hiring an army of highly trained professional statisticians. While data mining does not eliminate human participation in solving the task completely, it significantly simplifies the job and allows an analyst who is not a professional in statistics and programming to manage the process of extracting knowledge from data.

1.4.4 Online Analytical Processing (OLAP) Online Analytical Processing, or OLAP, is an approach to quickly answering multi-dimensional analytical queries. OLAP is part of the broader category of business intelligence, which also encompasses relational reporting and data mining. The typical applications of OLAP are in business reporting for sales, marketing, management reporting, Business Process Management (BPM), budgeting and forecasting, financial reporting and similar areas. Databases configured for OLAP use a multidimensional data model, allowing complex analytical and ad-hoc queries with a rapid execution time. OLAP systems use the concept of an OLAP cube (also called a multidimensional cube or a hypercube), consisting of numeric facts called measures which are categorized by dimensions. The cube metadata is typically created from a set of tables (fact and dimension tables) in a relational database. Measures are derived from the records in the fact table and dimensions are derived from the dimension tables.


The output of an OLAP query is typically displayed in a matrix (or pivot) format. The dimensions form the rows and columns of the matrix; the measures form the values.
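To make the cube idea concrete, the following Python is an added example (not from this material or any OLAP product) that builds a small cube from constructed fact and dimension tables, rolls a measure up over the dimensions not asked for, slices on one dimension member, and returns the matrix (pivot) form of a query. All table contents, dimension names and measures are constructed sample values.

```python
"""Added example: a minimal OLAP cube built from fact and dimension tables.

Every table below is constructed sample data for illustration only.
"""
from collections import defaultdict

# Constructed dimension tables: surrogate key -> member name.
DIM_REGION = {1: "North", 2: "South"}
DIM_PRODUCT = {10: "Laptop", 11: "Phone"}
DIM_YEAR = {2008: "2008", 2009: "2009"}

# Constructed fact table: each row carries the dimension keys and the numeric measures.
FACT_SALES = [
    {"region_id": 1, "product_id": 10, "year": 2008, "units": 5, "revenue": 5000.0},
    {"region_id": 1, "product_id": 11, "year": 2008, "units": 8, "revenue": 2400.0},
    {"region_id": 2, "product_id": 10, "year": 2008, "units": 3, "revenue": 3300.0},
    {"region_id": 1, "product_id": 10, "year": 2009, "units": 6, "revenue": 6600.0},
    {"region_id": 2, "product_id": 11, "year": 2009, "units": 10, "revenue": 3000.0},
    {"region_id": 2, "product_id": 10, "year": 2009, "units": 4, "revenue": 4400.0},
]


class Cube:
    """Measures categorised by dimensions; each cell is one combination of dimension members."""

    def __init__(self, facts, dims, measures):
        # dims: dimension name -> (fact column holding the key, dimension table)
        self.dim_names = list(dims)
        self.measures = list(measures)
        self.cells = defaultdict(lambda: dict.fromkeys(self.measures, 0))
        for row in facts:
            # Resolve each foreign key through its dimension table to get the member name
            key = tuple(dims[d][1][row[dims[d][0]]] for d in self.dim_names)
            for m in self.measures:
                self.cells[key][m] += row[m]

    def members(self, dim):
        """Sorted members of a dimension that actually occur in the cube."""
        i = self.dim_names.index(dim)
        return sorted({key[i] for key in self.cells})

    def aggregate(self, keep, measure, where=None):
        """Roll 'measure' up over every dimension not listed in 'keep'.

        'where' is an optional slice, e.g. {"year": "2009"}, applied before summing.
        Returns {(member of keep[0], member of keep[1], ...): total}.
        """
        where = where or {}
        pos = {d: self.dim_names.index(d) for d in self.dim_names}
        totals = defaultdict(int)
        for key, cell in self.cells.items():
            if any(key[pos[d]] != member for d, member in where.items()):
                continue
            totals[tuple(key[pos[d]] for d in keep)] += cell[measure]
        return dict(totals)

    def pivot(self, row_dim, col_dim, measure, where=None):
        """The matrix output of an OLAP query: rows and columns are dimension
        members, the cells are the measure rolled up over all other dimensions."""
        totals = self.aggregate((row_dim, col_dim), measure, where)
        rows, cols = self.members(row_dim), self.members(col_dim)
        matrix = [[totals.get((r, c), 0) for c in cols] for r in rows]
        return rows, cols, matrix


def build_sales_cube():
    """Cube metadata: which fact column joins to which dimension table, and the measures."""
    dims = {
        "region": ("region_id", DIM_REGION),
        "product": ("product_id", DIM_PRODUCT),
        "year": ("year", DIM_YEAR),
    }
    return Cube(FACT_SALES, dims, ("units", "revenue"))


def format_pivot(rows, cols, matrix, corner=""):
    """Render the pivot as aligned text for a quick look."""
    width = max(len(str(x)) for x in [corner, *rows, *cols, *sum(matrix, [])])
    lines = ["".join(f"{str(c):>{width + 2}}" for c in [corner, *cols])]
    for r, values in zip(rows, matrix):
        lines.append("".join(f"{str(v):>{width + 2}}" for v in [r, *values]))
    return "\n".join(lines)


if __name__ == "__main__":
    cube = build_sales_cube()
    # Revenue by region (rows) and product (columns), rolled up over year
    print(format_pivot(*cube.pivot("region", "product", "revenue"), corner="revenue"))
    # Same query sliced to a single year member
    print(format_pivot(*cube.pivot("region", "product", "revenue", where={"year": "2009"}), corner="2009"))
    # Roll-up to one dimension only
    print(cube.aggregate(("year",), "units"))
```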

Characteristics of OLAP
1. Fast: Means that the system is targeted to deliver most responses to users within a very short time.
2. Analysis: Means that the system can cope with any business logic and statistical analysis that is relevant for the application and the user, and keep it easy enough for the target user.
3. Shared: Means that the system implements all the security requirements for confidentiality and, if multiple write access is needed, concurrent update locking at an appropriate level.
4. Multi-Dimensional: Means that the system must provide a multi-dimensional conceptual view of the data, including full support for hierarchies and multiple hierarchies.
5. Information: Is all of the data and derived information needed, wherever it is and however much is relevant for the application.

OLAP technology is most commonly applied for sales and marketing analysis, financial reporting and consolidation, budgeting and planning, product profitability and pricing analysis, activity based costing, manpower planning and quality analysis.

1.4.5 Product Life cycle Management (PLM) The conditions under which a product is sold will change over time. The product life cycle refers to the succession of stages a product goes through. Product Life cycle Management is the succession of strategies used by management as a product goes through its life cycle. In other words, PLM is the process of managing the entire lifecycle of a product from its conception, through design and manufacture, to service and disposal. PLM integrates people, data, processes and business systems and provides a product information backbone for companies and their extended enterprise. PLM helps organizations in the following areas:
- Reduce time-to-market through faster design and validation.
- Optimally deploy CAD and prototyping resources to complete critical projects.
- Reduce product development and manufacturing costs.
- Reduce levels of obsolete component inventory at multiple locations.
- Get product design changes into production quickly.

1.4.6 Supply Chain Management A supply chain is a network of facilities and distribution options that performs the functions of procurement of materials, transformation of these materials into intermediate and finished products and the distribution of these finished products to customers. Supply chain management (SCM) is the management of a network of interconnected businesses involved in the ultimate provision of product and service packages required by end customers. It is defined as the process of planning, implementing and controlling the operations of the Supply chain as efficiently as possible. SCM includes movement and storage of raw materials, work-in-process inventory, and finished goods from point-of-origin to point-of-consumption. In essence, SCM integrates supply and demand management within and across companies. SCM can be grouped into strategic, tactical and operational levels of activities.

Strategic
- Strategic network optimization, including the number, location, and size of warehousing, distribution centers, and facilities.
- Strategic partnerships with suppliers, distributors, and customers, creating communication channels for critical information and operational improvements such as cross docking, direct shipping, and third-party logistics.
- Product life cycle management, so that new and existing products can be optimally integrated into the supply chain and capacity management activities.
- Information technology infrastructure to support supply chain operations.
- Where-to-make and what-to-make-or-buy decisions.
- Aligning overall organizational strategy with supply strategy.

Tactical
- Sourcing contracts and other purchasing decisions.
- Production decisions, including contracting, scheduling, and planning process definition.
- Inventory decisions, including quantity, location, and quality of inventory.
- Transportation strategy, including frequency, routes, and contracting.
- Benchmarking of all operations against competitors and implementation of best practices throughout the enterprise.
- Milestone payments.
- Focus on customer demand.

Operational
- Daily production and distribution planning, including all nodes in the supply chain.
- Production scheduling for each manufacturing facility in the supply chain (minute by minute).
- Demand planning and forecasting, coordinating the demand forecast of all customers and sharing the forecast with all suppliers.
- Sourcing planning, including current inventory and forecast demand, in collaboration with all suppliers.
- Inbound operations, including transportation from suppliers and receiving inventory.
- Production operations, including the consumption of materials and flow of finished goods.
- Outbound operations, including all fulfillment activities, warehousing and transportation to customers.
- Order promising, accounting for all constraints in the supply chain, including all suppliers, manufacturing facilities, distribution centers, and other customers.

SCM addresses an organization's supply chain challenges through seven service areas, as shown in Fig 1.1.6:
- Supply Chain Strategy
- Supply Chain Planning
- Logistics
- Procurement
- Product Lifecycle Management
- Supply Chain Enterprise Applications
- Asset management

Fig. 1.1.6. Data Warehousing Functions

1.4.7 Customer Relationship Management (CRM) Customer Relationship Management is a corporate level strategy, focusing on creating and maintaining relationships with customers. It covers methods and technologies used by companies to manage their relationships with clients. There are several different approaches to CRM, with different software packages focusing on different aspects:

1. Operational CRM

Operational CRM provides support to "front office" business processes, e.g. to sales, marketing and service staff. Interactions with customers are generally stored in customers' contact histories, and staff can retrieve customer information as required. The contact history provides staff members with immediate access to important information on the customer (products owned, prior support calls etc.), eliminating the need to individually obtain this information directly from the customer. Reaching the customer at the right time and the right place is preferable. Operational CRM processes customer data for a variety of purposes:
- Managing campaigns
- Enterprise Marketing Automation
- Sales Force Automation
- Sales Management System

2. Analytical CRM

Analytical CRM analyzes customer data for a variety of purposes:
- Designing and executing targeted marketing campaigns
- Designing and executing campaigns, e.g. customer acquisition, cross-selling, up-selling, add-on selling
- Analyzing customer behavior in order to make decisions relating to products and services (e.g. pricing, product development)
- Management information system (e.g. financial forecasting and customer profitability analysis)

Analytical CRM generally makes heavy use of data mining and other techniques to produce useful results for decision-making. It is at the analytical stage that the importance of fully integrated CRM software becomes most apparent - the more information available to analytical software, the better its predictions and recommendations will be.

3. Sales Intelligence CRM

Sales Intelligence CRM is similar to Analytical CRM, but is intended as a more direct sales tool. Features include alerts sent to sales staff regarding:

- Cross-selling/Up-selling/Switch-selling opportunities
- Customer drift
- Sales performance
- Customer trends
- Customer margins
- Customer alignment

4. Campaign Management

Campaign management combines elements of Operational and Analytical CRM. Campaign management functions include:
- Targeting groups formed from the client base according to selected criteria
- Sending campaign-related material (e.g. on special offers) to selected recipients using various channels (e.g. e-mail, telephone, SMS, post)
- Tracking, storing, and analyzing campaign statistics, including tracking responses and analyzing trends

5. Collaborative CRM

Collaborative CRM covers aspects of a company's dealings with customers that are handled by various departments within a company, such as sales, technical support and marketing. Staff members from different departments can share information collected when interacting with customers. For example, feedback received by customer support agents can provide other staff members with information on the services and features requested by customers. Collaborative CRM's ultimate goal is to use information collected by all departments to improve the quality of services provided by the company. Producers can use CRM information to develop products or find new markets. CRM facilitates communication between customers, suppliers and partners.

6. Consumer Relationship CRM

Consumer Relationship System (CRS) covers aspects of a company's dealings with customers handled by the Consumer Affairs and Customer Relations contact centers within a company. Representatives handle in-bound contact from anonymous consumers and customers. Early warnings can be issued regarding product issues (e.g. item recalls) and current consumer sentiment can be tracked (voice of the customer).

7. Simple CRM

Simple CRM is a relatively new spinoff of the traditional CRM model, first appearing in 2006. At their core, CRM tools are designed to manage customer relationships; as described above, there are countless supplemental features and capabilities. Simple CRM systems break down the traditional CRM system to focus on the core values, i.e. managing contacts and activities with customers and prospects. These systems are designed to create the most value for the immediate end user rather than the organization as a whole. They often focus on satisfying the needs of a particular marketplace niche, organizational unit, or type of user rather than an entire organization.

8. Social CRM

Beginning in 2007, the rapid growth in social media and social networking forced CRM product companies to integrate "social" features into their traditional CRM systems. Some of the first features added were social network monitoring feeds (e.g. Twitter timeline). Other emerging features include messaging, sentiment analysis, and other analytics. CRM experts agree that online social communities and conversations have significant consequences for companies, and must be monitored for real-time marketplace feedback and trends.

1.5 Enterprise Resource Planning using Web 2.0

Enterprise systems of today cater to technologies and business practices that liberate the workforce from the constraints of legacy communication and productivity tools like email. They are perceived as critical tools expected to provide business managers with access to the right information at the right time through a web of inter-connected applications, services and devices. In the global, dynamic and vibrant market space, the need arises for effective collaboration for virtual integration and interaction between partners, customers, suppliers, stakeholders, professionals and employees. Enterprises look forward to strategic investment in new, innovative business models built on robust technologies that make accessible the collective intelligence of many, translating to a huge competitive advantage in the form of increased innovation, productivity and agility. An Enterprise Resource Planning (ERP) system aims to provide optimized solutions to enterprises in leveraging their business process management activities at reduced cost and maximum operational efficiency. ERP systems are on the lookout for quick return on investment (ROI) through new efficient and strategic business-enabling technologies. The big focus is on partnering in the marketplace over the network (customer communities, cloud sourcing, and crowd sourcing), looking for major new opportunities for low cost growth, and doing more with less.

Web 2.0 techniques, as coined by Andrew McAfee under the acronym SLATES, are:

• Search: the ease of finding information through keyword search, which makes the platform valuable.
• Links: guides to important pieces of information. The best pages are the most frequently linked to.
• Authoring: the ability to create constantly updating content over a platform that is shifted from being the creation of a few to being the constantly updated, interlinked work of many.
  - Wikis: the content is iterative in the sense that people undo and redo each other's work.
  - Blogs: the content is cumulative in that posts and comments of individuals are accumulated over time.
• Tags: categorization of content by creating tags that are simple, one-word descriptions to facilitate searching and avoid rigid, pre-made categories.
• Extensions: automation of some of the work and pattern matching by using algorithms for recommendations.
• Signals: the use of RSS (Really Simple Syndication) technology to notify users of any changes to the content by sending e-mails to them.

Fig 1.1.7: Business Technology


Adapted from: blogs.zdnet.com/Hinchcliffe/images/ew2_outlook_2009.png.

The integration of the Web 2.0 technology framework into an Enterprise Resource Planning system enables the use of services built around Service Oriented Architecture (SOA) and Web Oriented Architecture (WOA). The technical impacts of upgrading a legacy application to the Web are: the web as a platform, harnessing collective intelligence, data as the core, the end of the software release cycle, lightweight programming models, and software as a service (SaaS) along with a rich user experience (RIA). The two decisive features of the framework are "Network as platform" and "Architecture of participation".

(a) Network as platform: the network is used for computing, allowing users to run software applications entirely through a browser, own their data and exercise control over that data. The enterprise of today is not meant to meet the demands of twelve markets of millions but of a million markets of twelve.

(b) Architecture of participation: the design encourages users to add value to the application as they use it. The concept of Web-as-participation-platform captures these characteristics: rich user experience, user participation, dynamic content, metadata, web standards and scalability, with openness, freedom and collective intelligence. Companies have recognized that user interaction, in and of itself, represents value to their services. The service's users form a network, and the service can leverage that network to significantly strengthen itself.

The benefits and value additions to ERP systems using Web 2.0 characteristics are:

• Low cost investment.
• Increased customer satisfaction.
• Rich and user-friendly interface.
• Reduced re-investment cost.
• Solutions and services using new advanced technologies.
• Faster turn-around time by using the latest and fastest technologies.
• Faster and timely data updates and data refreshes.
• Easy access for customers and users from any remote place through the web.

(i) Revenue and growth: New revenue streams can be built and present revenue streams enhanced through community and social networking. In particular, the cost containment of the last few years has given way to business-side interest in innovation-based growth and revenue. The rapid growth and innovation in the Web space is seen as something that companies need to emulate.

(ii) Web-based economies of scale: Companies realize that they can dramatically cut the cost of capital equipment and people by using a Web-based delivery model to communities of their customers. Business to Consumer (B2C) companies are planning to support tens of millions of customers with just hundreds of employees.

(iii) Flexible employment models: The use of contract and agency staff for delivery allows flexibility and agility. Agency and contract staff can be thought of as another, specialized community and can be supported with Web 2.0 techniques, similar to customers.

(iv) Community creation as evangelism and support: Customers are a business's best sales, marketing, support and development organization. The creation of communities effectively outsources these cost centres, at zero cost. Indeed, with the inclusion of targeted advertising to the community, many of the present cost centres may become profit centres.

(v) Community leader advantage: Community dynamics are such that the first successful community is by far the most powerful, and the organization that owns this community is the one which controls the space. If an organization's competitors are first in the community space they will have a very significant competitive advantage.

These are the five areas in which Web 2.0 techniques can be used in working with customer communities to provide Business to Community. To summarize the technology features of an enterprise system over time:

Today's Enterprise (Web 2.0)           | Yesterday's Enterprise
Flat Organization                      | Hierarchy
Ease of Organization Flow              | Friction
Agility                                | Bureaucracy
Flexibility                            | Inflexibility
User-driven technology                 | IT-driven technology / Lack of user control
Bottom up                              | Top down
Distributed                            | Centralized
Teams are global                       | Teams are in one building / one time zone
Fuzzy boundaries, open borders         | Tailored and boundaries
Transparency                           | Need to know
Information systems are emergent       | Information systems are structured and dictated
Folksonomies                           | Taxonomies
Simple                                 | Overly complex
Open                                   | Closed / proprietary standards
On Demand                              | Scheduled
Short time-to-market cycles            | Long time-to-market cycles

Source: msdn.microsoft.com/en-us/library/bb735306.aspx

Despite a more challenging economic environment, more small and midsize businesses (SMBs) are obtaining the benefits of efficiency and the information advantage that ERP suites can deliver. A survey by Dataquest Insight on ERP suite trends and characteristics recommends the following:

• Differentiate go-to-market strategies by addressing more focused line-of-business and vertical-market requirements of SMBs. Focus on the vertical markets with the highest concentration of users. Investigate complementary areas and invest in partnerships and/or development funds to seed further revenue opportunities.
• Address subtle distinctions in ERP systems across small, lower-mid- and upper-midmarket businesses in go-to-market strategies to maximize revenue opportunity.
• Incorporate SaaS, Web 2.0 and service-oriented architecture (SOA) enablement into product plans, as these have grown in their influence and awareness within the SMB market.
• SMB ERP suites should take note of the business model migration from product-centric to service-centric initiatives and evaluate new delivery models that can achieve quicker and more tailored deployments.
• Proactively engage users being targeted across the SMB spectrum via user groups and feedback mechanisms (focus groups, advisory committees, and so forth) to do a better job of segmenting and targeting distinctive submarkets and their requirements, as well as understanding the nuances in servicing SMBs.
• Emphasize clear, direct communication with users with respect to updated product road maps, and press partners to update on an annual basis.

1.6 Open Source ERP Products

Companies availing ERP services always face the hassle of paying a large sum of money for license fees, implementation, modification and deployment. However, open source ERP helps to remove this drawback: companies can download the software free of cost and use it. Some of the features of open source ERP are as follows:

1. Cutting down the costs.
2. Reducing dependence on the vendors.

Limitations of Open Source ERP

1. Increased complexities
2. Legal complexities
3. Unsuitable for conventional applications

A selected list of open source ERP software is given in Table 1.1.1 (columns: Title; Functionalities; Technical / Platform; Website):

Openbravo ERP Software
Functionalities: Openbravo ERP encompasses a broad range of functionalities such as finance, supply chain & manufacturing.
Technical / Platform: Openbravo ERP is a Web based ERP for SME built on a proven MVC & MDD framework. Built on Java and Javascript, SQL and PL/SQL and XML.
Website: http://www.openbravo.com/

SQL-Ledger ERP Software
Functionalities: Accounting/ERP system for manufacturers, retail and service businesses. SQL-Ledger® ERP is a double entry accounting/ERP system. Accounting data is stored in a SQL database server. The entire system is linked through a chart of accounts. Each item in inventory is linked to income, expense, inventory and tax accounts.
Technical / Platform: SQL-Ledger is platform independent and runs on any Mac or Windows computer.
Website: http://www.sql-ledger.org

PostBooks ERP Software
Functionalities: Accounting and CRM package for small to midsized businesses. 1. Accounting (general ledger, accounts receivable and payable, bank reconciliation, financial reporting) 2. Sales (quotes, order entry, sales reporting, shipping) 3. CRM (universal address book, incident management, opportunity management, to-do lists, project management) 4. Purchasing (purchase orders, receiving, vendor reporting) 5. Product Definition (items, infinite-level bills of material) 6. Inventory (multiple locations, other advanced warehouse features) 7. Light Manufacturing (work orders, strong support for make-to-order) 8. OpenRPT open source report writer
Technical / Platform: Built with the open source PostgreSQL database and the open source Qt framework for C++. The ERP client runs on Linux, Mac and Windows (built with the open source Qt framework).
Website: http://www.xtuple.com/postbooks

OpenERP Software
Functionalities: OpenERP is a modular system and has modules for Accounting and Finance, CRM, Human Resources, Inventory (Stock), Manufacturing, Purchase and Procurement, Sales and Marketing. The latest version of Ubuntu (8.04) has version 4.2, called TinyERP.
Technical / Platform: OpenERP has a server and client install for Windows, Mac and Linux variations. The main Linux distributions have OpenERP in their repositories ready for an easy install. Platform: Windows, Linux, FreeBSD, OpenSolaris. Database: PostgreSQL.
Website: http://www.opensourceaccountingsoftware.com

fireERP Software
Functionalities: Powerful and free ERP, CRM, eBusiness and SCM/SRM solution for business enterprises.
Technical / Platform: JFire is entirely free/open-source software, uses the latest technologies (J2EE 1.4, JDO 2.0, Eclipse RCP 3.3) and is designed to be highly customizable. Current version: Tough Trader (0.9.4-beta).
Website: https://www.jfire.org

ERP5 ERP Software
Functionalities: ERP5 Finance is a complete accounting and finance solution designed with and certified by chartered accountants. ERP5 is suitable for small to large multinational organizations in the private or public sector.
Technical / Platform: It is mainly developed in the Python programming language and the source code is freely available under the GNU General Public License.
Website: http://www.erp5.com/solution/erp5-solution-erp

Project-open ERP Software
Functionalities: PO integrates areas such as CRM, sales, project planning, project tracking, collaboration, timesheet, invoicing and payments.
Technical / Platform: Web-based project management & project portfolio management system for service and consulting companies with 2-200 employees.
Website: http://www.project-open.org/

Table 1.1.1. List of Open Source ERP Software


CHAPTER 2

ERP IMPLEMENTATION

LEARNING OBJECTIVES

• Implementation Life Cycle
• Issues on ERP Implementation
• ERP Implementation - Traps
• ERP Security Audit

“Enterprise Computing is on the road to operational efficiency on thin budgets.”

ERP is the process of integrating all the business functions and processes in an organization to achieve numerous benefits. It is especially important for companies which are "intimately connected" to their vendors and customers, and use electronic data interchange (EDI) to process sales transactions electronically. Therefore, the implementation of ERP is exceptionally beneficial to businesses such as manufacturing plants that mass-produce products with little change.

2.1 Implementation Life Cycle

The flowchart in the figure below depicts several activities that must be performed before implementing an ERP system.

Step 1: Managers must conduct a feasibility study of the current situation to assess the organization's needs by analyzing the availability of hardware, software, databases, and in-house computer expertise, and make the decision to implement ERP where integration is essential. They must also set goals for improvement and establish objectives for the implementation, and calculate the break-even points and benefits to be received from this expensive IT investment.

Step 2: The second major activity involves educating and recruiting end users to be involved throughout the implementation process.

Step 3: Managers form a project team or steering committee that consists of experts from all functional areas to lead the project.

Step 4: After a decision is made to implement ERP, a team of system consultants will be hired to evaluate the appropriateness of implementing an ERP system, and to help select the best enterprise software provider and the best approach to implementing ERP. In most situations, the consultant team also recommends the modules that are best suited to the company's operations (manufacturing, financials, human resources, logistics, forecasting, etc.), system configurations, and Business-to-Business applications such as supply-chain management, customer relationship management, e-procurement, and e-marketplace.

Step 5: Adequate employee and manager training must be provided to all business stakeholders, including managers, end users, customers, and vendors, before the system is implemented. Such training is usually customized and can be provided by either internal or outside trainers.

Step 6: The system installation process will address issues such as software configuration, hardware acquisition, and software testing.

Step 7: Data and information in the databases must be converted to the format used in the new ERP system, and servers and networks need to be upgraded. A post-implementation review is recommended to ensure that all business objectives established during the planning phase are achieved. Needed modifications are tackled during this phase too.

Fig 2.1.1 Activity flowchart before ERP implementation.


2.2 Issues on ERP Implementation

Implementing an ERP causes massive change that needs to be carefully managed to reap the benefits of an ERP solution. Critical issues that must be carefully considered to ensure successful implementation include fundamental issues, the organizational change process, people, implementation cost and time, and employee morale. The pertinent issues are:

1. Fundamental Issues

Implementation of an ERP system can be long, costly, and labor-intensive and can affect an organization's bottom line if done incorrectly. To ensure the success of any ERP implementation project, a project team consisting of an ERP consultant, internal auditing, and IT staff familiar with the company's business operations should be established and their roles must be defined.

(a) Role of Manager: Managers must consider the fundamental issues of system integration by analyzing the organization's vision and corporate objectives.

• Does management fully understand its current business processes, and can it make implementation decisions in a timely manner?
• Is management ready to undertake drastic business process reengineering efforts to yield dramatic outcomes?
• Is management ready to make any changes in the structure, operations, and cultural environment to accommodate the options configured in the ERP system?
• Is the organization financially and economically prepared to invest heavily in an ERP implementation?

(b) Role of an Auditor: Auditors play a proactive role in helping the organization lay the foundation for an initiative's success with their knowledge of internal control practices, compliance requirements, and business processes. In particular, internal auditors can:

• Document abbreviations and their function.
• Identify documents used in the organization's daily operations.
• Compile a list of the organization's master data sets.
• List the internal controls that are applied and adopted during each business process stage.
• Create a list of currently used and recently generated management information reports.

(c) Top Management Commitment: Management needs to consider future communication and computing technology issues in order to integrate the ERP system with the e-business applications in their organization, and to decide on the key related implementation and business issues. Because of the enormous impact on the competitive advantage of the company, top management must consider the strategic implications of implementing an ERP solution, keeping in mind the size of the company and the modules installed. Management must ask several questions before embarking on the project:

• Does the ERP system strengthen the company's competitive position? How might it erode the company's competitive position?
• How does ERP affect the organizational structure and the culture? What is the scope of the ERP implementation: only a few functional units or the entire organization?
• Are there any alternatives that meet the company's needs better than an ERP system?
• If it is a multinational corporation, management should consider whether it would be better to roll the system out globally or restrict it to certain regional units.

2. Organizational Change Process

ERP implementation requires organizations to reengineer their key business processes. This involves reengineering of the existing processes, integration of the ERP with other business information systems, selection of the right employees, and training of employees on the new system.

(a) Reengineering of the existing Process: Implementing an ERP system involves reengineering the existing business processes to the best business process standard, which in the end must conform to the ERP model. ERP systems are built on best practices that are followed in the industry, though the cost and benefits of aligning with an ERP model and customizing could be very high. The more the customization, the greater the implementation costs.

(b) Integration of ERP with other BIS: The benefits of an ERP application are limited unless it is seamlessly integrated with other information systems. Some of the major areas of concern would be:

• Integration of ERP Modules
• Integration of E-Business Applications
• Integration with Legacy Systems

(c) Selection of Right Employees: Companies intending to implement an ERP system must be willing to dedicate some of their best employees to the project for a successful implementation. Internal resources on the project should exhibit the ability to understand the overall needs of the company and should play an important role in guiding the project efforts in the right direction. Companies should consider comprehensive guidelines while selecting internal resources for the project. Lack of proper understanding of the project needs and the inability to provide leadership and guidance to the project by the company's internal resources is a major reason for the failure of ERP projects.

(d) Training Employees: Training and updating employees on ERP is a major challenge, as it is extremely complex and demanding. It is difficult for trainers or consultants to pass on the knowledge of the ERP package to the employees in a short period of time. This knowledge transfer gets harder if the employees lack computer literacy or have computer phobia. In addition to being taught ERP technology, employees have to be taught their new responsibilities.

3. Implementation Cost and Time

(a) Implementation Cost: Even though the price of prewritten software is cheap compared with in-house development, the total cost of implementation could be three to five times the purchase price of the software. The implementation costs increase as the degree of customization increases. After training the selected employees, strategies such as bonus programs, company perks, salary increases, continual training and education, and appeals to company loyalty work to retain them. Other intangible strategies, such as flexible work hours, telecommuting options, and opportunities to work with leading-edge technologies, are also being used.

(b) Implementation Time: ERP systems come in modular fashion and do not have to be implemented entirely at once. ERP packages are very general and need to be configured to a specific type of business, and may follow a phase-in approach with one module implemented at a time. Some of the most commonly installed modules are Sales and Distribution (SD), Materials Management (MM), Production and Planning (PP), and Finance and Controlling (FICO). The length of implementation is affected by the number of modules being implemented, the scope of the implementation, the extent of customization, and the number of interfaces with other applications. The greater the number of units, the longer the implementation time. Further, as the scope of implementation grows from a single business unit to multiple units spread out globally, the duration of implementation increases.

4. Employee Morale

Employees working on an ERP implementation project put in long hours (as much as 20 hours per day) including seven-day weeks and even holidays. Even though the experience is valuable for their career growth, the stress of implementation coupled with regular job duties could decrease their morale rapidly. Leadership from upper management and support and caring acts of project leaders would certainly boost the morale of the team members. Other strategies, such as taking the employees on field trips, could help reduce the stress and improve morale.

ERP solutions are revolutionizing the way companies produce goods and services. They are a dream come true in integrating different parts of a company and ensuring the smooth flow of information across the enterprise quickly. ERP systems bring a lot of benefits to organizations by tightly integrating the various departments of the organization. ERP systems are very large and complex and require careful planning and execution of their implementation. They are not mere software systems; they affect how a business conducts itself. The top contributor to a successful ERP implementation is strong commitment from upper management, as an implementation involves significant alterations to existing business practices as well as an outlay of huge capital investments. The other important factors are the issues related to reengineering the business processes and integrating the other business applications with the ERP backbone. Upper management plays a key role in managing the change an ERP brings into an organization. Organizational commitment is paramount due to the possibly lengthy implementation and huge costs involved. Integrating different software packages poses a serious challenge, and the integration patchwork is expensive and difficult to maintain. Selecting and managing consultants poses a continuous challenge due to the shortage of skilled consultants in the market. Organizations could reduce the total cost of implementation if they reduce customization by adapting to the ERP's built-in best practices as much as possible. Selecting the right employees to participate in the implementation process and motivating them is critical for the implementation's success. Finally, it is important to train the employees to use the system to ensure its proper working. An ERP implementation is a huge commitment from the organization, costing several lakhs of rupees, and can take up to several years to complete. However, when it is integrated successfully, the benefits can be enormous. A well-designed and properly integrated ERP system allows the most updated information to be shared among various business functions, thereby resulting in tremendous cost savings and increased efficiency.

2.3 ERP Implementation - Traps

Even the most experienced organizations in the information technology domain have had futile experiences in the implementation of Enterprise Resource Planning (ERP) systems. This section highlights some of the issues that are believed to contribute to failures; they are by no means the most important, but they are missed in many implementations.

(a) Change Management and Training. This was mentioned as the major problem with implementations. Changing work practices to fit the system is a major difficulty. Also mentioned were training across modules and starting training sooner.

(b) To Business Process Re-engineering (BPR) or not to BPR. It is difficult to draw the line between changing Business Processes to suit the system or retaining Business Processes and paying the cost, in rupees and time, to change the system. As time and cost squeeze the implementation, the usual path is to not modify the system, but to change the way people work. This feeds back into Change Management and Training.

(c) Poor Planning. Planning covers several areas, from having a strong business case, to the availability of users to make decisions on configuration, to investing in a plan that captures all the issues associated with implementing it.

(d) Underestimating IT skills. As most people are upgrading from old technology, the skills of the staff need to be upgraded as well. The upgrade is also going to place significant demands on a team who are geared to maintain an old but stable environment. Usually this effort is underestimated.

(e) Poor Project Management. Very few organizations have the experience in house to run such a complex project as implementing a large-scale integrated solution. It usually requires outside contractors to come in and manage such a major exercise. It can be a fine line between abdicating responsibility and sharing responsibility. Many consulting firms do a disservice to their clients by not sharing the responsibility.

(f) Technology Trials. The effort to build interfaces, change reports, customize the software and convert the data is normally underestimated. Collecting new data, and cleaning the data being converted, will also require an effort beyond what is normally expected.

(g) Low Executive Buy-in. Implementation projects need senior executive involvement to ensure the right participation mix of business and IT, and to resolve conflicts.

(h) Underestimating Resources. The most common budget blow-outs are change management and user training, integration testing, process rework, report customization and consulting fees.

(i) Insufficient Software Evaluation. This involves the surprises that come out after the software is purchased. Organizations usually do not do enough to understand what the product does, and how it works, before they sign on the bottom line.

The Bleeding Edge: ERP is so massive and integrated that reporting and linking to other systems (either your own or your customers' and suppliers') can be much more difficult than you expect. Companies looking at ERP need to examine how they accept online feeds from a customer, or a customer's customer, and examine the technological enablers as well as the implications of these technologies inside the business. These lead to a list of likely problems with an ERP system:

• The cost is likely to be underestimated
• The time and effort to implement is likely to be underestimated
• The resourcing from both the Business and IT is likely to be higher than anticipated
• The level of outside expertise required will be higher than anticipated
• The changes required to Business Processes will be higher than expected
• Scope control will be more difficult than expected
• There will never be enough training, particularly across different modules

Most important of all, and the single biggest failure point for ERP implementations, is the need for change management. The need for change management is not likely to be recognized until it is too late. The changes required to corporate culture are likely to be grossly underestimated. It is going to be hard enough to cope with the technical issues without having to address major people issues as well.

2.4 ERP Security Audit

Enterprise Resource Planning (ERP) is an enterprise-wide information system designed to coordinate all the resources, information, and activities needed to complete business processes such as order fulfillment or billing. Many firms rely on ERP systems to implement business processes and integrate financial data across their value chains. This reliance increases the importance of ERP system security in protecting a firm's information assets. In recent years, the audit of ERP security has gained importance and begun receiving an increasing percentage of firms' audit budgets. However, the audit of ERP security remains a complex, lengthy and costly task due to a confluence of factors. ERP systems are inherently complex systems spanning many functional areas and processes along a firm's value chain. They are designed to provide flexible solutions to business problems. The sheer number of possibilities available for configuring an ERP system implies many potential security configurations. However, ERP systems pay little attention to potential conflicts and problems in those security configurations. Deployment and implementation of ERP systems also pay little attention to security implications, as the main purpose is to solve business problems within time and budget. In post-implementation stages, auditors have access only to rudimentary ERP tools and capabilities for auditing security configurations. There are also shortages of staff members trained in ERP security. Unfortunately, the increased enthusiasm on this subject has been met with complex and costly challenges. Many companies and audit firms are not yet prepared to tackle the need for a rigorous ERP security audit. Major challenges in auditing ERP Security are given as follows:

(a) Complexity of ERP systems: Complexity of ERP systems leads to security vulnerabilities.
ERP systems must be able to process a wide array of business transactions and implement a complex security mechanism that provides granular-level access to users. For example, in SAP R/3, hundreds of authorization objects are used to allow access to various actions in the system. A small or medium-sized organization may have 100 transactions that are commonly used, and each transaction typically requires at least two authorization objects. If the company has 200 end users who fill a total of 20 different roles and responsibilities, there are approximately 800,000 (100*2*20*200) ways to configure security in the ERP, and this scenario excludes other complexity factors, such as multiple transactions sharing the same authorization objects, an authorization object having up to 10 fields that can be assigned various values, and the possibility of using position-based security. The point of this illustration is that the inherent complexity of an ERP system increases the complexity of security configurations and leads to potential security vulnerabilities. Flaws, errors and Segregation-Of-Duty (SOD) conflicts become more likely. Consider a scenario in which a security administrator has to grant read-only access to transaction X, which requires him/her to assign 10 authorization objects to the role. At a later point in time, management decides to grant write access to transaction Y, which implies assigning five more authorization objects. One of the objects is common to both transactions and determines the write capability. Although these two changes are seemingly independent, due to the shared authorization object granting write privileges, the unintended consequence is a potential SOD conflict. An ERP system does not automatically check for these kinds of security vulnerabilities. Unless the security administrator is well trained and employs rigorous positive and negative testing, he/she is likely to miss the unintended consequence of allowing write access to both transactions X and Y. As the number of potential configurations and authorization objects increases, it becomes increasingly difficult and costly to analyze the security implications of ERP configurations, such as the unintentional creation of SOD conflicts.

(b) Lack of ERP Tools: ERP tools for security audit are inadequate. Most of the security tools available in ERP packages are not designed to facilitate efficient and effective audit of ERP security. The main emphasis of ERP tools is on security configuration and maintenance. Recently, there has been an increase in the number of third-party product offerings assisting with ERP security and SOD reviews. However, many users complain that those tools often generate false positives and create more work for auditors.

(c) Customization of ERP Systems: The customization of ERP systems to firms inhibits the development of standardized security solutions. Every ERP implementation contains some level of customization specific to the firm undertaking the implementation. However, customization makes it difficult to develop a standard approach or methodology for conducting ERP security audits.

(d) Manpower: There is a shortage of manpower trained in ERP security. Most ERP training programs are designed for implementation efforts. They offer very little on ERP security and audit. Thus, there is a shortage of auditors who are trained in ERP security.
(e) Inadequate attention towards security: Implementers pay inadequate attention to ERP security during deployment. Many companies do not pay adequate attention to the security implications of ERP configurations during the deployment and implementation of ERP systems. Implementation teams are usually tasked with finishing the implementation projects on time and within budget. They do not pay adequate attention to security implications since it increases implementation time and budget. Due to limited emphasis on security implications, ERP security becomes too lax, making post-implementation problem identification and remediation very costly.

(f) Conventional Approach: Most ERP security audits today are performed using a manual approach. There is little automation beyond the use of native tools that come standard with ERP packages. Unfortunately, the bottleneck of the manual approach is the limitation of the native security reporting tools found in most ERP products. These native tools are not designed to facilitate a large-scale audit effort, but rather to help security administrators perform occasional validation of the accuracy of security configuration. They allow reporting on only a single transaction per query, which may be adequate for a security administrator who works full time and handles each transaction request individually; however, it is not as practical for an IT auditor who is expected to perform the audit in a limited period of time and must test a large number of transactions. Although some IT auditors are able to utilize technology to perform this process more efficiently than others, as long as the process is based on the same philosophy of manual extraction followed by analysis, it continues to be an incredibly tedious and time-consuming task. The manual method is also prone to human errors.
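Added example, not from the training material: a small Python check that replays the transaction X / Y scenario from (a) and resolves every transaction of a role in one pass rather than one transaction per query, the limitation (f) describes for native tools. The transaction catalogue, the role, the write-gate rule and the SOD rule are constructed for illustration and model no real ERP product.

```python
"""Constructed authorization model: transactions check a set of authorization
objects, and one shared object decides whether writes are allowed."""

from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

DISPLAY = "display"
CHANGE = "change"
_RANK = {None: 0, DISPLAY: 1, CHANGE: 2}  # ordering of access levels


class Transaction:
    """A transaction, the authorization objects it checks, and the single
    object (write_gate) whose granted activity decides write capability."""

    def __init__(self, name: str, required: FrozenSet[str], write_gate: str):
        assert write_gate in required
        self.name = name
        self.required = required
        self.write_gate = write_gate


# Constructed catalogue (assumption): X checks ten objects A01..A10, Y checks
# five objects; A05 is shared by both and is the write-determining object.
CATALOG: Dict[str, Transaction] = {
    "X": Transaction("X", frozenset(f"A{i:02d}" for i in range(1, 11)), "A05"),
    "Y": Transaction("Y", frozenset({"A05", "B01", "B02", "B03", "B04"}), "A05"),
}

# Constructed SOD rule: no single role may change both X and Y.
SOD_RULES: List[Tuple[str, str]] = [("X", "Y")]

Role = Dict[str, str]  # authorization object -> activity granted


def effective_access(role: Role, catalog: Dict[str, Transaction]) -> Dict[str, Optional[str]]:
    """Resolve every transaction in one pass: None if any required object is
    missing, otherwise DISPLAY or CHANGE from the activity on the write gate."""
    access: Dict[str, Optional[str]] = {}
    for tx in catalog.values():
        if not tx.required.issubset(role):
            access[tx.name] = None
        elif role[tx.write_gate] == CHANGE:
            access[tx.name] = CHANGE
        else:
            access[tx.name] = DISPLAY
    return access


def unintended_grants(role: Role, intended: Dict[str, Optional[str]],
                      catalog: Dict[str, Transaction]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """The negative test: (transaction, intended, effective) wherever the role
    can do more than the change requests asked for."""
    access = effective_access(role, catalog)
    return [(tx, intended.get(tx), access[tx])
            for tx in sorted(catalog)
            if _RANK[access[tx]] > _RANK[intended.get(tx)]]


def sod_conflicts(role: Role, catalog: Dict[str, Transaction],
                  rules: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Pairs of transactions that the role can both change."""
    access = effective_access(role, catalog)
    return [(a, b) for a, b in rules
            if access.get(a) == CHANGE and access.get(b) == CHANGE]


def grant(role: Role, objects: Iterable[str], activity: str) -> Role:
    """Return a new role with `activity` on `objects`. An existing CHANGE is
    never downgraded, which is how assignments accumulate in practice."""
    new = dict(role)
    for obj in objects:
        if _RANK[new.get(obj)] < _RANK[activity]:
            new[obj] = activity
    return new


def scenario():
    """Replay the two seemingly independent changes described in the text and
    return the audit findings after each step."""
    # Step 1: read-only access to X, i.e. ten objects with display activity.
    intended: Dict[str, Optional[str]] = {"X": DISPLAY, "Y": None}
    role = grant({}, CATALOG["X"].required, DISPLAY)
    step1 = (unintended_grants(role, intended, CATALOG),
             sod_conflicts(role, CATALOG, SOD_RULES))
    # Step 2: write access to Y, i.e. five more objects with change activity.
    # The shared object A05 is silently upgraded, so X becomes writable too.
    intended["Y"] = CHANGE
    role = grant(role, CATALOG["Y"].required, CHANGE)
    step2 = (unintended_grants(role, intended, CATALOG),
             sod_conflicts(role, CATALOG, SOD_RULES))
    return step1, step2


if __name__ == "__main__":
    after_step1, after_step2 = scenario()
    print("after step 1:", after_step1)  # no findings
    print("after step 2:", after_step2)  # X unintentionally writable; X/Y SOD conflict
```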
In today's business life, ERP is recognized as an effective tool which supports most of the business systems that maintain the data needed for a variety of business functions such as Manufacturing, Supply Chain Management, Financials, Projects, Human Resources and Customer Relationship Management in a single database. On the other hand, auditing of ERP security is also a demanding area which requires proper attention. Though many steps have already been taken by various researchers worldwide, for the smooth and efficient functioning of business tasks there is still a need for many more initiatives in this direction.

2.5 Introduction to Tally.ERP 9

Tally.ERP 9 is one of the world's fastest and most powerful concurrent multi-lingual business accounting and inventory management software packages. Tally.ERP 9, designed exclusively to meet the needs of small and medium businesses, is a fully integrated, affordable and comparatively reliable software. Tally.ERP 9 is easy to buy, quick to install, and easy to learn and use. Tally.ERP 9 is designed to automate and integrate all your business operations, such as sales, finance, purchasing, inventory, and manufacturing. With Tally.ERP 9, accurate, up-to-date business information is literally at your fingertips anywhere. The powerful new features and blazing speed of Tally.ERP 9, combined with enhanced MIS, Multi-lingual, Data Synchronization and Remote capabilities, help you simplify all your business processes easily and cost-effectively.

Features of Tally.ERP 9

Tally.ERP 9 encompasses the following salient features:

• Simplicity: Tally.ERP 9 is simple, easy to set up and use. It also allows easy keyboard operations. It requires only basic knowledge of accounts and English to use it.
• Speed: Tally.ERP 9 provides the capability to generate instant and accurate reports, which assists the management in taking timely and correct decisions for the overall productivity and growth of the company.
• Power: Tally.ERP 9 allows the user to maintain multiple companies, with unlimited levels of classification & grouping capabilities. It also allows a drill-down facility from report level to transaction level.
• Flexibility: Tally.ERP 9 provides the flexibility to generate instant reports for any given period (month/year) or at any point of time, besides providing the facility to toggle between accounting & inventory reports of the same company or between companies.
• Scalability: Tally.ERP 9 suits any style of business needs and eliminates the necessity for a business to change its style of operation in order to adapt to the application.
• Concurrent multi-lingual capability: Tally.ERP 9 offers you the exclusive capability of maintaining your accounts in many Indian languages and a few international languages, viewing them in another language and printing them in yet another Indian language.
• Real time processing: Immediate posting & updating of books of accounts as soon as the transactions are entered, thereby facilitating instant statements & reports. It also facilitates a real-time multi-user environment.
• Accounting without codes: Tally.ERP 9 allows accounting with the regular names (the way you spell them or use them in normal parlance) without any account codes.

2.6 Technological Features in Tally.ERP 9

It is a given that businesses grow from being small / simple to larger / complex. Needing to cope with scaling up business operations both internally and externally, and bringing in much-needed flexibility, is a key requirement for any business. The enabling technology that makes this possible is detailed in the sections below:

2.6.1 Quick and Easy installation

Tally.ERP 9 has a simple, menu-driven installation procedure. The user can install the program files on any drive if the hard disk has partitions. The user can also specify the name and directory location of the program files. Tally.ERP 9 uses minimum hard disk space in the local drive. Its installation on the local disk takes just a few seconds.

2.6.2 Codeless User Interface

As a business user, your vendors or customers are not codes but entities that have a distinct name and identity. So why add a Customer ID/code to them to create uniqueness? Take the example of customers who have the same name for their business, for instance Ganesh Enterprises. While referring to them, will you say account no. 3456 Ganesh Enterprises or account no. 3457? What you would actually do is distinguish them by their area of operation, e.g. Ganesh Enterprises New Bazaar Street and Ganesh Enterprises Gandhi Nagar. This overcomes the issues of speed and human error, and rapid incremental search without the introduction of new data elements is facilitated as well. For instance, while typing Ganesh Enterprises, all businesses whose name begins with Ganesh are displayed and you can narrow down the choice very quickly.

2.6.3 Multiple aliases across languages

In business you may refer to the same item differently based on the context, be it stocks, ledger accounts, locations, employees, categories, groups and so on. Tally's multi-referential system allows multiple names to refer to the same entity.

2.6.4 Extendible Units of Measure

A stock unit can be purchased, stocked, manufactured or sold in different units of measure. These measures are either simple units or derivatives of specific units. Translation of units across each definition is easy and intuitive. There are instances where the stocking unit and the transaction unit are different; this is handled by defining the multiplication factor at the time of the transaction, i.e. at the time of sale or physical stock take.

2.6.5 Unlimited Grouping and Classification

In business, recasting accounting data is commonplace, especially when reports are to be generated from a particular view of the business, be it a geographical location, a product line, a department or a function. This aspect normally needs to be configured at the time of setting up the COA or the relevant entities, and brings in unnecessary rigidity. This rigidity is inherited even in the transactions and imposes restrictions on the reports that are generated. With Tally, the flexibility to sub-classify and re-classify entities removes this rigidity at the transaction level and also at the report level, where it is really necessary; this ability to classify and reclassify applies to items, groups & categories, godowns, ledger groups, cost categories, cost centres, budgets etc.

2.6.6 Unlimited multi-user support

A multi-user version of Tally.ERP 9 can be installed on a network having any number of computers with different operating systems such as Win 95, 98, NT, 2000, XP, Vista, Windows 7, Windows 8, etc.

2.6.7 Graphical analysis of data

Tally.ERP 9 provides graphical analysis of data which helps the user to perform deeper analysis. The user can generate graphical analysis reports such as Sales Register, Purchase Register, Ledgers, Funds Flow, Cash Flow, Stock Item Registers and so on. This helps the management to quickly judge performance and be better prepared for difficult times.

2.6.8 Flexible and Extendible reporting

This essentially ensures that reports are not limited to specified financial years or periods, thus allowing, for example, total expenses to be generated for a period that extends across multiple financial periods. This translates into eliminating the concepts of day-end processing, month-end processing or posting to control accounts, and keeping the accounting data free from such artificial bifurcations. Given this flexibility, users are able to generate reports across 2 to 3 financial years; an example to illustrate this business need is tracking civil construction project expenses across financial years. You can also track inventory levels and expenses for each project.

2.6.9 Data Reliability and Automatic recovery

Tally provides a high level of data reliability with several technologies built into it. The data does not get corrupted even if there is a sudden machine shutdown, network breakdown or power cut. This is ensured using the concept of transaction atomicity, which is supported by the object-oriented storage. Tally uses data integrity checks intensively to detect any change to your data by external means. Any corruption happening in this way is instantly detected as the program operates on the data, with a timely warning to you. Besides providing a warning, Tally provides a unique capability to recover from most corruptions by allowing you to simply rewrite the data. The corrupted data is then discarded and you can continue with normal operations, at most re-entering the corrupted transactions or masters only.

2.6.10 Internal backup / restore

Tally.ERP 9 has an in-built, user-friendly ‘backup and restore’ option. It helps the user to take a backup of one or more companies or all companies, in a single directory, in the local hard disk, or in any external media.

2.6.11 Import / Export of data

Any transaction can be exported and imported into other software after suitably altering the current structures to accept the Tally.ERP 9 data structure. Data can also be imported into Tally.ERP 9 by writing a Tally Definition Language program. The data which is to be exported from Tally.ERP 9 can be in XML, HTML or ASCII format.

2.6.12 Split Company Data

Tally.ERP 9 allows users to maintain a company for any number of financial years. Once the books of accounts have been completed for the earlier financial years, the user can split the company data into multiple companies as per the financial periods required. Tally.ERP 9 also has a feature to split company data. The user can specify the date from which the company has to be split and Tally.ERP 9 will split the company to form two companies as per the periods specified. Once the data has been split, the closing balance of the first period (first company) becomes the opening balance for the next period (second company).

2.6.13 HTTP-XML based data interchange

Tally uses a recursive object-oriented data structure which can naturally and easily be expressed as XML. Tally can export your data in XML format and can also import data coming in XML format. This is a fundamental capability of the program and can be easily used to extract data for third-party applications or to pump in data from third-party applications as long as it is compliant with the schema of a voucher or master. The process can be automated since Tally can run as an HTTP (HyperText Transfer Protocol) server and can process requests for import or export sent in HTTP-XML to this server from other applications. Even third-party web applications written in ASP, PHP, Java etc. can talk to your Tally running as an HTTP server and provide real-time information or remote data input. The third-party application can send a request to Tally to get any report in XML or even in HTML format. Even new reports can be added by defining them in TDL (Tally Definition Language). In the same way, a master or a voucher can be created in XML and sent to the Tally server as an HTTP-XML request, and it will be processed and stored by Tally.

2.6.14 References

The concept of a document being correlated to transactions by something other than its document number allows for one-to-one, many-to-one and many-to-many adjustment of payments/receipts against invoices/loans/other transactions. Work may not flow in sequence, for instance Purchase Order > Advance > Invoice > Receipt of Goods > Goods Return > Payment. What actually happens is that material is received, purchase orders are regularized, prices are re-negotiated, goods are received in multiple batches, multiple POs are processed into a single receipt note, multiple debit notes are raised for price adjustments, or payments are staggered based on delivery. All of this cannot be referred against a single document number, and hence the need for separate reference numbers alongside document numbers, which brings flexibility to the document flow and references at the same time.

2.6.15 Tally Fit Technology

Where names of accounts or party ledger accounts run beyond a certain length, you are required to find abbreviations, and sometimes these abbreviations are not intuitive and become code-based. With Tally Fit technology the characters are reduced in breadth and the user is allowed to input additional characters, which makes the account name or entity complete and readable.

2.6.16 Multi-directory for company management

The user can create multiple directories / folders to store data. The data stored in these directories can be accessed directly in Tally.ERP 9, by specifying the path.

2.6.17 User-defined security levels

Tally.ERP 9 offers high levels of security. Users can define multiple levels of security according to their requirements. Every authorised user in the company can have an individual password, with rights to use specific features only. The user with the administrator-level password will have full access and can set controls for other users.

2.6.18 Tally Audit Feature

The Tally.ERP 9 audit feature provides the user with administrator rights the capability to check the entries made by the authorised users and alter these entries, if necessary. Once the entries are audited, Tally.ERP 9 displays the altered entries, if any, along with the name of the user who has altered the entry, and the date and time of the alteration.

2.6.19 Tally Vault

Tally.ERP 9 offers a data encryption option called Tally Vault. Without the valid Tally Vault password, the data cannot be accessed. Tally.ERP 9 follows the DES (Data Encryption Standard) encryption method to safeguard the data.

2.6.20 ODBC data access

Tally provides an ODBC (Open Database Connectivity) driver natively, which allows other applications like MS-Excel (which can use an ODBC data source) to directly pick up data from Tally running as an ODBC server. This data is again real-time data and can be refreshed by such applications at any time as long as Tally is running. You can pick and choose the available information and design your own reports in tools like Excel. The type of data available on ODBC from Tally can be extended using TDL (Tally Definition Language).

2.6.21 Data Synchronization

Synchronization is the process of exchanging Tally.ERP 9 data between two or more locations. This process enables a branch office to send its data to the head office, over the Internet or a private network.

2.6.22 Data Migration Capability

Tally.ERP 9 has the ideal solution for those who have their data in Tally 7.2 and now want to use Tally.ERP 9. Tally.ERP 9 provides a migration tool which helps the user to migrate the data easily to the latest version and continue with day-to-day transactions. Data of all the previous versions, e.g. Tally 4.5, 5.4, 6.3, 7.2, 8.1, 9, can be migrated to Tally.ERP 9. Data of an old version can be migrated to a new version, but data of a new version cannot be migrated to an old version.

2.6.23 Multilingual capability

Tally.ERP 9 is the world's first accounting and inventory software with multilingual capability. Currently, Tally.ERP 9’s multilingual capability extends to 12 languages, which include nine Indian languages (Hindi, Gujarati, Punjabi, Tamil, Telugu, Marathi, Kannada, Malayalam and Bengali), Bahasa Melayu and Bahasa Indonesia. Tally.ERP 9 enables you to enter data in one language and have it transliterated into different languages. You can generate invoices, purchase orders or delivery notes in the language of your choice after entering data for the same in any of the nine specified languages. Also, the phonetic keyboard allows you to spell a term phonetically, based on how it sounds, and Tally.ERP 9 displays the data in the selected language after transliteration.

2.6.24 Direct web browser access

While working on Tally.ERP 9, the user can directly log on to the Tally website, provided he / she has access to the Internet. The website lists details of all the facilities offered by Tally.ERP 9. The user can also download the latest release of Tally.ERP 9 as and when it is available. The Tally website also offers Tally Chat, by which a user can communicate with a Tally representative and get the required information.

2.6.25 Web Publishing and Email Facility

Companies which want to publish reports and price lists on their website can do so directly from Tally.ERP 9. It also facilitates the mailing of any Tally.ERP 9 report or document.


2.6.26 Tally.NET

Tally.NET is an enabling framework which establishes a connection through which the remote user can access the Client's data without copying / transferring the data. In other words, the remote user can access the company data, provided the Company is open and connected on Tally.NET.

Fig. 2.1.2. Tally.NET

(a) Tally.NET Features

Tally.NET is a default feature available in the product and provides the following host of capabilities:

• Connect companies from Tally.ERP 9
• Create and maintain Remote Users
• Synchronization of data (via Tally.NET)
• Remote access of data by authorised Remote User(s)
• Use online help and support from Tally or the browser
• Use Control Centre for centralised Account Management
• Remote availability of Auditors' Edition of Tally License

2.6.27 Remote Access

Tally.ERP 9 provides remote capabilities to access the data from anywhere and at any time. The account administrator can create user IDs, and authorise and authenticate them to access data remotely. The Remote users created under the security level Tally.NET Auditor or Tally.NET User can log in, audit and access data from a remote location using another instance of Tally.ERP 9 running in Licensed or Educational mode. The data is transferred between the remote location and the server using a secured mechanism called encryption.


Fig. 2.1.3. Remote Access

2.6.28 Control Centre

Tally.ERP 9 provides a powerful feature named Control Centre, which works as an interface between the user and Tally.ERP 9 installed at different sites; it enables the user to centrally configure and administer Sites / Users belonging to an account. The Control Centre encompasses the following features:

• Manage Licenses
• Central Configuration
• Manage Users
• Manage Company Profile
• Manage Accounts (using My Tally.NET Accounts)
• Change Passwords
• Jobs and Recruitments
• Activity History

Advantages of Control Centre

The advantages of Control Centre are represented in the following diagram.

Fig. 2.1.4. Control Centre

The advantages of Control Centre are:
1. Create users with predefined Security levels
2. Centrally configure and manage your Tally.ERP 9
3. Surrender, Confirm or Reject activation of a Site
4. Maintain Account related information

2.6.29 Auditor’s Edition

A developing economy, widening tax net and increasing compliance requirements make an auditor's role critical. A Chartered Accountant as an entrepreneur is exposed to various operational risk factors viz., time, increasing travel & people costs, limited availability of skilled manpower and intense audit periods. To alleviate these circumstances, Tally.ERP 9 offers the Auditors’ Edition, which provides Audit & Compliance capabilities for Chartered Accountants. The Auditors’ Edition provides the Chartered Accountant with Tax Audit and Statutory Compliance tools which equip him / her to retrieve the required information on the basis of which he / she forms an opinion.

Tally.ERP 9 - Auditors' Edition is designed to help CAs to transform their practice and streamline their clients’ businesses. The Auditors' Edition also helps to increase audit efficiency, reduce time and effort, and increase the opportunity for providing additional billable services.

Advantages of Auditors' Edition of Tally.ERP 9

• Secure remote access to client data
• At-a-glance dashboard showing voucher / ledger correctness and verification status
• Easy identification of errors by way of exceptions
• Special audit and compliance menus
• Generate annexure for Tax Audit under Sec 44AB

Using the Auditors’ Edition of Tally.ERP 9, a Chartered Accountant can provide services to clients in the following scenarios:
o Audit at CA’s office by accessing local data
o Audit at Client’s place by accessing local data
o Audit Remotely by accessing Client’s data from anywhere.

CHAPTER 3

ERP CONTROL AND AUDIT

LEARNING OBJECTIVES
• Management and Controls in Tally.ERP 9
• Security Management in Tally.ERP 9
• Data Management in Tally.ERP 9

3.1 Tally.NET and Remote Capabilities

3.1.1 Overview of Tally.NET

Tally.NET is an enabling framework which establishes a connection through which the remote user can access the client's data without copying / transferring the data. In other words, the remote user can access the company data, provided the Company is open and connected on Tally.NET. Using Tally.NET features, the user can create remote users (IDs) and authorize & authenticate them for accessing the connected (available) companies. The remote users can be mapped to a particular user and assigned security controls based upon their security levels (viz., Tax Auditor / Administrator, Standard User etc.). The remote user can further create sub-IDs under him to assign tasks based on their security levels. The user making the company available and the person accessing the data both behave as clients to Tally.NET, thereby rendering a secure exchange system.

Tally.NET Features

Tally.NET is a default feature available in the product and provides the following host of capabilities:

• Connect companies from Tally.ERP 9
• Create and maintain Remote Users
• Synchronization of data (via Tally.NET)
• Remote access of data by authorised Remote User(s)
• Use online help and support from Tally or the browser
• Use Control Centre for centralised Account Management
• Remote availability of Auditors' Edition of Tally License

As discussed above, Tally.NET is enabled in Tally.ERP 9; however, certain configurations need to be set up to enable Company data to get connected. Follow the steps given below:

1. Configuring Tally.NET features
2. Creating and Authorizing Remote Users

3.1.2 Configure Tally.NET Features

To configure Tally.NET follow the steps shown: Go to Gateway of Tally > F11: Features > F4: Tally.NET Features

• The Tally.NET Features screen appears.
• In the Registration Details section:
  o In the Connect Name field, provide a specific name with which the company is displayed on Tally.NET servers.
  o Provide the name of the contact person in the field Contact Person Name.
  o Provide the Mobile/Telephone numbers of the contact person in the field Contact Number.
• The name of the contact person and the contact number are published along with Company Name, Account ID and Serial Number in the List of Companies screen.
• In the Connect for Remote Access section:
  o Allow to Connect Company is set to Yes, in case you want the company to be connected for remote access.
  o Connect on Load is set to Yes, when you want the company to be connected automatically for remote access on loading.
  o Press Enter to accept.

The completed Tally.NET Features screen is displayed as shown in Fig 3.1.1:

Fig. 3.1.1 Tally.NET Features

• Accept to save the Configurations.

You must set Security Controls to “Yes” while creating/altering a company, in order to enable Tally.NET in Tally.ERP 9.

3.1.3 Connect Company on Tally.NET

To connect the company on Tally.NET, Go to Gateway of Tally > press F4: Connect.

Fig. 3.1.2 Connected to Tally.NET

A message “Company connected successfully” is displayed in the Calculator panel. In the same way, to disconnect a Company from Tally.NET, Go to Gateway of Tally > press F4: Disconnect.

Fig. 3.1.3. Disconnected from Tally.NET

A message “Company disconnected successfully” is displayed in the Calculator panel.

3.1.4 Create Remote Users

Tally.ERP 9 allows you to connect from a remote location and access your data. The Remote users are broadly classified into two security levels, namely:

• Tally.NET User: can access data from a remote location.
• Tally.NET Auditor: can audit data from a remote location, subject to using the Auditor’s Edition of Tally.ERP 9.

To create the remote users: Go to Gateway of Tally 

Click “K: Control Centre” button or press Ctrl + K.



The Login as Remote Tally.NET User screen is displayed.



Enter the required Account ID in the Your E-Mail ID field and Password in Your Tally.NET Password field. The password is sent by e-mail separately to the email address provided while activating Tally.ERP 9.

Fig. 3.1.4. Login as Tally.NET User


• Press Enter.
• The Control Centre screen appears as shown:

Fig. 3.1.5 Control Centre

• Select My Tally.NET Accounts; the My Tally.NET Accounts screen appears.
• Select the required Account ID and press Enter.
• The Control Centre for the selected Account ID screen appears.
• Select User Management and press Enter.
• The User Management screen appears:

Fig. 3.1.6 User Management - List of Users


To create Remote Users, execute the following steps:

• Select Standard User from the list of Security Level.
• Type any valid e-mail ID in the Tally.NET ID field and press Enter. Please note that a Tally.NET ID has to be a valid e-mail ID only. It cannot be a simple user name like “pankaj”, “swapnil”, “gauri”, etc.
• Set Yes to Tally.NET User in case you want this user to access data remotely.
• Based on your requirement, select the required status from the list of Status.
• Similarly you can create the other required Tally.NET Users.

Fig. 3.1.7 User Management

• Accept to save the new Tally.NET User that has been created.

The company’s system administrator should authorise the Tally.NET User ID, connect to Tally.NET and allow remote access. A brief write-up about each feature of the Control Centre is given under the section Features of the Control Centre.

3.1.5 Authorise Remote Users

Once the Company is registered and connected, the system administrator can authorise users created under the Tally.NET User security level to access it by logging in from a remote location. To authorise the remote users to login, follow the steps shown:

Authorise Remote User

Go to Gateway of Tally > Press Alt + F3

• The Company Info. menu appears.
• Select Security Control > Users and Password.
• The List of Users for Companies screen is displayed as shown in Fig 3.1.8.

Fig. 3.1.8 List of Users for Company

• Select Tally.NET User from the Security List.
• Enter the same e-mail ID which was typed during remote user creation in the Control Centre, e.g. “[email protected]”, in the Name of User field. Once the security level is selected as Tally.NET User, the user name field will accept a user name as an e-mail ID only. It will not accept a plain user name like pankaj, swapnil, gauri, as stated above.
• Set Allow Remote Access to Yes, in order to allow the Tally.NET User created earlier to access data from a remote location.
• Set Allow Local TDLs to Yes or No as per requirement. If set to No, local TDLs available on the remote user's machine will not be loaded.
• Type the mobile number of the respective user in the Mobile Number field. This mobile number shall be used for sending and receiving SMS to and from Tally. The mobile number is optional.
• Select End of List.


Fig. 3.1.9 Creation of Users

• Accept to authorise the Tally.NET User.

3.1.6 Remote Access

Tally.ERP 9 provides remote capabilities to access the data from anywhere. The account administrator can create user IDs, authorise and authenticate them to access data remotely. The remote users created under the security level Tally.NET Auditor or Tally.NET User can login, audit and access data from a remote location using another instance of Tally.ERP 9 running in Licensed or Educational mode. The data transferred between the remote location and the server is transferred using a secured mechanism called encryption.

3.1.6.1 Login as Remote User

• Start Tally.ERP 9 at the remote location.
• In the Company Info screen, select Login as Remote User, or
• Select Login as Remote Tally.NET User in the Startup screen.


Fig. 3.1.10 Login as Remote Tally.NET User

• Press Enter.
• The Login As Remote Tally.NET User screen is displayed.
• Enter your user ID, i.e. the e-mail address registered with Tally.NET and set in the Tally Company, in the Your E-Mail ID field.
• Enter the password e-mailed to you in the Your Tally.NET Password field.
• Press Enter.
• The Select Remote Company screen is displayed, showing the list of remote companies accessible by the remote user.


Fig. 3.1.11 List of Remote Companies

• Select the required company and press Alt+O or click O: Open or press Enter.
• The Gateway of Tally for the selected company appears displaying the Remote User Details.

Fig. 3.1.12 Remote Company

To view or print the reports, select the required options available.


3.2 Management and Controls

3.2.1 Concept of Control Centre

Tally.ERP 9 provides a powerful feature named Control Centre to its users, which works as an interface between the user and Tally.ERP 9 installed at different sites. It enables the user to centrally configure and administer Sites / Users belonging to an account.

3.2.1.1 Features of Control Centre

The Control Centre encompasses the following features:

• Manage Licenses
• Central Configuration
• Manage Users
• Manage Company Profile
• Manage Accounts (using My Tally.NET Accounts)
• Change Passwords
• Jobs and Recruitments
• Activity History

3.2.1.2 Advantages of Control Centre

With the help of Control Centre, you will be able to:

• Create users with predefined Security levels
• Centrally configure & manage your Tally.ERP 9
• Surrender, Confirm or Reject activation of a Site
• Maintain Account related information
• Manage Licenses and Activity History
• Manage Jobs and Recruitments

Create users with predefined Security levels

Using the Control Centre feature, the Account Administrator can create users, map them to a predefined security level and authorise them to access a Site / Location linked to that Account. Further, the system administrator can also create remote users and allow / disallow them to remotely access the data. The predefined security levels in Tally.ERP 9 are:

• Owner
• Data Entry
• Tally.NET User
• Tally.NET Auditor


Centrally configure and manage your Tally.ERP 9

The Control Centre provides the flexibility to make changes to product configurations in Tally.ini (the configuration file) and apply them with immediate effect without restarting the application. The following master configuration set can be made from the Control Centre:

• Add / Modify the Tally.ini parameters
• Assign TDLs to a site or all the sites under an account
• Permit or Deny changes to the local configurations

The master configuration set created is applied initially to the account centrally and is inherited by the site(s) on updation of the license, based on the site level permissions set by the Account Administrator.

Surrender, Confirm or Reject activation of a Site

The Account Administrator is authorised to surrender or confirm a site license, or reject the request received on activation from another site.

Maintain Account related information

Control Centre allows you to maintain information about the organisation. Based on the requirements, the Account Administrator can merge multiple accounts into one or split an account into multiple accounts for easy and better management. Before we start using Control Centre in Tally.ERP 9, it is recommended to understand the process of installation of Tally.ERP 9 as explained below.

3.2.2 Installing & Activating Tally.ERP 9

Tally.ERP 9 software installation is a simple and one-time activity. You can install the program files on any drive (if the hard disk has partitions) or specify a directory for installation. You can also specify the location of the data directory.

3.2.2.1 Installing Tally.ERP 9

To install Tally.ERP 9:

• Insert the Tally.ERP 9 Installation CD in the computer's CD drive.
• Select My Computer on the Desktop.
• Select the CD drive.
• Run Install.exe > Specify Path (for Program files and data directory).
• Click Install.
• After installation, a message Installation Successful is displayed. Click OK.

On successful installation of Tally.ERP 9, a shortcut is placed on the desktop, a folder titled Tally.ERP 9 is created in the selected drive and all the files required to run Tally.ERP 9 are stored in this default folder.


In the same way, you can install Tally.ERP 9 Multi-User. In a Multi-User installation, select the required programs (Tally.ERP 9 / License Server) to install at the Server and client locations and specify the other required details.

3.2.2.2 Activating Tally.ERP 9 License

On successful installation of Tally.ERP 9, the Licensing Operations Startup screen appears on your computer once you start Tally.ERP 9.

Step 1: Activate License

To activate the license, follow the steps given below:

• Select Activate License; the Activate License screen appears as shown in Fig 3.1.13.

Fig. 3.1.13 Startup screen

The Activate License screen has two options which allow you to activate the license based on your requirements:

• First time activation for your organization: allows you to activate a single site license.
• Activation of an additional Site for your organization: allows you to activate the next or consecutive site licenses for your organization.

Fig. 3.1.14 Activate License


• Select First time activation for your organization.
• The Activate License form appears. Enter the required License Serial Number in the Serial Number field.
• Enter the required Activation Key in the Activation Key field.
• Enter your E-Mail ID in the E-Mail ID of Administrator field.
• Repeat the E-Mail ID in the Repeat (E-Mail ID of Administrator) field.

Fig. 3.1.15 Activation Form

A unique account identification is created using this E-Mail ID and the license serial number is linked to this account. The License Key, Password and Account related information are mailed to the E-Mail ID provided in the activation form.

• Press Enter; Tally.ERP 9 checks for the availability of Internet connectivity on your computer.
• If an Internet connection is available, Tally.ERP 9 displays the message Congratulation! Your activation Request has been processed.
• The Tally_lck.lic file is created and placed in the default Tally.ERP 9 directory.

You can also activate the license in Offline Mode if an Internet connection is not available. To activate the license in Offline Mode, generate the license file offline and copy it onto a system where the Internet is available and Tally.ERP 9 is installed; there, go to the licensing menu and select Send External Request, and the license file will be generated. Copy this file and paste it onto the system where the license is to be activated.

Step 2: Unlock License File

• Access your mail and retrieve the unlock key.
• In the Startup screen, select Unlock License.
• Type the Unlock Key in the Unlock field and press Enter.
• On successfully unlocking the license file, Tally.ERP 9 displays the message Congratulations! Your License is successfully activated.

• Start Tally.ERP 9; the License Serial Number and Account ID are displayed under the Version and Licensing sections of the information panel respectively.

In the same way, you can activate the license for Multi-Site by selecting Activation of an Additional Site for your Organisation in the Activate License screen and providing the Site Name, Site Administrator E-Mail ID and other related details.

3.2.2.3 Launch Tally.ERP 9

Start Tally.ERP 9 by choosing any one of the methods discussed earlier. On starting Tally.ERP 9, the Gateway of Tally screen appears displaying the Edition and Users under the Version block, and the Serial Number and Account ID under the License block of the Information panel.

Fig. 3.1.16 Gateway of Tally

3.2.3 Logging in to Control Centre

To start Control Centre, follow the steps shown: Go to the Company Info menu or Gateway of Tally

1. Press K: Control Centre or press Ctrl + K.

Fig. 3.1.17 Start Control Centre

2. The Login As Remote Tally.NET User screen appears as shown in Fig. 3.1.8.
   • Enter the User ID in the Your E-Mail ID field.
   • Enter the password e-mailed to you in the Your Tally.NET Password field.


Fig. 3.1.18 Start Control Centre

Based on the authentication received from Tally.NET, you can access the Control Centre. Depending on the requirement, you can enter the Account / Site Administrator's ID to administer an Account / Site respectively. You can also provide another User ID to access the Support Centre and other areas of the Control Centre based on the permissions assigned. In case you have forgotten the Password, provide the Account/Site/User ID in Your E-Mail ID and press F5. The new password will be e-mailed to the respective E-Mail ID.

3.4.4 Managing Accounts using Control Centre

After logging in, the Control Centre screen will appear as shown in Fig 3.1.19:


Fig. 3.1.19 Control Centre

The Control Centre screen displays the options available, which are briefly described below:

• My Tally.NET Account: Use this option to configure, activate / deactivate sites, create users and assign security levels, and manage your Account details. My Tally.NET Account has the following sub-options:
  o Licensing & Configuration enables you to configure and surrender a site belonging to an account. The configuration set can be created for each site by the Account / Site administrator. Further, the Account Administrator may allow or restrain the site administrator from making any changes to the configuration set locally.
  o User Management enables you to administer users belonging to an account by assigning security levels with predefined permissions to enable remote access, assigning users to a site and maintaining the active users as required.
  o Profile Management enables you to enter the essential information related to the Account/Site ID.
  o Change Account Admin enables you to change the Account Administrator’s ID. To change the account ID, the account administrator should provide the existing account ID and the new account ID.
• Change My Profile enables you to manage the Tally.NET User’s profile by providing the required details for further communications.
• Change My Password enables you to change your password at your convenience.


3.4.4.1 My Tally.NET Accounts

• Select My Tally.NET Accounts and press Enter.
• On selecting My Tally.NET Accounts, the My Tally.NET Accounts screen appears as shown in Fig 3.1.20.

Fig. 3.1.20 My Tally.NET Accounts

The My Tally.NET Accounts screen displays the User ID against the Tally.NET ID field, the Account ID, Security Level, permission to access Tally.NET, Site ID (for Multi Site only), permission to administer the Account and the account status. It also displays the Account IDs associated with your Account; based on your requirement, you may disassociate your Account ID.

• Site ID will not appear when you have a Single Site Account.
• To disassociate from another account, select the required Account ID and press Alt+D.
• The Account/Site Administrator ID cannot be disassociated from associated accounts.

The My Tally.NET Accounts screen for Multi-Site will appear as shown in Fig. 3.1.21:


Fig. 3.1.21 My Tally.NET Accounts - Multi Site

• Select the required Site Account ID and press Enter; the Control Centre of an Account appears as shown in Fig 3.1.22.

Fig. 3.1.22 Control Centre of an Account


You can use this option to configure, activate / deactivate sites, create users and assign security levels, and manage your Account details. The options available are briefly explained below:

• Licensing & Configuration: Allows you to configure and activate / deactivate a site.
• User Management: You can create Remote Users and assign security controls.
• Profile Management: Maintain details related to your account.
• My Activity History: Displays the list of accounts where your ID is used.
• Change Account Admin: Allows the Account Administrator to change the Account Administrator's User ID.

3.4.4.2 Licensing & Configuration

The Account administrator can configure and surrender a site belonging to an account. The configuration set can be created for each site by the Account / Site administrator. Further, the Account administrator can allow or restrain the site administrator from making any changes to the configuration set locally. The Licensing & Configuration screen displays the information related to each site / license serial number and the date on which the site was created.

Fig. 3.1.23 Licensing & Configuration

By default, the status is Active; based on your requirement, you can surrender the license by selecting Surrender from the list of Status. The license status is briefly explained for your benefit:

• Active: indicates that the site is in operation.
• Surrender: indicates that the site has been surrendered.


3.4.4.3 General Configuration

To create a configuration set for a Site, follow the steps given below. In the Licensing & Configuration screen:

• Click on F6: Show Config or press F6.
• The General Config and TDL Config fields appear as shown in Fig 3.1.24.

Fig. 3.1.24 Licensing & Configuration

• In the General Config field, press Alt+C to create a configuration.
  o The General Configuration Management screen appears.
  o Enter the required configuration name in the Name of Configuration field. The configuration parameters are saved with the configuration name provided in the account.
  o Set “Want to set client/server configuration” to “Yes” to create a fresh set of configuration.
  o In the “Tally is acting as” field, select the required behaviour from the Client / Server list. Tally.ERP 9 will act as Server / Client / Both based on the parameter selected.
  o Set “Enable ODBC server” to “Yes” when you want to transfer data from any third party application to Tally.ERP 9 or vice versa.
  o Enter the required port number in the Port field.
  o Set “Can be overridden locally” to “Yes” when you want the above parameters to be changed / modified by the site administrator locally.


  o In the Disallow Request section, specify the required Server Name / IP Address / URL in the From field to deny a request from that Server / IP Address / URL.
  o Similarly, specify the required Server Name / IP Address / URL in the To field to deny a request to that Server / IP Address / URL.
  o In the Allow Request section, specify the required Server Name / IP Address / URL in the “From” field to allow a request from that Server / IP Address / URL.
  o Similarly, specify the required Server Name / IP Address / URL in the “To” field to allow a request to that Server / IP Address / URL.

Fig. 3.1.25 Licensing & Configuration

  o Press Enter to save the General Configuration.
  o Select the specified configuration package in the General Configuration field.
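As an added illustration (not code from this manual or from Tally.ERP 9), the following shows how the Allow Request / Disallow Request entries of a General Configuration set can be evaluated for one client/server request. It assumes, since the manual does not say, that an entry may be a server name, IP address, CIDR range or URL, that a Disallow match overrides an Allow match, and that an empty Allow list imposes no restriction.

```python
"""Added example, not code from the manual or from Tally.ERP 9: evaluating the
Allow Request / Disallow Request (From / To) entries of a General
Configuration set for one client/server request.

Assumptions the manual does not state:
  - an entry may be a server name, an IP address, a CIDR range or a URL
    (only the URL's host is compared);
  - a Disallow match takes precedence over an Allow match;
  - an empty Allow list places no restriction (only Disallow applies).
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple
from urllib.parse import urlparse


def host_of(entry: str) -> str:
    """Return the comparable host part of a rule entry or endpoint.

    'http://ho-tally.example.internal:9000/' -> 'ho-tally.example.internal'
    '10.0.0.0/8' and 'Branch1.Example.Internal' are lower-cased as-is.
    """
    entry = entry.strip()
    if "://" in entry:
        return (urlparse(entry).hostname or "").lower()
    return entry.lower()


def rule_matches(rule: str, endpoint: str) -> bool:
    """True when `endpoint` (name, IP or URL) is covered by `rule`.

    IP and CIDR rules are compared as networks so that 10.0.0.0/8 covers
    10.1.2.3; anything else is an exact, case-insensitive name comparison.
    """
    rule_host, ep_host = host_of(rule), host_of(endpoint)
    try:
        network = ipaddress.ip_network(rule_host, strict=False)
        return ipaddress.ip_address(ep_host) in network
    except ValueError:  # rule is not an IP/CIDR, or endpoint is a name
        return rule_host == ep_host


@dataclass
class GeneralConfig:
    """One General Configuration set as created with Alt+C (section 3.4.4.3)."""
    name: str
    acting_as: str = "Server"        # "Tally is acting as": Server / Client / Both
    port: int = 9000                 # constructed sample port
    enable_odbc_server: bool = False
    can_be_overridden_locally: bool = False
    disallow_from: List[str] = field(default_factory=list)  # Disallow Request: From
    disallow_to: List[str] = field(default_factory=list)    # Disallow Request: To
    allow_from: List[str] = field(default_factory=list)     # Allow Request: From
    allow_to: List[str] = field(default_factory=list)       # Allow Request: To

    def decide(self, source: str, destination: str) -> Tuple[bool, str]:
        """Return (permitted, reason) for a request from `source` to `destination`."""
        for rule in self.disallow_from:
            if rule_matches(rule, source):
                return False, f"source {source} denied by Disallow/From entry {rule}"
        for rule in self.disallow_to:
            if rule_matches(rule, destination):
                return False, f"destination {destination} denied by Disallow/To entry {rule}"
        if self.allow_from and not any(rule_matches(r, source) for r in self.allow_from):
            return False, f"source {source} is not in the Allow/From list"
        if self.allow_to and not any(rule_matches(r, destination) for r in self.allow_to):
            return False, f"destination {destination} is not in the Allow/To list"
        return True, "permitted"


# Constructed sample: a head-office server that accepts requests only from the
# internal network and one named branch host, and only to its own URL.
HEAD_OFFICE = GeneralConfig(
    name="HO-Server",
    acting_as="Server",
    disallow_from=["203.0.113.0/24"],       # constructed: a blocked external range
    allow_from=["10.0.0.0/8", "branch1.example.internal"],
    allow_to=["http://ho-tally.example.internal:9000/"],
)


if __name__ == "__main__":
    for src, dst in [("10.20.30.40", "ho-tally.example.internal"),
                     ("203.0.113.7", "ho-tally.example.internal"),
                     ("192.168.1.5", "ho-tally.example.internal"),
                     ("BRANCH1.example.internal", "other.example.internal")]:
        print(src, "->", dst, HEAD_OFFICE.decide(src, dst))
```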

To View/Alter General Configuration

In the Licensing & Configuration screen:

• Click F7: Gen Config List or press F7.
• Select the required configuration from the List of General Configs.
• The General Configuration Management screen will appear; you can make the required changes as per your requirements.


The Select Item screen appears.

Fig. 3.1.26 Licensing & Configuration

3.4.4.4 User Management

You can administer users belonging to an account by assigning security levels with predefined permissions in order to enable remote access, assign users to a site and maintain the active users as required. To administer the users within an account, follow the steps shown: In the Control Centre screen

1. Select User Management and press Enter.
2. By default, the Security Level for the User ID, Permission to access Tally.NET and the Status are displayed.
3. To create the required user:
   • Select the required Security Level from the list of Security Level.
   • Enter the required E-Mail ID in the Tally.NET ID field.
   • Set the Tally.NET User field to “Yes” when you want the user to access data from anywhere using Tally.NET.
   • In the Status field, select the required status from the list of Status, which are explained below:
     1. Active: Set the status to Active when you want the user to be in operational mode.
     2. Deleted: Set the status to “Deleted” when you want the user to be removed permanently.
     3. In-active: Set the status to “In-Active” when you want the user to be in non-operational mode. You can change the status to Active later on as and when required.


Fig. 3.1.27 User Management

• Accept to save the user created. Default users such as the Account Administrator or Site Administrator are assigned the security level of Owner. However, based on the requirements, you can change the security level.

To create a user: Select the required Security Level from the list of Security Level or press Alt+C to create a new security level.

• Owner: has the capability to manage Sites/Users belonging to an account. The Owner is not permitted to change the Account / Site Admin ID, Site Status and Account Profile.
• Standard User: Created with predefined permissions. All users other than the Owner are created under this security level.
• Enter the required E-Mail ID in the Tally.NET ID field. Using the E-Mail ID provided, a Tally.NET ID is created and the Password e-mailed.
• Set the Tally.NET User field to “Yes” if you want the user to access data from a remote location using Tally.NET.
• In the Status field, select the required status from the list of Status, which are explained below:
  o Active: Set the status to “Active” when you want the user to be in operational mode.
  o Deleted: Set the status to “Deleted” when you want the user to be removed permanently.

  o In-active: Set the status to “In-active” when you want the user to be in non-operational mode. You can change the status to Active as and when required.

Similarly, you can create other users as required. From the above screen, you can change the Tally.NET ID for any user other than the Account/Site Administrators. However, you will not be able to change the status to Deleted or In-Active for the Account/Site Administrator. To change the User ID, type the new user ID in the Tally.NET ID field. The User Management screen also displays the number of Tally.NET Users created for an account.

To view in Detailed mode, in the User Management screen:

• Click F1: Detailed or press Alt+F1.
• The User Management screen appears displaying the user details as shown in Fig 3.1.28.

Fig. 3.1.28 User Management Multi Site


To view the Security Level List, in the User Management screen:

• Click F8: Sec Level List or press F8.
• The Select Items screen appears; select the required security level from the List of Security Levels.

The Security Levels screen appears as shown in Fig 3.1.29.

Fig. 3.1.29 User Management Multi Site

• By default, the Standard User is authorised to access the Support Centre only; based on your requirement, select the access controls from the list of Access Rights as shown in Fig 3.1.30.

Fig. 3.1.30 User Management Multi Site

• Accept to save the access rights assigned to the security level.


Create Security Levels

An authorised user can create security levels and assign the Access Rights to the user in order to allow the user to perform certain tasks within the account. The security levels created are then assigned to the users belonging to the account. To create a security level and assign access controls, follow the steps shown:

• Press Alt+C in the Security Level field; the Security Level Management screen appears.
• Type the required security level name in the Name of Security Level field.
  o In Allow the Following Facilities, select the required access rights from the list of Access Rights shown in Fig 3.1.31.

Fig. 3.1.31 Create Security Levels

• Accept to save the security level created.

To alter an existing security level, place the cursor in the Security Level field and press Ctrl+Enter, or press F8: Sec Level List and select the required security level to make the necessary changes. The Owner security level is assigned all the access rights and cannot be modified.


3.4.4.5 Profile Management

The user can enter the essential information related to the Account/Site ID in Profile Management. To enter the details regarding the organisation, follow the steps shown: In the Control Centre screen

• Select Profile Management and press Enter.
• The Profile Management screen appears.
  o By default, the E-Mail ID of the Account Administrator appears in the Account ID field.
  o Select the required account type from the list of Account Types.
  o Enter the details related to the Account as shown in Fig 3.1.32.

Fig. 3.1.32 Profile Management

• Accept to save the information.

Change Account Admin

To change the Account Administrator's ID, follow the steps shown: In the Control Centre screen

• Select Change Account Admin.
• The Change Account Admin screen appears.


Fig. 3.1.33 Change Account Admin

• Enter the required Account Administrator's ID in the Old Account Admin ID field.
• Enter the new Account Administrator's ID in the New Account Admin ID field.
• Accept to create the new Account Administrator's ID.

The new Account Administrator's ID can be created only by an existing account administrator.

Change My Profile

You can manage the Tally.NET User's profile by providing the required details for further communications. To change the user profile, the user has to follow the steps shown: In the Control Centre screen

• Select My Profile.
• The Change My Profile screen appears displaying the Tally.NET ID.
• In the Salutation field, select the required salutation from the list of Salutation.
• Enter the required name in the Name field.
• Enter the required Mobile Number in the Mobile field.

Fig. 3.1.34 Change Profile

• Accept to save the profile.

Change Password

To change the Password, follow the steps shown: In the Control Centre screen


• Select My Password or press Alt+W.

Fig. 3.1.35 Change Password

The Change Password screen appears with the Username.

• Enter the current password in the Old Password field.
• Enter the new password in the New Password field.
• Repeat the new password in the Repeat field for the purpose of confirmation.

Fig. 3.1.36 Change Password

• Accept to change the password.

3.3 Security Management in Tally.ERP 9

3.3.1 Security Controls

Tally.ERP 9 allows you to create multiple levels of security as per requirements and authorize users with individual passwords and rights to access specific functionality only. The user with an Administrator level password is authorised for full access to all features and can set access controls for other users.

To activate the Administrator level Password: Go to Company Info. > Create

• Type the Company Name, Address and other related details.
• Set the feature Use Security Control to Yes.
• Specify the Administrator Name and password, and repeat the password.
• Save the screen.

If the company is already created:

• Load Company > Alt+F3 (Cmp Info) > Alter

Fig. 3.1.37 Company Info screen

• Set the feature Use Security Control to Yes.
• Specify the Administrator Name and password, and repeat the password.
• Save the screen.


Fig. 3.1.38 Company Alteration screen

Exit Tally.ERP 9 after accepting the modifications implemented in the Security Control fields. Now attempt to open Tally.ERP 9. Tally.ERP 9 opens the Company Login screen, where you will be asked to enter the User Name and Password. The Company Login screen is displayed as shown.

Fig. 3.1.39 Company Login screen

The password is case sensitive. Any variation in the case will not allow you to login to Tally.ERP 9. The User ID is not case sensitive.


To create multiple levels of passwords:

• Create the Administrator level password as explained earlier.
• Press Alt+F3 (Cmp Info) > Security Control > Types of Security.
• Specify the Name of Security Level.
• Select Owner in the field “Use Basic Facilities of”.
• Specify the value for Days allowed for Back Dated vouchers (the number of days the user is allowed to go back to enter vouchers from the date of last entry).
• Specify the value for Cut-off date for Back Dated vouchers (the last date up to which the user can go back to enter transactions), e.g. 31.03.2014 if books are finalized till this date.
• In the Disallow the following Facilities column, specify the Type of Access
  o (i.e. Full Access, Alter, Create, Create/Alter, Display, Display/Print etc.)
• In the field Allow the following Facilities, specify the required details.
• Save the screen.

Tally.ERP 9 allows you to create any number of levels.

• Select Users and Passwords under the Security Control.
• Specify the Name of the user, password and level.
• Save the screen.

Create Users and Passwords

• Use Alt+F3 to view the Company Info menu.
• Press Enter on Security Control and a sub-menu is displayed as shown in Fig 3.1.40.

Fig. 3.1.40 Security Control


• The menu allows you to define access under Users and Passwords.
• User Name: Preethi.
• Password: preethi.
• Security Level: Owner.

Enter the other information as shown. The List of Users of Company screen is displayed as shown in Fig 3.1.41.

Fig. 3.1.41 List of Users for Company

• Press Y or Enter to accept.

3.3.2 Types of Security

In the Security Control menu, click Types of Security. The screen is displayed as shown in Fig 3.1.42.

Fig. 3.1.42 Security Levels for Company

• Under List of Security Levels, the default values are Data Entry, Tally.NET User and Tally.NET Auditor.



• Press the Down Arrow Key to create a new security level.
• Enter Preethi in the List of Security Level field.
• Press Enter to view the Security Levels screen.

3.3.2.1 Name of Security Level By default, the name (Preethi) is displayed, which you have created. Press Enter to go the Level Definition screen, where the following fields are displayed. Use Basic Facilities of By default, this field displays Owner. However, the other option, i.e., Data Entry is also available. The list does not display when you are at the field. Press O and begin to type the word for the list to display. 

Select Owner from the Security List.

Days Allowed for Back-Dated Vouchers

This is the number of days for which users at this level are allowed to alter back-dated vouchers. Zero means back-dated vouchers are not allowed. The setting takes effect only if back-dated entries are disallowed in the Disallow column.

Retain the default of 0.

Cut-off date for Back-Dated Vouchers

Specify the date before which users of this profile or security level cannot create or alter vouchers. This is an additional control over the Days Allowed setting above. It is useful where, for example, you have completed your tax assessment for a period and no changes are desired in the data for that period.

Leave blank.

Allow to Connect Company

If this option is set to Yes, users under this security level can connect to a Company that has a valid Tally.NET subscription.

Use Tally.NET Authentication

Set this option to Yes when creating a security level for remote login users. It should be set to No for local users.

Use Tally.NET Auditor Authentication

If this option is set to Yes, the auditor can access the client's data remotely and perform an audit. A user who does not hold the auditor's licence cannot perform an audit merely because this option is set to Yes. The Tally.NET options appear in the Security Levels screen only when the Tally.NET features are activated in F11: Tally.NET Features.

The rest of the screen is divided into two broad columns, each with two sub-columns. The left column disallows access to the various options of the system, while the right column grants access for different facilities.

ADVANCE INFORMATION TECHNOLOGY TRAINING

The sub-columns are Type of Access and List of Reports under both the Allow and Disallow facilities. Enter the Type of Access you wish to give and the option to be controlled. Once the entries are complete, select End of List in the Type of Access field to finish the allocation. Once the settings have been entered, the Level Definition screen is displayed as shown in Fig 3.1.43.

Fig. 3.1.43. Security Level Definitions

Accept the above settings and the Security Levels for Company screen is displayed. Follow the same procedure to create another security level, or accept and return to the Security Control menu.

Only the Administrator can assign users and their passwords.
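The two back-dated voucher controls above (Days Allowed and Cut-off date) are easy to misconfigure, so here is the decision logic written out as an added example. This is illustrative code, not Tally's own implementation: the level fields are modelled from the text, the boundary rule (a voucher dated strictly before the cut-off is frozen) is an assumption taken from the wording "dates before which", and the weak versus hardened Data Entry profiles are constructed to show what a generous setting leaves open.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Constructed model of the Level Definition fields described in the text.
# Not Tally code; field semantics are an assumption made for this example.


@dataclass(frozen=True)
class SecurityLevel:
    name: str
    days_allowed_back_dated: int          # 0 = back-dated vouchers not allowed at all
    cutoff_date: Optional[str] = None     # ISO date; None = no period is frozen
    disallow_back_dated: bool = True      # the Disallow-column entry that makes the day limit effective


def voucher_allowed(level: SecurityLevel, voucher_date: str, today: str) -> Tuple[bool, str]:
    """Decide whether a user at `level` may create or alter a voucher dated `voucher_date`.

    Dates are ISO strings (YYYY-MM-DD). Returns (allowed, reason). The cut-off is
    checked first because it is the stronger control: it freezes a closed period
    regardless of how many days of back-dating the level otherwise permits.
    """
    vd, td = date.fromisoformat(voucher_date), date.fromisoformat(today)
    # Assumption: "dates before which ... cannot create or alter" means strictly before.
    if level.cutoff_date is not None and vd < date.fromisoformat(level.cutoff_date):
        return False, f"period closed: dated before cut-off {level.cutoff_date}"
    if vd < td and level.disallow_back_dated:
        age_days = (td - vd).days
        if level.days_allowed_back_dated == 0:
            return False, "back-dated vouchers not allowed at this level"
        if age_days > level.days_allowed_back_dated:
            return False, f"{age_days} days back exceeds the {level.days_allowed_back_dated}-day limit"
    return True, "allowed"


# Constructed profiles. The weak one leaves a whole year open and never freezes the
# finalised period; the hardened one allows a week of corrections and locks everything
# before the finalised date 31.03.2014 used as the example in the text.
DATA_ENTRY_WEAK = SecurityLevel("Data Entry (weak)", days_allowed_back_dated=365)
DATA_ENTRY_HARDENED = SecurityLevel("Data Entry (hardened)", days_allowed_back_dated=7,
                                    cutoff_date="2014-03-31")
OWNER = SecurityLevel("Owner", days_allowed_back_dated=0)   # default of 0 retained as in the text


def compare_levels(voucher_date: str, today: str) -> dict:
    """Evaluate one voucher date under every constructed level; returns {level name: allowed}."""
    return {lvl.name: voucher_allowed(lvl, voucher_date, today)[0]
            for lvl in (DATA_ENTRY_WEAK, DATA_ENTRY_HARDENED, OWNER)}


if __name__ == "__main__":
    for vd in ("2014-03-30", "2014-06-01", "2014-06-08"):
        print(vd, compare_levels(vd, "2014-06-10"))
```

Run on 10 June 2014, a voucher dated 30 March 2014 is accepted by the weak profile and refused by the hardened one; a voucher nine days old is refused by the hardened profile on the day limit alone. Reviewing an installation, the two values to read off each level are exactly these: how many days back the level reaches, and whether a cut-off freezes the finalised period at all.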


3.3.3 Password Policy

Fig 3.1.44 Password policy for company

The password policy feature allows the administrator to set controls on how other users' passwords are chosen and used. As the figure shows, several such controls are available. Note that the walkthrough credentials above (user name Preethi, password preethi) are for demonstration only: a password that repeats the user name is trivially guessable and is exactly what a password policy should reject.

3.3.2.2 TallyVault

Tally.ERP 9 offers a data encryption option called TallyVault, with which you can encrypt the company data by setting a password. It is extremely important not to forget the TallyVault password: the data cannot be read without it and no recovery route is described here, so forgetting it can leave users in serious trouble.

Activate TallyVault

You can activate the TallyVault facility at the time of creating a new Company or when altering an existing one.

For a new Company: Go to Company Info. > Create

Enter the Name of the Company and other related details



Enter the Tally Vault Password and repeat the same



Save the screen

For an existing Company: Go to Company Info. > press Alt+F3 (Cmp Info) > Change TallyVault

Type New Password and repeat



Save the screen

Fig. 3.1.45. Change TallyVault Password

3.3.2.3 Tally Audit Feature

The Tally Audit feature lets the administrator check the accuracy and correctness of the entries made by authorised users, and alter them if required. Once entries have been audited, Tally.ERP 9 displays every entry that is subsequently altered, with the name of the user who altered it and the date of alteration. The audit trail is also available in the Day Book, where the administrator can view the alterations made.

To activate Tally Audit

You can activate the Tally Audit feature while creating the Company. If the company already exists, go to Gateway of Tally > press Alt+F3 (Cmp Info) > Alter

Select company from List of Companies



Set the feature Use Security Control to Yes



Specify the Administrator Name & Password



Repeat the entry of the password



Activate the parameter Use Tally Audit Features to Yes



Save the entries made in the Company Alteration screen


Fig. 3.1.46. Company Alteration screen – Audit Features

To effect the changes, shut the company Universal Enterprises and open it again. To audit Transactions / Masters (Login Tally.ERP 9 as an Administrator) Go to Gateway of Tally > Display > Statements of Accounts. The menu is displayed as shown in Fig 3.1.47.

Fig. 3.1.47 Tally Audit Path

Select Tally Audit



Select Voucher Types, Masters or Users.



View the vouchers that are not audited.



Select F7 (Accept one) and audit an entry or select Alt+F7 (Accept all) to audit all entries.

The Tally Audit Listing screen is displayed as shown in Fig 3.1.48.

Fig. 3.1.48 Tally Audit Listing Screen

To audit entries that have been altered

If an audited entry is altered by another user, Tally.ERP 9 displays the entry again in the Tally Audit report.

Click F12: (Configure), set the parameter Show Entered / Altered By to Yes.

You will find a list of all entries that were altered, with the names of the users who entered or altered them and the date of alteration. Verify this list in a disciplined way so that it is periodically cleared and only vouchers of concern remain. To view the Ledger Audit list, select Masters from the Tally Audit menu. A screen showing the ID (identification number) and name of each ledger is displayed. Make changes to any two ledger accounts; these changes are reflected in the list of new or altered ledger accounts. Notice that their IDs do not change, which is useful for tracking ledgers, and that the user who changed each account and the date of the change are shown. If you are satisfied with the changes made to a ledger, press F7: Accept One or Alt+F7: Accept All. This accepts the ledger as valid and removes the old version from the list.
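The behaviour the Tally Audit listing is described as having (an accepted voucher reappears once anyone alters it, with the altering user and date) is a small state machine, and it is worth seeing written out, because it is the same check an auditor would run over any exported change log. The following is an added example, not Tally code or an export format Tally uses: the event shape and the sample events are constructed for the illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List

# Constructed event log standing in for what the Tally Audit listing shows: who
# entered or altered a voucher, when, and whether the administrator accepted it.
# The event shape is this example's assumption, not a Tally format.


@dataclass(frozen=True)
class AuditEvent:
    voucher_id: int
    action: str        # "create", "alter" or "accept" (F7 / Alt+F7 by the administrator)
    user: str
    when: datetime


def replay(events: List[AuditEvent]) -> Dict[int, dict]:
    """Replay events in time order and return the audit state of every voucher."""
    state: Dict[int, dict] = {}
    for ev in sorted(events, key=lambda e: e.when):
        s = state.setdefault(ev.voucher_id, {
            "entered_by": None, "altered_by": None, "altered_on": None,
            "audited": False, "reaudit_required": False,
        })
        if ev.action == "create":
            s["entered_by"] = ev.user
        elif ev.action == "alter":
            # Any alteration re-opens the voucher. If it had already been accepted,
            # this is the case the text says must reappear in the Tally Audit report.
            if s["audited"]:
                s["reaudit_required"] = True
            s["audited"] = False
            s["altered_by"] = ev.user
            s["altered_on"] = ev.when.isoformat(timespec="minutes")
        elif ev.action == "accept":
            s["audited"] = True
            s["reaudit_required"] = False
        else:
            raise ValueError(f"unknown action {ev.action!r} for voucher {ev.voucher_id}")
    return state


def pending_audit(events: List[AuditEvent]) -> List[int]:
    """Vouchers the administrator still has to accept (never audited, or altered since)."""
    return sorted(v for v, s in replay(events).items() if not s["audited"])


def altered_after_audit(events: List[AuditEvent]) -> List[int]:
    """The subset of pending vouchers that were changed after having been accepted."""
    return sorted(v for v, s in replay(events).items() if s["reaudit_required"])


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample: voucher 1 is accepted and then changed by another user,
# voucher 2 is accepted and untouched, voucher 3 has never been audited.
SAMPLE_EVENTS = [
    AuditEvent(1, "create", "preethi", _t("2014-04-02T10:00")),
    AuditEvent(2, "create", "preethi", _t("2014-04-02T10:05")),
    AuditEvent(3, "create", "ravi",    _t("2014-04-03T09:30")),
    AuditEvent(1, "accept", "admin",   _t("2014-04-04T17:00")),
    AuditEvent(2, "accept", "admin",   _t("2014-04-04T17:00")),
    AuditEvent(1, "alter",  "ravi",    _t("2014-04-07T11:20")),
]

if __name__ == "__main__":
    for vid, s in replay(SAMPLE_EVENTS).items():
        print(vid, s)
    print("pending:", pending_audit(SAMPLE_EVENTS), "altered after audit:", altered_after_audit(SAMPLE_EVENTS))
```

The distinction between the two lists is the one the text draws: everything unaudited needs attention, but an entry that was accepted and then altered is the one that deserves a question to the user named in altered_by, which is why the replay keeps the user and date of the last alteration rather than only a flag.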

3.4 Data Management in Tally.ERP 9

3.4.1 Data Backup & Restore

Since the data on a computer is vulnerable, it is important to take regular backups. Tally.ERP 9 has a flexible backup mechanism for backing up data to virtually any storage medium. The commonly used media are CD, DVD, hard disk, pen drive and so on, installed either locally or on a network. Tally.ERP 9 can back up one, several or all companies into a single directory.

3.4.1.1 Backup Data

At the Gateway of Tally, use Alt+F3 to reach the Backup option. In the Backup screen, the source of the backup and the destination (where it is to be stored) have to be specified. To change either the source or the destination path, use the Backspace key and edit the path as required. For example, to back up the data to a directory named TallyBackup on the D drive, change the destination path to D:\TallyBackup as shown.

Fig. 3.1.49. Company Backup - Specification of Destination Path The process of backing up data begins when at least one company is selected. 


Select the company Universal Enterprises.


Fig. 3.1.50 Company Backup - Selection of Company To stop selecting companies, select the option End of List which appears at the top of the selection list. This option is active only when at least one company has been selected for backup.

Fig. 3.1.51. Company Backup screen - Completed screen


Press Y or Enter to accept the screen.



The backup file is stored with the name TBK900.001.

3.4.1.2 Backup Administration

An appropriate backup mechanism needs to be devised depending on the volume of data. One method is to maintain a backup directory on the local hard disk or the server, or on external media such as a pen drive or external hard disk. Sub-directories could be maintained for every day of the week under the main backup directory, and regular backups taken according to the day of the week, for example: Monday - D:\TallyBackup\Monday; Tuesday - D:\TallyBackup\Tuesday; Wednesday - D:\TallyBackup\Wednesday, and so on. A backup kept only on the same disk as the live data gives no protection against the failure or loss of that disk, so at least one copy should be kept on a different machine or medium, and a restore should be tested periodically to confirm that the copies are usable.

Tally.ERP 9 backup facility is NOT limited to the hard disk drive alone.

3.4.1.3 Restore data

Go to Gateway of Tally > Alt+F3 > Restore

Select Destination (specify path)



Select Source (specify path)



Select the Company / Companies for data restore



Save the screen.
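The weekday rotation from 3.4.1.2, with the one addition a practitioner wants before relying on 3.4.1.3: a SHA-256 manifest written into each backup directory so that a copy can be verified before it is restored. This is an added example and not part of the original material or of Tally.ERP 9; the backup root, the weekday directory names, the manifest file name and the sample files are this example's assumptions, and the sample data is constructed, not real Tally data.

```python
import hashlib
import shutil
import tempfile
from datetime import date
from pathlib import Path
from typing import List, Tuple

MANIFEST = "MANIFEST.sha256"   # written into every backup slot; the name is this example's choice


def weekday_backup_dir(root, on: date) -> Path:
    """Root plus weekday name, e.g. D:/TallyBackup/Monday (pathlib makes it portable)."""
    return Path(root) / on.strftime("%A")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_company(data_dir, root, on: date) -> Path:
    """Copy the company data folder into this weekday's slot and record a hash manifest.

    The slot is replaced, so after a week each weekday directory holds the most
    recent backup taken on that day, which is the rotation the text describes.
    """
    dest = weekday_backup_dir(root, on)
    if dest.exists():
        shutil.rmtree(dest)
    shutil.copytree(data_dir, dest)
    lines = [f"{sha256_file(p)}  {p.relative_to(dest).as_posix()}"
             for p in sorted(dest.rglob("*")) if p.is_file()]
    (dest / MANIFEST).write_text("\n".join(lines) + "\n")
    return dest


def verify_backup(dest) -> List[str]:
    """Recompute every hash in the manifest; returns problems (empty list = backup intact)."""
    dest = Path(dest)
    problems = []
    for line in (dest / MANIFEST).read_text().splitlines():
        digest, rel = line.split("  ", 1)
        f = dest / rel
        if not f.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(f) != digest:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> Tuple[str, List[str], List[str]]:
    """Run one backup cycle on constructed data in a temp dir; returns (slot, clean, tampered)."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "Data" / "10000"
        data.mkdir(parents=True)
        # Constructed sample files; the names only mimic a data folder, the contents are not Tally's.
        (data / "Company.900").write_bytes(b"constructed sample, not real Tally data")
        (data / "Tranmgr.900").write_bytes(b"constructed voucher store")
        dest = backup_company(data, Path(tmp) / "TallyBackup", date(2014, 6, 9))   # 9 June 2014 is a Monday
        clean = verify_backup(dest)                         # nothing changed yet
        (dest / "Tranmgr.900").write_bytes(b"silently changed")
        tampered = verify_backup(dest)                      # the manifest now disagrees
        return dest.name, clean, tampered


if __name__ == "__main__":
    print(demo())
```

The manifest is the part that makes the restore step trustworthy: a backup that copies cleanly but whose files have been corrupted or altered since will fail verify_backup with the offending file named, which is cheaper to learn before a restore than after. Storing the manifest somewhere other than the backup itself would additionally defeat an attacker who can rewrite both, but that is beyond what the text sets up.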

Fig. 3.1.52. Company Restore Screen

3.4.2 Splitting Financial Years

Tally.ERP 9 allows you to maintain a company for any number of financial years. Once the books of accounts for previous financial years are complete and the need arises, you can split the company data into multiple companies according to the financial periods required. You specify the date from which the company is to be split, and Tally.ERP 9 splits the company into two new companies according to the periods specified. Once the data has been split, the closing balances of the first period (first company) become the opening balances of the next period (second company). To split the data:

Load the company that has to be split.



Select Alt+F3 (Cmp Info) > Split Company Data.



Select Company.



Specify the date in Split from (this is the starting date of the new period)



Save the screen.

Tally.ERP 9 splits your company data according to the specified periods.

Fig. 3.1.53 Splitting of Company Data Screen Before actually splitting of company data into two parts, one can verify the company data for any possible errors. A separate menu “Verify Company Data” is given for this purpose. A company shall be split successfully only if there are no errors in the data.
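The two rules the text states for a split (the first period's closing balances become the second period's opening balances, and a split is refused while the data has errors) carried through on a constructed ledger, as an added example. This is not Tally's own split or Verify Company Data logic, neither of which the text describes: the voucher model is an assumption, the balance check (every voucher's debits and credits must net to zero) is this example's stand-in for the verification step, and carrying every ledger's balance forward, including income and expense ledgers, is the simplification the text itself states rather than a year-end close to reserves.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed voucher model: a date, a narration and ledger lines with signed amounts
# (debit positive, credit negative). Illustrative code, not Tally's data model.
Voucher = dict   # {"date": "YYYY-MM-DD", "narration": str, "lines": [(ledger, amount), ...]}


def verify_company_data(vouchers: List[Voucher]) -> List[str]:
    """Return one message per voucher whose debits and credits do not net to zero."""
    errors = []
    for v in vouchers:
        total = sum(amount for _, amount in v["lines"])
        if total != 0:
            errors.append(f"{v['date']} {v['narration']}: out of balance by {total}")
    return errors


def ledger_balances(vouchers: List[Voucher]) -> Dict[str, int]:
    balances: Dict[str, int] = defaultdict(int)
    for v in vouchers:
        for ledger, amount in v["lines"]:
            balances[ledger] += amount
    return dict(balances)


def split_company(vouchers: List[Voucher], split_from: str) -> Tuple[List[Voucher], List[Voucher]]:
    """Split at `split_from` (ISO date, the first day of the new period).

    Refuses to split while the data does not verify. The first company keeps the
    vouchers dated before the split; the second starts with an Opening Balance
    voucher carrying every ledger's closing balance from the first period, then
    the vouchers dated on or after the split. ISO strings compare correctly as dates.
    """
    errors = verify_company_data(vouchers)
    if errors:
        raise ValueError("company data has errors, fix before splitting: " + "; ".join(errors))
    first = [v for v in vouchers if v["date"] < split_from]
    later = [v for v in vouchers if v["date"] >= split_from]
    opening = {
        "date": split_from,
        "narration": "Opening Balance",
        "lines": [(ledger, bal) for ledger, bal in sorted(ledger_balances(first).items()) if bal != 0],
    }
    return first, [opening] + later


# Constructed sample across two financial years (amounts in whole rupees).
SAMPLE_VOUCHERS = [
    {"date": "2013-04-01", "narration": "Capital introduced", "lines": [("Cash", 100000), ("Capital", -100000)]},
    {"date": "2013-09-15", "narration": "Cash sale",          "lines": [("Cash", 20000), ("Sales", -20000)]},
    {"date": "2014-02-10", "narration": "Cash purchase",      "lines": [("Purchases", 5000), ("Cash", -5000)]},
    {"date": "2014-05-05", "narration": "Cash sale",          "lines": [("Cash", 7000), ("Sales", -7000)]},
]

if __name__ == "__main__":
    first, second = split_company(SAMPLE_VOUCHERS, "2014-04-01")
    print("first period closing:", ledger_balances(first))
    print("second period opening voucher:", second[0])
```

Because the opening voucher is built from balances that themselves came from balanced vouchers, it nets to zero as well, so the second company verifies on its own; that invariant is the reason the verification has to run before the split and not after.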

3.4.3 Import / Export of Data

Tally.ERP 9 allows you to import data from, and export data to, other software. You can import and export in ASCII, Excel and XML formats. XML is now the most widely used format for exchanging data. Any transaction can be exported to another application, provided that application's structures are suitably altered to accept Tally.ERP 9 data. The reverse is also possible with the help of a TDL program that accepts data from other software. Data can be imported into Tally.ERP 9 in either XML or DBF format.

Export Tally.ERP 9 Reports to MS Excel

Tally.ERP 9 can export any report it generates to a Microsoft Excel spreadsheet. Subsequently, you can generate graphical representations of the data for better visual presentation. The export process is explained in a few simple steps below. Go to Gateway of Tally > Balance Sheet. The screen shown in Fig 3.1.54 is displayed.

Fig. 3.1.54. Export Option in Tally.ERP 9 

Click Export.



Select Restricted (ASCII only).



Select Excel (Spreadsheet) in Format.



Type the name of file for Output File Name as required.



Specify other details.


Fig. 3.1.55. Report Generation Screen for Excel 

Click Yes for Export.

By default, the exported report in Excel format is saved in the Tally.ERP 9 folder. Open this file to view the report. Note that an exported file is an ordinary spreadsheet outside the protection of TallyVault and the security levels, so it should be stored and shared with the same care as the books themselves.

Fig. 3.1.56. Report in Excel Imported from Tally.ERP 9


CHAPTER 4. E-FILING

LEARNING OBJECTIVES

 eVAT Returns in Tally.ERP 9
 eTDS in Tally.ERP 9
 eTCS in Tally.ERP 9

E-Filing of Returns refers to the process of electronically filing your tax returns through the Internet.

Salient Features of eFiling 

Reduces compliance cost for deductors



Offers convenience of time & place to tax payers



Reduces interface between assessee and tax officials



Helps to correlate deduction of taxes against deposit of the deducted tax in the Government A/c



Helps to correlate deduction of tax by the deductors with the corresponding credits claimed by the deductees

Tally.ERP 9 provides e-Filing capabilities for the following Statutory compliances:

eVAT Returns



eTDS Returns



eTCS Returns

4.1 eVAT Returns

There are two ways of filing eVAT Returns, namely:

Return Online: Fill up the details online and submit returns



Upload as Excel File: press Alt+E from the required Return/Form/Annexure to export it to .xls format and then upload the file

Go to Gateway of Tally > Display > Statutory Reports > VAT Reports > E-VAT Annexures > EVAT Purchases


Fig. 4.1.1. eVAT Purchases Exporting screen The exported file will be saved in the path specified in the output file name. Similarly, you can export other annexures required for eFiling.

4.2 eTDS Returns

Tally.ERP 9 allows you to export the eTDS forms in NSDL-compliant formats and also facilitates printing of the TDS forms in physical form. The eTDS forms available in Tally.ERP 9 are Form 26, Annexure to 26, Form 27, Annexure to 27, Form 26Q, Annexure to 26Q, Form 27Q and Annexure to 27Q.

Export ETDS Forms To export ETDS Forms, go to Gateway of Tally > Display > Statutory Reports > TDS Reports > E-Return

Fig. 4.1.2 TDS E-Return Menu 

Select E-TDS and press Enter, the eTDS Forms menu is displayed.


Fig. 4.1.3 eTDS Forms Menu 

Select 26Q and press Enter



In the Exporting eTDS Forms Printing configuration screen, enter the required information as shown in Fig 4.1.4

Fig. 4.1.4 eTDS Forms Printing Configuration screen 

Press Y or Enter to export eTDS Form 26Q

The exported file will be saved in the path specified in the output file name. The file can be validated with NSDL's freely downloadable File Validation Utility, which checks whether the eTDS return prepared by the deductor conforms to the prescribed format. For more details, refer to NSDL's website (http://www.tin-nsdl.com/eTDSfvu.asp). Similarly, you can export other eTDS forms.

4.3 eTCS Returns Tally.ERP 9 allows you to export the ETCS Forms in NSDL compliant formats. The ETCS forms available in Tally.ERP 9 are Form 27E and Form 27EQ. Export ETCS Forms To export ETCS Forms, go to Gateway of Tally > Display > Statutory Reports > TCS Reports > ETCS Forms 

In the Exporting eTCS Forms Printing configuration screen, enter the required information as shown in Fig 4.1.5.

Fig. 4.1.5 Exporting eTCS Forms 

Press Y or Enter to export eTCS Form 27EQ

The exported file will be saved in the path specified in the output file name. The file can be validated with NSDL's freely downloadable File Validation Utility, which checks whether the eTCS return prepared by the collector conforms to the prescribed format. For more details, refer to NSDL's website (http://www.tin-nsdl.com/eTDSfvu.asp). Similarly, you can export other eTCS forms.

UNIT 6: OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE

CHAPTER 1. IT APPLICATION IN CA’s OFFICE

LEARNING OBJECTIVES

 Understand the nature of services provided by a CA firm
 Understand what office automation is
 Understand the importance of automation in a CA firm
 Understand the key applications used in a CA firm
 Understand how to use office automation software for performing various tasks relevant to the services provided by a CA in the areas of accounting, assurance and compliance
 Understand how to use e-Filing applications for various regulations like VAT, IT, Service tax, ROC, etc.
 Understand the controls which can be configured for known risks
 Understand the applications available to CAs for meeting their day-to-day requirements

TASK STATEMENTS

 Understand the types of services provided by a CA firm and correlate them to the applications used in a CA’s office.
 Use K-DOC software to create systematic records of documents, email, templates and a knowledge base for easy reference and re-use.
 Use e-Secretary software, a Contact Management and Correspondence Automation & Tracking Solution.
 Use office applications for carrying out the various services provided by a CA firm.
 Use ICAI-ROC software to manage secretarial requirements and generate forms as per MCA 21 requirements.
 Auto-file e-returns, share records, minutes & meetings, resolutions, annual return forms, maintenance of registers etc.

KNOWLEDGE STATEMENTS

 Office applications help CAs to provide services in an efficient and effective manner.
 ICAI-ROC software contains pre-defined forms and templates as per the requirements of MCA. This helps to meet statutory requirements efficiently.
 K-DOC software helps management to retain soft copies of the working papers in a secure manner. It also retains links to the hard-copy working papers.
 eSecretary software helps CAs to maintain contacts and templates for various correspondence, print labels & envelopes and send individual mails to clients in bulk.

Now, let us go through the above in detail.

1.0 Nature of Services provided by a CA Firm

A CA firm is a firm of CAs who render professional services to clients for a fee. It is important to understand the nature of the services provided, as the IT applications used will depend on them. The key services provided by a CA firm are:

1.1 Auditing
  1.1.1 Statutory audit
  1.1.2 Internal / Management audit
  1.1.3 Tax audit
1.2 Taxation related services
1.3 Advisory / consulting services in:
  1.3.1 Corporate finance and Merchant Banking
  1.3.2 Information Technology
    (a) Identification of suitable ERP
    (b) Identification of ERP implementation partner
    (c) ERP implementation
    (d) ERP post-implementation review
    (e) Information Systems (IS) Audit
  1.3.3 Company Law matters
1.4 Others
  1.4.1 Investigation or forensic services

Let us discuss each of these services briefly:

1.1 Audit

Audit is a methodical examination and review of the books of account, policies, procedures etc., followed by the issue of an opinion. Management is responsible for preparing and maintaining the books of accounts, whereas the auditor is responsible for reviewing and issuing an opinion on the financial statements. The following three types of audit are regularly performed by CAs:

1.1.1 Statutory Audit Shareholders invest their money in the corporate entity while the day to day operations are managed by the Board of Directors (BOD). Those who run the business with shareholders’ money are accountable to them. Hence, there is need of an independent agency that verifies the books of account and provides report to the shareholders commenting on the true and fair view of the state of affairs of the business. Such independent agency is called statutory auditor.

All companies registered under the Companies Act, 1956, whether public or private and whether having a share capital or not, are required to maintain proper books of accounts under section 209 of the Act, and to get their books of accounts audited as required under section 224. These are mandatory requirements under the Companies Act. The key points to note with respect to statutory audit are:

The statutory auditor is appointed at the Annual General Meeting (AGM) and holds office till the conclusion of the next AGM.



Statutory audit is carried out as per the applicable accounting standards and auditing standards.



The main objective of the statutory audit is to get an opinion on the financial statements of the organization stating whether the financial statements are giving true and fair view of the affairs of the organization.



The scope of the statutory audit is defined by the Companies Act and cannot be altered by mutual consent of the auditor and management.



Qualifications of the statutory auditor are prescribed in the Companies Act, 1956.

The financial statement audit is critical as it informs stakeholders about the state of affairs of the company, all the more so after the series of frauds that have come to light in recent years.

1.1.2 Internal Audit

As per the Institute of Internal Auditors (IIA), internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes. The internal auditor is appointed by the management of the organization, and the scope of the audit is determined by mutual consent of the auditor and management. There is no fixed qualification for an internal auditor. The main purpose of internal audit is to ensure compliance with the policies and procedures of the organization and to gain assurance on the following:

Financial reporting



Operations of the organization



Compliance with the applicable rules and regulations

An internal auditor follows a risk-based approach: a risk assessment is performed and key risks are identified at both the entity level and the process level. These key risks are validated with the key stakeholders and the audit universe is defined. It is not possible to audit all risks in one year, so the risks are prioritised and an audit calendar is drawn up specifying the audit areas and timing. The internal auditor performs audits as per the calendar and provides the following in the internal audit report:

Design and operating deficiencies observed in the policies and processes of the organization.


Root cause for the gaps observed



Risk / implications of the gaps noted



Recommendations to mitigate the risks emanating from the observations noted

The internal auditor therefore plays a crucial role: he is not just an auditor but also an advisor, expected to recommend how to plug the gaps. These gaps may lie in the policies or processes of the organization or in the IT infrastructure and applications used by management. In view of this, it is critical for the internal auditor to be knowledgeable about the basics of IT.

1.1.3 Tax Audit

As per Section 44AB of the Income Tax Act, every person carrying on a business or profession is required to get his accounts audited by a chartered accountant before the "specified date" and furnish the audit report by that date, if the total sales, turnover or gross receipts exceed Rs.60 lakhs in the case of a business, or gross receipts exceed Rs.15 lakhs in the case of a profession.

1.2

Taxation related services

CAs have good knowledge of taxation and provide services relating to direct taxes (such as the Income Tax Act) and indirect taxes (such as sales tax and service tax). CAs also help management with effective tax planning, thus minimising the incidence of tax. Further, CAs prepare and submit tax returns and represent their clients before the taxation authorities for assessments, appeals etc. At times, the services of CAs are also engaged by the tax department to audit taxation cases, especially where the department believes revenue is escaping assessment and lacks the internal capability to verify this.

1.3

Advisory / consulting services

In today’s complex and dynamic business environment, CAs provide following key consulting / advisory services:

1.3.1 Corporate Finance and Merchant Banking

A CA has good knowledge of accounts, finance and taxation and plays an advisor / consultant role to organizations, especially small and medium organizations that do not have their own team and take the help of external practising CAs for the following:

Arranging working capital / cash credit limits from banks



Credit syndication



Private placement (of both shares and debt instruments)



Arranging Inter Corporate Deposits (ICDs)



Discounting of bills



Lease syndication



Sale and Lease back


Prepare feasibility / Project Report



Perform Financial Due Diligences and report on the financial health of the investee company so that investor can make an informed decision about investment



Structure the Merger and Acquisition deal - how the acquirer should pay the amount to seller / investee company



Business restructuring



Advisor to clients for Public issue of securities – this involve in-depth knowledge of the guidelines, rules and regulations of Securities and Exchange Board of India (SEBI).

1.3.2 Company law / legal matters 

Setting up of New Company



Setting-up of units in Software Technology Park of India



Advisory on Foreign Exchange Management Act (FEMA)

1.3.3 Investigation and Forensic services 

Fraud Awareness workshops



Fraud risk assessments

1.3.4 Information Technology

Service offerings from CAs in the IT domain have gained momentum since the mid-1990s. CAs have good knowledge of business processes and, with training on the ERP application, are able to provide the following services:

(a) Identification of suitable ERP

Selecting the right ERP is not an easy job; it needs a good understanding of the organization's requirements and of the features available in different ERPs. Many organizations choose an ERP solely because the same one has been, or is being, implemented by a competitor. Choosing the right ERP is a very critical decision because of the time and money involved in implementing it. With multiple ERPs in the market, management is often confused as to which is most suitable, because almost every ERP vendor claims to meet management's needs. CAs who have good knowledge of the client's business and processes study the requirements and advise management on which ERP meets most of them. No ERP will meet all the needs of an organization; management should select the ERP for which the gap between business requirements and available functionality is smallest.

(b) Identification of ERP implementation partner

Once an ERP has been identified, the next question is who should be the implementation partner, since management cannot implement the ERP itself: each ERP is unique and has its own navigation and setups. The CA understands the nature of the client's industry and processes, as well as the ERP and the modules the client has selected for implementation. For selecting the appropriate implementation partner, the following are evaluated:

Application name and modules to be implemented



Overall implementation experience of the implementation partner



Implementation experience of the implementation partner in relevant industry



Approach and methodology to be adopted



Success or failure of the implementation partner in the past



Cost of licenses and Implementation fees charged by implementation partner

After analysing the above, the implementation job should be awarded to the partner whose approach is best, who has a good success ratio in the past and whose costs are balanced.

(c) Implement ERP

This is a very specialised service. The CA must have in-depth knowledge of the ERP and its configurations / setups, and must understand the industry and the company's processes. A team of consultants is required to implement any ERP, since no single person can master all modules of an ERP. Some ERPs are so modular that a separate consultant is required for every module, while in others fewer consultants are needed because one person can implement multiple modules. As part of the implementation, the CA performs the following key tasks:

(i) Understand the current (AS IS) process
(ii) Define the To-Be process
(iii) Map the To-Be process in the application and identify gaps
(iv) Determine the level of customisation required
(v) Train the key users
(vi) Prepare the data migration plan to migrate data from the legacy application to the selected ERP
(vii) Perform a pilot run
(viii) Migrate data
(ix) Go-live
(x) Post-live support

It should be noted that the success of an implementation is measured not just by the go-live date but by how well the management team is able to sustain the ERP after implementation.

(d) Post implementation review

While implementing an ERP, the primary focus is to go live. In the process, the access rights granted to various users may not be in line with their job roles and responsibilities, and certain default configuration settings / setups may be left enabled that pose control weaknesses. Considering this, management is advised to get a post-implementation review done. CAs are well placed to offer this service as they understand the roles and responsibilities of the various users in the organization and can therefore identify the vulnerabilities arising from excessive access rights assigned to certain users or from a lack of Segregation of Duties (SoD). Further, as stated above, each configuration setting / setup has implications, so it is very important to review the key configuration settings during the post-implementation review. Some of the key steps performed as part of the post-implementation review are:

Understand the business process of the company



Understand how the business processed are mapped in the application



Identify control objectives and risks



Identify the mitigating controls



Review the configuration settings / setups



Review access rights



Identify the control deficiencies



Provide recommendations (correct configuration settings / setups)

(e) Information Systems (IS) audit

This covers not only the ERP system but the entire IT architecture, including the database, servers, application, operating system etc. The auditor has to understand the IT architecture, map the business processes and then critically evaluate the risks applicable to the IT and the mitigating controls in the form of configuration settings, setups, parameters etc.

Reviewing the services provided by a CA firm, knowledge of Information Technology (IT) is important for a CA in all but a few services such as company law matters and taxation matters. Let us look at some of the reasons why a CA should have good knowledge of IT:

(i) Wide use of IT applications at client locations

Providing the above services is a massive task requiring the effort of teams specialising in audit, tax, information systems etc. Today, almost every business house uses complex IT applications. In audits, it is very important for the CA to understand the application, map the process and then identify the control weaknesses. In statutory audits, this helps the auditor evaluate whether reliance can be placed on the controls; otherwise he or she will have to perform substantive audit procedures, which are time consuming. In internal audit, management expects the auditor to identify both business and technology risks: key control weaknesses due to inappropriate configuration settings / setups, access rights and Segregation of Duties, together with recommendations to improve them. This is only possible if the auditor has a good understanding of IT.

ADVANCE INFORMATION TECHNOLOGY TRAINING

OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE

There are certain industries (like Telecom) which are technology heavy, and it is very difficult for the auditor to audit them while ignoring the IT applications. For example, there are millions of recharge transactions of small denominations (in the case of prepaid customers) or millions of invoices of small denominations (in the case of postpaid customers). It is humanly not possible for the auditor to verify such transactions manually. Further, even if he test checks a sample, he cannot get comfort on the whole population of transactions. He has to review the applications and verify the application controls.

(ii) Engagement documentation

Depending upon the type of engagement, there would be a lot of documentation which would need to be stored considering the relevant rules and regulations. An auditor provides an audit opinion in the case of statutory audit and assurance on internal controls in the case of internal audit. In either case, he has to retain the documentary evidence supporting the work performed and the report issued. Today most of the documentary evidence obtained is digital in nature. Hence, it is very difficult to manually perform the various tasks / provide the services and retain the documentation effectively. Automation helps CAs to provide the above said services efficiently and effectively.

2. Office Automation

2.1 Meaning of Office automation

There is no prescribed definition of office automation. It refers to the use of various applications in the office to create and store documentation / information in soft copy format, the use of software / applications to automatically perform tasks (accounting, preparing trial balance, financial statements etc.) and the electronic transmission of data or information to others through internet / telecommunications technology like email, fax machines etc. It should be noted that the degree of automation of office equipment may vary from organization to organization. Work performed by human beings may be automated, manual or semi-automatic. Office equipment helps the staff to perform the services in an efficient and effective manner. The extent of automation depends on the need and the financial budget of the organization. Today, even a small firm uses Personal Computers (PC) and printers with certain basic software / applications like Microsoft Word, MS Excel, MS PowerPoint etc. for day to day routine work. With this, the typewriters used in the past have been done away with.

IT APPLICATIONS IN CA’s OFFICE

2.2 Evolution of Office automation

Office automation has evolved over a period of time. It started with the use of certain basic equipment like typewriters for typing official letters, copy machines for copying documents and fax machines to send written messages to business partners. Slowly, with the advancement of technology and the internet, sophisticated applications evolved which helped management to efficiently manage the business. There are various types of office automation and the purpose of each of the machines is different. Today’s business environment is much different from earlier times. For example, till around 2007, CAs used to file manual tax returns. They used to perform a lot of calculations manually or with the help of some applications, but the tax returns were filled in and submitted manually in the respective department. Today, there are sophisticated applications where they input the required details. The system computes the taxable income, calculates the liability and also electronically submits the income tax return. The CA or his staff need not visit the income tax department to submit the return. Further, for transmitting information or documents, it is not necessary to take a print out and send it by courier or over fax. Data / documents in electronic form can be sent by email. This saves a lot of staff time and brings efficiency. Considering today’s business environment, office automation is not limited to typing or copying documents but also includes the following:

• Capture the data in the applications by way of scanning or manually punching the data
• Perform calculations and handle numerical data in a database or in Excel sheets
• Word processing
• Task management
• Electronic approval of transactions
• Storing the data in electronic / digital form
• Electronically transmit the information or documents

2.3 Important aspects to be considered for office automation

(a) Common network

The various applications deployed should be on the same network, as employees in the office can access all the automated applications provided they are on the same network. If not, employees on different networks will have to log in separately to process data. This will be complicated both for the employees and for the IT team that has to maintain the IT.

(b) Integration

Office equipment may not be effective if it is stand alone. Integration is the key to achieving efficiency so that various tasks can be performed with minimum intervention of the staff. However, it may not always be possible for all the office equipment / applications to be integrated, as they are made by different manufacturers and may also be using different technology. In such cases, there should be some interface between the various applications so that data can be transmitted between them automatically or with minimum intervention of the employees. Else, employees will have to feed the data manually, which is onerous and prone to human error.

(c) Training

As the applications are made by different manufacturers and may be using different technology, it is important that employees are trained to use the equipment / applications. Else, the organization may not be able to realize the benefits of automation and the investment in office automation equipment would be wasted. This is commonly seen in various organizations. For example, management has invested in a sophisticated printer cum copying machine which can scan a document and automatically email it to the concerned person, print the document and automatically staple the printed pages etc. However, employees normally rely on the help provided by the person standing at the copy machine rather than taking an interest in learning the features of the machine and how to use it. In such situations, it is observed that employees scan the document, take the file on a pen drive and then send the mail with the scanned copy of the document as an attachment. Further, employees print the document and then look around for a stapler to staple it. Considering the above, training the employees on the office applications is important.

(d) Security

Security of the office applications and the data / information contained therein is of utmost importance. Else, data may get into the hands of the wrong persons and may be utilized by them for their personal benefit. Hence, security of the applications should be ensured. We will discuss this later in detail.

(e) Automation of all / key services

All services offered by the firm should be covered by automation, or at least the key services. For example, if resource allocation and scheduling is automated for the audit team but not for the tax services team, it will be difficult to track the time availability of employees, especially those who are involved in both the services.

(f) Access rights

Access to the automated office equipment / applications should be defined on the basis of need to know and need to do.

3. Applications used in CA’s office

Considering the nature of services provided by a CA firm, the following software and hardware equipment are required in a CA’s office:

Software

(a) Client Management
(b) Resource allocation and scheduling
(c) Financial Accounting
   (i) Sales module
   (ii) Purchasing module
   (iii) Accounts Receivable (AR) module
   (iv) Accounts Payable (AP) module
   (v) General Ledger (GL) module
   (vi) Fixed Assets (FA) module
   (vii) Cash Management / Bank Reconciliation
   (viii) Expense Management
(d) Human Resource (HR) and Payroll
   (i) HR Management System
      • Hiring and recruitment
      • Induction
      • Training
   (ii) Timesheets
   (iii) Payroll
   (iv) Performance Management System
   (v) Benefits administration
   (vi) Leave Management
   (vii) Self Service
(e) Document Management System
(f) Knowledge Management
(g) E-filing

Hardware / infrastructure

• Copy, scanning and printing machine
• Fax machine
• PBX
• Personal Computers (PC) / laptops
• Application server
• Email server
• Network (wired / wireless)
   o Local Area Network (LAN)
   o Wide Area Network (WAN)
   o Metropolitan Area Network

Applications arranged by ICAI

The above stated applications are generally required for any service rendering organization, including a CA firm. However, the cost of such applications is high and small and medium sized firms may not be able to afford it. Hence, ICAI has made certain arrangements with external vendors to provide the following applications for its members:

• ICAI-XBRL software
• Payroll
• Billing and Accounting
• K-DOC
• e-Secretary
• ICAI-ROC
• ICAI Tax Suite

A brief explanation of each of the above said applications / IT components is as follows:

3.1 Software

3.1.1 Client Management

Survival of the firm depends on its services. To be competitive, it is critical for the CA firm to understand the client needs, identify them and track the responses. This is important to gain client confidence and improve it further. It is very difficult to manage this manually, especially where the client is big and has a multi location presence. Technology plays an important role here. Let us understand this in detail.

• Client Needs management

Client needs can be managed and tracked manually on Excel sheets, but this is time consuming and subject to human error. Seamless automation is the need of almost every professional firm to be competitive in the market. There are 3 stages of the sales cycle:

(a) Get needs
(b) Determine solution to client needs
(c) Communicate to client.

Changes would need to be made by the person working on the solution as per the need of the client. The following information may be stored at one place, which helps to speed up the solution process:

• History of the organization, office locations etc.
• Key processes in various industries and associated risks
• Approach and methodology
• Thought leadership document samples
• Brief note on various tools and technologies to be deployed in various types of assignments
• Contact details of employees who worked on the same or similar areas in the past

Following are some of the advantages offered by the Client Management application:

• Avoid duplication: the Client Management application helps management in avoiding duplication of effort, i.e. if an employee is already in touch with a new client, other managers / directors will be able to see the details online. In its absence, various managers / directors may work on the same client need due to lack of communication between employees.

• Easy monitoring and tracking: the details of the client needs and the respective solutions are available in the application. Various reports can be generated to review the client needs / opportunities client wise, city wise, amount wise etc.

• Compliance with the risk management policy: the various parameters of the firm’s risk management policy may be incorporated in the application, whereby each manager / director is responsible for answering the relevant questions as per the risk management policy. The opportunity / solution is submitted to the relevant person as per the final risk rating, and the reviewer is able to see the complete details online.

• Online approval workflow: the application provides the mechanism to approve the solution as per the approval workflow of the organization (depending on the risk perceived in the opportunity). The application also captures the complete audit trail of the solution submitted and approved, with date and time stamp.

• Sharing of revenue between employees: this application also helps management to allocate the revenue to the credit of the right employee, as the application captures who identified the opportunity, who worked on the solution and how the revenue share should be done between the teams / offices working on the client engagement.

This application is operational in nature but is important from the management point of view, as it contains details of all the client needs and opportunities pursued by the firm.

3.1.2 Resource allocation and scheduling

Employees are assets of the firm and their effective utilization determines the profitability of the firm. It is generally observed that employees in professional firms are overloaded as they work on multiple assignments at the same time. Further, many assignments are delayed due to non-availability of the right resources. This is primarily due to shortage of manpower and ineffective manpower planning and allocation of resources. We have seen certain firms performing resource allocation on Excel sheets. This is convenient but it leads to a lot of chaos, as multiple versions of the Excel sheet float around the organization. It is difficult to have effective change management of the Excel sheets because multiple people have access to make modifications. As a result, managers assign resources to some of their projects even though the engagement may not have started, while some other assignment which is in need of the right person suffers due to absence of staff. This affects profitability and client satisfaction. A resource planning and scheduling application helps management in the following ways:

• Map the employees against their skill set.
• With role based access, one or a limited number of persons may be made responsible for resource allocation. Based on the deadline of the engagements, the manager / director submits a request to the resource allocation manager, who in turn updates the request in the application and assigns resources subject to availability and as per the skill set requirement.
• Employees may be linked with the HR database. As a result, employees who have left the company cannot be allocated to assignments after their release date. Further, the application does not allow allocation of a resource beyond the expected release date of an employee who is serving the notice period.
• The application provides visibility of the time allocation of employees and their availability.
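A small allocation register implementing the checks above (allocation restricted to the resource allocation manager role, HR linkage to the release date, skill match, no double allocation and an availability count), as an added example that is not part of the ICAI material; the employee IDs, skills, engagement codes and dates are constructed.

```python
"""Toy resource allocation register (added example, not from the ICAI material).
Employee IDs, skills, engagement codes and dates below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class Employee:
    emp_id: str
    skills: set
    release_date: Optional[date] = None  # from the HR database; None = not leaving


@dataclass
class Allocation:
    engagement: str
    start: date
    end: date


class AllocationError(Exception):
    pass


class ResourceRegister:
    """Only the resource allocation manager role may allocate (role based access)."""

    def __init__(self, hr_db: Dict[str, Employee], allocator_role: str = "resource_manager"):
        self.hr_db = hr_db
        self.allocator_role = allocator_role
        self.book: Dict[str, List[Allocation]] = {e: [] for e in hr_db}

    def allocate(self, actor_role: str, emp_id: str, engagement: str,
                 start: date, end: date, required_skill: str) -> None:
        if actor_role != self.allocator_role:
            raise AllocationError("only the resource allocation manager may allocate")
        emp = self.hr_db.get(emp_id)
        if emp is None:
            raise AllocationError(f"{emp_id} not found in HR database")
        # HR linkage: no allocation beyond the expected release date
        if emp.release_date is not None and end > emp.release_date:
            raise AllocationError(f"{emp_id} is released on {emp.release_date}, allocation ends {end}")
        if required_skill not in emp.skills:
            raise AllocationError(f"{emp_id} does not have the skill {required_skill}")
        # no duplicate allocation: reject any overlap with an existing engagement
        for a in self.book[emp_id]:
            if start <= a.end and a.start <= end:
                raise AllocationError(f"{emp_id} already allocated to {a.engagement} {a.start}..{a.end}")
        self.book[emp_id].append(Allocation(engagement, start, end))

    def availability(self, emp_id: str, window_start: date, window_end: date) -> int:
        """Free days in the window, capped at the release date (the visibility report)."""
        emp = self.hr_db[emp_id]
        last = window_end if emp.release_date is None else min(window_end, emp.release_date)
        free = 0
        d = window_start
        while d <= last:
            if not any(a.start <= d <= a.end for a in self.book[emp_id]):
                free += 1
            d += timedelta(days=1)
        return free
```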

The advantage of this application is that it makes resource allocation a structured process and avoids confusion / duplicate allocation of a person against multiple assignments. Following is a sample report of the application which provides clear visibility on the allocation and availability of employees:

This application is also operational in nature but has a great impact on the profitability of the firm.

3.1.3 Financial Accounting application

The main purpose of a finance and accounts application is to help management to record various transactions like sales, purchases, expenses, revenue, accruals, assets and liabilities and to provide timely information to management for decision making. Routine transactions are recorded on a day to day basis and financial reports like the Profit and Loss account, balance sheet and Cash Flow statement are prepared as per the need of management. This application is critical from the internal management and statutory reporting point of view, as the key reports are prepared based on the output of the financial accounting application. The following diagram demonstrates the relation between the various modules of the financial application and HRMS.

[Diagram (not reproduced): Purchasing, Accounts Payable, Sales, Accounts Receivable, Cash Management, Expense Management, Fixed Assets and HRMS and Payroll modules around the General Ledger]

The key modules in any financial accounting system include the following:

(i) System Administration

This module is very critical from the security point of view as it governs the behavior of the application. The System Administrator has full privileges in the application. Setups and configuration settings performed by the system administrator have a direct impact on the behavior of the application. For example, an application may provide the flexibility whereby the creator of a journal entry can also approve it, but this depends on the configuration setting in the system administration module. If the configuration is enabled, the application allows the user creating the journal entry to approve it as well, provided the automated approval workflow of the application is used for approving journal entries. Further, user management (allocation of roles / responsibilities and access rights) is the key component of system administration and is covered in the security administration module. In addition to the functional example given above, there are a lot of setups which are critical for the successful running of the application. These setups / options are part of the system administration module and hence it is very important that access rights to the SA module are restricted to one person.

(ii) General ledger

The GL module is the centre point of the financial accounting application, as any transaction having a financial impact carried out in any other module will reflect in the GL module. This module contains some important areas like:

• Company setup,
• Chart of Accounts,
• Currency conversion rates,
• Periods,
• Period status,
• Financial calendar etc.

This module is used to record manual journal entries. Such journal entries may be input manually or through an Excel sheet upload into the application. In the case of integrated applications (ERPs), the GL module is integrated with other modules like AP, AR, FA etc., and hence transactions entered in these modules are finally posted in the GL module. There is a one way flow of entries from the AP, AR or FA module to GL; transactions do not flow from GL to the other modules. Considering the setups / options in the GL module, it is advised that persons having access to other modules should not have write access to the GL module. They may have read access to review the transactions processed and posted in the GL module. This module is critical from the financial reporting point of view, as the trial balance is generated from this module and forms the basis of the financial statements. Books of account can be maintained manually. However, an automated GL application helps management to:

• Track and retain the audit trail of the transaction
• Define common currency rates obtained from the bank which are used by all users processing transactions in the application
• Enable audit logs on certain key fields of key tables. This will help management to investigate whether any transactions were carried out by any user after the GL period closure date. For example, a user may re-open a closed period and process transactions. Such cases will be captured if the audit log is enabled. Further, the system will also record the system date alongside the transaction date.
• Enable certain security rules in the chart of accounts by which inappropriate postings cannot take place. For example, sales and marketing expenses are associated with the sales and marketing team. Hence, even if by mistake a user selects the supply chain or accounting department cost centre, the system will not allow the posting if the security rules are defined.

Please note that the above are sample functionalities of the automated application. Such controls may be difficult to implement in books of account maintained manually. Some of the key controls which can be enabled in the application are:

• Balancing of journal entries – the application can force journal entries to be balanced. In case the system allows unbalanced journal entries, a suspense account may be specified where the system will pass the entry for the difference amount. This will prevent the situation of an unbalanced trial balance.

• Journal entry workflow – journal entries may be approved either in the application or outside the application. A complete audit trail of the journal entry is retained in the case of electronic approval of journal entries. Further, the system will prevent journal entries being approved by an unauthorized person, as the journal entries will be automatically submitted to the person authorized as per the approval workflow matrix defined in the application.

• Automatic sequence number of documents – the system provides functionality where the document numbers may be auto generated or manually defined. In the case of auto numbering, the system assigns the immediately available next number.

• Auto reversal – certain types of journal entries (for example, month end provisions, accruals) need to be reversed on the first day of the next month. Such entries may be booked using a reversible journal voucher which automatically reverses the entries on the first day of the next month. This avoids the risk of non-reversal, as in the case of a manual journal there is a possibility of human error.

• Comparison with budgets – in case the budgeting functionality is being used, the system will compare the journal entry against the budget. The following are possible in such cases:
   o The system may provide a warning message but allow booking of the journal entry.
   o The system does not allow booking of the journal entry unless the journal is approved by an additional person as per management need.

• Invalid account code combinations – a chart of accounts is a combination of various segments like company code, department, cost centre, product code etc. Valid account code combinations at the segment level may be defined. With this, the system will not allow creation of invalid account code combinations.
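The GL controls above (balanced journals with an optional suspense account, the system administration setting that decides whether the creator of a journal may approve it, rejection of postings into a period that is not open, valid account code combinations, and an audit trail that records the system time next to the transaction date) in one toy posting routine, as an added example that is not part of the ICAI material; the account codes, user names and periods are constructed.

```python
"""Toy General Ledger posting routine (added example, not from the ICAI material).
Account codes, user names and periods are constructed."""
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List, Optional


@dataclass
class Line:
    account: str            # segment combination, e.g. "C1-SALES-6100"
    debit: float = 0.0
    credit: float = 0.0


@dataclass
class Journal:
    je_id: str
    created_by: str
    txn_date: date          # the user's transaction date
    lines: List[Line]
    approved_by: Optional[str] = None


class PostingError(Exception):
    pass


class GeneralLedger:
    def __init__(self, valid_combinations, period_status,
                 allow_creator_approval: bool = False, suspense_account: Optional[str] = None):
        self.valid_combinations = set(valid_combinations)    # chart of accounts security rule
        self.period_status = dict(period_status)             # "2009-01" -> "open" / "closed"
        self.allow_creator_approval = allow_creator_approval  # system administration setup
        self.suspense_account = suspense_account             # None = journals must balance
        self.posted: Dict[str, List[Line]] = {}
        self.audit_log: List[dict] = []

    def _log(self, ref: str, user: str, event: str) -> None:
        # the system date is captured independently of the transaction date
        self.audit_log.append({"ref": ref, "user": user, "event": event,
                               "system_time": datetime.now()})

    def approve(self, je: Journal, approver: str) -> None:
        if approver == je.created_by and not self.allow_creator_approval:
            self._log(je.je_id, approver, "approval rejected: creator = approver")
            raise PostingError("creator of a journal cannot approve it")
        je.approved_by = approver
        self._log(je.je_id, approver, "approved")

    def set_period(self, period: str, status: str, user: str) -> None:
        self.period_status[period] = status
        self._log(period, user, f"period {status}")   # re-opening a closed period leaves a trace

    def post(self, je: Journal, user: str) -> float:
        """Post an approved journal; returns the difference parked in suspense (0.0 if balanced)."""
        if je.approved_by is None:
            raise PostingError(f"{je.je_id} is not approved")
        period = je.txn_date.strftime("%Y-%m")
        if self.period_status.get(period) != "open":
            self._log(je.je_id, user, f"rejected: period {period} not open")
            raise PostingError(f"period {period} is not open")
        bad = [l.account for l in je.lines if l.account not in self.valid_combinations]
        if bad:
            raise PostingError(f"invalid account code combination(s): {bad}")
        diff = round(sum(l.debit for l in je.lines) - sum(l.credit for l in je.lines), 2)
        lines = list(je.lines)
        if diff != 0:
            if self.suspense_account is None:
                raise PostingError(f"{je.je_id} is unbalanced by {diff}")
            # park the difference so that the trial balance still balances
            lines.append(Line(self.suspense_account, credit=diff) if diff > 0
                         else Line(self.suspense_account, debit=-diff))
            self._log(je.je_id, user, f"difference {diff} posted to suspense")
        self.posted[je.je_id] = lines
        self._log(je.je_id, user, "posted")
        return diff

    def trial_balance(self) -> Dict[str, float]:
        """Net debit (+) / credit (-) per account; the values always sum to zero."""
        tb: Dict[str, float] = {}
        for lines in self.posted.values():
            for l in lines:
                tb[l.account] = round(tb.get(l.account, 0.0) + l.debit - l.credit, 2)
        return tb
```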

(iii) Purchasing

This application / module may not be very relevant for a CA firm, except to capture and process the purchase orders raised on others to avail the services of external consultants or to procure general / stationery items. Purchase orders are prepared in this application / module so that goods can be procured or services can be availed. This application provides the following functionalities:

• Evaluation of vendors
• Maintain profile of vendors
• Rating of vendors
• Raise Purchase Requisitions (PR) for goods or services
• Invite and analyze quotations from vendors
• Raise Purchase Orders (PO) on vendors for goods or services
• Receipt of goods or services

Goods or services may be availed without a PO. However, it is recommended to raise a PO for the purchase of each and every good or service, as the application retains a complete trail from requisition to payment. From the control perspective, the following controls can be enabled through configurations in the application:

• Price tolerance limits – this feature will compare the price of the item / service being procured against the standard cost. If the difference exceeds the tolerance limit, the system will prompt a message and such difference should be approved by an authorized person.

• Quantity tolerance – this feature will compare the quantity of the item / service being received against the PO. If the difference exceeds the tolerance limit, the system will prompt a message and such difference should be approved by an authorized person.

• Payables accrual account – as and when goods / services are received, the accrued liability is credited to this account. When the invoice is booked, the liability is created in the vendor’s account and this account is reversed. Thus, the balance in this account can be monitored to track the purchases for which invoices have not been received from vendors.

• Supplier on hold – suppliers can be put on hold if there are any issues in the quality of their service. With this, the application will prevent the raising of any further PO on such a supplier, or even payment may be stopped as required by management.

• Access to PO – access to particular types of POs carrying sensitive information may be restricted to the person creating the PO. Access to other POs which are routine in nature can be provided to general users who are required to process the purchase order.

• Approval workflow – purchase orders can be approved either manually or through the automated workflow of the application. In the case of a manual workflow, there is a risk of unauthorized approval. However, in the case of automated approval, the PO would be submitted to the authorized person for approval as per the approval workflow matrix defined in the system. Further, the system will retain the audit trail of approval with details of user ID and date and time stamp.

• Receipt of goods / services without PO – there is a risk that goods / services may be accepted without an approved PO in place. With this, the firm is liable to pay the vendor as the goods / services have been availed. This can be prevented with the help of the application, where a GRN / SRN can be made mandatory for certain types of goods / services. The system will not allow booking of a receipt for such goods / services in the absence of a PO.

• Automatic sequence number of documents – the system provides functionality where the document numbers may be auto generated or manually defined. In the case of auto numbering, the system assigns the immediately available next number.

• Duplicate vendor code – this may result in splitting of transactions, like booking of the PO / GRN in one code and the invoice in another code. The system may be configured to give a warning message to the user in case the name of a vendor is the same as / similar to other vendors existing in the system on the basis of certain parameters like their pin code, Permanent Account Number, company registration number etc.

(iv) Sales

A CA firm provides services to its clients. This application may be integrated with the Opportunities Management application to generate sales orders. This application provides the following functionalities:

• Evaluation of customer
• Maintain profile of customer
• Assign credit limits to customers
• Raise Sales Order (SO)
• Track delivery of service against SO
• Revenue recognition

From the control perspective, the following controls can be enabled through configurations in the application:

• Credit limits – this is an essential parameter while defining customers. Checking of the credit limit may be ignored in a manual system. The system may be configured to verify the credit limit before entering a further sales order or rendering service.

• Automatic sequence number of documents – the system provides functionality where the document numbers may be auto generated or manually defined. In the case of auto numbering, the system assigns the immediately available next number.

• Approval workflow – sales orders can be approved either manually or through the automated workflow of the application. In the case of a manual workflow, there is a risk of unauthorized approval. However, in the case of automated approval, the SO would be submitted to the authorized person for approval as per the approval workflow matrix defined in the system. Further, the system will retain the audit trail of approval with details of user ID and date and time stamp.

• Price lists and discounts – standard chargeable rates can be defined in the application along with the range of discounts which can be given. Any discount over and above the standard should be authorized by the designated person as per the approval matrix of the organization.

• Accuracy of invoice – there is a risk of unauthorized changes to the sales invoice in a manual system. For example, a user may allow a discount over and above the SO amount. However, in the case of the application, a control can be enabled where the system will not allow manual intervention and the sales invoice will be generated and printed as per the quantity and rates defined in the sales order.

• Duplicate customer code – this may result in splitting of transactions, like booking of the SO in one code and a debit / credit note in another code. The system may be configured to give a warning message to the user in case the name of a customer is the same as / similar to other customers existing in the system on the basis of certain parameters like their pin code, Permanent Account Number, company registration number etc.
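One duplicate-party check serving both the duplicate vendor code warning in the Purchasing module above and the duplicate customer code warning here, as an added example that is not part of the ICAI material. The matching parameters (PAN, company registration number, and name similarity at the same pin code) follow the text; the similarity threshold, the list of ignored legal-form words and the sample vendor master are constructed.

```python
"""Duplicate vendor / customer check (added example, not from the ICAI material).
The threshold, the noise-word list and the sample master records are constructed."""
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from typing import List, Optional

# legal-form words that do not distinguish one party from another (constructed list)
_NOISE = {"pvt", "private", "ltd", "limited", "llp", "co", "company", "inc", "the", "and"}


@dataclass
class Party:
    """A vendor or a customer master record; the same check applies to both."""
    code: str
    name: str
    pin_code: str
    pan: Optional[str] = None       # Permanent Account Number
    reg_no: Optional[str] = None    # company registration number


def normalize_name(name: str) -> str:
    """Lower-case, strip punctuation and drop legal-form words so that
    'Acme Stationers Pvt Ltd' and 'ACME STATIONERS LIMITED' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in _NOISE)


def duplicate_warnings(new: Party, master: List[Party], name_threshold: float = 0.85) -> List[str]:
    """Return one warning per existing party that looks like the same entity.
    An identifier clash (PAN or registration number) is reported regardless of the
    name; a name match counts only when the pin code is also the same, so that two
    branches of a chain in different cities do not raise a warning."""
    warnings = []
    new_name = normalize_name(new.name)
    for p in master:
        if new.pan and p.pan and new.pan.upper() == p.pan.upper():
            warnings.append(f"{p.code}: same PAN {p.pan}")
            continue
        if new.reg_no and p.reg_no and new.reg_no.upper() == p.reg_no.upper():
            warnings.append(f"{p.code}: same registration number {p.reg_no}")
            continue
        if new.pin_code == p.pin_code:
            ratio = SequenceMatcher(None, new_name, normalize_name(p.name)).ratio()
            if ratio >= name_threshold:
                warnings.append(f"{p.code}: similar name '{p.name}' at pin code {p.pin_code} ({ratio:.2f})")
    return warnings


# constructed vendor master for a demonstration run
VENDOR_MASTER = [
    Party("V001", "Acme Stationers Pvt Ltd", "110001", pan="AAACA1111A"),
    Party("V002", "Bright Consultants LLP", "400001", reg_no="AAB-1234"),
    Party("V003", "Acme Stationers", "560001"),
]
```

The check is run before a new vendor or customer code is saved; a non-empty result is shown to the user as the warning the text describes, and a PAN or registration number clash is the strongest signal because it survives any spelling of the name.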

(v) Accounts Payable

Once a PO has been raised and goods have been received or services have been availed, the purchase invoice received from the vendor is to be accounted for and paid. This is the sub-ledger where the total of payables as on a particular date should match the payables as per the General Ledger. In case the balance does not match, a reconciliation is prepared and the reasons for the open items are investigated. This application / module can be used for the following:

• Account purchase invoices received from vendors
• Process debit / credit notes
• Pay vendors
• Write back credit balances in vendors’ accounts

ADVANCE INFORMATION TECHNOLOGY TRAINING

239

OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE From the control perspective, following controls can be enabled through configurations in the application: 

• 2/3/4 way matching – a purchase invoice received from a vendor may be compared against the PO (2 way match), against the PO and the Goods Receipt Note (GRN) / Service Receipt Note (SRN) (3 way match), or against the PO, GRN/SRN and inspection note (4 way match). This prevents booking of a liability in excess of the goods / services received.
• Invoice tolerance – the invoice amount may be more than the PO / GRN / SRN amount for various reasons. In case of manual booking, it may be possible to by-pass the controls and book an invoice in excess of the PO amount. However, a control can be enabled through the application which requires approval of the invoice by a specified person when the invoice amount exceeds the PO amount beyond a certain limit. This is referred to as invoice tolerance. It may be defined as an absolute amount or as a percentage.
• Apply advance before payment – advance payments are made to certain vendors as per the terms of the contract / PO. However, an invoice may be paid without adjusting the advance paid. The application provides the following functionalities:
o Warning for adjustment of advance – in this case, a warning message is displayed. However, the user may prefer to ignore the warning message.
o Compulsory adjustment – the system will not allow the user to book the invoice / make payment without adjustment of the advance amount, thus preventing payment of invoices without adjustment of the advance.
• Automatic sequence number of documents – the system provides functionality where document numbers may be auto generated or manually defined. In case of auto numbering, the system assigns the immediately available next number.
• Approval workflow – Sales orders can be approved either manually or through the automated workflow of the application. In case of manual workflow, there is a risk of unauthorized approval. However, in case of automated approval, the SO would be submitted to the authorized person for approval as per the approval workflow matrix defined in the system. Further, the system will retain the audit trail of approval with details of user ID and date and time stamp.
• Pay un-approved invoices – this is possible in case invoices are accounted manually. However, the application may be configured to pay only approved purchase invoices.
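The accounts payable controls just listed, written out as an added Python example (this code is not from the ICAI material or from any ERP product): a 2 or 3 way match against the PO and GRN/SRN, a tolerance defined as the larger of an absolute amount and a percentage, routing of any excess to the approver named in an assumed approval matrix, compulsory adjustment of advances before booking, and payment of approved invoices only. The role names, tolerance values, document numbers and amounts are constructed assumptions.

```python
"""Added example (not from the ICAI material): purchase invoice controls as an
accounts payable module might implement them. Role names, tolerance values,
document numbers and amounts are constructed assumptions."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class PurchaseOrder:
    number: str
    amount: float


@dataclass
class ReceiptNote:          # GRN for goods, SRN for services
    number: str
    po_number: str
    amount: float


@dataclass
class Invoice:
    number: str
    po_number: str
    amount: float
    advance_adjusted: float = 0.0   # advance already set off against this invoice
    status: str = "NEW"             # NEW | PENDING_APPROVAL | APPROVED | REJECTED | PAID
    required_approver: Optional[str] = None
    approved_by: Optional[str] = None


# Assumed tolerance configuration: the larger of the two limits applies.
TOLERANCE_ABS = 500.0      # absolute amount
TOLERANCE_PCT = 2.0        # percentage of the matched reference amount
# Assumed approval matrix: excess up to the limit -> role that must approve it.
APPROVAL_MATRIX = [(5_000.0, "Manager"), (50_000.0, "Partner"), (float("inf"), "Managing Partner")]


def tolerance_limit(reference: float) -> float:
    return max(TOLERANCE_ABS, reference * TOLERANCE_PCT / 100.0)


def approver_for(excess: float) -> str:
    for limit, role in APPROVAL_MATRIX:
        if excess <= limit:
            return role
    return APPROVAL_MATRIX[-1][1]


def match_reference(inv: Invoice, po: PurchaseOrder, receipts: List[ReceiptNote], ways: int):
    """Return (reference amount, error). A 2 way match compares with the PO only; a
    3 way match also caps the reference at the value actually received against the
    PO, so a liability cannot be booked for more than was received."""
    if inv.po_number != po.number:
        return None, "invoice is not linked to the PO"
    reference = po.amount
    if ways >= 3:
        received = sum(r.amount for r in receipts if r.po_number == po.number)
        if received <= 0:
            return None, "no GRN/SRN recorded against the PO"
        reference = min(reference, received)
    return reference, ""


def book_invoice(inv: Invoice, po: PurchaseOrder, receipts: List[ReceiptNote],
                 advance_outstanding: float, ways: int = 3) -> str:
    """Apply the controls in order, set the invoice status and return it."""
    reference, error = match_reference(inv, po, receipts, ways)
    if error:
        inv.status = "REJECTED"
        return inv.status
    # Compulsory adjustment: the outstanding advance must be set off before booking.
    must_adjust = min(advance_outstanding, inv.amount)
    if inv.advance_adjusted < must_adjust:
        inv.status = "REJECTED"
        return inv.status
    excess = inv.amount - reference
    if excess > tolerance_limit(reference):
        inv.status = "PENDING_APPROVAL"
        inv.required_approver = approver_for(excess)
    else:
        inv.status = "APPROVED"          # within tolerance: no manual approval needed
    return inv.status


def approve_invoice(inv: Invoice, user_role: str) -> bool:
    """Only the role named by the approval matrix can approve the excess."""
    if inv.status == "PENDING_APPROVAL" and user_role == inv.required_approver:
        inv.status, inv.approved_by = "APPROVED", user_role
        return True
    return False


def pay_invoice(inv: Invoice) -> bool:
    """Pay only approved invoices."""
    if inv.status != "APPROVED":
        return False
    inv.status = "PAID"
    return True
```

In a real module the approval matrix, tolerance and the user's role would come from configuration and the login session rather than constants; the point of the ordering is that the match and advance checks run before tolerance, so an invoice that fails matching is never offered to an approver at all.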

(vi) Accounts Receivable

Once the services have been rendered to clients and invoices raised, this module can be used for the following:
• Process debit / credit notes
• Account for collection from clients
• Write-off of debit balance in customer's account

This is the sub-ledger where the total of receivables as on a particular date should match with receivables as per the General Ledger. In case the balance does not match, a reconciliation is prepared and the reasons for the open items are investigated.

From the control perspective, the following controls can be enabled through configurations in the application:
• Write-off of debit balance in customer account – this should be done as per the approval matrix in place, but it may be by-passed in case of manual processing. The application may be configured to submit the write-off request to specified persons as per the approval matrix, depending upon the amount of the write-off. Further, the audit trail of the approval will be retained in the application.
• Automatic sequence number of documents – the system provides functionality where document numbers may be auto generated or manually defined. In case of auto numbering, the system assigns the immediately available next number.
• Customer on hold – in case of delay / default in payment, the customer may be put on hold. This will prevent entering a further sales order for the same customer or rendering service against an existing sales order.
• Approval of credit note – the application may be configured to submit the credit note for approval to a designated person depending upon the amount, as per the approval matrix. Further, the audit trail of the approval will be retained in the application.

(vii) Fixed Assets

This application may not be very relevant for CAs, as their offices do not have many fixed assets. However, each and every consultant is provided with a laptop, BlackBerry etc. These items may be assets of the organization and hence may be recorded and tracked with the application. This is the sub-ledger where the total of fixed assets as per the Fixed Assets module as on a particular date should match with FA as per the General Ledger. In case the balance does not match, a reconciliation is prepared and the reasons for the open items are investigated. This application provides the following functionalities:
• Recording of fixed assets
• Asset transactions like purchase, sale, write-off etc.
• Depreciation (both as per Companies Act and Income Tax Act)
• Generate Fixed Assets Register (FAR)
• Parent child relation of the assets

From the control perspective, the following controls can be enabled through configurations in the application:
• Master record of Fixed Assets – there are certain details of fixed assets which should not be altered once the asset has been capitalized, for example purchase cost, asset specifications, installation date, put to use date etc. Any such change will impact the depreciation and the profit / loss on sale / write-off at a later date. Such fields are made non-editable once the asset record has been saved and the asset capitalized.
• Depreciation – this is the normal wear and tear of the asset, which is charged to the profit and loss account on a periodic basis. Depreciation depends on the cost of the asset, the depreciation method and the rate of depreciation. Any unauthorized change in the depreciation method or rate will change the amount of depreciation and lead to misleading financial reporting. Such fields are made non-editable once the asset record has been saved and the asset capitalized. Further, once depreciation has been calculated for a period, the system will not calculate depreciation for the same period again.
• Approval for write-off – this should be done as per the approval matrix in place, but it may be bypassed in case of manual processing. The application may be configured to submit the write-off request to specified persons as per the approval matrix, depending upon the amount of the write-off. Further, the audit trail of the approval will be retained in the application.
• Automatic sequence number of documents – the system provides functionality where document numbers may be auto generated or manually defined. In case of auto numbering, the system assigns the immediately available next number.
• Tracking of assets lying with employees – assets are linked with the employee code or location. This helps the organization to track the assets lying at a particular office / location or with employees.

(viii) Bank Reconciliations

A Bank Reconciliation Statement (BRS) is prepared to reconcile the balance as per the cash book and as per the bank statement. It is prepared as on a particular date, and there are differences between the balance as per the cash book and the bank statement due to timing differences. Considering the size and number of transactions, it is difficult to prepare the BRS manually. Hence, the application provides the functionality to prepare the BRS automatically. However, the application only highlights the open or reconciling items separately; management has to designate a person to verify such open items and prepare the BRS. For this, the bank transactions file is obtained from the bank in a pre-defined format and the records as per the books of account (cash book) in the financial accounting application are matched using a unique key. Transactions which match in both the cash book and the bank statement are cleared. The remaining transactions appear as open transactions in the Bank Reconciliation Statement. This automated method of bank reconciliation saves a lot of manual effort, as there are multiple banks and it is time consuming to prepare bank reconciliation statements manually.
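The matching step described above, as an added Python example that is not part of the ICAI material or of any accounting product: cash book entries and bank statement lines are matched on a unique key (assumed here to be the cheque / reference number together with the amount), matched items are cleared, the rest are reported as open items on either side, and the book balance adjusted for the open items is compared with the bank balance. The transactions are constructed sample data.

```python
"""Added example (not from the ICAI material): automated bank reconciliation.
The match key (reference + amount) and all transactions are constructed."""
from collections import defaultdict

# Constructed cash book (books of account) and bank statement for one month.
CASH_BOOK = [
    {"ref": "CHQ1001", "date": "2009-01-05", "amount": -12000.00, "narration": "Rent"},
    {"ref": "CHQ1002", "date": "2009-01-08", "amount": -3500.00, "narration": "Stationery"},
    {"ref": "DEP2001", "date": "2009-01-10", "amount": 50000.00, "narration": "Client collection"},
    {"ref": "CHQ1003", "date": "2009-01-28", "amount": -8000.00, "narration": "Travel"},  # not yet presented
]
BANK_STATEMENT = [
    {"ref": "CHQ1001", "date": "2009-01-07", "amount": -12000.00},
    {"ref": "CHQ1002", "date": "2009-01-09", "amount": -3500.00},
    {"ref": "DEP2001", "date": "2009-01-10", "amount": 50000.00},
    {"ref": "BANKCHG", "date": "2009-01-31", "amount": -250.00},   # charges not yet in books
]


def match_key(line):
    """Unique key: reference plus the amount in paise, so a cheque presented for a
    different amount than booked becomes an open item instead of a false match."""
    return (line["ref"], round(line["amount"] * 100))


def reconcile(cash_book, bank_statement):
    """Clear items present on both sides; return the open items of each side."""
    bank_index = defaultdict(list)
    for line in bank_statement:
        bank_index[match_key(line)].append(line)
    cleared, open_in_books = [], []
    for entry in cash_book:
        bucket = bank_index.get(match_key(entry))
        if bucket:
            cleared.append((entry, bucket.pop(0)))   # one book entry clears one bank line
        else:
            open_in_books.append(entry)             # in books, not yet in bank
    open_in_bank = [line for bucket in bank_index.values() for line in bucket]  # in bank, not in books
    return {"cleared": cleared, "open_in_books": open_in_books, "open_in_bank": open_in_bank}


def reconciled_balance(cash_book, bank_statement):
    """Book balance adjusted for open items should equal the bank balance; the
    designated person still reviews each open item before signing the BRS."""
    result = reconcile(cash_book, bank_statement)
    book_balance = sum(e["amount"] for e in cash_book)
    bank_balance = sum(l["amount"] for l in bank_statement)
    adjusted = (book_balance
                - sum(e["amount"] for e in result["open_in_books"])
                + sum(l["amount"] for l in result["open_in_bank"]))
    return round(adjusted, 2), round(bank_balance, 2)
```

The key deliberately includes the amount: matching on reference alone would silently clear a cheque that the bank paid for a different figure, which is exactly the kind of item the reviewer needs to see.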

(ix) Expense Management

This is a critical area for a professional firm. Expenses are incurred by employees while performing services. Such expenses may be chargeable to the client as per the agreement with the client. Chargeable expenses are to be billed to the client and non-chargeable expenses are to be charged to the profit and loss account. The iExpense module available in most ERPs covers the entire lifecycle of expense claims from submission to final payment, including the following:
• Eligibility of expense limits – category-wise
• Submit expense statements
• Electronic approval of expense statements as per approval matrix
• Storing digital form of the documentary evidences
• Triggers / alerts for timely payment
• Updating of project cost
• Auto billing to client

From the control perspective, the following controls can be enabled through configurations in the application:
• Approval workflow – Sales orders can be approved either manually or through the automated workflow of the application. In case of manual workflow, there is a risk of unauthorized approval. However, in case of automated approval, the SO would be submitted to the authorized person for approval as per the approval workflow matrix defined in the system. Further, the system will retain the audit trail of approval with details of user ID and date and time stamp.
• Avoid duplication – once expense statements are approved, they update the project cost. A duplicate expense statement, submitted more than once, may be identified on review of the project cost in the application.
• Avoid expense approval exceeding the eligible limit – the eligible expense limit (for example, rate per kilometre in case of conveyance, rate per day in case of hotel etc.) can be configured in the application. The system would automatically calculate the eligible amount for the employee. In case the employee has incurred an excess amount, the same would need to be approved by an authorized person as per the approval matrix of the firm.
• Billing of expenses as per contract with client – expenses can be flagged as billable or non-billable. The system will automatically determine the billable expenses. In case of any error in submitting expenses, the responsibility lies with the approver to correct the error.
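The expense controls just listed, as an added Python example that is not from the ICAI material or from any ERP: a per-category eligibility limit, routing of the excess to an approver from an assumed approval matrix, billable / non-billable totals for client billing, and rejection of a line that has already been posted to project cost. The rates, the matrix and the claims are constructed.

```python
"""Added example (not from the ICAI material): expense statement controls.
Category rates, the approval matrix, employee and project codes are assumed."""

# Assumed eligibility configuration: category -> (rate, unit of measure)
LIMITS = {"conveyance": (8.0, "km"), "hotel": (3000.0, "day"), "meals": (500.0, "day")}
# Assumed approval matrix: excess up to the limit -> approver role
APPROVAL_MATRIX = [(1000.0, "Manager"), (float("inf"), "Partner")]


def eligible_amount(category, quantity):
    rate, _unit = LIMITS[category]
    return rate * quantity


def evaluate_line(line):
    """The system calculates the eligible amount; anything claimed above it is an
    excess that must be approved by the role given in the matrix."""
    eligible = eligible_amount(line["category"], line["quantity"])
    excess = max(0.0, line["claimed"] - eligible)
    approver = None
    if excess > 0:
        approver = next(role for limit, role in APPROVAL_MATRIX if excess <= limit)
    return {"eligible": eligible, "excess": excess, "approver": approver}


def line_key(statement, line):
    """A line is a duplicate when the same employee claims the same category,
    date and amount on the same project again."""
    return (statement["employee"], statement["project"], line["date"], line["category"], line["claimed"])


def process_statement(statement, posted_statements):
    """Split a new statement into duplicates, lines needing approval, and the
    billable / non-billable totals that flow to client billing and P&L."""
    already_posted = {line_key(s, l) for s in posted_statements for l in s["lines"]}
    result = {"duplicates": [], "needs_approval": [], "billable": 0.0, "non_billable": 0.0}
    for line in statement["lines"]:
        if line_key(statement, line) in already_posted:
            result["duplicates"].append(line)
            continue
        verdict = evaluate_line(line)
        if verdict["approver"]:
            result["needs_approval"].append((line, verdict["approver"]))
        bucket = "billable" if line["billable"] else "non_billable"
        result[bucket] += line["claimed"]
    return result


# Constructed sample: one statement already posted to project cost, and a new one
# that resubmits its conveyance line and overshoots the hotel limit.
POSTED = [{"employee": "E0001", "project": "AUD-2009-01", "lines": [
    {"date": "2009-01-12", "category": "conveyance", "quantity": 120, "claimed": 960.0, "billable": True}]}]
NEW = {"employee": "E0001", "project": "AUD-2009-01", "lines": [
    {"date": "2009-01-12", "category": "conveyance", "quantity": 120, "claimed": 960.0, "billable": True},
    {"date": "2009-01-13", "category": "hotel", "quantity": 2, "claimed": 8000.0, "billable": True},
    {"date": "2009-01-13", "category": "meals", "quantity": 1, "claimed": 400.0, "billable": False}]}
```

Duplicate detection here runs at submission, before the project cost is updated, which is earlier than the after-the-fact review of project cost the text describes; both are useful, the first as a preventive control and the second as a detective one.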

3.1.4 HR and Payroll applications

The HR application covers the entire lifecycle from identification of human resource need to retirement, including the following:
• Capture need for human resources and track open positions
• Manage HR records
o Create employee master records
• Recruitment
o Manage job vacancies
o Track applicants
o Manage interviews
o Manage offers
• Training and induction
• HR administration including the following:
o HR policies
o Email notifications to employees
• Self service functions
• Leave management including the following:
o Leave calendar
o Submission and approval of leave as per approval matrix
o Updation of leave balance
• Time and attendance management
o Capture daily attendance
o Where online attendance is not available, submission and approval of timesheet as per approval matrix
o Updation of project cost sheet for time spent by employees
• Appraisal and performance management
o Define Key Performance Indicators (KPIs)
o Notifications for timely completion of appraisals
o Manage promotions, increments etc.
• Benefits management
• Payroll

Let us discuss the key HR applications / modules in detail.

(a) HR Management System

This is the basic information about the employee which is utilized by all other modules in the HR application. It acts as the central database of employees. As the information is in one place and utilized by other modules, it eliminates duplication errors and reduces redundancy. The data captured in the employee master includes the following:
• Personal details
• Contact details including emergency contact details
• Details of dependents
• Salary structure
• Employee designation and reporting structure
• Qualification
• Training needs
• Bank account details for crediting salary

From the control perspective, the following controls can be enabled through configurations in the application:
• Avoid duplicate employees in database – the system may be configured to give a warning message to the user in case the name of the employee is the same as / similar to another employee existing in the system, on the basis of certain parameters like PIN code, Permanent Account Number etc.
• Automatic sequence number of documents – the system provides functionality where employee numbers may be auto generated or manually defined. In case of auto numbering, the system assigns the immediately available next number.
• Access rights – the employee record is very sensitive and hence access rights can be assigned for creating, modifying, deleting or viewing employee records.
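An added Python example for the first two controls above (duplicate employee warning and auto-numbering); it is not from the ICAI material or from any HR product. The similarity threshold, the PIN code / PAN comparison, the employee ID format and the records are constructed assumptions.

```python
"""Added example (not from the ICAI material): employee master controls --
a warning when a new record has the same PAN, or a similar name at the same PIN
code, as an existing employee; and auto-numbering of employee IDs.
Threshold, ID format and all records are constructed assumptions."""
import re
from difflib import SequenceMatcher

HONORIFICS = {"mr", "mrs", "ms", "dr", "shri", "smt"}

# Constructed existing employee master records.
EXISTING = [
    {"id": "E0001", "name": "Rahul Sharma", "pan": "ABCPS1234K", "pin": "110001"},
    {"id": "E0002", "name": "Priya Mehta", "pan": "ABCPM9876L", "pin": "400001"},
]


def normalize_name(name):
    """Lower-case, drop punctuation and honorifics, collapse whitespace, so that
    'Mr. Rahul Sharma' and 'rahul sharma' compare equal."""
    tokens = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(t for t in tokens if t not in HONORIFICS)


def name_similarity(a, b):
    """0.0 .. 1.0 ratio of the normalized names (difflib's gestalt matching)."""
    return SequenceMatcher(None, normalize_name(a), normalize_name(b)).ratio()


def duplicate_warnings(candidate, existing, threshold=0.85):
    """Return [(existing id, reason)] that the user must review before saving.
    Same PAN is a hard match; a similar name counts only at the same PIN code."""
    warnings = []
    cand_pan = (candidate.get("pan") or "").upper()
    for emp in existing:
        if cand_pan and cand_pan == (emp.get("pan") or "").upper():
            warnings.append((emp["id"], "PAN already registered"))
            continue
        sim = name_similarity(candidate["name"], emp["name"])
        if sim >= threshold and candidate.get("pin") == emp.get("pin"):
            warnings.append((emp["id"], f"similar name ({sim:.2f}) at the same PIN code"))
    return warnings


def next_employee_number(existing, prefix="E", width=4):
    """Auto numbering: the immediately available next number after the highest issued."""
    used = [int(e["id"][len(prefix):]) for e in existing if e["id"].startswith(prefix)]
    return f"{prefix}{max(used, default=0) + 1:0{width}d}"
```

The warning is advisory, as the text describes; a firm that wants a preventive control can treat the PAN match as blocking and leave only the name similarity as a warning the user may override (with the override itself logged).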

(b) Recruitment

This is the process of hiring employees as per management need and the skill set required. It covers the various stages from identifying the need for an employee to making an offer to the employee, including the following:
• Capture skill set and number of employees needed
• Identify potential candidates
• Schedule interviews
• Record interview results
• Shortlist interviews
• Selection and offer

(c) Timesheet system

Timesheets are important for any organization in the service industry. Timesheets help management to capture and track the time spent by their resources on various projects. Timesheets are critical especially for resources who are provided to clients on a time and material basis, while in case of fixed fee contracts, timesheets help management to analyze the profitability of the project. Further, timesheets are crucial for service rendering organizations to ensure that the payroll is accurate. An incorrect or unauthorized timesheet would lead to payroll errors. This could lead to employee dissatisfaction, or money could be wasted on overpaying certain people (as in such cases, the employee may not revert to management about the excess payment). Further, since a timesheet is a written record of the time spent by employees, it avoids disputes between management and employees, especially in cases where employees are entitled to overtime. The timesheet application provides the following features / functionalities:
• Capture attendance with accurate time details
• Timesheet submission and approval
• Updation of project cost based on time spent by employees on various projects

From the control perspective, the following controls can be enabled through configurations in the application:
• Error free capture of time details – timesheets may be recorded in Excel sheets with pre-formatted fields, but this may be prone to human errors. An automated time punching system captures the in and out time of employees. Time details of employees cannot be altered or modified by unauthorized users.
• Approval workflow – in case of manual time sheets, the evidence of approval of time sheets would be available in the form of paper approvals, email approvals etc. A well organized timesheet system has the capability to record the time with the related approvals (with date and time stamp of the person approving the time). Such a documented record helps to avoid disputes with employees in cases where the employee is entitled to overtime.

(d) Performance Management System (PMS)

Today, the role of HR has undergone a sea change. HR plays a critical role in facilitating and improving the performance of employees by building a conducive work environment and providing maximum opportunities to employees to participate in the organizational planning and decision making process. The following features / functionalities are provided by a PMS:
• Capture the Key Performance Indicators – employee appraisals are very important in today's environment of cut throat competition, as variable pay, bonus and increments are based on the performance of the last year. The PMS supports and formalizes the process by recording the expectations set and agreed with employees at the beginning of the year on various parameters as per company HR policy, and provides a platform for employees to perform performance appraisals. The appraisals are performed by supervisors, managers etc. as per the agreed frequency. The appraisal results are maintained in the PMS application, which helps management to identify the performance of various employees, their training needs etc.
• Automated alerts for pending appraisals – email alerts are sent to the appraiser and appraisee for pending appraisals.
• Prepare summary or bell curve analysis of all employees – once all the appraisals are completed, a detailed analysis can be made with the help of reports. These reports indicate the number of employees with each applicable rating. Corrections to appraisals or additional points can be provided after analyzing the appraisal results.

From the control perspective, the following controls can be enabled through configurations in the application:
• Transparent appraisal process – appraisals are performed online, where the expected KPIs and actual performance are documented clearly. The PMS automatically calculates the overall score of the employee based on the weightage given to the individual parameters defined in the PMS. This helps to build employee morale and confidence in the appraisal process.
• Changes not possible to concluded appraisals – once the appraisals have been concluded with the concurrence of the appraiser, appraisee and reviewer, the system can be configured to freeze the appraisal so that no changes can be made later on.

(e) Payroll

Payroll is a periodic process and involves payroll administration and payroll accounting. The payroll system provides the following features:
• The payroll application automates the calculation of salary, taking inputs from the timesheet application, leave from the Leave Management System and salary details from the HR master data.
• The payroll system deducts taxes as per the applicable rates. Other deductions like contribution to Provident Fund, Pension Fund etc. are indicated in the employee master.
• Once the salary is calculated, salary pay slips are generated which are available to employees; the salary is remitted and accounted for by the accounts department.
• Generate various reports on payroll.

From the control perspective, the following controls can be enabled through configurations in the application:
• Access rights – employee payroll information is very sensitive and hence access rights can be assigned in such a way that an employee can see only his own details, not those of others. Further, access rights to process payroll can be assigned to a limited number of people.
• Accuracy of payroll calculation – manual calculation of payroll is time consuming and prone to human error. The payroll application helps in the accuracy of payroll calculation.
• Calculation of payroll only for eligible employees – the application can be configured in such a way that salary is processed only for employees who are not end dated in the system and who have an assignment in the employee master.

(f) Leave Management System

Leave is one of the factors determining the attendance and hence the payroll of employees. Hence, it is critical to maintain a proper record of the leave available to employees and the leave availed by them. Various types of leave (like sick leave, casual leave, maternity leave etc.) are credited to employees as per the leave policy of the company. This application captures the following:
• Leave calendar with details of optional leaves
• Leave accrual as per leave policy
• Advance leave rules
• Leave carry forward rules
• Leave balance

From the control perspective, the following controls can be enabled through configurations in the application:
• Reduce administrative burden on HR – this is an operational control but brings efficiency into the process, as employees punch in their own leave requests, which are approved by their supervisors. This leads to reduced paper work and minimal involvement of HR.
• Approval workflow – in case of manual workflow, there is a risk of unauthorized approval of an employee request. However, in case of automated approval, the employee request would be submitted to the authorized person for approval as per the approval workflow matrix defined in the system. Further, the system will retain the audit trail of approval with details of user ID and date and time stamp.
• Excess leave – employees cannot avail leave in excess of their balance. If they do, their leave balance would go negative and this would be treated as leave without pay. This will affect the payroll of the employee.
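An added Python example, not from the ICAI material or from any payroll product, showing how the excess leave control above feeds payroll together with the payroll controls listed under (e): leave beyond the balance becomes leave without pay, salary is processed only for employees who are not end dated and have an assignment, deductions come from the employee master, and a pay slip is visible only to its own employee or to payroll staff. All rates, dates and records are constructed assumptions, not statutory values.

```python
"""Added example (not from the ICAI material): leave without pay flowing into a
monthly payroll run with eligibility and access checks. Rates, dates and
employee records are constructed, not statutory."""

# Constructed employee master. Dates are ISO strings (YYYY-MM-DD), which compare
# correctly as text. E0002 has left; E0003 exists but has no assignment yet.
EMPLOYEES = {
    "E0001": {"end_date": None, "assignment": {"gross": 30000.0, "pf_rate": 0.12, "tax_rate": 0.10}},
    "E0002": {"end_date": "2008-12-31", "assignment": {"gross": 45000.0, "pf_rate": 0.12, "tax_rate": 0.20}},
    "E0003": {"end_date": None, "assignment": None},
}


def is_payroll_eligible(emp, period_start):
    """Salary is processed only for employees not end dated before the period
    starts and for whom an assignment exists in the employee master."""
    end = emp["end_date"]
    if end is not None and end < period_start:
        return False
    return emp["assignment"] is not None


def avail_leave(balances, emp_id, leave_type, days):
    """Deduct leave taken. Days not covered by the balance are returned as leave
    without pay (LWP) and the balance goes negative, as the module describes."""
    current = balances[emp_id][leave_type]
    lwp = max(0.0, days - max(0.0, current))
    balances[emp_id][leave_type] = current - days
    return lwp


def compute_salary(emp, working_days, lwp_days):
    """Pro-rate gross for LWP days; deduction rates come from the employee master."""
    a = emp["assignment"]
    gross = a["gross"] * (working_days - lwp_days) / working_days
    pf = round(gross * a["pf_rate"], 2)
    tax = round(gross * a["tax_rate"], 2)
    return {"gross": round(gross, 2), "pf": pf, "tax": tax, "net": round(gross - pf - tax, 2)}


def run_payroll(employees, lwp_by_employee, period_start, working_days):
    """Produce pay slips for eligible employees only."""
    slips = {}
    for emp_id, emp in employees.items():
        if is_payroll_eligible(emp, period_start):
            slips[emp_id] = compute_salary(emp, working_days, lwp_by_employee.get(emp_id, 0.0))
    return slips


def can_view_payslip(user_id, roles, emp_id):
    """Self service access rule: an employee sees only his own slip; users with
    the (assumed) 'payroll' role see all."""
    return user_id == emp_id or "payroll" in roles
```

The eligibility check is evaluated per run rather than stored on the record, so an employee end dated after the last run drops out automatically; that is the control the text describes, applied without anyone having to remember to remove the record.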

(g) Self Service

Many of the administrative tasks are automated with the help of this module. Some of such tasks are:
• Submission of leave as per leave policy
• Approval of leave as per approval matrix
• Submission of leave and approval as per approval matrix
• Update personal information
• Update tax investments to be made at the beginning of the year
• View salary slips, leave balance

From the control perspective, the following controls can be enabled through configurations in the application:
• Access rights – the employee record is very sensitive and hence access rights can be assigned in such a way that an employee can see only his own details, not those of others.
• Reduce administrative burden on HR – this is an operational control but brings efficiency into the process, as employees punch in their own requests, which are approved by their supervisors. This leads to reduced paper work and minimal involvement of HR.
• Approval workflow – in case of manual workflow, there is a risk of unauthorized approval of an employee request. However, in case of automated approval, the employee request would be submitted to the authorized person for approval as per the approval workflow matrix defined in the system. Further, the system will retain the audit trail of approval with details of user ID and date and time stamp.

(h) Benefits administration

This system helps management to administer and track the various benefits to which employees are entitled, like insurance, pension plan, mediclaim etc.

3.1.5 Document Management System

There are two types of data which are available in a CA office:
• Client data / documents
• Own data / documents

Let us understand these in detail.

Client data / documents

These are the data / documents which the CA has gathered during the course of an engagement. Following are some of the key documents / information obtained during the course of the engagement:

Permanent Audit File

Following are some of the key data documented in the Permanent Audit File, which are obtained once but updated on a yearly basis:
• Copies of clients' incorporation documents like Memorandum of Association (MoA), Articles of Association (AoA) etc.
• Organization chart
• Client's accounting manual
• Chart of Accounts – broad categories, COA numbering logic etc.
• Copies of important contracts or long term lease agreements
• Internal control documentation
• List of books of accounts maintained and their location

Current Audit File

Following are some of the key documents prepared / obtained during the course of the engagement which pertain to the current year audit:
• Audit plan detailing the tasks and related timelines
• Work programs / standard audit procedures
• Key risk areas and audit approach
• Copies of documentary evidence in support of the audit procedures performed, like approval for certain critical journal entries, calculation of directors' remuneration, excise records etc.
• Trial balance, financial statements and schedules with notes to accounts
• Bank Reconciliation Statements
• Copies of balance confirmations with debtors, creditors etc.
• Stock valuation details
• Critical journal entries booked
• Critical issues and their disposal

Own data / documents

This would include the following:
• Contact details of the client
• Client Acceptance Questionnaire
• Engagement Acceptance Questionnaire
• Engagement letters with clients
• Business Analysis Framework

The above said documents may be maintained in hard or soft copy. In hard copy documents, it is possible to make certain back dated changes after the finalization of accounts and issuance of the opinion on the financial statements. It may be very difficult to establish whether the documentary evidence was gathered and documented during the course of the audit or after the issuance of the opinion on the financial statements. Further, it is difficult to retain hard copy files over a period of time, as they consume considerable space depending on the size of the documents. In addition, as and when new copies or documents are inserted in the file, these need to be cross referred manually in the working paper file, which is onerous and prone to errors. Considering these, nowadays organizations prefer to retain documentary evidence in soft copy, like email trail approvals, scanned copies of documents, MS Word / Excel for various calculations etc. The Document Management System also offers additional features, which are as follows:
• Role based access can be provided. With this, only authorized team members will be able to update the data in the application.
• The application captures the complete audit trail with details of user ID and date and time stamp for creation / modification of the data.
• The file can be archived after issuing the opinion on the financial statements. With this, the engagement team will not be able to make any modifications or changes to any of the working papers after the archival date. They can only view the working papers.
• It is easy, convenient and cost effective to maintain documents in soft copy as against hard copy.
• In case the engagement teams are working from multiple locations, they can view the audit plan, work programs, progress of the audit, documents gathered and critical observations online. Further, teams can also update the documentation from any other remote location.
• In case of Internal Audit engagements, the application provides functionality to document the work program, steps performed and exceptions noted during the audit. The application has the functionality to produce the audit report as per the layout defined in the application.

This is an operational application but provides a lot of convenience and saves a lot of documentation time for the team.
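The first three features above (role based access, audit trail, archival freeze) as an added Python example; it is not code from the ICAI material or from any DMS product. The role names, user IDs, engagement code and the fixed clock are constructed assumptions.

```python
"""Added example (not from the ICAI material): a working paper file with role
based access, an append-only audit trail (user ID, date/time stamp, action) and
archival after which every working paper is read-only. Roles, users and the
fixed clock are constructed assumptions."""
from datetime import datetime, timezone


class AccessDenied(Exception):
    """Raised when the user lacks the role for an action or the file is archived."""


def demo_clock():
    # Constructed fixed timestamp so the audit trail in this example is reproducible.
    return datetime(2009, 1, 31, 10, 0, tzinfo=timezone.utc)


class WorkingPaperFile:
    EDIT_ROLES = {"associate", "manager", "partner"}    # assumed role names
    VIEW_ROLES = EDIT_ROLES | {"reviewer"}
    ARCHIVE_ROLES = {"partner"}

    def __init__(self, engagement, team, clock=None):
        self.engagement = engagement
        self.team = dict(team)              # user id -> role on this engagement
        self.documents = {}                 # doc id -> content
        self.audit_trail = []               # append-only; never edited by the API
        self.archived_at = None
        self._clock = clock or (lambda: datetime.now(timezone.utc))

    def _log(self, user, action, doc_id=None):
        self.audit_trail.append({"user": user, "timestamp": self._clock().isoformat(),
                                 "action": action, "doc": doc_id})

    def _require(self, user, roles):
        """Role check; denied attempts are logged too, which is what a reviewer
        of the trail wants to see."""
        if self.team.get(user) not in roles:
            self._log(user, "DENIED")
            raise AccessDenied(f"{user} may not perform this action on {self.engagement}")

    def update(self, user, doc_id, content):
        self._require(user, self.EDIT_ROLES)
        if self.archived_at is not None:
            self._log(user, "DENIED_ARCHIVED", doc_id)
            raise AccessDenied("file is archived; working papers are read-only")
        action = "MODIFY" if doc_id in self.documents else "CREATE"
        self.documents[doc_id] = content
        self._log(user, action, doc_id)

    def view(self, user, doc_id):
        self._require(user, self.VIEW_ROLES)
        self._log(user, "VIEW", doc_id)
        return self.documents[doc_id]

    def archive(self, user):
        """After the opinion is issued: freezes the file for everyone, including partners."""
        self._require(user, self.ARCHIVE_ROLES)
        self.archived_at = self._clock()
        self._log(user, "ARCHIVE")
```

The archival check is enforced inside the object rather than by the user interface, so a remote team member with an editing role still cannot back date a change once the file is frozen; the timestamp comes from the server's clock, never from the client.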

3.1.6 Knowledge Management (KM)

Training the staff is one of the key requirements of professional firms. Further, this is not a one time exercise; it is ongoing. There are two types of training:
• Classroom training – in this type of training, the trainer has some training material on his laptop. This is normally a presentation based training where the trainer displays the presentation and explains it. He might take the help of the network to log in to some application and explain its features.
• E-learning – in this type of training, the user logs on to the training server with a user ID and password. Access to such trainings is restricted. The user is supposed to read the contents of the training in a sequential manner. This training may not be undertaken in one go; the user may log in again and again. At the end of the training, there are some multiple choice questions. In some cases, the trainee is supposed to appear for an examination / test at the end of the training.

In addition to training, there are various articles, presentations, proposals and past reports which may be kept at one common place. Employees may log on to the KM server and search for the relevant document. Considering this, the functions and features offered by the KM application are:
• Ability to upload documents
• Categorization of documents according to content
• Search facility as per the need of employees. The system would display only those documents for which the user has read authorization.
• Personalize the user interface according to user choice

From the control perspective, the following controls can be enabled through configurations in the application:
• Access rights – training material and other documents posted on the KM application are proprietary information of the organization. Hence, the confidentiality of the information needs to be maintained. Considering this, access may be provided on a need to know and need to do basis.
• Data in 'read' format – the user should not be able to modify the data. Hence, the application can be configured to present the data in read only format.
• Audit trail – organizations need details of the exam / test taken by the user and the result. The system keeps a complete audit trail with the number of attempts and the final outcome of the test.

3.2 Hardware / infrastructure

After having discussed the software / applications used in a CA firm, let us now understand the hardware / equipment / infrastructure where the software / applications are stored. These are:

3.2.1 Personal computers (PC) / Laptops

Laptops (also called notebooks) are light weight computers and are widely used by employees, especially in professional firms. It is very convenient to exchange files with the help of a pen drive / external hard disk, and the internet is also easily accessible with the help of data cards. Laptops can store a huge amount of data and can be easily carried by employees wherever they go. PCs are kept in the office, primarily being used by back office staff. Further, PCs are used by junior staff who have not been provided with a laptop while at work. PCs / laptops in professional firms contain a lot of data / information obtained by the engagement team while at client work.

3.2.2 Application server

An application server is a server designed for running specific applications. A small application may consume less space, while a bigger application may consume the entire RAM and ROM of the server. The application server may run certain kinds of applications like MS Office or desktop publishing, where users access the programs by logging in to the application server. An application server provides a runtime that supports effective deployment and management of high-performance server-based business applications. These applications are able to service requests from remote client systems. With this, information travels back and forth between the application server and the client. Generally, the application is installed on the application server and users access it through a client.

3.2.3 Email server

This server allows people to send mails to others on the internet and also receive mails from other mail servers. The advantage is that mails can be sent to or received from others in any part of the globe in a few seconds. Organizations can use standard email programs like Lotus Notes, Microsoft Exchange etc. or use any of the email servers in the public domain. It is advisable to use a standard email program rather than an email server in the public domain.

Local Area Network (LAN)
(Source: Background Material – Information Systems Audit, Volume I)

A LAN is a network that is limited in size and generally situated within a single building or office. A LAN is useful in sharing IT resources like applications, printers, files etc. Since a LAN is a network, it connects multiple computers and even multiple LANs. Some of the characteristics of a LAN are:
• High data transmission speed
• Permanently connected
• Low error rates
• High security
• Owned and maintained by the organization

3.2.4 Wide Area Network (WAN)

A WAN is a data communications network that spans a relatively broad geographic area and often uses transmission facilities provided by telecom companies. Since it covers a wider area, a WAN consists of multiple LANs. Following are the characteristics of a WAN:
• Compared to a LAN, its transmission speed is low
• Most WANs are not owned by one organization. They work under collective or distributive ownership and management.
• A WAN uses public or private networks.
• Routers are used to connect a LAN to a WAN.

Since confidential data passes through the network, it is essential to ensure that the data available on the network is safe and secure. The risks are peculiar in the case of wireless technology. Hence, let us first understand what wireless technology is and why this technology is being used.

3.2.5 Wireless network

A wired network uses cable wires to communicate with the network devices. Networks that are established using digital wireless communications are generally called wireless LANs. In these, short range radio is used as the medium of communication. One such short range wireless network is Bluetooth technology, which connects keyboards, printers and other devices to a computer. In wireless LANs, every computer has a radio modem and antenna with which it can communicate with other systems. We generally see people using the wireless network at public places like airport lounges, hotels and coffee shops without any wire connecting their laptops to a network port. This is wireless technology. It can be used in the office and at home as well. Following are some of the key benefits of a wireless network:
(a) Convenience – it is convenient as the user need not be tied to his office desk and need not use a wire to connect the laptop with the network router.
(b) Free mobility – the user can freely move and use the network in any location within the defined coverage area. For example, a couple of employees are working as a team in a conference room. In case of a wired network it may be difficult to work, as there might be a limitation on the number of network ports. However, they can easily hook on to the wireless network.
(c) Easy installation – its setup and installation is easy, as wires need not be used to connect the network devices.
(d) Cost effective – it can be cost effective depending upon the number of users and the coverage area, as the cost of wiring is done away with.

The receiving network equipment must be appropriately configured to use the wireless network.

3.2.6 Private Branch Exchange (PBX)

It is a telephone system used in offices, commonly referred to as an intercom. It consists of one main box at the reception and various phones at different tables in the office connected to this box. There can be one phone number with a hunting line facility or multiple numbers. Further, staff in the office can communicate with each other with the help of extension numbers, which are internal numbers.

Multiple Choice Questions

1. Which of the following services is not provided by a CA firm:
   (a) Audit
   (b) Tax return filing
   (c) Identification of suitable ERP
   (d) Appearing in High court for criminal cases

2. The main purpose of the internal audit is ensuring compliance to the policies and procedures of the organization and gaining assurance on:
   (a) Financial reporting
   (b) Operations of the organization
   (c) Compliance to the applicable rules and regulations
   (d) All of the above

3. ___________ application is used to track and monitor potential clients and proposals status:
   (a) Accounts Receivable
   (b) Sales
   (c) Knowledge Management
   (d) Opportunities Management

4. Data in the Knowledge management application is maintained in un-editable format as:
   (a) Training material represents the approach, methodology and viewpoints of the firm, which should not be modified by users.
   (b) Users may make unauthorized changes to training material and past proposals etc.
   (c) Users may make unauthorized changes to the training test / examination results
   (d) All of the above

5. ____________ captures and maintains the attendance of each employee on a daily basis:
   (a) Leave Management System
   (b) Self Service
   (c) Timesheet
   (d) None of the above

6. Which of the following applications is used to flag whether the expenses submitted by employees are chargeable to a client or not?
   (a) Self Service
   (b) Expense Management
   (c) Accounts Payable
   (d) Benefits administration

7. State whether the following statement is true or false: “2 way match control is performed in the accounts receivable module to compare the sales order amount and invoice amount”
   (a) True
   (b) False

8. Which of the following controls are enabled in the Accounts Payable application / module of ERP:
   (a) Invoice tolerance
   (b) Pay unapproved invoice
   (c) Adjustment of advance paid
   (d) All of the above

9. Tracking of delivery of service against the sales order is performed in which of the following applications:
   (a) Accounts Receivable
   (b) Sales
   (c) Opportunities Management
   (d) None of the above

10. State which of the following statements is correct:
   (a) Balances are posted from AP, AR and FA modules to the General Ledger.
   (b) Balances from GL, FA and AR are posted to the AP module
   (c) Balances from AP, AR and GL are posted to the FA module
   (d) Balances from FA, GL and AP modules are posted to the AR module

11. State whether the following statement is true or false: Basic setup like Chart of Accounts, currency conversion and financial calendar setup in the GL module of an ERP are applicable to all other modules of the ERP.
   (a) True
   (b) False

12. Allocation of employees to various assignments and their availability are performed in which of the following applications:
   (a) Timesheet
   (b) Resource allocation and scheduling
   (c) Leave management
   (d) Self service

13. Which of the following applications is used to book purchase invoices received from vendors:
   (a) Purchasing
   (b) Expense Management
   (c) Accounts Payable
   (d) General Ledger

14. Which of the following applications is used to process manual journal entries for accruals and provisions:
   (a) Accounts Payable
   (b) General Ledger
   (c) Accounts Receivable
   (d) Expense Management

15. For selection of the ERP implementation partner, which of the following tasks are performed by the management:
   (a) Implementation experience of the implementation partner in the relevant industry
   (b) Approach and methodology to be adopted
   (c) Overall implementation experience of the implementation partner
   (d) All of the above

16. Post implementation review is primarily focused on:
   (a) Identifying bugs in the application
   (b) Identifying control weaknesses and absence of segregation of duties
   (c) Review of technical architecture of the application
   (d) None of the above

17. Purchase order and receipts information flows from the purchasing module for invoice booking and matching in which of the following modules:
   (a) Expense management
   (b) General ledger
   (c) Accounts payable
   (d) None of the above

18. State whether the following statement is true or false: Manual adjustment entries booked in the GL module flow from the GL module to sub ledger modules like AP, AR and FA.
   (a) True
   (b) False

19. State whether the following statement is true or false: A document number generated by automatic sequence numbering can be changed by the user.
   (a) True
   (b) False

20. The purpose of changing the status of a customer to ‘on hold’ is to ensure that:
   (a) No more sales orders are entered for that customer
   (b) Rendering of service is not allowed for that customer
   (c) No sales invoices are raised for that customer
   (d) All of the above

Answers: 1. d, 2. d, 3. d, 4. d, 5. c, 6. b, 7. b, 8. d, 9. b, 10. a, 11. a, 12. b, 13. c, 14. b, 15. d, 16. b, 17. c, 18. b, 19. b, 20. d

References: The books / articles may be referred for further reading.


CHAPTER 2. INFORMATION SECURITY IN CA’S OFFICE

LEARNING OBJECTIVES
• To understand the meaning of “Data” and “Information”
• To understand the importance of Information Security
• To understand which information assets need to be secured
• To understand the goals of information security
• To understand the meaning of risk, threat, attack and vulnerability
• To understand what can go wrong in the absence of security or control measures
• To understand the best practices to be adopted to avoid security breaches

TASK STATEMENTS
• Understand key concepts of Confidentiality, Integrity and Availability of information
• Identify key risks at the overall IT infrastructure level and at the application level
• View the risks applicable to any application from the point of view of configurations, input, processing, output, access controls and segregation of duties
• Review some of the key controls suggested and deployed by organizations globally

KNOWLEDGE STATEMENTS
• Understanding the meaning and importance of information security helps organizations to deploy adequate security measures to avoid loss of information.
• Controls mitigating the risk of information security may be incorporated in the processes by organizations.

2.0 Information Security

2.1 Introduction

After having understood the IT applications being used in a CA’s office, let us understand the information security concerns associated with these applications / infrastructure. Before we proceed to information security, let us first understand what information is and what the difference between data and information is. Data is anything that is raw and unprocessed. Examples of data may include sales and transaction data, but the data should be factual. Once the data is processed, it provides some meaningful results to the user. This processed data is information. The data or information may reside on a server or network of the organization. Information security is the protection of information assets from threats in order to preserve their value. In today’s life, almost everybody works on a network. It can be either the organization’s network or the internet (a public network). The internet is very convenient but this convenience may come at the cost of the security of the data or information. Since the data is in soft copy format, there is a risk of someone stealing confidential information. Even if the data is in hard copy format, it may be misused by someone against the interest of the firm. It is critical that the data be kept under lock and key.

2.2 Why Information Security?

To understand the importance of information security, it is first important to understand the importance of information and what may happen if the confidentiality or integrity of information is compromised. Information security is important both for the organization and for the individuals working in the organization. However, the nature and importance of the data available with individuals or organizations varies. For example, individuals have bank accounts and credit cards and make online bill payments. For them, the confidential information is the bank account details, credit card details etc. Organizations hold a variety of sensitive information like employee salary details, employees’ bank account details, Bill of Material, etc. Security of such information is important because if its confidentiality is compromised, the recipient of the information may use it for his / her personal benefit. Further, failure to maintain security over customers’ confidential business information may also affect the organization’s goodwill and brand image. In the past, organizations used to conduct business and send documentary evidence by post / fax etc. Today, the situation has changed: computer applications allow organizations to communicate with each other with convenience and speed. Earlier, sensitive information was kept under lock and key as it was in hard copy format. However, with digitization and the wide use of computers and the internet, the need for information security has increased. Since such critical business data is available on a network to which multiple people in the organization have access, it is in management’s interest to ensure that the data does not fall into the wrong hands. Considering this, network security is of immense importance.

Further, computers are used by almost every person in the organization for various routine business operations such as purchase, sale, inventory control, payroll, transaction processing etc. If appropriate security measures are not taken, data may be downloaded by users and used against the interest of the firm. For example, a user may share a client’s confidential data with competitors. Considering this, it is in management’s interest to ensure that employees are provided access to data on a need to do and need to know basis. In case of non-availability of the information systems for any reason, business operations suffer a lot and almost come to a halt, as either manual systems do not exist or are not in a position to deal with the situation. This may prove very costly to the organization, as the non-productive time of its resources involves cost. It may also lead to loss of business. Further, it also costs the organization to restore the systems.

2.3 Which information assets need to be secured?

There are two types of data available in a Chartered Accountant (CA) office:
• Client data / documents
• Own data / documents

Any data or information which is confidential in nature should be secured. Further, any data or information which may be modified, destroyed or misused by others needs to be secured. For this, it is essential to consider all sources from where the data or information can be retrieved. Once the sources are identified, first the physical security of computer hardware like servers needs to be ensured. Physical security involves the use of lock and key for critical computer hardware, i.e. use of lock and key on the cabin in which the computer server is kept. Unauthorized persons should not be able to access the server. Once physical security is ensured, the organization needs to ensure logical access security on the network, as a lot of data is stored on the network in soft copy format. As regards which information needs to be secured, it will depend on the criticality of the information. For this, management needs to do a risk assessment and define the criticality level for each information asset so that appropriate security mechanisms may be adopted.

2.4 Goals of Information Security

The purpose of information security is to retain the security of the information. The main goals of information security are:
• Confidentiality (C)
• Integrity (I)
• Availability (A)

These are commonly referred to as CIA in information security parlance. In addition, authenticity and non-repudiation are also relevant from the information security point of view. The goals of information security are explained as under:
• Confidentiality – It means the information available in the organizational applications should be safe from unauthorized access, i.e. information should not be available to unauthorized users. The extent and level of confidentiality would depend on the nature of the information. The level of confidentiality would be higher in the case of critical information and lower in other cases. For example, credit card details of customers are very sensitive and critical and hence banks are expected to ensure that the confidentiality of such credit card details is not compromised. Similarly, auditors are expected to ensure confidentiality of the information gathered during the course of an audit. Failure to ensure confidentiality of sensitive information may lead to loss of reputation and business.
• Integrity – it means information available in the organization should not be altered or modified by unauthorized personnel. Any unauthorized modification or alteration to the information may cause financial and reputational loss. In case the data is modified by an unauthorized person and this is detected by management, the only options are either to restore the data from backups or to re-create the whole data, which will be time consuming and will have a financial cost.
• Availability – information should be available for use when needed. Availability of information might be affected due to a denial of service attack or some other reason. Let us assume that a company is hit by fire or flood and has lost its computers and data. In such a case, the company has the option to restore the data from backup if it is stored at some safe place. Else, the data will not be available and this would adversely affect the business of the company.
• Authentication – Information may be available to multiple users. The computer systems should be able to identify the user making the request through user id and password.
• Non-repudiation – it means someone cannot deny something. For example, in the case of an email sent over the internet, the sender cannot deny having sent the message and the receiver cannot deny having received the message.

3.0 Information security risks, threats, attacks and vulnerabilities

Information security risks would depend on the type of network (wired or wireless), applications, hardware equipment etc. Let us first understand the meaning of risks, threats, attacks and vulnerabilities, as these terms are widely used in information security. Risk means what will happen if something goes wrong. Risk may be financial, operational or reputational in nature. Risk is the possibility or probability of a threat, damage or loss due to internal or external vulnerabilities. Risk cannot be avoided; it can at most be minimized. Vulnerability is any weakness or flaw in hardware or software which leaves the system open to exploitation or susceptible to attack. It would be difficult to say that an application is absolutely foolproof. There are some loopholes or weaknesses which may be exploited by somebody to gain unauthorized access. This exposure to attack is vulnerability. Attack is the action taken by an attacker against the target with the intention of doing harm. It is an attempt to gain unauthorized access to information or to destroy it. Threat is the potential for occurrence of a harmful attack on the information assets which may impact their confidentiality, integrity and availability. A threat may come from internal or external persons. Internal persons may be employees of the company and external persons may be terrorists, hackers etc. Threats can be broadly classified as Natural and Man-made.

3.1 Natural threats (Source: ISA background material Vol I – ICAI)

Threats to facilities and environment from natural causes include:
• Natural disasters such as earthquakes, floods, volcanoes, hurricanes and tornadoes.
• Extreme variations in temperature such as heat or cold, snow, sunlight etc.
• Humidity, vapours, smoke and suspended particles.
• Insects and organisms such as rodents, termites and fungi.

3.2 Man made threats (Source: ISA background material Vol I – ICAI)

These can be intentional or unintentional. Some examples are:
• Fire due to negligence and human action.
• War and bomb threats.
• Equipment failure.
• Failure of air-conditioning, humidifiers, heaters.
• Food particles and residues, undesired activities like smoking in computer facilities, structural damage due to human action / inaction and negligence.
• Electrical and Electromagnetic Interference (EMI) from generators and motors.
• Radiation.
• Chemical / liquid spills or gas leaks due to human carelessness or negligence.

3.3 Exposures (Source: ISA background material Vol I – ICAI)

Some examples of exposures from violation of environmental controls:
• A fire could destroy valuable computer equipment, supporting infrastructure and organizational data. Usually the use / storage of thermocol or Styrofoam material, inflammable material used for construction of the server cabin, and false ceilings aggravate the probability of fire and the loss due to fire.
• Water leakages can induce shocks and short circuits.
• EMI (Electromagnetic Interference) from generators can damage the integrity of contents on magnetic media.
• Fungus formation on tapes can lead to tapes and disks not being readable.
• A sudden surge in power or other voltage fluctuations can damage computer equipment.
• Chemical or liquid spills from a nearby unit may seep into the IPF (Information Processing Facility), thereby damaging equipment.
• Damage to keyboards or other computer equipment can be caused by accidental dropping of beverages, liquids etc.
• Continuous process systems bear the risk of internal component damage due to improper air conditioning or high humidity.
• Lightning may burn communication devices and computing equipment due to improper earthing or grounding.

4.0 Risks / threats / vulnerabilities applicable to respective software and hardware

After having understood information security and its importance, let us now see the risks or security concerns for the respective IT assets in a CA’s office. For this purpose, the information assets have been categorized as follows:
4.1 Wireless network, Client Server architecture and communication systems
4.2 Software applications
4.3 Hardware like PBX, Printer, fax machines, laptops, mobile phones, tablet computers etc.

4.1 Risks / threats / vulnerabilities applicable to Wireless network, Client Server architecture and communication systems

4.1.1 Wireless network

A network is a connection of several computers. They may be connected by wire in the case of a wired network, while wireless technology uses radio waves to transmit data between the connecting network devices like laptops and computers. A wireless network is vulnerable to the following key attacks:

• Denial of service – this attack is easy to launch but difficult to address. The attack is done by sending more requests than can be handled by the machine. There are tools available which make it simple to run a program that generates multiple requests. This attack was very popular in the 1980s and 1990s but not so much now. It is carried out by getting a connection to some port on the network. This attack leads to loss of network availability.

The electronic threats are more serious but less obvious. Some of them are described below:
• Connection flooding – this is the oldest type of attack, where an attacker sends more data than a communication system can handle, thereby preventing the system from receiving any other legitimate data. Even if an occasional legitimate packet reaches the system, communication is seriously degraded.
• Ping of death – it is possible to crash, reboot or kill a large number of systems by sending a ping of a certain size from a remote machine. This is a serious problem, mainly because it can be reproduced very easily, and from a remote machine. Ping uses the ICMP protocol to request a destination to return a reply intended to show that the destination system is reachable and functioning. Since ping requires the recipient to respond to its request, all that the attacker needs to do is send a flood of pings to the intended victim.
• Traffic redirection – a router is a device that forwards traffic on its way through intermediate networks between a source host’s network and a destination’s. So if an attacker can corrupt the routing, traffic will disappear.
• DNS attacks – these are attacks based on the Domain Name System (DNS), which is a table that converts a domain name like www.icai.org into a network address like 202.54.74.130, a process called resolving the domain name or name resolution. By corrupting a name server or causing it to cache spurious entries, an attacker can redirect the routing of any traffic, or ensure that packets intended for a particular host never reach their destination.
• Man in the middle attack – is similar to session hijacking, in which one entity intrudes between two others. The difference between a man in the middle attack and hijacking is that a man in the middle usually participates from the start of the session, whereas session hijacking occurs after the session has been established. The difference is largely semantic and not particularly significant.
• Session hijacking – is intercepting and carrying on a session begun by another entity. The attacker intercepts the session of one of the two entities that have entered into a session and carries it on in the name of that entity. For example, in an e-commerce transaction, just before a user places his order and gives his address, credit card number etc., the session could be hijacked by an attacker.
• Eavesdropping and wiretapping – an attacker can pick up the content of communication passing in unencrypted form. The term eavesdropping implies overhearing without expending any extra effort. For example, an attacker (or a system administrator) is eavesdropping by monitoring all traffic passing through a node. The administrator might have a legitimate purpose, such as watching for inappropriate use of resources. A more hostile term is wiretap, which means intercepting communications through some effort. Passive wiretapping is just “listening”, almost like eavesdropping. But active wiretapping means injecting something into the communication stream. A wiretap can be done in such a way that neither the sender nor the receiver of a communication will know that the contents have been intercepted.
• Microwave signal tapping – microwave signals are broadcast through the air, making them accessible to outsiders. An attacker can intercept a microwave transmission by interfering with the line of sight between sender and receiver. It is also possible to pick up the signal from an antenna located close to the legitimate antenna.
• Satellite signal interception – in satellite communication, the potential for interception is even greater than for microwave signals. However, because satellite communications are heavily multiplexed, the cost of extracting a single communication is rather high.
• Spoofing and Masquerading – spoofing means to deceive or to play a hoax on a network by one of the following:
   – IP Spoofing: to deceive for the purpose of gaining access to someone else’s resources (for example, to fake an internet address so that one looks like a certain kind of trusted internet user).
   – Email Spoofing: to change an email header so that the message appears to have originated from someone or somewhere other than the actual source.
   – Web spoofing: to playfully satirize a website.
   In all cases of spoofing something is being forged. It may, for example, be an email ID or an IP address, etc. Masquerading means disguising or impersonating. The attacker pretends to be an authorized user of a system, either to gain access or to get greater privileges than he is authorized for. Masquerading may be attempted by using a stolen login id and password, through security gaps in programs, or by bypassing the authentication mechanism. The attempt may come from within an organization, say from an employee, or from an outsider through some connection to the public network. Weak authentication provides one of the easiest points of entry for a masquerader. Once attackers have been authorized for entry, they may get full access to the organization’s critical data and (depending on the privilege level they pretend to have) may be able to modify and delete software or make other changes.
• Theft of device – wireless devices are small in nature and hence easily stolen.
• Malicious code – malicious hackers who are unauthorized users gain access to the system or break the system and release viruses, worms, Trojan horses, logic bombs etc. on the network, which damage files and make the system unavailable.

Further, weak firewalls in the wireless network may be circumvented by hackers to connect to the network and steal confidential information or damage the data as stated above.
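The connection flooding and ping of death descriptions above translate directly into two detection rules. As an added example that is not part of the ICAI material, the following Python code applies them to a constructed list of packet records (timestamp, source address, ICMP type, IP total length): a per-source count of echo requests inside a sliding one-second window for flooding, and a check for a reassembled IP length above the IPv4 maximum of 65535 bytes for an oversized ping. The threshold, window length and addresses are assumptions.

```python
"""Detecting a ping flood and oversized ICMP echo requests from packet records.

Added example, not from the ICAI material. Records are constructed tuples:
(timestamp_seconds, source_ip, icmp_type, ip_total_length). ICMP type 8 is
Echo Request. A legitimate IPv4 datagram can never exceed 65535 bytes, so a
reassembled length above that is the classic "ping of death" signature.
"""
from collections import defaultdict, deque
from typing import Iterable, List, Tuple

Record = Tuple[float, str, int, int]

MAX_IPV4_LEN = 65535          # hard limit of the IPv4 total-length field
WINDOW_SECONDS = 1.0          # assumed sliding window
FLOOD_THRESHOLD = 100         # assumed policy: echo requests per source per window
ICMP_ECHO_REQUEST = 8


def detect_icmp_anomalies(records: Iterable[Record],
                          threshold: int = FLOOD_THRESHOLD,
                          window: float = WINDOW_SECONDS) -> List[str]:
    """Return alert strings for flooding sources and oversized echo requests."""
    alerts: List[str] = []
    recent = defaultdict(deque)   # source -> timestamps seen inside the window
    flagged_flood = set()         # alert once per flooding source
    for ts, src, icmp_type, total_len in sorted(records):
        if icmp_type != ICMP_ECHO_REQUEST:
            continue              # replies and other ICMP types are not counted
        if total_len > MAX_IPV4_LEN:
            alerts.append(f"{src}: oversized echo request ({total_len} bytes)")
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop timestamps that fell out of the window
        if len(q) > threshold and src not in flagged_flood:
            flagged_flood.add(src)
            alerts.append(f"{src}: {len(q)} echo requests within {window}s")
    return alerts


def constructed_capture() -> List[Record]:
    """Constructed sample traffic: a normal host, a flooding host, one oversized ping."""
    recs: List[Record] = []
    # normal host: one 84-byte ping per second for 10 seconds
    for i in range(10):
        recs.append((float(i), "10.0.0.5", ICMP_ECHO_REQUEST, 84))
    # flooding host: 150 echo requests inside half a second
    for i in range(150):
        recs.append((3.0 + i * 0.003, "10.0.0.77", ICMP_ECHO_REQUEST, 84))
    # one echo request whose reassembled length exceeds the IPv4 maximum
    recs.append((6.0, "10.0.0.9", ICMP_ECHO_REQUEST, 65540))
    # an echo reply (type 0), which the detector must ignore
    recs.append((6.5, "10.0.0.5", 0, 84))
    return recs


if __name__ == "__main__":
    for line in detect_icmp_anomalies(constructed_capture()):
        print(line)
```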


4.1.2 Client Server Architecture (Source: Background material on ISA, Volume 1 of ICAI)

A client is a requester of services and a server is a provider of services. Client / server architecture of a computer network is one in which many clients in remote mode request and receive service from a centralized server known as the host computer. The client computer is the interface through which the user requests a service from the server and displays the results once the server provides the service. Servers wait for requests to come from clients and then respond. Ideally, a server provides a standardized transparent interface to clients so that clients need not be aware of the specifics of the system (i.e. hardware and software) that is providing the service. Clients are often situated at workstations, personal computers or laptops, while servers are usually more powerful machines. It is an environment in which the application processing is divided between client workstations and servers. It implies the use of desktop computers / laptops interfacing with servers in a network, in contrast to processing everything in a centralized machine. For example, in a CA’s office, a client user can request and access a client file on the central server and update the same. Multiple users can access and update the file at the same time. Similarly, multiple users may raise invoices on the clients. The server would store all the invoices. Because both the client and server computers are considered intelligent devices, the client server model is completely different from the old “mainframe” model, which utilizes a centralized mainframe computer that performs all the tasks for its associated “dumb” terminals. The file server based architecture is replaced by a data server. To query the database server, a Database Management System (DBMS) is used. The basic components of a client / server system are:
• Client
• Server
• Robust and good communication system
• GUI based operating system
• Open Database Connectivity (ODBC) drivers and Application Programming Interfaces (APIs)

Risks in a client server environment are as follows:
1. Unauthorized access – access rights may not have been provided on a need to do and need to know basis. As a result, users who should not have access to the computing environment have access to it. Due to this, a user may read confidential information in case he / she has only read access. If the user has write access, he / she may modify the data, thereby affecting the integrity of the data.
2. Audit log or trail – in case the user has access at the database / operating system level, such a user may also modify / delete the audit log / trail.
3. Availability of the computing environment – the server may not be available (due to any threat / vulnerability which we will discuss later) for use by users, thereby affecting the operations of the company.

The applications in a CA’s office which operate in client server architecture are vulnerable to multiple risks. We will discuss these risks later.
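Risk 2 above (a user with database-level access altering the audit trail) and the Integrity goal in 2.4 share one countermeasure: chain each audit entry to the previous one with a hash and keep the latest hash outside the database. As an added example that is not part of the ICAI material, the Python code below does this with SHA-256 and shows that an edited or deleted row is reported on verification. The record fields, user names and invoice numbers are constructed.

```python
"""Tamper-evident audit trail: each entry's hash covers the previous hash.

Added example, not from the ICAI material. A user who edits or deletes a
log row directly in the database cannot recompute the chain without also
replacing the anchor hash stored elsewhere (e.g. a write-once file).
"""
import hashlib
import json
from typing import Dict, List, Tuple

GENESIS = "0" * 64  # previous-hash value used for the first entry


def entry_hash(prev_hash: str, record: Dict) -> str:
    """SHA-256 over the previous hash and the canonical JSON of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def append_entry(log: List[Dict], record: Dict) -> str:
    """Append a record to the chain and return its hash (the new anchor)."""
    prev = log[-1]["hash"] if log else GENESIS
    h = entry_hash(prev, record)
    log.append({"record": record, "prev": prev, "hash": h})
    return h


def verify_chain(log: List[Dict], anchor_hash: str) -> List[str]:
    """Return a list of problems; an empty list means the trail is intact.

    anchor_hash is the last hash kept outside the database, so a chain that
    was truncated (tail rows deleted) is detected as well.
    """
    problems: List[str] = []
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            problems.append(f"entry {i}: prev pointer broken (entry removed or reordered)")
        if entry["hash"] != entry_hash(entry["prev"], entry["record"]):
            problems.append(f"entry {i}: record modified after hashing")
        prev = entry["hash"]
    if prev != anchor_hash:
        problems.append("chain head does not match stored anchor (entries truncated or appended)")
    return problems


def build_sample_log() -> Tuple[List[Dict], str]:
    """Constructed sample: three invoice events as a CA firm's application might log them."""
    log: List[Dict] = []
    events = [
        {"seq": 1, "user": "clerk1", "action": "create_invoice", "invoice": "INV-001", "amount": 12000},
        {"seq": 2, "user": "clerk2", "action": "approve_invoice", "invoice": "INV-001"},
        {"seq": 3, "user": "clerk1", "action": "create_invoice", "invoice": "INV-002", "amount": 8500},
    ]
    anchor = GENESIS
    for ev in events:
        anchor = append_entry(log, ev)
    return log, anchor


def tampered_amount_detected() -> List[str]:
    """Simulate a database-level edit of an amount without re-hashing."""
    log, anchor = build_sample_log()
    log[0]["record"]["amount"] = 1200
    return verify_chain(log, anchor)


def deleted_entry_detected() -> List[str]:
    """Simulate deletion of the approval row from the middle of the trail."""
    log, anchor = build_sample_log()
    del log[1]
    return verify_chain(log, anchor)


if __name__ == "__main__":
    log, anchor = build_sample_log()
    print("intact :", verify_chain(log, anchor))
    print("edited :", tampered_amount_detected())
    print("deleted:", deleted_entry_detected())
```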


4.1.3 Communication sub-system vulnerabilities (Source: Background material on ISA, Volume 1 of ICAI)

Data is communicated between users in the office and with the outside world. Generally, the internet is used for this. While the data is being communicated, there are various risks, which are as follows:
• Eavesdropping and wiretapping – explained above.
• Microwave signal tapping – explained above.
• Satellite signal interception – explained above.
• Impersonation – in many instances, an easy way to obtain information about a network is to impersonate another person or process. An impersonator may foil authentication by any of the following means:
   – Guessing – an attacker can guess the identity and authentication details of the target by using common passwords, words in a dictionary, variations of the user name, default passwords etc.
   – Eavesdropping and wiretapping – when the account and authentication details are passed over the network without encryption, they are exposed to anyone observing the communication on the network. These authentication details can be reused by an impersonator until they are changed.
   – Avoidance – a flawed operating system may be such that the buffer for typed characters in a password is of fixed size, counting all characters typed, including backspaces for correction. If a user types more characters than the buffer can hold, the overflow causes the operating system to bypass the password comparison and act as if correct authentication has been supplied. Such flaws or weaknesses can be exploited by anyone seeking unauthorized access.
   – Nonexistent authentication – an attacker can circumvent or disable the authentication mechanism at the target computer. If two computers trust each other’s authentication, an attacker may obtain access to one system through an authentication weakness (such as a guessed password) and then transfer to another system that accepts the authenticity of a user who comes from a system on its trust list. The attacker may also use a system that has some identities requiring no authentication. For example, some systems have “Guest” or “anonymous” accounts to allow outsiders to access things the system wants to release to the public. These accounts allow access to unauthorized users.
   – Well known authentication – most vendors sell computers with one system administration account installed, having a default password, or the system comes with a demonstration or test account with no password required. Some administrators fail to change the password or delete these accounts, causing a vulnerability.
• Spoofing and Masquerading – explained above.
• Session hijacking – explained above.
• Man-in-the-middle attack – explained above.

Message confidentiality threats (Source: Background material on ISA, Volume 1 of ICAI)

ADVANCE INFORMATION TECHNOLOGY TRAINING

265

OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE

An attacker can easily violate message confidentiality (and perhaps integrity) because of the public nature of networks. Eavesdropping and impersonation attacks can lead to a confidentiality or integrity failure. Here we consider several other vulnerabilities that can affect confidentiality.

1. Misdelivery – message misdelivery happens due to congestion at network elements, which makes the buffers overflow so that packets get dropped. Sometimes messages are not delivered because of some flaw in the network hardware or software. Most frequently, messages are lost totally, which is an integrity or availability issue. Occasionally, however, a destination address will be modified, or a message will reach someone other than the intended recipient. All of these “random” events are uncommon. More frequent than network flaws are human errors, caused by typing a wrong address.

2. Exposure – the content of a message may be exposed in temporary buffers; at switches, routers, gateways and intermediate hosts throughout the network; and in the workspaces of processes that build, format and present the message. A malicious attacker can use any of these exposures as part of a general or focused attack on message confidentiality.

3. Traffic analysis – sometimes not only is the message sensitive but the fact that it exists is also sensitive. For example, if a wartime enemy sees a large amount of network traffic between headquarters and a particular unit, the enemy may be able to infer that significant action is being planned involving that unit. In a commercial setting, messages sent from the president of a company to the president of its competitor could lead to speculation about a takeover or a conspiracy to fix prices.

Message integrity threats (Source: Background material on ISA, Volume 1 of ICAI)

In most cases, the integrity or correctness of a communication is more important than its confidentiality.
Some of the threats which could compromise integrity are:

• Changing some part or all of the content of a message

• Replacing a message entirely, including the date, time and sender / receiver identification

• Reusing (replaying) an old message

• Combining pieces of different messages into one false message

• Changing the source of a message

• Redirecting a message

• Destroying or deleting a message

These attacks can be perpetrated in the ways already stated, including:

• Active wiretap

• Trojan horse

• Impersonation

• Compromised host or workstation
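Each of the integrity threats listed above can be detected at the receiving end if the sender, receiver, sequence number, timestamp and body of every message are covered by a message authentication code and the receiver tracks what it has already accepted. The following Python example is added here for illustration and is not part of the ICAI material: the shared key, the field names, the 5-minute freshness window and the sample messages are all assumptions constructed for the example.

```python
import hashlib
import hmac
import json
import time

# Assumptions for the example: a pre-shared key (constructed value, not a real
# secret) and a 5-minute freshness window for timestamps.
SHARED_KEY = b"constructed-demo-key-not-for-production"
MAX_AGE_SECONDS = 300


def _canonical(msg):
    """Serialise the protected fields in a fixed order so that sender and
    receiver compute the MAC over exactly the same bytes."""
    fields = {k: msg[k] for k in ("sender", "receiver", "seq", "ts", "body")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def protect(sender, receiver, seq, body, key=SHARED_KEY, ts=None):
    """Build an outgoing message whose header fields and body are covered by an HMAC."""
    msg = {
        "sender": sender,
        "receiver": receiver,
        "seq": seq,
        "ts": int(time.time()) if ts is None else ts,
        "body": body,
    }
    msg["mac"] = hmac.new(key, _canonical(msg), hashlib.sha256).hexdigest()
    return msg


class Receiver:
    """Verifies incoming messages and remembers the last sequence number per sender."""

    def __init__(self, me, key=SHARED_KEY, now=None):
        self.me = me
        self.key = key
        self.now = now or (lambda: int(time.time()))
        self.last_seq = {}  # sender -> highest sequence number accepted so far

    def verify(self, msg):
        """Return (accepted, reason) for a received message."""
        try:
            expected = hmac.new(self.key, _canonical(msg), hashlib.sha256).hexdigest()
        except (KeyError, TypeError):
            return False, "malformed"
        # Any change to the content, the claimed source or the destination changes
        # the MAC; this also catches messages stitched together from pieces of others.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "mac-mismatch"
        # A genuine message forwarded to the wrong party is still refused.
        if msg["receiver"] != self.me:
            return False, "redirected"
        # An old (or far-future) timestamp indicates a delayed or reused message.
        if abs(self.now() - msg["ts"]) > MAX_AGE_SECONDS:
            return False, "stale"
        last = self.last_seq.get(msg["sender"], 0)
        # Replaying an already accepted message reuses its sequence number.
        if msg["seq"] <= last:
            return False, "replay"
        self.last_seq[msg["sender"]] = msg["seq"]
        # A jump in the sequence means an intermediate message was lost or deleted.
        return True, ("ok-gap" if msg["seq"] > last + 1 else "ok")
```

The receiver checks the MAC before anything else, so tampering, source changes and spliced messages are all reported as one failure; the destination, freshness and sequence checks then cover redirection, delayed reuse and replay, and a gap in the sequence is accepted but flagged so that a deleted message does not go unnoticed.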

5.0 Risks applicable to software applications used in a CA’s office

Risks to applications may be viewed from the following aspects:

• Configurations / setups

• Input

• Processing

• Output

• Access rights

• Segregation of Duties (SoD)

Now let us look at the risks applicable to the respective applications as identified in the previous chapter.

5.1 Client Management

This application primarily manages client relations, opportunities and assignments. The risks associated with this application are more operational than financial. The biggest risk due to any problem in this application is the risk of loss of client and / or business. The key risks are as follows:

• Unauthorized access – access rights may not have been provided on a need to know and need to do basis. As a result, access to the application may not be restricted to authorized users. With this, the user may make unauthorized changes to leads, opportunities, proposals etc. Due to this, there is risk of:

  o Compromising confidentiality of the opportunities related information.

  o Further, if the user has write access, such user may make unauthorized changes to proposals, and a proposal may be accepted against the risk management policy of the firm.

  o Sales credit of the employees may be changed.

  o Changes to the configurations / setup, which may impact the behavior of the application. For example, proposals may be approved without going through the risk management steps.

  The above may lead to data integrity issues. This may result in misleading reporting of the opportunities and hence the monitoring of opportunities may be misleading.

• The approval workflow may not be mapped as per the authorization matrix. This may lead to unauthorized approval of opportunities.

• There may be absence of Segregation of Duties as the user may identify, enter and approve opportunities.

5.2 Resource allocation and scheduling

This application manages resources. The risks associated with this application are more operational in nature, as any problem with this application would lead to chaos in resource allocation and would affect the profitability of the assignments. Following are the key risks:

• Unauthorized access – access rights may not have been provided on a need to know and need to do basis. As a result, access to the application may not be restricted to authorized users. With this, the user may make unauthorized changes to the resource skill set and their allocation. The above may lead to data integrity issues. Further, this may result in misleading reporting of the assignment profitability.

• Absence of a resource allocation application may lead to chaos in resource allocation and scheduling. As a result, some of the engagements may be delayed, leading to customer dissatisfaction. Further, employees who have left the company may be assigned to some assignments.

5.3 Financial Accounting application

This is the key financial application. Hence, the risks associated with this application are financial in nature. Risks associated with each of the modules are explained as follows:

5.3.1 General Ledger

• Inaccurate journal entries are posted to the GL, resulting in misstatements in account balances, as the journal entries may not be balanced.

• The balancing amount of unbalanced journal entries may be posted to a suspense account which may not be reviewed periodically. With this, there is risk of inappropriate journal entries being posted to the GL, leading to inappropriate financial reporting.

• Accuracy and disclosure of the consolidated financial statements may be misstated if inter-company journal entries are not eliminated during consolidation.

• Journal entries may be approved by an unauthorized person in case the approval workflow is not mapped properly as per the delegation of authority matrix.

• Any unauthorized changes to the chart of account definitions may lead to inconsistent transactions and data integrity issues.

• Modification to journal entries posted from a sub ledger to the GL may lead to unreconciled differences.

• Unauthorized access – access rights may not have been provided on a need to know and need to do basis. As a result, access to the application may not be restricted to authorized users. With this, the confidentiality of the financial information may be compromised. Further, if the user has write access, such user may make unauthorized changes to the data such as:

  o User may open the financial period and process transactions.

  o User may make unauthorized changes to the configurations / setups.

  o User may make unauthorized changes to the retained earnings and foreign exchange gain / loss accounts specified in the GL setup. As a result, transactions may be posted to an inappropriate account specified by such user, leading to account balance misstatement.

  o Reversible journal entries may not be reversed completely and accurately in the next month.

  o Any unauthorized changes to the mapping of accounts in consolidation may lead to misstatement in financial reporting.

  The above may lead to data integrity issues. This may result in misleading financial reporting.

• There may be absence of Segregation of Duties. Due to this, the user may:

  o Create and approve journal entries.

  o Create chart of accounts and process journal entries.

  o Open the closed period and process transactions.

• Journal entries may be posted to a future period instead of the current period, if both the current and future periods are open.

• Posting errors may not be reviewed and cleared periodically, leading to misstatement in financial reporting.
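The Segregation of Duties risks listed for the General Ledger (and repeated in the Purchasing, Accounts Payable, Sales and other modules below) are usually tested by extracting the user-to-role assignments from the application and comparing each user's effective functions against a conflict matrix. The following Python example is added here for illustration and is not code from the ICAI material or from any particular accounting package; the function names, roles, users and conflict pairs are constructed assumptions.

```python
# Constructed SoD conflict matrix: each pair of functions that one person must
# not be able to perform together, with the risk from the section it represents.
SOD_CONFLICTS = {
    frozenset({"JE_CREATE", "JE_APPROVE"}): "create and approve journal entries",
    frozenset({"COA_MAINTAIN", "JE_CREATE"}): "maintain chart of accounts and process journal entries",
    frozenset({"PERIOD_OPEN", "JE_CREATE"}): "open closed periods and process transactions",
    frozenset({"VENDOR_MAINTAIN", "INVOICE_BOOK"}): "create vendors and process invoices",
    frozenset({"VENDOR_MAINTAIN", "PAYMENT_PROCESS"}): "create vendors and process payments",
    frozenset({"INVOICE_BOOK", "PAYMENT_PROCESS"}): "book invoices and process payments",
}

# Constructed role definitions (role -> functions the role grants).
ROLE_PERMISSIONS = {
    "GL_CLERK": {"JE_CREATE"},
    "GL_SUPERVISOR": {"JE_APPROVE", "PERIOD_OPEN"},
    "GL_CONFIG": {"COA_MAINTAIN"},
    "AP_CLERK": {"INVOICE_BOOK"},
    "AP_PAYMENTS": {"PAYMENT_PROCESS"},
    "VENDOR_MASTER": {"VENDOR_MAINTAIN"},
    "REPORT_VIEWER": {"REPORT_VIEW"},
}

# Constructed user-to-role assignments, as they would be extracted from the application.
USER_ROLES = {
    "asha": ["GL_CLERK", "REPORT_VIEWER"],
    "ravi": ["GL_CLERK", "GL_SUPERVISOR"],
    "meena": ["AP_CLERK", "VENDOR_MASTER"],
    "tom": ["AP_PAYMENTS", "REPORT_VIEWER"],
}


def effective_permissions(user, user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS):
    """Union of the functions granted by every role the user holds."""
    perms = set()
    for role in user_roles.get(user, ()):
        perms |= role_permissions.get(role, set())
    return perms


def _conflicts_in(perms, conflicts):
    # A conflict applies when both functions of the pair are in the user's access.
    return sorted(desc for pair, desc in conflicts.items() if pair <= perms)


def sod_conflicts(user_roles=USER_ROLES, role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Detective check: map each user to the SoD conflicts present in their access."""
    report = {}
    for user in sorted(user_roles):
        hits = _conflicts_in(effective_permissions(user, user_roles, role_permissions), conflicts)
        if hits:
            report[user] = hits
    return report


def conflicts_after_grant(user, new_role, user_roles=USER_ROLES,
                          role_permissions=ROLE_PERMISSIONS, conflicts=SOD_CONFLICTS):
    """Preventive check: the conflicts the user would have if new_role were granted.
    An empty list means the grant is safe under the matrix."""
    perms = effective_permissions(user, user_roles, role_permissions)
    return _conflicts_in(perms | role_permissions.get(new_role, set()), conflicts)
```

The detective check is what an auditor runs over a user access dump; the preventive check is what the access provisioning process should run before a role request is approved, so that a conflicting combination is refused rather than found later in review.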

5.3.2 Purchasing

• Purchase Orders (PO) may not be sequentially numbered. This may lead to duplicate purchase orders being entered.

• Absence of automatic checks on the same date, vendor number, item number etc. As a result, the system may allow inputting the same PO more than once.

• Basic fields like item description, quantity, price, delivery terms etc. required for a PO may not be mandatory in the system. As a result, the PO may not be processed completely and accurately.

• Long pending POs may not be reviewed periodically. Due to this, invalid POs may exist in the system.

• A PO may not be voided by the system after not being fulfilled in a given period. Due to this, invalid POs may exist in the system.

• Authority limits for approval of POs may not be appropriately mapped in the application. This may lead to unauthorized approval of POs.

• Ability to create or modify the vendor master may not be restricted to authorized users. Due to this, there is risk of unauthorized creation of or changes to the vendor master.

• Ability to create or modify POs may not be restricted to authorized users. Due to this, there is risk of unauthorized creation of or changes to POs.

• There may be lack or absence of Segregation of Duties in the access rights provided to users. Due to this, a user may:

  o Create and approve the purchase requisition. Due to this, there is risk of unauthorized or invalid purchase requisitions.

  o Create and approve POs. Due to this, there is risk of unauthorized or invalid purchase orders. In addition, users may be able to create purchase requisitions and approve POs.

  o Create / approve POs in the system and perform receipt of goods / services. With this, there is risk of booking a fictitious or dummy accrued liability for goods / services not received.

  This may lead to the existence of unauthorized POs in the application.

• Ability to receive goods or services may not be restricted to authorized users. This may lead to receipt of unauthorized goods or services, thereby creating liability on the organization.

• Receipt tolerance limits may not be properly mapped in the application. As a result, the system may allow receipt of goods or services in excess of the ordered quantity.

• The application may be configured to allow receipt without a purchase order. Due to this, users may be able to perform receipts without a valid purchase order, thereby creating liability on the organization.

• POs may be raised on invalid / blacklisted vendors if such vendors are not put on hold / blocked.

5.3.3 Accounts Payable

• All invoices received from vendors may not be processed, or invoices received may be processed inaccurately.

• A purchase invoice may be booked more than once if the system is not configured to prevent duplicate vendor invoices on the basis of date and invoice number.

• A purchase invoice may be entered for an amount exceeding the PO / GRN amount if the 2/3 way match option has not been enabled. This would result in recognizing excess liability.

• Incorrect entry of price, quantity, vendor name, account code etc. may be permitted in the absence of system checks.

• The accounting system may accept entries where the debit and credit do not match. In such cases, the difference may be posted to the suspense account (if permitted by the application). This increases the burden on the accounts payable team to review and clear the suspense account periodically.

• The system may allow matching a purchase order more than once in the absence of system controls, as the matched POs are not marked as matched. With this, such purchase orders are again available for matching.

• The vendor invoice number field may not be mandatory in the application. With this, the same invoice may be entered more than once by leaving the vendor invoice number blank in the subsequent invoice booking.

• Balance as per Accounts Payable may not match with the General Ledger and such differences may not be reconciled. This may lead to excessive liability booking.

• Access to book vendor invoices may not be restricted. With this, there is risk of unauthorized invoice booking.

• There may be absence of segregation of duties as the users may be able to:

  o Perform receipt and book vendor invoices. With this, there may be risk of booking fictitious / excessive vendor invoices.

  o Open the AP period and process invoices.

  o Book purchase invoices and process payments.

  o Create vendors and process invoices.

  o Create vendors and process payments.

  With this, there is risk of dummy invoice booking and payment.

• Audit log may not be enabled on the vendor master. With this, any unauthorized changes to the vendor master may not be detected.

• Purchase invoices may be paid more than once if the system does not mark the invoices as paid on payment, as such invoices are available for payment again.
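Several of the Purchasing (5.3.2) and Accounts Payable (5.3.3) risks above are the absence of one input or processing control each: a mandatory vendor invoice number, a duplicate check on vendor, invoice number and date, a 2/3 way match of the invoice against the PO and the GRN with a price tolerance, marking a PO as matched, and marking an invoice as paid. The following Python example is added here to show how those controls fit together in one invoice booking routine; it is illustrative code, not the logic of any particular accounting package, and the purchase orders, invoices and the 2% price tolerance are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class PurchaseOrder:
    po_no: str
    vendor: str
    qty: int
    unit_price: float
    received_qty: int = 0   # quantity confirmed on the goods receipt note (GRN)
    matched: bool = False   # set once an invoice has been matched to this PO


@dataclass
class Invoice:
    vendor: str
    invoice_no: str
    invoice_date: str       # ISO date string as keyed in by the AP clerk
    po_no: str
    qty: int
    amount: float
    paid: bool = False


class AccountsPayable:
    """Invoice booking and payment with the application controls the section lists."""

    def __init__(self, purchase_orders, price_tolerance=0.02):
        self.pos = {po.po_no: po for po in purchase_orders}
        self.booked = {}                        # (vendor, invoice_no, date) -> Invoice
        self.price_tolerance = price_tolerance  # assumed 2% tolerance on the PO price

    def book(self, inv):
        """Three-way match (PO, GRN, invoice) plus duplicate checks. Returns a status string."""
        # The vendor invoice number is mandatory: blank numbers would defeat the duplicate check.
        if not inv.invoice_no.strip():
            return "rejected: vendor invoice number is mandatory"
        key = (inv.vendor, inv.invoice_no.strip(), inv.invoice_date)
        if key in self.booked:
            return "rejected: duplicate invoice (vendor, number, date)"
        po = self.pos.get(inv.po_no)
        if po is None or po.vendor != inv.vendor:
            return "rejected: no valid PO for this vendor"
        if po.matched:
            return "rejected: PO already matched to an invoice"
        if inv.qty > po.qty:
            return "rejected: invoiced quantity exceeds PO"
        if inv.qty > po.received_qty:
            return "rejected: invoiced quantity exceeds GRN"
        expected = inv.qty * po.unit_price
        if inv.amount > expected * (1 + self.price_tolerance):
            return "rejected: invoice amount exceeds PO price beyond tolerance"
        po.matched = True               # the same PO cannot be matched a second time
        self.booked[key] = inv
        return "booked"

    def pay(self, vendor, invoice_no, invoice_date):
        """Pay a booked invoice once; a second payment attempt is refused."""
        inv = self.booked.get((vendor, invoice_no, invoice_date))
        if inv is None:
            return "rejected: invoice not booked"
        if inv.paid:
            return "rejected: invoice already paid"
        inv.paid = True                 # mark as paid so it is not available for payment again
        return "paid"
```

Every rejection returns a distinct reason string so that an exception report can be built from the results; in a real application these outcomes would also be written to the audit log that the section says is often left disabled.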

5.3.4 Sales

• Sales orders may not be recorded completely and accurately as sales orders may not be sequentially numbered.

• A manual or system check may not be in place to identify duplicate or missing sales orders.

• Sales orders may not be processed accurately as the basic critical data like customer code, item code, price and delivery terms may not be mandatory in the system.

• Unauthorized adjustments to customer balances may result in misstatement of customer and revenue balances.

• Charge out rates to clients may be changed due to unauthorized discounts and rebates, which may result in revenue loss to the company.

• Credit limits assigned to customers may not be appropriate. This may result in providing services over and above their eligible limit.

• History of cancelled or deleted sales orders may not be available in the absence of an audit trail.

• Sales orders may not be appropriately scheduled, leading to delay in delivery.

• Access to enter sales orders may not be restricted to authorized users. With this, there is risk of unauthorized changes to credit limits and to the price of orders through discounts / rebates, leading to financial loss to the company.

• Sales orders may not be sequentially numbered. With this, invalid or duplicate sales orders may not be detected.

• Sales orders may be approved by unauthorized personnel, leading to inappropriate AR balances and revenue recognition.

• There is absence of SoD as the user may:

  o Enter sales orders and approve them

  o Enter sales orders and raise sales invoices

  o Raise sales invoices and account for collections

  With the above, there is risk of inappropriate revenue recognition and the receivable balance may be misstated.

• The application may allow changing the sales prices at the time of raising sales invoices. With this, there is risk of inappropriate revenue recognition.

• The application may allow users to change the sales order quantity after invoicing and collection. With this, there will be data integrity issues in the application.
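Two of the Sales risks above, missing or duplicate sales orders in a numbered series and prices changed between the order and the invoice, are among the most common checks run on an application extract with a CAAT tool. The following Python example is added here to show both checks over a small constructed extract; it is illustrative code, not part of the ICAI material, and the order numbering pattern, the sample order numbers and the sample prices are assumptions.

```python
import re
from collections import Counter

# Constructed sample: sales order numbers as exported from the application.
# SO-0106 appears twice, SO-0103 and SO-0107 are missing, and the last entry
# was keyed with a zero instead of the letter O.
SALES_ORDERS = ["SO-0101", "SO-0102", "SO-0104", "SO-0105",
                "SO-0106", "SO-0106", "SO-0108", "S0-0109"]

# Constructed sample: price approved on the order versus price on the invoice raised for it.
ORDER_PRICES = {"SO-0101": 1500.0, "SO-0102": 2400.0, "SO-0104": 900.0}
INVOICE_PRICES = {"SO-0101": 1500.0, "SO-0102": 2100.0, "SO-0104": 900.0}


def sequence_exceptions(numbers, pattern=r"^SO-(\d{4})$"):
    """Report gaps, duplicates and malformed entries in a sequentially numbered series.
    The pattern is an assumed numbering format with the numeric part in group 1."""
    rx = re.compile(pattern)
    parsed, malformed = [], []
    for n in numbers:
        m = rx.match(n)
        if m:
            parsed.append(int(m.group(1)))
        else:
            malformed.append(n)          # cannot be placed in the sequence at all
    counts = Counter(parsed)
    duplicates = sorted(v for v, c in counts.items() if c > 1)
    present = set(parsed)
    # A gap is any number between the lowest and highest seen that never appears.
    gaps = [v for v in range(min(present), max(present) + 1) if v not in present] if present else []
    return {"gaps": gaps, "duplicates": duplicates, "malformed": malformed}


def price_variances(order_prices, invoice_prices, tolerance=0.0):
    """Orders whose invoiced price differs from the approved order price by more
    than the tolerance (a fraction of the order price; zero means any change)."""
    out = {}
    for so, ordered in order_prices.items():
        invoiced = invoice_prices.get(so)
        if invoiced is not None and abs(invoiced - ordered) > tolerance * ordered:
            out[so] = {"ordered": ordered, "invoiced": invoiced}
    return out
```

Gaps point to orders that were deleted or never recorded, duplicates to orders entered twice, and malformed numbers to manual keying that bypassed system numbering; each finding would be followed up against the audit trail the section says may be missing.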

5.3.5 Accounts receivable

• AR balances may not be reconciled with the GL. This may lead to inaccurate financial reporting.

• AR transactions may be entered in an inappropriate period, which may impact financial reporting.

• Duplicate customers may go undetected if application controls are not in place or the potential duplicate customer report is not reviewed periodically.

• Incorrect accounting rules could result in inaccurate revenue recognition.

• Customer receipts may not be appropriately entered and applied, affecting the AR balances.

• Conversion of foreign currency transactions may not be done accurately, leading to inaccurate financial reporting.

• Mandatory fields may not be defined for creation of customer receipts, like receipt number, customer name, currency code, transaction number, receipt amount etc. This may lead to inappropriate receipts affecting AR balances.

• Customer invoices may not be generated accurately and timely, leading to incorrect revenue recognition and AR balances.

• Credit notes may not be applied to the appropriate customer invoice, leading to inaccurate aging of customer balances.

• Access to invoice adjustments / write-offs may not be restricted to authorized users. With this, there is risk of unauthorized adjustments / write-offs of customer balances, leading to inappropriate financial reporting.

• Sales invoices may be approved by unauthorized personnel, leading to inappropriate AR balances and revenue recognition.

• Approval limits for customer invoices, write-offs / adjustments may not be appropriately mapped in the system. This may lead to unauthorized approval of invoices, adjustments or write-offs.

• There may be absence of segregation of duties as the user may:

  o Create / modify the customer master and process invoices

  o Process sales invoices and collections

  With this, there is risk of unauthorized changes to the customer credit limit, inappropriate revenue recognition and the possibility of bad debts.

• Exception reports for invoicing over a specified amount or discounts over a specified percentage may not be reviewed. This may lead to inappropriate revenue recognition and financial reporting.

5.3.6 Fixed assets

• Capital expenditure forms may not be sequentially numbered and accounted for. This may lead to capital expenditure being missed from the accounts or accounted for twice.

• Capital expenditure requests may not be approved as per the delegation of authority matrix, as the same is not appropriately mapped in the system. This may lead to unauthorized approval of capital expenditure.

• Access to the fixed assets master may not be restricted. With this, there is risk of unauthorized changes to the asset master like cost of asset, date put to use, location etc. This may result in inappropriate depreciation calculation, affecting asset balances and financial reporting.

• There may be absence of segregation of duties as a single user may:

  o Maintain the asset master and process depreciation

  o Maintain the asset master and process disposals

  o Maintain fixed assets and also be responsible for their custody

  With this, there is risk of unauthorized changes to the asset master and depreciation, leading to inappropriate financial reporting.

• Periodic physical count of fixed assets may not be compared with the fixed assets register (FAR), leading to differences between the two, i.e. an asset may exist in the FAR but not in reality, or vice versa. This may impact financial reporting.

• Balance as per the Fixed Assets Register and the General Ledger may not be reconciled, leading to unreconciled differences between the two.

• Multiple failed attempts to log in to the application may not be logged. With this, unauthorized users may be able to log in and this may not be detected in the absence of a log.

5.3.7 Expense Management System

• Eligibility of expenses as per designation may not be appropriately captured in the application. With this, the application may allow excess claims by employees.

• In case the automated approval workflow of the application is used, there is risk of inappropriate approval as the approval matrix may not be properly mapped in the application. For example, the application may allow submitting the expense statement for approval to a subordinate employee.

• Audit log may not be enabled or the log report may not be reviewed by an independent person. Due to this, any unauthorized changes to the expenses may go undetected.

• Billable expenses may not be charged to the clients.

5.4 HR and Payroll Systems

5.4.1 HR Management System

This application maintains the basic details of employees, i.e. the employee master. Further, it covers HR related areas like recruitment, training, exit management etc. This application provides some input to the payroll. Otherwise, it is more of an operational application / module. The key risks are:

• The application may allow duplicate employee ids in the absence of a system check on the basis of Permanent Account Number, phone number, PIN code etc.

• Access may not be provided on a need to know and need to do basis. With this, there is risk of unauthorized changes to:

  o Key financial details of employees like bank account number

  o Permanent account number

  o Salary details like Basic, HRA, allowances etc.

  o Last working date in case the employee has left the company

• In case the automated approval workflow of the application is being used, there is risk that the approval matrix may not be properly mapped in the application. With this, there is risk of unauthorized approval of the offers made to potential employees, their background check or reference check etc.

• Reference checks and background checks of employees may not be performed if not required as per the configuration settings in the application. With this, there is risk of inappropriate persons being recruited.

• Exit interviews may not be conducted for employees leaving the organization. With this, the concerns of employees may not be known or documented.

• Audit log may not be enabled, or enabled but the log not reviewed. With this, any unauthorized changes to the employee master may not be detected.

5.4.2 Timesheet

• Minimum hours eligible for counting presence for the day may not be identified in the application. With this, there is risk of excess salary being paid. For example, the organization may have a rule that if an employee has not worked for at least 160 hours in a month, his salary should not be processed. However, the system may pass on the details to payroll for calculation of salary in case the same has not been configured in the application.

• Access may not be provided on a need to know and need to do basis. With this, there is risk of unauthorized changes to timesheets, which may lead to excess payment of salary or salary payment for time not worked by the employee.

• There may be lack of segregation of duties as the same person may create and approve his own timesheet. This may lead to fraudulent payment of salary.

• The application may allow submission of a timesheet for approval to a junior employee as the approval matrix may not be appropriately mapped in the application.

• Audit log may not be enabled, or enabled but the log not reviewed. With this, any unauthorized changes to timesheets may not be detected.

• Reconciliation may not be performed between the timesheet system and the leave management system to identify cases where leave has been approved and availed but the timesheet has been submitted as present on the project. This may lead to excess payment of salary.

5.4.3 Performance Management System

• Performance appraisal may not be set as mandatory in the application. With this, the system will not enforce a compulsory performance appraisal for each employee.

• Reminders may not be set in the application in case of delays. With this, employees and their managers may not be reminded by the application about their performance appraisal.

• Access may not be provided on a need to know and need to do basis. With this, there is risk of unauthorized changes to the performance appraisal of an employee. This may lead to excess payment of bonus and increment to the employee.

• There may be absence of segregation of duties as a single user may maintain the employee master and performance appraisals.

• Audit log may not be enabled, or enabled but the log not reviewed. With this, any unauthorized changes to employee performance may go undetected. Due to this, extra bonus or increment may be paid to employees, as these are linked with performance.

5.4.4 Payroll and Benefits Administration

• Headcount reconciliation may not be performed between employees as per the HR master, employees as per the timesheet and employees for whom salary is processed. This may lead to processing salary for employees who have left the organization.

• Different components of salary like basic salary, HRA, allowances and deductions may not be computed accurately, leading to excess payment of salary.

• Deductions like income tax rates, PF rates etc. may not be appropriately captured in the application, which may lead to deduction at lower rates, leading to penalties on the organization on account of statutory compliances.

• Installments of loans may not be recovered from employees.

• Amounts recoverable from employees may not be adjusted at the time of full and final settlement (in case of exiting employees). This may result in loss to the company.

• The budgeted salary and actual salary may not be compared, which may otherwise throw up some apparent gaps in the calculation of salary.

• The application may not have control over duplicate processing of salary for the same employee in the same month. This may lead to financial loss to the company.

• The application may not identify the eligibility of employees for overtime. With this, overtime may be processed for non-eligible employees, leading to excess payment of salary.

• Access may not be provided on a need to know and need to do basis. With this, there is risk of unauthorized changes to basic salary, HRA and allowances of employees. This may lead to payment of excess salary.

• There may be absence of segregation of duties as a single user may:

  o Maintain the employee master and process salary

  o Maintain the employee master and process timesheets

  o Maintain the employee master and perform performance appraisals

  With the above, there is a risk that the employee may change his salary figures. Due to this, excess salary may be processed for him or for any other employee whose data he changes. Further, such user may change the bank account details of other employees. With this, salary may be transferred to an inappropriate bank account, leading to fraud.

• Audit log may not be enabled, or enabled but the log not reviewed. With this, any unauthorized changes to the employee master and payroll details, as stated above, may go undetected.

• There is risk of unauthorized approval of salary in case the automated workflow of the application is used for approval of salary, as the authorization matrix may not be mapped properly.

• There is risk of excess payment as the application may not be able to identify cases where the same employee is claiming conveyance allowance and expenses on his own car.
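The headcount reconciliation that opens this section, the 160-hour minimum from the Timesheet section (5.4.2) and the duplicate salary processing risk above can be tested together by comparing three extracts for one payroll month: the HR master with last working dates, the timesheet hours and the payroll run. The following Python example is added here for illustration and is not part of the ICAI material; the employee records, hours, payroll lines, the payroll month and the 160-hour threshold are constructed assumptions.

```python
from collections import Counter
from datetime import date

MIN_HOURS_PER_MONTH = 160          # assumed configured value from the timesheet rule
PAYROLL_MONTH_START = date(2024, 3, 1)   # constructed payroll month

# Constructed HR master extract: employee id -> name and last working date (None = active).
HR_MASTER = {
    "E001": {"name": "Asha", "last_working_date": None},
    "E002": {"name": "Ravi", "last_working_date": date(2024, 2, 15)},   # left before the month
    "E003": {"name": "Meena", "last_working_date": None},
    "E004": {"name": "Tom", "last_working_date": None},
    "E005": {"name": "Priya", "last_working_date": None},
}

# Constructed timesheet extract: approved hours for the month.
TIMESHEET_HOURS = {"E001": 168, "E003": 120, "E004": 176, "E005": 160}

# Constructed payroll run: (employee id, net pay). E004 appears twice, E999 is unknown.
PAYROLL_RUN = [
    ("E001", 52000.0), ("E002", 48000.0), ("E003", 45000.0),
    ("E004", 60000.0), ("E004", 60000.0), ("E999", 30000.0),
]


def reconcile_headcount(hr_master, timesheet_hours, payroll_run,
                        month_start, min_hours=MIN_HOURS_PER_MONTH):
    """Three-way headcount reconciliation; returns a dict of finding -> sorted employee ids."""
    paid_counts = Counter(emp for emp, _ in payroll_run)
    findings = {
        "not_in_hr_master": [],   # paid but no employee record
        "paid_after_exit": [],    # last working date before the payroll month
        "no_timesheet": [],       # paid without any timesheet for the month
        "below_min_hours": [],    # paid although hours are under the threshold
        "duplicate_payroll": [],  # salary processed more than once in the month
        "active_not_paid": [],    # on the HR master and active, but missing from payroll
    }
    for emp in sorted(paid_counts):
        rec = hr_master.get(emp)
        if rec is None:
            findings["not_in_hr_master"].append(emp)
            continue
        lwd = rec["last_working_date"]
        if lwd is not None and lwd < month_start:
            findings["paid_after_exit"].append(emp)
        hours = timesheet_hours.get(emp)
        if hours is None:
            findings["no_timesheet"].append(emp)
        elif hours < min_hours:
            findings["below_min_hours"].append(emp)
        if paid_counts[emp] > 1:
            findings["duplicate_payroll"].append(emp)
    for emp, rec in sorted(hr_master.items()):
        lwd = rec["last_working_date"]
        if emp not in paid_counts and (lwd is None or lwd >= month_start):
            findings["active_not_paid"].append(emp)
    return findings


def exposure(findings, payroll_run):
    """Total net pay on payroll lines for employees flagged as paid in error
    (unknown, exited or duplicated); a measure of the potential overpayment."""
    flagged = set(findings["not_in_hr_master"]) | set(findings["paid_after_exit"])
    total = sum(amount for emp, amount in payroll_run if emp in flagged)
    # For duplicates, only the extra lines beyond the first are an overpayment.
    for emp in findings["duplicate_payroll"]:
        lines = [amount for e, amount in payroll_run if e == emp]
        total += sum(lines[1:])
    return total
```

The result is an exception list per control rather than a single pass/fail, which is how the reconciliation would be documented in a working paper: each id under each finding is followed up with HR or payroll before the run is released.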

5.4.5 Leave Management System

• The application may allow carry forward of leave against company policy if the same has not been properly updated in the application. For example, as per company policy, leave in excess of 30 days should be forfeited, but the application may allow carry forward in excess of 30 days.

• Accrual of leave at periodic intervals may not be accurate. This may lead to excess leave being credited to employees.

• Alerts may not go to employees who have not availed compulsory leave.

• Compulsory leave may not get deducted at the year-end if not availed.

• Paternity leave may be applied for multiple times a year.

• Female employees may avail paternity leave or male employees may avail maternity leave.

• Duplicate payment of leave encashment may not be prevented by the application.

• The application may allow excess leave encashment, and this may not be detected.

• Excess leave taken by an employee may not be adjusted at the time of full and final settlement.

• The system may not calculate leave accurately for employees joining during the year.

• A limit may not be set in the application for the number of times an employee can avail maternity / paternity leave.

• Leave encashment may not be approved by an authorized person.

• Leave accumulation in excess of company policy may be allowed in the absence of correct configuration.

• Auto approval of leave if the same is not approved by the respective manager. This defeats the purpose of approval of leave.

• Back dated approval or cancellation of leave may be allowed.

• Audit log may not be enabled, or enabled but the log not reviewed. With this, any unauthorized changes to leave and related excess payments may go undetected.

5.4.6 Self Service

• The approval matrix may not be appropriately mapped in the application. Due to this, an employee may submit his request, for example for leave, expenses etc., to his subordinate. This may lead to unauthorized approval of the request for leave, expenses etc.
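The approval matrix risk stated here, and in the Expense Management (5.3.7), HR (5.4.1) and Timesheet (5.4.2) sections, comes down to two checks a workflow should make before it accepts an approver: the approver must be above the submitter in the reporting line (so neither the submitter nor a subordinate or peer can approve), and the approver's authority limit must cover the amount. The following Python example is added here for illustration and is not part of the ICAI material; the reporting hierarchy, the approval limits and the request amounts are constructed assumptions.

```python
# Constructed reporting hierarchy: employee -> manager (None at the top).
REPORTS_TO = {
    "ceo": None,
    "partner1": "ceo",
    "mgr1": "partner1",
    "senior1": "mgr1",
    "staff1": "senior1",
    "staff2": "senior1",
}

# Constructed approval limits per employee (amount a person may approve).
APPROVAL_LIMITS = {
    "ceo": float("inf"),
    "partner1": 200000,
    "mgr1": 50000,
    "senior1": 10000,
    "staff1": 0,
    "staff2": 0,
}


def management_chain(employee, reports_to=REPORTS_TO):
    """Managers above the employee, nearest first. Guards against cycles in bad data."""
    chain, seen = [], set()
    current = reports_to.get(employee)
    while current is not None and current not in seen:
        chain.append(current)
        seen.add(current)
        current = reports_to.get(current)
    return chain


def validate_approver(submitter, approver, amount, reports_to=REPORTS_TO, limits=APPROVAL_LIMITS):
    """Check a chosen approver against the matrix. Returns 'ok' or a rejection reason."""
    if approver == submitter:
        return "rejected: self-approval"
    # Subordinates, peers and people in other lines are all outside the chain.
    if approver not in management_chain(submitter, reports_to):
        return "rejected: approver not in submitter's reporting line"
    if amount > limits.get(approver, 0):
        return "rejected: amount exceeds approver's limit"
    return "ok"


def route_for_approval(submitter, amount, reports_to=REPORTS_TO, limits=APPROVAL_LIMITS):
    """Pick the nearest manager whose limit covers the amount, instead of letting
    the submitter choose. Returns None if nobody in the chain can approve it."""
    for manager in management_chain(submitter, reports_to):
        if amount <= limits.get(manager, 0):
            return manager
    return None
```

Routing the request automatically, as `route_for_approval` does, removes the choice of approver from the submitter altogether; `validate_approver` is the check to apply where the application still lets users pick an approver.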


5.5 Document Management System

• Access rights may not be provided on a need to know and need to do basis. With this, there is risk of unauthorized access which may compromise the confidentiality of client information.

• Manager rights may not be properly mapped. Due to this, the work of a subordinate may be approved by another subordinate.

• The application may not have a check to see if there are any sections which have not been approved by the manager / Partner. With this, there is risk of some critical issue not being considered for issuing the opinion.

• Audit log may not be enabled, or enabled but the log not reviewed. With this, any unauthorized changes to the critical issues section may go undetected.

• The application may allow carrying out back dated changes. As a result, changes may be made in the application after issue of the opinion in case of an audit engagement, or after archival of the file.

5.6 Knowledge Management System

• Access rights may not be provided on a need to know and need to do basis. With this, there is risk of unauthorized access which may compromise the confidentiality of the methodology of the firm.

• The application may allow changes to the examination results stored in the application.

• Audit log may not be enabled or the log report may not be reviewed. With this, there is risk that unauthorized changes may go undetected.

5.7 Hardware equipments 5.7.1 Laptops The key risks pertain to physical and logical access. The risks are as follows: 

Laptops being small in size, are susceptible to theft. With this, there is risk of loss of laptop, more importantly the risk of confidential information going in the wrong hands.



Hard disk of the laptop may not be encrypted. With this, the data / information on the hard disk may be retrieved by person stealing the laptop.



The logical access control mechanism may be weak. i.e. user id and password may not be strong. With this, there is risk of unauthorized access even though laptop may be present in the office premises.

5.7.2 Printer
There is a risk to confidentiality and a risk of unavailability of the printer. The key risks are as follows:
 The printer may be located at such a place that outsiders have access to it. With this, a confidential document printed through the printer may go into the hands of outsiders, and the confidentiality of information may not be maintained.
 Nowadays, sophisticated printers allow configuring access rights, so that one user is not able to take a print of another user's document. However, such a feature may not be enabled. Due to this, anyone can print the documents in the queue.
 Physical access controls over the location of the printer may not be strong. There may be a risk of theft of the printer.

ADVANCE INFORMATION TECHNOLOGY TRAINING

277

OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE

5.7.3 Mobile handsets including BlackBerry
Mobile phones are a basic necessity for any individual. Mobile phones are used for making and receiving calls, sending short messages, to-do notes, storing contact lists, calculators, alarms etc. In addition, smart phones or the BlackBerry also offer features such as email and internet browsing. Considering these, the key risks applicable to mobile handsets including the BlackBerry are:
 Risk of theft of the mobile handset, as such handsets are small in size and can be easily stolen.
 If a password is not used, the person stealing the handset will have full access to the SMS, contact details, emails etc. Hence, the confidentiality of client data may be compromised.
 Risk of data stored on the mobile handset being affected by a virus.
 Since the internet browsing facility is available on the BlackBerry, there is a risk of downloading unauthorized software which may be against the policy of the firm.

5.7.4 Tablets
A tablet computer is larger than a mobile handset and smaller and lighter than a laptop. Data on the tablet is entered through the touch screen rather than a physical keyboard as in the case of a laptop. The key risks associated with the tablet are as follows:
 Risk of theft of the tablet computer, as this device is small in size and can be easily stolen.
 If the data on the tablet computer is not encrypted, the confidentiality of the information stored on the tablet may be compromised.
 If the anti-virus is not updated, there is a risk of the tablet computer being affected by a virus.
 Since the internet browsing facility is available on the tablet computer, there is a risk of downloading unauthorized software which may be against the policy of the firm.

5.7.5 PBX, application server, email server
A PBX is equipment used to connect the telephones in an office. The risk is that an intruder may hear the conversation between the users. Further, phones now offer features such as voice mail, call forwarding, auto answering etc. Hence, the intruder may also get access to confidential voice messages. The risks to the physical hardware are primarily physical access, logical access and availability, as discussed above for the printer and laptop. Other risks to the software and communication devices have been explained in the sections above.

6.0 Best practices

6.1 Network and communication
 Security Policy – a comprehensive security policy should be developed and users should be made aware of the key policies like password, backup etc.
 Password controls
o Use complex passwords.
o Passwords should not be easy to guess.


INFORMATION SECURITY IN CA’s OFFICE 

o Passwords should be changed periodically.
o Passwords should not be shared.
o Change default passwords for the privileged IDs supplied with the network or server.
 Redundancy – allow a function to be performed on more than one node. More than one server should be used instead of one single server.
 Link encryption – encryption should occur at the Data Link Layer of the OSI model and decryption should occur at the Data Link Layer of the receiving host.
 End-to-End Encryption – it can be applied by a hardware device between the user and host or by software running on the host computer. In both cases, encryption is performed at the higher layers, usually the application or presentation layer.
 Encrypt all traffic over the network.
 Monitor network performance.
 Use the latest updated anti-virus software.
 Implement a strong Intrusion Detection System (IDS) and firewalls, and review the logs regularly.
 Allow access only to the addresses filtered by firewalls.
 Limit use of the administrator user id.
 Use of social networking sites should be avoided or minimized.
 Web based applications should be set to force the use of SSL.

6.2 Application software

(a) General Ledger
 Configurations should be enabled so that:
o Only balanced journal entries are posted
o Suspense account should be reviewed periodically and transactions in the account should be cleared at the earliest.
 Inter-company balances should be eliminated during consolidation.
 Approval workflow matrix of the application should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.

(b) Purchases
 Automatic numbering of the purchasing documents should be used.
 Mandatory fields for the Purchase Order, Goods Receipt Note (GRN) / Service Receipt Note (SRN) should be identified and mapped in the application.
 Long pending POs should be reviewed periodically.
 Approval workflow matrix of the application should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Quantity tolerance limits should be defined for receipt of goods or services.
 Receipt of goods or services should not be allowed without a purchase order, except in the case of certain items like transport, electricity, rent etc.

(c) Accounts Payable
 Vendor invoice number should be mandatory to book any purchase invoice.
 Appropriate mechanisms should be in place to identify potential duplicate vendor invoice numbers.
 2/3/4 way match (as per management need) should be enabled in the application.
 System should be configured to not accept unbalanced transactions.
 Reconciliation should be performed between the balance as per GL and AP, and the open items should be resolved at the earliest.
 Approval workflow matrix of the application should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Invoice tolerance limits should be defined and enabled.
 Audit log should be enabled on the key fields and the log report should be reviewed by an independent person on a periodic basis.
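As an added example that is not part of the ICAI material, the Purchases and Accounts Payable controls above (mandatory vendor invoice number, detection of duplicate invoice numbers, quantity and invoice tolerance limits, and the 3 way match of purchase order, GRN and invoice) expressed in Python. The document numbers, amounts and the 2% / 1% tolerance limits are constructed for illustration.

```python
import re
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PurchaseOrder:
    po_no: str
    vendor: str
    qty: Decimal
    unit_price: Decimal


@dataclass(frozen=True)
class GoodsReceipt:
    grn_no: str
    po_no: str
    qty: Decimal


@dataclass(frozen=True)
class VendorInvoice:
    vendor: str
    invoice_no: str   # mandatory: booking without it is rejected below
    po_no: str
    qty: Decimal
    amount: Decimal


def normalise_invoice_no(invoice_no: str) -> str:
    """Canonical form for duplicate detection: case, spaces, punctuation and
    leading zeros in numeric runs are ignored, so 'INV-0042' and 'inv 42' collide."""
    compact = "".join(ch for ch in invoice_no.upper() if ch.isalnum())
    return re.sub(r"(?<!\d)0+(?=\d)", "", compact)


def three_way_match(po, grn, inv, qty_tol_pct=Decimal("2"), inv_tol_pct=Decimal("1")):
    """Compare PO, GRN and invoice. Returns a list of exceptions; an empty
    list means the invoice passes the match and the tolerance limits."""
    issues = []
    if not inv.invoice_no.strip():
        issues.append("vendor invoice number missing")
    if inv.vendor != po.vendor:
        issues.append("invoice vendor differs from PO vendor")
    if grn.po_no != po.po_no or inv.po_no != po.po_no:
        issues.append("GRN or invoice does not reference the PO")
    # Quantity tolerance limit on receipt (Purchases checklist).
    if abs(grn.qty - po.qty) > po.qty * qty_tol_pct / 100:
        issues.append(f"received qty {grn.qty} outside {qty_tol_pct}% of ordered {po.qty}")
    # Cannot invoice more than was received.
    if inv.qty > grn.qty:
        issues.append(f"invoiced qty {inv.qty} exceeds received qty {grn.qty}")
    # Invoice tolerance limit against the PO price (Accounts Payable checklist).
    expected = inv.qty * po.unit_price
    if abs(inv.amount - expected) > expected * inv_tol_pct / 100:
        issues.append(f"invoice amount {inv.amount} outside {inv_tol_pct}% of expected {expected}")
    return issues


class PayableLedger:
    """Minimal AP ledger that refuses unmatched or duplicate invoices."""

    def __init__(self):
        self._booked = {}  # (vendor, canonical invoice no) -> invoice no as booked

    def post(self, po, grn, inv):
        issues = three_way_match(po, grn, inv)
        key = (inv.vendor, normalise_invoice_no(inv.invoice_no))
        if key in self._booked:
            issues.append(f"potential duplicate of invoice {self._booked[key]}")
        if not issues:
            self._booked[key] = inv.invoice_no
        return issues


# Constructed sample data (hypothetical vendor, PO and invoice numbers).
SAMPLE_PO = PurchaseOrder("PO-1001", "V001", Decimal("100"), Decimal("50.00"))
SAMPLE_GRN = GoodsReceipt("GRN-77", "PO-1001", Decimal("99"))   # 1% short delivery, within tolerance
SAMPLE_INVOICE = VendorInvoice("V001", "INV-0042", "PO-1001", Decimal("99"), Decimal("4950.00"))
DUPLICATE_INVOICE = VendorInvoice("V001", "inv 42", "PO-1001", Decimal("99"), Decimal("4950.00"))
OVER_INVOICE = VendorInvoice("V001", "INV-0043", "PO-1001", Decimal("100"), Decimal("5000.00"))


def run_demo():
    """Post the three sample invoices in order and return the exceptions raised for each."""
    ledger = PayableLedger()
    return [ledger.post(SAMPLE_PO, SAMPLE_GRN, inv)
            for inv in (SAMPLE_INVOICE, DUPLICATE_INVOICE, OVER_INVOICE)]


if __name__ == "__main__":
    for label, result in zip(("first", "duplicate", "over-invoiced"), run_demo()):
        print(label, "->", result or "posted")
```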

(d) Sales
 Automatic numbering of the sales documents should be used.
 Mandatory fields for the Sales Order, sales invoice etc. should be identified and mapped in the application.
 Long pending sales orders should be reviewed periodically.
 Approval workflow matrix of the application should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Credit limits assigned to customers should be reviewed periodically.
 Invoices with discounts / rebates exceeding a particular threshold should be approved by an additional person.
 Sales invoices should be auto generated from the system without any manual intervention.

(e) Accounts Receivable
 System should be configured to not accept unbalanced transactions.
 Reconciliation should be performed between the balance as per GL and AR, and the open items should be resolved at the earliest.
 Approval workflow matrix of the application should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled on the key fields and the log report should be reviewed by an independent person on a periodic basis.
 Credit notes / write-offs exceeding a particular threshold should be approved by a senior person.
 Debtors aging report should be reviewed periodically and old balances should be analyzed.

(f) Fixed Assets
 Automatic numbering of the capital requisition form and asset documents should be used.
 Mandatory fields for fixed asset addition, deletion etc. should be identified and mapped in the application.
 Reconciliation should be performed between the FAR and the physical verification report of fixed assets. Differences should be analyzed and adjusted in the books of account.
 Reconciliation between balances as per GL and FA should be performed periodically and reconciling items should be cleared as soon as possible.
 Approval workflow matrix of the application should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.

(g) Expense Management
 Approval workflow matrix of the application should be reviewed periodically.
 Expense eligibility limits for various grades should be reviewed periodically.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.

(h) HR Management system
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.
 Application should be configured to prevent duplication of employee records.
 Approval workflow matrix of the application should be reviewed periodically.

(i) Timesheet
 Head count reconciliation should be performed on a monthly basis.
 Application should be configured to not accept a timesheet if the time on a daily / monthly basis is below a particular threshold, as per management need.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.
 Application should be configured to prevent duplication of employee records.
 Approval workflow matrix of the application should be reviewed periodically.
 Reconciliation should be performed between attendance as per the timesheet system, the employee master and the leave management system, and the differences should be resolved at the earliest.

(j) Performance Management System
 Reminder alerts should be enabled for missing / delayed performance appraisals.
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.
 Application should be configured to prevent duplication of employee records.
 Approval workflow matrix of the application should be reviewed periodically.

(k) Payroll and Benefits Administration
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.
 Application should be configured to prevent duplication of employee records.
 Approval workflow matrix of the application should be reviewed periodically.
 Reconciliation should be performed between attendance as per the timesheet system, the employee master and the leave management system, and the differences should be resolved at the earliest.
 Head count reconciliation should be performed on a monthly basis.
 Components of salary like basic pay, HRA etc. should be reviewed periodically to ensure completeness and accuracy.
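The head count and attendance reconciliations required by the Timesheet checklist under (i) and the Payroll checklist under (k), together with the timesheet threshold check, as an added Python example that is not part of the ICAI material. The four data sets (employee master, timesheet, leave management and payroll run), the employee ids and the 21 day / 8 hour month are all constructed for illustration.

```python
# Assumed calendar for the constructed month.
WORKING_DAYS = 21
HOURS_PER_DAY = 8

# Employee master: employee id -> status (constructed).
EMPLOYEE_MASTER = {"E001": "active", "E002": "active", "E003": "left"}
# Timesheet system: employee id -> hours booked in the month (constructed).
TIMESHEET_HOURS = {"E001": 168, "E002": 120, "E003": 40, "E004": 160}
# Leave management system: employee id -> approved leave days (constructed).
APPROVED_LEAVE_DAYS = {"E002": 6}
# Payroll run: employee ids for which salary was computed (constructed).
PAYROLL_RUN = {"E001", "E002", "E003", "E004"}


def active_employees(master):
    return {emp for emp, status in master.items() if status == "active"}


def headcount_reconciliation(master, payroll_run):
    """Monthly head count reconciliation: who was paid versus who is active."""
    active = active_employees(master)
    return {
        "active_in_master": len(active),
        "paid_in_payroll": len(payroll_run),
        "paid_but_not_active": sorted(payroll_run - active),   # ghost or left employees
        "active_but_not_paid": sorted(active - payroll_run),   # missed salary
    }


def expected_hours(emp, leave_days):
    return (WORKING_DAYS - leave_days.get(emp, 0)) * HOURS_PER_DAY


def attendance_reconciliation(master, timesheet, leave_days, tolerance_hours=4):
    """Reconcile attendance per the timesheet with the employee master and
    the leave system. Returns (employee, finding) pairs for review."""
    findings = []
    for emp in sorted(set(master) | set(timesheet)):
        booked = timesheet.get(emp)
        status = master.get(emp, "not in master")
        if status != "active":
            if booked is not None:
                findings.append((emp, f"timesheet booked {booked}h but employee is {status}"))
            continue
        if booked is None:
            findings.append((emp, "active employee with no timesheet"))
            continue
        expected = expected_hours(emp, leave_days)
        if abs(booked - expected) > tolerance_hours:
            findings.append((emp, f"booked {booked}h, expected {expected}h after approved leave"))
    return findings


def timesheet_acceptable(booked_hours, leave_days_taken=0, min_pct=90):
    """Entry control from the Timesheet checklist: reject a monthly timesheet
    whose booked time is below a management-set percentage of expected time."""
    expected = (WORKING_DAYS - leave_days_taken) * HOURS_PER_DAY
    return booked_hours * 100 >= expected * min_pct


if __name__ == "__main__":
    print(headcount_reconciliation(EMPLOYEE_MASTER, PAYROLL_RUN))
    for emp, finding in attendance_reconciliation(EMPLOYEE_MASTER, TIMESHEET_HOURS, APPROVED_LEAVE_DAYS):
        print(emp, finding)
```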

(l) Leave Management System
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.
 Application should be configured to prevent duplication of employee records.
 Approval workflow matrix of the application should be reviewed periodically.
 Alerts / notifications should be enabled for approval of leave submitted by employees.
 System checks over maternity leave, paternity leave, leave accrual etc. should be verified periodically.

(m) Self Service
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Approval workflow matrix of the application should be reviewed periodically.
 Alerts / notifications should be enabled for approval of requests submitted by employees.

(n) Document Management System
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Appropriate segregation of duties should be ensured.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.
 Changes to the file after archival should not be allowed.
 Approval workflow matrix of the application should be reviewed periodically.
 Back dated changes should not be allowed.
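The independent review of the document management system audit log described under (n), and the risks listed in 5.5 (back dated changes, changes after issue of the opinion or after archival, unreviewed logs), as an added Python example that is not part of the ICAI material. The log export format, the archive register, the engagement file number and every log entry are constructed; the self-approval check is an assumed segregation of duties test on the same log.

```python
import csv
import io
from datetime import date, datetime

# Archive register: engagement file -> date the file was archived (constructed).
ARCHIVE_REGISTER = {"AUD-2008-017": date(2008, 10, 15)}
# Date on which the audit opinion was issued for each file (constructed).
OPINION_DATES = {"AUD-2008-017": date(2008, 9, 30)}

# Constructed audit log export. document_date is the date the user gave the
# change; timestamp is when the system actually recorded it.
AUDIT_LOG = """\
timestamp,user,file,section,action,document_date
2008-09-20T10:05:00,staff1,AUD-2008-017,critical_issues,edit,2008-09-20
2008-10-02T16:40:00,staff2,AUD-2008-017,critical_issues,edit,2008-09-25
2008-11-03T09:12:00,admin,AUD-2008-017,workpaper_3,edit,2008-11-03
2008-11-03T09:15:00,admin,AUD-2008-017,workpaper_3,approve,2008-11-03
"""


def parse_audit_log(text):
    """Parse the CSV export into dicts with real datetime / date values."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        row["document_date"] = date.fromisoformat(row["document_date"])
        rows.append(row)
    return rows


def review_audit_log(rows, archive_register, opinion_dates):
    """Return (timestamp, user, finding) triples for the independent reviewer."""
    findings = []
    editors = {}  # (file, section) -> users who edited it, for the self-approval check
    for r in rows:
        when, user, f, section = r["timestamp"], r["user"], r["file"], r["section"]
        day = when.date()
        codes = []
        # Back dated change: the date given by the user precedes the system date.
        if r["document_date"] < day:
            codes.append("back_dated")
        # Critical issues touched after the opinion was issued.
        if section == "critical_issues" and f in opinion_dates and day > opinion_dates[f]:
            codes.append("after_opinion")
        # Any change after the file was archived.
        if f in archive_register and day > archive_register[f]:
            codes.append("after_archival")
        # Same person editing and then approving the same section.
        if r["action"] == "edit":
            editors.setdefault((f, section), set()).add(user)
        elif r["action"] == "approve" and user in editors.get((f, section), set()):
            codes.append("self_approval")
        findings.extend((when.isoformat(), user, code) for code in codes)
    return findings


def review_sample():
    return review_audit_log(parse_audit_log(AUDIT_LOG), ARCHIVE_REGISTER, OPINION_DATES)


if __name__ == "__main__":
    for when, user, code in review_sample():
        print(when, user, code)
```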

(o) Knowledge Management System
 Access rights should be defined on a need to know and need to do basis. Further, access rights should be reviewed periodically.
 Audit log should be enabled and the log report should be reviewed by an independent person on a periodic basis.

(p) Hardware like Printers, Laptops, Tablet computers and Mobile handsets etc.
 Servers should be kept in a separate room under lock and key.
 There should be a log of persons accessing the server.
 Environmental controls should be considered, like the following:
o An air conditioner should be installed to control the temperature in the server room
o The server room should be dust free
o Fire extinguishers should be available in the server room.
 There should be a user ID and password for each user to print their own documents, i.e. one user should not be able to print another user's document.
 Wire locks should be attached to the table to protect against theft of laptops from the office premises.
 The hard disk of laptops should be encrypted.
 Backup should be taken periodically and restored at a particular frequency.
 User ID and password controls should be strong for accessing laptops and printers.
 Audit log should be enabled to capture unauthorized access attempts.
 Passwords should be changed periodically.
 Passwords used should not be easy to guess and should not be disclosed to others.
 The PBX box should be kept under lock and key when not in use.
 Password controls
o Use complex passwords.
o Passwords should not be easy to guess.
o Passwords should be changed periodically.
o Passwords should not be shared.
 Call logging option should be enabled and the call log report should be reviewed periodically.
 Mobile phones and tablet computers should not be left open on the table as they are susceptible to theft.
 Security patches should be updated.
 Any program or document downloaded from the internet should be scanned for viruses.

7.0 Multiple Choice Questions

1. The Ping of Death, connection flooding and traffic redirection are network vulnerabilities called _________ attacks that result in loss of network availability. (source: ISA Background material, Vol I – ICAI)
(a) Dumpster of Data
(b) Denial of signal
(c) Dumping of service
(d) Denial of service

2. The auditor checklist to check controls on network security requires special consideration of (source: ISA Background material, Vol I – ICAI)
(a) Management and change controls at network devices
(b) Event logging and monitoring of logical access paths
(c) Only a
(d) Both a and b

3. Data is ________ data and information is __________ data:
(a) Raw, processed
(b) Processed, raw
(c) Raw, raw
(d) Processed, processed

4. Main goals of information security are:
(a) Confidentiality
(b) Integrity
(c) Availability
(d) All of the above

5. ______________ is the weakness or flaw in the hardware or software which leaves the system open for exploitation:
(a) Attack
(b) Risk
(c) Vulnerability
(d) None of the above

6. Examples of man made threats are:
(a) War and bomb threats
(b) Earthquake, flood, volcano
(c) Only (a)
(d) Both (a) and (b)

7. In Client Server architecture, the client is __________ of service and the server is ____________ of service:
(a) Requester, provider
(b) Provider, requester
(c) Requester, requester
(d) Provider, provider

8. The attacker pretends to be an authorized user of a system, either to gain access or to get greater privileges than he is authorized for. This is an example of:
(a) Masquerading
(b) Spoofing
(c) Eavesdropping
(d) Wiretapping

9. Traffic analysis is an example of:
(a) Message integrity threats
(b) Message confidentiality threats
(c) Both (a) and (b)
(d) None of the above

10. _________ leads to loss of network availability:
(a) Eavesdropping
(b) Wiretapping
(c) Denial of service
(d) Spoofing

11. ______________ is a mechanism to prove that it is actually the sender who has sent the message (source: ISA Background material, Vol I – ICAI):
(a) Integrity
(b) Confidentiality
(c) Authentication
(d) Non-repudiation

12. __________ means that the information should not be modified or altered by unauthorized users:
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Non repudiation

13. 2/3 way matching control is applicable to the _________ application:
(a) Timesheet
(b) Accounts payable
(c) Accounts receivable
(d) General ledger

14. The best way to avoid duplicate vendors in the system is to use ______________ as the unique field:
(a) Permanent account number
(b) Address
(c) Phone number
(d) Pin code

15. __________ is the most appropriate control check to avoid payment of salary to more persons than are eligible / desired:
(a) Head count reconciliation
(b) Audit log
(c) Access control
(d) Segregation of duties

16. Enablement of audit log is the most critical financial control in the ________ application:
(a) Opportunities Management
(b) Performance management
(c) Self service
(d) HR and Payroll

17. Risk of unauthorized changes is not / least applicable in the case of:
(a) Printer
(b) General ledger application
(c) Accounts Payable application
(d) Timesheet

18. A message authentication code is used to protect against (source: ISA Background material, Vol I – ICAI):
(a) Changes to the content of message
(b) Traffic analysis
(c) Release of message contents
(d) Password being transmitted

19. Congestion at the network due to buffer overflows and packet dropping leads to a message confidentiality threat named (source: ISA Background material, Vol I – ICAI):
(a) Missing traffic
(b) Communication delivery
(c) Mis delivery
(d) Late delivery

20. The logging of events like a user requesting access, incorrect login attempts and terminal id at the boundary of an application is done by using (source: ISA Background material, Vol I – ICAI):
(a) Transaction trails
(b) Access controls
(c) Audit trail
(d) Backup trail

Answers
1. d, 2. d, 3. a, 4. d, 5. c, 6. c, 7. a, 8. a, 9. d, 10. c, 11. d, 12. b, 13. b, 14. a, 15. a, 16. d, 17. a, 18. a, 19. c, 20. c

References
The following books / articles may be referred to for further reading:
1. Volume I and II of Information Systems Audit issued by the Institute of Chartered Accountants of India
2. Information Systems Audit by Ron Weber.

CHAPTER 3

APPLICATIONS USING MIS AND DSS

LEARNING OBJECTIVES
 To understand the applications arranged by ICAI which are useful in day to day life for CAs.
 To understand how to use the e-Secretary and K-Doc applications.

TASK STATEMENTS
 Use K-DOC software to create systematic records of documents, email, templates and knowledge base for easy reference and re-use.
 Use e-Secretary software, a Contact Management and Correspondence Automation & Tracking Solution.

KNOWLEDGE STATEMENTS
 K-DOC software helps management to retain soft copies of the working papers in a secured manner. Further, it also retains links to the hard copy working papers.
 eSecretary software helps CAs to maintain contacts and templates for various correspondence, print labels & envelopes and send individual mails to clients in bulk.

3.0 Introduction
In today’s business environment, it is difficult to render services without IT applications. At the same time, IT applications available in the market are costly as they involve a one time license cost and then a recurring yearly cost for maintenance. Considering this, the Committee for Capacity Building of CA Firms and Small & Medium Practitioners, a non-standing Committee of the Institute of Chartered Accountants of India formed under the regulatory provisions of the Chartered Accountants Act, 1949, has made certain arrangements with various vendors to provide certain applications at minimum cost. Some of the applications available for CAs are listed below. These applications are supported by external vendors and help CAs to meet their day to day requirements. Let us briefly understand these applications.

3.1.1 ICAI XBRL Software
It is a solution for converting the financial information of a company into XBRL format as per the MCA mandate. It improves the quality and accuracy of data obtained from various companies. Further, it reduces the potential errors from manual entry and transfers information automatically. In addition, this software helps increase the speed at which financial decisions can be made by analysts, investors, etc.

3.1.2 Billing and Accounting software
This is a complete package to manage the billing requirements of a CA firm on the cash system of accounting. The application provides the facility to generate bills, receipts, vouchers and client outstanding.

3.1.3 Payroll
It is payroll management software which helps to record attendance, process salary, arrears, gratuity, reimbursements etc. and includes the following:
 Recruitment management – stores and searches resumes and schedules interviews.
 Time and Attendance – it is integrated with time and attendance devices, leave allotment, encashment, leave application and approval system.
 Meets statutory requirements of various Acts like Provident Fund, ESI, TDS deductions etc.
 HR office and Communication management
 Employee information Portal – it provides the facility to view salary slips, apply for leave etc. through a self-login.

3.1.4 K-DOC application
 It is a solution for structured file management and knowledge management.
 K-Doc helps to create systematic records of the documents, emails etc. for easy reference and re-use.
 K-DOC integrates seamlessly with Microsoft Office and comes with plug-ins for Word, Excel and Outlook, and eliminates hindrances occurring due to scattered documents and loose files.
 K-DOC compels users to save documents in the secure K-DOC repository, thus assuring centralized management.

3.1.5 ICAI-ROC application
It is MCA-21 compliance software and has the following features:
 Generates forms as per MCA 21 requirements
 Picks up data directly from the MCA site
 Pre-drafted resolutions
 Maintains Minute Book
 Calculation of filing fees
 Preparation of Memorandum and Articles
 Consolidation / splitting of share certificates
 Share certificate printing
 Annual return preparation etc.
 Preparation of statutory registers

APPLICATION USING MIS AND DSS

3.1.6 ICAI-Tax Suite
It is compliance software which meets the compliance requirements of Income Tax, TDS, Audit Reports, Project Report / CMA, Form Manager, AIR (Annual Information Return), Service Tax and Document Management, and will help Practitioners & CA Firms.

3.1.7 eSecretary
It is correspondence automation & management software that is seamlessly integrated with Microsoft Office. It helps in managing secretarial and organizational tasks, thus increasing efficiency and enhancing productivity in the office environment. eSecretary provides the following core features:
 Contact Management – basic information management, profiling and categorization etc.
 Correspondence Management – organizing outgoing and incoming letters and other documents.
 Simplified Mail / Email Merge with Microsoft® Word, with tracking of past group communication for re-use.
 Greeting Management, including sending greeting letters or emails individually or in bulk but still personalized.
 Correspondence Automation, including letter and email generation etc.
 Email Management – easy archival of important emails for organizational record etc.
 Template Management, including formats, stationery and email templates etc.
 Address Labels / Envelopes Printing – standard sizes and a wide choice of customizing through Microsoft Word.

The above applications are available on the www.icai.org.in website and can be downloaded. Details of the vendors supporting these applications are also available on the site.

3.2 Detailed review of two sample applications
We will study the key features of the following two applications in detail:
3.2.1 eSecretary
3.2.2 K-Doc
Before this, it is advised to download and install the applications.

3.2.1 e-Secretary application
Following is the home page as shown in Fig 3.1.1.

Fig 3.1.1 Home page e-Secretary
Following are the 4 main options in the e-Secretary application:
 Contact Management – this option assists the user in creating new contacts.
 Correspondence – this option assists the user in creating new letters and templates. Provision is also made for editing and saving documents present outside eSecretary.
 Templates – this option assists the user in viewing and editing the existing templates, including many other utilities.
 Merge / Call out – this option assists the user in viewing the Mailing, E-mailing and Call-Out lists, including many other utilities.
Let us see these options in detail. To create a new contact, access the Contact screen from the New tab of the Welcome Screen, and to view all contacts, access Contact Management from the View tab of the Welcome Screen. On clicking ‘New Contact’ we get the following screen. Fill in the contact details as shown below in Fig 3.1.2:


Fig 3.1.2 Fill Contact Details
Fill in the contact details and save the record as shown in Fig 3.1.3.

Fig 3.1.3 Save Contact Details
Once we save the record, this contact is stored in the database. To view the contacts, click on the ‘view’ option from the top menu bar as shown in Fig 3.1.4.

Fig 3.1.4 View Contact Details Double click on any record and you get the following screen as shown in Fig 3.1.5

Fig 3.1.5 View any record

Click on ‘Document’ and you can store any document related to the contact, as shown in Fig 3.1.6.

Fig 3.1.6 Store any document related to contact
You can store the birth date, anniversary date etc. for greetings. For this, click on the ‘Greetings’ button and you get the following screen as shown in Fig 3.1.7.

Fig 3.1.7 Greeting Button

Templates
There are multiple ready templates which are provided along with the application, although new templates can be defined and stored. To view the existing templates, click on the option “Ready Templates” on the welcome screen. There are two types of templates:
 Hazel templates – these are the templates which are provided by the software vendor.
 CCBCAF templates – these templates are provided by the ICAI. These templates are widely used by its members in day to day life.

Fig 3.1.8 Templates
Click on CCBCAF templates and the following screen appears as shown in Fig 3.1.9.


Fig 3.1.9 List of Templates
These templates are in read only form. To use these templates, copy them as current templates and make the necessary modifications. For the purpose of testing, we have copied 2 templates, which appear as shown in Fig 3.1.10.


Fig 3.1.10 Template for Testing
Double click the template and use it as required.

Correspondence
For creating new correspondence, the application provides 3 options:
 Templates
 Blank document
 Outside document
Click on new correspondence and you get the following screen:


Fig 3.1.11 Correspondence
Double click one template and the next screen appears, which needs to be filled in by the user as shown in Fig 3.1.12.

Fig 3.1.12 Fill by User
Click on save and open. The document opens as shown in Fig 3.1.13.

Fig 3.1.13 Open document

Mail / email merge
This option is used for creating, printing and sending bulk individual mails. For this, select the ‘Merge / Call out’ option under the ‘New’ tab. You get the following screen as shown in Fig 3.1.14.


Fig 3.1.14 New Tab
For printing the label / envelope, select the label / envelope option in the top menu bar as shown in Fig 3.1.15.

Fig 3.1.15 Menu bar


3.2.2 K-DOC application
As stated above, this application is used for file and knowledge management. Following is the home page as shown in Fig 3.1.16:

Fig 3.1.16 K-DOC application Home page
There are 3 options:
 New – to create a new file or document
 View – to view an existing document
 Archive – to cut and paste the completed and old documents into a different (archived) folder.
The K-DOC application helps to create Word, Excel etc. documents. Click on “New word file”. The system provides the following screen to enter the details as shown in Fig 3.1.17.


Fig 3.1.17 Create Document

The above screen captures the complete details about the file: name, author, date of creation, status etc. The ‘Subject’ field is the file name. Since this application can be used in a multi-user environment, it provides functionality where the reviewer / supervisor can write notes for the subordinate. Such notes are captured in the Notes section. To get the same, click on the ‘Add Notes’ button at the bottom of the above screen as shown in Fig 3.1.18.


Fig 3.1.18 Add Notes

Copy Documents

For copying documents from an external disk into the application, click on the copy document option on the welcome page. The system asks you to select the file so that it can be copied into the application. See the screen shown in Fig 3.1.19.


Fig 3.1.19 Copy Documents

With the copy function, the file remains on the external disk and is also present in the application. However, if the user intends to retain the file only in the application, the user should select the option “Move Document” on the welcome page. With this, the document is moved from its base location into the application.

Templates

2 types of templates are provided by the application:
• Hazel templates – these are the templates provided by the software vendor.
• CCBCAF templates – these templates are provided by the ICAI and are widely used by its members in day to day work.

Click on ICAI templates and you get the screen shown in Fig 3.1.20.


Fig 3.1.20 CCBCAF templates

Double click any of the documents and it becomes available for editing in Word / Excel as appropriate. To view the documents, click on ‘view’ on the welcome page. The screen shown in Fig 3.1.21 appears.


Fig 3.1.21 Click on View

Click on working documents. The system provides complete details of the document: the user who created it, the user who accessed it last, date, time etc.

Fig 3.1.22 User Details


The details of the document can be selected, and those properties are available for viewing as shown in Fig 3.1.23.

Fig 3.1.23 Details of Documents

Select the fields which are required in the view. Only those fields are available in the regular view. Once we select the OK button, the screen shown in Fig 3.1.24 appears.


Fig 3.1.24 Select Field

Documents which are completed can be transferred to another folder by way of the archive option. The profile of the archived documents / folders is the same as that of working documents shown above.

References:

Details of the applications may be seen at www.icai.org.in
