CA Final MICS Study Notes Guide

The document provides guidance on using notes to study for the CA Final MICS exam. It recommends first reading material from the official study guide, then revising each chapter using the provided notes. With these notes, the entire syllabus can be revised within 1.5 hours, allowing it to be reviewed 4-5 times during the exam period. It also provides a recommended sequence of chapters to study and requests feedback on the notes to help improve them.

Uploaded by Hari

Mukesh Agarwal Research Group CA FINAL MICS (CA Final NOTES 2009)

HOW TO USE THESE NOTES


1. First of all, read the chapter thoroughly from study material provided by the
Institute Of Chartered Accountants Of India.
2. After reading one chapter from the study material, revise the chapter
immediately from these notes.
3. After that, whenever you wish to revise the chapter, you will get it within 2 to
5 minutes.
4. With the help of these notes, entire syllabus of MICS can be revised within 1½
hours. This way you can revise the syllabus of MICS 4 to 5 times in
examination period.

SEQUENCE OF STUDY
In our opinion, for the best understanding and a quick grasp of the chapters, the
following sequence (according to the study material) should be followed:

PHASE   CHAPTER NO.
1       6 to 10
2       11, 12 & 19
3       13 & 14
4       18, 15, 16 & 17
5       3, 4 & 5
6       1 & 2

REQUEST FROM ME
If these notes prove to be helpful to you (even very little), I shall think that my efforts
are successful. I request you to give your feedback to me about these notes. I shall
appreciate your feedback, your criticism & your suggestions. It will help me to
improve these notes & write notes on some more subjects also. You can contact me
at:

Web.: www.aeccsca.blogspot.com
e-mail i.d. – [email protected]

AECIndia.Commerce, G M Ext. Place, Shinde Ki Chhawani, Gwalior-474001 +91-751-2424240, 98930-16415


CS/CA Guidance Classes Web: www.aeccsca.blogspot.com E-mail: [email protected] Page i of 123
INDEX
PHASE   CHAPTER NO. IN STUDY MATERIAL   CHAPTER NAME
I       6     Enabling Technologies
        7     System Development Process
        8     System Design
        9     System's Acquisition, Software Development & Testing
        10    System Implementation & Maintenance
II      11    Design of Computerised Commercial Applications
        12    Enterprise Resource Planning – Redesigning Business
        19    CASE Tools & Digital Technology
III     13    General Controls in EDP Set-up
        14    Application Controls in EDP Set-up
IV      18    Information Security
        15    Detection of Computer Frauds
        16    Cyber Laws & Information Technology Act, 2000
        17    Audit of Information System
V       3     Basic Concepts of MIS
        4     System's Approach & Decision Making
        5     Decision Support & Executive Information System
VI      1     Basic Concepts of System
        2     Transaction Processing System
VII     Chapter wise important point summary for ready reference at the time of Examination
VIII    Questions & Answers Zone (47 Very IMP FAQ) Chapter wise


Chapter-6
ENABLING TECHNOLOGIES
Traditional Computing Model

Mainframe Architecture
• Dumb Terminal
• Non GUI
• Higher Costs
• Support every hardware platform

Personal Computers
• Independent PC
• No sharing of data & resources

File-Server Architecture
• Dumb Server
• Smart Terminal
• Supports GUI
• Network Traffic
• Sends Entire File
• Max. 12 Users

Client Server (C/S) Model - (Cost Reduction Technology)


• It's a form of distributed processing
• Divides processing work between server & work-station
• Server-Global Task; Client-Local Task
• Send only requested data
Advantages of C/S
1. Cost Reduction
2. Improved flow of information
3. Direct access to data
4. Increased data integrity & security
5. Better Connectivity
6. Increased Productivity
7. Easy to add new hardware
8. Takes less people to maintain
9. User Friendly GUI
10. SQL capability
11. Data protection & security
12. Access to multiple servers
Example of C/S :- Online Banking, Call-Centre, E-Comm., Internet
Elements of C/S
1. Data Storage
2. DBMS
3. Application Software
4. Operating System
5. User Interface
6. Display Devices

Components of C/S

Client (User of services)
- Non-GUI
- GUI
- OOUI
Server
- File Server
- Database Server
- Transaction Server
- Web Server
Middleware (Distributed Software) – 4 Layers
1. Service
2. Back End Processing
3. Network OS
4. Transport Stacks
Fat-Client (2 Tier)
Fat-Server (3 Tier)
Network – Network Hardware Devices

Middleware – It is a distributed software that allows client & server to connect
Service Layer – Carries coded data from software application.
Back End Processing – Encapsulate network instructions.
Network OS – Adds additional instructions.
Transport Stacks – Transfers data packets to the designated receiver.
Considerations for C/S Security
1. Disabling Floppy Drives
2. Disk-less workstations
3. Automatic booting
4. Network Monitoring
5. Data Encryption
6. Authentication System (Log-in ID & Password)
7. Smart Card System
8. Access only to required task.
9. All access points should be known.
C/S Risks

Technological
- Installation Phobia
- Obsolescence
Operational
- Success Probability
- Cope-up with Changing needs
Economic
- Susceptible to hidden cost
- Higher cost in short run
Political
- Mgmt. & end user satisfaction
Server Centric Model
C/S with dumb terminals.
Processing is done on server, client does the data entry & gets display of information.


Chapter-7
SYSTEM DEVELOPMENT PROCESS

• Process of examining a business situation with the intent of improving it.
• Branches: System Analysis; System Design


System Development Life Cycle (Traditional Approach)

Preliminary Investigation
Requirement Analysis
System Analysis (Present & Proposed)
Design of System
Acquisition & Development of software
System Testing
Implementation & Maintenance

Reasons for failure to achieve system development objectives


1. Lack of senior management support
2. Changing user needs
3. Difficult to design strategic system (Because they are unstructured)
4. Incompatibility of staff with new technology.
5. No proper standard & method of project management & system development
6. Over-worked or under-trained development staff
7. Resistance to change
8. Lack of user participation in development
9. Inadequate testing & training.
System Development Approaches
1. Traditional Approach
• Activities are performed in sequence
• Work performed in each stage is reviewed by managers & users
• It takes years to develop, analyse & implement.
2. Prototyping Approach
• Used to develop smaller systems
• Useful when system requirement is not known or difficult to determine
• Developed in small parts (prototypes) & at lesser cost
• Developed prototypes are refined & either turned into final system or scrapped to
develop a new real system
Four Steps
a) Identifying information system requirement
b) Develop the initial prototype
c) Test & Revise
d) Obtain user's approval
Advantages
Less time consuming, Active user participation, More reliable, Less costly

3. End User Development Approach
• End user is responsible for system development
• Low-cost technology
• Decline in standards & controls
• Reduction in quality assurance
• Unrelated & incomplete systems
• No experienced staff
4. Top Down Approach
• High Degree of top mgmt. involvement
Stages:
1) Analyse the objectives & goals of the entity
2) Identify the functions. e.g. – Production, Marketing, R & D
3) Ascertain the major activities, decisions & functions
4) Find out the information requirement
5) Prepare information processing program
5. Bottom Up Approach
• Starts from Supervisory management (Used to design various sub-systems)
• Identification of life stream systems that are essential for day to day activities
• Identify basic transactions, file-requirements & programs and develop system for
each such life stream
• Integration of data & such systems
• Addition of decision models & planning models
• Involvement of supervisory management.
6. Systematic Approach
• Used in small organizations in which no MIS personnel is involved.
Steps:
1) Identify requirements
2) Locate suitable software & hardware
3) Implement the system
Reasons for Project Failure
• Under estimation of time
• Lack of senior mgmt. participation
• Under estimation of resources
• Under estimation of size & scope of project
• Inadequate control
• Inadequate planning
• Changing system specifications
System Development Methodology
• Formalized, standardized & documented set of activities used to manage system
development project. Division of project into small modules.
• Deliverables (Specific report & documentation) must be produced periodically
• Approval of development process by users, managers & auditors (Sign Offs)
• System Testing
• Proper Training
• Prevent unauthorised changes to complete program by formalizing system
modifications.
• Post implementation review.


Preliminary Investigation
1. Starts when a problem / opportunity is identified by user or manager.
2. Clarify & understand the project request.
3. Determine the size of the project
4. Determine the feasibility of alternative approaches
5. Determine their costs & benefits
6. Final report to the management with recommendations.

Investigation
- Review of Internal documents
- Conducting Interviews

Feasibility
- Technical: Hardware & Software (no. of users)
- Economic: Evaluation of all the incremental costs & benefits
- Operational: Support of workers, customers & suppliers
- Schedule: Time required for development & implementation
- Legal: Fulfills all the statutory obligations & financial reporting
Requirement Analysis
• Determining user needs
• Study of application area in depth
• Assessing the strengths & weaknesses of present system
• Reporting to management
• Fact Finding Techniques
1. Documents (Input forms, Output forms, Organization Manual / Chart)
2. Questionnaire
3. Interviews
4. Observations

System Analysis

Present System
1. Review historical aspects
2. Analyse Inputs
3. Review data files used
4. Review Methods & Procedures
5. Analyse Outputs
6. Review internal controls
7. Study the existing physical & logical system
8. Overall analysis

Proposed System
1. Determine the objectives
2. Study the specifications
3. Determine the required output
System Development Tools
1. System Flow Chart (Documents flow of system & information processing procedures)
Presented by variety of symbols & connecting arrows.

2. Data Flow Diagram (Flow of data within an organisation)
[Data sources & destinations, Data flows, Transformation process, Data Stores]
Symbols in DFD – Data Source & Destination, Data Flow, Transformation Process, Data Storage
3. Lay out forms & screens (Pre printed forms)
Used to design source document, output, display.
4. System Components Matrix
Highlights basic activities of a system. e.g. – Input, Processing, Output & Storage
5. CASE Tools (Automation of anything that humans do to develop systems)
6. Data Dictionary (Computer file containing descriptive information about the data items)
It contains information about each data item stored in the system, file in which it
is stored, program that modifies it, authorised users & unauthorised persons.
It is updated with every change in data item.
Gives an audit trail to the auditor & aids in investigation.
Category of Tools
1. System Components & Flows
2. User Interface
3. Data attributes & relationships
4. Detailed system process


Chapter-8
SYSTEMS DESIGN

1. Review System's Requirements
2. Developing a model
3. Reporting to Management
Design: Logical Design; Physical Design
Design elements: Output, Input, Processing, Storage, Procedure, Personnel
Output (Report, Document, Message) – Displayed / Printed
Objectives
1. Convey Information (Past, Current & Future Projections)
2. Signal important events
3. Trigger an action
4. Confirmation of an action
Determinants of Designing
1. Content (Piece of data included in output, it must be objective)
2. Form (Refers the way of presenting content – Text / Graphical / Audio)
3. Volume (Amount of data output required – High Speed Printer / Monitor)
4. Timeliness (Daily / Weekly / Monthly or on real time basis)
5. Media (Paper / Display / Audio / Video)
6. Format (Manner in which data are arranged – Tabular / Graphic)

Input (Efficient data capture, effective coding & appropriate data entry methods)
Guidelines for form designing
1. Easy to fill (logical division, proper flow, captioning)
2. Purposeful
3. Accurate completion
4. Attractive
Characteristics of good coding scheme
[Code: - Brief no./title/symbol used instead of lengthy/ambiguous description]
1. Unique Code
2. Brief
3. Convenient
4. Expandability (compatible with future growth)
5. Suggestive
6. Permanence
Coding Schemes
1. Classification codes (Used to classify record in a particular class)
2. Function codes (Used to describe a function e.g. – sold, delivered)
3. Significant digit subset codes (Permanent Account No.)
Entire code is divided into meaningful parts.
4. Mnemonic Code (Linking with description e.g. MBA, C.A., C.S.)
5. Hierarchical Classification / Progressive Code
Data Storage – Individual File System & DBMS
Design of data communication (Simple & Cost effective)
System Manual: (Contains Description, Flow, Output, Input, Persons responsible)


Chapter-9
System’s Acquisition, Software Development & Testing

Acquisition of Hardware
1. Latest possible technology.
2. Speeds & capabilities.
3. Software Considerations.
4. Compatibility to future expansion.
5. Vendor selection & machine selection
Acquisition of software (Pre-packaged Application Software)
(Sources may be computer manufacturer, software houses, retail stores, user groups)
Advantages
1. Rapid Implementation
2. Quality
3. Low Risk
4. Lower Cost (No hidden costs)
Steps for selection of a computer system
1. Prepare design specification.
2. Distribute request for proposal (RFP)
3. Analysis of proposals.
4. Contact present users of proposed system
5. Conduct Benchmark Test. (Actual testing of the system)
6. Select the equipment/system.
Evaluation & Ranking of Proposals (Factors)
1. Capability & Quality
2. Cost-Benefit Analysis
3. Cost of maintenance
4. Compatibility
5. Services provided by the vendor
Also listed: System Maintenance, System Development Support, Training, Back-up, Complement Hardware / Software
Method of Evaluation
1. Checklists (Subjective Method)
2. Point-scoring analysis
3. Public evaluation reports (consultancy agency, present users, financial statement
analysis, credit rating agency)
Development of Software
Stages [Program Development Life Cycle]
1. Program Analysis. [Analyse the output required, input available & processing]
2. Program Design. [Planning the basic layout of the program e.g. Flow Charts, etc.]
3. Program Coding [Flow Charts converted into program statements. Eg:- Interpreter or
Compiler] Coded instructions are entered into a magnetic media that constitutes source language.
Then it is translated into machine language. It should be simple, short & require less processing
time.
4. Debug the program. [including walkthrough, tests & review of program codes]
5. Thorough testing of the program.
6. Documentation.
7. Program maintenance.

Tools
1. Program Flow Charts. (Graphical Format) Represents program logic
2. Pseudo Code. (English-Like statements)
3. Structure Chart. (Similar to organization chart ; No program logic)
4. 4GL Tools. (Automation of manual task)
5. Object Oriented Programming & Designing Tools.

System Testing
a. Preparation of realistic test data.
b. Parallel operation with the existing system.
c. Thorough checking of the results.
d. Review of the results.


Chapter – 10
System Implementation & Maintenance

System Implementation

Equipment Installation
• Installation Checklist.
• Site Preparation. [Space occupied by equipment & people. Proper control for
temperature, dust & humidity.]
• Equipment check-out.

Training Personnel
• System operator training. [Trouble-shooting list i.e. list of probable errors &
their remedies]
• User training.

Conversion Procedure
Conversion Strategy
1) Direct changeover (Straight forward dropping old system & using the new one.
Thorough testing is required before this conversion)
2) Parallel conversion (Running both old & new system)
3) Gradual conversion. [Combined features of (1) & (2)]
4) Modular prototype conversion.
5) Distributed conversion. [One entire conversion is done at one site.]
Activities Involved
1) Procedure conversion.
2) File conversion.
3) System conversion.
4) Scheduling personnel & equipment.
5) Alternative plans in case of equipment failure.

Post-Implementation Evaluation
• Evaluate whether the new system is working properly & the users are satisfied.
• Current adjustment in new system.
• Proposed adjustments in case of future development.
Dimensions
1) Development evaluation. [on schedule & within budget]
2) Operation evaluation.
3) Information evaluation.


Chapter -11
Design Of Computerised Commercial Applications
Accounts Payable System
Details of amount payable for goods & services received from vendors.
1) Due date.
2) Rate of discount/interest.
3) Optimum utilization of money to maximize return.
Inputs :- Challans, Bills, etc.; goods receipt note.
Payroll Accounting System
1) Working hours through attendance cards.
2) Calculation of Gross Earning.
3) Computing deductions.
4) Net amount payable.
Payroll master file – Contains personal data of each employee, their basic pay,
payment due & actual payment.
Inventory Control System {Raw Material, WIP & Finished goods}
1) Optimum level of inventory to :-
i. Avoid "Stock-Out" position.
ii. Avoid undue blockage of Working Capital.
iii. Minimize 'Carrying & Storage Cost'.
2) Back-Order file. [updated for sales orders that cannot be filled because of stock-outs.]
3) Various inventory levels, current stock.
4) Vendor details.
Inventory master file – Contains quantity of each item, their location, quantity
ordered, re-order point & vendor details
Sales Order Processing
1) Co-ordination with accounting department & inventory department.
2) Back-order file.
A/c's Receivable master file – Contains customer details, credit limit, credit
rating and balance due.
Cost Estimation
Cost for each order is determined by using “Standard Costing”.
Financial Accounting
1) Entering transactions & keeping track of various balances.
2) Trial Balance, Profit & Loss A/c and Balance Sheet.
3) Regular processing & year-end processing.
Share Accounting
1) Maintain an updated list of share-holder along with their personal details.
2) Inputs :- Share transfer form along with certificates.
3) Dividend warrant, splitting & consolidation of shares, mailing annual report & notices of
various meetings.

Common Points in all of the above applications


1) Batch Processing / Online Processing depending upon the requirement of the concern.
2) Various sources & details of input.
3) Contents & Format of output generated.
4) User of output.


Chapter – 12
Enterprise Resource Planning – Redesigning Business

Integrated software solution to all the functions of an organization.


Definition
ERP is a fully integrated business management system covering all functional areas.
Eg :- Logistics, Production, Finance, Accounting & Human Resource.
It organizes & integrates the above-stated operations to make optimum use of resources &
maximize return. It does the same thing but in a different manner.
Benefits
1) Assists employees & managers.
2) Production scheduling.
3) Optimum capacity utilization.
4) Reduce Inventory.
5) Better services to customers.
6) Reduction of paper document.
7) Timeliness.
8) Accuracy.
9) Quick response.
10) Competitive advantage.
Whole being greater than the sum of its parts.

Characteristics
1. Integration of all organization processes.
2. Flexibility.
3. Modular & open system architecture.
4. Comprehensive. [Wide range of business organizations]
5. Beyond the company.
6. Best Business Practices.
7. Use of EFT, EDI, Internet, Intranet, E-Comm., etc.
Business Process Re-engineering [BPR]
BPR is the fundamental re-thinking & re-designing of processes [not enhancing or improving] to
achieve dramatic improvement.
Business Engineering = BPR + Information Technology
Re-thinking of business processes to improve speed, quality & output.
Business Modelling
• Consists of Core Business Processes/Activities & their inter-linking in a diagrammatic form.
• Planning – Top down approach.
Execution – Bottom up approach.
• Readymade Business Modeling Templates are also available in the market.

[Diagram: ERP – Modules – Components]


Method Of Implementing ERP


Before implementation ERP must be divided into modules & components. It must be
customized as per the requirement. Implementation must be formalized.
• Identifying the needs for implementing ERP.
• Evaluating the present situation.
• Deciding the proposed situation.
• Re-engineering of processes.
• Evaluation of various alternative ERP packages.
• Finalizing the ERP package.
• Installation of required Hardware & Network.
• Hiring the ERP consultants.
• User training.
• Final implementation of ERP package.
ERP Vendors
1) Baan (The Baan Company)
2) Oracle (Oracle)
3) R/3 (SAP)
4) System 21 (JBA)
Determination of ERP package
1. Flexibility. [Ability to change according to future requirements]
2. Comprehensive. [Applicable to all industries]
3. Integration.
4. Beyond the company. [Supports processes with customers, suppliers, banks, etc.]
5. Best Business Practices. [Best Business Practices stored in ERP knowledge base]
6. New technology.
Implementation Guidelines
1. Analyse the corporate needs.
2. Business Process Re-engineering.
3. Establishment of good network.
4. Leadership & Motivation.
5. Appointment of Project Manager.
6. Hiring of consultants.
7. Selection of suitable package.
8. Training.
9. Final implementation.
10. List down the Critical Success Factors (CSF's) at departmental level.
11. Numeric values assigned to CSF's are called Key Performance Indicators (KPI's).
Life after implementation
Positives
1. Increased productivity.
2. Automation of processes.
3. Improvement in KPI's.
4. Elimination of manual work.
5. Total integration.
6. Real-time information.
7. Improved networking features.
Negatives
1. Job redundancy.
2. No secrecy of departmental data.
3. Loss of control & authorization.
ERP Audit
• Necessary for ensuring the proper functioning of ERP package.
• May be specific or general.
• Evaluation of security, authorization & control.
• ERP audit trail.


Modules of ERP software package


1. Financials. [Financial Accounting, General Ledger, Accounts Receivable/Payable, fixed
Assets Accounting, etc.]
2. Controlling. [Cost Centre Accounting & profitability analysis]
3. Investment Management. [Budgeting, Appropriation, Depreciation forecast]
4. Treasury. [Cash, Fund & Market risk management]
5. Integrated Enterprise Management. [Accounting data prepared by subsidiaries are
automatically incorporated for corporate reporting.] It has 3 modules :-
Enterprise Controlling – Consolidated Statements
• Automatic consolidation of various branches & subsidiaries.
• Inter-branch transfers are eliminated.
Enterprise Controlling – Profit Centre Allocation
• Consolidated figures are allocated to respective profit centres.
• Inter-branch transfers are considered.
Enterprise Controlling – Executive Information System
• EC-CS & EC-PCA are integrated & inter-firm comparisons are made for decision making.
6. Sales & Distribution. [Product billing on a real-time basis. Sales, calls, quotations, inquiries,
marketing, competitors & their products. Pricing is carried out automatically & verification of
availability checks.]
7. Product Data management (PDM) [Creating & managing product data throughout product life-
cycle]
8. Product planning & control.
9. Material management. [Purchasing, Inventory, Warehousing & Invoice verification]
10. Human Resource Management. [Employee master data, Recruitment management, Selection &
Training]
11. Payroll Accounting.
12. Internet & Intranet.


Chapter – 19
CASE Tools and Digital Technology

CASE Technology
1. Tools – Supports individual process activities
   - Editors
   - Compilers
   - File Compactors
2. Workbenches – Supports set of related activities
   - Analysis & Design: Multi-method Workbenches, Single Workbenches
   - Programming: General Purpose Workbenches, Large Specific Workbenches
   - Testing
3. Environment – Supports almost all the activities
   - Integrated Environment
   - Process Centered Environment

CASE Tools
• Concerned with creation & maintenance of system software
• Automated tools to solve specific problems
Integrated CASE Tools
• Specialised CASE Tools are combined together to form an integrated CASE Tool.
• 5 Levels :-
1. Platform Integration
Integration of all the tools/workbenches run on the same platform. Platforms may be a
computer / network / operating system.
2. Data Integration
• Process of exchange of data by CASE Tool.
• 3 Levels
i. Shared Files :- All the tools recognise a single file format.
ii. Shared Data Structures :- Make use of shared data structures including
programme/design language information.
iii. Shared Repository :- Integrated around an object management system.
3. Presentation Integration
Tools use a common standard presentation for user interaction.
[Window System, Comparable Functions and Interaction Integration]


4. Control Integration
Mechanism to control the integration of other CASE Tools.
5. Process Integration
Integrates the knowledge about processes, their phases, their constraints, etc. to support
their activities.
Typical Components of a CASE Workbench
1. Diagram Editor.
2. Analysis, Checking & Correction.
3. Query Language.
4. Data Dictionary.
5. Report Generator.
6. Import/Export facility.

CASE Workbenches

Programming Workbench
Set of tools to support program development.
e.g. :-
• Language Compiler.
• Structured Editor.
• Linker.
• Loader.
• Cross-Referencer.
• Interactive debugger, etc.

4GL Workbench
Produce interactive application which extracts information from DBMS & present it to
the end user. Updates DBMS with changes made by the end user.
e.g. :-
• Query Language
• Form design tools.
• Spread-sheet
• Report generator, etc.

Analysis & Design Workbench
Supports the analysis & design stage of software.
e.g. :-
• Diagram editor.
• Data dictionary.
• Forms definition tools.
• Import Export Facility.
• Code generators, etc.

Testing Workbench
Helpful in testing of systems before implementation.
e.g. :-
• Test Manager
• Oracle
• File compactor
• Report generator
• Simulators, etc.

Meta-CASE Workbench
Used to generate other CASE Tools.
5 aspects :-
1. Data Model.
2. Frame Model.
3. Diagrammatic notation
4. Textual presentation
5. Report structures


Chapter – 13
General Controls in EDP Set-up
1. Operating System Control
• Main functions of operating system are language translation, allocation of Computer resources, job-scheduling, multi-tasking & lots more.
• Objectives of Operating System Control
  Protection Of        From
  Operating System     Itself
  Operating System     Its environment
  Operating System     Users
  Users                Each other
  Users                Themselves

OS Control
OS Security :-
1. Log on procedure. [User ID & Password] After Log-on, Access Token is created by OS for each session.
2. Access Token. [Contains user ID, password & privileges granted]
3. Access Control List. [List of privileges to all the users]
4. Discretionary access control. [One valid user can assign to other at his discretion]
Threats to OS integrity :-
1. Accidental. [Hardware failure, OS failure]
2. Intentional. [Abused authority & intruders]
3. Computer virus.
Controlling against Virus, etc. :-
1. Virus. [Penetrates OS]
2. Worm. [Occupies idle memory]
3. Logic Bomb. [triggered by pre-determined event]
4. Back Door. [Unauthorised access]
5. Trojan Horse. [Captures IDs & passwords]
Controlled by :-
1. Anti-Virus program
2. Anti-Viral program/vaccine [Run continuously on a computer system to detect virus]
Controlling Audit Trail :-
Objectives –
1. Detecting unauthorized access. [Real time / subsequently]
2. Analyzing the reasons for such event.
3. Personal accountability.
2. Data Management Control

Access Controls
• Flat File System – Easy to control.
• DBMS – 5 control features :-
1. User View – Privileges to required users only.
2. Database Authorization Table – Contain actions a user can take.
3. User Defined Procedures – Series of personal questions.
4. Data Encryption
5. Biometric Devices – Finger Prints, Voice Prints, etc.
Back-up Controls
• Back up may be in magnetic disc or in magnetic tape.
• 4 features :-
1. Back-up
2. Transaction Log – Provides an audit trail.
3. Checkpoint – Several checkpoints in 1 hour.
4. Recovery Module
3. Organisation Structure Control
i. Separating System Development from Computer Operations.
ii. Separating System Development from Maintenance.
iii. Separating Database Administration from other functions.
iv. Separating Data Library from Operations.
v. An Alternative Structure for System Development.
4. Computer Centre Security & Control [It may be accidental or incidental.]
Risks
1. Fire Damage
2. Water Damage
3. Energy Variations
4. Pollution Damage
5. Unauthorised Intrusion
Controls
1) Disaster Recovery Plan
i. Emergency Plan
ii. Back-up Plan
iii. Recovery Plan
iv. Test Plan
2) Insurance of Hardware & Data

5. System Development Controls
i. System Authorisation – Evaluation of the system before the development.
ii. Users Specifications – Active involvement of user during the development phase.
iii. Technical Design – Documentation of user specifications and development process.
iv. Internal Audit Participation
v. Program Testing
vi. User acceptance
6. System Maintenance Control
i. Maintenance Authorisation, Testing & Documentation.
ii. Source Program Library (SPL) Controls – Documentation of retrieval, change, obsolescence, etc. of program in SPL.
iii. Password Control in SPL
iv. Audit Trail & Management Report
v. Program Version Number
vi. Message Sequence Numbering
7. Internet & Intranet Controls
• 2 types of risks :-
i. Component Failure – Communication Line, Hardware & Software.
ii. Subversive Threats – Unauthorised Intrusion.
a) Invasive Tap – Can read & modify data.
b) Inductive Tap – Can read only.


• Subversive Attacks – Insert / Delete / Modify / Alter the sequence / Discard / Delay Messages.
• Control features :-
1) Firewall
• Controls the communication between two networks. Insulates the organisation's network from external networks.
• 2 Types :-
i. Network-level Firewall – Low cost & low security level.
ii. Application Level Firewall – Costly & higher security level.
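2) Controlling Denial of Service Attacks
[Diagram – Normal connection: the User's Connecting Server sends SYN to the Receiving Server, the Receiving Server replies with SYN/ACK, and the Connecting Server returns ACK. Attack: the Computer Hacker sends SYN and is sent SYN/ACK, but the final ACK is never returned.]
• Receiving Server is blocked due to non-receipt of ACK packets and the legitimate user is prohibited from communicating.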
3) Encryption [Clear text → Cipher text → Clear text]
• Conversion of data into secret codes for storage / transmission.
• 2 types :-
i. Private Key Encryption – Single key used by both sender and receiver.
ii. Public Key Encryption – Public key is used to encrypt the data and private key is used to decrypt the data.
4) Message Translation Log
Record of all incoming & outgoing messages.
5) Call Back Devices
Calls back only the valid user to establish the connection.
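The denial-of-service condition described under control 2) can be watched for on the receiving server by counting handshakes that never receive their final ACK. The following is an added example, not part of the original notes; the event format, addresses (documentation ranges), timeout and threshold are all constructed assumptions.

```python
from collections import Counter


def build_sample_events():
    """Constructed sample: (seconds, client_ip, client_port, packet) as seen by the receiving server."""
    events = [
        # Legitimate user: SYN -> SYN/ACK -> ACK completes the handshake.
        (0.00, "192.0.2.10", 40001, "SYN"),
        (0.01, "192.0.2.10", 40001, "SYN/ACK"),
        (0.02, "192.0.2.10", 40001, "ACK"),
    ]
    # One source opens many connections and never returns the final ACK.
    for i in range(8):
        port = 50000 + i
        events.append((1.0 + i * 0.1, "198.51.100.7", port, "SYN"))
        events.append((1.0 + i * 0.1 + 0.01, "198.51.100.7", port, "SYN/ACK"))
    # A slow but legitimate client whose ACK is simply still in flight.
    events.append((9.50, "192.0.2.20", 41000, "SYN"))
    events.append((9.51, "192.0.2.20", 41000, "SYN/ACK"))
    return sorted(events)


def half_open_connections(events, now, timeout=3.0):
    """Return (ip, port) pairs whose SYN is older than `timeout` and was never ACKed."""
    pending = {}
    for ts, ip, port, packet in events:
        key = (ip, port)
        if packet == "SYN":
            pending.setdefault(key, ts)   # a retransmitted SYN keeps the first timestamp
        elif packet == "ACK":
            pending.pop(key, None)        # handshake completed, slot released
        # "SYN/ACK" is the server's own reply and does not change the state
    return sorted(key for key, ts in pending.items() if now - ts >= timeout)


def flood_report(events, now, timeout=3.0, per_source_threshold=5):
    """Summarise half-open connections in total and per source address.

    The total matters as much as the per-source count: it is the number of
    connection slots held on the receiving server, whatever address each SYN claims.
    """
    half_open = half_open_connections(events, now, timeout)
    per_source = Counter(ip for ip, _port in half_open)
    return {
        "half_open_total": len(half_open),
        "suspect_sources": {ip: n for ip, n in per_source.items()
                            if n >= per_source_threshold},
    }


if __name__ == "__main__":
    print(flood_report(build_sample_events(), now=10.0))
```

The timeout keeps a slow legitimate client from being counted until its handshake is genuinely overdue.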
8. Personal Computer Controls
Risks
1. Incompatibility of Hardware / Software.
2. Poor Data Security
3. Decentralisation of processing
4. Computer Virus
5. No thorough testing.
6. Weak access control
7. Inadequate Back-up procedures
Controls
1. Centralizing PC purchase
2. Physical locking of hardware
3. Regulating the use of floppy
4. Proper training
5. Virus prevention
6. Proper Back-up arrangement – Floppy, Dual Internal Hard Disks, External Hard Disk, Tape Back-up.
7. Multi-level password control.


Chapter-14
Application Controls in EDP Set-up

Input Controls
1. Source Document Control
Pre-numbered ; Used in Sequence ; Periodical Audit
2. Data Coding Control
i. Transcription Error (addition / truncation / substitution)
ii. Transposition Error (e.g. 38276 keyed as 83276)
Measure – Check Digit (modulus-11 check digit)
3. Batch Control
i. Batch Transmittal Sheet – It is prepared by user department & submitted along with
batch of source document. It contains Batch no., Date, Transaction Code, Batch Totals.
[Batch Totals = Record Count, Hash Total & Control Total]
ii. Batch Control Log – Contains the details of all the batches processed during a period.
4. Validation control
Field Interrogation
• Examines the characters in the field.
i. Limit Check
ii. Data Type Check (alphabetic / numeric)
iii. Valid Code Check
iv. Check Digit
v. Arithmetic Check
vi. Cross Check
Record Interrogation
i. Sequence Check
ii. Completeness Check
iii. Combination Check
iv. Redundant Data check
v. Password
vi. Authorisation
File Interrogation
• It ensures that the required file is being processed.
i. Internal Label Check
ii. Version Check
iii. Expiration Date Check – Prevents deletion before expiry.
5. Input Error Correction
i. Immediate Correction – at the time of input
ii. Create an Error File – correction at a later time
iii. Reject the Entire Batch – processing is done when all the records are made correct.
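A worked modulus-11 check digit for the Data Coding Control above, as an added example that is not part of the original notes. The weighting scheme (weights 2, 3, 4, ... from the rightmost digit, "X" for a check value of 10) is an assumption, since the notes do not specify one; the example goes beyond the single 38276 case by testing every single-digit substitution and adjacent transposition.

```python
MAX_BASE_DIGITS = 9  # weights 2..10 stay distinct and non-zero modulo 11


def mod11_check_digit(base):
    """Return the modulus-11 check character for a string of digits."""
    if not base.isdigit() or len(base) > MAX_BASE_DIGITS:
        raise ValueError("base must be 1 to 9 decimal digits")
    # The rightmost digit gets weight 2, the next 3, and so on.
    total = sum(int(d) * w for w, d in enumerate(reversed(base), start=2))
    check = (11 - total % 11) % 11
    return "X" if check == 10 else str(check)


def is_valid(code):
    """True when the last character is the correct check digit for the rest."""
    body, check = code[:-1], code[-1:]
    if not body.isdigit() or len(body) > MAX_BASE_DIGITS:
        return False
    return mod11_check_digit(body) == check


def keying_errors(code):
    """Yield every single-digit substitution and adjacent transposition of code."""
    for i, ch in enumerate(code):
        for d in "0123456789":
            if d != ch:
                yield code[:i] + d + code[i + 1:]
    for i in range(len(code) - 1):
        if code[i] != code[i + 1]:
            yield code[:i] + code[i + 1] + code[i] + code[i + 2:]


def undetected_errors(code):
    """Return the keying errors that would still pass validation."""
    return [bad for bad in keying_errors(code) if is_valid(bad)]


if __name__ == "__main__":
    account = "38276"                      # number used in the notes' example
    coded = account + mod11_check_digit(account)
    print("coded number      :", coded)
    # The transposition from the notes, keyed with the original check digit.
    print("83276 + old digit :", is_valid("83276" + coded[-1]))
    print("errors not caught :", undetected_errors(coded))
```

Because 11 is prime and every weight is distinct, no substitution or transposition can leave the weighted sum unchanged, which is why the list of undetected errors is empty.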
Processing Controls
1. Run-to-Run Control
• Monitors the batch as it moves from one programmed procedure (run) to another.
• Ensures that the batch is processed correctly and completely at each run.
• Recalculates control totals; Transaction Codes; Sequence Checks.
2. Operator Intervention control
Control of various tasks in which active involvement of operator is required.

3. Audit Trail Control
• Proper documentation of all the transactions.
(i) Transaction Logs (Log of all successful transactions)
(ii) Transaction Listings
(iii) Error Listings (List of unsuccessful transactions)
(iv) Log of Automatic Transactions
(v) Listing of Automatic Transactions
(vi) Unique Transactions Identifiers
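The batch totals on the Batch Transmittal Sheet (Input Controls, Batch Control) and the Run-to-Run Control above work together: each run recomputes the record count, hash total and control total and compares them with the sheet. This is an added example, not part of the original notes; the record layout, run names and sample values are constructed.

```python
from dataclasses import dataclass, fields
from decimal import Decimal


@dataclass(frozen=True)
class BatchTotals:
    record_count: int       # number of source documents in the batch
    hash_total: int         # sum of a non-financial field (account numbers here)
    control_total: Decimal  # sum of a financial field (amounts)


def compute_totals(records):
    return BatchTotals(
        record_count=len(records),
        hash_total=sum(r["account_no"] for r in records),
        control_total=sum((Decimal(r["amount"]) for r in records), Decimal("0")),
    )


def mismatches(expected, actual):
    """Names of the totals that differ between two BatchTotals."""
    return [f.name for f in fields(BatchTotals)
            if getattr(expected, f.name) != getattr(actual, f.name)]


def first_failing_run(transmittal, runs):
    """Check the batch after each run; return (run_name, broken_totals) or None."""
    for run_name, records in runs:
        broken = mismatches(transmittal, compute_totals(records))
        if broken:
            return run_name, broken
    return None


# Constructed sample batch and the totals the user department wrote on the sheet.
BATCH = [
    {"account_no": 1001, "amount": "250.00"},
    {"account_no": 1002, "amount": "1200.50"},
    {"account_no": 1003, "amount": "75.25"},
    {"account_no": 1004, "amount": "310.00"},
]
TRANSMITTAL = BatchTotals(4, 4010, Decimal("1835.75"))

# Account number mis-keyed: only the hash total notices.
WRONG_ACCOUNT = [dict(BATCH[0]), dict(BATCH[1]),
                 {"account_no": 1030, "amount": "75.25"}, dict(BATCH[3])]
# Amount altered: only the control total notices.
ALTERED_AMOUNT = [dict(BATCH[0]), dict(BATCH[1]),
                  {"account_no": 1003, "amount": "750.25"}, dict(BATCH[3])]
# Three runs; the last one silently loses a record.
RUNS = [("edit", BATCH), ("sort", list(reversed(BATCH))), ("update", BATCH[:-1])]

if __name__ == "__main__":
    print(mismatches(TRANSMITTAL, compute_totals(WRONG_ACCOUNT)))
    print(mismatches(TRANSMITTAL, compute_totals(ALTERED_AMOUNT)))
    print(first_failing_run(TRANSMITTAL, RUNS))
```

Each of the three totals catches a different fault, which is why the transmittal sheet carries all of them.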
Output Controls
• Ensures that output is not lost / corrupted and its privacy is maintained.
1) Tape & Disk Output Controls
Parity Bit Checking (Hardware Controls)
Check Digits (Software Controls)
ECHO Check
2) Printed Output Controls
i. Verification of output [Output directly / indirectly related to inputs and exception reports]
ii. Distribution of output
iii. Procedure for acting on exception reports
Real-time system outputs are exposed to disruption, destruction, corruption, etc.


Chapter – 18
Information Security
• Information Security means protection of valuable information within the organisation by applying various standards, measures, practices & procedures.
Objective of Information Security
1. Protecting the interest of the users of the information.
2. Protecting the Information System.
3. Protecting the communication.
• The security objective is met when the following conditions are satisfied :-
(i) Availability – Information is available whenever required.
(ii) Confidentiality – Disclosed only to authorised persons.
(iii) Integrity – Protected against unauthorised modifications.
Sensitive information
Strategic Plans; Business Operations (List of client's name & add.); Financial Information.
Principles of Information Security
1. Accountability – It must be formalized & communicated. Use of proper audit trail.
2. Awareness
3. Multi-disciplinary – Technological and non-technological issues.
4. Cost Effectiveness
5. Integration – Security system must be co-ordinated.
6. Re-assessment – Periodical changes.
7. Timeliness – Monitoring & timely response.
8. Social factors – Respecting rights / interests of others.
3 types of Information Protection
1. Preventative Information Protection
(i) Physical (e.g. locks and guards, floppy access lock)
(ii) Logical / Technical (e.g. passwords & authentications, etc.)
(iii) Administrative (e.g. Security awareness)
2. Restorative Information Protection
Timely restoration of lost information after occurrence of the event.
3. Holistic Protection
Planning for unexpected and unknown events to happen.
Approach to implement Information Security.
1) Designing Security Policy that defines acceptable behaviors and reactions in case of
violations.
2) Proper communication of Roles & Responsibilities to individuals –
Individuals – Responsibilities
Executive Management – Overall responsibilities
IS Security Professionals – Design & Implementation of security policy.
Data Owners – Maintaining accuracy & integrity
Process Owners – Ensuring appropriate security embedded in their IS.
Technology Providers – Assist in implementation of Information Security System.
Users – Follow the set procedures.
IS Auditors – Independent assurance.

3) Designing of Information System Security Framework after the policy has been approved by
the governing body.
4) Timely Implementation of Information Security System after designing of framework.
5) Continuous Monitoring, disciplinary & corrective actions.
6) Adequate Training, Education & Awareness program to ensure proper functioning of
Information Security.
Security Administrator
• Responsible for controlling and co-ordinating the activities related to security aspects.
• Ensures adequate Information Security; Sets Policies; Investigates; Advises; Trains the users; Monitors the activities related to Information Security.


Chapter – 15
Detection of Computer Frauds
Computer fraud means obtaining unfair advantage over another person, computer, or
organisation using computer, computer network or computer resources.

Computer Fraud includes
• Theft, unauthorised access, modification, copy or destruction of software, sensitive & confidential information.
• Theft of money using computer.
• Theft, destruction of computer hardware.
• Financial / reputational damage to a business using computer.
Examples of Computer Frauds
• Investment fraud (offering high rate of return)
• Secret market fraud (pretends & influences that there is a confidential market for a particular financial instrument offering a high rate of return)
• Pyramid Schemes (offer high return on contribution & invariably collapse)
• Hacking (unauthorised access / modification to data / software)
• Cracking (Hacking with malicious intention)
• Abuse of computer system by employees (for personal purpose)
• Software piracy (unlicensed copy of software)
Primary Risks to business
Internal Threats
1. Input [alter computer input]
• Collusive fraud (Banking Fraud)
• Disbursement Fraud (payment against false bills)
• Payroll fraud (fictitious employees)
• Cash receipt fraud
2. Processor [unauthorised use of computer system / services / time]
3. Computer Instructions [tampering with the software]
4. Data [altering / damaging / copying company's data]
5. Output [misuse of printed / displayed output]
6. e-mail [altering the content]
External Threats
1. Removal of information
2. Destruction of integrity
3. Interference with web pages
4. Virus by e-mail
5. Interception of e-mail
6. Interception of EFTs
Reasons for Internet Fraud
• Unregulated (no license fee, no central authority)
• Low cost
• Global reach
• Difficult to distinguish genuine from fraud
• No verification system for genuineness of information


Preventing Computer Fraud
• Adequate system security & regulation thereof.
• Adequate appointment procedure for new joinees.
• Proper action against fraudulent employees.
• Manage the employees eager to take revenge.
• Education & training regarding security & fraud prevention measures.
• Developing a strong internal control system
• Segregation & rotation of duties
• Restriction on computer / data access
• Encrypt data & programs
• Protect telephone lines
• Protect the system from virus
• Control on use of laptop, floppy drives, etc.

Detection methods
• Conduct audit at regular interval
• Appointment of Computer security officer
• Hiring of computer consultants
• Maintenance of System activity log
• Fraud detection software
• Computer forensic tools – In this technique deleted files are recovered. Exact copy of disk is taken through disk imaging technique & investigation is done without the knowledge of the fraudster. [Disk Imaging & Analysis Technique]

Security methods
• Take proper insurance cover
• Keeping back-up at remote location
• Develop contingency plan
• Using special software to monitor the activities


Chapter-16
Cyber Laws and Information Technology Act, 2000

Objectives of the Act
• Grant legal recognition to electronic transactions.
• Legal recognition to digital signature
• Facilitate electronic filing of documents.
• Facilitate electronic storage of data
• Facilitate EFTs
• Recognition to books of account in electronic form
Scope of this Act
Extends all over India and also to any offence committed thereunder outside India.

Definitions
Asymmetric Crypto System
Key Pair consisting of a private key (for creating digital signature) and a public key (to verify
the digital signature).
Digital Signature
Authentication of electronic record by means of an electronic method.
Secure System {Hardware, Software & Procedure}
• Is secure from unauthorized access
• Provide a reasonable level of reliability
• Suited in performing the intended functions.
• Adhere to generally accepted security procedures.
Power of CG to make rules in respect of digital signature
1. Type of digital signature
2. Manner and format for affixing it.
3. Manner & procedure to identify the originator.
4. Control procedures to ensure security & confidentiality.
5. Any other matter to give legal effect to digital signature.
Controller → (License) → Certifying Authority → (Issues digital certificates)

Damage to Computer, Computer system, Computer network, Computer hardware etc. (Compensation upto Rs. 1 Cr.)
• Accesses or secures access to
• Downloads or copies any data from such Computer
• Introduces or causes to introduce any virus into the Computer System
• Damages or causes to damage any Computer Network
• Denies or causes denial access to such Computer Resource etc.
• Provides assistance to access to
• Tampering or manipulating


Penalties
• Failure to furnish information – upto Rs.1.5 lakh for each failure
• Failure to file return – upto Rs.5000/- per day
• Failure to maintain books – upto Rs.10000/- per day
• Hacking with computer system – upto 2 lakhs / imprisonment upto 3 yrs. / both
• Misrepresentation – upto 1 lakh / imprisonment upto 2 yrs / both
• Breach of confidentiality – upto 1 lakh / imprisonment upto 2 yrs / both

Order of controller or adjudicating authority
→ [Within 45 days (+) extension] Appeal to Cyber Appellate Tribunal
→ Opportunity of being heard
→ [within 6 mths] Order of CAT (Set aside, confirm, modify the order appealed against)
→ [Within 60 days (+) 60 days] Appeal to HC (May be on Q. of law / fact)

Compounding of offences
• Either before or after institution of adjudication
• Compounded by Controller or Adjudicating Officer
• Similar contravention cannot be compounded within 3 yrs.
Power of CG to make rules (Sec 87)
• By notification in the official gazette and in the electronic gazette
• Matters to be specified in the rules
  • Manner of authentication by means of digital signature
  • Electronic form of filing, issue, payment etc.
  • Type and manner of affixing digital signature.
  • Qualification, disqualification and terms & conditions of service of controller etc.
  • Standards to be observed by controller
  • Form and manner of application for license.
  • Form for application for issue of digital certificate, etc.

Steps to create Digital Signature
• Electronic record is converted into “Message Digest” using mathematical function known as “Hash Function” which freezes the electronic record.
• Private Key attaches itself to the message digest.
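The two steps above, together with the Asymmetric Crypto System definition earlier in the chapter (private key creates the signature, public key verifies it), carried through in code. This is an added example, not part of the original notes or of the Act: SHA-256 as the hash function and textbook RSA with two small fixed primes and no padding are assumptions chosen so the arithmetic is visible, and are not a production signature scheme.

```python
import hashlib

# Assumed toy key pair, built from two known Mersenne primes (illustration only).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q                             # modulus, part of both keys
E = 65537                             # public key exponent (used to verify)
D = pow(E, -1, (P - 1) * (Q - 1))     # private key exponent (used to sign)


def message_digest(record):
    """Step 1: the hash function 'freezes' the record into a fixed-size digest.

    The digest is reduced modulo N only because this toy modulus is smaller
    than a SHA-256 output.
    """
    return int.from_bytes(hashlib.sha256(record).digest(), "big") % N


def sign(record, d=D, n=N):
    """Step 2: the private key is applied to the message digest."""
    return pow(message_digest(record), d, n)


def verify(record, signature, e=E, n=N):
    """Anyone holding the public key recomputes the digest and compares."""
    return pow(signature, e, n) == message_digest(record)


# Constructed sample records.
RECORD = b"Pay Rs. 10,000 to A. Kumar"
TAMPERED = b"Pay Rs. 90,000 to A. Kumar"

if __name__ == "__main__":
    signature = sign(RECORD)
    print("original verifies :", verify(RECORD, signature))
    print("tampered verifies :", verify(TAMPERED, signature))
    print("forged signature  :", verify(RECORD, (signature + 1) % N))
```

Changing a single character of the record changes the digest, so the signature made over the original no longer verifies.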
Liabilities of Companies
• Every person who was in-charge / responsible for day-to-day activity & the company shall be deemed to be guilty of such offense & shall be liable to be punished & proceeded against.
• Every Manager, Director, Officer with whose connivance such offense was committed shall also be liable.
• No liability if he proves his innocence.

• Controller shall act as repository for all digital signatures issued under this act.


Chapter-17
Audit of Information Systems

IS Auditor must ensure that provisions are made for:
• An adequate audit trail
• Control over the accounting
• Handling exceptions
• Testing
• Control over changes to the system
• Authorization procedures
• Govt. policies & procedures are adhered
• Training
• Evaluation criteria of system
• Adequate control over the network
• Adequate security procedures
• Back up & recovery procedures

Computer auditing approach different from manual auditing
• Electronic evidence
• Computer terminology
• Automated processes
• Exposed to new risks
• Reliance on adequacy of controls
Scope & Objectives of IS Audit
• Computerised system & applications
• Information processing facilities
• System development
• Management of IS
• Client/server, telecommunications, and intranets
Computer Security
• Accidental/Intentional damage, unauthorised access, modification, theft etc.
• Control procedures to prevent fraud (antivirus, encryption, firewalls, back up & recovery)
• Complete review of the entire system & procedures
• Test of controls & ensuring proper implementation
• Rectification of security weaknesses
Program development, acquisition & modification
• Reviewing the existing internal control & its evaluation.
• Reviewing the reasons for such development/modification
• Analysis of system specifications.
• Interviewing development personnel, managers & users
• Identifying unauthorised instructions (reprocessing & parallel simulation techniques)
  Parallel Simulation Technique (Source Code Comparison) – Compares the current source code with the original one to detect unauthorized modification.
• Ascertaining that programs are properly tested.
• Thorough review of all the documentation
Audit of Computer processing
• Understand & evaluate the processing controls.
• Ensure that they are practically followed
• Periodical review of all the controls
• Elimination of control deficiencies.


• Test data processing – Processes a series of correct & incorrect data and reverses the effect of test data after auditing.
Concurrent Audit Techniques
(Continuous monitoring of system and input on a real time basis)
1. Integrated test facility (fictitious records) – No need to reverse the test transactions & the user is unaware of this process of testing.
2. Snapshot Technique – Snapshot data is stored in a separate file & is reviewed by auditor
3. System control audit review file (SCARF) – Collects data of special transactions e.g. exceeding certain amount.
4. Audit hooks – Flag suspicious transactions & display a message at the auditor's terminal
5. Continuous and Intermittent Simulation – This audit module works along with the DBMS like SCARF. It does parallel simulation & reports the discrepancy through a separate log file.
Analysis of Program logic
(Time consuming & requires programming language proficiency)
1. Automated flowcharting programs (Automatically generates flow-chart from source code)
2. Automated decision table programs
Source Data Controls
• Detection of inaccurate & unauthorised source data.
• Input control matrix (control applied to each field of input data)
• Periodical review of control procedures to maintain effectiveness
Data Files Controls
• Data storage risk (access, modification, destruction)
• Audit procedures checklist


Chapter-3
Basic Concepts of MIS

Management Information System
Management :-
• Determining the objectives
• Developing plans
• Securing & organizing various resources
• Exercising adequate controls
• Monitoring the results
Information :-
• Reprocessing of data & putting them into a meaningful & useful context
System :-
• Consisting of a no. of elements operating together for accomplishment of an objective.
MIS is a network of information that supports management decision making.
It uses the information resource for effective & better achievement of organizational objectives.
Canith defines “MIS as an approach that visualizes the organisation as a single entity composed of various inter-related and inter-dependent sub-systems to provide timely & accurate information for management decision making.”
Characteristics of an effective MIS
1. Management oriented [Development of MIS starts from the need of the management]
2. Management directed [management actively directs the MIS development]
3. Integrated [all the information sub-system works as a single entity]
4. Common Data Flow [common input, processing & output procedures & media]
5. Heavy planning element [consumes substantial time to develop]
6. Sub-system concept [entire MIS is divided into smaller sub-systems]
7. Common Database
8. Computerized
Misconceptions about MIS [and their clarifications]
1. MIS is about the use of computers [it may or may not involve computers]
2. More data in reports means better information for managers [quality of data and not the
quantity of data is relevant]
3. Accuracy in reporting is of vital importance [Information may be approximate. Accurate
information involves higher cost]
Pre-requisites of MIS
i. Database and DBMS
ii. Qualified system & staff
iii. Support of top management
iv. Adequate control & maintenance of MIS
v. Evaluation of MIS
Constraints in operating MIS
i. Non availability of experts
ii. Difficulty in dividing MIS into sub-systems
iii. MIS is non standardized
iv. Non co-operation from staff
v. Difficult to quantify the benefits of MIS
Effects of using computer MIS

i. Speed in information processing & retrieval


ii. Increases the usefulness of information system
iii. Scope of analysis widened
iv. Complexity of system design & operation
v. Integration of different information sub-system
Limitations of MIS
i. Effectiveness of MIS depends upon the quality of input
ii. Not a substitute of effective management
iii. MIS lacks flexibility
iv. Ignores the non quantitative factors (attitude & morale)
v. Useless for non programmed decisions
vi. Difficult to maintain privacy & secrecy
Types of information
Environmental Information
• Govt. policies
• Factors of production
• Technological information
• Economic trend
Competitive Information
• Industry demand
• Firm demand
• Competitive data
Internal Information
• Sales forecast
• Financial budget
• Supplier factors
• Internal policies
Levels of management & their information requirement
Top Level (Strategic Level)
• Determining the overall goals & objectives
• Economic / political / social information
• Competitive information
Middle Level (Tactical Level)
• Sales Manager, Purchase Manager, Finance Manager
• Most of the information is internal
• Demand & supply information
Supervisory Level
• Section officers, Foreman
• Instruct and supervise employees
• Make routine & day to day decisions.

Database
It is a super-file that consolidates & integrates the data that was previously stored in
different files.


Chapter – 4
Systems Approach & Decision Making
System Approach to Management
It's a way of thinking about management problems.
Each problem should be examined in its entirety, along with the effect of the proposed changes on each part of the organization, e.g. changing from batch production to continuous production will affect finance, warehousing, purchase department, etc.
Decision-Making
It is a never-ending process of choosing a particular course of action out of several
alternative courses for achievement of desired goals.
Pre-decisional, decisional & post-decisional functions are performed by management.
Steps involved in decision making
1. Defining the problem
2. Analyzing the reasons
3. Identifying the alternative solutions
4. Evaluation of the same
5. Selection of the best alternative
6. Implementation of the solution
Classification of decisions
1. Programmed & non-programmed decisions
2. Strategic & tactical decisions
3. Individual & group decisions
Functional Information Areas
Finance & Accounting
Financial decision making involves decision regarding procurement & effective utilization of funds.
- Estimation of funds & the timing.
- Capital structure. (Optimum Mix)
- Capital budgeting (Investment)
- Profit planning
- Tax management
- Working capital management
- Current Assets management.
Production
- Production Planning
- Production Control
- Material requirement planning (MRP)
Production Planning = What to produce + When to produce + How to produce.
Marketing
Marketing bridges the gap between the firm & its customers.
- Sales support & analysis.
- Market research & intelligence.
- Advertising & promotion.
- Product development & planning.
- Product pricing
- Customer service
3 types of information
- Internal
- Competitive
- Environmental
Personnel
- Proper recruitment
- Placement
- Training
- Compensation
- Maintenance
- Health & Safety
Sources of information
- Accounting information system
- Payroll processing


Chapter – 5
Decision Support & Executive Information System
Decision Support System
It is a system that provides tools to managers to assist them in solving semi-structured &
unstructured problems (it is not a means to replace the management).
Programmed Decision System replaces human decision making (no management is involved).
Properties of DSS
1. Support semi-structured & unstructured decisions
2. Ability to adapt to the changing needs
3. Ease of learning & use
Components of DSS
1. Users (Managers)
2. Databases
3. Planning Languages (General purpose, special purpose)
4. Model Base (Brain of the DSS, custom developed)
Tools of DSS
1. Data based software
2. Model based software
3. Statistical software
4. Display based software
Integrated Tools combines all these software in one package.
DSS in Accounting
1. Cost Accounting System (Generally used in Health Care industry)
2. Capital Budgeting System (Calculates NPV, IRR of various projects)
3. Budget Variance Analysis System (Forecasting budget & analyzing variances)
4. General Decision Support System, etc.
Executive Information System
It is a DSS designed to meet the special needs of top-level management and having
additional capabilities such as e-mail.
It provides on-line access to information in a useful & navigable format (mouse & touch
screen driven, pictorial & graphical presentation).
Types of planning by top level management
(i) Strategic Planning (CEO level)
(ii) Tactical Planning (Planning to carry out Strategic Planning)
(iii) Fire Fighting (Major damage, new competitor, strike)
(iv) Control (General controls)
Characteristics of Information obtained in EIS
(i) Unstructured
(ii) High degree of uncertainty
(iii) Future Orientation (Economic trend, govt. decision, consumer choice, competitor, etc.)
(iv) Informal Source
(v) Lack of details


Chapter – 1
Basic concepts of systems
- System is a set of inter-related elements that operate collectively to accomplish some common goal.
- Abstract System is an orderly arrangement of independent ideas or constructs.
- Physical System consists of physical elements rather than ideas.
- Environment is a collection of elements that surround the system and often interact with the system.
- The features that define and delineate a system form its boundary.
- Sub-system is a part of a larger system.
- Inter-connections & interactions between the sub-systems are called interfaces.
- Decomposition is the process of dividing a system into sub-systems and so on.
- Simplification is the process of organizing sub-systems to simplify their inter-connections (clusters of sub-systems are established).
- Supra-system is an entity formed by a system / sub-system and its related systems / sub-systems.

INPUT → PROCESSING → OUTPUT


Types of Systems
Deterministic System (Computer Program)
- Operates in a predictable manner
- Interaction among the parts is known with certainty
Probabilistic system (Inventory System)
- Described in terms of probable behaviour
- Certain degree of error is always attached
Closed system
- No interaction across its boundary.
- Relatively closed system (it is a closed but not completely closed system in the physics sense).
Open System (Organisation)
- Actively interacts with other systems
- Tends to change to survive and grow due to change in external environment.
System Entropy
- System Entropy means decay, disorder or dis-organisation of a system.
- Negative entropy is the process of preventing entropy by input of matter, repair, replenishment & maintenance.
System Stress & System Change
- A stress is a force transmitted by a system's supra-system that causes a system to change.
- It arises due to 2 reasons: change in the goal & change in the achievement level.
- Systems accommodate stress through structural changes or process changes.
Information
Information is data that have been put into a meaningful & useful context.


Characteristics
(i) Timeliness
(ii) Purposeful
(iii) Mode and Format (visual, verbal or written)
(iv) Redundancy
(v) Rate of transmission (bits per minute)
(vi) Frequency (daily, weekly, or monthly)
(vii) Completeness
(viii) Reliability
(ix) Cost-Benefit Analysis
Business Information System
- Transaction Processing System
- Management Information System
- Decision Support System
- Executive Information System
- Expert System (Artificial Intelligence) – It replaces the need for human expertise. It is useful for a specific area, e.g. taxation problem, refinery, etc.


Chapter – 2
Transaction Processing System
Captures data and provides information reporting
Simplification of information processing by clustering business transactions
a) Revenue cycle
b) Expenditure cycle
c) Production cycle
d) Finance cycle
Components of transaction processing system
1. Input
2. Processing (on-line processing, batch processing)
3. Storage
4. Output
Types of codes used in transaction processing system
1. Mnemonic Codes
2. Sequence Codes
3. Block Codes
4. Group Codes


SUMMARY OF MICS
Starting Your Preparation for MICS:

If you are starting your preparation for MICS, the chapters are listed below in order of
importance in the exam:

1. System Development Process (Ch 7)
2. System Design (Ch 8)
3. System Acquisition S/W Development & Testing (Ch 9)
4. System Implementation & Maintenance (Ch 10)
5. EDP General Controls (Ch 13)
6. EDP Application Controls (Ch 14)
7. Computer Frauds (Ch 15)
8. Cyber Laws (Ch 16)
9. Audit of Information System (Ch 17)
10. Information Security (Ch 18)
11. MIS
12. Design of Computerised Commercial Applications (Ch 11)
13. Enabling Technologies (Ch 6)
14. Decision Support System (Ch 5)
15. CASE Tools (Ch 19)
16. ERP (Ch 12)
17. Basic Concept of Systems (Ch 1)
18. System Approach & Decision Making (Ch 4)

Chapter-wise summary of important points for ready reference at the time of Examination.


Basic Concept of System

1. Type of System
(1) Deterministic and Probabilistic System.
(2) Closed and Open System.

2. Characteristics of Information
(1) Timeliness
(2) Purpose
(3) Mode and Format
(4) Redundancy
(5) Rate
(6) Frequency
(7) Completeness
(8) Reliability
(9) Cost Benefit Analysis
(10) Validity
(11) Quality

3. Categories of Information Systems
(1) Transaction Processing System (TPS)
(2) Management Information System (MIS)
(3) Decision Support System (DSS)
(4) Executive Information System (EIS)
(5) Expert Systems (ES)


Transaction Processing System

1. Transaction Processing Cycle
1. Revenue Cycle
2. Expenditure Cycle
3. Production Cycle
4. Finance Cycle

2. Components of the Transaction Processing System
1. Inputs
2. Processing
3. Computer Storage
4. Computer Processing
5. Reference of Table File
6. Outputs


Basic Concept of MIS

1. Characteristics of an effective MIS
1. Management Oriented
2. Management Directed
3. Integrated
4. Common Data Flows
5. Heavy Planning Element
6. Sub System Concept
7. Common Database
8. Computerised

2. Misconception or Myths about MIS
1. The study of management information system is about the use of computers.
2. More data in reports means more information for managers.
3. Accuracy in reporting is of vital importance

3. Pre-Requisites of an effective MIS
1. Database
2. Qualified system and management staff
3. Support of Top Management
4. Control and maintenance of MIS
5. Evaluation of MIS

4. Constraints in Operating a MIS
1. Non availability of Experts
2. Problem of selecting the sub-system
3. Varied objectives of business concerns
4. Non availability of Co-operation from staff
5. High turnover of Experts
6. Difficulty in Quantifying the benefit of MIS

5. Effects of using Computer for MIS
1. Speed of processing and retrieval of data increases
2. Scope of use of information system has expanded
3. Scope of analysis widened
4. Complexity of system design and operation increased
5. Integrates the working of different information sub-systems
6. Increases the effectiveness of Information system
7. More comprehensive Information


6. Limitations of MIS
1. Quantity of Input and Processing
2. Not a substitute for effective management; only an alternate tool for decision
making
3. Does not have the requisite flexibility to quickly update itself
4. Cannot provide tailor-made information package
5. Ignores non-quantitative factors
6. Less useful for making non-programmed decisions
7. Less useful for organisations with a non-sharing culture
8. Effectiveness decreases due to frequent changes in top management,
organizational structure and operation team

7. Establishing information requirement
1. Environment information
(i) Government Policy
(ii) Factors of Production
(iii) Technological Environment
(iv) Economic Trends

2. Competitive information
(i) Industry demand
(ii) Firm demand
(iii) The Competitive Data

3. Internal information
(i) Sales Forecast
(ii) Financial Plan/Budget
(iii) Supply Factors
(iv) Internal Policies

8. Factors on which information requirements depend
1. Operational Function
2. Type of decision making
(i) Programmed decisions
(ii) Non-Programmed decisions

3. Level of management activity
(i) Strategic Level
(ii) Tactical Level
(iii) Supervisory Level

9. Levels of Management
1. Top Level (Strategic Level)
2. Middle Level (Tactical Level)
3. Supervisory Level


System approach and Decision Making

1. Steps in the process of decision making
1. Defining of the problem
2. Gathering and analysing data concerning the problem
3. Identification of alternative solution
4. Evaluation of alternative solution
5. Selection of the best alternative
6. Implementation of the solution

2. Classification of Decisions
1. Programmed and non-programmed decisions
2. Strategic and Tactical decisions
3. Individual and Group decision


Decision Support and Executive Information Systems

1. Character of decision support system (DSS)
1. Semi-structured and Unstructured Decisions
2. Ability to adapt to changing needs
3. Easy to use

2. Components of Decision Support Systems (DSS)
1. The users
2. Databases
3. Planning Languages
4. Model Base

3. Tools of Decision Support Systems (DSS)
(1) Data-based Software
(2) Model Based Software
(3) Statistical Software
(4) Display Based Software

4. Characteristics of the types of information used in executive decision
(1) Lack of Structure
(2) High degree of uncertainty
(3) Future Orientation
(4) Informal source
(5) Low Level of Detail

5. Purpose of Executive Information System
1. Support Managerial Learning
2. Timely access to information
3. Ability to direct management attention to specific areas


Enabling Technologies

1. Traditional Computing Model
1. Mainframe Architecture
2. Personal Computers
3. File Sharing Architecture
4. Client Server Model

2. Benefit of the Client/Server Technology
1. Easier work
2. Reduction of Cost
3. Increase Productivity
4. End User Productivity
5. Developer Productivity
6. Fewer persons required for maintenance
7. Less expenses in Hardware
8. Increase in Efficiency
9. Reduction in cost of purchasing, installing and upgrading software programs
10. Increase in Management control
11. Easier to implement
12. Long term cost benefits for development and support

3. Characteristics of Client/Server Technology
1. Consists of Client and Server processes
2. Client and Server portions can operate on separate computer platforms
3. Any platform can be upgraded without having to upgrade the other platform
4. Server is able to service multiple clients or vice versa
5. Capability of networking
6. Significant portion of the application logic resides at the client end
7. Action is usually initiated at the client end
8. GUI generally resides at the client end
9. SQL capability is present
10. Database server should provide data protection and security

4. Components of Client Server Architecture
1. Client
2. Server
3. Middleware
4. Fat-client or Fat-Server
5. Network


5. Control techniques to increase the security as per IS auditor requirement
1. Disabling the floppy disk drive
2. Diskless workstation
3. Network monitoring
4. Data encryption techniques
5. Authentication system should be introduced, requiring entry of username and
password
6. Use of Smart Card
7. Use of Application controls

6. Risk of Client/Server
1. Technological Risks
2. Operational Risks
3. Economic Risks
4. Political Risks


System Development Process

1. Activities of System Development Life Cycle
1. Preliminary Investigation
2. Requirements analysis or systems analysis
3. Design of System
4. Development of Software
5. Systems Testing
6. Implementation and Maintenance

2. Reasons for failure of system development activities
1. Lack of senior management support for and involvement in information
system development
2. Shifting user needs
3. Development of Strategic system
4. New Technologies
5. Lack of Standard Project management and systems development
methodologies
6. Overworked or under-trained development staff
7. Resistance to change
8. Lack of user participation
9. Inadequate testing and user training

3. Approaches to Systems Development
1. Traditional Approach
2. Prototyping Approach
3. End user development approach
4. Top down Approach
5. Bottom up Approach
6. Systematic Approach for Development in small organizations

4. Steps for Prototyping Approach
1. Identify Information System Requirements
2. Develop the Initial Prototype
3. Test and Revise
4. Obtain User Signoff of the Approved Prototype

5. Advantage of Prototyping Approach
1. Satisfaction of users' needs and requirements
2. Short Period required for development
3. Errors detected and eliminated early in the developmental process


6. Disadvantage of Prototyping Approach
1. More time required in experimenting with approach
2. Frequent testing required
3. Causes behavioral problems with system users

7. Stages in Top down Approach
1. Analyse the objectives and goals of the organisation
2. Identify the functions of the organisation
3. Ascertain the major activities, decisions and functions
4. Identify the information requirement for activities and decisions
5. Prepare specific information processing programs in detail and modules
within these programs

8. System Development Life Cycle Methodology
1. Project divided into a number of identifiable processes
2. Deliverables should be produced periodically to monitor the development
process
3. Participation of higher authority in the project is required
4. Testing before implementation
5. Training plan should be developed for users
6. Assess the effectiveness and efficiency before installing new system

9. Objectives of Preliminary Investigation
1. Clarify and understand the project request
2. Determine the size of the project
3. Technical and Operational feasibility
4. Assess cost and benefits of alternative approaches
5. Report findings to the management

10. Preliminary Investigation methodology/process
1. Conducting the Investigation
2. Identifying Viable Option
3. Testing Project's Feasibility
4. Estimating Costs and Benefits
5. Reporting Results to Management

11. Methods of Investigation
1. Reviewing internal documents
2. Conducting interviews


12. Types of Project's Feasibility
1. Technical Feasibility
2. Economic Feasibility
3. Operational Feasibility
4. Schedule Feasibility
5. Legal Feasibility

13. Types of Cost in Cost benefit analysis
1. Development Cost
2. Operational Cost
3. Intangible Cost

14. Fact finding techniques for systems analysis
1. Documents
2. Questionnaires
3. Interviews
4. Observation

15. Methods of analysis of Present system by the System Analyst
1. Review Historical Aspects
2. Analyse inputs
3. Review data files maintained
4. Review methods, procedures and data communications
5. Analyse outputs
6. Review internal controls
7. Model the existing physical system and logical system
8. Undertake overall analysis of present system

16. Tools for System Development
1. System components and flows
2. User interface
3. Data attributes and relationships
4. Detailed system process


System Design
1. Areas of New System Design
1. Output
2. Input
3. Processing
4. Storage
5. Procedures
6. Personnel

2. Important factors in Output design
1. Content
2. Form
3. Output Volume
4. Timeliness
5. Media
6. Format

3. Various methods of presenting output information
1. Tabular Format
2. Graphic Format

4. Guidelines for designing printed output
1. Read from left to right and top to bottom
2. Items should be easiest to find
3. Printed report should include heading, title of report, page number, etc
4. Related data should be grouped together
5. Control breaks should be used to find critical information
6. Sufficient margin should be made on page
7. Detail line for variable data should be defined
8. Mock up reports should be reviewed

5. Important factors for Input Design
1. Content
2. Timeliness
3. Media
4. Format
5. Input Volume


6. Guidelines for form Input design
1. Making forms easy to fill
(i) Form Flow
(ii) Divide forms in logical sections
(iii) Filled Template
(iv) Captioning

2. Meeting the intended purpose
3. Ensuring accurate completion
4. Keeping forms attractive

7. Coding methods for Input Design
1. Individuality
2. Space
3. Convenience
4. Expandability
5. Suggestiveness
6. Permanence

8. Coding Scheme for Input Design
1. Classification Codes
2. Function Codes
3. Significant-digit subset codes
4. Mnemonic Codes
5. Hierarchical Classification

9. Contents of System Manual
1. General Description of the existing system
2. Flow of existing system
3. Output of the existing system
4. General description of the new system
5. Flow of the new system
6. Output layout
7. Output distribution
8. Input layouts
9. Input responsibility
10. Macro-logic
11. Files to be maintained
12. List of Programs
13. Timing estimates
14. Controls
15. Audit Trail


System's Acquisition, Software Development and Testing

1. Important points for selecting a computer system
1. Latest possible technology
2. Capability of Storage peripherals
3. Software Package
4. Compare same series computer
5. Vendor and machine selection

2. Advantage of Buying Software/Pre-written application package
1. Rapid Implementation
2. Low Risk
3. Quality
4. Cost

3. Factors for validation of Vendors' proposals evaluation
1. The performance Capability
2. The cost and benefit analysis
3. The Maintainability
4. The Compatibility
5. Vendor Support

4. Methods for Validation of the vendor's proposal
1. Checklists
2. Point-Scoring Analysis
3. Public evaluation reports

5. Stages for Software Development
1. Program Analysis
2. Program Design
3. Program Coding
4. Debug the program
(i) Use Structured walkthroughs
(ii) Test the program
(iii) Review the program code for adherence to standards
5. Program documentation
6. Program maintenance

6. Tools for Program Design
1. Program flow Chart
2. Pseudo Code
3. Structure Chart
4. 4GL Tools
5. Object oriented programming and design tools


7. Pre-requisite for system testing
1. Preparing realistic test data
2. Processing Test data
3. Thorough checking of the results
4. Reviewing the results


System Implementation and Maintenance
1. Steps for Equipment Installation
1. Site Preparation
2. Equipment Installation
3. Equipment check out

2. Strategies for converting from the old system to the new system
1. Direct Changeover
2. Parallel conversion
3. Gradual Conversion
4. Modular prototype conversion
5. Distributed conversion

3. Fundamental activities before conversion of previous system to new
information system
1. Procedure Conversion
2. File Conversion
3. System Conversion
4. Scheduling Personnel and equipment
5. Alternative plans in case of equipment failure

4. Types of evaluation of the new system
1. Development evaluation
2. Operation Evaluation
3. Information Evaluation

5. Category of System Maintenance
1. Scheduled maintenance
2. Rescue maintenance


Enterprise Resource Planning: Redesigning Business

1. Characteristics of ERP
1. Flexibility
2. Modular & Open
3. Comprehensive
4. Beyond the Company
5. Best Business Practices

2. Features of ERP
1. ERP provides multi-facility
2. Support Planning
3. End to end supply chain management
4. Company-wide integrated information system
5. Increase Corporate Goodwill
6. Bridges the information gap across organisations
7. Integration of system
8. Solution for better project management
9. Allows automatic introduction of the latest technologies
10. Eliminates problem
11. Provides intelligent business tools

3. Benefits of ERP
1. Gives better business control
2. Reduce paper work
3. Improve timeliness
4. Faster customer response
5. Better monitoring and quicker resolution of queries
6. Quick response to changing market conditions
7. Competitive Advantage
8. Improve Supply-demand linkage
9. Improve international business
10. Better access of Management Information

4. Methodology for ERP Implementation
1. Identifying the needs
2. Evaluation ERP
3. Deciding
4. Reengineering the business process
5. Evaluating various ERP Packages
6. Finalising most suitable ERP Package
7. Installing the required hardware and software
8. Finalising consultants
9. Implementing the ERP Package


5. Criteria for evaluating various ERP packages
1. Flexibility
2. Comprehensive
3. Integrated
4. Beyond the company
5. Best business practices
6. New technologies

6. Guidelines for ERP Implementation
1. Understanding the corporate needs and culture of the organization
2. Process redesign exercise
3. Establish good communication network
4. Provide strong and effective leadership
5. Finding an efficient and capable project manager
6. Creating a balanced team
7. Selecting a good implementation methodology
8. Training end user
9. Making the required changes in the working environment


Controls in EDP Set-Up: General Controls

1. Types of Controls in Computer-Based systems
1. General Controls
2. Application Controls

2. Objectives of Operating systems controls
1. Protect itself from users
2. Protect users from each other
3. Protect users from themselves
4. Be protected from itself
5. Be protected from its environment

3. Security Components for Operating System
1. Logon Procedure
2. Access Token
3. Access Control List
4. Discretionary Access Control

4. Threats to Operating System Integrity
1. Accidental Threats
2. Intentional Threats

5. Controlling Access Privileges for Operating system
1. Password Control
2. Reusable Passwords
3. One-time Passwords

6. List of Common type of Destructive Programs in Operating System
1. Virus
2. Worm
3. Logic Bomb
4. Back Door
5. Trojan Horse

7. Objective of Audit Trails to support security in Operating System
1. Detecting Unauthorized Access
2. Reconstructing Events
3. Personal Accountability


8. List of Several database control features
1. User View
2. Database Authorization Table
3. User-Defined Procedures
4. Data Encryption
5. Biometric Devices

9. List of controls in Organization Structure
1. Separating systems development from computer operations
2. Separating the database Administrator from other Functions
3. Separating New Systems Development from Maintenance
4. An Alternative Structure for Systems Development
5. Separating the Data Library from Operations

10. Activities of System development Controls
1. System Authorization Activities
2. User Specification Activities
3. Technical Design Activities
4. Internal Audit Participation
5. Program Testing
6. User Test and Acceptance Procedures

11. Activities of system Maintenance Controls
1. Maintenance Authorisation, Testing and Documentation
2. Source Program Library Controls
3. Audit Trail and Management Report
4. Program Version Number
5. Controlling Access to Maintenance Commands
6. Message Sequence Numbering

12. Various tools which damage Computer Centre Security
1. Fire Damage
2. Water Damage
3. Energy Variations
4. Pollution damage
5. Unauthorized Intrusion

13. List of major features of well designed fire protection system
1. Automatic and manual Fire alarm
2. Fire System
3. Manual Fire Extinguisher at strategic location
4. Control Panel
5. Master Switches installed
6. Building may be constructed from fire resistant materials
7. Fire Extinguishers and Fire Exits should be marked clearly


8. Automated system should be installed to inform fire station
9. Experienced Security Officer should be deployed

14. Components of Disaster Recovery Plan
1. Emergency Plan
2. Recovery Plan
3. Backup Plan
4. Test Plan

15. Tools for Controlling risk from Subversive Threats
1. Firewalls
(i) Network-Level Firewalls
(ii) Application-level firewall
2. Controlling Denial of Service attacks
3. Encryption
(i) Private Key Encryption
(ii) Public Key Encryption
4. Message Transaction Log
5. Call Back Devices

16. Inherent Problems of Personal Computers and the Controls
1. Weak Access control
2. Multilevel Password Control
3. Inadequate Backup Procedure


Controls in EDP Set-Up: Application Controls
1. Classes of Input Control
1. Source Document Controls
2. Data Coding Controls
3. Batch Controls
4. Input error Correction
5. Generalized data input systems

2. Control List for Source Document
1. Use Pre-numbered Source Documents
2. Use Source Documents in Sequence
3. Periodically Audit source Documents

3. Types of Error
1. Transcription Error
(i) Addition Error
(ii) Truncation Error
(iii) Substitution Error
2. Transposition Error

4. Levels of Input Validation Controls
1. Field Interrogation
2. Record Interrogation
3. File Interrogation

5. Common Type of Field Interrogation
1. Limit Checks
2. Picture Checks
3. Valid Code Checks
4. Check Digit
5. Arithmetic Checks
6. Cross Checks
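
The field interrogation checks listed above (limit, picture, valid code and check digit), run over keying errors of the kinds named under "Types of Error", as an added example that is not part of the original notes. The record layout, the department code table, the amount limit and the modulus-11 check-digit scheme with weights 6,5,4,3,2 are assumptions chosen for illustration.

```python
import re
from typing import List, Optional

# Assumed field rules for a constructed payment record (not from the notes).
VALID_DEPT_CODES = {"FIN", "MKT", "PRD", "HRD"}   # table for the valid code check
AMOUNT_LIMIT = 50000                              # ceiling for the limit check
ACCOUNT_PICTURE = re.compile(r"[0-9]{6}")         # picture: 5 base digits + 1 check digit


def mod11_check_digit(base: str) -> Optional[str]:
    """Return the modulus-11 check digit for a 5-digit base number.

    Weights 6,5,4,3,2 are applied left to right. Because 11 is prime and
    neighbouring weights differ by 1, any single substituted digit and any
    swap of two adjacent digits changes the weighted sum modulo 11.
    A base that would need the check value 10 is treated as not issuable.
    """
    weights = range(len(base) + 1, 1, -1)
    total = sum(int(digit) * weight for digit, weight in zip(base, weights))
    check = (11 - total % 11) % 11
    return None if check == 10 else str(check)


def check_digit_ok(account: str) -> bool:
    """Recompute the check digit from the base and compare with the keyed one."""
    expected = mod11_check_digit(account[:-1])
    return expected is not None and expected == account[-1]


def interrogate_fields(record: dict) -> List[str]:
    """Apply field-level checks to one record and return the list of failures."""
    errors = []

    account = record.get("account", "")
    if not ACCOUNT_PICTURE.fullmatch(account):
        # Picture check: catches addition and truncation errors (wrong length)
        # and non-numeric characters before any arithmetic is attempted.
        errors.append("picture check: account")
    elif not check_digit_ok(account):
        # Check digit: catches substitution and transposition errors that
        # still look like a well-formed account number.
        errors.append("check digit: account")

    if record.get("dept") not in VALID_DEPT_CODES:
        errors.append("valid code check: dept")

    amount = record.get("amount")
    if type(amount) is not int or not 0 < amount <= AMOUNT_LIMIT:
        errors.append("limit check: amount")

    return errors


# Constructed sample batch: the correct account number is 123455.
SAMPLE_RECORDS = [
    {"account": "123455", "dept": "FIN", "amount": 1200},    # clean record
    {"account": "132455", "dept": "FIN", "amount": 1200},    # transposition: 2 and 3 swapped
    {"account": "123755", "dept": "MKT", "amount": 900},     # substitution: 4 keyed as 7
    {"account": "12345", "dept": "PRD", "amount": 300},      # truncation: last digit dropped
    {"account": "1234555", "dept": "PRD", "amount": 300},    # addition: extra digit keyed
    {"account": "123455", "dept": "XYZ", "amount": 75000},   # unknown code, over the limit
]


def run_batch(records: List[dict]) -> List[tuple]:
    """Return (account, failures) for every record in the batch."""
    return [(r["account"], interrogate_fields(r)) for r in records]


if __name__ == "__main__":
    for account, failures in run_batch(SAMPLE_RECORDS):
        print(account, "OK" if not failures else "; ".join(failures))
```
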

6. Common Type of Record Interrogation
1. Sequence Checks
2. Format Completeness Checks
3. Combination Checks
4. Passwords

7. Common Type of File Interrogation
1. Internal Label Checks
2. Version Checks
3. Expiration Date Checks


8. Common error-handling technique for input error correction
1. Immediate Correction
2. Create an error file
3. Reject the entire batch

9. Categories of Processing Controls
1. Run-to-Run Controls
2. Operator Intervention controls
3. Audit Trail Controls

10. Techniques to preserve audit trails in Computer Based Information
System
1. Transaction Logs
2. Transaction Listing
3. Log of Automatic Transactions
4. Listing of Automatic Transactions
5. Unique Transaction Identifiers
6. Error Listing

11. Type of Output Control
1. Tape and Disk Output Controls
2. Printed Output Controls

12. Techniques of Output controls for printed output
1. Verification of Output
2. Distribution of Output
3. Procedures for acting on exception reports


Detection of Computer Frauds

1. Computer frauds include the following activities
1. Clearly recognizable frauds
2. Hacking
3. Manipulation of computer system
4. Theft or destruction of confidential and sensitive information
5. Abuse of computer systems by employees
6. Software piracy

2. Data Processing model fraud
1. Input
2. Processor
3. Computer Instruction
4. Data
5. Output
6. Malicious alterations of email

3. Different ways of Internet Fraud
1. It is unregulated
2. Low Cost and can be set up anywhere in India
3. An impressive site
4. Glamour and novelty
5. May operate outside the legal jurisdiction

4. Reasons why it is not known how much companies lose because of Computer Fraud
1. Not everyone agrees on what constitutes computer fraud
2. Many computer frauds go undetected
3. Frauds are not reported
4. Most networks have a low level of security
5. Many internet pages give step-by-step instructions on how to perpetrate
computer frauds and abuses
6. Law enforcement is unable to keep up with the growing number of computer
frauds.

5. Precautions/measures to decrease computer frauds
1. Make Fraud Less Likely to Occur
2. Use Proper Hiring and Firing Practices
3. Manage Disgruntled Employees
4. Train Employees in Security and Fraud Prevention Measures
5. Security measures
6. Telephone disclosures
7. Fraud awareness
8. Ethical considerations

9. Punishment for unethical behavior
10. Educating employees in security issues
11. Manage and Track Software Licenses
12. Require Signed Confidentiality Agreements

6. Different ways to control Computer fraud
1. Develop a Strong System of Internal Controls
2. Segregate Duties
3. Require Vacations and Rotate Duties
4. Restrict Access to Computer Equipment and Data Files
5. Encrypt Data and Programs
6. Protect Telephone Lines
7. Protect the System from Viruses
8. Control Sensitive Data
9. Control Laptop Computers

7. Steps to detect Computer Fraud
1. Conduct Frequent Audits
2. Use a Computer Security Officer
3. Use Computer Consultants
4. Monitor System Activities
5. Use fraud detection software

8. Methods to reduce Computer fraud Losses
1. Maintain Adequate Insurance
2. Keep a current backup copy
3. Develop a contingency plan
4. Use special software designed to monitor system activity


Cyber Laws and Information Technology Act 2000
1. Objectives of Act
1. To grant Legal Recognition for transaction
2. To give Legal Recognition to Digital Signature
3. To facilitate electronic filing of documents with Government
4. To facilitate electronic storage of data
5. To facilitate and give legal sanction to electronic fund transfer
6. To give legal recognition for keeping books of account by bankers
7. To amend the various Indian Acts

2. Areas where the Act shall not apply
1. A negotiable Instrument
2. A trust
3. A will
4. Any contract for the sale or conveyance of immovable property
5. Any such class of documents or transactions


Audit of Information Systems

1. Disadvantage of Computer Audit Approach
1. Electronic Evidence
2. Terminology
3. Automated Processes
4. New Risks and Controls
5. Reliance on Controls

2. Areas for review before starting of Information System (IS) audit
1. Computerised Systems and Applications
2. Information Processing Facilities
3. System Development
4. Management of Information systems
5. Client/Server, Telecommunications and Intranets

3. Framework for auditing computer security
1. Types of Security errors and Fraud faced by companies
2. Control Procedures to minimize security errors and fraud
3. Systems review audit procedures
4. Tests of controls audit procedures
5. Compensating Controls


Information Security

1. Objective of Information Security
1. Information easily available and usable when required (Availability)
2. Data and information are disclosed only to those who have a right to know it
(Confidentiality)
3. Data and Information are protected against unauthorized modification
(Integrity)

2. Steps for establishing better information protection
1. Not all data has the same value
2. Know where the critical data resides
3. Develop an access control methodology
4. Protect information stored on media
5. Review hardcopy output

3. Core Principles of Security Objective
1. Accountability - Responsibility and accountability must be explicit
2. Awareness - Awareness of risks and security initiatives must be disseminated
3. Multidisciplinary - Security must be addressed taking into consideration both
technological and non-technological issues
4. Cost Effectiveness - Security must be cost effective
5. Integration - Security must be coordinated and integrated
6. Reassessment - Security must be reassessed periodically
7. Timeliness - Security procedures must provide for monitoring and timely
response
8. Societal Factors - Ethics must be promoted by respecting the rights and
interests of others.

4. Types of Protection for an Organization
1. Preventative Information Protection
2. Restorative Information Protection
3. Holistic Protection


Use of Simple CASE Tools, Analysis of Financial Statements using
Digital Technology
1. Key components of Computer Aided Software Engineering (CASE)
environments
1. Analysis Dimension
2. Development Dimension
3. Management Dimension
4. Support Dimension


Exam Paper Analysis at a glance:


1. Compulsory Question

1. EDP General Controls (Ch 13)
2. EDP Application Controls (Ch 14)
3. Computer Frauds (Ch 15)
4. Cyber Laws (Ch 16)
5. Audit of Information System (Ch 17)
6. MIS (Ch 3)

2. Normal Questions with high value

1. System Development Process (Ch 7)
2. System Design (Ch 8)
3. System Acquisition S/W Development & Testing (Ch 9)
4. System Implementation & Maintenance (Ch 10)
5. Design of Computerised Commercial Applications (Ch 11)
6. Information Security (Ch 18)

3. Less Important Chapters

1. Basic Concept of Systems (Ch 1)
2. System Approach & Decision Making (Ch 4)
3. Decision Support System (Ch 5)
4. Enabling Technologies (Ch 6)
5. ERP (Ch 12)
6. CASE Tools (Ch 19)

4. Other points to remember

1. As per the analysis of the last several exam papers, Chapter 7 to Chapter
10 (System Development to System Maintenance) account for nearly 40-45
marks.
2. Questions from Design of Computerised Commercial Applications (Ch
11): this question will always come directly from the Institute module.
3. Do not leave MIS. In the last few papers it has carried a high weight of around 15 marks.
4. Also, EDP General and EDP Application Controls account for around 15-25
marks and mostly come along with Fraud or System Chapters 7 to 10.


Question and Answer Zone


(47 Most IMP FAQ)
CHAPTER 1

Q-1 What is information and what are its characteristics?

Information is data that has been put into a meaningful and useful context. A data processing
system processes data to generate information. Information is the substance on which
business decisions are based. Therefore, the quality of information determines the quality of
action or decision.

Information is a basic resource in modern society. Organizations spend most of their time
generating, processing, creating, using, and distributing information. Information and
information systems are valuable organizational resources that must be properly managed for
the organization to succeed.

Information flows are as important to the survival of a business as the flow of blood is to the
life and survival of an individual. Information flow is important for good business decisions,
and it has often been said that the recipe for business is “90% information and 10%
inspiration.”

Characteristics of information

The important characteristics of useful and effective information are as follows.

1. Timeliness- It is a mere truism to say that information, to be of any use, has to be timely.
Time losses must be very carefully watched on a daily and continuous basis and
analyzed to find means to minimize them; the MIS must be geared for this purpose.
However, it is not always necessary that information is required at such a short
interval. Usually, as we proceed from the lower levels to the higher levels of
management, the time interval necessary for providing decision-important
information on a routine or an exception basis increases at the strategic level.

2. Purpose- Information must have a purpose at the time it is transmitted to a person or
machine; otherwise it is simply data. Information communicated to people has a
variety of purposes, because of the variety of activities performed by business
organizations. The basic purpose of information is to inform, evaluate, persuade
and organize.

3. Mode and format- The modes of communicating information to humans are sensory
(through sight, hearing, taste, touch, smell), but in business they are either visual, verbal or
in written form.
The format of information should be so designed that it assists in decision making, solving
problems, initiating planning, controlling and searching. Therefore all the statistical rules of
compiling statistical tables and presenting information by means of diagrams, graphs, curves,
etc., should be considered and the appropriate one followed. The data should only be classified
into those categories which have relevance to the problem at hand. The format of information
dissemination is a matter of imagination and perception. It should be simple and relevant,
should highlight important points but should not be too cluttered up.

4. Redundancy- It means the excess of information carried per unit of data. For
example, 70% of the letters used in a phrase are usually redundant. However, in a business
situation redundancy may sometimes be necessary to safeguard against error in the
communication process. For example, correspondence in contracts may carry a figure
like “4” followed by the word “four”.

5. Rate- The rate of transmission/reception of information may be represented by the
time required to understand a particular situation. Quantitatively, the rate for humans
may be measured by the number of characters per minute, such as sales reports from
a district office. For machines the rate may be based on the number of bits of information
per character per unit of time.

6. Frequency- The frequency with which information is transmitted or received
affects its value. Financial reports prepared weekly may show so little change that
they have small value, whereas monthly reports may indicate changes big enough to
show problems and trends.

7. Completeness- The information should be as complete as possible. With complete
information the manager is in a much better position to decide whether or not to
undertake the venture.

8. Reliability- In statistical surveys, for example, the information that is arrived at
should have an indication of the confidence level. Even otherwise, information
should be reliable, and the external sources relied upon should be indicated.

9. Cost benefit analysis- The benefits that are derived from the information must justify
the cost incurred in procuring it. The cost factor is not difficult to establish.
In fact, the assessment of benefits is very subjective and its conversion into objective
units of measurement is almost impossible. To solve this problem we can classify all
the managerial statements into categories with reference to the importance
attached, say, (a) absolutely essential statements, (b) necessary statements, (c) normal
statements, (d) extra statements.

10. Validity- It measures the closeness of information to the purpose which it purports to
serve. For example, some productivity measures may not measure, for the given
situation, what they are supposed to, e.g., the real rise or fall in productivity. The
measure suiting the organization may have to be carefully selected or evolved.

11. Quality- Quality refers to the correctness of information. Information is likely to be
spoiled by personal bias. For example, an over-optimistic salesman may give
rather too high estimates of sales. This problem, however, can be circumvented by
maintaining records of the salesman's estimates and actual sales and deflating or inflating the
estimates in light of this.

Q-2 Differentiate between the following :-
i) Deterministic & probabilistic system
ii) Open & closed systems
iii) Sub-system & supra system

--------------------------------------------------------------------------------------------------
Ans. I) Deterministic system                    Probabilistic system
--------------------------------------------------------------------------------------------------
1. Operates in a predictable manner.            Operates in a probable manner.

2. Interaction among its subsystems can         Has a probable behavior that
   be anticipated without errors.               cannot be anticipated without errors.

3. E.g. a computer system.                      E.g. manual processing system,
                                                inventory system.
--------------------------------------------------------------------------------------------------
II) Closed                                      Open
--------------------------------------------------------------------------------------------------
1. An independent, self-contained system        Actively interacts with other
   that does not interact with the              systems and establishes relations.
   environment.

2. As it does not get feedback from the         Aware of the environment around
   environment, it tends to deteriorate.        it and gets continuous feedback.

3. E.g. some computer program.                  E.g. business organization.
--------------------------------------------------------------------------------------------------

III) Subsystem :- A subsystem is part of a larger system. Each system is composed of
subsystems, which in turn are made up of other subsystems, each subsystem being delineated
by its boundaries. The interconnections and interactions between the subsystems are termed
interfaces.

Supra system :- A supra system refers to the entity formed by a system and other
equivalent subsystems with which it interacts. For example, an organization may be subdivided
into numerous functional areas such as marketing, finance, etc. Each of these functional areas
can be viewed as a subsystem of a larger system. For example, marketing may be viewed as a
system that consists of elements such as market research, advertising, etc. Collectively, these
elements in the marketing area may be viewed as making up the marketing supra system.

CHAPTER 2

Q-3 Write a short note on the transaction processing cycle. Also explain the four common
cycles of business activity.

Ans. The term accounting information system includes the variety of activities associated
with an organization's transaction processing cycles. Although no two organizations are
identical, most experience similar types of economic events. These events generate various
transactions. A transaction processing cycle organizes transactions by an organization's
business processes. The nature and types of TPS vary, depending on the information needs of
a specific organization. Nevertheless, most business organizations have in common
transactions that may be grouped according to 4 common cycles of business activity.

Four common cycles

1. Revenue cycle :- events related to the distribution of goods and services to other
entities and the collection of related payments.
2. Expenditure cycle :- events related to the acquisition of goods and services from
other entities and the settlement of related obligations.
3. Production cycle :- events related to the transformation of resources into goods and
services.
4. Finance cycle :- events related to the acquisition and management of capital funds
including cash.

The transaction cycle model of an organization includes a fifth cycle, the financial
reporting cycle. The financial reporting cycle is not an operating cycle. It obtains accounting
and operating data from the other cycles and processes these data in such a manner that
financial reports may be prepared. The preparation of financial reports in accordance with
generally accepted accounting principles requires many valuations and adjusting entries that
do not directly result from exchanges. Depreciation and currency transactions are two
common examples. Such activities are part of an organization's financial reporting cycle.

Q-4 Write a short note on the transaction processing system.

Ans :- The principal components of a TPS include inputs, processing, storage, and outputs.
These components or elements are part of both manual and computerized systems.
i) Input: Source documents such as customer orders, sales slips, invoices, purchase orders
and employee time cards are the physical evidence of inputs into the TPS.

ii) Processing: Processing involves the use of journals and registers to provide a permanent
and chronological record of inputs. The entries are made either by hand in simple manual
systems or by a data entry operator using a PC. Journals are used to record financial
accounting transactions and registers are used to record other types of data not directly related to
accounting.


iii) Storage: Ledgers and files provide storage of data in both manual and computerized
systems. The general ledger, the accounts/vouchers payable ledgers and the accounts
receivable ledgers are the records of financial accounts. They provide summaries of a firm's
financial accounting transactions. All accounting transactions must be reflected in the GL.

iv) Computer storage: A file is an organized collection of data. There are several types of
files. A transaction file is a collection of input data. Transaction files usually contain data
that are of temporary rather than permanent interest. By contrast, a master file contains data
that are of a more permanent or continuing interest.

v) Computer processing: When computers are used for processing, two different modes of
processing accounting transactions are possible. These modes are batch processing and direct
processing. Batch processing is conceptually very similar to a traditional manual accounting
system.

vi) Outputs: There is a wide variety of outputs from a TPS. Any document generated in the
system is an output. Some documents are both output and input (e.g. a customer invoice is
an output from the order entry application system and also an input document to the
customer). Other common outputs of a TPS are the trial balance, financial reports, operational
reports, pay cheques, bills of lading and voucher cheques (payments to vendors).

CHAPTER 3

Q-5 (i) Explain the pre-requisites of an effective MIS.
(ii) What are the major constraints in operating an MIS?

Ans. (i) MIS is an old management tool. It is being used by business managers as a
means for better management and scientific decision making. However, it has attained new
dimensions after the advent of computers. The main pre-requisites of an effective MIS are as
follows :-

A) Database :- It can be defined as a superfile which consolidates data records formerly
stored in many data files. The data in a database is organized in such a way that access to the
data is improved and redundancy is reduced. Normally, the database is sub-divided into the
major information subsets needed to run a business.
These subsets are (a) customer and sales file, (b) vendor file, (c) personnel file, (d) inventory file,
(e) GL accounting file.
The main characteristic of a database is that each subsystem utilizes the same data and
information kept in the same file to satisfy its information needs.
The database is capable of meeting the information requirements of its executives, which is necessary for
planning, organizing and controlling the operations of the business concern. But it has been
observed that such a database meets the information needs of control to its optimum.

B) Qualified system & management staff : The second prerequisite of an effective MIS is
that it should be manned by qualified officers. These officers, who are experts in the field,
should understand clearly the views of their fellow officers. For this, the organizational
management base should comprise two categories of officers, viz.
1) systems and computer experts, 2) management experts.

C) Support of top management : The MIS, to be effective, should receive the full support of
the top management. The reasons for this are as follows :-
1) Subordinate managers are usually lethargic about activities which do not receive the
support of their superiors.

2) The resources involved in a computer based information system are large and are growing
larger in view of the importance gained by MIS.

D) Control and maintenance of MIS : Control of the MIS means the operation of the system
as it was designed to operate. Sometimes, users develop their own procedures or shortcut
methods to use the system, which reduces its effectiveness. To check such habits of users, the
management at each level in the organization should devise checks for information system
control.
Maintenance is closely related to control. There are times when the need to improve
the system will be discovered. Formal methods for changing and documenting changes must
be provided.

E) Evaluation of MIS : The evaluation of MIS should take into account the following points :-
1) examining whether enough flexibility exists in the system to cope with any
expected or unexpected information requirement in future.
2) ascertaining the views of users and the designers about the capabilities and
deficiencies of the system.
3) guiding the appropriate authority about the steps to be taken to maintain
effectiveness of MIS.

Ans (ii) Constraints in operating an MIS : The major constraints which come in the way of
operating an information system are as follows :-
a) Non-availability of experts who can diagnose the objectives of the
organization and provide a desired direction for installing and operating the
system. This problem may be overcome by grooming internal staff. The
grooming of staff should be preceded by proper selection and training.
b) Experts usually face the problem of selecting the sub-system of MIS to be
installed and operated upon. The criterion which should guide the experts here
may be the need and importance of the information for which an MIS can be
installed first.
c) Due to the varied objectives of business concerns, the approach adopted by
experts for designing and implementing MIS is a non-standardized one.
Though nothing can be done in this regard at the initial stage, by and by
standardization may be arrived at for organizations in the same industry.
d) Non-availability of co-operation from staff is in fact a crucial problem. It
should be handled tactfully. Educating the staff may solve this problem. This
task should be carried out by organizing lectures, showing films and also
explaining to them the utility of the system.
e) There is a high turnover of experts in MIS. Turnover in fact arises due to
several factors like pay packet, promotion chances, future prospects, behavior
of top ranking officers, etc. Turnover of experts can be reduced by creating
better working conditions and paying at least at par with other similar
concerns.
f) Difficulty in quantifying the benefits of MIS so that they can be easily
compared with cost. This raises questions by departmental managers about
the utility of MIS. They forget that MIS is a tool which is essential to fight
out competition and the state of uncertainty that surrounds business today.

Q-6 Discuss the factors on which the information requirements of executives depend.

Ans- The factors on which the information requirements of executives depend are:
1. Operational function
2. Types of decision making
3. Level of management activity

1. Operational Function- The grouping or clustering of several functional units on the
basis of related activities into a sub-system is termed an operational function. For
example, in a business enterprise, marketing is an operational function, as it is the
clustering of several functional units like market research, advertising, sales analysis
and so on. Likewise, production, finance, personnel, etc. can all be considered as
operational functions.

2. Types of decision making- Organizational decisions can be categorized as
programmed and non-programmed ones.

Programmed decisions : Programmed decisions refer to decisions made on problems and
situations by reference to a predetermined set of precedents, procedures, techniques and
rules. These are well-structured in advance and are time tested for their validity. As a
problem or issue for decision making emerges, the relevant pre-decided rule or procedure is
applied to arrive at the decision. For example, in many organizations, there is a set procedure
for receipt of material, payment of bills, employment of clerical personnel, release of
budgeted funds, and so on.

Non-programmed decisions : These are decisions made on situations and problems which
are novel and non-repetitive and about which not much knowledge and information are
available. They are non-programmed in the sense that they are made not by reference to any
pre-determined guidelines, standard operating procedures, precedents and rules but by
application of managerial intelligence, experience, judgement and vision to tackling
problems and situations which arise infrequently and about which not much is known.

3. Level of management activity - Different levels of management activities in the
management planning and control hierarchy are the strategic level, tactical level and
operational level.

Strategic Level : Strategic level management is concerned with developing the organizational
mission, objectives and strategies. Decisions made at this level of the organization to handle
problems critical to the survival and success of the organization are called strategic
decisions. They have a vital impact on the direction and functioning of the organization, as
for example decisions on plant location, introduction of new products, making major new
fund raising and investment operations, adoption of new technology, acquisition of outside
enterprises and so on.

Tactical Level : The tactical level lies in the middle of the management hierarchy. At this level,
managers plan, organize, lead and control the activities of other managers. Decisions made at
this level, called tactical decisions (which are also called operational decisions), are made
to implement strategic decisions. A single strategic decision calls for a series of tactical
decisions, which are of a relatively structured nature. Tactical decisions are relatively short,
step-like spot solutions to break down strategic decisions into implementable packages.

Supervisory Level : This is the lowest level in the managerial hierarchy. The managers at this
level co-ordinate the work of others who are not themselves managers. They ensure that
specific tasks are carried out effectively and efficiently.

CHAPTER 4

Q-7 Briefly discuss the various functional information system areas.

Ans- There are various users of information systems in business, as there are a number of
activities to be performed in order to solve business problems. A business manager should
have a general understanding of the major ways information systems are used to support each
of the functions of business. Managerial end users are required to make decisions in several
areas, viz. finance, production, marketing, personnel, etc.

1. Finance and Accounting System- Finance and accounting, as such, are separate
functions but are sufficiently related to be described together. Accounting covers the
classification of financial transactions and summarization into the standard financial
statements (profit and loss account and balance sheet). The finance system ensures
adequate organizational financing at a low cost so as to maximize returns to
shareholders (owners). It comprises major functions such as granting of credit to
customers, collection process, cash management, financing capital and so on.

2. Marketing System - The marketing system is aimed at supporting the decision
making, reporting and transaction processing requirements of marketing and sales
management. The main objective of the marketing management system is to develop,
promote, distribute, sell and service the products of the organization and return a profit
that is enough to justify the existence of the organization. Marketing bridges the gap
between the business firm and its customers by making available to the customers
the products of the firm.
The information that marketing management receives is important;
however, the information that marketing generates is vital to the rest of the organization.
Because of this, the impact of ineffective marketing information systems is felt throughout
the organization. Even more important is marketing's role as a company's revenue
generating branch.
The marketing information system must be designed to support a
marketing management organization. It consists of the following inter-related information
sub-systems to enhance the decisional capacities in various marketing activities.
i) Sales
ii) Market research and intelligence
iii) Advertising and promotion
iv) Production development and planning
v) Production pricing system
vi) Customer services

3. Production System- One of the major areas in any kind of enterprise is production
and operations management. Generally, production management is the term used to
refer to those activities, which are necessary to manufacture products. However, in
many companies the area is broad enough to include such activities as purchasing,
warehousing, transportation, and other operations from the procurement of raw
materials through various activities until a product is available to the buyer.
The production system generally includes all activities relating to production planning,
product engineering, scheduling and operations of production facilities, quality control etc.
Decision making is based on information in the form of pending sales orders, expected sales,
consumer grievances, etc. Production decisions are aimed towards monitoring of in-process
inventory, balancing of daily finished and semi-finished stocks, and correction of any
deviation in production performance.

4. Personnel System- The personnel information system deals with the flow of
information about people working in the organization as well as future personnel
needs. In most organizations, the system is concerned primarily with the six
basic sub systems of the personnel function: recruitment, training, compensation,
maintenance and health and safety.
It is generally accepted that the personnel function is one of the best computerized of all
the personnel functions. An authorized system may not be necessary for small firms, but large
business firms are realizing that computer based personnel information systems are necessary
for increasing the operational efficiency of personnel management.

Q-8 What is Production Information System?

Q-9 Point out the basic requirements for production planning & control?

Ans- The main requirements of a production planning and control system are as follows:

1. Firm's policy with regard to production of various products.
2. Sales orders, sales forecast, stock positions, order backlog.
3. Available labour force with their capabilities.
4. Standards of labour time, material, machine time and overhead costs, etc.
5. Schedule of meeting the sales orders, region wise, territory wise etc.
6. Quality norms for materials to be used and for the finished products.
7. Break-up of the jobs and their resource requirements.

Q-10 "Personnel Information System deals with the flow of information relating to
people". Explain.

Ans- The personnel information system should be organized on a functional basis. It should
have the following information sub systems to increase the operational efficiency of personnel
management.

1. Recruitment- A properly managed recruitment sub system may forecast personnel
needs and skills required for recruiting personnel at the proper time to meet
organizational manpower needs. Such a sub system may not only furnish
information concerning skills required for company programs and processes but
also maintain the inventory of skills available within the organization.
2. Placements- This sub system is concerned with the task of matching the available
persons with the requirements. A good placements sub system makes use of the latest
behavioural tools and techniques. It ensures that the capabilities of people are
identified before being matched with properly organized work requirements.
3. Training and development- As technological changes and demands for new
skills accelerate, many new companies find that they must develop much of their
requirements from internal sources. In addition, a large part of the work force
must constantly be updated in new techniques and developments. This task is the
function of the training and development sub system.
4. Compensation- This sub system is concerned with the task of determining pay
and other benefits for the workers of the concern. It makes use of traditional
payroll and other financial records, government reports and union expectations
before arriving at the final figure of pay and other benefits for each category of
workers.
5. Maintenance- This sub system is designed to ensure that personnel policies and
procedures are achieved. It may be extended to the operation of systems control,
work standards which are required to measure performance against financial plans
or other programmes, and the many subsidiary records normally associated with
the collection, maintenance and dissemination of personal data.
6. Health & Safety- This sub system is concerned with the health of personnel and
the safety of jobs in the organization.

Q-11 Differentiate Between –
a) Programmed and Non Programmed Decisions
b) Strategic and Tactical Decisions
c) Individual and Group Decisions

Ans- (a) Programmed decisions : Programmed decisions refer to decisions made on
problems and situations by reference to a predetermined set of precedents, procedures,
techniques and rules. These are well-structured in advance and are time tested for their
validity. As a problem or issue for decision making emerges, the relevant pre-decided rule or
procedure is applied to arrive at the decision. For example, in many organizations, there is a
set procedure for receipt of material, payment of bills, employment of clerical personnel,
release of budgeted funds, and so on.

Non-programmed decisions : These are decisions made on situations and problems which
are novel and non-repetitive and about which not much knowledge and information are
available. They are non programmed in the sense that they are made not by reference to any
pre determined guidelines, standard operating procedures, precedents and rules but by
application of managerial intelligence, experience, judgement and vision to tackling problems
and situations which arise infrequently and about which not much is known.

(b) Strategic Level : Strategic level management is concerned with developing
organizational mission, objectives and strategies. Decisions made at this level of the
organization, to handle problems critical to the survival and success of the organization, are
called strategic decisions. They have a vital impact on the direction and functioning of the
organization, as for example decisions on plant location, introduction of new products, making
major new fund raising and investment operations, adoption of new technology, acquisition of
outside enterprise and so on.

Tactical Level : Tactical level lies in the middle of the management hierarchy. At this level,
managers plan, organize, lead and control the activities of other managers. Decisions made at
this level, called tactical decisions (which are also called operational decisions), are made
to implement strategic decisions. A single strategic decision calls for a series of tactical
decisions, which are of a relatively structured nature. Tactical decisions are relatively short,
step-like spot solutions to break down strategic decisions into implementable packages.

(c) Individual Decisions- Many decisions, even critical ones, in organizations are made by
individual managers, who assume full responsibility for the consequences of such decisions.
In fact, individual managers are vested with enough authority to make a large number of
decisions; they are paid for the job. The individual managers at their respective levels, right
from the chief executive down to the first line supervisor, are called upon to decide many things.
They may get information, factual analytical reports, pros and cons of alternatives and
suggested courses of action from their subordinates or from specially established committees.
But the responsibility and authority or the onus of making the final decision rests with the
concerned manager himself. He cannot delegate or abdicate this authority.

Group Decisions- Group decisions are those which are made by more than one manager
joining together for the purpose. In an organization, two or more managers at the same or
different levels put their heads together, jointly deliberate on the problem, information and
alternatives and hammer out a decision for which they assume collective responsibility.
Decisions which have inter departmental effects, for example a product related decision
affecting manufacturing, purchasing and marketing departments, are sometimes made by
forming a committee composed of responsible executives of the three departments.

CHAPTER 5

Q-12 Discuss various components of DSS. Also explain the categories of software tools
available?

Ans- A decision support system has four basic components: (1) The user (2) One or more
databases (3) A planning language (4) The model base

(1) The Users- The user of a decision support system is usually a manager with an
unstructured or semi-structured problem to solve. The manager may be at any
level of authority in the organization (e.g. either top management or operating
management). Typically, users do not need a computer background to use a
decision support system for problem solving. The most important knowledge is a
thorough understanding of the problem and the factors to be considered in finding
a solution.

(2) Database- Decision support systems include one or more databases. These
databases contain both routine and non routine data from both internal and
external sources. The data from external sources include data about the operating
environment surrounding an organization, for example, data about economic
conditions, market demand for the organization's goods or services, and industry
competition. Decision support users may construct additional databases
themselves. Some of the data may come from internal sources.

(3) Planning languages- Two types of planning languages that are commonly used
in decision support systems are (1) general purpose planning languages and (2)
special purpose planning languages. General purpose planning languages allow
users to perform many routine tasks, for example, retrieving various data from a
database or performing statistical analyses. The languages in most electronic
spreadsheets are good examples of general purpose planning languages.
Special purpose planning languages are more limited in what they can do, but they usually
do certain jobs better than the general purpose planning languages. Some
statistical languages, such as SAS, SPSS, and Minitab, are examples of special
purpose planning languages.

(4) Model Base- The planning language in a decision support system allows the users
to maintain a dialogue with the model base. The model base is the brain of the
decision support system because it performs data manipulations and computations
with the data provided to it by the user and the database. There are many types of
model bases, but most of them are custom developed models that do some types
of mathematical functions, for example, cross tabulation, regression analyses, time
series analyses, linear programming and financial computations. The model base
may dictate the type of data included in the database and the type of data provided
by the user.

Categories of Software Tools-
The tools of decision support include a variety of software supporting database query,
modeling, data analyses, and display. A comprehensive tool kit for DSS would include
software supporting these application areas.

Examples of software tools falling into these four categories are given below.

Data Based       Model Based      Statistical      Display Based
Software         Software         Software         Software

DBASE IV         Foresight        SAS              Chartmaster
FOCUS            IFPS             SPSS             SASGRAPH
NOMAD II         Lotus 123        TSAM             TELLAGRAF
RAMIS            Model
R : Base 5000    Multiplan
SQL              Omnicalc


CHAPTER 6

Q-13 What are the benefits of Client Server Technology?

Ans- Client/server systems have been hailed as bringing tremendous benefits to the new
user, especially the users of mainframe systems. Consequently, many businesses are
currently in the process of changing or in the near future will change from mainframe (or PC)
to client/server systems. Client/server has become the IT solution of choice among the
country's largest corporations. In fact, the whole transition process, that a change to a
client/server invokes, can benefit a company's long run strategy.

- People in the field of information systems can use client/server computing to make
  their jobs easier.
- Reduced total cost of ownership.
- Increased productivity:
    - End user productivity
    - Developer productivity
- It takes fewer people to maintain a client/server application than a mainframe.
- The expenses of hardware and network in the client/server environment are less than
  those in the mainframe environment.
- Users are more productive today because they have easy access to data and because
  applications can be divided among many different users, so efficiency is at its highest.
- Client/server applications make organizations more effective by allowing them to port
  applications simply and efficiently.
- Reduced cost of the client's computer: the server stores data for the clients rather
  than clients needing large amounts of disk space. Therefore, the less expensive
  network computers can be used instead.
- Reduced cost of purchasing, installing, and upgrading software programs and
  applications on each client's machine: delivery and maintenance
  would be from one central point, the server.
- The management control over the organization would be increased.
- It is many times easier to implement client/server than to change a legacy application.
- Leads to new technology and the move to rapid application development such as
  object oriented technology.
- Long term cost benefits for development and support.
- Easy to add new hardware to support new systems such as document imaging and
  video teleconferencing, which would not be feasible or cost efficient in a mainframe
  environment.
- Can implement multiple vendor software tools for each application.

Q-14 Write short note on Server Centric Model?

Ans- The TCO (Total Cost of Ownership) is one of the greatest concerns in today's
enterprise computing environment. In the past, much attention has been focused on the
initial acquisition costs to create an enterprise computing system rather than the ongoing
costs of ownership. According to much research, companies' acquisition costs, although a
substantial one time investment, represent only a portion of the total cost of an enterprise
computing solution. Today, however, the focus has shifted to recurring costs, often called
"soft" costs because they are difficult to quantify. Server-centric computing is a model in
which applications are deployed, managed, supported and executed 100% on a server. The
client handles data entry and information display.

It uses a multi user operating system and a method for distributing the representation of an
application's interface to a client device.
Traditionally used for centralizing business applications such as general ledger,
payroll, order entry and point of sale applications, this recently expanded model now
includes web based applications where users browse through data over the network. Almost
any client device can be adapted for use with server centric applications.

Q-15 What are the risks associated with the client-server architecture? Discuss some
control techniques that are essential for client server security?

Ans- The benefits from client/server are truly praiseworthy but there are also risks
involved in the transition from mainframe (or PC) to client/server. We can classify these
risks into four categories : operational, technological, economic, and political.

Technological Risks : The technological risk is quite simple: will the new system work? The
short term aspect of this question is: will it literally work? But more important is the risk
that in the long run the system may grow obsolete. To resolve this issue the firm and IT
consultant/division making process while deciding what systems to incorporate into their
organizations.

Operational Risks : These risks parallel the technological risks in both the short and long
run. Respectively, they are : will you achieve the performance you need from the new
technology and will the software that you chose be able to grow or adapt to the changing
needs of the business. Once again sound planning and keeping an eye to the future are the
only remedies for these risks.

Economic Risks : In the short run, firms are susceptible to hidden costs associated with the
initial implementation of the new client/server system. Cost will rise in the short term since
one needs to maintain the old system (mainframe) and the new client/server architecture
development. In the long run, the concern centers around the support costs of the new
system.

Political Risks : Finally, political (people) risks involved in this transition are addressed.
Here, the short term question is: will end users and management be satisfied? The answer to
this is definitely not if the system is difficult to use or is plagued with problems.

Client/Server Security –
Security procedures for client/server technology are not clearly defined or protected. As they
utilize distributed techniques, there is an increased risk of access to data and modification. To
get a secure client/server environment, all access points should be known. As the application
data may exist on the server or client, a number of access routes exist, which should be
examined and checked.

To increase the security, an IS auditor should ensure that the following control techniques are
in place :

- Access to data and applications is secured by disabling the floppy disk drive.
- Diskless workstations prevent unauthorized access.
- Unauthorized users may be prevented from overriding login scripts and access by
  securing automatic boot or startup batch files.
- Network monitoring can be done to know about the client so that it will be helpful
  for later investigation, if it is monitored properly. Various network monitoring
  devices are used for this purpose. Since this is a detective control technique, the
  network administrator must continuously monitor the activities and maintain the
  devices, otherwise these tools become useless.
- Data encryption techniques are used to protect data from unauthorized access.
- Authentication systems can be provided to a client, so that they can enter the
  system only by entering a login name and password.
- Smart cards can be used. They use intelligent hand held devices and encryption
  techniques to decipher random codes provided by client server based operating
  systems. A smart card displays a temporary password based on an algorithm, which
  must be re-entered by the user during the login session for access to the client-
  server system.
- Application controls may be used, and users will be limited to access only those
  functions in the system that are required to perform their duties.

CHAPTER 7

Q-16 Write Short Notes on –
1) System development life cycle
2) Feasibility study
3) System analysis
4) System Development Methodology
5) Software project manager
6) Data dictionary

Ans- 1) System development life cycle - The system development life cycle method can be
thought of as a set of activities that analysts, designers and users carry out to develop and
implement an information system. In most business situations, these activities are all closely
related, usually inseparable and even the order of the steps in these activities may be difficult
to determine. Different parts of a project can be in various phases at the same time, with
some components undergoing analysis while others are at advanced design stages.

The system development life cycle method consists of the following activities :

(i) Preliminary investigation
(ii) Requirement analysis or system analysis
(iii) Design of system
(iv) Development of software
(v) System testing
(vi) Implementation and maintenance

2) Feasibility study – After possible solution options are identified, project feasibility (the
likelihood that these systems will be useful for the organization) is determined. A feasibility
study is carried out by the system for this purpose. Feasibility study refers to a process of
evaluating alternative systems through cost/benefit analysis so that the most feasible study of
a system is undertaken from three angles : technical, economic and operational feasibility.
The proposed system is evaluated from a technical view point first and if technically feasible,
its impact on the organization and staff is assessed. If a compatible technical and social
system can be devised, it is then tested for economic feasibility.

3) System Analysis-

4) System Development Methodology- Methodology means methods followed; here
system development methodology means methods followed for system development.
A system development methodology (also known as system development life cycle (SDLC)
methodology) is a formalized, standardized, well documented set of activities used to manage a
system development project. This should be used when an information system is developed or
maintained.

The methodology has the following characteristics-

1. Divide the project into manageable tasks and manageable processes. This
helps in project planning and control.

2. Document every step and process and produce specific records and other
documents during system development to make the development team accountable
for system execution. These documents and reports become a reference for
training and maintenance of the system.
3. Assure the participation of users, managers and auditors in the project. These
generally provide approvals, often called signoff, at pre established points, and this
signifies the approval of the development process and the system being developed.
4. The system must be tested thoroughly prior to implementation to ensure that it meets
the user's requirements.
5. A training plan should be developed for those who will operate and use the new
system.
6. A post implementation review of the developed system must be performed to assess
the efficiency and effectiveness of the system.
7. An organization's system development methodology should be documented in the
form of a system development standards manual.

5) Software project management-

6) Data dictionary- A data dictionary is a computer file which stores descriptions of all data
elements, their attributes & relationships. It has many uses like acting as a guide to
analysts/programmers/auditors/accountants, helps in audit trail & in planning data flow to the
I/S & also serves as an aid in investigating & developing internal control procedures. It
generally contains-

a. Names of the computer data files
b. Names of the computer programs that modify data
c. Field names, their width & data type, range
d. Identity of source document used to create data
e. Identity of users permitted to access database & their rights like add, edit, view,
delete, report etc.
f. Identity of users not permitted & their rights like add, edit, view, delete, report etc.
g. Identity of programs permitted to access database
h. Identity of programs not permitted to access database
i. Details about edit controls
j. Details about data security
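
As an added example (not part of the original notes), the code below turns several of the items listed above into an enforceable control: field width, type and range become edit controls, the permitted users, rights and programs become a deny-by-default access check, and every attempt is written to an audit trail. The file name, field names, user names, program names and limits are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

MODIFYING_ACTIONS = {"add", "edit", "delete"}


@dataclass(frozen=True)
class FieldSpec:
    dtype: type
    width: int                      # maximum characters when written as text
    low: Optional[float] = None     # inclusive range, numeric fields only
    high: Optional[float] = None


# Constructed data dictionary entry for one data file (illustrative values).
VENDOR_PAYMENTS = {
    "file": "VENDOR_PAYMENTS",
    "source_document": "vendor invoice",
    "fields": {
        "vendor_code": FieldSpec(str, 6),
        "invoice_no": FieldSpec(str, 10),
        "amount": FieldSpec(float, 12, low=0.01, high=500000.00),
    },
    "modifying_programs": {"PAYENTRY"},
    "permitted_programs": {"PAYENTRY", "PAYREPORT"},
    "user_rights": {
        "clerk01": {"add", "view"},
        "supervisor01": {"add", "edit", "view", "report"},
        "auditor01": {"view", "report"},
    },
}


def authorize(entry, user, program, action):
    """Return (allowed, reason). Anything the dictionary does not list is denied."""
    if program not in entry["permitted_programs"]:
        return False, f"program {program} is not permitted on {entry['file']}"
    if action in MODIFYING_ACTIONS and program not in entry["modifying_programs"]:
        return False, f"program {program} may not modify {entry['file']}"
    if action not in entry["user_rights"].get(user, set()):
        return False, f"user {user} lacks the '{action}' right"
    return True, "ok"


def validate_record(entry, record):
    """Apply the dictionary's edit controls and return a list of error strings."""
    errors = []
    fields = entry["fields"]
    for name in sorted(record.keys() - fields.keys()):
        errors.append(f"{name}: not defined in the data dictionary")
    for name, spec in fields.items():
        if name not in record:
            errors.append(f"{name}: missing")
            continue
        value = record[name]
        if isinstance(value, bool) or not isinstance(value, spec.dtype):
            errors.append(f"{name}: expected {spec.dtype.__name__}")
            continue
        if len(str(value)) > spec.width:
            errors.append(f"{name}: wider than {spec.width} characters")
        if spec.low is not None and value < spec.low:
            errors.append(f"{name}: below minimum {spec.low}")
        if spec.high is not None and value > spec.high:
            errors.append(f"{name}: above maximum {spec.high}")
    return errors


def apply_change(entry, user, program, action, record, audit_trail):
    """Check access, then edit controls; log the attempt whether or not it succeeds."""
    allowed, reason = authorize(entry, user, program, action)
    errors = validate_record(entry, record) if allowed else []
    accepted = allowed and not errors
    detail = reason if not allowed else ("; ".join(errors) or "ok")
    audit_trail.append({"user": user, "program": program, "action": action,
                        "accepted": accepted, "detail": detail})
    return accepted


if __name__ == "__main__":
    trail = []
    sample = {"vendor_code": "V00123", "invoice_no": "INV-2009-1", "amount": 1250.50}
    print(apply_change(VENDOR_PAYMENTS, "clerk01", "PAYENTRY", "add", sample, trail))
    print(apply_change(VENDOR_PAYMENTS, "auditor01", "PAYENTRY", "add", sample, trail))
    for line in trail:
        print(line)
```

Rejected attempts are logged with the same detail as accepted ones, which is what makes the dictionary useful for the audit trail the notes mention.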

Q-17 What is DFD? Give one example.

CHAPTER 8

Q-18 What guide lines should be followed while designing printed and screen output?

Ans. There are certain guidelines which should be followed while preparing the layout
form. It will not only make the analyst's job easier, but will also ensure that users will receive an
understandable report. Some of these guidelines are summarized below:

1. Reports and documents should be designed to read from left to right and top to
bottom.

2. The most important items should be easiest to find.

3. Each printed report should include the heading or title of the report, page number,
date of preparation and column headings. The heading or title of the report
orients the users to what it is they are reading. The title should be descriptive, yet
concise. Each page should be numbered so that the user has an easy point of
reference when discussing output with others or relocating important figures. The
date of report preparation should be included on each print out. Sometimes this
helps users to estimate the value of the output. Column headings serve to further
orient the user as to the report contents.

4. Each data item must have a heading, which should be short and descriptive. Data
items that are related to one another should be grouped together on the report.

5. Control breaks should be used in the report to help readability. They should be
separated from the rest of the data with additional lines. Attention should be drawn to
control break summaries and other important information by boxing them off
with special characters such as asterisks or extra space. This makes it easier to
find critical information.

6. Sufficient margin should be left on the right and left as well as top and bottom of
an output report. This enables the user to focus his attention on the material
centered on the page and makes reading easier.

7. The detail line for variable data should be defined by indicating whether each
space is to be used for an alphabetic, special or numeric character.

8. The mock up reports should be reviewed with users and programmers for feasibility,
usefulness, readability, understandability and aesthetic appeal.

Q-19 Why is a coding system required in an information system? List the characteristics of a
good coding scheme and also some commonly used coding schemes.

Ans- Coding Methods :- Information system projects are designed with space, time and cost
saving in mind. Hence, coding methods in which conditions, words or relationships are
expressed by a code are developed to reduce input, control errors and to speed up the entire
process. A code is a brief number, title or symbol used instead of a lengthy or ambiguous
description. When an event occurs, the details of the event are summarized by the code. The
system analyst is responsible for devising an appropriate coding scheme. Although coding
schemes exist in manual systems also, it is usually necessary to modify these to suit
computer capabilities, since human beings can manage with bad and disorganized coding
schemes but not the computer.

Some of the desired characteristics of a good coding scheme are enumerated below.

(i) Individuality : The codes must identify each object in a set uniquely and with absolute
precision. To use one code number for several objects in a set would obviously cause a great
deal of confusion. Furthermore, the code should be universally used over the entire
organization.

(ii) Space : As far as possible a code number must be much briefer than the description.

(iii) Convenience : The formats of code numbers should facilitate their use by people. This
implies that the code number should be short and simple and consist of digits and/or upper
case alphabets. It is better to avoid the use of such special symbols as hyphens, oblique, dot,
etc.

(iv) Expandability : As far as possible future growth in the number of objects in a set should
be provided for. Therefore, whilst introducing the scheme, a larger number of digits
than necessary at present may be adopted as the code length.

(v) Suggestiveness : The logic of the coding scheme should be readily understandable. Also,
the letter or number should be suggestive of the item characteristics, e.g., whether it is made
from a casting or rolled stock, whether it pertains specifically to such and such model or it is
used commonly by more than one end product.

(vi) Permanence : Changing circumstances should not invalidate the scheme, or
invalidation in the future should be kept to a minimum.

Coding schemes :- Some common examples of coding schemes are –

Classification Codes : Place separate entities (e.g. places, events, people, objects, features etc.)
into distinct group classes which are used to distinguish one class from another, using small or
single digits, e.g. first digit of material items in an automobile company signifying vehicle
model ranging from 0-9.

Function Codes : State activities/work to be performed without giving all details, e.g. in a
TPS separate codes can be given to the functions of updating, adding, deleting records in a
database.

Significant Digit Subset Codes : To code complex items which carry various information, codes
can be divided into subsets or sub codes where various digits & their groups signify different
details, e.g. for coding inventory items an 8 digit coding scheme can be developed where the
first three digits are for product class, the next three for item number & the last two for
vendor code.

Mnemonic Codes : Suitable where codes are to be remembered by users. Use abbreviations
generally having alphabets, e.g. CA, MBA etc.

Hierarchical Classification Codes : Suitable for complex items where various details &
classifications are involved. A tree structure can be made having various alternatives.
Coding can be done using digits to signify various levels.

Q-20 Write short note on –

(i) Application package
(ii) Program debugging
(iii) Bench marking problem
(iv) Program development life cycle
(v) System testing

Ans- (i) Application package

(ii) Program debugging- The process of debugging a program refers to correcting
programming language syntax and diagnostic errors so that the program “compiles
cleanly”. A clean compile means that the program can be successfully converted from the
source code written by the programmer into machine language instructions. Once the
programmer achieves a clean compile, the program is ready for the structured walkthrough
discussed below.
Debugging can be a tedious task. It consists of four steps : inputting the source program to the
compiler, letting the compiler find errors in the program, correcting lines of code that are in
error, and resubmitting the corrected source program as input to the compiler. The length of
time required to debug a program can be shortened considerably by the use of an interactive
compiler which checks the source program and displays any errors on a CRT or prints them
on a printer. The programmer corrects the indicated errors and initiates the interactive
compiler as often as necessary until all errors are corrected.

(iii) Bench marking problem – Benchmarking problems for vendors' proposals are sample
programs that represent at least a part of the buyer's primary computer work load. They
include software considerations and can be current application programs or new programs
that have been designed to represent planned processing needs, i.e., benchmarking problems
are oriented towards testing whether a computer offered by the vendor meets the
requirements of the job on hand of the buyer. They are required to be representative of the
job on hand of the buyer. Obviously, benchmarking problems can be applied only if the job mix
has been clearly specified. If the job is truly represented by the selected benchmarking
problems, then this approach can provide a realistic and tangible basis for comparing all
vendors' proposals.

(iv) Program development life cycle

(v) System Testing- System level testing must be conducted prior to installation of an
information system. It involves (a) preparation of realistic test data in accordance with the
system test plan, (b) processing the test data using the new equipment, (c) thorough checking
of the results of all system tests, and (d) reviewing the results with future users, operators and
support personnel. System level testing is an excellent time for training employees in the
operation of the IS as well as maintaining it. Typically, it requires 25 to 35 percent of the
total implementation effort.
One of the most effective ways to perform system level testing is to perform parallel operations
with the existing system. During parallel operations, the mistakes detected are often not those
of the new system, but of the old. These differences should be reconciled as far as it is
economically feasible.

CHAPTER 10

Q- 21 Describe the four aspects of system implementation phase?

Ans- The process of ensuring that the information system is operational and then allowing
users to take over its operation for use and evaluation is called systems implementation.
Implementation includes all those activities that take place to convert from the old system to
the new.
Successful implementation may not guarantee improvement in the organization using
the new system, but improper installation will prevent it. The four aspects of
implementation are –

Equipment Installation
Training Personnel
Conversion Procedure
Post implementation Evaluation

1. EQUIPMENT INSTALLATION
The hardware required to support the new system is selected prior to the implementation
phase. The necessary hardware should be ordered in time to allow for installation testing of
equipment during the implementation phase. An installation checklist should be developed at
this time with operating advice from the vendor and system development team. In those
installations where people are experienced in the installation of the same or similar
equipment, adequate time should be scheduled to allow completion of the following
activities:

i. Site Preparation : An appropriate location must be found to provide an
operating environment for the equipment that will meet the vendor's
temperature, humidity and dust control specifications. The site layout should
allow ample space for moving the equipment in and setting it up for normal
operation.
ii. Equipment Installation : The equipment must be physically installed by the
manufacturer, connected to the power source and wired to communication lines
if required.
iii. Equipment Check Out : The equipment must be turned on for testing under
normal operating conditions. Not only should the routine 'diagnostic tests' be run
by the vendor, but the implementation team should also devise and run
extensive tests of its own to ensure that the equipment is in proper working
condition.

2. TRAINING PERSONNEL
A system can succeed or fail depending on the way it is operated and used. Therefore, the
quality of training received by the personnel involved with the system in various capacities
helps or hinders the successful implementation of the system. Thus, training is becoming a major
component of system implementation. When a new system is acquired, which often involves
new hardware and software, both users and computer professionals generally need some
type of training.

i. Training System Operators : Many systems depend on the computer centre
personnel, who are responsible for keeping the equipment running as well as for
providing the necessary support services. Their training must ensure that they
are able to handle all possible operations, both routine and extraordinary.
Operator training must also involve the data entry personnel.
The operators should also be instructed in what common malfunctions may occur,
how to recognize them, and what steps to take when they arise. Training also
involves familiarization with run procedures, which involves working through the
sequence of activities needed to use a new system on an ongoing basis.

ii. User Training : User training may involve equipment use, particularly in the
case where a micro computer is in use and the individual involved is both
operator and user. Users must be instructed first how to operate the equipment.
Users should be trained on data handling activities such as editing data,
formulating inquiries (finding specific records or getting responses to
questions) and deleting records of data. If a micro computer or data entry
system uses disks, users should be instructed in formatting and testing disks.

3. CONVERSION OR CHANGEOVER FROM MANUAL TO COMPUTERISED SYSTEM –
Conversion or changeover is the process of changing from the old system to the new system.
It requires careful planning to establish the basic approach to be used in the actual
changeover. There are many conversion strategies available to the analyst, who has to take
into account several organisational variables in deciding which conversion strategy to use.
There is no single best way to proceed with conversion. It may be noted that adequate
planning and scheduling of conversion as well as adequate security are more important for a
successful changeover.

Conversion strategies : There are five strategies to convert the old system to the new
system.

(a) Direct Changeover : On a specified date the old system is dropped & the new one is
followed – successful if extensively tested beforehand – risky approach – users may
resent it due to unfamiliarity – no way to compare the two systems.

(b) Parallel Conversion : Most frequently used – feeling of security to users –
comparison possible – disadvantages are doubling of work load & costs.

(c) Gradual Conversion : Combines best of the earlier two plans – volume of
transactions is gradually increased – easy to detect & recover from errors –
disadvantages are that it is time consuming & unsuitable for small organizations.

(d) Modular Prototyping : Uses building of modular operational prototypes in a gradual
manner – module by module acceptance & use – thorough testing of each – problems
in integration & interface.

(e) Distributed Conversion : Refers to a situation when many installations of the same
system are required, like branches or franchises – conversion is done site by site –
uses experience, but there is the problem of uniqueness in each site.

Activities involved in conversion are –

a. Procedure conversion : Operating procedures for computer & other functional areas
must be documented & spelled out to staff & tested after implementation
b. File conversion : From manual to computerized database files – online or offline
c. System conversion : Integration of all new inputs, processes, hardware,
software etc.
d. Scheduling personnel & equipment
e. Alternative plans in case of failure

4. EVALUATION OF THE NEW SYSTEM
The final step of the system implementation is evaluation. Evaluation provides the feedback
necessary to assess the value of information and the performance of personnel and
technology included in the newly designed system. This feedback serves two functions.

1. It provides information as to what adjustments to the information system may be
necessary.
2. It provides information as to what adjustments should be made in approaching future
information systems development projects.

There are two basic dimensions of information systems that should be evaluated. The first
dimension is concerned with whether the newly developed system is operating properly. The
other dimension is concerned with whether the user is satisfied with the information system
with regard to the reports supplied by it.

i. Development evaluation
ii. Operational evaluation
iii. Informational evaluation

Q-22 Write Short Note on –

i. Post implementation evaluation
ii. System maintenance

Ans : (i) Post implementation evaluation-
The final step of the system implementation is evaluation. Evaluation provides the feedback
necessary to assess the value of information and the performance of personnel and
technology included in the newly designed system. This feedback serves two functions.

1. It provides information as to what adjustments to the information system may be
necessary.
2. It provides information as to what adjustments should be made in approaching future
information systems development projects.

There are two basic dimensions of information systems that should be evaluated. The first
dimension is concerned with whether the newly developed system is operating properly. The
other dimension is concerned with whether the user is satisfied with the information system
with regard to the reports supplied by it.

i. Development evaluation
ii. Operational evaluation
iii. Informational evaluation

(ii) System maintenance-
Most information systems require at least some modifications after development. The need
for modification arises from a failure to anticipate all requirements during system design
and/or from changing organizational requirements. Consequently, periodic systems
maintenance is required for most information systems. Systems maintenance involves
adding new data elements, modifying reports, adding new reports, changing calculations, etc.

Maintenance can be categorized in the following two ways :

1. Scheduled maintenance is anticipated and can be planned for; for example, the
implementation of a new inventory coding scheme can be planned in advance.
2. Rescue maintenance refers to previously undetected malfunctions that were not
anticipated but require immediate solution. A system that is properly developed and
tested should have few occasions of rescue maintenance.

Chapter 11

Q-23 Draw system flow chart & explain input files and outputs of accounts payable
system?
Ans- view page No 11.7 of ICAI study module

Q- 24 Draw system interface chart & explain inputs & files of WIP control system?

Ans- view page number 11.41 of ICAI study module

Chapter 12

Q- 25 What is BPR? How is it concerned with the implementation of ERP?

Ans- The most accepted and formal definition for BPR, given by Hammer and Champy, is
reproduced here: “BPR is the fundamental rethinking and radical redesigning of processes to
achieve dramatic improvement, in critical, contemporary measures of performance such as
cost, equity, service and speed.” This has a few important key words, which need clear
understanding. Here, dramatic achievement means to achieve 80% or 90% reduction (in say,
delivery time, work in progress or rejection rate) and not just 5% or 10% reduction.
Radical redesign means BPR is reinventing and not enhancing or improving. In a nutshell,
a “clean slate approach” of BPR says that “Whatever you were doing in the past is all wrong”,
do not get biased by it or reassemble your new system to redesign it afresh. Fundamental
rethinking means asking the question “why do you do what you do”, thereby eliminating a
business process altogether if it does not add any value to the customer.
Thus BPR aims at major transformation of the business processes to
achieve dramatic improvement. Here, the business objectives of the enterprise (e.g. profits,
customer satisfaction through optimal cost, quality, deliveries etc.) are achieved by
“transformation” of the business process which may, or may not, require the use of
information technology (IT).

BPR's concern with the implementation of ERP-
ERP merges very well with common business management issues like Business Process
Reengineering, total quality management, mass customization, service orientation, and virtual
corporation etc. The basic objective of implementing an ERP program is to put in place the
applications and infrastructure architecture that effectively and completely support the
enterprise's business plan and business processes. When an enterprise does not have optimized
business processes, the ERP implementation needs a process reengineering which enables it to
capture the knowledge of the experts into the system, thus gaining considerable benefits in
productivity.

Q-26 Write short notes on-

(i) Business Modelling
(ii) SAP R/3 Package

Ans- (i) Business Modelling- The approach of ERP implementation is carried out using MIS
planning. First of all, a model consisting of core business processes or activities is to be
developed. This is the diagrammatic representation of the business as a large system with
interconnection of the subsystems or processes that it comprises. We can model business as a
system making the processes managing their facilities and material as their resources.
Information is treated as a vital resource managing other resources.
The business model is accompanied by a data model which consists of a description of the
following entities –
1. External Data – Customers, Suppliers, Competitors, Distributors
2. Internal Data – Funds, Mkt. Research, Production, Inventory, Personnel,
Sales, Payroll, General Ledger

(ii) SAP R/3 Package- In five years R/3 is the market leader in new sales. Its philosophy of
matching business processes to modules is excellent. It offers a wide range of functions and
its major shortcomings are yet to be identified. However, it remains complex, because it
offers much; few people know how to get the best from it. R/3 will be around for a long time;
few people get fired for buying it.

Q-27 Discuss the characteristics and benefits of ERP?

Ans- ERP Characteristics : An ERP system is not only the integration of various
organization processes. Any system has to possess a few key characteristics to qualify as a true
ERP solution. These features are :

Flexibility : An ERP system should be flexible to respond to the changing needs of an
enterprise. The client server technology enables ERP to run across various database back
ends through Open Data Base Connectivity (ODBC).

Modular & Open : ERP system has to have open system architecture. This means that any
module can be interfaced or detached whenever required without affecting the other modules.
It should support multiple hardware platforms for the companies having heterogeneous
collection of systems. It must support some third party add-ons also.

Comprehensive : It should be able to support a variety of organizational functions and must
be suitable for a wide range of business organizations.

Beyond the company : It should not be confined to the organizational boundaries, rather
support the online connectivity to the other business entities of the organization.

Best business practices : It must have a collection of the best business processes applicable
worldwide. An ERP package imposes its own logic on a company's strategy, culture and
organization.

Benefits of ERP :- The benefits accruing to any business enterprise by implementing an
ERP package are unlimited. According to companies like NIKE, DHL, Tektronix, Fujitsu,
Millipore and Sun Microsystems, the following are some of the benefits they achieved by
implementing the ERP packages.

Gives Accounts Payable personnel increased control of invoicing and payment processing, thereby boosting their productivity and eliminating their reliance on computer personnel for these operations.
Reduces paper documents by providing online formats for quickly entering and retrieving information.
Improves timeliness of information by permitting posting daily instead of monthly.
Greater accuracy of information with detailed content, better presentation, satisfactory for the auditors.
Improved cost control.
Faster response and follow up on customers.
More efficient cash collection, say, material reduction in delay in payments by customers.

Better monitoring and quicker resolution of queries.
Enables quick response to change in business operations and market conditions.
Helps to achieve competitive advantage by improving its business process.
Improves supply demand linkage with remote locations and branches in different countries.
Provides a unified customer database usable by all applications.
Improves information access and management throughout the enterprise.
Provides solution for problems like Y2K and Single Monetary Unit (SMU) or Euro Currency.

Chapter-13

Q- 28 What are the functions of Operating Systems? Discuss the associated Operating
System Control?

Ans : The operating system is the computer's control program. It allows users and their
applications to share and access common computer resources, such as processors, main
memory, databases, and printers. The modern accountant needs to recognize the
operating system's role in the overall control picture to properly assess the risks that
threaten the accounting system.
If operating system integrity is compromised, controls within
individual accounting applications may also be circumvented or neutralized. Because the
operating system is common to all users, the larger the computer facility, the greater the scale
of potential damage. Thus, with more and more computer resources being shared by an
ever-expanding user community, operating system security becomes an important control issue.

The main functions of Operating Systems are :

1. Allocation or management of hardware resources such as CPU, Memory,
Printer etc. to users/applications
2. Providing interface between user and computer system
3. Job scheduling & special tasks like multiprogramming etc.
4. Assigning memory workspace/partitions to applications
5. Authorizing access to terminals, databases, printers etc.

Associated Operating System Control :

To perform the abovementioned tasks consistently and reliably, the operating system must
achieve five fundamental control objectives.

1. The operating system must protect itself from users. User applications must not be
able to gain control of, or damage in any way, the operating system, thus causing it to
cease running or destroy data.

2. The operating system must protect users from each other. One user must not be able
to access, destroy, or corrupt the data or programs of another user.

3. The operating system must protect users from themselves. A user's application may
consist of several modules stored in separate memory locations, each with its own
data. One module must not be allowed to destroy or corrupt another module.

4. The operating system must be protected from itself. The operating system is also
made up of individual modules. No module should be allowed to destroy or corrupt
another module.

5. The operating system must be protected from its environment. In the event of a power
failure or other disaster, the operating system should be able to achieve a controlled
termination of activities from which it can later recover.

Q- 29 Write Short Note on (i) Source Program Library
(ii) Disaster Recovery Plan
(iii) System development Control

Ans :
(i) Source Program Library : In larger computer systems, application program modules are
stored in source code form on magnetic disks called the source program library (SPL).

The Worst Case Situation – No Control : This arrangement has the potential to create two
serious forms of exposure :

1. Access to programs is completely unrestricted. Programmers and others can access
any program stored in the library, and there is no provision for detecting an unauthorized
intrusion.
2. Because of these control weaknesses, programs are subject to unauthorized changes.
Hence, there is no basis for relying on the effectiveness of other controls
(maintenance authorization, program testing, and documentation). In other words,
with no provision for detecting unauthorized access to the SPL, the program's
integrity cannot be verified.

A Controlled SPL Environment : To control the SPL, protective features and procedures
must be explicitly addressed. This requires the implementation of an SPL management system
(SPLMS).

(ii) Disaster Recovery Plan : Some disasters cannot be prevented or evaded. The survival
of a firm affected by such a disaster depends on how it reacts. With careful planning, the full
impact of a disaster can be absorbed and the organization can still recover.
The term “Disaster Recovery” describes the contingency measures that organizations have
adopted at key computing sites to recover from, or to prevent, any monumentally bad event or
disaster. A disaster may result from natural causes such as fire, flood or earthquake etc. or
from other sources such as a violent takeover, willful or accidental destruction of equipment
or any other act of such catastrophic proportions that the organization could be ruined. The
primary objective of a disaster recovery plan is to assure the management that normalcy would
be restored in a set time after any disaster occurs, thereby minimizing losses to the
organization.

Although each organization would like to have a specifically tailored disaster recovery plan,
the general components of the plan would be as follows :

1. Emergency Plan : It identifies the personnel to be notified immediately, for
example, fire service, police, management, insurance company etc. It provides
guidelines on shutting down equipment, termination of power supply, removal of
storage files and removable disks, if any.

2. Recovery Plan : A recovery committee is constituted. Preparing
specifications of recovery, like setting out priorities for recovery of application systems,
hardware replacements etc., will be the responsibility of the recovery plan.

3. Backup Plan : An effective safeguard is to have a backup of anything that
could be destroyed, be it hardware or software. It is necessary to make copies of
important programs, data files, operating systems and test programs etc. in order to get
back into operation before the company can suffer an intolerable loss.

4. Test Plan : It identifies deficiencies in the emergency, backup or recovery
plan. It contains procedures for conducting DRP testing, such as :

(i) Paper walk-throughs
(ii) Localised tests
(iii) Full operational tests

(iii) System development Control :-
The six activities discussed below deal with the authorization, development and
implementation of the original system.

System Authorization Activities : All systems must be properly authorized to ensure their
economic justification and feasibility. Each new system request should be submitted in written
form by users to system professionals who have both the expertise and authority to evaluate and
approve (or reject) the request.

User Specification Activities : Users must be actively involved in the systems development
process. The creation of a user specification document often involves the joint efforts of the
user and systems professionals. However, it is most important that this document remain a
statement of user needs. It should describe the user's view of the problem, not that of the
systems professionals.

Technical Design Activities : The technical design activities in the SDLC translate the user
specifications into a set of detailed technical specifications of a system that meets the user's
needs. The adequacy of these activities is measured by the quality of the documentation that
emerges from each phase. Documentation is both a control and evidence of control and is
critical to the system's long term success.

Internal Audit Participation : The auditor should become involved at the inception of the
SDLC process to make conceptual suggestions regarding system requirements and controls.
The auditor's involvement should continue throughout all phases of the development process and
into the maintenance phase.

Program Testing : All program modules must be thoroughly tested before they are
implemented. The results of the tests are then compared against predetermined results to
identify programming and logic errors.

User Test And Acceptance Procedure : Just before implementation, the individual modules
of the system must be tested as a unified whole. A test team comprising user personnel, system
professionals, and internal audit personnel subjects the system to rigorous testing. Once the
test team is satisfied that the system meets its stated requirements, the system is formally
accepted by the user department(s).

Chapter 14

Q-30 Discuss 3 Levels of Validation Controls?

Ans : Input validation controls are intended to detect errors in transaction data before the
data is processed. Validation procedures are most effective when they are performed as close
to the source of the transaction as possible. A Computer Based Information System (CBIS)
using real time processing or batch processing with direct access master files can validate
data at the input stage.

There are three levels of Input validation controls :

(a) Field Interrogation
(b) Record Interrogation
(c) File Interrogation

(a) Field Interrogation : Field interrogation involves programmed
procedures that examine the characters of the data in the field. The following are some
common types of field interrogation :

(1) Limit Checks : May be applied to both the input data and
output data. The field is checked by the program to ensure that its value lies
within certain predefined limits (set in the programs). This applies to both input and
output fields considered to be important.
(2) Picture Checks : These check against entry into processing of
incorrect characters.
(3) Valid Code Checks : Checks are made against
predetermined transaction codes, tables or other data to ensure that input data are
valid. The predetermined codes or tables may either be embedded in the
programs or stored in (direct access) files.
(4) Check Digit : One method for detecting data coding errors is
a check digit. A check digit is a control digit (or digits) added to the code
when it is originally assigned that allows the integrity of the code to be
established during subsequent processing. The check digit can be located
anywhere in the code, as a prefix, a suffix or embedded someplace in the
middle. Whenever the code is transcribed from one document to another, this
check is to be effected.
(5) Arithmetic Checks : Arithmetic is performed in different
ways to validate the result of other computations of the values of selected data
fields.
(6) Cross Checks : May be employed to verify fields appearing
in different files to see that the results tally.

(b) Record Interrogation :

(i) Sequence checks are exercised to detect any missing transactions, of serially numbered
vouchers (subsequently transcribed for computer processing) or erroneous sorting.
(ii) Format completeness checks are used to check the presence and positions of all the data
fields in a transaction. This check is particularly useful for variable data field records.

(iii) Redundant data checks are used in sequential processing. Matching keys of the
transaction record and its master record may not be deemed enough. One may, in a sales
application for example, want to compare, say, the first five characters of the customer's name.
(iv) Combination Checks: For example, a credit against shipments is an invalid combination and
ought to be rejected.
(v) Passwords are issued to the various users in online systems for processing their
enquiries. It is desirable to periodically change the passwords.
(vi) Once a user has been identified in an online system, it remains to be seen what he is
authorized to access, read, write etc.

(c) File Interrogation : The purpose of file interrogation is to ensure that the correct file is
being processed by the system. These controls are particularly important for master files,
which contain permanent records of the firm and which, if destroyed or corrupted, are
difficult to replace.
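
The field and record interrogation checks above, including the check digit that the Q-31 short note describes again, can be expressed as one validation routine. This is an added example, not part of the original notes; the Luhn (modulus 10) check digit scheme, the field names, the code table and the amount limits are assumptions chosen for illustration.

```python
import re

# Constructed reference data (assumptions for this example, not from the notes).
VALID_CODES = {"INV", "CRN", "RCT"}            # table for the valid code check
AMOUNT_MIN, AMOUNT_MAX = 0.01, 50_000.00       # bounds for the limit check
ACCOUNT_PICTURE = re.compile(r"\d{6}")         # picture: exactly six digits
AMOUNT_PICTURE = re.compile(r"\d+(\.\d{1,2})?")
REQUIRED_FIELDS = ("voucher", "account", "code", "amount")


def check_digit(base):
    """Luhn (modulus 10) check digit for a numeric code, used here as a suffix."""
    total = 0
    for position, char in enumerate(reversed(base)):
        digit = int(char)
        if position % 2 == 0:       # double every second digit, starting next to the suffix
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return str((10 - total % 10) % 10)


def field_interrogation(record):
    """Return the names of the field-level checks that one complete record fails."""
    failures = []
    account = record["account"]
    if not ACCOUNT_PICTURE.fullmatch(account):
        failures.append("picture:account")
    elif account[-1] != check_digit(account[:-1]):
        failures.append("check_digit:account")
    if record["code"] not in VALID_CODES:
        failures.append("valid_code:code")
    if not AMOUNT_PICTURE.fullmatch(record["amount"]):
        failures.append("picture:amount")
    elif not AMOUNT_MIN <= float(record["amount"]) <= AMOUNT_MAX:
        failures.append("limit:amount")
    return failures


def format_completeness(record):
    """Record-level check: every required field is present and non-blank."""
    return [f for f in REQUIRED_FIELDS if not str(record.get(f, "")).strip()]


def sequence_check(voucher_numbers):
    """Return (missing, out_of_order) for serially numbered vouchers in arrival order."""
    if not voucher_numbers:
        return [], []
    seen = set(voucher_numbers)
    missing = [n for n in range(min(seen), max(seen) + 1) if n not in seen]
    out_of_order = [cur for prev, cur in zip(voucher_numbers, voucher_numbers[1:])
                    if cur <= prev]
    return missing, out_of_order


def validate_batch(records):
    """Run record interrogation first, then field interrogation on complete records."""
    rejects = {}
    for record in records:
        blanks = format_completeness(record)
        problems = (["incomplete:" + f for f in blanks] if blanks
                    else field_interrogation(record))
        if problems:
            rejects[record.get("voucher")] = problems
    vouchers = [r["voucher"] for r in records if "voucher" in r]
    missing, out_of_order = sequence_check(vouchers)
    return {"rejects": rejects, "missing": missing, "out_of_order": out_of_order}


# Constructed sample batch. "123455" is base code 12345 plus its check digit 5.
SAMPLE_BATCH = [
    {"voucher": 101, "account": "123455", "code": "INV", "amount": "250.00"},
    {"voucher": 102, "account": "213455", "code": "INV", "amount": "99.50"},  # digits transposed
    {"voucher": 105, "account": "12345A", "code": "XXX", "amount": "75000"},
    {"voucher": 104, "account": "123455", "code": "RCT", "amount": ""},
]

if __name__ == "__main__":
    print(validate_batch(SAMPLE_BATCH))
```

The transposed account number on voucher 102 passes the picture check and is caught only by the check digit, which is the transcription error the check digit exists to detect.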

Q-31 Write short notes on:

(i) Batch Control
(ii) Check Digits
(iii) Run to Run control
(iv) Audit Trail control
(v) Tape and Disk O/p Control

Ans: (i) Batch Control :- Batch controls are an effective method of managing
high volumes of transaction data through a system. The objective of batch control is to
reconcile output produced by the system with the input originally entered into the system.
This provides assurance that:

All records in the batch are processed
No records are processed more than once
An audit trail of transactions is created from input through processing to the
output stage of the system.

Batch control is not exclusively an input control technique. Control of the batch continues
through all phases of the system.

(ii) Check Digits :- One method for detecting data coding errors is a check digit. A check
digit is a control digit (or digits) added to the code when it is originally assigned that
allows the integrity of the code to be established during subsequent processing. The check
digit can be located anywhere in the code, as a prefix, a suffix or embedded someplace in the
middle. Whenever the code is transcribed from one document to another, this check is to be
performed.

(iii) Run to Run control :- The preparation of batch control figures was previously
discussed as an element of input control. Run to Run controls use batch figures to monitor
the batch as it moves from one programmed procedure (run) to another. These controls
ensure that each run in the system processes the batch correctly and completely. Batch
control figures may be contained in either a separate control record created at the data input
stage or an internal label.

(iv) Audit Trail control :- The provision of an audit trail is an important objective of process
control. In an accounting system, every transaction must be traceable through each stage of
processing from its economic source to its presentation in financial statements. In a
Computer Based Information System (CBIS) environment, the audit trail can become
fragmented and difficult to follow. It thus becomes critical that each major operation applied
to a transaction be thoroughly documented.

(v) Tape and Disk O/p Control :- Computer output to magnetic tapes and disks is not
normally verified by direct human observation as is the case with manually printed output.
Hence, special care must be taken to ensure accuracy in encoding of information on these
output media. It may be noted that disk drives and tape drives have a built-in dual
recording mode to enable these machines to check on recording accuracy. It works as follows:

The disk/tape is encoded with the desired information, and this information is read again using
the reading mechanism of the tape or disk drive. A comparison is made to verify the original
output. In most cases, the comparison of the initial output data with the newly recorded data
will result in a confirmation of identical information, and the tape or disk system is then able
to signal the CPU that the required writing operation has been successful. Where the comparison
does not match, either a second write attempt can be initiated, or the computer operator is
notified for alternative action.

Use of file labels can be treated as an output control in the case of tape and disk files. The file
label processing requires the updating of information in trailer record to reflect the new status
of the file.
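
The batch control and run-to-run control notes above can be shown as a control record that is recomputed after every run. This is an added example, not part of the original notes; the three control figures (record count, amount total, hash total), the record layout and the run names are assumptions. The constructed second run drops one record and processes another twice, which leaves the record count and amount total unchanged and is caught only by the hash total and the duplicate check.

```python
from collections import Counter
from decimal import Decimal


def batch_control_figures(records):
    """Compute the figures carried in the batch control record."""
    return {
        "record_count": len(records),
        "amount_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        # Hash total: a sum with no business meaning, kept only as a control figure.
        "hash_total": sum(int(r["account"]) for r in records),
    }


def run_to_run_check(control, run_name, output_records, audit_trail):
    """Compare one run's output with the control record and log the outcome."""
    actual = batch_control_figures(output_records)
    differences = {name: (expected, actual[name])
                   for name, expected in control.items()
                   if actual[name] != expected}
    counts = Counter(r["voucher"] for r in output_records)
    duplicates = sorted(v for v, n in counts.items() if n > 1)
    # Each run leaves an entry behind, so the batch can be traced run by run.
    audit_trail.append({"run": run_name, "figures": actual,
                        "differences": differences, "duplicates": duplicates})
    return differences, duplicates


# Constructed batch as entered at the data input stage.
INPUT_BATCH = [
    {"voucher": 201, "account": "40010", "amount": "100.00"},
    {"voucher": 202, "account": "40025", "amount": "100.00"},
    {"voucher": 203, "account": "40031", "amount": "312.75"},
]


def demo():
    """Pass the batch through a clean run and a faulty run; return the findings."""
    control = batch_control_figures(INPUT_BATCH)    # control record created at input
    trail = []
    # Run 1 (edit) passes the batch through unchanged.
    clean = run_to_run_check(control, "edit", list(INPUT_BATCH), trail)
    # Run 2 (update) loses voucher 201 and processes voucher 202 twice.
    faulty_output = [INPUT_BATCH[1], INPUT_BATCH[1], INPUT_BATCH[2]]
    faulty = run_to_run_check(control, "update", faulty_output, trail)
    return control, clean, faulty, trail


if __name__ == "__main__":
    for entry in demo()[3]:
        print(entry)
```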

CHAPTER -15

Q-32 Why is there a rise in Internet Computer Frauds? Give some examples of Internet
Frauds.

Ans: Organizations that track computer fraud estimate that 80% of businesses have been
victimized by at least one incident of computer fraud. However, for the following reasons no
one knows for sure exactly how much companies lose to computer fraud.

1. Not everyone agrees on what constitutes computer fraud. For example, some people restrict
the definition to a crime that takes place inside a computer or is directed at it. For others it is
any crime where the perpetrator uses the computer as a tool. Many people do not believe
that making an unlicensed copy of software constitutes computer fraud. Software publishers,
however, think otherwise.

2. Many computer frauds go undetected. It is estimated that only 1% of all computer crime is
detected.

3. 80-90% of the frauds that are uncovered are not reported. Only the banking industry
is required by law to report all frauds. The most common reason for failure to report
computer fraud is a company's fear that adverse publicity would result in copycat fraud and
loss of customer confidence that would cost more than the fraud itself.

4. Most networks have a low level of security. It is estimated that two out of three sites have
serious vulnerabilities, and most firewalls and other protective measures at the sites are
ineffective.

5. Many internet pages give step by step instructions on how to perpetrate computer frauds
and abuses. There are thousands of pages on how to break into routers and disable web
servers.

6. Law enforcement is unable to keep up with the growing number of computer frauds.

Few Examples of Internet Frauds :-

1. In 1997 the US Federal Trade Commission began litigation against a company called
“Fortuna Alliance” which had an internet site. This company offered investors a return of
$5000 per month for an investment of $250. It might be thought that no one would be
foolish enough to invest in such an improbable scheme, but in fact investors lost about $6
million before the FTC blocked access to the site.

2. In August 1997, the European Union Bank, which traded over the Internet, collapsed. It
was registered in Antigua and had been founded by two Russians in 1994. The site claimed
that it offered a $1 million certificate of deposit that paid interest of 9.91%. It had
attracted unfavourable comment from the Bank of England some time before it collapsed.

3. Offshore trusts are mainly an American problem. Internet sites and bulk email schemes
promise freedom from US taxes if victims transfer their assets to an offshore trust and pay a
handsome fee. What happens is that the fraudsters either decamp with the fees (often
thousands of dollars) or set up the trusts and make themselves beneficiaries, so that all the
victims' assets vest in them.

Q-33 Discuss Categories of Computer Frauds based on data processing model?

Ans :- Various studies have examined fraud to determine the type of assets stolen and the
approaches used by employees to commit computer fraud. One way to categorize computer
frauds is to use the data processing model: input, processor, computer instructions, stored
data and output.

1. Input :- The simplest and most common way to commit a fraud is to alter computer input.
It requires little, if any, computer skill; instead, perpetrators need only to understand how the
system operates so that they can cover their tracks.

Collusive fraud - One perpetrator opened an account at a bank and then prepared blank
deposit slips. The slips were similar to those available in the bank lobby, except that his account
number was encoded on them. One morning he replaced all the deposit slips in the bank
lobby with his forged ones. For three days, all bank deposits made using the forged slips went
directly into his account. After three days the perpetrator withdrew the money and disappeared.
He used an alias; his identity was never uncovered, nor was he ever found.

Disbursement fraud - The perpetrator causes a company either to pay too much for ordered
goods or to pay for goods that were never ordered. One perpetrator used a DTP package to
prepare fraudulent bills for office supplies that were never ordered, then mailed those bills to
companies across the country. The perpetrator kept the amount low enough so that most
companies did not bother to require purchase orders or approvals. An amazingly high
percentage of the companies paid the bills without question.

Payroll frauds - Perpetrators can enter data to increase their salary, create a fictitious
employee, or retain a terminated employee on the records. Under the latter two approaches, the
perpetrator proceeds to intercept and cash the illegal cheques.

Cash receipt frauds – the perpetrator hides the theft by falsifying system input. For
example, an employee at the Arizona Veteran's Memorial Coliseum sold customers full price
tickets, and pocketed the difference.

2. Processor :- Computer fraud can be committed through unauthorized system use,
including the theft of computer time and services. For example, some companies do not
permit employees to use company computers to keep personal or outside business records.
Violating this policy would constitute a fraud. While most people would not call it fraud,
employee goofing (surfing the internet for personal entertainment on company time) has
become a serious problem at many companies. One study estimates that employees with
access to the internet, on average, lose one to two hours of productivity a week goofing.

3. Computer Instructions :- Computer fraud can be accomplished by tampering with the
software that processes company data. This may involve modifying the software, making
illegal copies, or using it in an unauthorized manner. It might also involve developing
software to carry out the fraud. Computer fraud of this kind used to be one of the least
common, because it requires specialized knowledge about computer programming that is beyond
the scope of most users. Today, however, such frauds are much more frequent because there
are many web pages with instructions on how to create viruses and other computer
instruction based schemes.

4. Data :- Computer fraud can be perpetrated by altering or damaging a company's data files or
by copying, using, or searching them without authorization. There have been numerous
instances of data files being scrambled, altered or destroyed by disgruntled employees. In
one instance, an employee removed all the external labels from hundreds of tape files. In
another case, an employee used a powerful magnet to scramble all the data on magnetic files.
Data can also be destroyed, changed or defaced, particularly if saved on a company website.

5. Output :- Computer fraud can be carried out by stealing or misusing system output.
System output is usually displayed on monitors or printed on paper. Unless properly
safeguarded, monitor and printer output is subject to prying eyes and unauthorized copying.

6. Malicious alterations of email :- This can happen when an employee has a grudge against
another member of staff or management. The effects can be troublesome, if not damaging.

Q-34 Discuss various measures that can reduce potential for computer frauds?

Ans: Because fraud is such a serious problem, organizations must take every precaution to
protect their information systems. A number of measures can significantly decrease the
potential for fraud and any resulting losses.

(a) Make fraud less likely to occur: Some computer consultants claim that the most
effective method of obtaining adequate system security is to rely on the integrity of company
employees. At the same time, research shows that most frauds are committed by current and
former employees. Thus employees are both the greatest control strength and weakness.
Organizations can take steps to increase employee integrity and reduce the likelihood of
employees committing a fraud.

(b) Use proper hiring and firing practices: One of a manager's most important responsibilities
is to hire and retain honest people. Similarly, a company should be very careful when firing
employees. Dismissed employees should be removed from sensitive jobs immediately
and denied access to the computer system to prevent sabotage or copying of confidential data
before they leave.

(c) Manage disgruntled employees: Many employees who commit fraud are seeking
revenge or “justice” for some wrong they perceive has been done to them. Hence
companies should have procedures for identifying these individuals and either helping them
resolve their feelings or removing them from jobs with system access.

(d) Train employees in security and fraud prevention measures: Many top executives
believe that employee training and education is the most important element of any security
program. Fraud is much less likely to occur in an environment where employees believe
security is everyone's business.

To develop this type of culture a company should educate and train employees in the
following areas.

(i) Security measures : Employees should be well schooled in security measures, taught
why they are important, and motivated to take them very seriously.

(ii) Telephone Disclosure : Employees should be taught not to give out confidential
information over the telephone without knowing for sure who is calling. Employees can
be taught tactics such as dialing the caller back and verifying a person's identity by asking
penetrating and specific questions that only that person would be able to answer.

(iii) Ethical Consideration : The company should promote its ethical standards in its
practices and through company literature such as employee handouts. Acceptable and
unacceptable behaviour should be defined so that employees are aware of a company's
ethical position should a problem arise.

(iv) Punishment for unethical behaviour : Employees should be informed of the
consequences of unethical behaviour (reprimands, dismissal, prosecution, etc.). This
information should be disseminated not as a threat but as the consequence of choosing to act
unethically. For example, employees should be informed that using a computer to steal or
commit fraud is a federal crime and that anyone doing so faces immediate dismissal and/or
prosecution.

(v) Educating employees in security issues, fraud awareness, ethical considerations, and the
consequences of choosing to act unethically can make a tremendous difference.

(vi) Fraud awareness : Employees should be made aware of fraud, its prevalence, and its
dangers. They should be taught why people commit fraud and how to deter and detect it.

(vii) Manage and track software licenses: Software license management, a fast growing
area of information technology management, helps companies make sure they comply with
all their software licenses. Of key concern is making sure there are enough licenses to meet
user demands and that there are not more users than licenses. This protects them from
software piracy lawsuits. It can also save the company money by ensuring that it does not pay
for more licenses than it actually uses or needs.

(viii) Require signed confidentiality agreements : All employees, vendors, and contractors
should be required to sign and abide by a confidentiality agreement.


Q-35 What kinds of control can be incorporated in the system to make frauds difficult
to perpetrate?

Ans : One way to deter fraud is to design a system with sufficient controls to make fraud
difficult to perpetrate. These controls help ensure the accuracy, integrity and safety of system
resources.

(i) Develop a strong system of internal controls : The overall responsibility for a secure
and adequately controlled system lies with top management. Managers typically delegate the
design of adequate control systems to systems analysts, designers and end users. The
corporate information security officer and the operations staff are typically responsible for
ensuring that control procedures are followed.

(ii) Segregate Duties : There must be an adequate segregation of duties to prevent
individuals from stealing assets and covering up their tracks.

(iii) Require vacations and rotate duties : Many fraud schemes, such as lapping and kiting,
require the ongoing attention of the perpetrator. If mandatory vacations were coupled with a
temporary rotation of duties, such ongoing fraud schemes would fall apart.

(iv) Encrypt data and programs : Another way to protect data is to translate it into a secret
code, thereby making it meaningless to anyone without the means to decipher it.

(v) Restrict access to computer equipment and data files : Computer fraud can be
reduced significantly if access to computer equipment and data files is restricted. Physical
access to computer equipment should be restricted, and legitimate users should be
authenticated before they are allowed to use the system.

(vi) Protect telephone lines : Computer hackers (called phreakers when they attack phone
systems) use telephone lines to transmit viruses and to access, steal and destroy data. One
effective method to protect telephone lines is to attach an electronic lock to them.

(vii) Protect the system from viruses : There are hundreds of thousands of virus attacks
every year, and an estimated 90% of the PCs that suffer a virus attack are re-infected within
30 days by the same virus or some other virus. A system can be protected from viruses.

Fortunately, some very good virus protection programs are available. Virus protection
programs are designed to remain in computer memory and search for viruses trying to
infiltrate the system. Make sure that the latest versions of the anti-virus programs are used.

CHAPTER-16

Q-36 Write short notes on:

(i) E Governance
(ii) Duties of subscribers
(iii) Duties of C.A.
(iv) Appellate Tribunal

Ans:
(i) E Governance :- Section 6 lays down the foundation of Electronic Governance. It
provides that the filing of any form, application or other documents, creation, retention or
preservation of records, issue or grant of any license or permit or receipt or payment in
Government offices and its agencies may be done through the means of electronic form. The
appropriate Government has the power to prescribe the manner and format of the electronic
records and the method of payment of fee in that connection.

Section 7 provides that the documents, records or information which has to be retained for
any specified period shall be deemed to have been retained if the same is retained in the
electronic form, provided the following conditions are satisfied:

The information therein remains accessible so as to be usable subsequently.
The electronic record is retained in its original format or in a format which accurately
represents the information contained.
The details which will facilitate the identification of the origin, destination, dates and time of
dispatch or receipt of such electronic records are available therein.

Section 8 provides for the publication of rules, regulations and notifications in the electronic
gazette. It provides that where any law requires the publication of any rule, regulation, order,
bye law, notification or any other matter in the official gazette, then such requirement shall
be deemed to be satisfied if the same is published in an electronic form. It also provides that
where the official gazette is published both in the printed as well as in the electronic form, the
date of publication shall be the date of publication of the official gazette which was first
published in any form.

(ii) Duties of subscribers :-

On acceptance of the digital signature certificate the subscriber shall generate a key pair
using a secure system.

A subscriber shall be deemed to have accepted a digital signature certificate if he publishes
or authorizes the publication of such signature to one or more persons or otherwise
demonstrates his approval of the digital signature certificate. By so accepting the certificate,
the subscriber certifies to the public the following:

(a) that he holds the private key corresponding to the public key listed in the digital signature
certificate, and
(b) that all the information contained in the certificate as well as material relevant to them are
true.


The subscriber shall exercise all reasonable care to retain control of his private key
corresponding to the public key. If such private key has been compromised (i.e. endangered
or exposed) the subscriber must immediately communicate the fact to the certifying
authority.

(iii) Duties of Certifying Authority :-

This section provides that every certifying authority shall follow certain procedures in respect
of digital signatures as given below :-

Make use of hardware, software, and procedures that are secure from intrusion and misuse.
Provide a reasonable level of reliability in its services which are reasonably suited to the
performance of intended functions.
Adhere to security procedures to ensure that the secrecy and privacy of the digital signatures
are assured, and
Observe such other standards as may be specified by regulations.

Every certifying authority shall also ensure that every person employed by him complies
with the provisions of the Act, or rules, regulations or orders made thereunder.
A certifying authority must display its license at a conspicuous place of the premises in
which it carries on its business, and a certifying authority whose license is suspended or
revoked shall immediately surrender the license to the controller.
Section 34 further provides that every certifying authority shall disclose its digital signature
certificate which contains the public key corresponding to the private key used by that
certifying authority and other relevant facts.

(iv) Appellate Tribunal :-

The “Cyber Regulation Appellate Tribunal” has appellate powers in respect of orders passed
by any adjudicating officer. Civil courts have been barred from entertaining any suit or
proceedings in respect of any matter which an adjudicating officer or tribunal is empowered
to handle.

Section 48 provides for establishment of one or more appellate tribunals to be known as
Cyber Regulation Appellate Tribunals.

The Cyber Regulation Appellate Tribunal shall consist of one person only (called the
presiding officer of the tribunal) who shall be appointed by notification by the central
government. Such a person must be qualified to be a judge of a high court, or must be or have
been a member of the Indian Legal Service in a post in Grade I of that service for at least
three years.

The presiding officer shall hold office for a term of five years or up to a maximum age limit of
65 years, whichever is earlier.

Section 52 provides for the salary and allowances and other terms and conditions of service
of the presiding officer.
Section 53 provides that in the situation of any vacancy occurring in the office of the
presiding officer of the Cyber Regulation Tribunal, the Central Government shall appoint
another person in accordance with the provisions of this Act.

Q-37 What are advantages of digital signature technique for analysis of financial
information?

Q-38 Write short note on Key Figure ?

Ans: The profitability analysis system uses the concept of key figures to define the lowest level
at which it is possible to display the quantities, revenue, sales deductions and costs when a
contribution margin calculation for a business segment is carried out. The system offers lists
of commonly used key figures as proposals to adopt or supplement with key figures of one's own
specification.

These key figures can be set at any level of detail. Revenue, for example, can be displayed
across a revenue element structure consisting of revenue from external customers and partner
companies. Revenue alterations, such as credit memos, rebates and sales deductions, can be
displayed as separate revenue elements.

Costs are stored as value fields. The details depend on the specific R/3 applications that are
installed and configured.

Q-39 Discuss the civil & criminal offences and the related penalties provided under I T
Act. ?

Ans. Chapter XI deals with some computer crimes and provides for penalties for these
offences. It contains sections 65 to 78.

Tampering with computer source documents (Section 65)

This section provides for punishment with imprisonment up to three years or with a fine
which may extend to Rs. 2 lakhs or with both for whoever knowingly or intentionally tampers
with the computer source documents.
“Computer source code” means the listing of programmes, computer commands, design and
layout and programme analysis of computer resources in any form.

Hacking with computer system (Section 66)

Hacking is a term used to describe the act of destroying or deleting or altering any
information residing in a computer resource or diminishing its value or utility, or affecting it
injuriously in spite of knowing that such action is likely to cause wrongful loss or damage to
the public or any person. Section 66 provides that a person who commits hacking shall be
punished with a fine up to Rs. 2 lakhs or with imprisonment up to 3 years, or with both.

Publishing of Information which is obscene in electronic form (Section 67)

Section 67 provides for punishment of whoever transmits or publishes or causes to be
published or transmitted any material which is obscene in electronic form, with
imprisonment for a term which may extend to five years and with a fine which may extend to
Rs. 1 lakh on first conviction. In the event of a second or subsequent conviction the
imprisonment would be for a term which may extend to ten years and the fine may extend
to Rs. 2 lakhs.

Penalties for damage to computer, computer system or network

Section 43 deals with the penalty for damage to a computer, computer system etc. by any of the
following methods:

Securing access to the computer, computer system or computer network.
Downloading or extracting any data, computer database or information from such computer
system or those stored in any removable storage medium.
Introducing any computer contaminant or computer virus into any computer, computer
system or network.
Damaging any computer, computer system or network or any computer data, database or
programme.
Disrupting any computer, computer system or network.
Denying access to any person authorized to access any computer, computer system or
network.
Providing assistance to any person authorized to access any computer, computer system or
network in contravention of any provisions of this act or its rules.
Charging the services availed of by one person to the account of another person by tampering
with or manipulating any computer, computer system or network.

CHAPTER – 17

Q-40 Why do manual audit methods prove ineffective in Information System Audit?

Ans: The audit methods that are effective for manual audits prove ineffective in many IS
audits because of these factors:

Electronic evidence - Essential evidence is not physically retrievable by most auditors, and it
is not readable in its original electronic form.
Terminology - The tools and techniques used in automated applications are described in terms
that are difficult for non-EDP auditors to understand.
Automated processes - The methods of processing are automated rather than manual, making
it difficult for the non-EDP auditor to comprehend processing concepts and the logic of these
concepts.
New risks and controls - Threats to computer systems and the countermeasures to those
threats (i.e. controls) are new to non-EDP auditors, and the magnitude of the risks and the
effectiveness of the controls are not understood.
Reliance on controls - In a manual system, the auditor can place some reliance on hard-copy
evidence, regardless of the adequacy of the controls, whereas in automated systems the
electronic evidence is only as valid as the adequacy of controls.

Because the rate of these changes varies among systems in organizations, the methods and
approaches of auditing automated information systems differ among applications and
organizations. For example, some organizations still rely heavily on hard copy evidence, and
others have eliminated much of it.

Q-41 Briefly discuss the framework for audit of:

(a) Program Development
(b) Data file control

Ans:
(a) Program Development :- Table 2 provides a framework for reviewing and evaluating the
program development process. Two things can go wrong in program development:

(1) inadvertent errors due to misunderstanding system specifications or careless
programming, and
(2) unauthorized instructions deliberately inserted into the programs.

These problems can be controlled by requiring both management and user authorization and
approval, thorough testing, and proper documentation.

Table 2 : Framework for Audit of Program Development

Types of Errors and Fraud
- Inadvertent programming errors
- Unauthorized program code

Control Procedures
- Management authorization for program development and approval of programming specifications
- User approval of programming specifications
- Thorough testing of new programs
- User acceptance testing
- Complete systems documentation, including approvals

Audit Procedures : System Review
- Independent and concurrent review of the systems development process
- Review systems development policies and procedures
- Review systems authorization and approval procedures
- Review programming evaluation standards
- Review program documentation standards
- Review program testing and test approval procedures
- Discuss systems development procedures with management, system users, and IS personnel
- Review final application system documentation

Audit Procedures : Tests of Control
- Interview users about their involvement in systems design and implementation
- Review minutes of development team meetings for evidence of involvement
- Verify management and user sign-off at milestone points in the development process
- Review test specifications, test data and results of system tests

Compensating Controls
- Strong processing controls
- Independent processing of test data by auditor

The auditor's role in system development should be limited to an independent review of
systems development activities. To maintain the objectivity necessary for performing an
independent evaluation function, auditors should not be involved in developing the system.
During the system review, auditors should gain an understanding of development procedures
by discussing them with management, system users and IS personnel. They should also
review the policies, procedures, standards and documentation listed in Table 2.

To test system development controls, auditors should interview managers and system users,
examine development approvals and review thoroughly all documentation relating to the
testing process and ascertain that all program changes were tested. The auditor should
examine the test specifications, review data and evaluate the test results. If unexpected test
results were obtained, the auditor should ascertain how the problem was resolved.

Strong processing controls (see objective 4) can sometimes compensate for inadequate
development controls. If compensatory processing controls are relied on, the auditor should
obtain persuasive evidence of compliance, using techniques such as independent processing
of test data. If this type of evidence cannot be obtained, the auditor may have to conclude
that a material weakness in internal control exists and that the risk of significant errors or
fraud in application programs is unacceptably high.

(b) Data file control:- The sixth objective is concerned with the accuracy, integrity and
security of data stored in machine-readable files. Data storage risks include the unauthorized
modification, destruction or disclosure of data. Many of the controls discussed in Chapter 14
are used to protect the system against these risks. If file controls are seriously deficient,
especially with respect to physical or logical access or to backup and recovery procedures,
the auditor should strongly recommend they be rectified. Table 6 summarizes the errors,
controls and audit procedures for this objective.

The auditing by objectives approach is a comprehensive, systematic and effective means of
evaluating internal controls in an AIS. It can be implemented using an audit procedures
checklist for each objective. The checklist should help the auditor reach a separate conclusion
for each objective and suggest compensating controls when an objective is not fully
achieved. A separate version of the checklist should be completed for each significant
application.

Auditors should review system designs while there is still time to adopt their
suggestions for controls and audit features. Techniques like ITF, snapshots, SCARF, audit
hooks and real-time notifications should be incorporated into a system during the design
process, rather than as an afterthought. Similarly, most application control techniques are
easier to design into the system than to add after the system is developed.

Table 6 : Framework for Audit of Data Controls

Types of Errors and Fraud
- Destruction of stored data due to inadvertent errors, hardware or software malfunctioning and intentional acts of sabotage or vandalism
- Unauthorised modification or disclosure of stored data

Control Procedures
- Secure file library and restrictions on physical access to data files
- Logical access controls using passwords and access control matrix
- Proper use of file labels and write protection mechanisms
- Concurrent update controls
- Use of data encryption for highly confidential data
- Use of virus protection software
- Maintenance of backup copies of all data files in an off-site location
- Use of checkpoint and rollback to facilitate system recovery

Audit Procedures : System Review
- Review documentation for functions of file library operation
- Review logical access policies and procedures
- Review operating documentation for prescribed standards for:
  - Use of file labels and write protection mechanisms
  - Use of virus protection software
  - System recovery, including checkpoint and rollback procedures
- Review systems documentation to examine prescribed procedures for:
  - Use of concurrent update controls and data encryption
  - Control of file conversion
  - Reconciling master file totals with independent control totals

- Examine disaster recovery plan
- Discuss data file control procedures with IS managers and operators

Audit Procedures : Tests of Controls
- Observe and evaluate file operations
- Review records of password assignment and modification
- Observe and evaluate file handling procedures by operations personnel
- Observe the preparation and off-site storage of backup files
- Verify the effective use of virus protection procedures
- Verify the use of concurrent update controls and data encryption
- Verify completeness, currency and testing of disaster recovery plan
- Reconcile master file totals with separately maintained control totals
- Observe the procedures used to control file conversion

Compensating Controls
- Strong user controls
- Effective computer security controls
- Strong processing controls
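The test of control "reconcile master file totals with separately maintained control totals" can be carried out as in the following added example, which is not part of the original notes. The master file layout, the sample records and the control totals are constructed for illustration; the example goes slightly beyond the table by using three totals (record count, financial total and hash total) to show which kind of alteration each one exposes.

```python
import csv
import io
from decimal import Decimal

# Constructed sample: a customer master file as it sits on disk today.
MASTER_FILE = """account_no,name,balance
10021,Asha Traders,15000.00
10034,Bharat Supplies,2750.50
10047,Chandra & Co,980.25
10058,Deepak Metals,43100.00
"""

# Constructed control totals, assumed to be kept by a control group
# that has no write access to the master file.
CONTROL_TOTALS = {
    "record_count": 4,
    "balance_total": Decimal("61830.75"),
    "hash_total": 40160,  # sum of account numbers; meaningless except as a check
}


def compute_totals(master_text):
    """Recompute record count, financial total and hash total from the file."""
    rows = list(csv.DictReader(io.StringIO(master_text)))
    return {
        "record_count": len(rows),
        "balance_total": sum((Decimal(r["balance"]) for r in rows), Decimal("0")),
        "hash_total": sum(int(r["account_no"]) for r in rows),
    }


def reconcile(master_text, control_totals):
    """Return (total_name, expected, actual) for every total that disagrees."""
    actual = compute_totals(master_text)
    return [
        (name, expected, actual[name])
        for name, expected in control_totals.items()
        if actual[name] != expected
    ]


def tampered_copies():
    """Three constructed alterations an auditor would want the totals to catch."""
    lines = MASTER_FILE.splitlines(keepends=True)
    return {
        # a balance is inflated: only the financial total moves
        "amount_changed": MASTER_FILE.replace("2750.50", "7750.50"),
        # a record is swapped for another account with the same balance:
        # count and amount still agree, only the hash total exposes it
        "record_substituted": MASTER_FILE.replace("10047,", "10074,"),
        # a record is destroyed: every total moves
        "record_deleted": "".join(lines[:-1]),
    }


if __name__ == "__main__":
    print("untouched file:", reconcile(MASTER_FILE, CONTROL_TOTALS) or "reconciled")
    for label, text in tampered_copies().items():
        for name, expected, actual in reconcile(text, CONTROL_TOTALS):
            print(f"{label}: {name} expected {expected}, found {actual}")
```

The reconciliation is only as trustworthy as the separation of duties behind it: the control totals must be maintained by someone who cannot also update the master file.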

Auditors use an input control matrix to document the review of source data controls. The
matrix shows the control procedures applied to each field on an input record.

CHAPTER 18

Q-42 What is information security? Why is it important? Also explain the factors that
should be considered while deciding about the level of protection needed?

Ans Security relates to the protection of valuable assets against loss, disclosure or damage.
Securing valuable assets from threats, sabotage or natural disaster with physical safeguards
such as locks, perimeter fences and insurance is commonly understood and implemented by
most organizations. However, security must be expanded to include logical and other
technical safeguards such as user identifiers, passwords, firewalls etc., which are not
understood nearly as well by organizations as physical safeguards. This concept of security
applies to all information. In this context, the valuable assets are the data or information
recorded, processed, stored, shared, transmitted, or retrieved from an electronic medium.

Why is information security important :-

In a global information society, where information travels through cyberspace on a routine
basis, the significance of information is widely accepted. In addition, information and the
information systems and communications that deliver the information are truly pervasive
throughout organizations, from the user's platform to local and wide area networks to servers
to mainframe computers.

Security failures may result in financial losses and/or intangible losses such as
unauthorized disclosure of competitive or sensitive information.

Threats to information systems may arise from intentional or unintentional acts and may come
from internal or external sources. The threats may emanate from, among others, technical
conditions (program bugs, disk crashes), natural disasters (fires, floods), environmental
conditions (electrical surges), human factors (lack of training, errors and omissions),
unauthorized access (hacking), or viruses. In addition to these, other threats, such as
business dependencies (reliance on third-party communications carriers, outsourced
operations, etc.) that can potentially result in a loss of management control and oversight,
are increasing in significance.

Adequate measures for information security help to ensure the smooth functioning of
information systems and protect the organization from loss or embarrassment caused by
security failures.

Establishing better information protection :-

Processing information is crucial to the overall success or failure of a company. Since businesses
hold such a vast array of data, what steps do they need to take to keep all of their critical
information protected? These points may be considered:

Not all data has the same value – As such, the information may be handled and
protected differently. Organizations must determine the value of the different types of
information in their environment before they can plan for the appropriate levels of
protection.

Know where the critical data resides – In today's business environment, this is
normally the company's information system infrastructure. Because each piece of
information may require different levels of protection, identifying where each is located
enables an organization to establish an integrated security solution. This approach also
provides significant cost benefits, as the company does not need to spend more on
protecting data than the data itself is worth.
Develop an access control methodology – Information does not have to be removed
to cause damage or to have financial impact. Information that is inadvertently damaged or
copied without the knowledge of the owner may render the data useless. To guard against
this, organizations must have some type of access control methodology. For important data, this
access control (and the associated auditing) should be extended to the file level.
Review hardcopy output – The hardcopy output of employees' daily work should
also be reviewed. Although strategic plans in their final forms may be adequately
protected, what measures are used to safeguard all drafts and working papers? What
information is regularly placed in the recycle or trash containers without thought to its
value?

Q-43 Discuss various types of information protection?

Ans : There are basically two types of protection that an organization can use: preventive and
restorative.

1. Preventive Information Protection : This type of protection is based on the use of security
controls. Information security controls are generally grouped into three types of control:
physical, logical and administrative. Organizations require all three types of controls. The
organization's information security policy, through the associated information security
standards documentation, mandates use of these controls. Here are some examples of each
type of control :

Physical : Doors, locks, guards, floppy disk access locks, cable locking
systems to desks/walls, CCTV, paper shredders, fire suppression systems.
Logical (Technical) : Passwords, file permissions, access control lists,
account privileges, power protection systems.
Administrative : Security awareness, user account revocation, policy.

2. Restorative Information Protection : Planning and operating an effective and timely
information backup and recovery program is vital to an operation. Information backup does
not simply involve backing up "just the valuable information"; it frequently also means
backing up the system as well, since the information may need services that the system
provides to make the information usable.

The key requirement of any restorative information protection plan is that the information
can be recovered. This is frequently an issue that many organizations fail to properly address.

Here are a few questions any restorative information protection program must address:
Has the recovery process been tested recently?
How long did it take?
How much productivity was lost?

Did everything go according to plan?
How much extra time was needed to input the data changes since the last backup?
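A recovery test that answers these questions can be scripted. The following is an added example, not part of the original notes: it restores a backup into a scratch area, times the restore, checks every restored file against a checksum manifest recorded when the backup was taken, and lists the files changed since the backup. The directory layout and file names are constructed, and `shutil.copytree` stands in for whatever restore tool the organization actually uses.

```python
import hashlib
import shutil
import tempfile
import time
from pathlib import Path


def manifest(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def restore_drill(backup_dir, live_dir, backup_manifest):
    """Restore into a scratch area and report time taken, damage and drift."""
    scratch = Path(tempfile.mkdtemp(prefix="restore_drill_"))
    try:
        started = time.monotonic()
        restored_dir = scratch / "restored"
        shutil.copytree(backup_dir, restored_dir)  # stand-in for the real restore
        elapsed = time.monotonic() - started

        restored = manifest(restored_dir)
        live = manifest(live_dir)
        return {
            "elapsed_seconds": elapsed,
            # restored content differs from what was recorded at backup time
            "corrupt_or_missing": sorted(
                f for f, digest in backup_manifest.items()
                if restored.get(f) != digest),
            # work done since the backup that would have to be re-entered
            "changed_since_backup": sorted(
                f for f in live if live[f] != backup_manifest.get(f)),
        }
    finally:
        shutil.rmtree(scratch, ignore_errors=True)


def run_constructed_drill():
    """Build constructed sample data, damage one backup file, run the drill."""
    base = Path(tempfile.mkdtemp(prefix="drill_demo_"))
    try:
        live, backup = base / "live", base / "backup"
        live.mkdir()
        (live / "ledger.csv").write_text("10021,15000.00\n10034,2750.50\n")
        (live / "customers.csv").write_text("10021,Asha Traders\n")
        shutil.copytree(live, backup)   # the backup run
        recorded = manifest(backup)     # manifest stored alongside the backup

        # Work done after the backup was taken.
        with (live / "ledger.csv").open("a") as fh:
            fh.write("10047,980.25\n")
        (live / "orders.csv").write_text("1,10021\n")
        # Silent damage to one file on the backup medium.
        (backup / "customers.csv").write_text("10021,Asha Tr")

        return restore_drill(backup, live, recorded)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_constructed_drill())
```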

3. Holistic Protection :- Protecting corporate information from harm or loss is not an easy
task. Protection must be done holistically and give the organization the appropriate level of
security at a cost that is acceptable to the business. One must plan for the unexpected and
unknown, expect the worst events to happen, and recover from these events if and when they
occur as though nothing ever happened.

Q 44 Explain Information Security Policy ( Contents and Implementation)

Ans :

Q-45 What are the levels of CASE Tools and integration ?

Ans: Specialized CASE tools can be combined to provide wider support to
software process activities. An effective integration framework makes evolution possible,
as new systems are added without disturbing the existing systems. In a systems engineering
environment, there are five different levels of integration of CASE tools which are possible.
Let us examine each of these in detail.

1. Platform Integration : Platform integration means that the tools or work benches to be
implemented run on the same platform where platform means either a single
computer/operating system or a network of systems.

2. Data Integration : Data integration is the process of exchange of data by CASE tools. The
result from one tool can be passed on as input to another tool.

There are a number of different levels of data integration :

(a) Shared file: All tools recognize a single file format. The most general-purpose shareable
file format is one where files are made up of lines of characters.

(b) Shared data structure: The tools make use of shared data structures which usually include
program or design language information.

(c) Shared repository: The tools are integrated around an object management system which
includes public shared data describing the data entities and relationships which can be
manipulated by the tools.

3. Presentation Integration:- Presentation or user interface integration means that the tools
in the system use a common metaphor or style and a set of common standards for user
interaction.

There are three different levels of presentation integration:

(a) Window system integration: Tools which are integrated at this level use the same
underlying window system and present a common interface for the window manipulation
commands.
(b) Tools which are integrated at this level use the same form of commands for comparable
functions.
(c) Interaction integration: This is related to a direct manipulation interface where the user
interacts with a graphical or textual view of the entity.

4. Control Integration:- Control integration is the mechanism by which one tool in a workbench or
environment controls the activation of other tools in the CASE system. The tool is able to
start and stop other tools. The tool can also call the services of another tool in the system.
These services are accessed through program interfaces.

5. Process Integration :- Process Integration means that the CASE system has embedded
knowledge about the process activities, their planning, their constraints and the tools needed
to support their activities. The CASE system participates in the scheduling of these activities
and in checking that the required activity reference is maintained.

Q-46 Discuss the components of programming work benches?

Ans : A programming work bench is made up of a set of tools to support the process of
program development. Some of the tools which are part of a programming work bench are:

(a) Language compiler: Translates host programs to object code. As part of the translation
process, an abstract syntax tree (AST) and a symbol table are created.
(b) Structure editor: Incorporates embedded programming language knowledge and edits the
syntax representation of the program in the AST rather than its source code text.
(c) Linker: Links the object code program with components which have already been
compiled.
(d) Loader: Loads the executable program into the computer memory prior to
execution.
(e) Cross referencer: Produces a cross-reference listing showing where all program
names are declared and used.
(f) Pretty printer: Scans the AST and prints the source program according to
embedded formatting rules.
(g) Static analyzer: Analyses the source code to discover anomalies such as
uninitialized variables, unreachable code, uncalled functions and procedures etc.
(h) Dynamic analyzer: Produces a source code listing annotated with the number of
times each statement was executed when the program was run. It may also generate
information on program branches and loops and statistics of
processor usage.
(i) Interactive debugger: Allows the user to control the execution sequence and view
the program state as execution progresses.

Q-47 Explain the features of analysis & design work benches?

Ans Analysis and design work benches are designed to support the analysis and design
stages of the software process where models of the system are created. The components of
this model are:

(a) Diagram editors to create data flow diagrams, structured charts, entity relationship
diagrams and so on.

(b) Design analysis and checking tools which process the designs and then report on
errors and anomalies. These are integrated with the editing system so that user errors are trapped
at an early stage in the process.

(c) Repository query languages which allow the designer to find the designs and associated
design information in the repository.

(d) A data dictionary which maintains information about the entities used in a system design.

(e) Report definition and generation tools which take information from the central store and
automatically generate system documentation.

(f) Forms definition tools which allow screen and document formats to be specified.

(g) Import/export facilities which allow the interchange of information from the central
repository with other development tools.

(h) Code generators which generate code or code skeletons automatically from the design
captured in the central store.
