62078bosinterp7 Seca cp1 PDF
AUTOMATED BUSINESS PROCESSES
LEARNING OUTCOMES
After reading this chapter, you will be able to -
[Chapter overview diagram; labels recovered from the page: Enterprise Business Processes (Categories: Operational, Supporting, Management); Automation (Objectives, Benefits, Implementation, Human Resources); Diagrammatic Representation (Flowcharts, Data Flow Diagrams); Regulatory and Compliance Requirements (The Companies Act, 2013; IT Act, 2000)]
1.1 INTRODUCTION
In today’s connected world, where information flows at the speed of light, the success of
any organization depends on its ability to respond to a fast-changing environment,
and that capability in turn depends on its ability to take decisions quickly. A
large organization typically has several different kinds of information systems built
around diverse functions, organizational levels, and business processes that can
automatically exchange information. The fragmentation of data across hundreds of
separate systems degrades organizational efficiency and business performance. For
instance, sales personnel might not be able to tell, at the time they place an order,
whether the ordered items are in inventory, and manufacturing cannot easily use
sales data to plan the next production run.
The solution to this problem is provided by Enterprise Information Systems, which
collect data from numerous crucial business processes, such as manufacturing and
production, finance and accounting, sales and marketing, and human resources, and
store the data in a single central data repository. An Enterprise Information
System (EIS) may be defined as any kind of information system which improves
the functions of an enterprise’s business processes by integration.
An EIS provides a technology platform that enables organizations to integrate and
coordinate their business processes on a robust foundation. An EIS provides a
single system that is central to the organization that ensures information can be
shared across all functional levels and management hierarchies. It may be used to
amalgamate existing applications. An EIS can be used to increase business
productivity and reduce service cycles, product development cycles and marketing
life cycles. Other outcomes include higher operational efficiency and cost savings.
Example 1.1: When a customer places an order, the data flows automatically to the
other parts of the company that are affected by it, leading to enhanced
coordination between these different parts of the business, which in turn lowers
costs and increases customer satisfaction. Refer to Fig. 1.1.1.
♦ The order transaction triggers the warehouse to pick the ordered products
and schedule shipment.
♦ The warehouse informs the factory to replenish whatever has depleted.
♦ The accounting department is notified to send the customer an invoice.
♦ Debtors Department keeps track of payments.
[Fig. 1.1.1: Customer Service Department keeps track of all activities; Warehouse triggered to pick; Accounting Department notified for invoicing; Debtors Department keeps track of payments]
The details of these processes are shown in the Fig. 1.2.1 below:
Reduced Costs
♦ Manual tasks, given that they are performed one at a time and at a slower
rate than an automated task, cost more. Automation allows more to be
accomplished while utilizing fewer resources.
♦ What format are they in: paper, fax, email, PDF, etc.?
The benefits of the above process for the user and the entity are:
♦ It allows the process to be designed to focus on the desired result, with workflow
automation.
Step 1: Define why we plan to implement BPA?
• The answer to this question will provide justification for implementing BPA.
Step 2: Understand the rules/regulation under which it needs to comply with?
• The underlying issue is that any BPA created needs to comply with applicable laws and regulations.
Step 4: Define the objectives/goals to be achieved by implementing BPA.
• This enables the developer and user to understand the reasons for going for BPA. The goals need to be precise and clear.
Step 5: Engage the business process consultant.
• Once the entity has been able to define the above, the entity needs to appoint an expert, who can implement it for the entity.
Step 6: Calculate the RoI for project.
• The answer to this question can be used for convincing top management to say ‘yes’ to the BPA exercise.
the final version of the process will help to capture all of this hard work, thinking
and experience which can be used to train new people.
1.3.6 Case studies on Business Processes Automation
Case 1: Automation of purchase order generation process in a manufacturing entity
Various steps of automation are given as follows:
Step 1: Define why we plan to go for a BPA?
The entity has been facing the problem of non-availability of critical raw material
items, which is leading to production stoppages and delays in delivery. Delay in
delivery has already cost the company in terms of lost customers and sales.
Step 2: Understand the rules / regulations under which it needs to comply?
The item is not covered by regulation regarding the quantity to be ordered or stored.
To keep costs at a minimum, the entity has calculated the economic order quantity for
which orders are placed.
Step 3: Document the process we wish to automate.
The present process is manual: the orders are received by the purchase
department from the stores department. The stores department generates the order
based on a manual stock register and on the items’ re-order levels. The levels were
decided five years back and the stores records are not updated in a timely manner.
Step 4: Define the objectives/goals to be achieved by implementing BPA.
The objective behind the present exercise is to ensure that there are no production
losses due to non-availability of critical items of inventory. This shall automatically
ensure timely delivery of goods to customer.
Step 5: Engage the business process consultant.
ABC Limited, a consultant of repute, has been engaged for the same. The consultant
has prior experience and knowledge about entity’s business.
Step 6: Calculate the ROI for project.
The opportunity loss for the project comes to around ₹ 100/- lakhs per year. The
cost of implementing the whole BPA shall be around ₹ 50/- lakhs. It is expected
that the opportunity loss after BPA shall reduce to ₹ 50 lakhs in year one, ₹ 25/-
lakhs in later years for the next five years.
As the time taken to arrive at the correct attendance is large, there is a delay in
preparation of salary. The same has already led to penal action against company
by labor department of the state.
Step 4: Define the objectives/goals to be achieved implementing BPA.
The objective for implementing BPA is to have:
♦ Correct recording of attendance.
♦ Timely compilation of monthly attendance so that salary can be calculated
and distributed on a timely basis.
♦ To ensure compliance with statutes.
Step 5: Engage the business process consultant.
XYZ Limited a consultant of repute has been engaged for the same. The consultant
has prior experience and knowledge about entity’s business.
Step 6: Calculate the RoI for project.
The BPA may provide tangible benefits in the form of reduced penalties and
intangible benefits which may include:
♦ Better employee motivation and morale,
♦ Reduced differences between employees,
♦ More focus on work rather than salary, and
♦ Improved productivity.
Step 7: Developing the BPA.
Implementing BPA would result in the following:
♦ All employees would be given electronic identity cards.
♦ The cards would contain details about employees.
♦ The attendance system would work in the following manner:
• Software with card reading machine would be installed at the entry
gate.
• Whenever an employee enters or leaves the company, he/she needs to
put the card in front of machine.
• The card reading machine would be linked to the software which would
record the attendance of the employee.
Example 1.5: Fig. 1.4.1 depicts the risk and its related terms.
[Fig. 1.4.1: Owners wish to minimize Risk and may be aware of Vulnerabilities that may be reduced; Threat Agents give rise to Threats; Threats exploit Vulnerabilities, leading to Risk; Vulnerabilities increase Risk to Assets; Threats wish to abuse and/or may damage Assets]
♦ Turn back. Where the probability or impact of the risk is very low, then
management may decide to ignore the risk.
(viii) Monitoring: The entire ERM process should be monitored, and modifications
made as necessary. In this way, the system can react dynamically, changing as
conditions warrant. Monitoring is accomplished through ongoing management
activities, separate evaluations of the ERM processes or a combination of both.
1.6 CONTROLS
Control is defined as policies, procedures, practices and organization structure that
are designed to provide reasonable assurance that business objectives are achieved
and undesired events are prevented or detected and corrected. The main objectives
of information controls are safeguarding of assets, maintenance of data integrity,
effectiveness in achieving organizational objectives, and efficient consumption of
resources. Controls include things like practices, policies, procedures, programs,
techniques, technologies, guidelines, and organizational structures.
Example 1.6: Purchase to Pay-Given below is a simple example of controls for the
Purchase to Pay cycle, which is broken down to four main components as shown in
the Fig. 1.6.1.
♦ Goods Receipt: The PO is then sent to the vendor, who will deliver the goods
as per the specifications mentioned in the PO. When the goods are received
at the warehouse, the receiving staff checks the delivery note, PO number etc.
and acknowledges the receipt of the material. Quantity and quality are
checked and any unfit items are rejected and sent back to the vendor. A
Goods Receipt Note (GRN) is raised indicating the quantity received. The GRN
may be raised manually and then input into the computer system or raised
directly by computer system.
[Fig. 1.6.1: Purchase to Pay cycle; labels recovered: Purchase Order, Goods Receipt, Input Invoice Details, Credit]
processes, and data for a given enterprise or systems environment. ITG controls are
the basic policies and procedures that ensure that an organization’s information
systems are properly safeguarded, that application programs and data are secure,
and that computerized operations can be recovered in case of unexpected
interruptions.
General controls include, but are not limited to:
♦ Information Security Policy: An Information Security policy is the statement
of intent by the senior management about how to protect a company’s
information assets. The security policy is a set of laws, rules, and practices that
regulates how assets including sensitive information are managed, protected,
and distributed within the user organization. The security policy is approved by
the senior management and encompasses all areas of operations and drives
access to information across the enterprise and other stakeholders.
♦ Administration, Access, and Authentication: Access controls are measures
taken to ensure that only the authorized persons have access to the system and
the actions they can take. IT should be administered with appropriate policies
and procedures clearly defining the levels of access to information and
authentication of users.
♦ Separation of key IT functions: Secure deployment of IT requires the
organization to have separate IT organization structure with key demarcation of
duties for different personnel within IT department and to ensure that there are
no Segregation of Duties (SoD) conflicts.
♦ Management of Systems Acquisition and Implementation: Management
should establish acquisition standards that address the security, functionality,
and reliability issues related to systems acquisition. Hence, process of acquisition
and implementation of systems should be properly controlled.
♦ Change Management: IT solutions deployed and its various components must
be changed in tune with changing needs as per changes in technology
environment, business processes, regulatory, compliance requirements and
changing needs of the users. These changes impact the live environment of the
organization. Hence, change management process should be implemented to
ensure smooth transition to new environments covering all key changes
including hardware, software and business processes. All changes must be
properly approved by the management and tested before implementation.
♦ Backup, Recovery and Business Continuity: Heavy dependence on IT and
criticality makes it imperative that resilience of the organization operations
♦ The ability to protect against new vulnerabilities and threats and to recover
from any disruption of IT services quickly and efficiently.
♦ The efficient use of a customer support center or help desk.
♦ Heightened security awareness on the part of the users and a security
conscious culture.
1.6.4 Framework of Internal Control as per Standards on Auditing
A company's management team is responsible for the development of internal
control policies and procedures. SA315 defines the system of Internal Control as
“the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance
about the achievement of an entity’s objectives regarding reliability of financial
reporting, effectiveness and efficiency of operations, safeguarding of assets, and
compliance with applicable laws and regulations”.
An Internal Control System -
♦ facilitates the effectiveness and efficiency of operations.
♦ helps ensure the reliability of internal and external financial reporting.
♦ assists compliance with applicable laws and regulations.
♦ helps safeguarding the assets of the entity.
As per SA315, the five components of any internal control as they relate to a
financial statement audit are explained below. All these components must be
present to conclude that internal control is effective.
I. Control Environment
The Control Environment is the set of standards, processes, and structures that
provide the basis for carrying out internal control across the organization. The
Board of Directors and Senior Management establish the tone at the top regarding
the importance of internal control, including expected standards of conduct.
Management reinforces expectations at the various levels of the organization. The
control environment comprises the integrity and ethical values of the organization;
the parameters enabling the board of directors to carry out its governance
responsibilities; the organizational structure and assignment of authority and
responsibility; the process for attracting, developing, and retaining competent
individuals; and the rigor around performance measures, incentives, and rewards
to drive accountability for performance. The resulting control environment has a
pervasive impact on the overall system of internal control.
process relevant transactions. The masters are set up first time during installation
and these are changed whenever the business process rules or parameters are
changed. Examples are Vendor Master, Customer Master, Material Master,
Accounts Master, Employee Master etc. Any changes to these data have to be
authorized by appropriate personnel and these are logged and captured in
exception reports. The way masters are set up will drive the way software will
process transactions of that type. For example: The Customer Master will have the
credit limit of the customer. When an invoice is raised, the system will check against
the approved credit limit and if the amount invoiced is within the credit limit, the
invoice will be created, if not the invoice will be put on “credit hold” till proper
approvals are obtained.
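The credit-limit check described above, together with the requirement that master changes be authorized and captured in an exception report, as an added example in Python (not code from the textbook). The record layout, the roles permitted to authorize a change and the sample values are assumptions made for the example.

```python
"""Credit-hold check driven by a Customer Master, with authorized master
changes logged to an exception report. Added illustration; the field names,
the authorizing roles and the sample values are assumptions."""
from dataclasses import dataclass
from typing import Optional

@dataclass
class CustomerMaster:
    customer_id: str
    credit_limit: float          # approved limit held in the master
    outstanding: float = 0.0     # invoiced amount not yet collected

@dataclass
class MasterChange:
    customer_id: str
    field_name: str
    old_value: float
    new_value: float
    changed_by: str
    authorized_by: Optional[str]  # None when no authorization was recorded

# Roles assumed (for this example) to be permitted to authorize master changes.
AUTHORIZED_ROLES = {"credit_manager", "finance_controller"}

def apply_master_change(master, change, roles, exception_report):
    """Apply a change only if an authorized role approved it. Every attempt is
    written to the exception report; unauthorized ones are rejected unchanged."""
    role = roles.get(change.authorized_by) if change.authorized_by else None
    if role not in AUTHORIZED_ROLES:
        exception_report.append(("REJECTED_MASTER_CHANGE", change))
        return False
    setattr(master, change.field_name, change.new_value)
    exception_report.append(("MASTER_CHANGE", change))
    return True

def raise_invoice(master, amount):
    """Create the invoice if it stays within the approved credit limit;
    otherwise put it on credit hold until proper approvals are obtained."""
    if master.outstanding + amount <= master.credit_limit:
        master.outstanding += amount
        return {"customer": master.customer_id, "amount": amount, "status": "CREATED"}
    return {"customer": master.customer_id, "amount": amount, "status": "CREDIT_HOLD"}

if __name__ == "__main__":
    # Constructed walk-through: limit 1,00,000, 80,000 already outstanding.
    m = CustomerMaster("C001", credit_limit=100000.0, outstanding=80000.0)
    report = []
    roles = {"alice": "credit_manager", "bob": "clerk"}
    print(raise_invoice(m, 15000.0)["status"])   # CREATED
    print(raise_invoice(m, 10000.0)["status"])   # CREDIT_HOLD
    change = MasterChange("C001", "credit_limit", 100000.0, 150000.0, "bob", "alice")
    print(apply_master_change(m, change, roles, report), m.credit_limit)
```

The point the example makes is that the master, not the transaction screen, decides the outcome: the invoice code never looks at who is keying it in, so the only way to get a large invoice through is to change the limit, and that path is the one that is authorized and logged.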
Example 1.8: Some examples of masters are given here-
♦ Vendor Master: Credit period, vendor bank account details, etc.
♦ Customer Master: Credit limit, Bill to address, Ship to address, etc.
♦ Material Master: Material type, Material description, Unit of measure, etc.
♦ Employee Master: Employee name, designation, salary details, etc.
3. Transactions
Transactions refer to the actual transactions entered through menus and functions
in the application software, through which all transactions for specific modules are
initiated, authorized or approved. For example: Sales transactions, Purchase
transactions, Stock transfer transactions, Journal entries and Payment transactions.
Implementation or review of a specific business process can be done from a risk or a
control perspective. From the risk perspective, we consider each of the key
sub-processes or activities performed in a business process and look at the existing
and related control objectives, the existing controls, and the residual risks after
application of controls. The residual risk should be knowingly accepted by
management.
If we review this from a control objective perspective, then for each key sub-process
or activity we consider what is sought to be achieved by implementing controls,
then evaluate whether the risks are mitigated by the controls implemented at
present, what the residual risks are, and whether there is a need to
complement them with or add more controls.
Given below are some examples of risks and controls for a few business processes.
The checklist provided below is illustrative. It is not necessary that all the sub-
processes/activities given below are applicable for all enterprises. However, they
Transactions
Table 1.7.2: Risks and Control Objectives (Transactions-P2P)
Risk | Control Objective
Unauthorized purchase requisitions are ordered. | Purchase orders are placed only for approved requisitions.
Purchase orders are not entered correctly in the system. | Purchase orders are accurately entered.
Purchase orders issued are not input and processed. | All purchase orders issued are input and processed.
Amounts are posted in accounts payable for goods or services not received. | Amounts posted to accounts payable represent goods or services received.
Amounts posted to accounts payable are not properly calculated and recorded. | Accounts payable amounts are accurately calculated and recorded.
Amounts for goods or services received are not input and processed in accounts payable. | All amounts for goods or services received are input and processed to accounts payable.
Amounts for goods or services received are recorded in the wrong period. | Amounts for goods or services received are recorded in the appropriate period.
Accounts payable amounts are adjusted based on unacceptable reasons. | Accounts payable are adjusted only for valid reasons.
Credit notes and other adjustments are not accurately calculated and recorded. | Credit notes and other adjustments are accurately calculated and recorded.
All valid credit notes and other adjustments related to accounts payable are not input and processed. | All valid credit notes and other adjustments related to accounts payable are input and processed.
Credit notes and other adjustments are recorded in the wrong period. | Credit notes and other adjustments are recorded in the appropriate period.
Disbursements are made for goods and services that have not been received. | Disbursements are made only for goods and services received.
Disbursements are distributed to unauthorized suppliers. | Disbursements are distributed to the appropriate suppliers.
Disbursements are not accurately calculated and recorded. | Disbursements are accurately calculated and recorded.
All disbursements are not recorded. | All disbursements are recorded.
Risk | Control Objective
Invalid changes are made to the customer master file. | Only valid changes are made to the customer master file.
All valid changes to the customer master file are not input and processed. | All valid changes to the customer master file are input and processed.
Changes to the customer master file are not accurate. | Changes to the customer master file are accurate.
Changes to the customer master file are not processed in a timely manner. | Changes to the customer master file are processed in a timely manner.
Customer master file data is not up-to-date and relevant. | Customer master file data is up to date and relevant.
System access to maintain customer masters has not been restricted to the authorized users. | System access to maintain customer masters has been restricted to the authorized users.
Transactions
Table 1.7.4: Risks and Control Objectives (Transactions-O2C)
Risk | Control Objective
Orders are processed exceeding customer credit limits without approvals. | Orders are processed only within approved customer credit limits.
Orders are not approved by management as to prices and terms of sale. | Orders are approved by management as to prices and terms of sale.
Orders and cancellations of orders are not input accurately. | Orders and cancellations of orders are input accurately.
Order entry data are not transferred completely and accurately to the shipping and invoicing activities. | Order entry data are transferred completely and accurately to the shipping and invoicing activities.
All orders received from customers are not input and processed. | All orders received from customers are input and processed.
Invalid and unauthorized orders are input and processed. | Only valid and authorized orders are input and processed.
Invoices are generated using unauthorized terms and prices. | Invoices are generated using authorized terms and prices.
Invoices are not accurately calculated and recorded. | Invoices are accurately calculated and recorded.
Transactions
Configuration
Tables 1.7.9 and 1.7.10 given below provide Risks and Control Objectives (Masters-
Fixed Assets) and Risks and Control Objectives (Transactions-Fixed Assets) respectively.
Masters
Risk | Control Objective
Fixed asset acquisitions are not recorded. | All fixed asset acquisitions are recorded.
Depreciation charges are not accurately calculated and recorded. | Depreciation charges are accurately calculated and recorded.
Depreciation charges are not recorded in the appropriate period. | All depreciation charges are recorded in the appropriate period.
Fixed asset disposals/transfers are not recorded. | All fixed asset disposals/transfers are recorded.
Fixed asset disposals/transfers are not accurately calculated and recorded. | Fixed asset disposals/transfers are accurately calculated and recorded.
Fixed asset disposals/transfers are not recorded in the appropriate period. | Fixed asset disposals/transfers are recorded in the appropriate period.
Records of fixed asset maintenance activity are not accurately maintained. | Records of fixed asset maintenance activity are accurately maintained.
Fixed asset maintenance activity records are not updated in a timely manner. | Fixed asset maintenance activity records are updated in a timely manner.
Accounting entries pertaining to acquisition, disposals, transfers, retirement are not recorded in the correct GL account. | Accounting entries pertaining to acquisition, disposals, transfers, retirement are recorded in the correct GL account.
System access to process fixed asset transactions has not been restricted to the authorized users. | System access to process fixed asset transactions has been restricted to the authorized users.
4. Posting of Transactions
5. Generating Financial Reports
Risks and Control Objectives (Configuration-General Ledger); Risks and Control
Objectives (Masters-General Ledge) and Risks and Control Objectives (Transactions-
General Ledger) are provided below in Tables 1.7.11, 1.7.12 and 1.7.13 respectively.
Configuration
Table 1.7.11: Risks and Control Objectives (Configuration-General Ledger)
Risk | Control Objective
that were posted to the general ledger during the month are not flagged by the system and not subsequently reviewed for accuracy and approved by the controller or CFO after month-end. | that were posted to the general ledger during the month are flagged by the system and subsequently reviewed for accuracy and approved by the controller or CFO after month-end.
Automated amortization timing, periods and methods are not appropriate and not accurately entered. | Automated amortization timing, periods and methods are appropriate and accurately entered.
Standard, recurring period-end journal entries submitted from subsidiary ledger systems are not automated, not appropriately approved and not entered accurately. | Standard, recurring period-end journal entries submitted from subsidiary ledger systems are automated, appropriately approved and entered accurately.
Transactions can be recorded outside of financial close cut-off requirements. | Transactions cannot be recorded outside of financial close cut-off requirements.
The sources of all entries are not readily identifiable. | The sources of all entries are readily identifiable.
Transactions are not rejected, accepted and identified, on exception reports in the event of data exceptions. | Transactions are rejected, or accepted and identified, on exception reports in the event of data exceptions.
Account mappings are not up to date. | Account mappings are up to date.
Adding to or deleting general ledger accounts are not limited to authorized accounting department personnel. | Adding to or deleting general ledger accounts are limited to authorized accounting department personnel.
Masters
Table 1.7.12: Risks and Control Objectives (Masters-General Ledger)
Risk | Control Objective
General ledger master file change reports are not generated by the system and are not reviewed as necessary by an individual who does not input the changes. | General ledger master file change reports are generated by the system and reviewed as necessary by an individual who does not input the changes.
A standard chart of accounts has not been approved by management and is not utilized within all entities of the corporation. | A standard chart of accounts has been approved by management and is utilized within all entities of the corporation.
Transactions
[Flowchart symbols figure; labels recovered: Pre-defined Process, Stored Data, Internal Storage, Sequential Data, Direct Data, Manual Input, Auto Height Text, Dynamic Connector, Line Curve Connector, Control Transfer, Annotation]
There are many different types of flowcharts, and each type has its own collection
of boxes and notational conventions. The two most common types of boxes in a
flowchart are as follows:
♦ Separate the different steps in the process. Identify each individual step in
the process and how it is connected to the other steps. On the most general
level, you will have events (steps that require no action by the business),
activities (performed by the business in response to input), and decision
gateways (splits in the process where the path of the process is decided by
some qualifier). Between these objects, there are connectors, which can be
either solid arrows (activity flow) or dashed (message/information flow).
♦ Clarify who performs each step and what is performed in each step. To make
the process as clear as possible, you should determine which part of the
business completes each step. For example, different parts of the process may
be completed by the accounting department, customer service, or order
fulfilment. Alternately, for a small business, these steps may be completed by
specific individuals. In BPMN, the associated person or department for each
activity is either denoted by a designator next to the step or by a horizontal
division or “lanes” in the flow chart that shows which part of the business
performs each step, i.e. person or department.
Fig. 1.8.2 is a very simple flowchart which represents a process that happens in our
daily life.
[Fig. 1.8.2: Lamp plugged in? No: Plug in lamp. Yes: Bulb burned out? Yes: Replace bulb. No: Repair lamp.]
START
2: SET A = 1
3: B = B + A
4: IS A = 199? No: go to 5. Yes: go to 6.
5: A = A + 2, then back to 3
6: PRINT B
END
Fig. 1.8.3: Flowchart for addition of first 100 odd numbers
Step 1 - All working locations are set at zero. This is necessary because if they are
holding some data of the previous program, that data is liable to corrupt the result
of the flowchart.
Step 2 - A is set at 1 so that subsequently by incrementing it successively by 2, we
get the wanted odd terms: 1,3,5,7 etc.
Step 3 - A is poured into B i.e., added to B. B being 0 at the moment and A being
1, B becomes 0 + 1 = 1.
Step 4 - Step 4 poses a question: “Has A become 199?” If not, go to step 5, where
we increment A by 2, so that although A is 1 at the moment, it is made 3 in step
5, and so on. Then go back to Step 3, forming a loop.
We must stop at the 100th term, which is equal to 199. Thus A is repeatedly
incremented in step 5 and added to B in step 3. In other words, B holds the
cumulative sum up to the latest term held in A.
When A has become 199, the necessary computations have been carried out,
so in Step 6 the result is printed.
Example 1.10: An E-commerce site has the following cash back offers.
(i) If purchase mode is via website, an initial discount of 10% is given on bill amount.
(ii) If purchase mode is via phone app, an initial discount of 20% is given on bill
amount.
(iii) If done via any other purchase mode, the customer is not eligible for any discount.
[Flowchart for Example 1.10: Start; TRP = 0, TBA = 0, BA = 0; If PM = Website? Yes: IN_DISC = 0.10; No: If PM = Phone App? Yes: IN_DISC = 0.20; No: IN_DISC = 0; TRP = NOP * 10; BA = BA – (BA * IN_DISC); If TRP > 200? Yes: ET_DISC = 0.40, TBA = BA – (BA * ET_DISC); No: TBA = BA; Stop]
[Residue of further flowcharts on this page: I = 1; If CLASS = A? Yes: HRA = 0.3 * BASIC; If CLASS = B? Yes: HRA = 0.2 * BASIC; No: HRA = 0.1 * BASIC; DA = 0.6 * BASIC; P4 = C4 * 100 / 500; Stop]
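Example 1.10 as a decision procedure in code, added here as an illustration and not taken from the textbook. The variable names PM, NOP, TRP, BA, TBA, IN_DISC and ET_DISC follow the flowchart; reading NOP as a count of purchases and TRP as total reward points, and applying the extra 40% discount when TRP exceeds 200, are this example's assumptions taken from the flowchart's boxes rather than from the text.

```python
"""Example 1.10's cash-back flowchart as code. Added illustration; the meaning
of NOP (count of purchases) and the reward-point rule are assumptions read off
the flowchart's boxes (TRP = NOP * 10; If TRP > 200? -> ET_DISC = 0.40)."""

INITIAL_DISCOUNT = {"Website": 0.10, "Phone App": 0.20}  # rules (i) and (ii); rule (iii): anything else gets 0
REWARD_POINTS_PER_PURCHASE = 10       # TRP = NOP * 10 in the flowchart
EXTRA_DISCOUNT_THRESHOLD = 200        # decision box 'If TRP > 200?'
EXTRA_DISCOUNT = 0.40                 # ET_DISC

def total_bill_amount(pm, nop, ba):
    """Return (TBA, details) for purchase mode pm, nop purchases and bill amount ba.

    Follows the flowchart top to bottom: initial discount by purchase mode,
    then reward points, then the extra discount on the already discounted amount."""
    if ba < 0 or nop < 0:
        raise ValueError("bill amount and number of purchases must be non-negative")
    in_disc = INITIAL_DISCOUNT.get(pm, 0.0)        # IN_DISC: 0.10, 0.20 or 0
    ba_after_initial = ba - ba * in_disc           # BA = BA - (BA * IN_DISC)
    trp = nop * REWARD_POINTS_PER_PURCHASE         # TRP = NOP * 10
    et_disc = EXTRA_DISCOUNT if trp > EXTRA_DISCOUNT_THRESHOLD else 0.0
    tba = ba_after_initial - ba_after_initial * et_disc   # TBA = BA - (BA * ET_DISC), or TBA = BA
    return round(tba, 2), {"IN_DISC": in_disc, "TRP": trp, "ET_DISC": et_disc}

if __name__ == "__main__":
    # Constructed inputs: website purchase, 25 purchases, bill of 1000.
    print(total_bill_amount("Website", 25, 1000.0))    # (540.0, {...})
    print(total_bill_amount("Phone App", 10, 1000.0))  # (800.0, {...})
    print(total_bill_amount("Store", 30, 500.0))       # (300.0, {...})
```

Note that the 40% is applied to the amount left after the initial discount, exactly as the flowchart orders the boxes; applying both discounts to the original bill amount instead would give a different figure, which is the kind of ambiguity a flowchart resolves and prose often does not.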
[Flowchart for Example 1.12: Start; Step A: S = Z, Z = Y, Y = X, X = S; Step B: I = I + 1; If I = 1? No: back to Step A; Yes: Print X, Y, Z; Stop]
(d) For I = 1 at Step A, the flowchart will enter an infinite loop, as the condition I =
1 will never be true.
Table 1.8.1: Working of Example 1.12 (initial values I = 0, S = 0, X = 10, Y = 20, Z = 30)
Pass through Step A | S = Z | Z = Y | Y = X | X = S | I = I + 1
1 | S = 30 | Z = 20 | Y = 10 | X = 30 | I = 1
2 | S = 20 | Z = 10 | Y = 30 | X = 20 | I = 2
3 | S = 10 | Z = 30 | Y = 20 | X = 10 | I = 3
4 | S = 30 | Z = 20 | Y = 10 | X = 30 | I = 4
5 | S = 20 | Z = 10 | Y = 30 | X = 20 | I = 5
6 | S = 10 | Z = 30 | Y = 20 | X = 10 | I = 6
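The two loop flowcharts of this section, Fig. 1.8.3 (sum of the first 100 odd numbers) and Example 1.12 (rotation of X, Y, Z until I = 1), run as code. This is an added example, not code from the textbook; the iteration cap and the LoopDidNotTerminate exception are additions that make the infinite-loop case in (d) observable instead of hanging.

```python
"""Loop flowcharts from the chapter as code, with a guard that reports when
the termination test can never become true. Added illustration; MAX_ITERATIONS
and LoopDidNotTerminate are this example's own devices."""

MAX_ITERATIONS = 10_000   # assumption: any legitimate run of these charts needs far fewer passes

class LoopDidNotTerminate(Exception):
    """Raised when the loop's exit condition is never met within the cap."""

def sum_of_odd_numbers(last_term=199):
    """Fig. 1.8.3: B accumulates A while A steps through 1, 3, 5, ...; the loop
    exits when 'IS A = last_term?' is true (199 is the 100th odd number)."""
    a, b = 1, 0                       # step 1/2: working locations at zero, A set to 1
    for _ in range(MAX_ITERATIONS):
        b = b + a                     # step 3: pour A into B
        if a == last_term:            # step 4: has A reached the last term?
            return b                  # step 6: PRINT B
        a = a + 2                     # step 5: next odd number, then back to step 3
    # A is always odd, so an even last_term is never matched: the chart would loop forever.
    raise LoopDidNotTerminate(f"A never equals {last_term}")

def rotate_until(x, y, z, i, stop_when_i_equals=1):
    """Example 1.12: Step A rotates X, Y, Z through S; Step B increments I and
    tests 'If I = stop_when_i_equals?'. Returns the (X, Y, Z) that would be printed."""
    for _ in range(MAX_ITERATIONS):
        s = z                         # Step A: S = Z
        z = y                         #         Z = Y
        y = x                         #         Y = X
        x = s                         #         X = S
        i = i + 1                     # Step B: I = I + 1
        if i == stop_when_i_equals:
            return (x, y, z)          # Print X, Y, Z
    # Case (d): if I already exceeds the target before the first increment, it never equals it.
    raise LoopDidNotTerminate(f"I never equals {stop_when_i_equals}")

if __name__ == "__main__":
    print(sum_of_odd_numbers())            # 10000
    print(rotate_until(10, 20, 30, 0))      # (30, 10, 20), first row of Table 1.8.1
    try:
        rotate_until(10, 20, 30, 1)         # case (d)
    except LoopDidNotTerminate as e:
        print("infinite loop detected:", e)
```

A flowchart whose exit test compares for equality, as both of these do, terminates only if the variable can actually take that value; the guard turns that design question into a runtime check.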
[Flowchart residue; decision boxes and assignments recovered: Start; DISC = 0; If CUST_TYPE = ‘DEALER’?; If PROD_TYPE = ’B’?; DISC = 0.12 * VAL_ORDER; DISC = 0.08 * VAL_ORDER; If CUST_TYPE = ‘RETAILER’?; DISC = 0.15 * VAL_ORDER; If VAL_ORDER ≥ 10,000?; DISC = 0.20 * VAL_ORDER; DISC = 0.0; FIN_BILL_AMT = VAL_ORDER - DISC; Print FIN_BILL_AMT, DISC; Stop]
Example 1.14: The Fig. 1.8.8 depicts a simple business process (traditional method)
flow.
[Fig. 1.8.8: Customer; Distribution Centre: Verify Availability (Available: Yes / Not available: No); Shipping; Accounts: Print Invoice]
Example 1.16: Given below in Fig. 1.8.10 is a simple scenario depicting a book
borrowed from a library being returned and the fine calculated, due to delay.
[Fig. 1.8.10 residue: Library Database]
[Residue of a further process diagram: Sales: Order Entered, In Stock?, Product Ok?, Invoice; Production: Scheduled, Diskettes Copied, Packages Assembled; Shipping: Order Picked, Order Shipped; Manufacturing: Send information to manufacturing, Product manufactured; Receivables]
(iv) Stores
• Receives the material.
• Checks the quantity received with the PO and quality with the users. If
there is any discrepancy the vendor is immediately informed.
• The Goods Received Note (GRN) is prepared based on the actual receipt
of material and the stores stock updated. The GRN is then sent to the
Accounts Payable department for processing the payment.
• A Material Issue Note is created and the material is sent to the
concerned user.
(v) Accounts Payable (AP)
AP will do a “3-way match” of PO/GRN/VI. This is to ensure that the price,
quantity and terms indicated in the VI match those in the PO and that the quantity
in the PO matches the GRN quantity. This check establishes that
what has been ordered has been delivered.
• If there is no discrepancy, the payment voucher is prepared for payment
and the necessary approvals obtained.
• If there is a discrepancy, the VI is put “on hold” for further clarification
and subsequently processed.
• Finally, the payment is made to the vendor.
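The “3-way match” described for Accounts Payable, as an added example in Python (not the textbook's code). The document layouts, the discrepancy messages and the sample documents are assumptions; the rule itself is the one stated above: VI price, quantity and terms must agree with the PO, and the PO quantity must agree with the GRN, otherwise the invoice goes on hold.

```python
"""Three-way match of Purchase Order (PO), Goods Receipt Note (GRN) and Vendor
Invoice (VI). Added illustration; field names and sample data are assumptions."""
from dataclasses import dataclass

@dataclass(frozen=True)
class PurchaseOrder:
    po_number: str
    vendor: str
    item: str
    quantity: int
    unit_price: float
    terms: str

@dataclass(frozen=True)
class GoodsReceiptNote:
    po_number: str
    item: str
    quantity_received: int   # actual receipt recorded by Stores

@dataclass(frozen=True)
class VendorInvoice:
    po_number: str
    vendor: str
    item: str
    quantity: int
    unit_price: float
    terms: str

def three_way_match(po, grn, vi):
    """Return ('APPROVE_FOR_PAYMENT', []) when PO, GRN and VI agree, otherwise
    ('ON_HOLD', discrepancies) so the VI is held for clarification."""
    discrepancies = []
    if not (po.po_number == grn.po_number == vi.po_number):
        discrepancies.append("PO number differs across PO/GRN/VI")
    if vi.vendor != po.vendor:
        discrepancies.append(f"vendor on VI ({vi.vendor}) differs from PO ({po.vendor})")
    if vi.item != po.item or grn.item != po.item:
        discrepancies.append("item differs across PO/GRN/VI")
    if vi.unit_price != po.unit_price:
        discrepancies.append(f"price on VI ({vi.unit_price}) differs from PO ({po.unit_price})")
    if vi.terms != po.terms:
        discrepancies.append("payment terms on VI differ from PO")
    if grn.quantity_received != po.quantity:
        discrepancies.append(f"received {grn.quantity_received} vs ordered {po.quantity}")
    if vi.quantity != grn.quantity_received:
        discrepancies.append(f"invoiced {vi.quantity} vs received {grn.quantity_received}")
    if discrepancies:
        return "ON_HOLD", discrepancies
    return "APPROVE_FOR_PAYMENT", discrepancies

if __name__ == "__main__":
    # Constructed documents (not from the textbook).
    po = PurchaseOrder("PO-100", "Acme Fasteners", "bolt M8", 10, 5.0, "NET30")
    grn = GoodsReceiptNote("PO-100", "bolt M8", 10)
    print(three_way_match(po, grn, VendorInvoice("PO-100", "Acme Fasteners", "bolt M8", 10, 5.0, "NET30")))
    print(three_way_match(po, grn, VendorInvoice("PO-100", "Acme Fasteners", "bolt M8", 12, 5.5, "NET30")))
```

Every comparison is made against a document produced by a different department (purchase, stores, the vendor), which is what makes the match a control rather than a re-check of the invoice against itself.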
The core to any enterprise’s success is to have an efficient and effective financial
information system to support decision-making and monitoring. The risks, controls
and security of such systems should be clearly understood to pass an objective
opinion about the adequacy of control in an IT environment.
1.9.1 The Companies Act, 2013
The Companies Act, 2013 has two very important Sections - Section 134 and
Section 143, which have a direct impact on the audit and accounting profession.
(i) Section 134
Section 134 of the Companies Act, 2013 on “Financial statement, Board’s
report, etc.” states inter alia:
The Directors’ Responsibility Statement referred to in clause (c) of sub-section
(3) shall state that:
(c) the Directors had taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of this Act for safeguarding
the assets of the company and for preventing and detecting fraud and other
irregularities;
(e) the Directors, in the case of a listed company, had laid down internal financial
controls to be followed by the company and that such internal financial
controls are adequate and were operating effectively.
Explanation: For the purposes of this clause, the term “Internal Financial Controls”
means the policies and procedures adopted by the company for ensuring the
orderly and efficient conduct of its business, including adherence to company’s
policies, the safeguarding of its assets, the prevention and detection of frauds and
errors, the accuracy and completeness of the accounting records, and the timely
preparation of reliable financial information.
(ii) Section 143
Section 143, of the Companies Act 2013, on “Powers and duties of auditors
and auditing standards” states inter alia:
Section 143(3)(i) contains the Auditor’s Report which shall state that:
“Whether the company has adequate internal financial controls system in place and
the operating effectiveness of such controls”;
When we talk in terms of “adequacy and effectiveness of controls”; it refers to the
adequacy of the control design and whether the control has been working
effectively during the relevant financial year.
Example 1.20: Let us assume that a company has a sales invoicing control wherein
all sales invoices raised by the salesman that are greater than ₹ 50,000/- are
reviewed and approved by the sales manager. In terms of control design, this
control may seem adequate. However, suppose that during the audit it was found
that, during the year, many invoices raised by the salesman that were greater than
₹ 50,000/- were not reviewed and approved by the sales manager. In such a case,
although the control design was adequate, the control was not working effectively,
because of the many exceptions without proper approval.
As per ICAI’s "Guidance Note on Audit of Internal Financial Controls Over
Financial Reporting”:
Clause (i) of Sub-section 3 of Section 143 of the Companies Act, 2013 (“The 2013
Act” or “The Act”) requires the auditors’ report to state whether the company has
adequate internal financial controls system in place and the operating effectiveness
of such controls.
I. Management’s Responsibility
The Companies Act, 2013 has significantly expanded the scope of internal controls
to be considered by the management of companies to cover all aspects of the
operations of the company. Clause (e) of Sub-section 5 of Section 134 to the Act
requires the directors’ responsibility statement to state that the directors, in the
case of a listed company, had laid down internal financial controls to be followed
by the company and that such internal financial controls are adequate and were
operating effectively.
Clause (e) of Sub-section 5 of Section 134 explains the meaning of the term,
“internal financial controls” as “the policies and procedures adopted by the
company for ensuring the orderly and efficient conduct of its business, including
adherence to company’s policies, the safeguarding of its assets, the prevention and
detection of frauds and errors, the accuracy and completeness of the accounting
records, and the timely preparation of reliable financial information.”
Rule 8(5)(viii) of the Companies (Accounts) Rules, 2014 requires the Board of
Directors’ report of all companies to state the details in respect of adequacy of
internal financial controls with reference to the financial statements.
The inclusion of the matters relating to internal financial controls in the directors’
responsibility statement is in addition to the requirement for the directors to state
that they have taken proper and sufficient care for the maintenance of adequate
accounting records in accordance with the provisions of the 2013 Act, for
safeguarding the assets of the company and for preventing and detecting fraud
and other irregularities.
II. Auditors’ Responsibility
The auditor’s objective in an audit of internal financial controls over financial
reporting is to express an opinion on the effectiveness of the company’s internal
financial controls over financial reporting; the procedures in respect thereof are
carried out along with an audit of the financial statements. Because a company’s
internal controls cannot be considered effective if one or more material weaknesses
exist, to form a basis for expressing an opinion the auditor should plan and
perform the audit to obtain sufficient appropriate evidence to obtain reasonable
assurance about whether material weaknesses exist as of the date specified in
management’s assessment. A material weakness in internal financial controls may
exist even when the financial statements are not materially misstated.
III. Corporate Governance Requirements
Corporate Governance is the framework of rules and practices by which a board of
directors ensures accountability, fairness, and transparency in a company’s
relationship with all its stakeholders (financiers, customers, management,
employees, government, and the community). The directors of a company are
responsible to the shareholders for their actions in directing and controlling the
business of the company. Good corporate governance requires establishment of
sound internal control practices, risk management, and compliance with relevant
laws and standards such as corporate disclosure requirements. Good management
practices are one of the important elements of corporate governance. The major
elements of corporate governance include management’s commitment, good
management practices, functional and effective control environment, transparent
disclosure and well defined shareholder rights.
The Corporate Governance framework consists of:
(i) explicit and implicit contracts between the company and the stakeholders for
distribution of responsibilities, rights, and rewards.
(ii) procedures for reconciling the sometimes-conflicting interests of
stakeholders in accordance with their duties, privileges, and roles, and
(iii) procedures for proper supervision, control, and information-flows to serve as
a system of checks-and-balances.
2(i) “Computer” means any electronic, magnetic, optical or other high-speed data
processing device or system which performs logical, arithmetic, and memory
functions by manipulations of electronic, magnetic or optical impulses, and
includes all input, output, processing, storage, computer software, or
communication facilities which are connected or related to the computer in a
computer system or computer network;
2(j) “Computer Network” means the interconnection of one or more Computers or
Computer systems or Communication device through-
(i) the use of satellite, microwave, terrestrial line, wire, wireless or other
communication media; and
(ii) terminals or a complex consisting of two or more interconnected
computers or communication device whether or not the interconnection
is continuously maintained;
2(o) “Data” means a representation of information, knowledge, facts, concepts or
instructions which are being prepared or have been prepared in a formalized
manner, and is intended to be processed, is being processed or has been
processed in a computer system or computer network and may be in any form
(including computer printouts magnetic or optical storage media, punched
cards, punched tapes) or stored internally in the memory of the computer;
2(v) “Information” includes data, message, text, images, sound, voice, codes,
computer programmes, software and databases or microfilm or computer
generated microfiche;
In a cyber-crime, the computer or the data are the target or the object of the offence,
or a tool in committing some other offence. The definition of the term computer
elaborates that a computer is not only the computer or laptop on our tables: as
per the definition, computer means any electronic, magnetic, optical or other
high-speed data processing device or system which performs logical, arithmetic
and memory functions by manipulations of electronic, magnetic or optical
impulses, and includes all input, output, processing, storage, computer software
or communication facilities which are connected or related to the computer in a
computer system or computer network. Thus, the definition is wide enough to
include mobile phones, automatic washing machines, microwave ovens etc.
A. Key Provisions of IT Act
Some of key provisions of IT related offences as impacting the banks are given here.
(c) cultivates, entices or induces children to online relationship with one or more
children for and on sexually explicit act or in a manner that may offend a
reasonable adult on the computer resource; or
(d) facilitates abusing children online; or
(e) records in any electronic form own abuse or that of others pertaining to sexually
explicit act with children, shall be punished on first conviction with imprisonment
of either description for a term which may extend to five years and with a fine
which may extend to ten lakh rupees and in the event of second or subsequent
conviction with imprisonment of either description for a term which may extend
to seven years and also with fine which may extend to ten lakh rupees:
PROVIDED that provisions of Section 67, Section 67A and this section does not extend
to any book, pamphlet, paper, writing, drawing, painting representation or figure in
electronic form -
(i) the publication of which is proved to be justified as being for the public good
on the ground that such book, pamphlet, paper writing, drawing, painting,
representation or figure is in the interest of science, literature, art or learning or
other objects of general concern; or
(ii) which is kept or used for bona fide heritage or religious purposes.
Explanation -
For the purposes of this section, "children" means a person who has not completed
the age of 18 years.
B. Computer Related Offences
Let us look at some common cyber-crime scenarios which can attract prosecution
as per the penalties and offences prescribed in Information Technology Act, 2000
(amended via 2008).
♦ Harassment via fake public profile on social networking site: A fake
profile of a person is created on a social networking site with the correct
address, residential information or contact details but he/she is labelled as
‘prostitute’ or a person of ‘loose character’. This leads to harassment of the
victim. Section 67 of the IT Act, 2000 is applicable here.
♦ Email Account Hacking: If a victim’s email account is hacked and obscene
emails are sent to people in the victim’s address book, Sections 43, 66, 66A, 66C,
67, 67A and 67B of the IT Act, 2000 are applicable.
“At ABC Ltd., we take your privacy very seriously. Because of this, we want to provide
you with explicit information on how we collect, gather and identify information
during your visit to our site. This information may be expanded or updated as we
change or develop our site. For this reason, we recommend that you review this
policy from time-to-time to see if anything has changed. Your continued use of our
site signifies your acceptance of our privacy policy.”
Personally identifiable information refers to information that tells us specifically
who you are, such as your name, phone number, email or postal address. In many
cases, we need this information to provide the personalized or enhanced service
that you have requested. The amount of personally identifiable information that
you choose to disclose to ABC Ltd. is completely up to you. The only way we know
something about you personally is if you provide it to us in conjunction with one
of our services.
What information do we collect and how do we use it?
♦ ABC Ltd. collects information on our users by your voluntary submissions
(e.g., when you sign up for a white paper or request product information).We
also collect, store and accumulate certain non-personally identifiable
information concerning your use of this web site, such as which of our pages
are most visited.
♦ The information ABC Ltd. collects is used in a variety of ways: for internal
review; to improve the content of the site, thus making your user experience
more valuable; and to let you know about products and services of interest.
Email
♦ If you have provided us your email address, ABC Ltd. periodically sends
promotional emails about products offered by us. If you do not wish to
receive email information from ABC Ltd. please let us know by emailing us.
♦ ABC Ltd. does not sell, rent, or give away your personal information to third
parties. By using our web site, you provide consent to the collection and use
of the information described in this Privacy Policy of ABC Ltd.
IV. Sensitive Personal Data Information (SPDI)
Reasonable Security Practices and Procedures and Sensitive Personal Data or
Information Rules 2011 formed under Section 43A of the Information Technology
Act 2000 define a data protection framework for the processing of digital data by
Body Corporate.
Scope of Rules: Currently the Rules apply to Body Corporate and digital data. As
per the IT Act, Body Corporate is defined as “Any company and includes a firm, sole
proprietorship or other association of individuals engaged in commercial or
professional activities.”
The present scope of the Rules excludes from its purview several actors that do or
could have access to Big Data or use Big Data practices. The Rules would not apply
to government bodies or individuals collecting and using Big Data. Yet, with
technologies such as IoT (Internet of Things) and the rise of Smart Cities across
India – a range of government, public, and private organizations and actors could
have access to Big Data.
Definition of Personal and Sensitive Personal data: Rule 2(i) defines personal
information as “information that relates to a natural person which either directly or
indirectly, in combination with other information available or likely to be available
with a body corporate, is capable of identifying such person.”
Rule 3 defines sensitive personal information as Passwords; Financial information;
Physical/physiological/mental health condition; Sexual orientation; Medical records
and history; and Biometric information.
The present definition of personal data hinges on the factor of identification (data that
is capable of identifying a person). Yet this definition does not encompass information
that is associated to an already identified individual - such as habits, location, or
activity.
The definition of personal data also addresses only the identification of ‘such
person’ and does not address data that is related to a particular person but that
also reveals identifying information about another person - either directly - or when
combined with other data points. By listing specific categories of sensitive personal
information, the Rules do not account for additional types of sensitive personal
information that might be generated or correlated through the use of Big Data
analytics.
Importantly, the definitions of sensitive personal information or personal
information do not address how personal or sensitive personal information - when
anonymized or aggregated – should be treated.
Consent to collect: Rule 5(1) requires that Body Corporate should, prior to
collection, obtain consent in writing through letter or fax or email from the provider
of sensitive personal data regarding the use of that data.
In a context where services are delivered with little or no human interaction, data
is collected through sensors, data is collected on a real time and regular basis, and
data is used and re-used for multiple and differing purposes - it is not practical,
and often not possible, for consent to be obtained through writing, letter, fax, or
email for each instance of data collection and for each use.
Consent to Disclosure: Rule 6 provides that Disclosure of sensitive personal data
or information by body corporate to any third party shall require prior permission
from the provider of such information, who has provided such information under
lawful contract or otherwise, unless such disclosure has been agreed to in the
contract between the body corporate and provider of information, or where the
disclosure is necessary for compliance of a legal obligation.
ILLUSTRATION 1.1
ABC Ltd. is engaged in the business of producing consumer durable products. It is
facing the problem of poor customer service due to its broken, inefficient, and
manual processes. The customers of the company are becoming more demanding
with respect to higher quality of products and delivery time.
To remain competitive in the market and to overcome the issues faced by its
customers, the company decided to optimize and streamline its essential business
processes using the latest technology to automate the functions involved in
carrying out these essential processes. The management of the company is very
optimistic that with automation of business processes, it will be able to extract
maximum benefit by using the available resources to their best advantage.
Moreover, with automation the company will be able to integrate various processes
and serve its customers better and faster. The management is aware that the
automation of business processes will lead to new types of risks in the company’s
business. The failure or malfunction of any critical business process will cause
significant operational disruptions and materially impact its ability to provide timely
services to its customers. The management of ABC Ltd. adopted different Enterprise
Risk Management (ERM) strategies to operate more effectively in environment
filled with risks. To reduce the impact of these risks, the company also decided to
implement necessary internal controls.
Read the above illustration carefully and answer the following questions:
1. The processes automated by ABC Ltd. are susceptible to many direct and indirect
challenges. Which of the following factors cannot be considered valid if the
company fails to achieve the desired results?
(a) The business processes are not well thought or executed to align with
business objectives.
(b) The staff may perceive automated processes as threat to their jobs.
(c) The documentation of all the automated business processes is not done
properly.
(d) The implementation of automated processes in the company may be an
expensive proposition.
2. The processes automated by ABC Ltd. are technology driven. The dependence
on technology in key business processes exposed the company to various
internal as well as external threats. According to you, external threats leading to
cyber-crime in BPA arise because:
(a) Organizations may have a highly-defined organization structure with
clearly defined roles, authority and responsibility.
(b) There may not be one but multiple vendors providing different services.
(c) The system environment provides access to customers anytime, anywhere
using internet.
(d) The dependence on technology is insignificant.
3. The management of ABC Ltd. adopted a holistic and comprehensive approach
of Enterprise Risk Management (ERM) framework by implementing controls
across the company. Identify the false statement w.r.t components of ERM
framework.
(a) As a part of event identification, potential events that might have an
impact on the entity should be identified.
(b) As a part of risk assessment component, identified risks are analyzed to
form a basis for determining how they should be managed.
(c) As a part of monitoring, the entire ERM process should be monitored with
no further modifications in the system.
(d) As a part of control activities, policies and procedures are established and
executed to help ensure that the risk responses that management selected
are effectively carried out.
4. The management of ABC Ltd. implemented different Information Technology
General Controls (ITGCs) across different layers of IT environment with an
objective to minimize the impact of risks associated with automated processes.
Which of the following is not an example of ITGC?
(a) Information Security Policy
automation and submitted his report to the management covering the following
points:
♦ The major benefits of Business Process Automation;
♦ The processes that are best suited to automation;
♦ Challenges that DXN Ltd. may face while implementing automated processes;
♦ Risks involved in Business Process Automation and how the management
should manage these risks
Read the above illustration carefully and answer the following Questions:
1. As DXN Ltd. was implementing automated processes for the first time, the
consultant suggested not automating all the processes at once, but only the
critical processes that would help the company handle a large volume of
transactions. Which of the following business processes are not best suited to
automation?
(a) Processes involving repetitive tasks
(b) Processes requiring employees to use personal judgment
(c) Time sensitive processes
(d) Processes having significant impact on other processes and systems
2. While understanding the criticality of various business processes of DXN Ltd., the
consultant Mr. X documented the current processes and identified the processes
that needed automation. However, documentation of existing processes does
not help in _______.
(a) providing clarity on the process
(b) determining the sources of inefficiency, bottlenecks, and problems
(c) controlling resistance of employees to the acceptance of automated
processes
(d) designing the process to focus on the desired result with workflow
automation
3. When DXN Ltd. decided to adopt automation to support its critical business
processes, it exposed itself to a number of risks. The risk that an automated
process could lead to a breakdown in internal processes, people and systems is a
type of _____.
(a) Operational Risk
4. Mr. X of DXN Ltd. prepared various flowcharts depicting how various processes
should be performed after automation and submitted his report to the
management. The flowcharting symbol that he used to depict processing step is
______.
(a) Rectangular Box
(b) Diamond
(c) Oval
(d) Line
SOLUTION
SUMMARY
Technology is the enabler of business process automation (BPA), and it can
automate business processes to the point where human intervention is
unnecessary. Automation can save time and money, delight customers who no
longer must wait in line for a person to assist them with a transaction and avoid
human errors.
But not every business process is a good fit for automation, so it’s incumbent upon
companies to determine which processes are best suited to automation and which
ones are best handled manually. How do companies select which business
processes to automate? Companies start by looking at the strategic and operating
drivers for process improvement in their organizations and industries. For instance,
in today’s global market, nearly every company is feeling pressure to get goods to
IT is the primary driver for enterprises to survive and thrive in this digital age.
Regulators have recognized the critical importance of IT and hence facilitate the
digital economy by providing a legislative framework and mandating compliances as
required. The IT Act, 2000 and the Companies Act, 2013 have been updated to meet
the needs of the digital economy. Protection of privacy and personal information is
also mandated. Cyber-crime is a reality of the digital world, which operates without
geographical boundaries. Various types of computer related offences have been
defined and penalties specified for them. Digitization of business processes is
essential for modern enterprises, and this leads to new risks which should be
mitigated by implementing appropriate controls.
7. As an entrepreneur, your business may face all kinds of risks, ranging from serious
loss of profits to even bankruptcy. What could be the possible Business Risks?
(Refer Section 1.4.3 (A))
8. Automated processes are technology driven. The dependence on technology in
BPA for most of the key business processes has led to various challenges. Explain
the technology related risks involved in BPA. [Refer Section 1.4.3 (B)]
16. Give five examples of computer related offences that can be prosecuted
under the IT Act 2000 (amended via 2008).
(Refer Section 1.9.2[Point No. I])
17. Draw a Flowchart for the following process:
Leebay is a new e-commerce web site that is setting up business in India.
Leebay and their partner bank Paxis have come up with a joint promotion
plan for which the following offers are proposed. Customers can either login
through a mobile app or directly from the website:
(i) If the payment mode chosen is ‘Paxis Credit’, then a 20% discount is given
to the user.
(ii) If the payment mode chosen is ‘Paxis Debit’, then a 10% discount is given
to the user.
(iii) If other payment modes are used, then no discount is given.
Also, to promote the downloads of its new smart phone app, the company
has decided to give the following offer:
(i) If the purchase mode is ‘Mobile App’, then no surcharge is levied on the
user.
(ii) If any other purchase mode is used, then additional 5% surcharge is
levied on the user. This surcharge is applied on the bill after all
necessary discounts have been applied.
With bill amount, payment mode and purchase mode as inputs, draw a flowchart
for the billing procedure for Leebay.
Solution: The variables used are defined as follows:
PU_MODE: Purchase Mode
BILL_AMT: Initial Bill Amount
TOT_BILL_AMT: Bill Amount after Discount
SCHG: Surcharge
FIN_BILL_AMT: Final Bill Amount after Surcharge
DISC: Discount
PMT_MODE: Payment Mode
Flowchart steps:
(i) Start
(ii) TOT_BILL_AMT = 0, FIN_BILL_AMT = 0
(iii) If PU_MODE = ‘Mobile App’? Yes: SCHG = 0.00; No: SCHG = 0.05
(iv) If PMT_MODE = ‘Paxis Credit’? Yes: DISC = 0.20; No: go to step (v)
(v) If PMT_MODE = ‘Paxis Debit’? Yes: DISC = 0.10; No: DISC = 0.0
(vi) Stop
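The billing procedure of Question 17, as an added Python example (not the study material's own code): it follows the solution's variable names and evaluates the purchase-mode and payment-mode decisions of the flowchart, then derives TOT_BILL_AMT and FIN_BILL_AMT from the question's statement that the surcharge is applied to the bill after all discounts. Amounts are handled as `Decimal` so the percentages do not accumulate floating-point error; the sample orders in the `__main__` block are constructed for illustration.

```python
from decimal import Decimal, ROUND_HALF_UP

# Added example, not the study material's own code. Rates and mode names are
# taken from Question 17; the sample orders below are constructed.

TWO_PLACES = Decimal("0.01")

def leebay_bill(bill_amt, pmt_mode: str, pu_mode: str) -> dict:
    """Return DISC, SCHG, TOT_BILL_AMT and FIN_BILL_AMT for one order.

    bill_amt : BILL_AMT, the initial bill amount (number or numeric string)
    pmt_mode : PMT_MODE, 'Paxis Credit', 'Paxis Debit' or any other mode
    pu_mode  : PU_MODE, 'Mobile App' or any other purchase mode
    """
    bill = Decimal(str(bill_amt))                  # BILL_AMT
    if bill < 0:
        raise ValueError("bill amount cannot be negative")

    # Purchase-mode decision: no surcharge for the app, 5% for anything else.
    schg = Decimal("0.00") if pu_mode == "Mobile App" else Decimal("0.05")

    # Payment-mode decisions: 20% for Paxis Credit, 10% for Paxis Debit, else 0.
    if pmt_mode == "Paxis Credit":
        disc = Decimal("0.20")
    elif pmt_mode == "Paxis Debit":
        disc = Decimal("0.10")
    else:
        disc = Decimal("0.0")

    # Discount first, then the surcharge on the discounted amount.
    tot_bill_amt = bill - disc * bill              # TOT_BILL_AMT
    fin_bill_amt = tot_bill_amt + schg * tot_bill_amt   # FIN_BILL_AMT

    return {
        "DISC": disc,
        "SCHG": schg,
        "TOT_BILL_AMT": tot_bill_amt.quantize(TWO_PLACES, rounding=ROUND_HALF_UP),
        "FIN_BILL_AMT": fin_bill_amt.quantize(TWO_PLACES, rounding=ROUND_HALF_UP),
    }

if __name__ == "__main__":
    # Constructed sample orders, one per branch of the flowchart.
    samples = [
        (1000, "Paxis Credit", "Website"),        # 20% off, then 5% surcharge
        (1000, "Paxis Debit", "Mobile App"),      # 10% off, no surcharge
        (1000, "Cash on Delivery", "Website"),    # no discount, 5% surcharge
    ]
    for amt, pmt, pu in samples:
        print(amt, pmt, pu, leebay_bill(amt, pmt, pu))
```

Exact string comparison on the mode names mirrors the flowchart's decision diamonds; in a real checkout the mode would come from a fixed set of codes rather than free text, so a typo cannot silently fall through to the "no discount" branch.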