GM TEST SERIES

CA Inter New Course

Amendments for
Dec’ 2021 Attempt
EIS & SM

Contact No. -9070800090 Email id – [email protected]

 CA INTER NEW COURSE

EIS & SM

AMENDMENTS for Nov 2021

Ch 1 – Automated Business Processes

1) Which Business Processes should be automated?

(Addition of New Concept)
 Technology is the enabler of Business Process Automation (BPA). BPA offers many
advantages to the business. But every business process is not a good fit for automation.
Companies tend to automate those business processes that are time and resource-
intensive operationally or those that are subject to human error. Following are the few
examples of processes that are best suited to automation:
a) Processes involving high-volume of tasks or repetitive tasks:
Many business processes such as making purchase orders involve high-volume of repetitive
tasks.
Automating these processes results in cost and work effort reductions.
b) Processes requiring multiple people to execute tasks:
A business process which requires multiple people to execute tasks often results in waiting time
that can lead to increase in costs.
E.g. Help desk services. Automating these processes results in reduction of waiting time and in
costs.
c) Time-sensitive processes:
Business process automation results in streamlined processes and faster turnaround times.
The streamlined processes eliminate wasteful activities and focus on enhancing tasks that add
value.
Time-sensitive processes are best suited to automation. For example - online banking system,
railway/aircraft operating and control systems etc.

GMTESTSERIES.COM®
d) Processes involving need for compliance and audit trail:
With business process automation, every detail of a particular process is recorded. These
details can be used to demonstrate compliance during audits. For example- invoice issue to
vendors.
e) Processes having significant impact on other processes and systems:
Some processes are cross-functional and have significant impact on other processes and
systems.
 In cross functional processes, different departments within the same company work hand
in hand to achieve a common goal,
 e.g., the marketing department may work with sales department. Automating these
processes results in sharing information resources and improving the efficiency and
effectiveness of business processes.

2) Challenges involved in Business Process Automation

(Addition of New Concept)
 Automated processes are susceptible to many challenges, some of them are discussed
below:
a) Automating Redundant Processes:
Sometimes organizations start off an automation project by automating the processes they find
suitable for automation without considering whether such processes are necessary and create
value.
In other cases, some business processes and tasks require high amount of tacit knowledge (that
cannot be documented and transferred from one person to another) these processes are
generally not good candidates for automation as these processes are hard to encode and
automate.

b) Defining Complex Processes:

BPA requires reengineering of some business processes that requires significant amount of time
to be allocated and spent at this stage.

GMTESTSERIES.COM®
This requires a detailed understanding of the underlying business processes to develop an
automated process.
c) Staff Resistance:
In most cases, human factor issues are the main obstacle to the acceptance of automated
processes.
Staff may see process automation as a way of reducing their decision-making power.
This is due to the reason that with automated processes, the management has a greater
visibility of the process and can make decisions that used to be made by the staff earlier.
Moreover, the staff may perceive automated processes as threat to their jobs.
d) Implementation Cost:
The implementation of automated processes may be an expensive proposition in terms of
acquisition/development cost of automated systems and special skills required to operate and
maintain these systems.

3) Types of Risks
(Addition in Technology Risks)
Technology Risk -
 The dependence on technology in BPA for most of the key business processes has led to
various challenges.
 As Technology is taking new forms and transforming as well, the business processes and
standards adapted by enterprises should consider these new set of IT risks and challenges:
i) Downtime due to technology failure:
Information system facilities may become unavailable due to technical problems or equipment
failure.
A common example of this type failure is non-availability of system due to server failure.
ii) Frequent changes or obsolescence of technology –
Technology keeps on evolving and changing constantly and becomes obsolete very quickly.
Hence, there is always a challenge that the investment in technology solutions unless properly
planned may result in loss to bank due to risk of obsolescence.
iii) Multiplicity and complexity of systems –

GMTESTSERIES.COM®
The Technology architecture used for services could include multiple digital platforms and is
quite complex. Hence, this requires the personnel to have knowledge about requisite
technology skills or the management of the technology could be outsourced to a company
having the relevant skill set.

iv) Different types of controls for different types of technologies/systems –

Deployment of technology gives rise to new types of risks which are explained later in this
chapter. These risks need to be mitigated by relevant controls as applicable to the
technology/information systems deployed.
v) Proper alignment with business objectives and legal/regulatory requirements –
Organizations must ensure that the systems implemented, cater to all the business objectives
and needs, in addition to the legal/regulatory requirements envisaged.
vi) Dependence on vendors due to outsourcing of IT services –
In a systems environment, the organization requires staff with specialized domain skills to
manage IT deployed. Hence, these services could be outsourced to vendors and there is heavy
dependency on vendors and gives rise to vendor risks which should be managed by proper
contracts, controls and monitoring.

vii) Vendor related concentration risk –

There may not be one but multiple vendors providing different services. For example, network,
hardware, system software and application software services may be provided by different
vendors or these services may be provided by a single vendor. Both these situations result in
higher risks due to heavy dependence on vendors.
viii) Segregation of Duties (SOD) –
Organizations may have a highly-defined organization structure with clearly defined roles,
authority and responsibility. The Segregation of Duties as per organization structure should be
clearly mapped.
This is a high-risk area since any SOD conflicts can be a potential vulnerability for fraudulent
activities. For example, if a single employee can initiate, authorize and disburse a loan, the
possibility of misuse cannot be ignored.

GMTESTSERIES.COM®
ix) External threats leading to cyber frauds/ crime –
The system environment provides access to customers anytime, anywhere using internet.
Hence, information system which was earlier accessible only within and to the employees is
now exposed as it is open to be accessed by anyone from anywhere.
Making the information available is business imperative but this is also fraught with risks of
increased threats from hackers and others who could access the software to commit
frauds/crime.
x) Higher impact due to intentional or unintentional acts of internal employees –
Employees in a technology environment are the weakest link in an enterprise.
xi) New social engineering techniques employed to acquire confidential credentials –
Fraudsters use new social engineering techniques such as socializing with employees and
extracting information which is used unauthorized to commit frauds.
For example: extracting information about passwords from staff acting as genuine customer
and using it to commit frauds.

xii) Need for governance processes to adequately manage technology & information security
Controls in system should be implemented from macro and business perspective and not just
from function and technology perspective. As Technology, has become key enabler for bank
and is implemented across the organization, senior management should be involved in
directing how technology is deployed in and approve appropriate policies. This requires
governance process to implement security as required.
xiii) Need to ensure continuity of business processes in the event of major exigencies –
The high dependence on technology makes it imperative to ensure resilience to ensure that
failure does not impact banking services. Hence, a documented business continuity plan with
adequate technology and information systems should be planned, implemented and
monitored.
4) Enterprise Risk Management (ERM) Framework
(Addition in introduction of ERM)

GMTESTSERIES.COM®
 ERM provides a framework for risk management which typically involves identifying events
or circumstances relevant to the organization’s objectives (risks and opportunities),
assessing them in terms of likelihood and magnitude of impact, determining a response
strategy, and monitoring progress. Various potential threats to computer system affect the
confidentiality, integrity, and availability of data and computer system. For successful
continuity of business, it is very essential to evaluate these potential threats and control
them so as to minimize the impact of these threats to an acceptable level. By identifying
and pro-actively addressing risks and opportunities, business enterprises protect and
create value for their stakeholders, including owners, employees, customers, regulators,
and society overall.
 ERM is a risk-based approach, which includes the methods and processes used by
organizations to manage risks. ERM provides a framework for risk management which
involves:
 Identifying potential threats or risks.
 Determining how big a threat or risk is, what could be its consequence, its impact, etc.
 Implementing controls to mitigate the risks.

5) Key Provisions of IT Act (Addition of Following Sections)

[Section 66F] Punishment for cyber terrorism
1) Whoever –

A. with intent to threaten the unity, integrity, security or sovereignty of India or to strike terror
in the people or any section of the people by –
i) Denying or cause the denial of access to any person authorized to access computer resource;
or
ii) Attempting to penetrate or access a computer resource without authorization or exceeding
authorized access; or
iii) Introducing or causing to introduce any computer contaminant,
and by means of such conduct causes or is likely to cause death or injuries to persons or
damage to or destruction of property or disrupts or knowing that it is likely to cause damage or

GMTESTSERIES.COM®
disruption of supplies or services essential to the life of the community or adversely affect the
critical information infrastructure specified under section 70; or

B. knowingly or intentionally penetrates or accesses a computer resource without authorization

or exceeding authorized access, and by means of such conduct obtains access to information,
data or computer database that is restricted for reasons of the security of the State or foreign
relations; or any restricted information, data or computer database, with reasons to believe
that such information, data or computer database so obtained may be used to cause or likely to
cause injury to the interests of the sovereignty and integrity of India, the security of the State,
friendly relations with foreign States, public order, decency or morality, or in relation to
contempt of court, defamation or incitement to an offence, or to the advantage of any foreign
nation, group of individuals or otherwise, commits the offence of cyber terrorism.
2) Whoever commits or conspires to commit cyber terrorism shall be punishable with
imprisonment which may extend to imprisonment for life.

[Section 67] Punishment for publishing or transmitting obscene material in electronic form
 Whoever publishes or transmits or causes to be published or transmitted in the electronic
form, any material which is lascivious or appeals to the prurient interest or if its effect is
such as to tend to deprave and corrupt persons who are likely, having regard to all relevant
circumstances, to read, see or hear the matter contained or embodied in it, shall be
punished on first conviction with imprisonment of either description for a term which may
extend to three years and with fine which may extend to five lakh rupees and in the event
of a second or subsequent conviction with imprisonment of either description for a term
which may extend to five years and also with fine which may extend to ten lakh rupees.

[Section 67A] Punishment for publishing or transmitting of material containing sexually explicit
act, etc. in electronic form
 Whoever publishes or transmits or causes to be published or transmitted in the electronic
form any material which contains sexually explicit act or conduct shall be punished on first

GMTESTSERIES.COM®
 conviction with imprisonment of either description for a term which may extend to five
years and with fine which may extend to ten lakh rupees and in the event of second or
subsequent conviction with imprisonment of either description for a term which may
extend to seven years and also with fine which may extend to ten lakh rupees.
[Section 67B] Punishment for publishing or transmitting of material depicting children in
sexually explicit act, etc. in electronic form

 Whoever, -
a) Publishes or transmits or causes to be published or transmitted material in any electronic
form which depicts children engaged in sexually explicit act or conduct; or

b) creates text or digital images, collects, seeks, browses, downloads, advertises, promotes,
exchanges or distributes material in any electronic form depicting children in obscene or
indecent or sexually explicit manner; or cultivates, entices or induces children to online
relationship with one or more children for and on sexually explicit act or in a manner that may
offend a reasonable adult on the computer resource; or

c) Facilitates abusing children online; or

d) records in any electronic form own abuse or that of others pertaining to sexually explicit act
with children, shall be punished on first conviction with imprisonment of either description for
a term which may extend to five years and with a fine which may extend to ten lakh rupees and
in the event of second or subsequent conviction with imprisonment of either description for a
term which may extend to seven years and also with fine which may extend to ten lakh rupees:

 PROVIDED that provisions of Section 67, Section 67A and this section does not extend to
any book, pamphlet, paper, writing, drawing, painting representation or figure in electronic
form –
i) the publication of which is proved to be justified as being for the public good on the ground
that such book, pamphlet, paper writing, drawing, painting, representation or figure is in the
interest of science, literature, art or learning or other objects of general concern; or

ii) which is kept or used for bona fide heritage or religious purposes.

GMTESTSERIES.COM®
 Explanation -
For the purposes of this section, "children" means a person who has not completed the age of
18 years.

6) Privacy of Online Data

(Addition of New Point)

 When people access the Web, they often entrust vital personal information such as their
name, address, credit card number, etc. to their Internet Service Providers and to the
websites they accessed.
 This information may fall into wrong hands and may be used for illegitimate purposes.
 The organizations that collect and manage the personal information of people must also
protect it against misuse.
 The collection of personal information by an organization is an important issue related to
the privacy of online data.
 Multi-national companies often receive information in one country and process this
information in some other country where privacy laws are altogether different. Therefore,
in a globalized world it becomes very challenging for these companies to ensure uniform
standards of privacy.
 The main principles on data protection and privacy enumerated under the IT Act, 2000 are
as follows:
 Defining ‘data’, ‘compute database’, ‘information’, ‘electronic form’, ‘originator’,
‘addressee’ etc.
 creating civil liability if any person accesses or secures access to computer, computer
system or computer network
 creating criminal liability if any person accesses or secures access to computer, computer
system or computer network
 declaring any computer, computer system or computer network as a protected system
 imposing penalty for breach of confidentiality and privacy

GMTESTSERIES.COM®
 setting up of hierarchy of regulatory authorities, namely adjudicating officers, the Cyber
Regulations Appellate Tribunal etc

7) Sensitive Personal Data Information (SPDI)

(Addition in SPDI)
 Reasonable Security Practices and Procedures and Sensitive Personal Data or Information
Rules 2011 formed under Section 43A of the Information Technology Act 2000 define a data
protection framework for the processing of digital data by Body Corporate Consent to
collect: Rule 5(1) requires that Body Corporate should, prior to collection, obtain consent in
writing through letter or fax or email from the provider of sensitive personal data regarding
the use of that data.
 In a context where services are delivered with little or no human interaction, data is
collected through sensors, data is collected on a real time and regular basis, and data is
used and re-used for multiple and differing purposes - it is not practical, and often not
possible, for consent to be obtained through writing, letter, fax, or email for each instance
of data collection and for each use.
 Consent to Disclosure: Rule 6 provides that Disclosure of sensitive personal data or
information by body corporate to any third party shall require prior permission from the
provider of such information, who has provided such information under lawful contract or
otherwise, unless such disclosure has been agreed to in the contract between the body
corporate and provider of information, or where the disclosure is necessary for compliance
of a legal obligation.

Ch 2 - Financial & Accounting Systems

1) Types of Ledgers
(Addition of examples in Ledgers)
 The examples of Ledger account are as follows:
a) Assets includes Cash, property plant and equipment, accounts receivable etc.

GMTESTSERIES.COM®
b) Expense includes salary, insurance, utilities etc.

c) Income includes sales, interest income, rent income and other operating income etc.

d) Liabilities includes Debt/loans, accounts payable, outstanding expenses etc.

2) Enterprise Resource Planning (ERP) Systems

(Addition in ERP Systems)

 Data Warehouse is a module that can be accessed by an organization’s customers, suppliers

and employees.
 It is a repository of an organization’s electronically stored centralized data. Data
warehouses are designed to facilitate reporting and analysis.
 This classic definition of the data warehouse focuses on data storage.
 The process of transforming data into information and making it available to the user in a
timely enough manner to make a difference is known as Data Warehousing.
 The means to retrieve and analyze data, to extract, transform and load data, and to
manage the data dictionary are also considered essential components of a data
warehousing system
3) Role Based Access Control (RBAC) in ERP System
(Addition in RBAC in ERP system)

It is used by most enterprises and can implement Mandatory Access Control (MAC) or
Discretionary Access Control (DAC).
 MAC criteria are defined by the system administrator, strictly enforced by the Operating
System and are unable to be altered by end users.
 Only users or devices with the required information security clearance can access protected
resources.

GMTESTSERIES.COM®
 A central authority regulates access rights based on multiple levels of security.
Organizations with varying levels of data classification, like government and military
institutions, typically use MAC to classify all end users.
 Whereas, DAC involves physical or digital measures and is less restrictive than other access
control systems as it offers individuals complete control over the resources they own. The
owner of a protected system or resource sets policies defining who can access it.

4) Inside the Data Analytics Process

(Addition of New concept)
 Data Analytics can also be separated into Quantitative Data Analysis and Qualitative Data
Analysis.
a) Quantitative Data Analysis: This involves analysis of numerical data with quantifiable
variables that can be compared or measured statistically.

b) Qualitative Data Analysis: The qualitative approach is more interpretive - it focuses on

understanding the content of non-numerical data like text, images, audio and video, including
common phrases, themes and points of view.

 Now, organizations increasingly use self-service BI tools that let executives, business
analysts and operational workers run their own ad hoc queries and build reports
themselves. More advanced types of Data Analytics include–
 Data Mining which involves sorting through large data sets to identify trends, patterns and
relationships;
 Predictive Analytics, which seeks to predict customer behaviour, equipment failures & other
future events; and
 Machine Learning, an artificial intelligence technique that uses automated algorithms to
churn through data sets more quickly than data scientists can do via conventional analytical
modelling.
 Data Analytics applications involve more than just analysing data.
 Particularly on advanced analytics projects, much of the required work takes place upfront,
in collecting, integrating and preparing data and then developing, testing and revising

GMTESTSERIES.COM®
 analytical models to ensure that they produce accurate results. In addition to data scientists
and other data analysts, analytics teams often include data engineers, whose job is to help
get data sets ready for analysis.
A) Data Collection:

 The analytics process starts with data collection, in which data scientists identify the
information they need for an analytics application and then work on their own or with data
engineers and IT staffers to assemble it for use.
 Data from different source systems may need to be combined via data integration routines
transformed into a common format and loaded into an analytics system, such as a Hadoop
cluster, NoSQL database or data warehouse.
 In other cases, the collection process may consist of pulling a relevant subset out of a
stream of raw data that flows into, and moving it to a separate partition in the system so it
can be analysed without affecting the overall data set.
B) Find and Fix Data Quality Problem:
 Once the data that’s needed is in place, the next step is to find and fix data quality problems
that could affect the accuracy of analytics applications.
 That includes running data profiling and data cleansing jobs to make sure that the
information in a data set is consistent and that errors and duplicate entries are eliminated.
 At that point, the data analytics work begins in earnest. A data scientist builds an analytical
model, using predictive modelling tools or other analytics software and programming
languages such as Python, Scala, R and SQL.
 The model is initially run against a partial data set to test its accuracy; typically, it’s then
revised and tested again, a process known as “training” the model that continues until it
functions as intended.
 Finally, the model is run in production mode against the full data set, something that can be
done once to address a specific information need or on an ongoing basis as the data is
updated.

C) Building Analytical Model:

GMTESTSERIES.COM®
 In some cases, analytics applications can be set to automatically trigger business actions.
 Otherwise, the last step in the data analytics process is communicating the results
generated by analytical models to business executives and other end users to aid in their
decision-making.
 That usually is done with the help of data visualization techniques, which analytics teams
use to create charts and other info graphics designed to make their findings easier to
understand.
 Data visualizations often are incorporated into BI dashboard applications that display data
on a single screen and can be updated in real time as new information becomes available.
 Some Application areas of Data Analytics are as follows:
 Data Analytics initiatives support a wide variety of business uses. For example, banks and
credit card companies analyse withdrawal and spending patterns to prevent fraud and
identity theft.
 E-commerce companies and marketing services providers do click stream analysis to
identify website visitors who are more likely to buy a product or service based on navigation
and page-viewing patterns.
 Mobile network operators examine customer data to forecast so they can take steps to
prevent defections to business rivals; to boost customer relationship management efforts.
Other companies also engage in CRM analytics to segment customers for marketing
campaigns and equip call center workers with up-to-date information about callers.
 Healthcare organizations mine patient data to evaluate the effectiveness of treatments for
cancer and other diseases.

GMTESTSERIES.COM®