
CA in Bangladesh

www.facebook.com/CAinBD

Chapter-1

IT Application

Strategy: Strategy is a planned course of action undertaken to achieve the goals and objectives of an organization.

Information technology strategy: The process of determining an organization's long-term goals and then identifying the best approach for achieving those goals is called information technology strategy.

Overall strategy: The overall strategy of an organization is known as corporate strategy, but strategy may also be developed for any aspect of an organization's activities, such as environmental management or manufacturing strategy. Corporate-level strategy is concerned with: reach; competitive contact; managing activities and business interrelationships; management practices.

Four aspects of strategy: Organizational strategy may have four aspects: scope of operations; resource allocation; competitive advantage; synergy.

Scope of operations: The first component encompasses the geographic locations in which the organization operates; depending on location, the organization offers different advantages to the customer in order to maximize its opportunities.

Resource allocation: The second component of the global strategy focuses on the use of organizational resources so that the organization can compete successfully in its chosen markets.

Competitive advantage: This component involves not only identifying existing or potential areas of competitive advantage but also developing a plan for sustaining them.

Synergy: Finally, global strategy should include a plan that enables the company's various functions and operations to benefit one another.
Organizational planning: The fundamental organizational planning process consists of: team building, modeling and consensus; evaluating what the organization has accomplished and the resources it has acquired; analyzing its business, economic, political and societal environment; anticipating and evaluating the impact of future developments; building a shared vision and deciding on the goals it wants to achieve; and deciding what actions to take to achieve those goals. A plan formally articulates the actions that are necessary to achieve goals; thus a plan is an action statement. Plans lead to actions, actions produce results, and part of planning is learning from results. In this context, the planning process is followed by implementation. Strategic planning deals with the development of an organization's mission, goals, strategies and policies.

S. F. Ahmed & Co. Articled Association (34th Association)

Business IT planning: The business/IT planning process focuses on discovering innovative approaches to satisfying a company's customer value and business value goals. This planning process leads to the development of strategies and business models for new e-business and e-commerce platforms, processes, products and services. A company can then develop the IT strategies and IT architecture that support building and implementing the newly planned business applications. The business/IT planning process has three major components:

Strategy development: Developing business strategies that support a company's business vision, for example using information technology to create innovative e-business systems that focus on customer and business value.

Resource management: Developing strategic plans for managing or outsourcing a company's IT resources, including IS personnel, hardware, software, data and network resources.

Technology architecture: Making strategic IT choices that reflect an information technology architecture designed to support a company's e-business and other business/IT initiatives.

Objective of an IT strategic plan: The major objective of an IT strategic plan is to put in place a roadmap that ensures IT's direction is linked to the organization's business plans and overall strategy.

Six phases of IT strategic planning: The six phases of IT strategic planning are:
1) Business strategy and direction: competitive force analysis; balanced business scorecard; change readiness.
2) IT strengths and weaknesses: benchmarks and spending; the application portfolio; skills and infrastructure; governance and control.
3) IT vision and strategy: preferred future state; strategic intent and imperatives; principles and strategies.
4) IT architectures: application architecture; data architecture; network architecture; organization architecture.
5) IT transition plan: prioritized IT opportunity proposals; time-phased project plan; balanced resource utilization plan; alternative funding scenarios.
6) On-going planning process: opportunity screening and prioritization; quarterly and annual revisions; planning calendar; budgeting and operational planning.

Benefits of IT strategic planning: The benefits of developing an IT strategic plan and planning process include: the establishment of a sound decision-making approach, so that the organization realizes the expected business benefits from technology; and the mitigation of the risks surrounding IT investment decisions that could otherwise mean costly deployment of technologies, loss of competitive advantage and failure to realize the full value of the firm's investment in technology.

Process of developing IT strategy: Nowadays the use of information technology (IT) as a competitive weapon has become a popular cliché, but there is still a marked lack of understanding of the issues that determine the influence of information technology on a particular organization and of the processes that allow smooth coordination of technology and overall strategy. Moreover, IT is increasingly relied on to drive business profitability and to achieve organizational goals. It is therefore very important for the IT strategy of an organization to be developed in tandem with the overall strategy of the organization. Developing an IT strategy that supports, and is supported by, business strategy is critical for generating business value in today's organizations. In the face of rapidly changing business conditions and continuously evolving IT, however, organizations have yet to learn how to develop an effective IT strategy. The core purpose in developing an IT strategy is to ensure that there is a strong and clear relationship between investment decisions and the organization's overall strategies, goals and objectives. Developing a sound IT strategy is important for one simple reason: if an organization defines the IT agenda incorrectly or only partially correctly, it runs the risk that significant organizational resources will be misdirected. Some, and perhaps most, resources may not be devoted to furthering strategically important areas. This risk has nothing to do with how well an organization executes the chosen IT direction; being on time, on budget and on specification is of diminished utility if the wrong thing is being done. Understanding the strategy of the organization is a must for developing an effective IT strategy; if the IT strategy does not fit the organization's vision, there will be constant conflict.

Top leadership will need to invest valuable time in articulating the organizational vision and determining how IT will help with meeting and sustaining that vision. While the organizational vision will drive the IT strategy, progressive-thinking leaders should also be cognizant of how IT strategy can influence the organizational strategy. Technology redefines opportunities and the choices executives make to exploit those opportunities and establish new capabilities; as a result, organizations are able to evolve current business models and, in some cases, build new ones. Effective strategy development is becoming vital for today's organizations. As the impact of IT has grown, IT strategy is finally getting the attention it deserves in business. Nevertheless, most organizations are still in the very early stages of learning how to develop an effective IT strategy and synchronize it with an overall business strategy. Getting the balance right between the many different ways IT can be used to affect a business is a constant challenge for today's leaders. While there is, as yet, no well-developed IT strategy development process, there appears to be general agreement on certain critical success factors and key elements. Over time, these will likely be refined and better integrated with overall business strategy development. Those who learn to do this well without locking the enterprise into inflexible technical solutions are likely to win big in today's rapidly evolving business environment.
Information technology architecture: The IT architecture created by the strategic business/IT planning process is a conceptual design or blueprint that includes the following major components:

Technology platform: The Internet, intranets, extranets and other networks, computer systems, system software and integrated enterprise application software provide a computing and communications infrastructure, or platform, that supports the strategic use of information technology for e-business, e-commerce and other business/IT applications.

Data resources: Many types of operational and specialized databases, including data warehouses and Internet/intranet databases, store and provide data and information for business processes and decision support.

Applications architecture: Business applications of information technology are designed as an integrated architecture of enterprise systems that support strategic business initiatives as well as cross-functional business processes.

IT organization: The organizational structure of the IS function within a company and the distribution of IS specialists are designed to meet the changing strategies of a business. The form of the IT organization depends on the managerial philosophy and the business/IT strategies formulated during the strategic planning process.

E-commerce: Electronic commerce, or e-commerce, is the idea of doing business electronically over the Internet. Paper-driven business transactions are being re-engineered to capture the benefits of doing business electronically. Electronic commerce is the business environment in which information for buying, selling and transporting goods and services moves electronically from computer to computer in an automated way. Information gathering, processing, manipulation and distribution are common to trade and commerce no matter what commodity or service is being exchanged. E-commerce now has many offshoots, including e-business and e-tailing, and it is being projected as the next wave of information technology application; multinational companies are betting their future on e-business. In e-commerce, the first function is the creation of virtual shops and shopping malls, which exhibit the products and services to be sold. To facilitate selling there has to be a way of paying electronically, which in turn calls for security and identification systems. Electronic banks have to be created that allow people to deposit, withdraw and pay money just by pressing keys on a computer in their home. Then there has to be a system for delivering goods: either on-line, in the case of information products, or a physical delivery system, in the case of hard products. The high end of e-business is B2B (business to business), in which firms tie up resources. Some companies are doing business with their dealers electronically: orders, schedules, receipts and invoices can all be delivered on-line. Thus they can save on costs by managing their stocks and inventories properly.

Some common business applications related to electronic commerce are: e-mail; enterprise content management; instant messaging; newsgroups; online shopping and order tracking; online banking; online office suites; domestic and international payment systems; shopping cart software; teleconferencing; electronic tickets; etc.

Factors to consider in the decision process related to e-commerce applications: The technical problems of e-commerce applications include reducing data access time so that huge databases can be searched quickly, and decreasing the cost of database design. Eight factors affect e-commerce adoption: external influence; government initiatives; geographical conditions; political conditions; economic conditions; technology infrastructure; public awareness; socio-cultural conditions.

Decision making process of e-commerce: The decision making process for an e-commerce system includes: strategic orientation; integration; cooperation; content/added value; critical mass; functionality; feedback; marketing; trust; technology.

Identifying risks in e-commerce: A risk is anything that could hamper the achievement of an objective. The identified risks of e-commerce can be categorized as information risk, technology risk and business risk.

Information risk: Content on a web page exposing the web publisher to libel, defamation of character or slander; copyright infringement and invasion of privacy suits stemming from posted textual content; copyright infringement and invasion of privacy suits stemming from digital scanning and morphing; copyright, patent or trade secret infringement by material used by web site developers; after unauthorized access to a web site, online information about employees or customers being stolen, damaged or released without authorization; electronic bulletin boards containing defamatory statements resulting in liability or embarrassment; worldwide legal exposure resulting from use of creative material (e.g. names, likenesses) that violates the laws of countries outside the home country; credit card information intercepted in transit being disclosed or used for fraudulent purposes; information that has been changed or inserted in transmission being processed, leading to erroneous results; flight of intellectual property due to employees moving to competitors.

Technology risk: Negligent errors or omissions in software design; unauthorized access to a web site; infection of a web site with computer viruses; Internet service provider (ISP) server crashes; software errors and omissions allowing unauthorized access; software content that violates a copyright or is libelous; a third party intercepting credit card information in transit, causing breaches in the security of online payments; interception and copying or changing of non-credit-card information during transmission; insufficient bandwidth to handle traffic; obsolete hardware, or hardware lacking the capacity to process the required traffic; excessive ISP outages or poor performance; ISP phone numbers being busy; ISP or home-company servers being down; scant technical infrastructure to manage the cycle time to develop, present and process web-based products; improper integration of the e-commerce system with internal databases; improper integration of the e-commerce system with internal operational processes; poor web site design manifesting itself in long response times; inability of customer or supplier computers to handle graphical downloads.

Business risk: Web page content exposing the web publisher to libel, defamation of character or slander; electronic bulletin boards containing defamatory statements resulting in liability; worldwide legal exposure resulting from use of information in violation of home-country laws; using web sites to conduct illegal promotional games, such as sweepstakes or contests; risks related to payment of web site developers and disputes between developers and clients; lack of maintenance of existing web pages; impact on the business of intellectual property lost when employees move to competitors; changes in supplier relationships regarding data access, data ownership, distribution strategy and marketing tactics; changes in customer relationships regarding data access, data ownership, distribution strategy and marketing tactics; products out of stock due to poor communication with operations; high shipping costs required for distribution; inconvenient return policies and lack of coordination with the physical system; excessive dependence on the ISP to support the firm's business strategy; inability to manage the cycle time for developing, presenting and processing web-based products; unprotected domain names being usurped by other organizations; improper integration of e-commerce systems with internal operational processes; insufficient integration of e-commerce with supply chain channels.

Typical risks to e-commerce systems: The following risks may be found in an e-commerce system: risk to corporate information and intellectual property from internal staff and trading partners; hacker exploitation of errors in software application design, technical implementation or systems operation; website defacement; denial-of-service attacks.

Major advantages of e-commerce: E-commerce offers the following major direct advantages: improved productivity; cost savings; streamlining of business processes; better customer service; and opportunities for new businesses.
Improved productivity: Using e-commerce significantly reduces the time required to create, transfer and process a business transaction between trading partners. Human errors such as duplication of records are largely eliminated by the reduction of data entry and re-entry in the process, which improves both speed and accuracy.

Cost savings: Research has estimated that doing business on the Internet can result in cost savings of about 5% to 10% of sales. These savings stem from more efficient communication, quicker turnaround time and closer access to markets.

Streamlining business processes: Cost savings are amplified when businesses go a step further and adapt their internal processes and back-end legacy systems to take advantage of electronic commerce. Business processes can be made more efficient through automation.

Better customer service: With electronic commerce there is better and more efficient communication with customers. Customers can enjoy the convenience of shopping at any hour, anywhere in the world.

Opportunities for new business: Businesses on the Internet have a global customer reach. There are endless possibilities for businesses to exploit and expand their customer base.

E-commerce also offers the competitive advantages of: broader market reach; increased efficiency and accuracy through automated order processing, inventory control, billing, shipping and so forth; better customer service; instant communication with consumers and trading partners; improved profit margins through automated supply chain management; better forecasting of customer needs; reduced labor costs; lower overall costs; etc.

E-commerce success factors: Some of the key factors for success in e-commerce are: selection and value; performance and service; look and feel; advertising and incentives; personal attention; community relationships; security and reliability.

Disadvantages of e-commerce: The main disadvantages of e-commerce are the lack of a proven business model, lack of trust and of public key infrastructure, slow navigation on the Internet, the high risk of buying unsatisfactory products and, most of all, lack of security. The disadvantages and limitations of e-commerce can be classified as technological and non-technological.

Technological: For the e-commerce system itself there is no universally accepted standard for quality, security and reliability. E-commerce software and development tools are always evolving, and there are difficulties in integrating Internet and e-commerce software with existing applications and databases.

Non-technological: Lack of trust is one of the main reasons customers are unwilling to accept e-commerce, because of privacy and security concerns. Another drawback is the presence of hackers.

Limitations of e-commerce: The limitations of e-commerce fall into two groups.

Technical limitations: cost of a technological solution; some protocols are not standardized around the world; reliability of certain processes; insufficient telecommunications bandwidth; software tools are not fixed but constantly evolving; difficulty of integrating digital and non-digital sales and production information; access limitations of dial-up, cable, ISDN and wireless connections; difficulty in integrating the e-commerce infrastructure with the current organizational IT system.

Non-technical limitations: customer fear of personal information being used wrongly; privacy issues; unmet customer expectations; rules and regulations; security and privacy vulnerability to fraud and other crimes; lack of trust and user resistance; fear of payment information being insecure; tactile limitations; cultural and legal obstacles that many businesses face; outstanding legal issues such as jurisdiction; a legal environment with many new and conflicting laws; cultural obstacles and linguistic challenges; limitations of support services; financial cost; sourcing technical support in foreign languages; lack of a critical mass of sellers and buyers in certain market areas; accessibility outside urban and suburban areas affecting universality; higher employee training required to be "click and mortar"; people's resistance to change; people not used to faceless, paperless, non-physical transactions.

Categories of electronic commerce: There are many ways to classify electronic commerce transactions. One is by the nature of the participants in the transaction. The three major categories are business-to-consumer (B2C), business-to-business (B2B) and consumer-to-consumer (C2C) e-commerce.

Business-to-consumer (B2C) e-commerce: This involves retailing products and services to individual shoppers. In this form of electronic commerce, businesses must develop attractive electronic marketplaces to entice customers and sell them products and services. For example, many companies offer e-commerce websites that provide virtual storefronts and multimedia catalogs, interactive order processing, secure electronic payment systems and online customer support. BarnesandNoble.com, which sells books, software and music to individual consumers, is an example of B2C e-commerce.

Business-to-business (B2B) e-commerce: Beyond individual consumer transactions, e-commerce has given companies an entirely different way to conduct business. Using powerful websites and online databases, companies not only sell goods to individual customers but also track inventory, order products, send invoices and receive payments. Using e-commerce technologies (ranging from standard networks to supercomputers), companies are rapidly forming online partnerships to collaborate on product designs, sales and marketing campaigns and more. By giving one another access to their private networks, corporate partners access vital information and work together more efficiently. Although millions of consumer transactions take place each day on the Web, B2B transactions actually account for most of the money spent online. As its name implies, a business-to-business transaction takes place between companies; consumers are not involved. The concept of B2B transactions did not arrive with the Internet: companies were doing business electronically long before the rise of the Web, using private networks and computer systems to handle transactions. But Internet technologies have made the process easier, more efficient and available to virtually all businesses. Any financial transaction between two companies can be considered a B2B transaction and can probably be handled over the Internet. For example: a store orders an out-of-stock product from a distributor; a car manufacturer orders parts from a wide range of suppliers; a stock broker buys shares for a client by using an electronic exchange; a bank requests credit information from a major credit reporting agency. Milacron's website for selling machinery, mold bases and related tooling, supplies and services to companies engaged in plastics processing is an example of B2B e-commerce.

Consumer-to-consumer (C2C) e-commerce: This involves consumers selling directly to consumers. For example, eBay, the giant Web auction site, enables people to sell their goods to other consumers by auctioning the merchandise off to the highest bidder. Thus participating in or sponsoring consumer or business auctions is an important e-commerce alternative for B2C or B2B e-commerce. Electronic personal advertising of products or services to buy or sell, at electronic newspaper sites, consumer e-commerce portals or personal websites, is also an important form of C2C e-commerce.

Another way of classifying electronic commerce transactions is in terms of the participants' physical connection to the Web. Until recently, almost all e-commerce transactions took place over wired networks. Now mobile phones and other wireless handheld digital appliances are Internet-enabled to send text messages, access websites and make purchases. Companies are offering new types of Web-based products and services that can be accessed by these wireless devices. The use of handheld wireless devices for purchasing goods and services from any location has been termed mobile commerce, or m-commerce. Both business-to-business and business-to-consumer e-commerce transactions can take place using m-commerce technology.

Electronic data interchange: Electronic data interchange (EDI) is a direct computer-to-computer exchange of data. The data found in business documents, such as purchase invoices or bills of lading, are transmitted from one computer to another over a telecommunication network. EDI is replacing the physical exchange of documents and can save time and money by eliminating the need for rekeying data, thereby reducing input errors, eliminating unnecessary handling and copying of documents and increasing the productivity of employees. An EDI transaction is simply an exchange of flat files between trading partners that have established a communication link. In short, EDI can be defined as "the transfer of electronic data from one organization's computer to another, the data being structured in a commonly agreed format so that it is directly usable by the receiving organization's computer system". The message produced by the sender's application software is translated into the agreed EDI format and placed on the network by the network access software. This electronic data is sent to the mailbox facility of the EDI service provider, where it is stored until retrieved by the receiver's network access software. Frequently the services of a value-added network (VAN) are also required. EDI software may be implemented on a variety of platforms, from PCs to mainframe computers such as Hewlett-Packard's HP 3000, DEC's VAX 6000 and IBM's AS/400 and ES/9000. EDI is not a new technology: it got its formal start in the transportation industry as early as 1975, and the grocery industry followed with an EDI project in 1978. All that is needed to implement EDI on a PC is a modem, a printer and EDI software. In the simplest form of EDI, transactions are typed directly into the PC and printed at the other end. But the true power of EDI is achieved only when EDI software is integrated with the internal systems that handle information relating to manufacturing, marketing, accounting, finance and other functional areas.

Cost of implementing EDI: The costs associated with implementing EDI fall into six general areas: software, hardware, VAN charges, software interface, program maintenance and process re-engineering. Some estimates of these costs are given below; they can vary significantly from one organization to the next.

Software: EDI software can range from $500 for a PC to $100,000 for a mainframe. Annual software maintenance typically costs 10 to 15 percent of the purchase price.
Hardware: Costs vary depending on the type of computers used.
VAN charges: Users should expect $25 to $200 in VAN start-up costs. Monthly fees of $3 to $50 and usage fees of 10 to 50 cents per 1,000 characters transmitted or received are usual in the industry.
Software interface: Integrating EDI software with existing applications can be expensive, because it often requires the development of a customized interface. This is one of the primary reasons smaller firms are often reluctant to implement full-blown EDI systems.
Program maintenance: These costs include software maintenance, technical support and personnel training; they vary from one organization to another.
Organizational changes: A significant (and sometimes hidden) cost of EDI implementation is the change it creates in an organization. Quite often these changes raise the fundamental question, "Why do we do business the way we do?" The answers may lead to significant (and costly) organizational changes, and such costs are difficult to estimate.

Benefits of EDI: EDI is a powerful technology because it can create partnerships where none existed and can replace sluggish bureaucracies with responsive organizations. It is one of the most successful efforts in recent years to reduce operating costs and increase worker productivity. In some cases it has changed the relationship between suppliers and customers from one of caution and mistrust to one of cooperation and collaboration. EDI is so powerful that it is viewed as a "glue" technology that binds businesses together in the value chain from raw materials to finished products. The benefits of EDI may be divided into three groups: direct, indirect and strategic. Direct benefits include decreased operating costs and increased productivity. Indirect benefits come from using EDI to re-engineer business practices: EDI enables businesses to identify and implement the most efficient way to conduct business. Finally, EDI can yield strategic benefits in the marketplace. Furthermore, EDI ensures that: the time taken to process an inter-organizational transaction is minimized; the paperwork of transaction processing is eliminated; the costs of transaction processing are reduced, as much of the need for human interpretation and processing is removed; and reduced human involvement reduces errors.
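The "commonly agreed format" exchange described above, as an added example that is not part of this page or of any EDI product: a purchase order is translated by the sender into a flat file, parsed back by the receiver with strict checks on the envelope, segment order, field counts and trailer line count, and sealed with an HMAC so that the receiver rejects a message that was changed or had segments inserted in transit, which is the risk listed earlier under information and technology risks. The HDR/LIN/TRL layout, the "*" and "~" delimiters, the segment names and the shared key are all assumptions made for illustration; the layout is neither ANSI X12 nor UN/EDIFACT.

```python
"""Illustrative EDI-style exchange (added example, not from the page).

A sender translates a purchase order into an agreed flat-file layout, the
receiver parses it back with strict checks, and an HMAC tag lets the receiver
reject a message that was altered or had segments inserted in transit.
Assumptions: the segment layout (HDR/LIN/TRL with '*' and '~' delimiters) is
invented for illustration and is neither ANSI X12 nor UN/EDIFACT; the shared
key stands in for whatever the trading partners or their VAN actually agree.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

SEG = "~"   # segment terminator (assumed)
ELEM = "*"  # element separator (assumed)


@dataclass
class PurchaseOrder:
    po_number: str
    buyer: str
    supplier: str
    lines: list = field(default_factory=list)  # (sku, qty, unit_price_cents)


def to_flat_file(po: PurchaseOrder) -> str:
    """Sender side: application data -> agreed flat-file format."""
    for value in (po.po_number, po.buyer, po.supplier, *(sku for sku, _, _ in po.lines)):
        if SEG in value or ELEM in value:
            raise ValueError("field contains a delimiter character")
    segments = [["HDR", "PO", po.po_number, po.buyer, po.supplier]]
    for sku, qty, price in po.lines:
        segments.append(["LIN", sku, str(qty), str(price)])
    segments.append(["TRL", str(len(po.lines))])  # line count, checked by the receiver
    return SEG.join(ELEM.join(s) for s in segments) + SEG


def from_flat_file(text: str) -> PurchaseOrder:
    """Receiver side: parse the flat file, rejecting anything off-format."""
    segs = [s.split(ELEM) for s in text.split(SEG) if s]
    if len(segs) < 2 or segs[0][0] != "HDR" or segs[-1][0] != "TRL":
        raise ValueError("missing HDR/TRL envelope")
    hdr, trl = segs[0], segs[-1]
    if len(hdr) != 5 or hdr[1] != "PO":
        raise ValueError("malformed header")
    if len(trl) != 2 or not trl[1].isdigit():
        raise ValueError("malformed trailer")
    lines = []
    for s in segs[1:-1]:
        if s[0] != "LIN" or len(s) != 4 or not (s[2].isdigit() and s[3].isdigit()):
            raise ValueError(f"unexpected or malformed segment: {s[0]}")
        qty, price = int(s[2]), int(s[3])
        if qty == 0:
            raise ValueError("zero quantity")
        lines.append((s[1], qty, price))
    if int(trl[1]) != len(lines):
        raise ValueError("trailer line count does not match body")
    return PurchaseOrder(hdr[2], hdr[3], hdr[4], lines)


def seal(message: str, key: bytes) -> str:
    """Append an integrity tag segment so the receiver can detect alteration."""
    tag = hmac.new(key, message.encode(), hashlib.sha256).hexdigest()
    return message + ELEM.join(["MAC", tag]) + SEG


def open_sealed(sealed: str, key: bytes) -> PurchaseOrder:
    """Verify the tag in constant time before parsing anything."""
    body, marker, tail = sealed.rpartition("MAC" + ELEM)
    if not marker:
        raise ValueError("no integrity tag present")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tail.rstrip(SEG), expected):
        raise ValueError("integrity check failed: message altered in transit")
    return from_flat_file(body)


def demo() -> dict:
    """Round trip, then two transit failures: a changed quantity and an inserted line."""
    key = b"key-agreed-with-trading-partner"  # assumption for the example
    po = PurchaseOrder("PO1001", "ACME", "WIDGETCO", [("W-1", 10, 250), ("W-2", 5, 1999)])
    sealed = seal(to_flat_file(po), key)
    results = {"roundtrip": open_sealed(sealed, key) == po}
    tampered = sealed.replace("LIN*W-1*10*250", "LIN*W-1*1000*250")  # qty changed in transit
    try:
        open_sealed(tampered, key)
        results["tamper_rejected"] = False
    except ValueError:
        results["tamper_rejected"] = True
    inserted = to_flat_file(po).replace("TRL", "LIN*W-9*1*1~TRL")  # unsealed, extra line
    try:
        from_flat_file(inserted)
        results["insert_caught"] = False
    except ValueError:
        results["insert_caught"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the receiving system. First, the parser trusts nothing in the file: it checks the envelope, each segment's name and field count, numeric fields and the trailer's line count before handing anything to the application, which is what catches an inserted line even without the tag. Second, the tag is verified with a constant-time comparison before the body is parsed at all, so a tampered file never reaches the application code; in a real deployment this protection would come from the VAN or from signing the interchange rather than from a hand-rolled segment, but the ordering (verify, then parse) is the same.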

Enterprise resource planning (ERP): ERP is the technological backbone of e-business: an enterprise-wide transaction framework with links into sales order processing, inventory management and control, production and distribution planning, and finance. Enterprise resource planning is a cross-functional enterprise system driven by an integrated suite of software modules that supports the basic internal business processes of a company. For example, ERP software for a manufacturing company will typically process the data from, and track the status of, sales, inventory, shipping and invoicing, as well as forecast raw material and human resource requirements. ERP gives a company an integrated real-time view of its core business processes, such as production, order processing and inventory management, tied together by the ERP application software and a common database maintained by a database management system. ERP systems track business resources (such as cash, raw materials and production capacity) and the status of commitments made by the business (such as customer orders, purchase orders and employee payroll), no matter which department (manufacturing, purchasing, sales, accounting etc.) has entered the data into the system.

Benefits and challenges of ERP: ERP systems can generate significant business benefits for a company. Many companies have found major business value in their use of ERP in several basic ways:

Quality and efficiency: ERP creates a framework for integrating and improving a company's internal business processes that results in significant improvements in the quality and efficiency of customer service, production and distribution.

Decreased costs: Many companies report significant reductions in transaction processing costs and in hardware, software and IT support staff compared with the non-integrated legacy systems that their new ERP systems replaced.

Decision support: ERP quickly provides vital cross-functional information on business performance to managers, significantly improving their ability to make better decisions in a timely manner across the entire enterprise.

Enterprise agility: Implementing ERP systems breaks down many former departmental and functional walls, or "silos", of business processes, information systems and information resources. This results in more flexible organizational structures, managerial responsibilities and work roles, and therefore a more agile and adaptive organization and workforce that can more easily capitalize on new business opportunities.

Identifying business/IT strategies: Internet technologies, e-business and e-commerce applications can be used strategically for competitive advantage, as this text repeatedly demonstrates. However, in order to optimize this strategic impact, a company must continually assess the strategic value of such applications. The major competitive advantages are as follows:

Cost and efficiency improvements: This quadrant represents a low amount of company, customer and competitor connectivity and use of IT via the Internet and other networks. So one recommended strategy would be to focus on improving efficiency and lowering costs by using the Internet and the World Wide Web as a fast, low-cost way to communicate and interact with customers, suppliers and business partners. The use of e-mail, chat systems, discussion groups and a company website are typical examples.

Performance improvement in business effectiveness: Here a company has a high degree of internal connectivity and pressure to substantially improve its business processes, but external connectivity by customers and competitors is still low. A strategy of making major improvements in business effectiveness is recommended. For example, widespread internal use of Internet-based technologies like intranets and extranets can substantially improve information sharing and collaboration within the business and with its trading partners.

Global market penetration: A company that enters this quadrant of the matrix must capitalize on a high degree of customer and competitor connectivity and use of IT. Developing e-business and e-commerce applications to optimize interaction with customers and build market share is recommended. For example, e-commerce websites with value-added information services and extensive online customer support would be one way to implement such a strategy.


Product and service transformation: Here a company and its customers, suppliers and competitors are extensively networked. Internet-based technologies, including e-commerce websites and e-business intranets and extranets, must now be implemented throughout the company's operations and business relationships. This enables a company to develop and deploy new Internet-based products and services that strategically reposition it in the marketplace. Using the Internet for electronic commerce transaction processing with customers at company websites, and e-commerce auctions and exchanges for suppliers, are typical examples of such strategic e-business applications.

Implementing business change: Implementation activities include managing the introduction and implementation of changes in business processes, organizational structures, job assignments and work relationships resulting from business/IT strategies and applications such as e-business initiatives, reengineering projects, supply chain alliances and the introduction of new technologies. Companies use change management tactics, such as user involvement in business/IT planning and development, to reduce end-user resistance and maximize acceptance of business changes by all stakeholders.

Strategic Information System (SIS): A system that delivers information products and services that play a direct and prominent role in helping the firm achieve its strategic goals. Researchers have classified information systems into three categories: Systems that support business functions, such as accounting, marketing and manufacturing information systems; Systems that support strategic planning, such as DSS and EIS; Systems that are part of a firm's strategy.
Benefits of the strategic information system: A strategic information system benefits both the organization and the customer, as described below: Benefits to the organization: Increased market share; Reduction of processing costs; Ability to charge higher prices because of the value-added component; Increase in profit margins. Benefits to the customer: Increased customer satisfaction; Increased customer control; Reduction in transaction costs (such as shipping and handling costs, merchandise returns and recording).

Characteristics of strategic information systems: There are three characteristics commonly found in all strategic information systems. They are as follows: Telecommunications as a central part of an SIS; Reliance on a number of vendors for providing information technologies; Cooperation among a number of organizations.


Chapter-2

IT Application
Business Process Enablement

Business Model: A business model describes the rationale of how an organization creates, delivers and captures value (i.e. economic, social or other forms of value). The process of business model construction is part of business strategy. A business model converts innovation into economic value for the business. The business model also reflects how a company makes money by specifying where it is positioned in the value chain. It draws on a multitude of business subjects including entrepreneurship, strategy, economics, finance, operations and marketing.

Business Model Design: Business model design refers to the activity of designing a company's business model. It is part of the business development and business strategy process and involves design methods. Business model design includes the modeling and description of a company's: value propositions; target customer segments; distribution channels; customer relationships; value configurations; core capabilities; partner network; cost structure; revenue model. Business model design is distinct from business modeling. The former refers to defining the business logic of a company at the strategic level, whereas the latter refers to business process design at the operational level. A business model design template can facilitate the process of designing and describing a company's business model.

IT Contribution to the Support of Business Models: Information technology serves business organizations in various ways. Information technology and its applications in business models are as follows:

Information Technology: It is now said that we live in the information age, meaning information technology has become a part of our everyday lives. Many companies now have IT departments for managing the computers, networks and other technical areas of their businesses.

IT Governance Consulting Services: The role that IT plays in organizations has changed drastically in recent years. IT has become an integral part of business strategy, which has introduced new risks and challenges. IT management is increasingly being challenged to understand and articulate the risks and benefits of IT and to find ways to deal with: Aligning IT with the business strategy; Adding value to the business; Managing the risk of IT; Managing the IT resources; Managing IT's performance.

IT Strategy Facilitation and Development: The development of an IT strategy that manages and directs all IT resources in line with the business strategy and operations is a key requirement and challenge for business as well as IT management.

IT Contribution: At present, in many organizations business transactions are fully automated. For example, in a banking system most operations are automated. So IT's contribution to business is expanding rapidly.

Risk Avoidance: This includes not performing an activity that could carry risk. An example would be not buying a property or business in order not to take on the legal liability that comes with it. Another would be not flying in order not to take the risk that the airplane will be hijacked. Avoidance may seem the answer to all risks, but avoiding risks also means losing out on the potential gain that accepting (retaining) the risk may have allowed. Not entering a business to avoid the risk of loss also avoids the possibility of earning profits. It is the most effective way of managing risk.

Risk Transfer: Risk transfer is sharing with another party the burden of loss, or the benefit of gain, from a risk and the measures to reduce a risk. The term risk transfer is often used to mean that anyone can transfer a risk to a third party through insurance or outsourcing. In practice, if the insurance company or contractor goes bankrupt or ends up in court, the original risk is likely to still revert to the first party.

Typical Threats to an Electronic Business Information System: An electronic business information system faces many threats, which can be selected for the risk assessment in a manner that will best represent what might occur within the department, and can be prioritized to identify the ones most likely to occur: System administration practices; Client system access control; Operational policies; Key person dependency; Passwords; Data exposure/loss; Physical security (internal); Clear text; Physical security (external); Spoofing; Natural disaster; Construction.

Service Level Management: Service level management is the process by which an organization identifies and agrees on the level of IT service needed to support the business, and defines a mechanism to monitor the identified service levels to see that they are being achieved. Within the service level management process, organizations typically use service level agreements (SLAs) to define specifically what a service is, to define the level at which it must be provided, and to gain agreement with all parties on the desired result. In short, Service Level Management is the process that forms the link between the IT organization and its customers. The main aim of SLM is to ensure the quality of the IT services provided, at a cost acceptable to the business/customer. The other goal of SLM is to maintain and improve service quality through a constant cycle of agreeing, monitoring, reporting and improving the current levels of service. It is focused on the business and on maintaining the alignment between the business and IT.

IT Service Level Attributes: Information technology helps Service Level Management. Some important attributes of an IT service level are as follows: Must be attainable; Must be cost effective; Must meet business needs; Must be supported by negotiated Service Level Agreements; Must be monitored; Must be agreed by all parties.

Components of Service Level Management: The components of Service Level Management are as follows: Availability; Measurement; Performance; Reporting; Security; Service support; Service level agreements.

Service Level Agreement: A service-level agreement is a part of a service contract where the level of service is formally defined. In practice, the term SLA is sometimes used to refer to the contracted delivery time (of the service) or performance. As an example, internet service providers will commonly include service level agreements within the terms of their contracts with customers to define the level(s) of service being sold in plain language terms. In this case the SLA will typically have a technical definition in terms of mean time between failures (MTBF), mean time to repair or mean time to recovery (MTTR), various data rates, throughput, jitter, or similar measurable details. A Service Level Agreement (SLA) is used to manage the performance of a service. While it may not yet be common as part of your development project, an SLA can improve the quality of the development process, reduce the risks of project failure and strengthen customer relationships. An SLA exudes professionalism; publishing and living by acceptable standards suggests a company understands its business and customers.
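The monitoring side of service level management described above, as an added example that is not part of the original study material: it computes MTBF, MTTR and availability from a constructed outage log for one reporting period and compares them with agreed SLA targets. The outage times, the period boundaries and the target values are all invented for illustration.

```python
from datetime import datetime

# Constructed outage log for one service over a 30-day reporting period.
# Each entry is (failure time, restore time); the values are invented.
OUTAGES = [
    (datetime(2024, 3, 3, 2, 0), datetime(2024, 3, 3, 2, 30)),     # 30 minutes
    (datetime(2024, 3, 12, 14, 0), datetime(2024, 3, 12, 15, 0)),  # 60 minutes
    (datetime(2024, 3, 25, 9, 0), datetime(2024, 3, 25, 9, 15)),   # 15 minutes
]
PERIOD_START = datetime(2024, 3, 1)
PERIOD_END = datetime(2024, 3, 31)


def service_metrics(outages, period_start, period_end):
    """Return MTBF and MTTR (hours) and availability (fraction) for the period.

    MTBF = uptime / number of failures; MTTR = downtime / number of failures;
    availability = uptime / total period length.
    """
    period_hours = (period_end - period_start).total_seconds() / 3600
    downtime_hours = sum((end - start).total_seconds() / 3600 for start, end in outages)
    failures = len(outages)
    uptime_hours = period_hours - downtime_hours
    mtbf = uptime_hours / failures if failures else period_hours
    mttr = downtime_hours / failures if failures else 0.0
    return {
        "mtbf_hours": mtbf,
        "mttr_hours": mttr,
        "availability": uptime_hours / period_hours,
    }


def check_sla(metrics, min_availability, max_mttr_hours):
    """Compare measured service levels with the agreed targets.

    Returns the list of breached attributes (empty when the SLA was met),
    which is what a monthly service report would escalate.
    """
    breaches = []
    if metrics["availability"] < min_availability:
        breaches.append("availability")
    if metrics["mttr_hours"] > max_mttr_hours:
        breaches.append("mttr")
    return breaches


if __name__ == "__main__":
    m = service_metrics(OUTAGES, PERIOD_START, PERIOD_END)
    print(f"MTBF {m['mtbf_hours']:.1f} h, MTTR {m['mttr_hours']:.2f} h, "
          f"availability {m['availability'] * 100:.3f}%")
    # Assumed SLA targets: 99.9% availability and restoration within one hour.
    print("breaches:", check_sla(m, 0.999, 1.0))
```

With the constructed log the service was up 718.25 of 720 hours (99.757%), so an SLA promising 99.9% is breached on availability even though every outage was repaired within the one-hour MTTR target; the two attributes have to be monitored separately.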

Developing a Disaster Recovery Plan: An effective DRP can be achieved by carrying out the following five steps: Identify the core elements of the firm, including finance, business processes, human resources and information technology; Assign monetary values to each asset or element using an Annual Loss Expectancy (ALE) calculation, multiplying the potential frequency of a disaster occurring by the expected sterling (GBP) loss per instance; Prioritize these areas, focusing on those directly affecting the bottom line; Assign responsibilities for each of these spheres to suitable personnel; Define what customers, suppliers and stakeholders expect, particularly in terms of contractual obligations; Conduct what-if scenario planning to determine suitable responses for various disasters or emergencies (anything that can destroy or render resources or data inoperable is a potential disaster); Communicate the strategy throughout the firm, ensuring the necessary resources are adequately prepared; Test and review the strategy at least annually or as significant internal changes occur, and integrate this planning and control process into every element of business planning and operation, allowing DR plans to grow in step with the business and its changing requirements.

The advantages of Disaster Recovery Planning: The major advantages of DRP in the business are as follows: Ability to maintain, or resume, operational trading; Safeguarding reputation, brand and image; Reducing downtime through the mitigation of disasters; Preventing loss of customers to competitors due to inability to trade; Increasing confidence of associates, clients, investors and business partners.

Organizations face five types of IT investment opportunities to further business strategy: what are those opportunities? Explain briefly. Organizations face five types of IT investment opportunities to further business strategy. Determining the balance between the opportunities is a significant component of how IT strategy delivers business value. In this way, organizations have to adopt a portfolio approach to IT investments. The five investment opportunities are: Business Improvement; Business Enabling; Business Opportunities; Opportunity Leverage; Infrastructure.

Critical Success Factors of Strategy Development: The right technology strategy is an opportunity for organizational change and improvement. In developing an IT strategy for an organization, five critical success factors should be considered: Revisiting the business model; Adopting strategic themes; Getting the right people involved; Working in partnership with the business; and Balancing IT investment opportunities.


Chapter-3

IT Application
Management information system

Data: Data consist of the raw numbers that computers organize to produce information. They are the streams of raw figures and facts representing events such as business transactions.

Information: Information is data that has been processed into a form that is meaningful to the recipient and is of real or perceived value in current or prospective decisions. Information is valuable when it is reliable, clear, complete, timely, of the right quantity and relevant. Information depicts the precise, structured and organized presentation of data, indicating and summarizing the position of a phenomenon. Basically, information is used for decision making, calculating or exchanging ideas and plans. The evolution of technology started due to the increased demand for information. Information should be preserved and retrieved whenever wanted.

Fig: Data -> Data transformation -> Information

The difference between data and information: It often seems that computers must understand human language because human beings understand the information they produce. However, computers cannot understand anything. Computers recognize two distinct physical states produced by electricity, magnetic polarity or reflected light. Essentially, they understand whether a switch is on or off. In fact, the CPU, which acts like the brain of the computer, consists of several million tiny electronic switches, called transistors. A computer appears to understand information only because it operates at such phenomenal speeds, grouping its individual on/off switches into patterns that become meaningful to us. In the world of computing, data is the term used to describe the information represented by groups of on/off switches. Although the words data and information are often used interchangeably, there is an important distinction between the two. In the strictest sense, data consist of the raw numbers that computers organize to produce information.
Technology is also used in these arenas, in the form of the database concept. So it can be said that technology is the technique used to work with information.

Characteristics of useful information: Information should have certain characteristics to make it valuable and meaningful, and they are as follows: Accurate; Timely; Complete; Relevant; Cost effective.

Information system: An information system is an organized combination of people, hardware, software, communication networks and data resources that collects, transforms and disseminates information in an organization. In other words, an information system is a mechanism that helps people collect, organize and use information.

Components of an information system: An information system contains information about the organization and its surrounding environment. The basic components of an information system are input, processing and output. From all these components, the organization gets information for decision making and for controlling the organization. An information system also requires feedback and control components to meet its objectives. Input: The connection of the computer with the outside world is made through input devices. Input devices enable users to enter characters such as letters and numbers. Input is the activity of gathering and capturing raw data from within the organization and/or from its external environment.


Processing: The microprocessor performs processing tasks under the direction of a program. Processing involves converting or transforming data into a more meaningful form. Output: Output shows the results of processing operations. It involves producing useful information in a proper form, such as reports, paychecks or documents, and transferring the processed information to the users. Output from one information system can become input for another. Feedback: Feedback is the control mechanism that allows people to evaluate the performance of the system and make necessary changes to input or processing activities.

Fig: Information system: Input -> Process -> Output, with Feedback

Information technology: In the broadest sense, information technology refers to both the hardware and software that are used to store, retrieve and manipulate information. It is the use of computers and software to manage information. The information technology department of an organization would be responsible for storing information, protecting information, processing the information, transmitting the information as necessary and later retrieving information as necessary. Information technology can help business processes, managerial decision making and workgroup collaboration. The following information technologies are used in a computer-based information system: Computer-based hardware technologies; Computer-based software technologies; Telecommunication network technologies; Data resource management technologies.

Information access management: Access to the information system plays a vital role in management. If the information is not accessible by the managers then the information becomes useless. Unauthorized access to the information system can be harmful for the organization. Information access management therefore means that organizational information must be accessible to the authorized persons.
Importance to management of the accessibility of information: Information is the most valuable thing for decision making, and managers need to access information when they need it. The importance of information for management decision making is as follows: Easy information access enables organizational knowledge workers to quickly and easily access the relevant documents, work products, people, projects, enterprise relationships and other information they need to do their jobs more effectively, which in turn makes the organization more efficient and competitive; Managers need to use information for decision making and for making sense of changes and developments in their external environment. Managers also need to generate new knowledge which can be applied to design new products and services, enhance existing offerings and improve organizational processes. Managers do not characteristically solve problems but apply rules and copy solutions from others.

Information access authorization: Criteria for access authorization are: Granting access; Restricting access; Identity-based access.

Information access establishment and modification: Implement policies and procedures that, based upon the organization's access authorization policies, establish, document, review and modify users' rights of access to workstations, transaction programs and/or processes, by the following: Establishing and documenting access authorization; Maintenance of access rights.


Information security: Information security means protecting information and information systems from unauthorized access, use, disclosure, disruption, modification or destruction. It can be accomplished by implementing a plan that incorporates the appropriate components for providing the required protection, including controls, rules, procedures, user training and computer hardware and software. Once the plan is completed, the following steps must be taken to ensure that the organization's information security objectives are met: Implementing the plan; Monitoring logs to verify compliance and identify problems; Measuring the results; Identifying potential improvements; Refining processes and procedures. Information security ensures the confidentiality, integrity and availability of the organization's data. Confidentiality is the term used for preventing the disclosure of information to unauthorized individuals or systems. Integrity means data cannot be modified without authorization. Availability ensures that information or data is served when it is needed.

Importance of information security: The major importance of information security is as follows: Information systems, and the communications that deliver the information, are truly pervasive throughout organizations, from the user's platform to local and wide area networks to servers to mainframe computers; Organizations depend on timely, accurate, complete, valid, consistent, relevant and reliable information; Executive management has a responsibility to ensure that the organization provides all users with a secure information systems environment.

Tools for information security: Effective security management can minimize errors, fraud and losses in the information system. Currently common security tools used by organizations and individuals are as follows:

Encryption: Encryption of data has become an important way to protect sensitive information transmitted over the Internet and other networks.
Encryption is the coding and scrambling of messages to prevent unauthorized access to, or understanding of, the data being transmitted. A message can be encrypted by applying a secret numerical code, called an encryption key, so that the data are transmitted as a scrambled set of characters (the key consists of a large group of letters, numbers and symbols). To be read, the message must be decrypted (unscrambled) with a matching key. There are several alternative methods of encryption, but public key encryption is becoming popular. Public key encryption uses two keys, one private key and one public key. The keys are mathematically related so that data encrypted with one key can be decrypted using only the other key. To send and receive messages, communicators first create separate pairs of private and public keys. The public key is kept in a directory and the private key must be kept secret. The sender encrypts a message with the recipient's public key. On receiving the message, the recipient uses his or her private key to decrypt it. Encryption is especially useful to shield messages on the Internet and other public networks because they are less secure than private networks. Encryption helps protect the transmission of payment data, such as credit card information, and addresses the problems of message integrity and authentication.

Firewalls: A computer within a LAN uses a gateway to connect to the Internet, the worldwide consortium of computer networks. The connection is a security risk, as the LAN has no control over users on the Internet. Applications transferred through the Internet to the LAN may contain computer viruses that can harm the components of the LAN. Besides, unauthorized users may have other objectives, such as prying into a competitor's database or obtaining classified information that is otherwise not available for public use.
A firewall is a special gateway that protects the users within a LAN from all such hazards while letting them access external information. Firewalls are used to prevent unauthorized users from accessing private networks. A firewall isolates a computer system from unauthorized access by another computer system on the Internet. As growing numbers of businesses expose their networks to Internet traffic, firewalls are becoming a necessity. A firewall is a combination of hardware and software that controls the flow of incoming and outgoing network traffic. It is generally placed between the organization's private internal networks and untrusted external networks such as the Internet, although firewalls can also be used to protect one part of a company's network from the rest of the network. The firewall acts like a gatekeeper that examines each user's credentials before access is granted to a network. The firewall identifies names, Internet Protocol (IP) addresses, applications and other characteristics of incoming traffic. It checks this information against the access rules that have been programmed into the system by the network administrator. The firewall prevents unauthorized communication into and out of the network, allowing the organization to enforce a security policy on traffic flowing between its network and other untrusted networks, including the Internet. In large organizations, the firewall often resides on a specially designated computer separate from the rest of the network, so no incoming request can directly access private network resources. There are a number of firewall screening technologies, including static packet filtering, inspection, Network Address Translation and application proxy filtering. These techniques are used in combination to provide firewall protection. To create a good firewall, an administrator must write, in very fine detail, and maintain the internal rules identifying the people, applications or addresses that are allowed or rejected. Firewalls can deter, but not completely prevent, network penetration by outsiders, and should be viewed as one element in an overall security plan. To deal effectively with Internet security, broader corporate policies and procedures, user responsibilities and security awareness training may be required.

E-mail monitoring: Internet and other online e-mail systems are one of the favorite avenues of attack by hackers for spreading computer viruses or breaking into networked computers. E-mail is therefore also the battlefield for attempts by the organization to enforce policies against illegal, personal or damaging messages sent by employees, through monitoring software.
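The public key exchange described in the encryption passage above, as an added example that is not part of the original study material: two communicators each hold a key pair, the sender encrypts with the recipient's public key and signs with its own private key, and the recipient decrypts with its private key and checks the signature with the sender's public key, covering confidentiality, integrity and authentication in one exchange. The arithmetic is textbook RSA on deliberately tiny primes (chosen here only so the numbers are visible); the key sizes, the per-byte processing and the names Alice and Bob are assumptions of this example, and real systems use much larger keys with padding.

```python
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Build a textbook RSA key pair from two primes p and q.

    Returns (public_key, private_key) as ((e, n), (d, n)). The two keys are
    mathematically related: e*d = 1 (mod phi), so what one key scrambles only
    the other can unscramble. Toy-sized primes are used for visibility only.
    """
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse of e
    return (e, n), (d, n)


def encrypt(message, public_key):
    """Scramble each byte with the RECIPIENT's public key: c = m^e mod n."""
    e, n = public_key
    return [pow(b, e, n) for b in message]


def decrypt(ciphertext, private_key):
    """Unscramble with the matching private key: m = c^d mod n.

    Returns a list of ints; only the correct private key yields the original bytes.
    """
    d, n = private_key
    return [pow(c, d, n) for c in ciphertext]


def sign(message, private_key):
    """Sign the SHA-256 digest with the SENDER's private key (integrity + authentication)."""
    d, n = private_key
    return [pow(b, d, n) for b in hashlib.sha256(message).digest()]


def verify(message, signature, public_key):
    """Check a signature with the sender's public key: s^e mod n must equal each digest byte."""
    e, n = public_key
    digest = hashlib.sha256(message).digest()
    return len(signature) == len(digest) and all(
        pow(s, e, n) == b for s, b in zip(signature, digest))


# Constructed key pairs for the two communicators (primes chosen for illustration).
ALICE_PUB, ALICE_PRIV = make_keypair(71, 67)  # n = 4757
BOB_PUB, BOB_PRIV = make_keypair(61, 53)      # n = 3233


def exchange(message):
    """Alice sends Bob a signed, encrypted message; Bob decrypts and verifies it."""
    ciphertext = encrypt(message, BOB_PUB)      # from the public directory
    signature = sign(message, ALICE_PRIV)       # only Alice can produce this
    recovered = bytes(decrypt(ciphertext, BOB_PRIV))  # only Bob can do this
    return recovered, verify(recovered, signature, ALICE_PUB)


if __name__ == "__main__":
    text, authentic = exchange(b"pay 100 to account 42")
    print(text, "signature valid:", authentic)
```

Decrypting the ciphertext with any key other than Bob's private key returns garbage, and changing a single character of the message makes the signature check fail, which is the property the text means by "addresses the problems of message integrity and authentication".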
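The rule checking the firewall passage describes (identify the IP addresses, protocol and application port of incoming traffic and compare them with the administrator's access rules), as an added example that is not taken from the study material or from any firewall product: a static packet-filter evaluator with an ordered, first-match, default-deny rule set, run over a constructed list of connection attempts. The rule set, the addresses (documentation ranges) and the sample traffic are all invented for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source network, CIDR notation
    dst: str              # destination network, CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # destination port, None means any port


# Constructed rule set standing in for what the network administrator programmed.
# Rules are checked top to bottom and the first match decides; a connection
# that matches no rule is denied (default deny).
RULES = [
    Rule("deny", "0.0.0.0/0", "10.0.0.0/8", "tcp", 23),          # no telnet into the LAN
    Rule("allow", "0.0.0.0/0", "10.0.1.10/32", "tcp", 443),      # public HTTPS server
    Rule("allow", "10.0.0.0/8", "10.0.0.0/8", "any", None),      # internal traffic
    Rule("allow", "203.0.113.5/32", "10.0.2.20/32", "tcp", 22),  # one partner host, one server
]


def matches(rule, src_ip, dst_ip, proto, dport):
    """True when a connection falls inside the rule's address, protocol and port scope."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    if rule.dport is not None and rule.dport != dport:
        return False
    return True


def decide(rules, src_ip, dst_ip, proto, dport):
    """Return (action, matching rule); (deny, None) when nothing matched."""
    for rule in rules:
        if matches(rule, src_ip, dst_ip, proto, dport):
            return rule.action, rule
    return "deny", None


# Constructed sample of connection attempts: (src, dst, proto, dport).
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "10.0.1.10", "tcp", 443),   # outsider to web server: allowed
    ("198.51.100.7", "10.0.1.10", "tcp", 23),    # outsider telnet: denied by rule 1
    ("10.0.5.5", "10.0.1.10", "tcp", 23),        # internal telnet: still denied (order matters)
    ("10.0.5.5", "10.0.3.3", "udp", 53),         # internal DNS: allowed
    ("203.0.113.5", "10.0.2.20", "tcp", 22),     # partner SSH to its one server: allowed
    ("203.0.113.5", "10.0.2.20", "tcp", 3389),   # partner RDP: no rule, default deny
]


def screen(rules, traffic):
    """Apply the rule set to each connection record and return the actions taken."""
    return [decide(rules, *record)[0] for record in traffic]


if __name__ == "__main__":
    for record, action in zip(SAMPLE_TRAFFIC, screen(RULES, SAMPLE_TRAFFIC)):
        print(action.upper().ljust(5), record)
```

The third record shows why the text insists the administrator write the rules "in very fine detail": the telnet deny sits above the blanket internal allow, so the order of the rules, not just their content, determines what the firewall enforces.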
Virus defense: Corporate antivirus protection is a centralized function of information technology, achieved by adopting an antivirus program that runs in the background. Large organizations build defenses against the spread of viruses by centralizing the distribution and updating of antivirus software as a responsibility of the IT department. Other organizations outsource the virus protection responsibility to their internet service providers or to telecommunications or security management companies.

Security code: Security codes are a type of multilevel password system for security management. An end user logs into the computer system by entering his or her unique identification code or user ID, and the user is then asked to enter a password in order to gain access to the system.

Back-up files: Back-up is nothing but copying data and programs, or whatever computer documents there are, onto spare magnetic tapes or disks to provide security. The simplest and most inexpensive way to avoid disastrous loss of data is to implement a schedule of periodic backups with storage off-site. It is one of the few simple, economical ways to ensure that data are safe and usable. Back-up files are kept off-premises to ensure future security. The following resources must be considered: Personnel; Hardware; Facilities; Documentation; Supplies; Data/Information; Application software; System software.

Security monitors: Security of a network may be provided by specialized system software packages known as system security monitors. System security monitors are programs that monitor the use of computer systems and networks and protect them from unauthorized use, fraud and destruction.

Biometric security: Biometric security is a fast-growing area of computer security. This security measure is provided by computer devices that measure physical traits that make each individual unique.
This includes voice verification, fingerprints, hand geometry, signature dynamics, keystroke analysis, retina scanning, face recognition and genetic pattern analysis.
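The two-level security code check (user ID, then password) and the monitoring role described under security monitors, as an added example that is not part of the original study material: passwords are stored only as salted PBKDF2 hashes, comparison is constant-time, every attempt is written to an event list a monitor can review, and an account is locked after repeated failures. The user name, the iteration count and the three-attempt limit are assumptions of this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000        # PBKDF2 work factor (assumed value; raise as hardware speeds up)
MAX_FAILED_ATTEMPTS = 3     # lockout threshold (assumed value)


def hash_password(password, salt):
    """Derive a slow, salted hash so a stolen credential store reveals no passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def create_account(store, user_id, password):
    """Keep only the salt and hash; the password itself is never stored."""
    salt = os.urandom(16)
    store[user_id] = {"salt": salt, "hash": hash_password(password, salt),
                      "failed": 0, "locked": False}


def login(store, events, user_id, password):
    """Level one: the user ID must exist. Level two: the password must match.

    Every attempt is appended to `events` for the security monitor.
    Returns (granted, reason).
    """
    record = store.get(user_id)
    if record is None:
        events.append((user_id, "unknown user"))
        return False, "invalid credentials"   # same answer as a bad password
    if record["locked"]:
        events.append((user_id, "attempt on locked account"))
        return False, "account locked"
    candidate = hash_password(password, record["salt"])
    if hmac.compare_digest(candidate, record["hash"]):   # constant-time comparison
        record["failed"] = 0
        events.append((user_id, "login ok"))
        return True, "ok"
    record["failed"] += 1
    events.append((user_id, "bad password"))
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        record["locked"] = True
        events.append((user_id, "locked after repeated failures"))
        return False, "account locked"
    return False, "invalid credentials"


def failed_attempts(events, user_id):
    """Security monitor helper: count bad-password events for one user."""
    return sum(1 for uid, what in events if uid == user_id and what == "bad password")


def demo():
    """Constructed session: one good login, a burst of wrong passwords, then lockout."""
    store, events = {}, []
    create_account(store, "jdoe", "correct horse battery staple")
    results = [login(store, events, "jdoe", "correct horse battery staple")]
    for _ in range(3):
        results.append(login(store, events, "jdoe", "wrong"))
    results.append(login(store, events, "jdoe", "correct horse battery staple"))
    results.append(login(store, events, "nobody", "x"))
    return results, events


if __name__ == "__main__":
    for outcome, event in zip(*demo()):
        print(outcome, event)
```

Note that an unknown user ID and a wrong password produce the same "invalid credentials" answer, so a caller cannot use the login prompt to discover which user IDs exist; the distinction is recorded only in the event list that the monitor sees.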


Computer failure control: To ensure information availability, computer system failures must be controlled. Computer systems fail for several reasons: power failures, electronic circuitry malfunctions, telecommunications network problems, hidden programming errors, computer viruses, computer operator errors and electronic vandalism. To avoid these failures, a backup computer system can be arranged with disaster recovery organizations.

Fault tolerant systems: Sometimes being able to recover data from a hardware failure is not enough. Some LANs must not experience any down time, or data or money will be lost. Many enterprises use fault tolerant computer systems that have redundant processors, peripherals and software that provide fail-over capability to back-up components in the event of system failure. One can use replication to allow the network to continue to operate in the absence of a server, and can implement fault tolerance in servers to make it less likely for a hardware failure to cause a server to go down. This may provide a fail-safe capability where the computer system continues to operate at the same level even if there is a major hardware or software failure. Windows NT Server supports RAID (Redundant Arrays of Inexpensive Disks) for fault tolerance. The levels of fault tolerance are as follows: Level 0: Level 0 increases disk performance but does not make the server more fault tolerant. Level 1, Mirroring: Disk mirroring, or RAID level 1, makes an exact copy of a hard drive partition on another hard drive partition in the system. Level 5, Striping with parity: Disk striping with parity, also called RAID level 5, protects from failure of any one disk in the computer by spreading the information to be stored across several disks and by including error-correction information on the disks. Disk striping with parity requires at least three partitions of the same size, and each partition should be on a different physical drive.
Striping with parity wastes less disk space than does mirroring and it also often results in taster disk performance because the operating system can request the data from all the striped drives at the same time. Disaster recovery: Natural and manmade disasters do happen. Hurricanes, earthquakes, fires, floods, criminal and terrorist acts and human error can all severely damage an organization's computing resources and thus the health of the organization itself. Many organizations like airlines, banks and online services, for example, are crippled by losing even a few hours of computing power. Many firms could survive only a few days without computing facilities. That's why organizations develop disaster recovery procedures and formalize them in a disaster recovery plan. It specifies which employees will participate in disaster recovery and what their duties will be; what hardware, software and facilities will be used and the priority of applications that will be processed. Arrangements with other companies for use of alternative facilities may be done in disaster period.
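The parity mechanism behind RAID level 5 is easy to see in code. The following is an added example, not part of the original notes or of any vendor's RAID implementation: it stripes data across a constructed set of three or more in-memory "disks", stores the XOR parity of each stripe on a rotating disk as RAID 5 does, and then shows that the loss of any one disk can be rebuilt from the survivors while the loss of two cannot. The block size, disk count and sample text are assumptions chosen for the demo.

```python
"""RAID level 5 striping with parity in miniature (added example).

Constructed demo: n 'disks', each stripe holding n-1 data blocks plus one
XOR parity block. The parity position rotates per stripe, as in RAID 5.
Because parity XOR all data blocks == 0, any ONE missing block of a stripe
is the XOR of the others; two missing blocks cannot be rebuilt, which is
the limit the text states ("failure of any one disk").
"""

from typing import List, Optional

Disk = List[Optional[bytes]]  # None models a failed / unreadable disk


def xor_blocks(blocks):
    """Bytewise XOR of equal-length blocks."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        for i, byte in enumerate(b):
            out[i] ^= byte
    return bytes(out)


def stripe_write(data: bytes, n_disks: int, block_size: int) -> List[Disk]:
    """Write data as stripes of (n_disks - 1) data blocks plus one parity block."""
    assert n_disks >= 3, "striping with parity needs at least three drives"
    chunk = (n_disks - 1) * block_size          # user data per stripe
    disks: List[Disk] = [[] for _ in range(n_disks)]
    for offset in range(0, len(data), chunk):
        piece = data[offset:offset + chunk].ljust(chunk, b"\x00")  # pad last stripe
        blocks = [piece[i:i + block_size] for i in range(0, chunk, block_size)]
        parity = xor_blocks(blocks)
        parity_disk = (offset // chunk) % n_disks   # rotating parity position
        data_iter = iter(blocks)
        for d in range(n_disks):
            disks[d].append(parity if d == parity_disk else next(data_iter))
    return disks


def fail_disk(disks: List[Disk], which: int) -> None:
    """Simulate a whole physical drive becoming unreadable."""
    disks[which] = [None] * len(disks[which])


def read_stripe(disks: List[Disk], stripe_index: int) -> bytes:
    """Return the user data of one stripe, rebuilding a single missing block."""
    blocks = [d[stripe_index] for d in disks]
    missing = [i for i, b in enumerate(blocks) if b is None]
    if len(missing) > 1:
        raise IOError("more than one disk lost: parity cannot rebuild the stripe")
    if missing:
        survivors = [b for b in blocks if b is not None]
        blocks[missing[0]] = xor_blocks(survivors)   # works for data OR parity block
    parity_disk = stripe_index % len(disks)
    return b"".join(b for i, b in enumerate(blocks) if i != parity_disk)


def read_all(disks: List[Disk], original_len: int) -> bytes:
    """Reassemble the whole volume and strip the padding of the last stripe."""
    out = b"".join(read_stripe(disks, s) for s in range(len(disks[0])))
    return out[:original_len]


def recover(disks: List[Disk], original_len: int) -> Optional[bytes]:
    """Return the data if the array is still readable, None if it is beyond repair."""
    try:
        return read_all(disks, original_len)
    except IOError:
        return None


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed input
    array = stripe_write(sample, 3, 4)
    fail_disk(array, 1)
    print(recover(array, len(sample)))       # rebuilt from parity
    fail_disk(array, 2)
    print(recover(array, len(sample)))       # None: two drives lost
```

The space cost is visible in the layout: with three drives one third of the capacity holds parity, against one half for mirroring, which is the saving the text describes.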

A diagram of disaster recovery policy, with the flow of the original figure given here as a sequence of steps:

1. Disaster event
2. Notification and execution of the telephone tree
3. Assess damage and execute the appropriate contingency plan
4. Assemble systems recovery team at command center
5. Assemble user recovery team at command center
6. Retrieve critical data from offsite vault
7. Notify customers, notify senior user management, assemble administrative support
8. Notify support vendors on required hardware
9. Initiate transportation of critical operations support personnel to the hot site
10. Configure the hot site for critical operations
11. Establish temporary communication link between the hot site and the command center
12. Commence operations

Information system controls: Information system controls are methods and devices that attempt to ensure the accuracy, validity and propriety of information system activities. Information system controls must be developed to ensure proper data entry, processing techniques, storage methods and information output. These controls are designed to monitor and maintain the quality and security of the input, processing, output and storage activities of any information system.

Auditing information technology security: The information services department should be periodically examined or audited by internal auditing personnel from the business firm. In addition, periodic audits by external auditors from professional accounting firms are a general business practice. Such audits should review and evaluate whether proper and adequate information system controls, procedural controls, facility controls and other managerial controls have been developed and implemented. There are two basic approaches for auditing information systems, that is, auditing the information processing activities of computer-based information systems. They are known as: Auditing through the computer system: Involves verifying the accuracy and integrity of the software that processes the data as well as the input of data and output produced by the computer systems and networks. Auditing through the computer requires knowledge of computer system operations, network operations and software development. Some firms employ special EDP auditors for this assignment. They may use special test data to test processing accuracy and the control procedures built into the software. The auditors may develop special test programs or use audit software packages.

Steps of audit control process: IT security management should be periodically examined or audited by an organization's internal auditing staff or by external auditors from professional accounting firms. The following are the steps of the audit control process: Determine the activities that will be tracked or audited; Select the tools that will be deployed for auditing and system activity reviews; Develop and deploy the information system activity review or audit policy; Develop appropriate standard operating procedures; Implement the audit or system activity review process.

The role of auditing in the control process: How does management know that information systems security and controls are effective? To answer this question, organizations must conduct comprehensive and systematic audits. An MIS audit identifies all of the controls that govern individual information systems and assesses their effectiveness. To accomplish this, the auditor must acquire a thorough understanding of operations, physical facilities, telecommunications, security systems, security objectives, organizational structure, personnel, manual procedures and individual applications. The auditor usually interviews key individuals who use and operate a specific information system concerning their activities and procedures. Security, application controls, overall integrity controls and control disciplines are examined. The auditor should trace the flow of sample transactions through the system and perform tests, using automated audit software if appropriate. Security audits should review technologies, procedures, documentation, training and personnel. A very thorough audit will even simulate an attack or disaster to test the response of the technology, information systems staff and business employees. The auditor lists and ranks all control weaknesses and estimates the probability of their occurrence. The audit then assesses the financial and organizational impact of each threat.

Audit trail: An audit trail can be defined as the presence of documentation that allows a transaction to be traced through all stages of its information processing. This journey may begin with a transaction's appearance on a source document and may end with its transformation into information on a final output document or record. The audit trail of manual information systems was quite visible and easy to trace. However, computer-based information systems have changed the form of the audit trail: information formerly available to the auditor in the form of visual records may no longer be available. Now auditors must know how to search electronically through magnetic disk and tape files of past activity to follow the audit trail of most business systems. Many times, this electronic audit trail takes the form of control logs that automatically record all computer network activity on magnetic disk or tape devices. This audit feature can be found on many online transaction processing systems, performance and security monitors, operating systems and network control programs. Software that records all network activity is also widely used on the Internet, especially the World Wide Web, as well as corporate intranets and extranets. Such an audit trail helps auditors check for errors or fraud, but also helps IS security specialists trace and evaluate the trail of hacker attacks on computer networks.

Different levels of management: The term levels of management refers to a line of demarcation between various managerial positions in an organization. The number of levels in management increases when the size of the business and workforce increases. The level of management determines a chain of command and the amount of authority and status enjoyed by a managerial position. The levels of management can be classified into three broad categories: Top level/administrative level; Middle level/executory level; Low level/supervisory/operative/first-line managers.

Information requirements of management levels: The following are the information requirements of the various levels of management: Top level management: Top management analyzes broader trends in the economy, the business environment and overall company performance, in order to conduct long-range planning for the entire organization; Middle level management: Middle managers need summaries and analyses for setting intermediate and long-range goals for the departments or projects under their supervision; First level management: First-line managers need information to oversee the day-to-day details of their departments or projects.

Types of decisions in management: There are three different levels of management in an organization. Each of these levels has different information requirements for decision support and responsibility for different types of decisions. Decisions can be classified into three categories: Unstructured decisions; Structured decisions; Semi-structured decisions.
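The electronic audit trail described above can be worked through with a small control log. The following is an added example, not code from the notes: it parses a constructed control log in which each line records a transaction passing one processing stage, traces a single transaction from source document to output, flags transactions that reached output without passing every required stage (the kind of control weakness an auditor testing "through the computer" looks for), and, going one step beyond the text, hash-chains the log lines so that a later alteration or deletion of a record is detectable. The stage names, log format and sample entries are all assumptions made for the demo.

```python
"""Electronic audit trail: tracing transactions and checking the control log.

Added example. The log format (timestamp|transaction id|stage|actor), the
required stage sequence and the entries below are constructed for the demo.
"""

import hashlib
from collections import defaultdict

# Stages every transaction is expected to pass through, in order (assumed).
REQUIRED_STAGES = ["source_document", "input", "validation", "posting", "output"]

# Constructed control-log lines. TX1002 skips validation on purpose.
CONTROL_LOG = """\
2024-03-01T09:00:01|TX1001|source_document|clerk_a
2024-03-01T09:00:05|TX1001|input|clerk_a
2024-03-01T09:00:06|TX1001|validation|system
2024-03-01T09:00:07|TX1001|posting|system
2024-03-01T09:00:09|TX1001|output|report_job
2024-03-01T09:02:00|TX1002|source_document|clerk_b
2024-03-01T09:02:03|TX1002|input|clerk_b
2024-03-01T09:02:10|TX1002|posting|clerk_b
2024-03-01T09:02:11|TX1002|output|report_job
"""

GENESIS = "0" * 64   # hash value assumed for "no previous entry"


def parse_log(text):
    """Turn raw log lines into dictionaries."""
    entries = []
    for line in text.strip().splitlines():
        ts, txid, stage, actor = line.split("|")
        entries.append({"ts": ts, "tx": txid, "stage": stage, "actor": actor})
    return entries


def trace(entries, txid):
    """Follow one transaction through every stage recorded for it, in log order."""
    return [(e["stage"], e["actor"]) for e in entries if e["tx"] == txid]


def find_control_gaps(entries):
    """Transactions whose recorded stages differ from the required sequence.

    Returns {transaction id: [missing stages]} so the auditor sees which
    control step (for example validation) was bypassed.
    """
    by_tx = defaultdict(list)
    for e in entries:
        by_tx[e["tx"]].append(e["stage"])
    gaps = {}
    for tx, stages in by_tx.items():
        seen = [s for s in stages if s in REQUIRED_STAGES]
        if seen != REQUIRED_STAGES:          # wrong order or missing stage
            gaps[tx] = [s for s in REQUIRED_STAGES if s not in seen]
    return gaps


def chain(text):
    """Append to each line a SHA-256 over (previous hash + line).

    Each record commits to the one before it, so editing or removing an
    earlier record breaks every hash from that point onward.
    """
    prev, out = GENESIS, []
    for line in text.strip().splitlines():
        h = hashlib.sha256((prev + line).encode()).hexdigest()
        out.append(f"{line}|{h}")
        prev = h
    return out


def verify_chain(chained):
    """Return -1 if the chain is intact, else the index of the first bad record."""
    prev = GENESIS
    for i, rec in enumerate(chained):
        line, h = rec.rsplit("|", 1)
        if hashlib.sha256((prev + line).encode()).hexdigest() != h:
            return i
        prev = h
    return -1


if __name__ == "__main__":
    log = parse_log(CONTROL_LOG)
    print(trace(log, "TX1001"))
    print(find_control_gaps(log))          # {'TX1002': ['validation']}
    print(verify_chain(chain(CONTROL_LOG)))  # -1, chain intact
```

The stage check is only as good as the logging it relies on: if a stage can be completed without writing a log record, the control log shows a gap that may or may not reflect reality, which is why the text has auditors trace sample transactions through the system rather than trust the log alone.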
Information systems at different organizational levels: Three main categories of information systems serve different organizational levels: operational-level systems, management-level systems and strategic-level systems.

Operational-level systems: These support operational managers by keeping track of the elementary activities and transactions of the organization such as sales, receipts, cash deposits, payroll, credit decisions, the flow of materials in a factory etc. The principal purpose of systems at this level is to answer routine questions and to track the flow of transactions through the organization.

Management-level systems: These serve the monitoring, controlling, decision-making and administrative activities of middle managers. They ensure that the activities of the organization are working well. Management-level systems typically provide periodic reports rather than instant information on operations. Some management-level systems support non-routine decision making. They tend to focus on less-structured decisions for which information requirements are not always clear.

Strategic-level systems: These help senior management tackle and address strategic issues and long-term trends, both in the firm and in the external environment. Their principal concern is matching changes in the external environment with existing organizational capability.

Decision making levels: The following are the different decision-making levels in an organization: Strategic: To forecast the future plans and policies of the organization; Tactical: Tracks the reasons for better or worse performance of the activities of the organization; Knowledge: To design promotional and/or other important documents of the organization for the betterment of its activities; Operational: To record daily transactions.

Major types of information systems in the organization: Generally the following six types of information systems correspond to the organizational levels. The organization has executive support systems (ESS) at the strategic level, management information systems (MIS) and decision support systems (DSS) at the management level, knowledge work systems (KWS) at the knowledge level, and transaction processing systems (TPS) and office automation systems (OAS) at the operational level. Systems at each level in turn are specialized to serve each of the major functional areas.

Transaction processing systems (TPS): These are the basic business systems that serve the operational level of the organization. A transaction processing system is a computerized system that performs and records the daily routine transactions necessary to conduct business. Examples are sales order entry, hotel reservation systems, payroll, employee record keeping etc. At the operational level, tasks, resources and goals are predefined and highly structured. Transaction processing systems are often so central to a business that TPS failure for a few hours can lead to the organization's demise, and perhaps that of other organizations linked to it. Managers need TPS to monitor the status of internal operations and the organization's relations with the external environment. TPS are also major producers of information for other types of systems.

Management information system (MIS): An MIS can be defined as a network of computer-based data processing procedures developed in an organization and integrated as necessary with manual and other procedures for the purpose of providing timely and effective information to support decision making and other necessary management functions. An MIS usually generates regular periodic reports for management functional areas to help management decision making and operations. An MIS also provides needed ad hoc and special query reports. MIS reports must provide information with the following attributes: Accuracy; Timeliness; Completeness; Conciseness. MIS design must consider the three levels of management: the top level, the middle level and the lower or supervisory level. Top level managers need a general understanding of the organization's activities. They need the type of information that will support long-range strategic plans and decisions. Middle level managers are responsible for making the tactical decisions that will allocate the resources and establish the controls needed to implement the top level plans. Lower level managers make day-to-day operational decisions to schedule and control specific tasks. The actual results of an operation may be checked daily against planned expectations, and corrective actions may be taken as needed.

Decision support system (DSS): A decision support system (DSS) refers to the process in which managers take the assistance of the components and facilities of the MIS hardware and software in order to make ad hoc analyses of special problems faced by them and generate useful insights into the decision criteria involved. The analyses are totally ad hoc and not done by the MIS as a routine. The analyses help management to make better decisions. This is common practice in the case of relatively unstructured problems where there is a high degree of uncertainty. DSS often involves simulations, expert systems and so-called information centers where needed DSS facilities are clustered together for use by managers. The DSS concept requires that managers get ready access to computer hardware and software tools nearby in order to make decisions more effectively, often in an interactive manner with the managers concerned. Modern advancement in hardware and software technologies has been of great help in this direction. The development of PCs, computer networks, communication systems, the Internet and all types of software has basically helped in the wide use of the DSS concept in business, industry, management and many other fields. DSS has come of age and is proceeding hand-in-hand with MIS. MIS is the backbone information system for management, and DSS provides the constant scope for ad hoc optimization with management intervention. Management has to be resourceful and well-equipped to derive the benefits. The evolution of computer and communication technology is really helping the process very well.

Characteristics of DSS: They support semi-structured or unstructured decision making; They are flexible enough to respond to the changing needs of decision makers; and They are easy to use.

Components of DSS: A DSS has four basic components: The users; Database; Planning languages; Model base.

Examples of DSS: Cost accounting system; Capital budgeting system; Budget variance analysis system; General decision support system.

Executive support systems (ESS): The most practical and widely implemented application of artificial intelligence in business is the development of expert systems. An executive support system (ESS) or expert system is a knowledge-based information system that uses its knowledge about a specific, complex application area to act as an expert consultant to end users. Executive support systems provide answers to questions in a very specific problem area by making humanlike inferences about knowledge contained in a specialized knowledge base. They must also be able to explain their reasoning process and conclusions to a user. So an ESS can provide decision support to end users in the form of advice from an expert consultant in a specific problem area. Through using an expert system, a non-expert can achieve performance comparable to an expert in that particular domain.

Components of an ESS: The components of an expert system include a knowledge base and software modules that perform inferences on the knowledge and communicate answers to a user's question. The components are as follows:

Knowledge base: The knowledge base of an expert system contains (1) facts about a specific subject area and (2) heuristics (rules of thumb) that express the reasoning procedures of an expert on the subject. There are many ways that such knowledge is represented in expert systems. Some of the methods of knowledge representation are: Case-based reasoning: Representing knowledge in an expert system's knowledge base in the form of cases, that is, examples of past performance, occurrences and experiences. Frame-based knowledge: Knowledge represented in the form of a hierarchy or network of frames. A frame is a collection of knowledge about an entity consisting of a complex package of data values describing its attributes. Object-based knowledge: Knowledge represented as a network of objects. An object is a data element that includes both data and the methods or processes that act on those data. Rule-based knowledge: Knowledge represented in the form of rules and statements of fact. Rules are statements that typically take the form of a premise and a conclusion, such as: If (condition), Then (conclusion).

Software resources: An expert system software package contains an inference engine and other programs for refining knowledge and communicating with users. The inference engine program processes the knowledge (such as rules and facts) related to a specific problem. It then makes associations and inferences resulting in recommended courses of action for a user. User interface programs for communicating with end users are also needed, including an explanation program to explain the reasoning process to a user if requested.

Criteria for applications of expert systems: The basic factors that should be taken into account when deciding whether an expert system should be developed for a potential application area are as follows: Domain: The domain or subject area of the problem is relatively small and limited to a well-defined problem area. Expertise: Solutions to the problem require the efforts of an expert. That is, a body of knowledge, techniques and intuition is needed that only a few people possess. Complexity: Solution of the problem is a complex task that requires logical inference processing, which would not be handled as well by conventional information processing.

Structure: The solution process must be able to cope with ill-structured, uncertain, missing and conflicting data and a problem situation that changes with the passage of time. Availability: An expert exists who is articulate and cooperative, and who has the support of the management and end users involved in the development of the proposed system.

Benefits and limitations of expert systems: Like all computer applications, expert systems offer some real benefits, but there are also some limitations. An expert system captures the expertise of an expert or group of experts in a computer-based information system. Thus, it can outperform a single human expert in many problem situations. The benefits of expert systems can accrue to both managers and the organization.

Benefits of expert systems to managers: The major benefits of expert systems to managers are as follows: An expert system is faster and more consistent, can have the knowledge of several experts, and does not get tired or distracted by overwork or stress; Make better decisions by considering more alternatives; Apply a higher level of logic in evaluating the alternatives; More time to evaluate decision results; Achieve consistency in the decisions taken.

Benefits of expert systems to the organization: An organization that implements an expert system can expect: Better performance for the organization; Maintained control over the organization's knowledge. Expert systems also help to preserve and reproduce the knowledge of experts. They allow an organization to preserve the expertise of an expert before he or she leaves the organization. Finally, expert systems can have the same competitive advantages as other types of information technology. That is, the effective use of expert systems can allow a firm to significantly improve the efficiency of its business processes or produce new knowledge-based products and services.

Limitations of expert systems: The major limitations of expert systems are: They have limited focus, inability to learn, maintenance problems and high development cost; Expert systems excel only in solving specific types of problems in a limited domain of knowledge, but they fail miserably in solving problems requiring a broad knowledge base and subjective problem solving; They cannot handle inconsistent knowledge; They cannot apply the judgment and intuition recognized as important ingredients of problem solving; They cannot be applied to unstructured/partially structured problems. However, some of these limitations can be overcome by combining expert systems with AI technologies such as fuzzy logic and neural networks, or by the use of expert system development tools that make the job of development and maintenance easier.

Office automation system (OAS): Office automation systems are information technology applications designed to increase data workers' productivity by supporting the coordinating and communicating activities of the typical office. It is also known as an enterprise collaboration system, and this system enhances team and work group communications and productivity.

Relationship between information systems: The basic relationships between the TPS, MIS, ESS, DSS, KWS and OAS are as follows: TPS supports all other systems. KWS and OAS support MIS and DSS. MIS supports ESS, DSS, KWS and OAS. DSS supports only ESS.

Artificial intelligence: Artificial intelligence (AI) is a branch of computer science concerned with designing intelligent computer systems, that is, systems that exhibit the characteristics we associate with intelligence in human behavior: understanding, language, learning, reasoning, solving problems and so on. AI is an interdisciplinary field. It is influenced and shaped by disciplines such as psychology, mathematics, cognitive science, computational linguistics, data processing, decision support systems and computational modeling. AI is made up of various branches of study, such as expert systems, fuzzy logic, genetic algorithms, virtual reality, intelligent agents, natural language interfaces, neural networks and robotics. Some of the attributes of intelligent behavior that AI is attempting to duplicate in computer-based systems are as follows: Think and reason; Use reason to solve problems; Learn or understand from experience; Acquire and apply knowledge; Exhibit creativity and imagination; Deal with complex or perplexing situations; Respond quickly and successfully to new situations; Recognize the relative importance of elements in a situation; Handle ambiguous, incomplete or erroneous information. Though much work has been done in many of the subgroups that fall under the AI umbrella, critics believe that no computer can truly pass the Turing test. They claim that developing intelligence to impart true humanlike capabilities to computers is simply not possible. But progress continues, and only time will tell if the ambitious goals of artificial intelligence will be achieved and equal the popular images found in science fiction.

Knowledge workers and knowledge work: Knowledge workers include researchers, designers, architects, scientists and engineers who primarily create knowledge and information for the organization. Knowledge workers usually have high levels of education and memberships in professional organizations, and are often asked to exercise independent judgment as a routine aspect of their work. For example, knowledge workers create new products or find ways of improving existing ones.
Knowledge workers perform three key roles that are critical to the organization and to the managers who work within the organization: Keeping the organization current in knowledge as it develops in the external world, in technology, science, social thought and the arts; Serving as internal consultants regarding the areas of their knowledge, the changes taking place and opportunities; Acting as change agents, evaluating, initiating and promoting change projects. Most knowledge workers rely on office systems, such as word processors, voice mail, e-mail, videoconferencing and scheduling systems, which are designed to increase worker productivity in the office. However, knowledge workers also require highly specialized knowledge work systems. These knowledge work systems (KWS) are specifically designed to promote the creation of knowledge and to ensure that new knowledge and technical expertise are properly integrated into the business. Moreover, knowledge work is segmented into many highly specialized fields, and each field has a different collection of knowledge work systems that are specialized to support workers in that field.

Requirements of knowledge work systems/how knowledge workers differ from other workers: Knowledge work systems have characteristics that reflect the special needs of knowledge workers. First, knowledge work systems must give knowledge workers the specialized tools they need, such as powerful graphics, analytical tools, and communications and document management tools. These systems require great computing power to handle the sophisticated graphics or complex calculations necessary for such knowledge workers as scientific researchers, product designers and financial analysts. Because knowledge workers are so focused on knowledge in the external world, these systems also must give the worker quick and easy access to external databases. A user-friendly interface is very important to a knowledge worker's system. User-friendly interfaces save time by enabling the user to perform needed tasks and get to required information without having to spend a lot of time learning how to use the computer. Saving time is more important for knowledge workers than for most other employees because knowledge workers are highly paid. Wasting a knowledge worker's time is simply too expensive, and knowledge workers can easily fall prey to information overload. Knowledge workstations often are designed and optimized for the specific tasks to be performed; so, for example, a design engineer requires a different workstation setup than a financial analyst. Design engineers need graphics with enough power to handle three-dimensional computer-aided design (CAD) systems. Financial analysts, however, are more interested in access to a myriad of external databases and technology for efficiently storing and accessing massive amounts of financial data.
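Before the chapter on systems development, the rule-based knowledge representation, inference engine and explanation program described in the expert systems section above can be made concrete in a few dozen lines. The following is an added example, not code from the notes or from any expert system product: a knowledge base of facts and If (condition) Then (conclusion) rules, a forward-chaining inference engine that fires rules until no new facts appear, and an explanation routine that traces a conclusion back to the rules and given facts behind it. The credit-decision domain, the rule names and the case facts are all constructed for the demo, and the tie-breaking between a decline and an approve conclusion is an assumption that stands in for the conflict handling the text says expert systems lack.

```python
"""Rule-based expert system in miniature (added example).

Knowledge base = facts + rules of the form IF premises THEN conclusion.
Inference engine = forward chaining over the rules.
Explanation program = trace of which rule and which facts produced a conclusion.
The credit domain and rule names below are constructed for the demo.
"""

from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    premises: frozenset   # all of these must be known facts for the rule to fire
    conclusion: str


@dataclass
class ExpertSystem:
    rules: list
    facts: set = field(default_factory=set)
    derivations: dict = field(default_factory=dict)   # conclusion -> Rule that produced it

    def infer(self):
        """Forward chaining: fire every rule whose premises hold until nothing new appears."""
        changed = True
        while changed:
            changed = False
            for rule in self.rules:
                if rule.conclusion not in self.facts and rule.premises <= self.facts:
                    self.facts.add(rule.conclusion)
                    self.derivations[rule.conclusion] = rule
                    changed = True
        return self.facts

    def explain(self, fact, depth=0):
        """Explanation program: why is `fact` believed? Returns indented text lines."""
        pad = "  " * depth
        rule = self.derivations.get(fact)
        if rule is None:                      # not derived, so it was supplied by the user
            return [f"{pad}{fact} (given)"]
        cond = " AND ".join(sorted(rule.premises))
        lines = [f"{pad}{fact} because rule {rule.name}: IF {cond} THEN {rule.conclusion}"]
        for premise in sorted(rule.premises):
            lines.extend(self.explain(premise, depth + 1))
        return lines


# Constructed knowledge base for a credit decision (an operational-level decision
# the notes list among TPS activities). Rule names R1..R4 are assumptions.
CREDIT_RULES = [
    Rule("R1", frozenset({"income_verified", "debt_ratio_low"}), "capacity_ok"),
    Rule("R2", frozenset({"no_late_payments", "history_over_2_years"}), "character_ok"),
    Rule("R3", frozenset({"capacity_ok", "character_ok"}), "approve_credit"),
    Rule("R4", frozenset({"recent_default"}), "decline_credit"),
]


def decide(case_facts):
    """Run the engine on one case; return (decision, system) so the user can ask why."""
    es = ExpertSystem(CREDIT_RULES, set(case_facts))
    es.infer()
    # Assumed conflict policy: a decline rule wins over an approve rule; with
    # neither conclusion the system refers the case to a human expert rather
    # than guessing (the text notes expert systems cannot apply judgment).
    if "decline_credit" in es.facts:
        decision = "decline"
    elif "approve_credit" in es.facts:
        decision = "approve"
    else:
        decision = "refer_to_human_expert"
    return decision, es


if __name__ == "__main__":
    case = {"income_verified", "debt_ratio_low", "no_late_payments", "history_over_2_years"}
    decision, system = decide(case)
    print(decision)                                  # approve
    print("\n".join(system.explain("approve_credit")))
```

The explanation output is what distinguishes an expert system from an ordinary program in the text's account: every conclusion is accompanied by the chain of rules and facts that produced it, which is also what an auditor needs to check that the encoded heuristics match the expert's stated reasoning.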

Chapter-4

IT Application
Designing, implementation and evaluating information systems

System: A system is a set of components that interact to achieve a common goal.

Information system: An information system is a collection of hardware, software, data, people, communications and procedures that work together to produce quality information.

System development: System development is the activity of creating a new business system or modifying an existing business system.

System development life cycle (SDLC): The system development life cycle (SDLC) is based on the systems approach, which divides problem solving into a set of interrelated activities. The SDLC is one of the oldest and most traditional development methodologies. The development of an information system follows a life cycle from the conception of the system to the delivery of that system, hence the term system development life cycle.

Participants in system development: Effective system development requires a team effort. For each system development project, the organization usually establishes a project team to work on the project from beginning to end. The team usually consists of: Stakeholders; Users; Managers; System development specialists; Various support personnel. The development team is responsible for determining the objectives of the information system and the objectives of the organization.

Project management: Project management is the application of knowledge, skills, tools and techniques to project activities in order to meet or exceed stakeholder needs and expectations from a project.

Activities of project management: Project management includes the application of knowledge, skills, tools and techniques to achieve specific targets within specified budget and time constraints. Project management activities include: Planning the work; Assessing risk; Estimating the resources required to accomplish the work; Organizing the work; Acquiring human and material resources, assigning tasks etc.; Directing activities; Controlling project execution; Reporting progress; Analyzing the results.

Variables of project management: Project management for information systems deals with five major variables: Scope; Time; Cost; Quality; and Risk.

Components of a project: The following are the basic components of a project that must be considered by the project leader: The goals, objectives and expectations of the project, collectively called the scope of the project; Required activities; Time estimates for each activity; Cost estimates for each activity; The order in which activities must occur; Activities that may be performed concurrently.

Phases of SDLC: The activities of the SDLC can be grouped into five major phases:
1. System planning: Problem definition; Planning.
2. System analysis: Understanding the problem; Feasibility study; Requirements specification.
3. System design.
4. System implementation: Development; Testing; Implementation.
5. System operation and maintenance: Maintenance; Review.

The systems life cycle is a framework of the processes (stages) which need to occur in the development of a computer system. In general terms, there are the following stages:

System planning: Problem definition: This stage is concerned with identifying the initial problem or idea, assessing the justification for further action against the business objectives, and setting the initial strategy and objectives of the project. Planning: Planning for a project begins when the steering committee receives a project request; the steering committee is a decision-making body for the organization. During planning, four major activities are performed: Reviewing and approving the project requests; Prioritizing the project requests; Allocating resources such as money, people and equipment to approved projects; and Forming a project development team for each approved project. In the field of information systems, planning refers to the process of translating strategic and organizational goals into system development plans and initiatives. The process of information system planning is as follows (the flow of the original figure, given here as a sequence):

1. Organization's business strategic plan
2. Information systems planning
3. Information systems plan
4. System development initiative

Overall objectives of information systems are usually distilled from the relevant aspects of the organization's business strategic plan. The importance of planning, from ensuring that a specific systems development project supports organizational goals to the quality of the finished system, can be summarized in the following points: Proper systems planning ensures that specific system development objectives support organizational goals; It provides a long-range view of information technology use in the organization; It provides guidance on how the system infrastructure of the organization should be developed over time; It serves as a roadmap indicating the direction and rationale of systems development; It ensures better use of systems resources, including funds, systems personnel and time, for scheduling specific projects. The steps of information system planning are given below: Strategic plan -> Develop overall objectives -> Identify information system projects -> Set priorities and select projects -> Develop information systems plan -> Analyze resource requirements -> Set schedules and deadlines -> Develop information system planning document. In the case of information systems development, planning includes: The key management decisions concerning hardware acquisition; Structure of authority, data and hardware; Required organizational change. Organizational changes are usually described, including: Management and employee training requirements; Recruiting efforts and changes in business processes; Changes in authority, structure or management practice. Importance of planning: Consistency; Efficiency; Cutting edge; Lower costs; Adaptability. Importance of control: Control consists of four major activities: Conducting a post-implementation system review; Correcting errors; Identifying enhancements; and Monitoring system performance. The internal control system must ensure the following: Laws and enterprise policies are properly implemented; Accounting records are accurate; Enterprise assets are used effectively;

Steps are taken to reduce the chances of losing assets or incurring liabilities from fraudulent or similar activities, such as the carelessness or dishonesty of employees, customers or suppliers.

Major activities of control: Conducting a post implementation system review; Correcting errors; Identifying enhancements; Monitoring system performance.

System analysis: System analysis is the process of developing a detailed analysis of the problem so that developers can better understand the nature, scope, feasibility and requirements of the new system. There are three main activities in this phase: gaining a thorough understanding of the problem, conducting a feasibility study and establishing system requirements. Understanding the problem: Developers and users should fully understand the existing problems and the strengths and weaknesses of the existing system. In some cases, the problem may be that there is no system; in others the problem may be that the existing system is outdated or incapable of meeting user needs. Other activities in this step include identifying the overall implications and benefits of the new system for the entire organization, taking an inventory of existing hardware and software and identifying the information needs of existing and potential users. Feasibility analysis: The system analysis phase also involves a feasibility study, which determines whether the system is feasible within the socio-technical framework of the organization. It is a high-level overview analysis of the problem area to identify the boundary of the area for investigation and the outline of requirements. The feasibility study carefully examines technical, economic, operational, scheduling, legal and strategic factors. Technical feasibility analysis determines whether the proposed system can be developed and implemented using existing technologies or whether new technologies are required. Hardware, software and network requirements for the new system are also determined in this step. Economic feasibility analysis evaluates the financial aspects of the project by performing a cost-benefit analysis and assessing both the tangible and the intangible benefits of the system.
Establishing economic feasibility is such a difficult task, and is often so badly done, that poor project estimates are cited as one of the top reasons for system failures. Operational feasibility analysis determines whether there will be any problems in implementing the system in its operational environment, looks at issues such as integrating the new system with existing systems in the organization and assesses how the system fits with the strategic business plan and the strategic information plan of the organization. Schedule feasibility studies address the time it will take to complete the project. In this step, decision makers must take into account available resources, such as manpower, time, money and equipment. It also helps to identify any additional resources that may be required to complete the project on time. Although this may sound like a simple task, determining project completion time is often very difficult. This is one of the primary reasons why so many software projects are behind schedule. Legal feasibility studies take into account factors such as copyrights, patents and other regulations, if any. As the number of lawsuits in the computer industry increases, organizations are becoming more cautious about the legal implications of system development. In the case of life-threatening systems, legal feasibility can become a deciding factor. Finally, strategic feasibility analysis looks into factors such as the ability of the system to increase market share, give the organization a competitive edge in the marketplace, enhance the productivity of knowledge workers and achieve other strategic goals of the organization. Role of the accountant in feasibility analysis: The first activity of the accountant is the preparation of feasibility reports that assist management in assessing the viability/profitability or otherwise of proposed capital expenditure, cash budgets or cash flow projections, etc. Then the accountant should investigate the performance/operations of competing business organizations to assist management in policy formulation. Requirements specification: This is an in-depth analysis to establish the environment and the exact business requirements. It will also produce a definition of what the business requirements mean in terms of a new system, with the detailed description of the requirements in a form in which they can be interpreted by the technical designer who will eventually develop the new system. The accountant must have knowledge of the following technical information and system requirements to develop a new accounting information system: Hardware requirements; Software requirements; Required interfaces; Functional capabilities; Performance levels; Reliability; Security/privacy; Quality; Constraints and limitations; System modules; System architecture.

Hardware and software specification: Hardware specifications: Performance: What is its speed, capacity and throughput? Reliability: What are the risks of malfunction and its maintenance requirements? What are its error control and diagnostic features? Compatibility: Is it compatible with existing hardware and software? Is it compatible with hardware and software provided by competing suppliers? Technology: In what year of its product life cycle is it? Does it use a new untested technology or does it run the risk of obsolescence? Ergonomics: Has it been "human factor engineered" with the user in mind? Is it user-friendly, designed to be safe, comfortable and easy to use? Connectivity: Can it be easily connected to wide area and local area networks that use different types of network technologies and bandwidth alternatives? Scalability: Can it handle the processing demands of a wide range of end users, transactions, queries and other information processing requirements? Software: Is system and application software available that can best use this hardware? Support: Are the services required to support and maintain it available? Software specifications: Quality: Is it bug-free, or does it have many errors in its program code? Efficiency: Is the software a well-developed system of program code that does not use much CPU time, memory capacity or disk space? Flexibility: Can it handle our e-business processes easily without major modification? Connectivity: Is it web-enabled so it can easily access the Internet, intranets and extranets on its own or by working with Web browsers or other network software? Language: Is it written in a programming language that is familiar to our own software developers? Documentation: Is the software well documented? Does it include help screens and helpful software agents? Hardware: Does existing hardware have the features required to best use this software? Other factors: What are its performance, cost, reliability, availability, compatibility, modularity, technology, ergonomics, scalability and support characteristics?

System design: System design is the creation of a roadmap that shows system developers how to convert system requirements into a workable, operational system by exploring different designs and identifying the best design for the project. A number of technical, organizational and managerial considerations, along with user preferences and resource constraints, should be taken into account before designing a system. This stage produces the detailed technical plan for the new system. System design involves carefully scrutinizing each system requirement and converting it into a sequence of detailed procedural steps and system specifications. For example, an architect looks at the blueprint of a house and identifies the specifications (the amount of concrete, wood, wiring and so on) that are required to convert the blueprint into a reality. Similarly, the system developer must analyze each requirement and determine how to make the system meet it. There are two types of design: logical and physical design. Logical design identifies the records and relationships to be handled by the system. It focuses on the logic, or the reasoning, behind the system by breaking down the system into sub-systems and each sub-system into smaller sub-systems, until the process cannot be repeated any further. The logical design establishes the relationships among the various sub-systems, the records and variables in the sub-systems, and the interrelationships among variables and sub-systems. The logical design defines the database as seen by end-users and programmers. Physical design, on the other hand, addresses the physical aspects of the system: input and output devices, hardware, configurations for the network, memory and storage, physical security and so on. The physical design also defines data structures, access methods, file organization, indexes, blocking, pointers and other attributes of the system. In particular, system design involves three main activities: 1. Identify the technology required to implement the system: System designers and developers must identify the hardware, software and network requirements of the new system. In some cases, the required technologies may already be present; in others, new technologies may have to be acquired. 2. Ensure that the design is rigorous and reliable: System design is not an isolated activity, but is interwoven with other activities in the development cycle. Hence, activities in the design phase must be coordinated with other phases in the development life cycle. A key factor in ensuring a robust and reliable design is to involve users from the early stages of system development. Although the role of the user appears to be obvious, many organizations fail to involve users; this failure leads not only to resentment and frustration, but also to system abandonment. 3. Provide detailed specifications and a one-to-one mapping of the specifications and system objectives: The system designer should map system specifications against system objectives so that all people involved in the project clearly understand their contributions to the overall system. By linking each specification to a specific system objective, developers can better understand how the specification will contribute to overall system goals. Initial system design: The initial system design is a working version of an information system or part of the system, but it is meant to be only a preliminary model.

Figure: System design in operation: System analysis -> Evaluate design alternatives -> Prepare design specification -> Prepare conceptual system design report.

The major activities of initial systems design are: User interface design, data manipulation and output analysis; Process design, output design and output analysis; User interface design, data design and process design; Data design, input validation and processing. System design is divided between accountants and IT professionals as follows: The accounting function is responsible for conceptual systems; The IT function is responsible for physical systems.

Designing is considered the most important stage in the SDLC. Do you agree with this statement? System design is a road map that shows system developers how to convert system requirements into system features. The design of an information system is the overall plan or model for the system. Like the blueprint of a building or house, it consists of all the specifications, form and structure of the system. Here the responsibility of the designer is so important because this stage produces the detailed technical plan for the new system. So, system design is the most important stage. It can be considered the focal point of the SDLC.

System implementation: The system implementation phase consists of two primary parts, construction and delivery, which together cover three sub-stages, namely development, testing and implementation. Development: Programming is only one phase in the system development life cycle. Programming is a very time-consuming and labor-intensive task. In some projects, programming alone may take many years. Large to medium-sized systems usually involve a team of programmers. This stage contains the coding of the processes of the new system, if a computer system has been specified. Testing: It involves thoroughly probing the system to ensure that its performance matches system requirements and meets the expectations of end-users. Testing is one of the most difficult tasks in system development. It requires creativity, persistence and a thorough understanding of the system and the principles of computer science. Good testers find creative ways to make the system fail, because this rigorously tests the boundaries of the system and makes it less likely to fail in the future. Organizations find it extremely difficult to estimate the resources required for testing, simply because it is difficult to estimate how many bugs (problems) will be found in the system. Some software manufacturers are reluctant to commit resources to testing because they are eager to get the product out the door as quickly as possible. This is one reason why programs already on sale are riddled with errors and why software companies often bring out several versions of a given program before major errors are eliminated. There are four types of testing: unit testing, system testing, integration testing and acceptance testing. If a system is viewed as a collection of programs (units), in unit testing each program is individually tested. However, this does not guarantee that the system is free of errors. The second type of testing is system testing, in which the system is tested in its entirety to ensure that its component units will function effectively when brought together as a system. System testing also involves other system-related issues, such as performance time, memory requirements, back-up functions and security controls. Integration testing verifies that the information system works well with other systems. Finally, in acceptance testing, developers and actual users test whether the system is ready for its operational environment and whether its performance is acceptable to users. Implementation: This stage involves the conversion of the business procedures from current working practices to new ones, and of data from current forms of storage to new formats. During this stage user manuals have to be produced, training given and a strategy for change-over to the system has to be finalized and executed. After testing is completed, the next step is to implement the system in its operational environment. Systems should be implemented without disrupting the daily operations of the organization; this requires careful planning and coordination. If the system is new and not a replacement system, implementation is fairly straightforward. If the system is replacing an existing one, implementation becomes critical.

Different conversion strategies for conversion from a manual to a computerized system: The initial operation of a new business system can be a difficult task. This typically requires a conversion process from the use of a present system to the operation of a new or improved application. Conversion methods can often soften the impact of introducing new information technologies into an organization. Following acceptance testing, a planned conversion to the new system is performed. The implementation measures have to be completed during this stage. The four common conversion strategies are as follows: Parallel strategy: This is the safest method. The old and new systems run simultaneously until sufficient confidence is gained in the new system. The parallel conversion strategy is the best method of conversion because it has some major advantages. Here both the old and new systems are operated until the project development team and end user management agree to switch completely over to the new system. It is during this time that the operations and results of both systems are compared and evaluated. Errors can be identified and corrected, and operating problems can be solved before the old system is abandoned. The disadvantage of this approach, however, is that it is expensive to run two systems in parallel. Direct cutover strategy: This is the most risky method. At a certain point, the old system is completely replaced by the new one. The advantage of this strategy is that it requires no transaction costs and is a quick implementation technique. The disadvantage is that it is extremely risky and can disrupt operations seriously if the new system does not work correctly, since there is no other system to fall back on. Phased strategy: The new system is introduced in incremental stages. Each function or organizational unit is converted separately at different times using either a direct cutover or parallel conversion. This strategy is often used with larger systems that are split into individual sites. Pilot strategy: This method relies on introducing a part of the system into one carefully designated organizational area, learning from this experience and then introducing the complete system.

System operation and maintenance: Minor modifications to the system to optimize performance, improve its usability or accommodate small changes in the environment will have to be made from time to time whilst the system is operational, and major modification or replacement of the system is also needed if the existing system cannot fulfil the requirements of the business. This phase is also divided into two sub-phases: System maintenance: Since businesses operate in a dynamic environment, the needs of system users are also dynamic, so good systems must continuously evolve. System maintenance is one way of ensuring that the system continues to meet the growing and changing needs of users through system additions, deletions and enhancements. Clearly, as the system ages, the extent and criticality of system maintenance increase. The IEEE defines maintenance as the modification of a software product after delivery to correct faults, to improve performance or other attributes, or to adapt the product to a changed environment. System maintenance begins after the system becomes operational and should last as long as the system is in use. Although it lacks the glamour of development, maintenance is the key to continuing to derive the maximum benefits from a system. User requests for new features or for enhancement of existing features, a changing business climate, new technologies or new information needs within the organization can accelerate system maintenance. Maintenance costs usually increase with time, and at some point it becomes more expensive to maintain the system than it is to develop a new one. At that point, the organization may make the decision to abandon the existing system and build a new one. Review: When changes in the business environment mean that major modifications would be needed to retain business effectiveness, a full review is required. This may result in major re-working or even complete replacement of the system.

Reasons why organizations fail to achieve their system development objectives: Information system development is a vital activity for an organization. The success of the system helps management in decision making. The reasons why organizations fail to achieve their system development objectives are: Lack of proper documentation of their system goals and system operational activities; Lack of expertise; Lack of knowledge management; Poorly built infrastructure in terms of computer backbone and computer hardware; Failure to monitor from time to time; Upgrades and modifications of software not being made properly.

Accounting information systems (AIS): Accounting information systems (AIS) combine the discipline of accounting with the much newer field of information systems: systems that include people, processes, procedures and information technology in a flexible resource used to handle data. Specifically, accounting information systems are a subset of management information systems, systems designed to support and supplement the decision-making process at all levels of management. The field of AIS includes the use, design and implementation of such systems and their adherence to traditional accounting methods and contemporary standards in accounting practice. AIS technology: AIS technology can be separated into three basic categories, namely: Input; Process; and Output. Steps of system development: The development of accounting information systems follows five basic phases: System analysis; Prepare design specifications; Physical design; Implementation and conversion; Operation and maintenance. System development can be broadly divided into the following stages: Establishing and recording user requirements; Investigation and feasibility; Project management; Developing a solution to fulfil the requirements; Initial system design; Technical information and system requirements; Specification of hardware and software; Implementing security requirements; Installing/implementation; Testing; System conversion and start-up; Post-implementation review.

Computer-assisted audit techniques (CAATs): The overall objectives and scope of an audit do not change when an audit is conducted in a computer information technology (IT) environment. The application of auditing procedures may, however, require the auditor to consider techniques known as Computer Assisted Audit Techniques (CAATs) that use the computer as an audit tool. CAATs may improve the effectiveness and efficiency of auditing procedures. They may also provide effective tests of control and substantive procedures where there are no input documents or a visible audit trail, or where population and sample sizes are very large. Uses of CAATs: CAAT tools have a significant advantage over manual data testing techniques. They are audit tools for the auditor for auditing automated systems. They enhance the productivity of auditors. The major uses of CAATs are as follows: Recalculating and verifying balances; Testing compliance with standards; Aging analysis of receivables and payables; Identifying control issues; Testing for duplicates within data; Testing for gaps in invoice numbers, etc.
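The uses listed above, as an added example written for these notes rather than taken from them or from any audit software package: a small Python script that runs four CAAT-style tests (recalculation of recorded gross amounts, duplicate invoice numbers, gaps in the invoice sequence and an ageing analysis) over a constructed sales-invoice extract. The VAT rate, the period-end date and every invoice record are constructed assumptions.

```python
"""Added example (not from the study notes): CAAT-style tests over a
constructed sales-invoice extract, covering the uses listed above."""
from collections import Counter
from datetime import date

# Constructed extract: (invoice_no, customer, invoice_date, net, vat, gross).
# `gross` is the value recorded by the entity's system; the auditor
# recalculates it independently from `net`.
INVOICES = [
    (1001, "C-01", date(2023, 10, 5), 1000.00, 150.00, 1150.00),
    (1002, "C-02", date(2023, 11, 20), 250.00, 37.50, 287.50),
    (1003, "C-01", date(2023, 12, 28), 400.00, 60.00, 460.00),
    (1003, "C-03", date(2023, 12, 28), 400.00, 60.00, 460.00),  # duplicate number
    (1005, "C-02", date(2024, 1, 15), 800.00, 120.00, 921.00),  # gross mis-recorded
    (1007, "C-04", date(2024, 3, 2), 150.00, 22.50, 172.50),
]
VAT_RATE = 0.15                 # assumed rate used for the recalculation test
PERIOD_END = date(2024, 3, 31)  # assumed balance-sheet date for the ageing


def recalculate_gross(invoices, rate=VAT_RATE, tolerance=0.01):
    """Recalculating and verifying balances: return the invoice numbers whose
    recorded gross differs from net * (1 + rate) by more than `tolerance`."""
    return [no for no, _, _, net, _, gross in invoices
            if abs(round(net * (1 + rate), 2) - gross) > tolerance]


def find_duplicates(invoices):
    """Testing duplicates within data: invoice numbers that occur more than once."""
    counts = Counter(no for no, *_ in invoices)
    return sorted(no for no, n in counts.items() if n > 1)


def find_gaps(invoices):
    """Testing gaps in invoice numbers: numbers missing from the sequence between
    the lowest and highest invoice number in the extract (possible unrecorded
    or voided sales that the auditor should follow up)."""
    present = {no for no, *_ in invoices}
    return [n for n in range(min(present), max(present) + 1) if n not in present]


def age_receivables(invoices, as_at=PERIOD_END):
    """Ageing analysis: total gross per days-outstanding bucket at `as_at`,
    treating every invoice in the extract as still unpaid."""
    buckets = {"0-30": 0.0, "31-60": 0.0, "61-90": 0.0, "over 90": 0.0}
    for _, _, inv_date, _, _, gross in invoices:
        days = (as_at - inv_date).days
        if days <= 30:
            key = "0-30"
        elif days <= 60:
            key = "31-60"
        elif days <= 90:
            key = "61-90"
        else:
            key = "over 90"
        buckets[key] += gross
    return {k: round(v, 2) for k, v in buckets.items()}


if __name__ == "__main__":
    print("gross mismatches:", recalculate_gross(INVOICES))
    print("duplicate numbers:", find_duplicates(INVOICES))
    print("sequence gaps:", find_gaps(INVOICES))
    print("ageing:", age_receivables(INVOICES))
```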

Description of computer assisted audit techniques (CAATs): Computer assisted audit techniques, including the computer tools used to apply them, are collectively referred to as CAATs. CAATs may be used in performing various auditing procedures, including the following: Tests of details of transactions and balances, for example, the use of audit software for recalculating interest or the extraction of invoices over a certain value from computer records; Analytical procedures, for example, identifying inconsistencies or significant fluctuations; Tests of general controls, for example, testing the set-up or configuration of the operating system or access procedures to the program libraries, or using code comparison software to check that the version of the program in use is the version approved by management; Sampling programs to extract data for audit testing; Tests of application controls, for example, testing the functioning of a programmed control; Re-performing calculations performed by the entity's accounting systems. CAATs are computer programs and data the auditor uses as part of the audit procedures to process data of audit significance contained in an entity's information systems. The data may be transaction data, on which the auditor wishes to perform tests of controls or substantive procedures, or they may be other types of data. For example, details of the application of some general controls may be kept in the form of text or other files by applications that are not part of the accounting system. The auditor can use CAATs to review those files to gain evidence of the operation of those controls. CAATs may consist of package programs, purpose-written programs, utility programs or system management programs. Regardless of the origin of the programs, the auditor substantiates their appropriateness and validity for audit purposes before using them. Package programs are generalized computer programs designed to perform data processing functions, such as reading data, selecting and analyzing information, performing calculations, creating data files and reporting in a format specified by the auditor; Purpose-written programs perform audit tasks in specific circumstances. These programs may be developed by the auditor, the entity being audited or an outside programmer hired by the auditor. In some cases the auditor may use an entity's existing programs in their original or modified state because it may be more efficient than developing independent programs. Utility programs are used by an entity to perform common data processing functions, such as sorting, creating and printing files. These programs are generally not designed for audit purposes and therefore may not contain features such as automatic record counts or control totals. System management programs are enhanced productivity tools that are typically part of a sophisticated operating system environment, for example, data retrieval software or code comparison software. As with utility programs, these tools are not specifically designed for auditing use and their use requires additional care. Embedded audit routines are sometimes built into an entity's computer system to provide data for later use by the auditor. These include the following: o Snapshots: This technique involves taking a picture of a transaction as it flows through the computer system. Audit software routines are embedded at different points in the processing logic to capture images of the transaction as it progresses through the various stages of processing. Such a technique permits an auditor to track data and evaluate the computer processes applied to the data. o System Control Audit Review File (SCARF): This involves embedding an audit software module within an application system to provide continuous monitoring of the system's transactions.
The information is collected into a special computer file that the auditor can examine. Test data techniques are sometimes used during an audit by entering data (for example, a sample of transactions) into an entity's computer system and comparing the results obtained with predetermined results. An auditor might use test data to: o Test specific controls in computer programs, such as on-line password and data access controls; o Test transactions selected from previously processed transactions or created by the auditor to test specific processing characteristics of an entity's information systems. Such transactions are generally processed separately from the entity's normal processing. Test data may also be used in an integrated test facility, where a "dummy" unit (for example, a fictitious department or employee) is established and to which test transactions are posted during the normal processing cycle. When test data are processed with the entity's normal processing, the auditor ensures that the test transactions are subsequently eliminated from the entity's accounting records. The increasing power and sophistication of PCs, particularly laptops, has resulted in other tools for the auditor to use. In some cases, the laptops will be linked to the auditor's main computer systems. Examples of such techniques include: Expert systems, for example in the design of audit programs and in audit planning and risk assessment; Tools to evaluate a client's risk management procedures; Electronic working papers, which provide for the direct extraction of data from the client's computer records, for example, by downloading the general ledger for audit testing; and Corporate and financial modeling programs for use as predictive audit tests. These techniques are more commonly referred to as "audit automation".
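The embedded audit routines and the integrated test facility described above, as an added Python example that is not from these notes or from any real accounting package: a toy sales-ledger posting routine that captures a snapshot of each transaction at every processing stage, writes transactions that breach a programmed credit-limit control to a SCARF-style exception file, and keeps the ITF dummy customer's test postings out of the real ledger balances. The customer codes, credit limits and transactions are all constructed.

```python
"""Added example (not from the study notes): a toy sales-ledger posting routine
with embedded audit routines (snapshots and a SCARF exception file) and an
integrated test facility (ITF) dummy customer."""
from dataclasses import dataclass, field

ITF_DUMMY_CUSTOMER = "ITF-TEST"  # constructed dummy unit that receives auditor test data
# Constructed credit limits: the programmed control that the SCARF routine monitors.
CREDIT_LIMITS = {"C-01": 5000.0, "C-02": 1000.0, ITF_DUMMY_CUSTOMER: 500.0}


@dataclass
class Ledger:
    balances: dict = field(default_factory=dict)   # customer -> outstanding balance
    snapshots: list = field(default_factory=list)  # (stage, image) from the embedded routine
    scarf: list = field(default_factory=list)      # exception records kept for the auditor

    def _snapshot(self, stage, image):
        # Embedded audit routine: record the transaction's image at this stage.
        self.snapshots.append((stage, dict(image)))

    def post(self, txn):
        """Process one sales transaction. Returns the customer's new balance,
        or None when the credit-limit control holds the transaction."""
        self._snapshot("input", txn)
        if txn["amount"] <= 0:
            raise ValueError("amount must be positive")
        customer = txn["customer"]
        proposed = self.balances.get(customer, 0.0) + txn["amount"]
        self._snapshot("credit-check", {**txn, "proposed_balance": proposed})
        if proposed > CREDIT_LIMITS.get(customer, 0.0):
            # SCARF routine: the control fires, so write an exception record
            # to the audit file and hold the transaction.
            self.scarf.append({**txn, "proposed_balance": proposed,
                               "reason": "credit limit exceeded"})
            self._snapshot("held", txn)
            return None
        self.balances[customer] = proposed
        self._snapshot("posted", {**txn, "balance": proposed})
        return proposed

    def real_balances(self):
        """Ledger balances with the ITF dummy unit's test postings eliminated,
        so the auditor's test data does not end up in the accounting records."""
        return {c: b for c, b in self.balances.items() if c != ITF_DUMMY_CUSTOMER}


def run_constructed_day():
    """Post a constructed day's transactions, including one auditor ITF test posting."""
    ledger = Ledger()
    for txn in [
        {"id": "T1", "customer": "C-01", "amount": 1200.0},
        {"id": "T2", "customer": "C-02", "amount": 800.0},
        {"id": "T3", "customer": "C-02", "amount": 300.0},  # would breach C-02's limit
        {"id": "T9", "customer": ITF_DUMMY_CUSTOMER, "amount": 150.0},  # auditor test data
    ]:
        ledger.post(txn)
    return ledger


if __name__ == "__main__":
    day = run_constructed_day()
    print("real balances:", day.real_balances())
    print("SCARF exceptions:", [e["id"] for e in day.scarf])
    print("snapshot stages:", [s[0] for s in day.snapshots])
```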

Considerations in the use of CAATs: When planning an audit, the auditor may consider an appropriate combination of manual and computer assisted audit techniques. In determining whether to use CAATs, the factors to consider include: The IT knowledge, expertise and experience of the audit team; The availability of CAATs and suitable computer facilities and data; The impracticability of manual tests; Effectiveness and efficiency; and Timing. Before using CAATs, the auditor considers the controls incorporated in the design of the entity's computer systems to which the CAATs would be applied, in order to determine whether, and if so how, CAATs should be employed. IT knowledge, expertise and experience of the audit team: The audit team should have sufficient knowledge to plan, execute and use the results of the particular CAAT adopted. The level of knowledge required depends on the complexity and nature of the CAAT and of the entity's information system. Availability of CAATs and suitable computer facilities: The auditor considers the availability of CAATs, suitable computer facilities and the necessary computer-based information systems and data. The auditor may plan to use other computer facilities when the use of CAATs on an entity's computer is uneconomical or impractical, for example, because of an incompatibility between the auditor's package program and the entity's computer. Additionally, the auditor may elect to use their own facilities, such as PCs or laptops. The cooperation of the entity's personnel may be required to provide processing facilities at a convenient time, to assist with activities such as loading and running of the CAATs on the entity's system and to provide copies of data files in the format required by the auditor.
Impracticability of manual tests: Some audit procedures may not be possible to perform manually because they rely on complex processing (for example, advanced statistical analysis) or involve amounts of data that would overwhelm any manual procedure. In addition, many computer information systems perform tasks for which no hard copy evidence is available and therefore, it may be impracticable for the auditor to perform tests manually. The lack of hard copy evidence may occur at different stages in the business cycle. Source information may be initiated electronically, such as by voice activation, electronic data imaging or point of sale electronic funds transfer. In addition, some transactions, such as discounts and interest calculations, may be generated directly by computer programs with no specific authorization of individual transactions. A system may not produce a visible audit trail providing assurance as to the completeness and accuracy of transactions processed. For example, a computer program might match delivery notes and suppliers' invoices. In addition, programmed control procedures, such as checking customer credit limits, may provide hard copy evidence only on an exception basis. A system may not produce hard copy reports. In addition, a printed report may contain only summary totals while computer files retain the supporting details.

S. F. Ahmed & Co. Articled Association (34th association)

Effectiveness and efficiency: The effectiveness and efficiency of auditing procedures may be improved by using CAATs to obtain and evaluate audit evidence. CAATs are often an efficient means of testing a large number of transactions or controls over large populations by: analyzing and selecting samples from a large volume of transactions; applying analytical procedures; and performing substantive procedures. Matters relating to efficiency that an auditor might consider include: the time taken to plan, design, execute and evaluate a CAAT; technical review and assistance hours; the designing and printing of forms (for example, confirmations); and the availability of computer resources. In evaluating the effectiveness and efficiency of a CAAT, the auditor considers the continuing use of the CAAT application: the initial planning, design and development of a CAAT will usually benefit audits in subsequent periods.

Timing: Certain data, such as transaction details, are often kept for only a short time and may not be available in machine-readable form by the time the auditor wants them. Thus the auditor will need to make arrangements for the retention of the data required, or may need to alter the timing of the work that requires such data. Where the time available to perform an audit is limited, the auditor may plan to use a CAAT because its use will meet the auditor's time requirement better than other possible procedures.
Steps of using CAATs: The major steps to be undertaken by the auditor in the application of a CAAT are to:
a) Set the objective of the CAAT application;
b) Determine the content and accessibility of the entity's files;
c) Identify the specific files or databases to be examined;
d) Understand the relationship between the data tables where a database is to be examined;
e) Define the specific tests or procedures and the related transactions and balances affected;
f) Define the output requirements;
g) Arrange with the user and IT departments, if appropriate, for copies of the relevant files or database tables to be made at the appropriate cut-off date and time;
h) Identify the personnel who may participate in the design and application of the CAAT;
i) Refine the estimates of costs and benefits;
j) Ensure that the use of the CAAT is properly controlled and documented;
k) Arrange the administrative activities, including the necessary skills and computer facilities;
l) Reconcile the data to be used for the CAAT with the accounting records;
m) Execute the CAAT application; and
n) Evaluate the results.

Controlling the CAAT application: The specific procedures necessary to control the use of a CAAT depend on the particular application. In establishing control, the auditor considers the need to:
a) Approve the specifications and conduct a review of the work to be performed by the CAAT;
b) Review the entity's general controls that may contribute to the integrity of the CAAT, for example control over program changes and access to computer files. When such controls cannot be relied on to ensure the integrity of the CAAT, the auditor may consider processing the CAAT application at another suitable computer facility; and
c) Ensure appropriate integration of the output by the auditor into the audit process.
Procedures carried out by the auditor to control CAAT applications may include:
a) Participating in the design and testing of the CAAT;
b) Checking, if applicable, the coding of the program to ensure that it conforms with the detailed program specifications;
c) Asking the entity's computer staff to review the operating system instructions to ensure that the software will run in the entity's computer installation;
d) Running the audit software on small test files before running it on the main data files;
e) Checking whether the correct files were used, for example by checking external evidence such as control totals maintained by the user, and that those files were complete;
f) Obtaining evidence that the audit software functioned as planned, for example by reviewing output and control information; and
g) Establishing appropriate security measures to safeguard the integrity and confidentiality of the data.

When the auditor intends to perform audit procedures concurrently with online processing, the auditor reviews those procedures with appropriate client personnel and obtains approval before conducting the tests, to help avoid the inadvertent corruption of client records. To ensure appropriate control procedures, the presence of the auditor is not necessarily required at the computer facility during the running of a CAAT. It may, however, provide practical advantages, such as being able to control distribution of the output and ensuring the timely correction of errors, for example if the wrong input file were to be used.

Audit procedures to control test data applications may include: controlling the sequence of submissions of test data where it spans several processing cycles; performing test runs containing small amounts of test data before submitting the main audit test data; predicting the results of the test data and comparing them with the actual test data output, both for the individual transactions and in total; confirming that the current version of the programs was used to process the test data; and testing whether the programs used to process the test data were the programs the entity used throughout the applicable audit period. When using a CAAT, the auditor may require the cooperation of entity staff with extensive knowledge of the computer installation. In such circumstances, the auditor considers whether the staff improperly influenced the results of the CAAT.
Audit procedures to control the use of audit-enabling software may include: verifying the completeness, accuracy and availability of the relevant data (for example, historical data may be required to build a financial model); reviewing the reasonableness of the assumptions used in the application of the tool set, particularly when using modeling software; verifying the availability of resources skilled in the use and control of the selected tools; and confirming the appropriateness of the tool set to the audit objective (for example, the use of industry-specific systems may be necessary for the design of audit programs for unique business cycles).

Documentation: The standard of working paper documentation and retention procedures for a CAAT is consistent with that for the audit as a whole. The working papers need to contain sufficient documentation to describe the CAAT application, such as:
(a) Planning: CAAT objectives; consideration of the specific CAAT to be used; controls to be exercised; staffing, timing and cost.
(b) Execution: CAAT preparation and testing procedures and controls; details of the tests performed by the CAAT; details of input, processing and output; relevant technical information about the entity's accounting system, such as file layouts.
(c) Audit evidence: output provided; description of the audit work performed on the output; audit conclusions.
(d) Other: recommendations to entity management. In addition, it may be useful to document suggestions for using the CAAT in future years.

Chapter-5

IT Application Controls and standards


Computer security: Computer security includes the policies, procedures, tools and techniques designed to protect an organization's computer assets from accidental, intentional or natural disasters, including accidental input or output errors, theft, break-ins, physical damage and illegal access or manipulation. Computer security is a complex and pervasive problem that often stumps many organizations, which struggle to balance proper security against the cost and inconvenience of providing it. It cannot be achieved through automation or sophisticated equipment alone; it also requires the active participation of employees with common sense, good judgment and high moral values, because security is ultimately the responsibility of the individual using the computer. It is therefore not surprising that organizations that promote creativity, innovation, trust and high ethical standards appear to be more successful in enforcing computer security than organizations with stifling cultures.

Security issues: The security issues of a computerized system can be discussed by dividing them into four related issues: security; integrity; privacy; and confidentiality. Each is discussed below.

Security: It can be classified as follows. System security refers to the technical innovations and procedures applied to the hardware and operating systems to protect against deliberate or accidental damage from a defined threat. Data security refers to the protection of data from loss, unauthorized disclosure and modification, processing errors and destruction.

Integrity: It also has two sides. System integrity refers to the proper functioning of hardware and programs, appropriate physical security and safety against external threats. Data integrity makes sure that the data do not differ from their original form and have not been accidentally or intentionally destroyed, altered or disclosed without proper authorization.

Privacy: It defines the rights of users or the Enterprise to determine what information they are willing to share with or accept from others, and how the Enterprise can be protected against unwelcome or unfair information.

Confidentiality: This is a special status given to sensitive information in a database to minimize the possible invasion of privacy.

Security controls: Computer security controls are policies, procedures, tools and techniques designed to reduce security breaches and system destruction, to prevent errors in data, software and systems, to protect systems from accidental, intentional and natural disasters, and to continually enhance system security. In other words, security controls are safeguards or countermeasures to avoid, counteract or minimize security risks. Controls may be manual or automated. Effective controls provide information system security, that is, the accuracy, integrity and safety of information system activities and resources. Effective controls also provide quality assurance for information systems: they can make a computer-based information system freer from errors and fraud, and able to provide information products of higher quality than manual information processing. The IS controls in the audit program have been grouped into four general types that must be developed to ensure the quality and security of information systems. These are: physical security control; logical security control; environmental control; and IS operating control.

Physical security controls: The primary goal of physical facilities control is to protect the physical facilities that house the computer and other related assets from theft, unauthorized access, natural disasters and vandalism, through measures such as posting security personnel, installing fire alarms and hidden cameras, and requiring users to wear badges or use smart cards to gain access to the building. Physical security controls pertain to the protection of computer hardware, components and the facilities within which they reside. Though the reliability of physical support facilities is often overlooked, it is an important part of system security, particularly for real-time systems. Physical security controls also protect equipment against physical damage resulting from natural disasters such as earthquakes, hurricanes, tornadoes and floods, as well as other dangers like bombings, fires, power surges, theft, vandalism and unauthorized tampering. Various types of physical security controls should be adopted within an organization. Some of them are as follows: physical locks; security guards; video surveillance cameras; general emergency and detection control; heating, ventilation and cooling system; insurance coverage; periodic back-up; emergency power and uninterruptible power supply system; business resumption program; back-up system security administrator.

Physical locks: This is the first step of physical security, usually established using various types of locks on the doors to rooms, including the main computer room where file servers, gateways, routers and other telecommunication equipment are located. Various types of physical locks are conventional key locks, electronic access badges, cipher locks, combination locks, biometric locks, etc. Biometric locks are a fast-growing area of computer security. These are security measures provided by computer devices that measure the physical traits that make each individual unique, including voice verification, fingerprints, hand geometry, signature dynamics and keystroke analysis.

Security guards: Employing security guards is one of the common practices for physical control. It reduces the chances of crime, and guards also help in monitoring the video cameras. The incident reports prepared by security guards can be crucial evidence in the case of criminal prosecution and/or employee misconduct.

Video surveillance cameras: Cameras of this type are positioned in strategic locations of the organization that afford full views of the IT system; they act as an additional control against unauthorized activities and also provide recorded evidence with the time and date.

General emergency and detection control: In many organizations an alarm system is used for safety and security reasons. Through this system unauthorized persons and unauthorized devices can be detected, and at the same time natural disasters like fire and smoke can be notified to management at an early stage, in an automated way, for prevention.

Heating, ventilation and cooling system: Computers survive best in a cool, dry, dust-free environment. HVAC systems maintain this environment, and they should be audited periodically to ensure it.

Insurance coverage: The main purpose of insurance is to spread the economic cost and the risk of loss from an individual or business to a large number of people. This is accomplished through the use of an insurance policy. Policies are contracts that obligate the insurer to indemnify the policyholder or some third party against specific risks in return for the payment of a premium. Policies usually can be obtained to cover the following resources: equipment; facilities; storage media; business interruption; extra expenses; valuable papers; accounts receivable; media transportation; malpractice and errors.

Periodic back-up: A good back-up policy is to back up periodically (daily, weekly, monthly) all types of software, programs, data, etc., using different types of back-up media. The back-up media must be logged and stored both on-site and at an off-site location, and provision should be made for periodic audits to evaluate the adequacy of the physical controls.

Emergency power and uninterruptible power supply system: An emergency power system and an uninterruptible power supply (UPS) system should be designed into every information processing facility. An emergency power system consists of a generator and the necessary hardware to provide limited electrical power to critical operational areas within a facility. In the event of a power loss, the emergency power system should activate automatically. A UPS system consists of an arrangement of batteries and supporting hardware components that are configured to provide smooth, continuous power to computer equipment. During an audit of physical security at one information processing center, a description of the emergency power system and UPS system was prepared and key aspects of the systems were tested.

Business resumption programs: A BRP is also referred to as a disaster recovery plan. It must include the following: a list of key contact personnel of the organization; identification and ranking of operational areas; a brief description of the events covered by the BRP; a concise description of the actions to be taken at that time; the potential psychological impact of the disaster and the necessary assistance under the BRP.

Back-up system security administrator: Granting complete control over a computer system to one individual is one of the most common control weaknesses in the real world. The system security administrator could be involved in an accident, have to leave work unexpectedly, or be at a location where he or she cannot be reached; thus the organization might not be able to restore operations adequately in a timely manner.

Logical security control: Logical security controls restrict the access capabilities of users of the system and prevent unauthorized users from accessing the system. They may exist within the operating system, the database management system, the application program, or all three. They include the system access capabilities of users, system access profiles and parameters, and logging mechanisms. The major logical security controls are as follows: user IDs and passwords; remote access control; computer operations audit; back-up and recovery procedures; integrity/completeness checks.

Fig: Logical control (layers: application program, database management system, operating system)

User IDs and passwords: Passwords should have a minimum length. The system should reject any user attempt to enter a password with fewer characters than the parameter setting. For most commercial systems, a minimum password length of eight characters is sufficient. The system should be programmed so that the system user ID cannot be deleted, and so that only certain user IDs are allowed to sign on from a given workstation.

Remote access controls: Today more and more users require the ability to sign on remotely using laptops, personal digital assistants (PDAs) and some kinds of cell phones. The most common remote access controls include dedicated leased lines, automatic dial-back, secure sockets layer (SSL) sessions, multifactor authentication and virtual private networks (VPNs). This control may be implemented using the following networking systems: dedicated leased lines; automatic dial-back; secure sockets layer; multifactor authentication; virtual private networks.

Computer operations audit: A computer operations audit assesses the internal controls that ensure that production jobs are completed in a timely manner and production capacity is sufficient to meet short- and long-range processing needs; that output media are distributed in a timely, accurate and secure manner; that back-up and recovery procedures adequately protect data and programs against accidental or intentional loss or destruction; and that problem management procedures ensure that system problems are documented and resolved in a timely and effective manner.

Back-up and recovery procedures: The primary controls to provide this protection are to perform periodic (daily, weekly, monthly) backups of system software, application programs and data, as well as storage and rotation of the back-up media, such as magnetic tapes, disks and compact disks (CDs), to a secure off-site location. Daily backups are usually necessary only for data, since the application programs and system software do not change significantly. Management should ensure that tests are performed to confirm that system operations can in fact be fully restored using the back-up media.

Integrity/completeness checks: When large volumes of data are electronically imported from or exported to other systems, data integrity and completeness controls can provide reasonable assurance that the recipient has received all the data intact, without any alterations or missing information. Control totals are the most common form of integrity/completeness check: the sender provides the recipient with control totals, such as the total number of records in the data file and the total amount of the records.
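The control-total check described above, and the CAAT step of reconciling a data file with the accounting records, as an added example that is not part of the study notes; the sales extract, the sender's stated totals and the two failure cases are constructed sample data.

```python
"""Control-total check for a data file received from another system.
Added example, not from the study notes; the sales file and the sender's
stated totals are constructed sample data."""
import csv
import io
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class ControlTotals:
    record_count: int        # total number of records in the file
    total_amount: Decimal    # total amount of the records


def compute_control_totals(csv_text: str, amount_field: str = "amount") -> ControlTotals:
    """Recompute the control totals from the file actually received."""
    reader = csv.DictReader(io.StringIO(csv_text))
    count = 0
    total = Decimal("0")
    for row in reader:
        count += 1
        total += Decimal(row[amount_field])   # Decimal avoids float rounding on money
    return ControlTotals(count, total)


def verify_control_totals(received: ControlTotals, stated: ControlTotals) -> list:
    """Compare recomputed totals with the sender's; an empty list means the file reconciles."""
    problems = []
    if received.record_count != stated.record_count:
        problems.append(
            f"record count {received.record_count} differs from stated {stated.record_count}")
    if received.total_amount != stated.total_amount:
        problems.append(
            f"total amount {received.total_amount} differs from stated {stated.total_amount}")
    return problems


# Constructed sample: a sales extract and the control totals the sender reported with it.
SALES_FILE = """invoice,customer,amount
1001,A,125.50
1002,B,80.00
1003,C,300.25
"""
STATED_BY_SENDER = ControlTotals(record_count=3, total_amount=Decimal("505.75"))

# Constructed failure cases: a truncated transfer (last record lost) and two
# offsetting alterations that leave both the count and the sum unchanged.
TRUNCATED_FILE = SALES_FILE.rsplit("\n", 2)[0] + "\n"
OFFSETTING_ALTERATION = SALES_FILE.replace("125.50", "100.50").replace("80.00", "105.00")


def reconcile(csv_text: str, stated: ControlTotals = STATED_BY_SENDER) -> list:
    """One-call check of a received file against the sender's control totals."""
    return verify_control_totals(compute_control_totals(csv_text), stated)


if __name__ == "__main__":
    for name, data in [("intact", SALES_FILE), ("truncated", TRUNCATED_FILE),
                       ("offsetting", OFFSETTING_ALTERATION)]:
        print(name, reconcile(data) or "reconciles")
```

The offsetting case is why the notes say "reasonable" rather than absolute assurance: a count and an amount total cannot detect alterations that net to zero, so a per-record check such as a hash total is needed where that risk matters.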

Environmental control: Environmental controls include IS security policies, standards and guidelines; the reporting structures within the IS processing environment; the financial condition of the service organizations and vendors; vendors' software licenses, maintenance and support agreements and warranties; and the status of the computing system, policies and procedures placed in operation by the service organization.

IS operating control: Information system operating controls are designed to ensure that the information system is operating efficiently and effectively. These controls include the timely and accurate completion of production jobs, distribution of output media, performance of back-up and recovery procedures, performance of maintenance procedures, documentation and resolution of system problems, and monitoring of central processing unit and data storage capacity utilization.

Information system security policy: A security policy consists of statements ranking information risks, identifying acceptable security goals and identifying the mechanisms for achieving these goals. Security policies must be approved by top management and specify the persons responsible for their implementation, but they should not specify the detailed controls. An IS security policy is divided into five sections:

Purpose and responsibility: The purpose of the Organization's Information Systems Security Policy is to provide the essential guidelines for efficient electronic transaction processing and reporting services, management information systems and appropriate customer information capabilities, so that top-level management can effectively operate the Organization.

System procurement and development: The computing systems of the Organization shall be constantly monitored to identify current and future needs. The Organization should follow the system life-cycle evaluation steps such as problem definition, requirements analysis, feasibility study, design, development, testing, monitoring and review.

Access terminals: Management is authorized to install other dial-up access online terminals as may be required in the operations of the Organization.

Equipment and information security: Equipment and information security can be further divided into three categories: equipment and environmental security; information and communication security; contingency and recovery.

Service bureau programs: The Organization's service bureau agreements shall be drafted to require that such bureaus retained by the Organization indicate a commitment to developing and maintaining computer application software in such a manner that system capabilities, as specified by the Organization, are ensured and that appropriate record-keeping checks and balances are in place.

Information system security standards: Information system security standards are minimum criteria, rules and procedures established by senior management that must be implemented to help ensure the achievement of the IS security policy. The following minimum IS security standards have been approved by senior management and are to be applied to applicable information systems within the organization:
- Upon completion of the initial installation of software, the maiden password shall be changed by the system security administrator;
- A back-up system security administrator shall be designated and trained to ensure continued operation of the system, even in the absence of the primary system security administrator;
- System security administrators shall set parameters to require passwords to be a minimum of 8 alphanumeric, case-sensitive characters in length;
- Systems shall be designed so that passwords are masked (i.e. invisible) on workstation screens as they are entered by users;
- Systems shall be designed so that password files are encrypted by a secure algorithm so that nobody, including the system security administrator, can view them;
- System security administrators shall set passwords to automatically expire within 60 days or less;
- User IDs shall be suspended after three consecutive unsuccessful sign-on attempts;
- User sessions shall be terminated after 5 minutes of inactivity;
- Users shall not be allowed concurrent sign-on sessions;
- System security administrators shall remove the user IDs of terminated or transferred users immediately upon notification from the user department manager and/or the human resources department;
- Department managers shall be responsible for training users not to share or divulge their passwords to anyone, write them down, post them at workstations, store them in an electronic file, or perform any other act that could potentially result in their password being divulged;
- System security administrators shall request user department management to review user access capabilities and certify in writing that the access capabilities of the users in their department are necessary to perform normal duties;
- Logical security related events shall be logged by the system, and the log shall be continuously monitored by system security administrators for potential acts of unauthorized access;
- Business resumption procedures shall be fully developed, tested and documented by management in collaboration with the system security administrator and other key staff members;
- Adequate insurance coverage shall be maintained over the hardware, operating system, application software and data. Hardware should be covered at replacement cost;
- Vendor-developed applications acquired in the future should be contractually required to include programming that enables these standards to be deployed upon installation;
- Confidential information, including passwords, shall be encrypted by a secure algorithm during electronic transmission;
- System security administrators shall install software that automatically checks for viruses using a current virus pattern file.

Control and standards for information integrity: Information integrity provides reasonable assurance that the data recipients have received all the data intact. It has the following components: system and information integrity policy and procedures; flaw remediation; malicious code protection; security alerts and advisories; security functionality verification; software and information integrity; spam protection; information input restrictions; information input accuracy, completeness, validity and authenticity.
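The sign-on standards listed above (suspension after three consecutive failed attempts, 60-day password expiry, a 5-minute inactivity timeout and no concurrent sessions) as one enforcement routine; this is an added example, not code from the study notes, and its credential digest is a placeholder stand-in for the "secure algorithm" the standard requires.

```python
"""Sign-on policy enforcement for the IS security standards listed above.
Added example, not from the notes. The credential check is a placeholder
stand-in, not a production password store; the accounts are constructed."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MAX_FAILED_ATTEMPTS = 3                  # suspend after three consecutive failures
PASSWORD_MAX_AGE = timedelta(days=60)    # "expire within 60 days or less"
IDLE_TIMEOUT = timedelta(minutes=5)      # "terminated after 5 minutes of inactivity"


def credential_digest(password: str) -> str:
    """Placeholder for the 'secure algorithm' the standard requires; a real
    password file should use a dedicated password hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(password.encode()).hexdigest()


@dataclass
class Account:
    user_id: str
    digest: str                                # stored digest, never the plain password
    password_set_at: datetime
    failed_attempts: int = 0                   # consecutive failures; reset on success
    suspended: bool = False
    last_activity: Optional[datetime] = None   # None means no open session


def expire_idle_session(acct: Account, now: datetime) -> bool:
    """Close the session if idle beyond the timeout; returns True if it was closed."""
    if acct.last_activity is not None and now - acct.last_activity > IDLE_TIMEOUT:
        acct.last_activity = None
        return True
    return False


def sign_on(acct: Account, password: str, now: datetime) -> str:
    """Apply the standards in order and return the outcome; counters update in place."""
    if acct.suspended:
        return "denied: user ID suspended"
    expire_idle_session(acct, now)
    if acct.last_activity is not None:
        return "denied: concurrent session not allowed"
    if not hmac.compare_digest(credential_digest(password), acct.digest):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.suspended = True          # only the security administrator reinstates
            return "denied: user ID suspended after 3 failed attempts"
        return "denied: invalid credentials"
    acct.failed_attempts = 0
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return "denied: password expired, change required"
    acct.last_activity = now
    return "ok"


def record_activity(acct: Account, now: datetime) -> bool:
    """Called on each request; returns False if the session had already timed out."""
    if acct.last_activity is None or expire_idle_session(acct, now):
        return False
    acct.last_activity = now
    return True


def new_account(user_id: str, password: str, set_at: datetime) -> Account:
    return Account(user_id, credential_digest(password), set_at)


def run_scenarios() -> list:
    """Walk constructed accounts through the standards; returns the outcomes in order."""
    t0 = datetime(2024, 1, 15, 9, 0)
    out = []
    a = new_account("u1", "correct horse", t0 - timedelta(days=10))
    for _ in range(3):                                         # three wrong passwords
        out.append(sign_on(a, "wrong", t0))
    out.append(sign_on(a, "correct horse", t0))                # right password, suspended
    b = new_account("u2", "pw", t0 - timedelta(days=10))
    out.append(sign_on(b, "pw", t0))                           # ok
    out.append(sign_on(b, "pw", t0 + timedelta(minutes=2)))    # concurrent session
    out.append(record_activity(b, t0 + timedelta(minutes=3)))  # still live
    out.append(record_activity(b, t0 + timedelta(minutes=9)))  # idle 6 min: timed out
    out.append(sign_on(b, "pw", t0 + timedelta(minutes=9)))    # ok again
    c = new_account("u3", "pw", t0 - timedelta(days=61))
    out.append(sign_on(c, "pw", t0))                           # expired password
    return out


if __name__ == "__main__":
    for outcome in run_scenarios():
        print(outcome)
```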
System and information integrity policy and procedures: A control system that includes information integrity increases assurance that sensitive data have neither been modified nor deleted in an unauthorized or undetected manner. The security controls described under the system and information integrity family provide policy and procedures for identifying, reporting and correcting control system flaws. For this reason the organization develops, disseminates and periodically reviews and updates a formal, documented system and information integrity policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance.

Flaw remediation: The organization centrally manages the flaw remediation process and installs updates automatically. For this reason the organization should consider the risk of employing an automated flaw remediation process on a control system. To control flaw remediation, the organization must identify, report and correct system flaws; test software updates related to flaw remediation for effectiveness and potential side effects on organizational systems before installation; and incorporate flaw remediation into the organizational configuration management process as an emergency change.

Malicious code protection: To protect the system from malicious code, the organization should employ malicious code protection mechanisms at system entry and exit points and at workstations, servers or mobile computing devices on the network, and should update the malicious code protection mechanisms whenever new releases are available, in accordance with organizational configuration management policy and procedures.

Security alerts and advisories: To implement security alerts and advisories, the organization receives system security alerts, advisories and directives from designated external organizations on an ongoing basis, generates its own as deemed necessary, and disseminates security alerts, advisories and directives to an organization-defined list of personnel.

Security functionality verification: The organization verifies the correct operation of security functions within the control system upon system startup and restart, upon command by a user with appropriate privilege, periodically and/or at defined time periods. The control system notifies the system administrator when anomalies are discovered.

Software and information integrity: The system monitors and detects unauthorized changes to software and information. The organization reassesses the integrity of software and information by performing scans of the system at an organization-defined frequency, and uses the scans with extreme caution on designated high-availability systems.

Spam protection: To control unwanted spam messages, the organization should employ spam protection mechanisms at system entry points and at workstations, servers or mobile computing devices on the network to detect and take action on unsolicited messages transported by electronic mail, electronic mail attachments, web accesses or other common means.

Information input restrictions: The organization implements security measures to restrict information input to the control system to authorized personnel only. Restrictions on personnel authorized to input information to the control system may extend beyond the typical access requirements employed by the system and include limitations based on specific operational or project responsibilities.

Information input accuracy, completeness, validity and authenticity: The control system employs mechanisms to check information for accuracy, completeness, validity and authenticity.

Control and standards for information access control: Access control is used to provide authorized access to the information system, that is, to ensure that resources are only accessed by the appropriate personnel and that personnel are correctly identified. The major mechanisms of access control are as follows: access control policy and procedures; identification and authentication policy and procedures; account management; account review; user identification and authentication; device identification and authentication; passwords.

Access control policy and procedures: The organization should develop, disseminate and periodically review and update a formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance.

Identification and authentication policy and procedures: The organization should develop, disseminate and periodically review and update a formal, documented identification and authentication policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance.

www.facebook.com/CAinBD Account management: The organization manages the following controls for system accounts: Identifying account types (i.e., individual, group and system); Establishing conditions for group membership; Requiring appropriate approvals for requests to establish accounts. Authorizing, establishing, activating, modifying, disabling and removing accounts Account review: The organization manages reviews and analyzes system audit records on an organization-defined frequency for indications of inappropriate or unusual activity and report findings to designated organizational officials. User identification and authentication: The system uniquely identifies and authenticates organizational users by using the following controls: The system employs multifactor authentication for remote access and for access to privileged accounts; The system employs multifactor authentication for network access and for access to privileged accounts; The system employs multifactor authentication for local and network access. Device identification and authentication: The system uniquely identifies and authenticates an organization defined list of devices before establishing a connection. The system authenticates devices before establishing remote network connections using bi-directional authentication between devices that is cryptographically based. Password: Password is the key to electronic account at the office. Selecting a good password is the single most important thing that does to protect the security of an electronic account. The organization develops and enforces policies and procedures for control system users concerning the generation and use of passwords. How does one choose a good password? It is often said that choosing a good password will be the hardest thing that one does all day and it's true. Choosing a password that is both easy to remember and difficult to guess is not a small task. 
However, there are some popular methods of choosing passwords which are usually considered fairly good. One such method is to use the first letter from each word in a phrase, including punctuation and capitalization, and using numbers or symbols to represent words in the phrase. Another method is to start with two or more unrelated words and then abbreviate or mangle them in some manner, such that no part will be found in the dictionary. Make sure the two words aren't easily guessable. In addition to these methods, there are some rules that prevent the user from choosing passwords with the bad traits described above. Specifically, user passwords must have the following characteristics: Must be at least 6 characters long; Must contain at least 1 character from each of at least 3 different character classes. The character classes are:
- lowercase letters;
- uppercase letters;
- numbers;
- punctuation (printable characters other than letters or numbers);
- all other characters (control characters).
Must not appear to be systematic ("abcdef" will be rejected); Must not be based on anything in the user's password file entry (name, login name, user id etc.); Must not be based on a dictionary word or a reversed dictionary word. A complete word as a substring will cause the password to be rejected.

Protecting measures for passwords (individual): A password is a secret which should be known only by the user. If anybody else learns the password, the user's security has been compromised. Here are some measures to protect the user's password: Never tell the password to anyone; Do not write down the password; Never put the password in electronic mail to anyone (including system administrators or those who claim to be system administrators). If a user ever gets mail from anyone asking for the password, they should send mail to the lab immediately, without including the password; Change the password frequently, but choose a password that is easy to remember, so that users don't have to write it down; Do not type the password on any system that will put it over a potentially insecure network in clear text.
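A checker for the password rules above, added here as an example; it is not code from the study notes. The word list and the user's password-file entry are constructed stand-ins, and what counts as "systematic" is an assumption stated in the code.

```python
"""Password policy checker for the rules listed above.

Added example, not code from the study notes. It implements the notes' rules:
minimum length 6, characters from at least 3 of the 5 classes, no systematic
passwords (e.g. "abcdef"), nothing based on the user's password-file entry,
and no dictionary word (forward or reversed) as a complete substring.
The word list and the user entry below are constructed stand-ins.
"""

MIN_LENGTH = 6
MIN_CLASSES = 3

# Constructed stand-in for a real word list (a deployment would load one).
DICTIONARY = {"password", "secret", "office", "account", "summer", "welcome"}

# Constructed password-file entry for the user being checked.
USER_ENTRY = {"login": "rahim", "name": "Rahim Uddin", "uid": "1042"}

# Assumption: a fragment shorter than this is too short to count as "based on"
# a word or an account field; otherwise one-letter words would reject everything.
MIN_FRAGMENT = 3


def character_classes(password):
    """Return the set of character classes present (the notes' five classes)."""
    classes = set()
    for ch in password:
        if ch.isalpha() and ch.islower():
            classes.add("lowercase")
        elif ch.isalpha() and ch.isupper():
            classes.add("uppercase")
        elif ch.isdigit():
            classes.add("number")
        elif ch.isprintable():
            classes.add("punctuation")   # printable, neither letter nor digit
        else:
            classes.add("control")
    return classes


def is_systematic(password):
    """Reject sequences such as 'abcdef', '654321', 'aaaaaa' or 'abab'.

    Assumption: 'systematic' means the code points step by a constant amount
    (including zero), or the password is a short pattern repeated.
    """
    if len(password) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(password, password[1:])}
    if len(steps) == 1:
        return True
    for size in range(1, len(password) // 2 + 1):
        if len(password) % size == 0 and password[:size] * (len(password) // size) == password:
            return True
    return False


def contains_fragment(password, fragment):
    """True if fragment (or its reverse) appears in the password, ignoring case."""
    fragment = fragment.lower()
    if len(fragment) < MIN_FRAGMENT:
        return False
    lowered = password.lower()
    return fragment in lowered or fragment[::-1] in lowered


def check_password(password, user_entry=USER_ENTRY, dictionary=DICTIONARY):
    """Return the list of rule violations; an empty list means acceptable."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    if is_systematic(password):
        violations.append("systematic sequence or repeated pattern")
    # Account fields: the login, the user id, and each part of the full name.
    fields = [user_entry["login"], user_entry["uid"]] + user_entry["name"].split()
    if any(contains_fragment(password, f) for f in fields):
        violations.append("based on the user's password-file entry")
    if any(contains_fragment(password, w) for w in dictionary):
        violations.append("contains a dictionary word or reversed dictionary word")
    return violations


if __name__ == "__main__":
    for candidate in ["abcdef", "Rahim99!", "drowssap1!", "Iw2b@C!"]:
        problems = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not problems else '; '.join(problems)}")
```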

Control measures of password (corporate): Default passwords of different systems or programs must be changed immediately after installation; The organization replaces default user names whenever possible; The organization develops policies that stipulate the password complexity level for each level of criticality; Good security practices need to be followed in the generation of passwords; Passwords must be transferred to users via secure media.

Control and standards for computer audit:

Information system audit: Information systems audit is a part of the overall audit process, which is one of the facilitators of good corporate governance. There is no universal definition of IS audit. The well-known information technologist Ron Weber defined IS audit as the process of collecting and evaluating evidence to determine whether a computer system (information system) safeguards assets, maintains data integrity, achieves organizational goals efficiently and consumes resources efficiently.

Importance of IS audit: Information systems are the lifeblood of any large business. Information systems not only record business transactions but actually drive the key business processes of the enterprise. The purpose of IS audit is to review and provide feedback, assurances and suggestions. IS audit is important because it helps to ensure the availability of information for the business at all times when required; to ensure the system is well protected against all types of losses and disasters; to establish the confidentiality of the system; to check whether the system is always accurate, reliable and timely; and to ensure that no unauthorized modification can be made to the data or the software in the system.

IS audit standard: An IS audit standard provides audit professionals a clear idea of the minimum level of acceptable performance essential to discharge their responsibilities effectively.
The standard sets out audit objectives in a computer information system (CIS) environment and elaborates on the following: The auditor's responsibility in gaining sufficient understanding and assurance on the adequacy of accounting and internal controls that protect against the inherent and control risks in a CIS, and the resulting considerations to be taken while designing audit procedures; The potential impact of auditing in a CIS on the assessment of control and audit risks; The auditor is required to determine the following factors to determine the effect of the CIS environment on the audit: the extent to which the CIS is used for recording, compiling and analyzing accounting information; the system of internal controls relating to authorized, complete, accurate and valid processing and reporting procedures; the impact of the CIS accounting system on the audit trail. The standard also requires the auditor to have sufficient knowledge of the CIS and to possess appropriate specialized skills to enable him to plan, direct, supervise, control and review the work performed.

The IS audit process: The purpose of IS audit is to review and provide feedback, assurance and suggestions. These concerns can be grouped under three broad heads: Availability: Will the information systems on which the business is heavily dependent be available for the business at all times when required? Are the systems well protected against all types of losses and disasters? Confidentiality: Will the information in the systems be disclosed only to those who have a need to see and use it and not to anyone else? Integrity: Will the information provided by the systems always be accurate, reliable and timely? What ensures that no unauthorized modification can be made to the data or the software in the systems?

Elements of IS audit: An information system is not just a computer. Today's information systems are complex and have many components that piece together to make a business solution. Assurance about an information system can be obtained only if all the components are evaluated and secured; as the proverb says, a chain is only as strong as its weakest link. The major elements of IS audit can be broadly classified as follows:

Physical and environmental review: This includes physical security, power supply and conditioning, humidity control and other environmental factors;

System administration review: This includes security review of the operating systems, database management systems, all system administration procedures and compliance;

Application software review: The business application could be payroll, invoicing, a web-based customer order processing system or an enterprise resource planning system that actually runs the business. Review of such application software includes access control and authorizations, validations, error and exception handling, business process flows within the application software, and complementary manual controls and procedures. Additionally, a review of the system development lifecycle should be completed;

Network security review: Review of internal and external connections to the system, perimeter security, firewall review, router access control lists, port scanning and intrusion detection are some typical areas of coverage;

Business continuity review: This includes existence and maintenance of fault-tolerant and redundant hardware, backup procedures and storage, and a documented and tested disaster recovery/business continuity plan;

Data integrity review: The purpose of this is scrutiny of live data to verify adequacy of controls and impact of weaknesses, as noticed from any of the above reviews. Such substantive testing can be done using generalized audit software (e.g., computer assisted audit techniques).
Events of computer audit: Computer audit examines the system's records and activities to determine the system's security and any security breaches. It includes the following events: Audit and accountability policy and procedures; Auditable events; Content of audit records; Audit storage capacity; Response to audit processing failure; Audit monitoring, analysis and reporting; Time stamps; Protection of audit information; Audit generation.

Audit and accountability policy and procedures: The organization develops, disseminates and periodically updates a formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance.

Auditable events: The organization maintains policies for auditable events, such as determining, based on a risk assessment in conjunction with mission/business needs, which system-related events require auditing. It ensures that the list of auditable events is adequate to support after-the-fact investigations of security incidents and includes execution of privileged functions in the list of events to be audited by the system.

Content of audit records: The control for content of audit records is that the system produces audit records that contain sufficient information to establish what events occurred, when the events occurred, where the events occurred, the sources of the events and the outcomes of the events.

Audit storage capacity: The organization allocates sufficient audit record storage capacity and configures auditing to reduce the likelihood of such capacity being exceeded.

Response to audit processing failure: The control for response to audit failures is that the system provides a warning when allocated audit record storage volume reaches an organization-defined percentage of maximum audit record storage capacity.
Audit monitoring, analysis and reporting: The controls for audit monitoring, analysis and reporting are that the system reviews and analyzes system audit records on an organization-defined frequency for indications of inappropriate or unusual activity and reports findings to designated organizational officials. The organization analyzes and correlates audit records across different repositories to gain organization-wide situational awareness.

Time stamps: The controls are that the system uses internal system clocks to generate time stamps for audit records, and that the system synchronizes internal system clocks on an organization-defined frequency.

Protection of audit information: The control system protects audit information and audit tools from unauthorized access, modification and deletion.

Audit generation: The system provides audit record generation capability for the auditable events. It allows authorized users to select which auditable events are to be audited by specific components of the system, and it generates audit records for the selected list of auditable events.
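An added example, not from the study notes, that models the audit controls of this section: records carrying what, when, where, source and outcome; a storage-capacity warning at an organization-defined percentage; and a review pass that correlates records from two repositories to find unusual activity. The hosts, addresses, timestamps and the five-failures-in-five-minutes threshold are constructed.

```python
"""Audit records, storage-capacity warning and review for unusual activity.

Added example, not code from the study notes. It models the audit controls
described above: each record states what happened, when, where, the source
and the outcome; the store warns when it reaches an organization-defined
percentage of its capacity; and a review pass correlates records from more
than one repository to flag unusual activity. The threshold (five failed
logins from one source inside five minutes) and all records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class AuditRecord:
    event: str       # what occurred, e.g. "login" or "privileged_function"
    timestamp: str   # when it occurred (ISO-8601, UTC, from the system clock)
    host: str        # where it occurred
    source: str      # who or which address initiated it
    outcome: str     # "success" or "failure"


class AuditStore:
    """One audit repository with a fixed record capacity."""

    def __init__(self, name, capacity, warn_percent=80):
        self.name = name
        self.capacity = capacity
        self.warn_percent = warn_percent   # organization-defined threshold
        self.records = []

    def record(self, event, host, source, outcome, when=None):
        """Generate one audit record; `when` defaults to the system clock."""
        when = when or datetime.now(timezone.utc)
        rec = AuditRecord(event, when.isoformat(), host, source, outcome)
        self.records.append(rec)
        return rec

    def used_percent(self):
        return 100.0 * len(self.records) / self.capacity

    def capacity_warning(self):
        """Response control: warn once usage reaches the defined percentage."""
        return self.used_percent() >= self.warn_percent


def find_unusual_activity(records, max_failures=5, window=timedelta(minutes=5)):
    """Flag sources with at least max_failures failed logins inside one window.

    Records from several repositories can be passed together; that is how the
    cross-repository correlation described above is done here.
    """
    failures = defaultdict(list)
    for rec in records:
        if rec.event == "login" and rec.outcome == "failure":
            failures[rec.source].append(datetime.fromisoformat(rec.timestamp))
    findings = []
    for source, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over the failures
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= max_failures:
                findings.append({"source": source, "failures": end - start + 1,
                                 "from": times[start].isoformat(),
                                 "to": times[end].isoformat()})
                break
    return findings


def build_sample():
    """Constructed scenario: one source's failures split across two repositories."""
    base = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)   # constructed time
    web = AuditStore("web-server", capacity=10)
    db = AuditStore("db-server", capacity=10)
    suspect, staff = "203.0.113.7", "192.0.2.25"              # documentation ranges
    for i in range(3):      # three failures recorded on the web host
        web.record("login", "web01", suspect, "failure", base + timedelta(seconds=30 * i))
    for i in range(3, 5):   # two more on the db host, same source, same minutes
        db.record("login", "db01", suspect, "failure", base + timedelta(seconds=30 * i))
    web.record("login", "web01", staff, "failure", base + timedelta(minutes=1))
    web.record("login", "web01", staff, "success", base + timedelta(minutes=2))
    for i in range(4):      # routine records that push the web store past 80 %
        web.record("privileged_function", "web01", staff, "success",
                   base + timedelta(minutes=3 + i))
    return web, db


if __name__ == "__main__":
    web, db = build_sample()
    print("web store at", web.used_percent(), "% - warning:", web.capacity_warning())
    print("web repository alone:", find_unusual_activity(web.records))
    print("correlated across repositories:", find_unusual_activity(web.records + db.records))
```

Reviewed on its own, neither repository shows enough failures to flag; only the correlated view reaches the threshold, which is the point of the cross-repository control.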

Control and standards for system implementation phases: System implementation phase controls are the controls over an information system from analysis through to implementation of the system. They include the following: System installation; System testing; Documentation; Training; File conversion and change-over.

System installation: An implementation plan should be documented, communicated and approved.

System testing: A test plan/methodology should exist for managing and monitoring the testing effort to provide reasonable assurance that the system functionality is fully tested.

Documentation: Documentation is one of the most important tools for control. System documentation should include the following: System descriptions: System descriptions provide narrative explanations of operating environments and the interrelated input, processing and output functions of integrated application systems. System documentation: System documentation includes system flowcharts and models that identify the source and type of input information, processing and control actions and the nature and location of output information. System file layouts: System file layouts describe collections of related records generated by individual processing applications.

Training: Personnel training is important for the successful implementation of an information system because through it organizational employees can easily cope with the new system. Without knowing the full process of the system a person cannot handle all the functionalities of the information system. For a better understanding of the information system implemented, organizational employees must be oriented to the new system by training. Training is necessary for both system operators and users.
The types of training they require are as follows: System operators need the following training: System training; Network training; Hardware training; Security training; Maintenance training; Data recovery or back-up training; System software training; etc. Users need the following training: System software training; Facilities training; Operating system training; etc.

File conversion and change-over: When an automated or new system is implemented, the existing old files must be brought into the new system. These files may be in manual or automated form. The tasks in this section are twofold: Data input of the file; Data verification of the file. When a manual file is replaced, hard-copy data need to be entered into the system and the accuracy of the input data verified. For this, organizations employ a parallel conversion methodology. Parallel operation consists of running the old process or system and the new system simultaneously until the new system is certified.

Control and standards for system maintenance and evaluation: Computer system maintenance procedures should adequately protect computer hardware against failure over the expected useful life of the equipment, and equipment should be serviced according to the manufacturer's recommendations as specified in the contract with the vendor. The control and standards for the system maintenance and evaluation process include the following: System maintenance policy and procedures; Legacy system upgrades; System monitoring and evaluation; Backup and recovery; Unplanned system maintenance; Periodic system maintenance; Post-implementation review.

System maintenance policy and procedures: A system maintenance policy is a formal, documented control system maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities and compliance. The organization ensures the control system maintenance policy and procedures are consistent with applicable laws, directives, policies, regulations, standards and guidance, and they should be included as part of the general information security policy for the organization. System maintenance procedures should be developed for the security program in general and for a particular control system when required.

Legacy system upgrades: The organization develops policies and procedures to upgrade existing legacy control systems to include security mitigating measures commensurate with the organization's risk tolerance and the risk to the system and the processes controlled.

System monitoring and evaluation: The organization conducts periodic security vulnerability assessments according to the risk management plan; accordingly, the system should be monitored and evaluated periodically to identify vulnerabilities or conditions that might affect the security of a control system.
Back-up and recovery: The organization makes and secures backups of critical system software, applications and data for use if the control system operating system software becomes corrupted or destroyed.

Unplanned system maintenance: Unplanned maintenance is required to support control system operation in the event of system/component malfunction or failure. Security requirements necessitate that all unplanned maintenance activities use approved contingency plans and document all actions taken to restore operability to the system.

Periodic system maintenance: The organization schedules, performs, documents and reviews records of maintenance and repairs on system components in accordance with manufacturer or vendor specifications and/or organizational requirements, and this must be done periodically to verify that the controls are still functioning properly following maintenance or repair actions.

Post-implementation review: Organizations implement various IT solutions to meet their business requirements. Once the solutions are implemented, post-implementation reviews are generally carried out by IS auditors to assess the effectiveness and efficiency of the IT solutions and their implementation, initiate actions to improve the solution (where necessary) and serve as a learning tool for the future.

Risks to IT systems:

IT risk assessment: Before an organization commits resources to controls, it must know which assets require protection and the extent to which these assets are vulnerable. A risk assessment helps answer these questions and also helps the firm determine the most cost-effective set of controls for protecting assets. A risk assessment determines the level of risk to the firm if a specific activity or process is not properly controlled. Business managers working with information systems specialists can determine the value of information assets, points of vulnerability, the likely frequency of a problem and the potential for damage.
One problem with risk assessment and other methods for quantifying security costs and benefits is that organizations do not always know the precise probability of threats occurring to their information systems, and they may not be able to quantify the impact of such events accurately. Nevertheless, some effort to anticipate, budget for and control direct and indirect security costs will be appreciated by management in this case. The end product of risk assessment is a plan to minimize overall cost and maximize defenses. To decide which controls to use, information systems builders must examine various control techniques in relation to each other and to their relative cost-effectiveness. A control weakness at one point may be offset by a strong control at another. It may not be cost-effective to build tight controls at every point in the processing cycle if the areas of greatest risk are secure or if compensating controls exist elsewhere. The combination of all of the controls developed for a particular application determines the application's overall level of control. The areas to be focused upon are: 1. Prioritization; 2. Identifying critical applications; 3. Assessing their impact on the organization; 4. Determining recovery time-frame; 5. Assessing insurance coverage.

What is a computer virus? What precautions can a business take to circumvent viruses? Viruses are a form of high-tech maliciousness. They cause destruction of data and software. One of the most destructive examples of computer crime involves the creation of computer viruses. Virus is the more popular term, but technically a virus is program code that cannot work without being inserted into another program. These programs copy annoying or destructive routines into the networked computer systems of anyone who accesses computers infected with the virus or who uses copies of magnetic disks taken from infected computers. Thus, a computer virus can spread destruction among many users. Though they sometimes display only humorous messages, they more often destroy the contents of memory, hard disks and other storage devices. Copy routines in the virus or worm spread the virus and destroy the data and software of many computer users.
In a word, a computer virus is a rogue software program that attaches itself to other software programs or data files in order to be executed, usually without the user's knowledge or permission. When a virus-infected program is run, the virus, which has modified its host, is able to replicate itself. Some viruses are merely annoying, such as one that causes a small dot to wander randomly across the screen, while others delete data. There are many virus detection packages on the market today. These can be used to detect, control or remove viruses from the computer system. With the increasing use of intranets and extranets in business, the security problems caused by computer viruses grow, and data security, system security, integrity, privacy and confidentiality are badly affected. In this situation, to safeguard computer systems from virus infection, the following precautions should be taken: Install virus detection, control and removal programs in the computer system; Use only licensed and authorized programs and avoid pirated programs; Screen all disks through anti-virus programs and minimize disk swapping into the system; The anti-virus system should be active during use of a network or the Internet; Update the anti-virus system with the latest available version; Maintain backup copies of important and critical data files and programs to safeguard against a disaster; etc.

Typical symptoms of virus activity are: OS loading may be slow; Opening a file is slow; Opening a program is slow; Logging in may not work; The Internet may be unavailable or disrupted; Messages while booting (hardware failure); The font of a document may change; Hard disk failure; etc.

Hacking: Hacking remains the most common form of cybercrime and it continues to grow in popularity. A hacker is someone who uses a computer and network or Internet connection to intrude into another computer or system to perform an illegal act. This may amount to simple trespassing or acts that corrupt, destroy or change data.
In another form, hacking can be the basis for a Distributed Denial of Service (DDoS) attack, in which a hacker hides malicious code on the PCs of many unsuspecting victims. This code may enable the hacker to take over the infected PCs or simply use them to send requests to a web server. Successful DDoS attacks can cost targeted companies millions of dollars. The extent of the problem is not known simply because it is so widespread. PricewaterhouseCoopers estimates that viruses and hacking alone cost the world economy upwards of $1.6 trillion in 2003.

At one time, a hacker was just a person who understood computers well; however, hacking now refers to criminal or antisocial activity. Today, hackers' activities are usually categorized by their intent: Recreation attacks; Business or financial attacks; Intelligence attacks; Grudge and military attacks; Terrorist attacks. Other than posing an invasion of privacy, recreational hacking is relatively harmless. In most cases, recreational hackers just attempt to prove their abilities without doing any damage. In business, financial or intelligence attacks, however, hackers often engage in data diddling, forging or changing records for personal gain, or attempting to copy the data from the penetrated system. Grudge attacks are carried out by hackers with a grievance against an individual or organization, and such attacks are frequently destructive. The harm from terrorist attacks could be catastrophic. The industrial world is highly dependent on its computers and there is evidence that this type of attack may be the tool of future war.

Common hacking methods: Hackers use a variety of methods to break into computer systems. These methods fall into three broad categories:

Sniffing: The term sniffing refers to finding a user's password. There are three ways to sniff a password: password sharing, password guessing and password capture. Password sharing is the most common and occurs when a victim simply discloses his or her password to a hacker. Passwords are shared out of simple ignorance, when victims do not realize that the password might be used against their wishes or in ways they would never intend. Password guessing is done exactly as the term implies: a hacker tries to guess a user's password and keeps trying until he or she gets it right. Users can safeguard against password guessing by using complex passwords. Network administrators can prevent guessing by limiting the number of attempts anyone can make to log into the network.
In password capture, a password is obtained by some type of malware program and forwarded to the hacker. Passwords may be captured electronically if they are sent as text that is not encrypted. For example, during a login session, a hacker may intercept the password data when it is sent to a server even if it is encrypted within the system itself.

Social engineering: Social engineering used to be called "running a confidence game." The hacker may use any number of frauds to "con" victims out of their passwords. It might be as simple as dumpster diving: just as in identity theft, a password thief searches the victim's trash in order to find useful access information. Other forms of social engineering are the "phone survey," the "application" and the "emergency situation." In these situations, a hacker may contact potential victims by phone or e-mail and ask the victims to provide password information for an apparently legitimate reason. This method is sometimes referred to as phishing.

Spoofing: Hackers may alter an e-mail header to make it appear that a request for information originated from another address. This is called spoofing. They can gain electronic entry by pretending to be at a legitimate computer, which is called IP spoofing. Using this technique, the hacker intercepts a message or gains access to the system by posing as an authorized user. On a network, this is done by altering the message information to make it appear that it originated from a trusted computer.

How to protect a system from hackers: The following measures may be taken to protect an information system from hackers: Implement firewalls; Develop a corporate security policy; Install anti-virus software; Keep the operating system up to date; Do not run unnecessary network services; Conduct a vulnerability test; Avoid scam websites; Secure the ports.

Controls for personal systems: An effective control system provides reasonable, but not absolute, assurance for the safeguarding of assets, the reliability of financial information and compliance with laws and regulations. The degree of control employed is a matter of good business judgment. There are two categories of control over personal systems to ensure processing integrity, security and safeguarding of IT resources: General controls; Application controls.

General controls: These represent the foundation of the IT control structure. They help to ensure the reliability of data generated by IT systems and support the assertion that systems operate as intended and that output is reliable. General controls include: Access security, data and program security, physical security; Software development and program change controls; Data center operations; Disaster recovery.

Application controls: Application or program controls are there to ensure the complete and accurate processing of data from input through output. These controls vary based on the business purpose of the specific application. Applications are the programs and processes, including manual processes, that enable us to conduct essential activities: Buying products; Paying people; Accounting for research costs; Forecasting and monitoring budgets. Application controls apply to application systems and include input controls (e.g., edit checks), processing controls (e.g., record counts) and output controls (e.g., error listings); they are specific to individual applications. Application controls include: Input controls; Authorization; Validation; Error notification and correction; Processing controls; Output controls. They consist of the mechanisms in place over each separate system that ensure that authorized data is completely and accurately processed.

What are the possible categories of risk when the company starts to use the customized accounting software?
What measures can you take to counter the risk? The possible categories of risk when the multinational company starts to use the customized accounting software are as follows: Customization: Without ensuring proper customization, the accounting system cannot bring better results for the organization. Customization covers financial reports, input screens, forms, source code etc. Proper documentation: Proper documentation of the system record is very important; otherwise improvement of the system is under threat. Training: Before implementing a new system, training is important to familiarize employees with the system, which ensures its accurate and optimum use. Vendor reliability: To ensure a good accounting system, users must rely on continued support from the vendor. For this reason, the vendor should be reliable and available when needed. Environment: The organizational environment is a great risk factor because without ensuring a proper environment for the accounting system, it is very difficult to implement and run it. Security issue: System security, which ensures data integrity, privacy and confidentiality, is a big risk factor for an accounting system. Proper maintenance: Maintenance of the system is another risk. Minor modifications to the system to optimize performance, improve its usability or accommodate small changes in the environment will have to be made from time to time while the system is operational.

Measures that can be taken to counter the risk are as follows: To ensure proper customization, continuous review of the system is necessary; Documentation of the system must be preserved carefully; Employee training and a suitable work environment must be provided; The system should be developed by a reliable vendor; Proper security measures must be ensured; Provision for continuous maintenance by an expert should be made.
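An added example, not from the study notes, showing the application controls described in the "Controls for personal systems" passage above (input edit checks, record-count and control-total processing controls, and an output error listing) over a journal-entry batch of the kind a customized accounting system would accept. The chart of accounts, batch header and batch lines are constructed.

```python
"""Application controls over a journal-entry batch.

Added example, not code from the study notes. It shows the three control
layers described above on one batch of accounting input: input controls
(edit checks on each keyed line), processing controls (record count and
control total checked against the batch header, plus a debit/credit balance
test) and an output control (an error listing). The chart of accounts, the
batch header and the batch lines are constructed.
"""
import csv
import io
from datetime import date
from decimal import Decimal, InvalidOperation

# Constructed chart of accounts.
CHART_OF_ACCOUNTS = {"1000": "Cash", "1200": "Receivables", "4000": "Sales", "5000": "Salaries"}

# Constructed batch header prepared by the operator before keying the lines.
SAMPLE_HEADER = {"record_count": 6, "control_total": Decimal("9000.00")}

# Constructed batch: line 3 uses an unknown account and line 4 has a letter O
# keyed instead of a zero in its amount, the kind of error an edit check must catch.
SAMPLE_BATCH = """\
date,account,side,amount,description
2024-03-05,1000,DR,1500.00,Cash sale
2024-03-05,4000,CR,1500.00,Cash sale
2024-03-06,9999,DR,2000.00,Unknown account
2024-03-06,4000,CR,2O00.00,Mis-keyed amount
2024-03-07,5000,DR,1000.00,Salary accrual
2024-03-07,1000,CR,1000.00,Salary accrual
"""


def parse_amount(text):
    """Return a positive Decimal, or None if the amount fails validation."""
    try:
        value = Decimal(text)
    except InvalidOperation:
        return None
    return value if value > 0 else None


def edit_checks(line):
    """Input controls: return the list of errors for one keyed line."""
    errors = []
    try:
        date.fromisoformat(line["date"])
    except ValueError:
        errors.append("invalid date")
    if line["account"] not in CHART_OF_ACCOUNTS:
        errors.append(f"unknown account {line['account']}")
    if line["side"] not in ("DR", "CR"):
        errors.append("side must be DR or CR")
    if parse_amount(line["amount"]) is None:
        errors.append(f"invalid amount {line['amount']!r}")
    return errors


def process_batch(header, batch_text):
    """Run input, processing and output controls over a batch; return the results."""
    lines = list(csv.DictReader(io.StringIO(batch_text)))
    accepted, error_listing = [], []
    control_total = Decimal("0")
    for number, line in enumerate(lines, start=1):
        amount = parse_amount(line["amount"])
        if amount is not None:
            control_total += amount          # hash total over every readable amount
        errors = edit_checks(line)
        if errors:
            error_listing.append(f"line {number}: {'; '.join(errors)}")   # output control
        else:
            accepted.append({**line, "amount": amount})
    debits = sum(entry["amount"] for entry in accepted if entry["side"] == "DR")
    credits = sum(entry["amount"] for entry in accepted if entry["side"] == "CR")
    return {
        "accepted": accepted,
        "error_listing": error_listing,
        # Processing controls: what was received must match what the operator prepared.
        "record_count_ok": len(lines) == header["record_count"],
        "control_total_ok": control_total == header["control_total"],
        "computed_total": control_total,
        "balanced": debits == credits,
    }


if __name__ == "__main__":
    result = process_batch(SAMPLE_HEADER, SAMPLE_BATCH)
    for key in ("record_count_ok", "control_total_ok", "computed_total", "balanced"):
        print(f"{key}: {result[key]}")
    print("\n".join(result["error_listing"]))
```

The record count matches the header but the control total does not, which is exactly how a mis-keyed amount is surfaced even when the rejected line is already on the error listing.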

Reasons why people resist imposed change: The reasons why people resist imposed change, and not change that they initiate, can largely be attributed to fear. This applies in the case of computerization at an organization. Specifically, what individuals fear relates to their security and the uncertainty of the impact that change will have upon them personally. It is necessary to somehow help the employees overcome this fear in order to introduce changes smoothly. Employees will accept computerization easily when they are taken into confidence. In respect of employees in general, do the following: Inform them; Indicate benefits to them; Be honest with them; Get employees' opinions; Involve employees in discussion; Use subcommittees; Use a third party; Assess management style; Don't delay decision making; Get feedback from employees; Consider alternatives; Possibly try a pilot implementation. When management ignores these actions, the change process will be a bumpy ride with unpredictable results.

Ethics in business: Ethics in business means the principles of right and wrong that can be used by businesses and users, acting as free moral agents, to make choices that guide their behavior. Organizations must provide employees with clear guidelines for conduct and encourage them to uphold high ethical standards in their everyday business practice. There are three sources against which ethical behavior can be assessed: the laws and regulations that specify codes of conduct; the explicit ethical guidelines established by an organization; and the ethical and moral code of conduct of an individual.

Ethical problems in business: Computers now present new ethical problems in business, which are: Privacy: People desire to be in full control of what and how much information they want to share, and some don't want information shared without their permission.
Security: Computer security is an attempt to avoid such undesirable events as a loss of confidentiality or of data integrity. Ownership of property: Laws designed to preserve real property rights have been extended to cover what is referred to as intellectual property, such as software. Equity and access: Some barriers to access are intrinsic to the technology of information systems, but some are avoidable through careful system design. The end
