D4 Digital

Chapter 1 Governance and Management of Digital Ecosystem

Introduction

●​ Enterprises aim to deliver value to stakeholders while operating within acceptable value
and risk parameters.
●​ Governance refers to decision-making processes that steer organizations, ensuring
accountability, structure, and resource optimization.

Key Principles of Governance Framework

1. Based on Conceptual Model: Consistent and allows automation.
2. Open and Flexible: Adapts to new issues.
3. Aligned to Major Standards: Conforms with global regulations and frameworks.

Enterprise Governance

● Framework ensuring strategic direction, risk management, and responsible use of resources.
● Dimensions:
1. Corporate Governance: Focuses on conformance, regulatory compliance, and shareholder value.
2. Business Governance: Proactive, strategy-focused, and emphasizes value creation.

3 (Set D Notes by Mansi)

IT Governance

● Aligns IT strategy with business goals.
● Objectives include increased value from IT, risk mitigation, and effective resource utilization.
● Key questions involve decision-making, monitoring, and exception handling.

Governance of Enterprise IT (GEIT)

● A subset of corporate governance focused on implementing IS controls.
● Benefits: Alignment with enterprise goals, transparent oversight, and compliance with regulations.

Enterprise Governance of Information and Technology (EGIT)

EGIT emphasizes the importance of Information and Technology (I&T) in enterprise support, sustainability, and growth, especially in the context of digital transformation. This concept is gaining traction as organizations recognize the necessity for effective governance structures that integrate I&T into enterprise risk management.

Key points include:

- **Definition**: EGIT involves defining and embedding processes that align business and IT responsibilities, enhancing value from IT investments.
- **Focus**: It goes beyond installing superior IT infrastructure, focusing on overall management and governance.
- **Role of Boards**: Governing boards are crucial in overseeing the integration of I&T processes to ensure that both business and IT align strategically and fulfill their roles effectively.

In summary, EGIT is vital for optimizing IT performance and managing risks related to IT dependencies, ensuring that organizations maximize the benefits of their IT-enabled initiatives.

Business and IT Strategy

● IT must integrate seamlessly with business strategies.
● IT Steering Committee: Guides IT deployment aligned with enterprise goals.
● Strategic Planning:
1. Enterprise Strategic Plan.
2. IS Strategic Plan.
3. IS Requirements Plan.
4. IS Applications and Facilities Plan.

1.5.5: Key Management Practices for Aligning IT Strategy with Enterprise Strategy

This section emphasizes aligning IT strategy with the overarching goals and strategies of an enterprise. The key practices include:

1. Understand Enterprise Direction
○ Analyze the enterprise's current environment, business processes, strategy, and future objectives.
○ Consider external factors like industry trends, regulations, and competition.
2. Assess Current Environment, Capabilities, and Performance
○ Evaluate the performance of internal business and IT capabilities, as well as external IT services.
○ Understand the enterprise architecture to identify improvement areas.
○ Include service provider differentiation, financial impact, and benefits analysis.
3. Define Target IT Capabilities
○ Set goals for future IT and business capabilities based on enterprise needs.
○ Leverage reference standards, best practices, and emerging technologies.
4. Conduct Gap Analysis
○ Identify gaps between current and desired IT states.
○ Assess alignment of assets with business outcomes to optimize investments.
5. Define the Strategic Plan and Roadmap
○ Create a strategic plan that ties IT goals to enterprise objectives.
○ Define initiatives, sourcing strategies, and measurements for monitoring progress.
6. Communicate IT Strategy and Direction
○ Share the IT strategy with relevant stakeholders to create awareness and alignment.

Success Metrics: Alignment is measured through stakeholder satisfaction, IT's support of strategic goals, and mapping IT value drivers to business outcomes.

1.5.6: Business Value from Use of IT

This section discusses ensuring that IT contributes value to the business by optimizing processes, services, and assets.

1. Evaluation of Value Optimization
○ Regularly assess IT-enabled investments, services, and assets for value creation at reasonable costs.
○ Adjust direction to maximize value realization.
2. Direction of Value Optimization
○ Use value management principles to achieve optimal returns from IT investments over their lifecycle.
3. Monitoring Value Optimization
○ Track goals and metrics to ensure the expected value is realized.
○ Address significant issues with corrective actions where necessary.

Success Metrics:

● Percentage of IT-enabled investments where benefit realization is monitored.
● Percentage of IT services delivering expected benefits.
● Accuracy and transparency of IT financial data.

Frameworks for IT Governance

1. COBIT:
○ Framework for IT governance and management.
○ Organized into five domains: Evaluate, Align, Build, Deliver, and Monitor.
○ Principles: Stakeholder value, holistic approach, dynamic governance system, tailored to enterprise needs, end-to-end governance system, and governance distinct from management.
2. ITIL (Information Technology Infrastructure Library):
○ Service management framework aligning IT with business needs.
○ Includes practices in general, service, and technical management.
3. ISO 27001:
○ Focuses on information security management systems (ISMS).
○ Promotes risk management and compliance.

Key Areas Identified in the MCQs

1. COBIT 5 Domains
○ Align, Plan, and Organize (APO):
■ Covers overall organization, strategy, and supporting IT-related activities.
■ Focused on aligning IT strategy with business objectives.
○ Build, Acquire, and Implement (BAI):
■ Focuses on acquiring and integrating IT solutions into business processes.
○ Deliver, Service, and Support (DSS):
■ Emphasizes operational delivery, including incident and service management.
■ Example: DSS01 manages IT operations.
○ Monitor, Evaluate, and Assess (MEA):
■ Monitors performance, compliance, and alignment with enterprise goals.
2. Governance System Definition
○ Refers to structured processes and mechanisms enabling stakeholders to meet enterprise objectives.
3. COBIT Framework
○ Provides a governance and management structure for enterprise information and technology.
○ Encompasses strategy, risk management, and operational efficiency.

Insights from the Questions

●​ Focus on DSS Domain: Operational aspects, like IT service delivery and support, are
highlighted.
●​ Governance Objectives: COBIT 5 emphasizes separating governance and
management functions.
●​ Stakeholder Involvement: Governance systems prioritize transparency and
accountability.
●​ Alignment of Goals: IT processes are aligned with broader enterprise strategies.

Chapter 2 Governance, Risk, and Compliance (GRC)

Main Points and Sub-Points

2.1 Introduction to GRC (Governance Risk and Compliance)

● GRC integrates governance, risk management, and compliance processes.
● Provides a structured approach for aligning IT with business objectives.
● Helps organizations manage risks, reduce costs, and ensure compliance.

2.2 Risk Fundamentals

● Key Concepts:
○ Asset: Anything valuable to the organization, such as customer data, IT systems, or reputation.
○ Vulnerability: Weaknesses in systems that can be exploited (e.g., poor access control or outdated software).
○ Threat: Events or entities capable of harming systems (e.g., cyber-attacks, natural disasters).
○ Risk: Combination of vulnerabilities and threats leading to potential harm.
● CIA Triad: Confidentiality - only authorised users can access information; Integrity - only authorised users can change it; Availability - the amount of time users can use a system or its information must be maintained.

Summary of 2.2.2: Vulnerability

● Definition:
A vulnerability is a weakness in a system's safeguards that exposes it to threats. These weaknesses may exist in information systems, cryptographic systems, hardware designs, security procedures, or internal controls.
● Key Characteristics:
○ It enables threats to exploit the system.
○ Missing safeguards contribute to vulnerability levels.
○ Examples include weak access control methods and short passwords.
● Identification:
○ Vulnerabilities are determined through security evaluations, such as penetration testing and safeguard analysis.
○ Vulnerabilities can originate from design flaws, implementation defects, or operational issues.
● Examples:
○ Leaving a door unlocked makes a house vulnerable to intruders.
○ Short passwords make a system susceptible to cracking or guessing.

Summary of 2.2.3: Threat

● Definition:
A threat is any entity, event, or circumstance with the potential to harm a system or its components by unauthorized access, destruction, modification, or denial of service.
● Key Characteristics:
○ A threat targets an asset and correlates closely with vulnerabilities.
○ Threats exploit vulnerabilities to cause harm or disruption.
● Types of Threats:
○ Disclosure Threats: Unauthorized access to confidential data, such as a data breach or espionage.
○ Alteration Threats: Unauthorized modifications to data, compromising integrity.
○ Denial of Service/Destruction Threats: Rendering systems or data unavailable through attacks like DoS.
● Examples:
○ A hurricane threatening physical infrastructure.
○ A cyber-attack aiming to steal sensitive data.
● Prevention:
○ Protect assets by mitigating vulnerabilities, as threats cannot be fully eliminated.

2.3 Risk Management

● Levels of Risk: Risk = threat × vulnerability
○ Inherent Risk: Before any controls are applied.
○ Current/Residual Risk: After implementing controls.
○ Target Risk: Desired level of risk after applying additional controls.
● Types of Risks:
○ Compliance Risks: Fines/penalties for non-compliance with laws.
○ Operational Risks: Inefficiencies or system failures.
○ Strategic Risks: Challenges in meeting organizational goals.
○ Reputational Risks: Damage to brand due to ethical lapses or failures.
○ Technological Risks: Failures in technology systems.

Summary of 2.3.3: Types of Risks

Risks faced by organizations can be broadly categorized as follows:

1. Compliance Risks:
○ Arise from non-compliance with laws, regulations, or internal policies.
○ Examples include penalties for data protection violations or environmental non-compliance.
2. Hazard (Pure) Risks:
○ Potentially harmful situations, such as natural disasters, theft, or health and safety hazards.
3. Control (Uncertainty) Risks:
○ Unpredictable risks associated with projects or new initiatives.
○ These involve unknown outcomes, costs, or delivery timelines.
4. Opportunity (Speculative) Risks:
○ Risks with potential positive or negative outcomes.
○ Example: Taking a new business opportunity that may succeed or fail.
5. Examples of Real-World Risks:
○ Operational risks like employee fraud.
○ Strategic risks from global market conditions or changing customer needs.

Summary of 2.3.4: Risk Management/Mitigation Strategies

Organizations use risk management strategies, often referred to as the 4T's, to address identified risks:

1. Transfer:
○ Sharing risk with third parties like insurers or vendors.
○ Example: Purchasing insurance to mitigate financial risks.
2. Tolerate:
○ Accepting risks that are minor or that would cost more to mitigate than to accept.
○ Example: Planning for minor production delays.
3. Terminate:
○ Avoiding risks entirely by modifying or stopping activities.
○ Example: Replacing risky technology or vendors with safer alternatives.
4. Treat:
○ Mitigating risks by implementing controls to reduce impact.
○ Example: Installing firewalls or creating daily data backups.

Risk Matrix and Dominant Responses:

● High Impact, Low Likelihood: Transfer.
● High Impact, High Likelihood: Terminate.
● Low Impact, Low Likelihood: Tolerate.
● Low Impact, High Likelihood: Treat.

2.4 Malicious Attacks

●​ Types of Threats:
○​ Active Attacks: Direct modification of systems (e.g., brute force, phishing).
○​ Passive Attacks: Eavesdropping or monitoring transmissions.
●​ Examples of Attacks:
○​ IP Spoofing: Disguising as an authorized entity.
○​ Phishing: Tricking users to reveal confidential data.
○​ Replay Attacks: Resending intercepted data packets.
○​ Man-in-the-Middle: Intercepting and modifying communications.

Summary of 2.4: Malicious Attacks

Malicious attacks are threats to IT infrastructure, classified as active or passive:

Active Attacks

These involve direct modifications or intrusions into systems:

1. Brute-Force Password Attacks:
○ Attackers repeatedly try combinations to crack passwords.
○ Mitigation: Enforce complex passwords and account lockout policies.
2. Dictionary Attacks:
○ Common passwords are tested using dictionary words.
○ Mitigation: Avoid simple passwords and include mixed-case letters, numbers, and symbols.
3. IP Address Spoofing:
○ Attackers disguise themselves as legitimate users by altering IP addresses.
○ Mitigation: Configure network routers to block unauthorized traffic.
4. Phishing:
○ Fake emails or websites trick users into revealing sensitive information.
○ Mitigation: Educate users and avoid clicking suspicious links.
5. Hijacking:
○ Browser Hijacking: Redirects users to fake websites (e.g., typo-squatting).
○ Session Hijacking: Intercepts and takes over active communication sessions.
6. Replay Attacks:
○ Previously intercepted data packets are reused to disrupt systems.
○ Mitigation: Use session tokens and timestamp validation.
7. Man-in-the-Middle (MITM) Attacks:
○ Attackers intercept and modify communications between two parties.
○ Example: Web spoofing to collect sensitive data like passwords.
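The two mitigations that the list above names only in a phrase, account lockout (item 1, which also covers item 2) and session token plus timestamp validation (item 6), are shown here as working defensive code. This is an added example, not material from the notes or the textbook they summarize; the class names LoginGuard and ReplayGuard, the user "alice", the shared key and the passwords are all constructed for the demonstration.

```python
"""Defensive checks for two items in the Active Attacks list: account lockout
against brute-force / dictionary guessing, and nonce + timestamp validation
against replayed messages. Added example; class and user names are
hypothetical and the sample key and passwords are constructed."""
import hashlib
import hmac
import secrets
import time


# ---- Items 1 and 2: lock the account after repeated wrong passwords ----

def make_record(password, iterations=50_000):
    """Constructed user record: (salt, PBKDF2-SHA256 digest, iterations).
    The iteration count is kept low for the demo."""
    salt = secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations), iterations


def make_verifier(store):
    """Return verify(user, password) over a {user: record} store, using a
    constant-time comparison so timing does not leak how many bytes matched."""
    def verify(user, password):
        rec = store.get(user)
        if rec is None:
            # still do the expensive hash so unknown users take the same time
            hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, 50_000)
            return False
        salt, digest, iterations = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
        return hmac.compare_digest(candidate, digest)
    return verify


class LoginGuard:
    """Locks an account after max_failures consecutive wrong passwords.
    `clock` is injectable so the behaviour can be tested without sleeping."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}      # user -> consecutive failures
        self._locked_until = {}  # user -> unix time when the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: reset the counters
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password, verify):
        """Return (accepted, reason). A locked account is refused even when the
        password is right, so guessing yields no signal during the lock."""
        if self.is_locked(user):
            return False, "locked"
        if verify(user, password):
            self._failures.pop(user, None)
            return True, "ok"
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self.max_failures:
            self._locked_until[user] = self.clock() + self.lockout_seconds
            return False, "locked"
        return False, "bad_password"


# ---- Item 6: HMAC over timestamp + nonce + body, each nonce accepted once ----

def _canonical(ts, nonce, body):
    # fixed field order with a separator so fields cannot be shifted into each other
    return b"%d|%s|%s" % (int(ts), nonce.encode(), body)


class ReplayGuard:
    """Accepts a signed message once: the MAC must verify, the timestamp must
    be within max_skew seconds of now, and the nonce must not have been seen."""

    def __init__(self, key, max_skew=30, clock=time.time):
        self.key = key
        self.max_skew = max_skew
        self.clock = clock
        self._seen = {}  # nonce -> time after which it can be forgotten

    def sign(self, body, timestamp=None, nonce=None):
        ts = int(self.clock() if timestamp is None else timestamp)
        nonce = nonce or secrets.token_hex(16)
        mac = hmac.new(self.key, _canonical(ts, nonce, body), hashlib.sha256).hexdigest()
        return {"ts": ts, "nonce": nonce, "body": body, "mac": mac}

    def verify(self, msg):
        now = self.clock()
        self._seen = {n: exp for n, exp in self._seen.items() if exp >= now}  # prune
        expected = hmac.new(self.key, _canonical(msg["ts"], msg["nonce"], msg["body"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, msg["mac"]):
            return False, "bad_mac"   # checked first: forged input must not poison the nonce set
        if abs(now - msg["ts"]) > self.max_skew:
            return False, "stale"     # outside the window, so it need not be remembered
        if msg["nonce"] in self._seen:
            return False, "replay"
        self._seen[msg["nonce"]] = msg["ts"] + self.max_skew  # after this it is stale anyway
        return True, "ok"
```

Two design points carry over to any real deployment: the lockout counters and the seen-nonce set must live in storage shared by every server instance, or an attacker simply spreads attempts across instances; and the MAC is verified before the nonce is recorded, so unauthenticated traffic cannot fill the nonce store or block legitimate nonces.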

Passive Attacks

Involve monitoring or eavesdropping without altering data:

1. Eavesdropping:
○ Unauthorized monitoring of network traffic to collect sensitive information.
○ Mitigation: Encrypt communications.
2. Social Engineering:
○ Attackers manipulate individuals to reveal confidential information.
○ Mitigation: Train employees on recognizing deceptive techniques.

Examples of Social Engineering

● Impersonating a technician to gain access to secure areas.
● Targeting untrained employees or those unfamiliar with security policies.

Mitigation Techniques for Malicious Attacks

● Educate employees on cybersecurity awareness.
● Implement firewalls and intrusion detection systems.
● Regularly update software to patch vulnerabilities.
● Enforce strict access controls and authentication protocols.

Malicious attacks exploit human and technical vulnerabilities, emphasizing the need for robust
security measures and proactive monitoring.

2.5 Malicious Software (Malware)

●​ Categories:
○​ Infecting Programs: Viruses, worms.
○​ Hiding Programs: Trojan horses, rootkits, spyware.
●​ Purpose: Disrupt systems, steal data, or cause financial harm.

Summary of 2.5: Malicious Software (Malware)

Malware refers to malicious software designed to infiltrate and harm systems, networks, or
devices. It can cause data breaches, system crashes, or unauthorized access. Malware
generally falls into two main categories: Infecting Programs and Hiding Programs.

Categories of Malware

1. Infecting Programs

These programs actively replicate themselves or infect other systems:

● Virus:
○ Attaches to or copies itself into another program.
○ Requires a host to spread and can replicate to other computers.
○ Causes harm by corrupting files, slowing systems, or crashing programs.
● Worm:
○ Self-contained program that replicates across networks without a host.
○ Can overload networks by consuming bandwidth or perform malicious actions.

2. Hiding Programs

These programs conceal themselves while executing malicious activities:

● Trojan Horse:
○ Disguised as legitimate software to trick users into executing it.
○ Often used to collect sensitive data, open backdoors, or upload/download files.
● Rootkit:
○ Modifies or replaces system programs to hide its presence.
○ Provides attackers with ongoing access to compromised systems.
○ Difficult to detect and can affect operating systems like Linux, UNIX, and Windows.
● Spyware:
○ Collects user information without consent, often for malicious purposes like identity theft.
○ Functions include monitoring keystrokes, scanning files, and reading browser cookies.

Effects of Malware

● Slowing down or crashing systems.
● Theft of sensitive information, such as credit card details and passwords.
● Unauthorized data modifications or deletions.

Examples of Malware Behaviors

● Monitoring user activity (e.g., keystroke logging).
● Exploiting security vulnerabilities.
● Manipulating system files to avoid detection.

Mitigation Strategies

● Install and update antivirus and anti-malware tools.
● Avoid downloading software from untrusted sources.
● Perform regular system scans and backups.
● Use firewalls to restrict unauthorized access.

Malware poses a significant threat to personal and business systems, emphasizing the
importance of robust security measures and user education.

2.6 Countermeasures

● Strategies to Mitigate Risks:
○ Education and awareness programs.
○ Anti-malware tools and regular scans.
○ Implementation of firewalls and secure authentication.

2.7 Internal Controls

●​ Key Components:
○​ Control Environment: Organizational ethics and standards.
○​ Risk Assessment: Identifying risks and their impact.
○​ Control Activities: Policies to mitigate risks (e.g., segregating duties,
authorization systems).
○​ Information and Communication: Transparent sharing of relevant data.
○​ Monitoring: Ongoing evaluations of control effectiveness.
●​ Limitations:
○​ Cannot provide absolute assurance due to human error or fraud.

2.8 Compliance

● Ensures adherence to laws, regulations, and internal policies.
● Non-compliance may lead to financial penalties, reputational damage, and operational setbacks.

Brief Description of Risks

● Compliance Risks: Result from non-adherence to regulatory or legal obligations.
● Operational Risks: Arise from failed internal processes, systems, or human errors.
● Strategic Risks: Linked to long-term organizational goals and market conditions.
● Reputational Risks: Damage caused by public perception due to ethical lapses or failures.
● Technological Risks: Failures in IT systems, leading to service disruptions.
● Financial Risks: Impact on revenue and asset loss due to market fluctuations or fraud.

Based on the MCQs in Chapter 2 of the PDF, the key areas of focus are as follows:

1. Governance, Risk, and Compliance (GRC) Framework

● Definition and objectives of GRC:
○ Integration of governance, risk management, and compliance.
○ Structured approach to align IT with business objectives.
○ Improves decision-making and performance.
● Features of GRC tools:
○ Workflow management.
○ Real-time dashboards for compliance and risk assessment.
○ Risk data management and analytics.

2. Risk Fundamentals

● Asset Characteristics:
○ Valuable to the organization.
○ Hard to replace without cost, time, or resources.
○ Examples: Customer data, IT infrastructure, intellectual property.
● Vulnerability:
○ Weaknesses in systems that threats can exploit.
○ Examples: Poor access controls, short passwords.
● Threats:
○ Events or entities capable of exploiting vulnerabilities.
○ Types:
■ Disclosure Threats: Unauthorized access to private information.
■ Alteration Threats: Unauthorized changes to data.
■ Denial of Service/Destruction Threats: Rendering resources unavailable.
● Risk Definition:
○ Interaction between threats, vulnerabilities, and potential impacts.
○ Example: Risk = Threat × Vulnerability × Impact.

3. Levels and Types of Risk

● Levels of Risk:
○ Inherent: Risk without controls.
○ Current/Residual: Risk after controls are applied.
○ Target: Desired level after further mitigation.
● Types of Risks:
○ Compliance Risks: Non-adherence to regulations.
○ Operational Risks: Failures in processes or systems.
○ Strategic Risks: Challenges in achieving business objectives.
○ Reputational Risks: Negative public perception due to ethical failures.
○ Technological Risks: Failures in IT systems.

4. Risk Management Strategies

●​ 4T's Framework:
○​ Transfer: Sharing risks with third parties (e.g., insurance, outsourcing).
○​ Tolerate: Accepting minor risks where mitigation costs exceed benefits.
○​ Terminate: Avoiding activities with high-risk potential.
○​ Treat: Implementing controls to reduce risks to acceptable levels.

5. Malicious Attacks

● Active and Passive Threats:
○ Active Threats: Include brute force, phishing, and IP spoofing.
○ Passive Threats: Eavesdropping and monitoring transmissions.
● Examples of specific attacks:
○ Phishing: Tricking users into revealing sensitive information.
○ Man-in-the-Middle: Intercepting and modifying communication between two parties.
○ Replay Attacks: Reusing intercepted data packets.

6. Internal Controls

● Components:
○ Control Environment: Organizational ethics and governance.
○ Risk Assessment: Identifying and analyzing risks.
○ Control Activities: Policies and procedures to mitigate risks.
○ Information and Communication: Dissemination of data across the organization.
○ Monitoring: Ongoing evaluation of controls.
● Limitations:
○ Human error.
○ Collusion or management override.
○ Inability to cover unusual transactions.

7. Compliance

●​ Adherence to:
○​ External laws and regulations.
○​ Internal policies and standards.
●​ Examples:
○​ GDPR for data protection.
○​ PCI DSS for payment security.

CHAPTER 3

1. Enterprise Risk Management (ERM) Framework

● Definition: A structured approach to managing risks and opportunities that affect an organization’s objectives.
● Importance: Helps in creating and protecting value for stakeholders.
● The ERM Framework is designed to help organizations identify, assess, manage, and monitor risks that could impact their ability to achieve objectives. It aims to create and protect value for stakeholders by integrating risk management into the organization's processes.

2. Components of the ERM Framework (CRICkEt On Monitor)

●​ Control Environment
○​ Sets the organizational tone regarding risk.
○​ Includes risk management philosophy and risk appetite.
● Objective Setting
○ Objectives must align with the organization’s mission and risk appetite.
○ Objectives must be SMART.
●​ Event Identification
○​ Identifies potential events that could impact objectives.
○​ Distinguishes between risks and opportunities.
●​ Risk Assessment
○​ Analyzes identified risks based on likelihood and impact.
○​ Considers both inherent and residual risks.
●​ Risk Response
○​ Management selects actions to align risks with risk tolerance.
○​ Possible responses include avoiding, accepting, reducing, or sharing risks.
●​ Control Activities
○​ Policies and procedures to ensure effective risk response implementation.
●​ Information & Communication
○​ Relevant information must be captured and communicated effectively.
○​ Ensures all levels of the organization are informed about risks.
●​ Monitoring
○​ Continuous monitoring of the ERM process.
○​ Adjustments made as necessary based on evaluations.

Management Objectives:

● The framework addresses four categories of management objectives: Strategic, Operational, Reporting, and Compliance. Each category reflects different aspects of organizational performance and risk management.

Integration and Implementation:

● Successful implementation of the ERM Framework requires integration into the organization’s culture and processes. It emphasizes the need for a risk-aware culture and alignment with other organizational activities.

Benefits of ERM:

● By adopting the ERM Framework, organizations can enhance decision-making, improve resource allocation, increase resilience, and better manage uncertainties that could impact their objectives.

3. Management Objectives

● Strategic: Aligning risk management with strategic goals.
● Operations: Ensuring operational efficiency and effectiveness.
● Reporting: Accurate reporting of risk performance.
● Compliance: Adhering to laws and regulations.

4. Implementation of IT Controls

● Importance of IT in all enterprises.
● Need for both regulatory and management perspectives in IT controls.
● Focus on governance practices and their adequacy.

5. COSO Frameworks

● Emphasis on internal environment over external influences.
● Focus on loss prevention rather than risk-taking for returns.

6. Learning and Improvement

● Evaluate effectiveness of existing controls.
● Embed a risk-aware culture within the organization.
● Monitor and report on risk performance indicators.

This structured summary captures the essential points and subpoints from the PDF, providing a
clear overview of the ERM framework and its components.

Based on the multiple-choice questions (MCQs) provided in the PDF, here are the important
topics summarized:

1. Components of the ERM Framework

●​ Control Activities: Policies and procedures established to ensure that risk responses
are effectively carried out.
●​ Risk Assessment: The process of identifying and analyzing risks that could affect the
achievement of objectives.

●​ Information and Communication: Ensures that relevant information is communicated
effectively throughout the organization.
●​ Monitoring: Continuous evaluation of the ERM process to ensure its effectiveness and
to make necessary adjustments.

2. Management Objectives

●​ Strategic Objectives: Aligning risk management with the organization’s strategic goals.
●​ Operational Objectives: Ensuring efficiency and effectiveness in operations.
●​ Reporting Objectives: Accurate and timely reporting of risk performance.
●​ Compliance Objectives: Adhering to laws, regulations, and internal policies.

3. Risk Management Principles

●​ Risk Appetite: The level of risk that an organization is willing to accept in pursuit of its
objectives.
●​ Event Identification: The process of identifying potential events that could impact the
organization’s objectives.
●​ Risk Response: Selecting appropriate actions to address identified risks, which may
include avoiding, accepting, reducing, or sharing risks.

4. Benefits of Integrating ERM

● Increased Positive Outcomes: Enhancing the likelihood of achieving objectives.
● Reduced Negative Surprises: Minimizing unexpected adverse events.
● Improved Resource Deployment: Better allocation of resources to manage risks effectively.
● Enhanced Enterprise Resilience: Strengthening the organization’s ability to withstand challenges.

5. COSO ERM Framework

● Focus on Internal Environment: Emphasizes the internal controls and governance practices within the organization.
● Risk Response: Addresses the need to manage risks not just to avoid losses but also to pursue opportunities for returns.

6. Implementation of ERM

●​ Establishing Policies and Procedures: Necessary for effective risk management and
ensuring that selected risk responses are executed.
●​ Embedding a Risk-Aware Culture: Integrating risk management into the organizational
culture and daily operations.

CHAPTER 4

Learning Outcomes

● Understand components and functioning of information systems.
● Recognize the need for protecting information systems.
● Identify security policies, standards, and guidelines.
● Analyze information security threats and countermeasures.

Chapter Overview

Case Study: XYZ Ltd.

● Challenges: Lack of a documented security policy, insufficient management support, absence of dedicated security personnel.
● Risks: Financial losses, productivity delays, loss of intellectual property, and reputation damage.
● Needs: Security training, awareness programs, defined roles, and responsibilities.

Introduction to Information Systems

● Defined as a combination of people, hardware, software, data, and networks.
● Aim: Transform data into meaningful information.
● Components include hardware, software, people, data resources, and networking systems.

Need for Protection of Information Systems

● Reliance on IT for business processes introduces security risks.
● Threats include hacking, viruses, denial of service (DoS) attacks, and natural disasters.
● Importance of safeguarding operations, data, applications, and technology assets.

Information System Security

●​ Focus: Protect data and system resources from loss, alteration, or disclosure.
● Key Components:
○ Logical safeguards (firewalls, passwords).
○ Physical safeguards (locks, secured premises).
● Ensures confidentiality, integrity, and availability (CIA triad).

Principles of Information Security

1. Confidentiality: Protect information from unauthorized access.
2. Integrity: Prevent unauthorized modifications.
3. Availability: Ensure timely and reliable access to information.

Information Security Policy

● Formal statement outlining protection measures for information assets.
● Components:
1. Purpose, scope, and audience.
2. Incident response and monitoring mechanisms.
3. Roles and responsibilities.
● Types of Policies:
1. User Security Policies.
2. Organization Security Policies.
3. Network and System Security Policies.

Tools to Implement Information Security

1. Standards: Define technologies and methodologies.
2. Guidelines: Provide flexible implementation approaches.
3. Procedures: Step-by-step instructions for specific tasks.
● Framework aligns policies with organizational goals.

Monitoring and Auditing

● Regular checks to ensure policies align with business strategies.
● Importance of adapting to evolving risks.
● Internal and external audits assess effectiveness.

Case Studies

Case A: XYZ Ltd.

● No formal policy, reactive approach to risks.
● Issues: Lack of training, ad hoc security measures, and no disaster recovery plan.

Case B: JK Pvt. Ltd.

●​ Comprehensive policy with management support.
●​ Initiatives: Employee training, regular audits, and layered security architecture.

Key Concepts and Questions

●​ Addressed topics: Confidentiality, integrity, access control, and compliance.
●​ CIA triad and hierarchical policies emphasized.

Summary

●​ Information security is essential for safeguarding organizational assets.
●​ Policy implementation and monitoring improve risk management.
●​ Regular audits and training foster a culture of security awareness.

Chapter 5: Business Continuity Planning and Disaster Recovery Planning

Learning Outcomes

After studying this chapter, learners will:

●​ Understand Business Continuity Management (BCM).
●​ Comprehend the key phases of developing a Business Continuity Plan (BCP).
●​ Grasp the BCM process and its cycle.
●​ Learn about various types of plans and backups.
●​ Understand Incident Management Plans (IMP) and Disaster Recovery Procedural Plans
(DRPP).

Key Concepts

Introduction

●​ BCM helps enterprises manage disruptions due to outages or disasters.
●​ Ensures continuity of operations, reducing revenue and reputation loss.
●​ Regular audits ensure BCM aligns with policy and regulatory requirements.

1. Business Continuity Management (BCM)

Need for BCM

●​ Protects critical business functions during disruptions like power outages or disasters.
●​ Ensures recovery with minimal impact.

Scope

●​ Involves top management defining BCM scope, obligations, and control over outsourced
activities.

Advantages

●​ Proactive threat assessment.
●​ Planned responses to minimize disruption.
●​ Regular testing for readiness.

2. Business Continuity Policy

●​ A high-level guide to reduce losses in revenue, reputation, and productivity.
●​ Defines scope, guidelines, and responsibilities for continuity.
●​ Ensures regular testing, revision, and training.

3. Business Continuity Planning (BCP)

Key Areas

1.​ Business Resumption Planning: Operational response.
2.​ Disaster Recovery Planning: Technical recovery aspects.
3.​ Crisis Management: Organizational coordination during crises.

Objectives

●​ Ensure safety, minimize disruptions, coordinate recovery, and identify critical processes.

Development Phases

1.​ Pre-Planning: Scope definition and scheduling.
2.​ Vulnerability Assessment: Risk mitigation strategies.
3.​ Business Impact Analysis (BIA): Assess criticality and impact.
4.​ Detailed Requirements: Resource profiles for recovery.
5.​ Plan Development: Documentation of recovery strategies.
6.​ Testing/Exercising: Validation of BCP.
7.​ Maintenance: Keeping plans current.
8.​ Implementation: Initial testing and integration.

4. BCM Process & Cycle

1.​ Information Collection: Identify interdependencies and risks.
2.​ BCM Strategies: Develop response measures.
3.​ Implementation: Structure incident management teams.
4.​ Testing & Maintenance: Regular evaluations to identify gaps.
5.​ Training & Awareness: Ensure all stakeholders are prepared.

5. Types of Plans

1.​ Emergency Plan: Immediate actions post-disaster.
2.​ Backup Plan: Data recovery procedures.
3.​ Recovery Plan: Long-term restoration of operations.
4.​ Test Plan: Identifies gaps in other plans via simulations.
4.​ Test Plan: Identifies gaps in other plans via simulations.

6. Types of Backups

1.​ Full Backup: Entire dataset backup.
2.​ Incremental Backup: Only changes since the last backup.
3.​ Differential Backup: All changes since the last full backup.
4.​ Mirror Backup: Real-time replication without compression.
5.​ Cloud Backup: Off-site storage for redundancy.

7. Alternate Processing Facilities

1.​ Cold Site: Basic setup for recovery; slower activation.
2.​ Warm Site: Includes hardware for partial operations.
3.​ Hot Site: Fully functional facilities for quick recovery.
4.​ Reciprocal Agreements: Shared resources with another organization.

8. Disaster Recovery Procedural Plan

Includes:

●​ Activation conditions, fallback, and resumption procedures.
●​ Testing and maintenance schedules.
●​ Emergency contacts, medical procedures, and vendor lists.
●​ Alternate manual processes.

Summary

●​ BCM ensures operational continuity, safeguarding revenue and reputation.
●​ Plans and policies must be tested, updated, and communicated regularly to maintain
effectiveness.

Key Areas for Focus Based on MCQs in Chapter 5

1. Business Continuity Management (BCM)

●​ Definition and Importance: Focus on BCM's role in ensuring continuity during
disruptions like power outages, natural disasters, or cyberattacks.
●​ Scope and Advantages:
○​ Identification of key products/services.
○​ Risk accountability for outsourced services.
○​ Proactive threat assessment and damage minimization.

2. Business Continuity Policy (BCP)

●​ Objectives:
○​ Minimize revenue, reputation, and productivity loss.
○​ Ensure critical service delivery during disruptions.
●​ Key Components:
○​ Scope and guidelines for continuity.
○​ Ongoing testing and responsibility assignment.

3. Business Continuity Planning (BCP)

●​ Primary Objectives:
1.​ Ensure critical operations resume within an acceptable timeframe.
2.​ Establish emergency powers and recovery coordination.
●​ Key Phases:
1.​ Pre-planning and project initiation.
2.​ Vulnerability assessment and security controls.
3.​ Business Impact Analysis (BIA) to identify critical systems.
4.​ Recovery strategy definition.

4. Types of Plans

●​ Emergency Plan: Immediate actions post-disaster (e.g., fire evacuation).
●​ Backup Plan: Specifies frequency, type (full, incremental, differential), and recovery
locations.
●​ Recovery Plan: Long-term restoration strategy.
●​ Test Plan: Regular testing to identify gaps in preparedness.

5. Backup Types

●​ Full Backup: All data backed up every time; high storage use.
●​ Incremental Backup: Only new/changed files since the last backup.
●​ Differential Backup: All changes since the last full backup.
●​ Mirror Backup: Real-time, exact replication of files.
●​ Cloud Backup: Offsite, accessible backup for redundancy.
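
The difference between full, incremental and differential backups (sections 6 and 5 above) is easiest to see on a concrete file set. The following Python is an added illustration, not part of these notes: it plays five days of changes to a constructed set of files through each backup mode, counts how many file copies each mode stores, and rebuilds the latest state to show how long the restore chain is. File names, versions and function names are all assumptions made for the example.

```python
"""Added example: what each backup type captures and how a restore chains the sets."""

# Snapshot of the file system on each day: {file name: version number}. Constructed data.
DAILY_STATE = [
    {"ledger.db": 1, "payroll.xlsx": 1, "policy.pdf": 1},                 # Day 0: full backup
    {"ledger.db": 2, "payroll.xlsx": 1, "policy.pdf": 1},                 # Day 1: ledger changed
    {"ledger.db": 2, "payroll.xlsx": 2, "policy.pdf": 1},                 # Day 2: payroll changed
    {"ledger.db": 3, "payroll.xlsx": 2, "policy.pdf": 1, "new.txt": 1},   # Day 3: ledger + new file
    {"ledger.db": 3, "payroll.xlsx": 2, "policy.pdf": 1, "new.txt": 1},   # Day 4: nothing changed
]


def changed_since(current, reference):
    """Files whose version differs from, or is absent in, the reference snapshot."""
    return {f: v for f, v in current.items() if reference.get(f) != v}


def plan_backups(states, mode):
    """Return one backup set per day for mode 'full', 'incremental' or 'differential'.

    Day 0 is always a full backup; only one full backup is taken in this scenario.
    """
    full_state = states[0]          # reference for differential backups
    previous_state = states[0]      # reference for incremental backups
    sets = []
    for day, state in enumerate(states):
        if day == 0 or mode == "full":
            captured = dict(state)                              # everything, every time
        elif mode == "incremental":
            captured = changed_since(state, previous_state)     # since the last backup of any kind
        elif mode == "differential":
            captured = changed_since(state, full_state)         # since the last full backup
        else:
            raise ValueError(f"unknown mode {mode!r}")
        sets.append(captured)
        previous_state = state
    return sets


def restore(sets, mode, upto_day):
    """Rebuild the files as of upto_day. Returns (files, number of backup sets applied)."""
    if mode == "full":
        return dict(sets[upto_day]), 1
    restored = dict(sets[0])                       # start from the full backup
    if mode == "incremental":
        chain = sets[1:upto_day + 1]               # every incremental after the full, in order
    else:
        chain = sets[upto_day:upto_day + 1] if upto_day > 0 else []   # only the latest differential
    for backup_set in chain:
        restored.update(backup_set)
    return restored, 1 + len(chain)


def storage_cost(sets):
    """Total number of file copies held across all backup sets."""
    return sum(len(s) for s in sets)


if __name__ == "__main__":
    for mode in ("full", "incremental", "differential"):
        sets = plan_backups(DAILY_STATE, mode)
        files, steps = restore(sets, mode, 4)
        print(f"{mode:12s} copies stored={storage_cost(sets):2d} restore steps={steps} "
              f"restored ok={files == DAILY_STATE[4]}")
```

The trade-off the notes list as "high storage use" versus restore effort falls out of the numbers: full storage is largest, incremental is smallest but needs every set since the full backup to restore (a damaged set in the middle breaks the chain), and differential sits between the two because each set repeats everything changed since the full backup. A mirror backup is the degenerate case of a single full copy kept in step with the source, so it holds no history at all.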

6. Alternate Processing Facilities

●​ Cold Site: Basic infrastructure; slow recovery.
●​ Warm Site: Partial infrastructure with some hardware.
●​ Hot Site: Fully equipped for immediate recovery.
●​ Reciprocal Agreements: Shared recovery resources.

7. Disaster Recovery Procedural Plan

●​ Key Elements:
○​ Conditions for plan activation.
○​ Emergency, fallback, and resumption procedures.
○​ Regular maintenance and awareness activities.

8. Business Continuity Management Cycle

1.​ Information Collection: Identify critical activities, assets, and risks.
2.​ BCM Strategies: Develop appropriate response measures.
3.​ Implementation: Establish incident management teams.
4.​ Testing and Maintenance: Evaluate and refine plans.
5.​ Training and Awareness: Ensure readiness across stakeholders.

Specific Focus Areas (MCQ Context)

1.​ BCM Cycle: Understanding all stages (e.g., Information Collection, Development &
Implementation, Testing).
2.​ Backup Methods: Characteristics, advantages, and disadvantages of full, incremental,
differential, and mirror backups.
3.​ Plan Testing: Importance of periodic testing and types of tests (e.g., desk checks,
simulations).
4.​ Processing Facility Options: Differences between cold, warm, and hot sites.
5.​ Key Documents in BCM: BIA report, risk assessment, incident logs, and business
continuity strategies.

Chapter 6: System Development Life Cycle (SDLC)

Learning Outcomes

After studying this chapter, you will:

●​ Understand the need for a System Development Life Cycle (SDLC).
●​ Learn the phases and activities involved in SDLC.
●​ Recognize the importance of testing, implementation, and maintenance of information
systems.

Key Concepts

1. Introduction

●​ Definition: SDLC provides a structured framework for developing and maintaining
systems.
●​ Purpose: Ensures better planning, control, and quality of system development.
●​ Barry Boehm’s W5HH Principle: Helps project managers address objectives,
schedules, responsibilities, and resource needs.

2. Need for SDLC

●​ New service delivery opportunities or problems in existing systems.
●​ Strategic management focus shifts (e.g., mergers, new delivery channels).
●​ Technology advancements or competitor strategies involving automation.
●​ Advantages: Better planning, quality compliance, and documentation.
●​ Shortcomings: Cumbersome for small projects, prolonged timelines.

3. Phases of SDLC

1.​ Preliminary Investigation:
○​ Evaluates system feasibility (technical, financial, operational, legal, etc.).
○​ Results in a feasibility study and recommendations to management.
2.​ System Requirements Analysis:
○​ Gathers and documents end-user requirements.
○​ Tools: Data Flow Diagrams, E-R diagrams, system modeling, and questionnaires.
○​ Delivers the System Requirements Specification (SRS).
3.​ System Design:
○​ Logical design (blueprint) and physical construction (hardware, software,
databases).
○​ Key activities: User interface design, database design, and control measures.
4.​ System Development:
○​ Converts design into functional systems via coding, debugging, and
documentation.
○​ Includes coding standards, programming languages, and debugging processes.
5.​ System Testing:
○​ Types of testing:
■​ Unit Testing: Tests individual components.
■​ Integration Testing: Tests combined modules.
■​ Regression Testing: Ensures changes don’t introduce new issues.
■​ System Testing: Tests the system as a whole.
■​ Final Acceptance Testing: Includes User Acceptance Testing (UAT) and
Quality Assurance Testing (QAT).
6.​ System Implementation:
○​ Involves hardware installation, user training, and system conversion strategies:
■​ Direct Changeover: Replaces the old system entirely.
■​ Phased Changeover: Gradual implementation.
■​ Pilot Changeover: Testing in a small area before full rollout.
■​ Parallel Changeover: Running old and new systems simultaneously.
7.​ Post-Implementation Review and Maintenance:
○​ Review: Assesses the system's success and identifies improvements.
○​ Maintenance Types:
■​ Scheduled: Planned updates.
■​ Rescue: Immediate troubleshooting.
■​ Corrective: Fixing bugs.
■​ Adaptive: Adapting to environmental changes.
■​ Perfective: Enhancing functionality.
■​ Preventive: Improving maintainability.

4. Operational Manuals

●​ Provides users with system operation guidelines.
●​ Includes FAQs, troubleshooting sections, and contact details for support.

Chapter 7 System Acquisition and Development Methodologies

Learning Outcomes

●​ Understanding systematic approaches to system acquisition and their phases.
●​ Learning about software procurement, IT proposal evaluation, and external acquisitions.
●​ Analyzing systems for requirement understanding.
●​ Comparing various SDLC (Software Development Life Cycle) models for suitability.
●​ Evaluating the pros and cons of system development models.

Illustrative Case Study

An issue with an online ticketing system is highlighted, leading to the conceptualization and
implementation of an automated solution for better efficiency and accuracy. This case serves as
a framework to introduce the chapter's topics.

Introduction

●​ Information Systems (IS): Defined as a combination of people, hardware, software,
networks, and data resources that process information.
●​ Need for IS: IS enhances organizational processes, customer interaction, and data
management. It ensures data input, processing, output, and feedback mechanisms.

7.2 Information System Acquisition

(A) Acquisition Standards: Management shall introduce acquisition standards that address:

●​ Importance of security, reliability, and compatibility with existing systems.
●​ Use of RFPs (Request for Proposals) for selecting vendors.
●​ Emphasis on defining functional, security, and operational requirements in acquisition
standards.

(B) Acquiring System Components from vendors

●​ Formation of a System Acquisition Committee to oversee procurement.
●​ Vendor selection considers factors like location, financial stability, and user feedback.
●​ Benchmarking is vital to test hardware and software compatibility and performance.

(C) Other Acquisition Aspects

●​ Hardware Acquisition: Emphasizes long-term vendor relationships for support and
expansion.
●​ Software Acquisition: Deciding between in-house development or vendor solutions
based on system needs.
●​ Legal Considerations: Contracts must clearly outline rights, responsibilities, and
intellectual property terms.
●​ Compliance: Ensure systems meet security certifications and legal regulations like
GDPR.
●​ Proposal Validation: Evaluates vendor solutions using criteria like compatibility,
maintainability, and performance.

(D) System Acquisition Cycle

1.​ Defining Requirements: Includes inputs, processes, and expected outputs.
2.​ Identifying Alternatives: Exploring off-the-shelf, custom, or outsourced solutions.
3.​ Feasibility Analysis: Evaluating economic, technical, operational, and legal constraints.
4.​ Risk Analysis: Identifying vulnerabilities and controls.
5.​ Selection Process: Matching solutions to requirements.

6.​ Procuring Software: Negotiating terms and ensuring compliance with contracts.
7.​ Final Acceptance: Stipulating deliverables and acceptance criteria in agreements.

7.3 System Development Methodologies

General Characteristics

●​ Phased processes with starting and ending points.
●​ Deliverables for accountability.
●​ Approvals and testing at each stage.
●​ User training and post-implementation reviews.

Models

1.​ Waterfall Model
○​ Sequential phases.
○​ Strengths: Clear documentation, measurable progress.
○​ Weaknesses: Rigid, inflexible, and slow to adapt to changes.
2.​ Prototyping Model
○​ Iterative development of prototypes.
○​ Strengths: Encourages user feedback, quick iterations.
○​ Weaknesses: Inadequate documentation, potential for incomplete analysis.
3.​ Incremental Model
○​ Combines Waterfall and Prototyping methods (an iterative waterfall).
○​ Strengths: Risk reduction, early deliverables.
○​ Weaknesses: Architectural challenges and rigid phase boundaries.

4.​ Spiral Model
○​ Combines design and prototyping in stages.
○​ Strengths: Risk avoidance and flexibility.
○​ Weaknesses: Complexity, dependency on experienced project managers.
5.​ Rapid Application Development (RAD)
○​ Focus on rapid prototyping and iterative delivery.
○​ Strengths: Quick implementation, user involvement.
○​ Weaknesses: Potential quality issues, inconsistency risks.
6.​ Agile Model
○​ Iterative and incremental, promoting collaboration and flexibility.
○​ Strengths: Adaptive to change, high-quality outcomes.
○​ Weaknesses: Lack of documentation and challenges in long-term planning.

Chapter 8 Information Systems Controls and Classification

1. Learning Outcomes

●​ Understand the Internal Control Framework and its components.
●​ Classify various types of controls under different criteria, including objectives, resources,
audit perspectives, and control activities.
●​ Analyze controls aimed at safeguarding assets, maintaining data integrity, and ensuring
efficient use of resources.
●​ Evaluate the role of auditors in assessing and enforcing these controls.

2. Illustrative Case Study

●​ ABC Multispecialty Hospital faced operational challenges, resulting in:
○​ Reduction in profits due to regulatory changes.
○​ Implementation of Business Process Reengineering to cut operating costs.
○​ Internal control issues, such as hiring based on nepotism and lack of adherence
to policies, led to fraud within the financial system.
○​ Discovery and resolution of fraud emphasized the importance of stringent
controls and auditor roles in maintaining system integrity.

3. Introduction to Information Systems Control

●​ Definition of Controls: Policies, procedures, and organizational structures designed to
provide assurance in achieving objectives.
●​ Objectives of Information Systems (IS) Controls:
○​ Safeguarding assets.
○​ Maintaining data integrity.
○​ Achieving organizational objectives efficiently.
●​ Internal Control Framework: Combines preventive, detective, and corrective measures
to manage risks.

4. Classification of Controls

Controls are classified based on objectives, nature of resources, audit perspectives, and
activities.

4.1 Based on Objectives of Controls

●​ Preventive Controls:
○​ Designed to prevent errors or malicious acts.
○​ Examples: Firewalls, antivirus software, and segregation of duties.
●​ Detective Controls:
○​ Identify and report errors or incidents that elude preventive controls.
○​ Examples: Intrusion detection systems, internal audits.
●​ Corrective Controls:
○​ Address errors or incidents after detection.
○​ Examples: Backup restoration, updating IT access rights.
●​ Directive Controls:
○​ Provide guidance to manage risks.
○​ Examples: SOPs, training manuals.

4.2 Based on Nature of Information System Resources

●​ Environmental Controls:
○​ Mitigate risks from fire, electrical surges, water damage, and pollution.
○​ Examples: Smoke detectors, UPS systems, water-proofing measures.
●​ Physical Access Controls:
○​ Protect physical resources and facilities.
○​ Examples: Security guards, CCTV, biometric authentication.
●​ Logical Access Controls:
○​ Restrict access to data and systems.
○​ Examples: Password policies, encryption, firewalls.

4.3 Based on Audit Perspective

●​ Management Control Framework:
○​ Involves senior management's role in planning, organizing, leading, and
controlling IS functions.
○​ Covers strategic IT policies, security management, and disaster recovery plans.
●​ Application Control Framework:
○​ Focuses on controls within specific software applications.
○​ Examples: Input controls, processing controls, output controls.

4.4 Based on Control Activities

●​ IT Controls:
○​ Focus on safeguarding information systems through hardware, software, and
network management.
●​ Physical Controls:
○​ Secure assets like documents and infrastructure.
●​ Application Controls:
○​ Ensure accuracy and consistency in application-specific operations.

Summary

1.​ User Training and Qualification of Operations Personnel: Staff must possess the
necessary skills and competencies to monitor and operate the IT environment, with training as a
tool for further skill development.
2.​ Change Management: IT solutions undergo change to adapt to new technology and
business needs. A structured change management process is crucial to manage transitions
effectively.
3.​ Backup, Recovery, and Business Continuity: Given the dependence on IT, organizations
must ensure resilience through proper backup and recovery strategies to minimize disruption.
4.​ Application Software Development and Implementation: Controls during software
development are essential for alignment with organizational standards, maintaining budget, and
ensuring security and quality.
5.​ Confidentiality, Integrity, and Availability of Data: Security should safeguard sensitive
information, ensuring that controls are in place to protect data integrity and availability.
6.​ Incident Response Management: It’s vital to have procedures for addressing system
failures promptly to mitigate impacts.
7.​ Monitoring Applications and Supporting Services: Continuous oversight of servers and
applications is necessary to ensure they perform as per established standards.
8.​ General IT Controls:
○​ Information Security Policy: A comprehensive policy to protect information assets across
the organization.
○​ Access Controls: Measures to restrict system access to authorized users only.
○​ Separation of IT Functions: Clear demarcation of roles within the IT Department to avoid
conflicts.
○​ Management of Systems Acquisition: Establish protocols for the secure acquisition and
implementation of IT systems.

Summary of Section 8.4: Role of Auditors

Auditors play a critical role in evaluating and ensuring the effectiveness of information systems
(IS) and related controls. Their responsibilities span various stages of system evaluation and
auditing, focusing on both technical and procedural aspects.

Key Responsibilities of Auditors

1. Ensuring Asset Safeguarding

●​ Verify that organizational assets such as hardware, software, data, and infrastructure are
protected against unauthorized access or misuse.
●​ Evaluate the implementation of physical and logical access controls.

2. Assessing Data Integrity

●​ Ensure the accuracy, completeness, and reliability of data throughout its lifecycle (input,
processing, storage, and output).
●​ Evaluate systems for proper error detection, validation checks, and consistent data
handling.

3. Evaluating System Effectiveness

●​ Review whether the information system meets user needs and supports decision-making
processes.

●​ Ensure that the system facilitates timely and accurate reporting for stakeholders.

4. Promoting System Efficiency

●​ Analyze whether resources such as system time, labor, and peripherals are being
optimally utilized.
●​ Recommend improvements to reduce resource wastage and enhance system
performance.

5. Monitoring Compliance

●​ Verify that the organization adheres to relevant legal, regulatory, and internal policy
requirements.
●​ Check for adherence to frameworks like ISO standards, GDPR, or other compliance
regulations.

6. Conducting Risk Assessments

●​ Identify potential risks in system design, implementation, and operation.
●​ Evaluate controls in place to mitigate risks like unauthorized access, data breaches, or
system failures.

7. Providing Recommendations

●​ Offer actionable suggestions for improving system controls, efficiency, and compliance.
●​ Advise management on optimizing IT governance frameworks and processes.

Skills and Tools Utilized by Auditors

●​ Proficiency in Computer-Assisted Audit Techniques (CAATs) to automate testing and
data analysis.
●​ Expertise in evaluating both management and application controls.
●​ Use of techniques like Integrated Test Facility (ITF), transaction tagging, and
simulations to validate system performance.

Chapter 9 Information Technology Tools and Digital Ecosystem Controls

1. Learning Outcomes

●​ Distinguishing Information Systems and IT: Understand their components and roles
in auditing.
●​ Information Systems Audit (ISA): Learn the steps, objectives, and factors influencing
IS audits.
●​ IT Tools Overview: Comprehend tools like CAATs (Computer Assisted Audit
Techniques) and their applications.
●​ Risks and Controls: Analyze risks in specific business processes (P2P, O2C, HR,
CASA, etc.) and related controls.

2. Key Concepts

2.1 Information Systems vs. Information Technology

●​ Information Systems (IS): Comprise people, processes, and technology to manage
data.
●​ Information Technology (IT): Hardware, software, and communication elements within
IS.
●​ Auditor Skills: Auditors require proficiency in IT tools for financial, internal security, and
compliance audits.

2.2 Importance of IT Auditing

●​ Objective: Evaluate systems to ensure they meet data processing, control, and security
needs.
●​ Methods: Utilize tools like internal control questionnaires, interviews, and document
reviews.

3. Controls and Inspection of Information Systems

Factors Influencing Controls

1.​ Data Loss Costs: Accurate data enhances adaptability and prevents substantial losses.
2.​ Incorrect Decision Costs: Decisions rely on MIS reports; errors can impact
stakeholders.
3.​ Computer Abuse Costs: Includes unauthorized access, malware, and data leaks,
harming reputation.

4.​ Hardware/Software Value: IT infrastructure disruptions can affect business
competitiveness.
5.​ High Costs of Errors: Errors in processing (e.g., incorrect orders) can lead to significant
financial damage.
6.​ Privacy Maintenance: Adhering to regulations like the Digital Personal Data Protection
Act ensures security.
7.​ Controlled Evolution: Regular monitoring and updating of IT systems are critical for
reliability.

4. Information Systems Auditing (ISA)

Objectives

●​ Safeguarding Assets: Protect hardware, software, data, and facilities from
unauthorized access.
●​ Data Integrity: Ensure accuracy, reliability, and transparency throughout the data
lifecycle.
●​ System Effectiveness and Efficiency: Align systems with user needs while minimizing
resource use.

Audit Approaches

1.​ Auditing Around the Computer: Focus on inputs and outputs without reviewing
program logic.
2.​ Auditing Through the Computer: Evaluate system controls using techniques like
embedded modules, transaction tagging, and simulations.

5. Steps in Information Systems Audit

1.​ Scoping and Pre-Audit Survey: Identify focus areas and collect preliminary data.
2.​ Planning: Develop a risk-control matrix and work plan.
3.​ Fieldwork: Gather evidence through interviews and process observations.
4.​ Analysis: Use methods like SWOT or PEST analysis to evaluate findings.
5.​ Reporting: Share findings with management and obtain explanations for observations.
6.​ Closure: Prepare for follow-up audits and ensure action on recommendations.

6. IT Audit Tools

6.1 Computer-Assisted Audit Techniques (CAATs)

●​ Usage: Automate audit processes, analyze data, and validate application controls.
●​ Examples: ACL, IDEA, Excel for data analysis, and regression.

6.2 Integrated Test Facility (ITF) (e.g., in Tally, open a dummy company and post test entries)

●​ Purpose: Test application systems using dummy entities to verify processing.
●​ Advantages: Continuous monitoring during regular operations.

6.3 Test Data

●​ Method: Test valid and invalid transactions to evaluate system responses.
●​ Applications: Detect flaws in credit card processing or inventory adjustments.

6.4 Parallel Simulation

●​ Concept: Maintain a copy of production programs to validate processing accuracy.
●​ Advantage: Ensures program logic consistency without disrupting operations.
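
Sections 6.3 and 6.4 describe two techniques that are easy to confuse: with test data the auditor feeds the live application predetermined transactions and compares each result with the expected one; with parallel simulation the auditor writes an independent program from the documented rules, re-processes real transactions through it, and investigates every disagreement. The Python below is an added example, not from these notes or from any real product. It uses a constructed credit-approval routine (the kind of check an order-to-cash system performs before accepting an order) with a deliberately planted defect, so that both techniques have something to find. The customer master, transactions and function names are all assumptions made for the example.

```python
"""Added example: the 'test data' and 'parallel simulation' CAATs against a constructed routine."""

# --- Constructed 'production' routine under audit ---------------------------------------
# Documented policy: approve an order only if the customer is active AND
# (outstanding balance + order amount) <= credit limit.
# Planted defect: the routine checks the order amount alone and ignores the outstanding balance.
def production_approve(order, customer):
    if customer["status"] != "active":
        return "REJECT"
    if order["amount"] <= customer["credit_limit"]:
        return "APPROVE"
    return "REJECT"


# --- Auditor's parallel simulation: independent implementation of the documented policy ---
def simulated_approve(order, customer):
    if customer["status"] != "active":
        return "REJECT"
    exposure = customer["outstanding"] + order["amount"]
    return "APPROVE" if exposure <= customer["credit_limit"] else "REJECT"


# Constructed customer master file.
CUSTOMERS = {
    "C001": {"status": "active",  "credit_limit": 10000, "outstanding": 0},
    "C002": {"status": "active",  "credit_limit": 10000, "outstanding": 8000},
    "C003": {"status": "blocked", "credit_limit": 50000, "outstanding": 0},
}


def process(app, order):
    """Wrapper standing in for the application's front end: look up the customer, then apply
    the approval routine. An unknown customer is rejected before any rule runs."""
    customer = CUSTOMERS.get(order["customer"])
    if customer is None:
        return "REJECT"
    return app(order, customer)


# Constructed test data: valid, boundary and invalid transactions, each with the result the
# auditor derives from the documented policy.
TEST_DATA = [
    {"id": "T1", "customer": "C001", "amount": 5000,  "expected": "APPROVE"},  # plain valid order
    {"id": "T2", "customer": "C001", "amount": 10000, "expected": "APPROVE"},  # boundary: exactly at limit
    {"id": "T3", "customer": "C001", "amount": 10001, "expected": "REJECT"},   # just over the limit
    {"id": "T4", "customer": "C002", "amount": 3000,  "expected": "REJECT"},   # over limit once balance counted
    {"id": "T5", "customer": "C003", "amount": 100,   "expected": "REJECT"},   # blocked customer
    {"id": "T9", "customer": "C999", "amount": 100,   "expected": "REJECT"},   # customer not on master file
]


def run_test_data(app):
    """Test-data technique: return the ids of transactions the application handled incorrectly."""
    return [t["id"] for t in TEST_DATA if process(app, t) != t["expected"]]


# Constructed sample of one day's real transactions, as pulled from the production log.
LIVE_TRANSACTIONS = [
    {"id": "L1", "customer": "C001", "amount": 2500},
    {"id": "L2", "customer": "C002", "amount": 1500},   # 8000 + 1500 <= 10000: both agree
    {"id": "L3", "customer": "C002", "amount": 2500},   # 8000 + 2500 >  10000: production wrongly approves
    {"id": "L4", "customer": "C003", "amount": 100},
]


def parallel_simulation(app, transactions):
    """Parallel-simulation technique: re-process live transactions with the auditor's program
    and return the ids where production and simulation disagree."""
    return [t["id"] for t in transactions
            if process(app, t) != process(simulated_approve, t)]


if __name__ == "__main__":
    print("test data failures   :", run_test_data(production_approve))          # ['T4']
    print("simulation exceptions:", parallel_simulation(production_approve,
                                                         LIVE_TRANSACTIONS))  # ['L3']
```

The two techniques surface the same defect from different directions: the test-data run fails only on T4, the case designed to exercise the outstanding-balance rule, while the parallel simulation flags L3 from ordinary traffic without anyone having predicted that case. The boundary transaction T2 and the unknown-customer transaction T9 are there because test data is only as good as the edge cases it includes.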

6.5 Continuous and Intermittent Simulation (CIS): exception trapping.

7. Business Processes – Risks and Controls

7.1 Procure to Pay (P2P)

●​ Risks: Unauthorized changes to supplier data, delayed processing, and inaccurate
entries.
●​ Controls: Access restrictions, validation of requisitions, and timely processing.
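
The P2P controls listed above (access restrictions on supplier data, and the segregation of duties that section 4.1 gives as a preventive control) can also be checked after the fact as detective controls over the application's log. The Python below is an added example, not from these notes: it parses a constructed CSV log of purchase-order events and reports (a) any user who performed two or more conflicting duties on the same purchase order, and (b) any supplier bank-detail change made by someone outside the vendor-master role. The log lines, user names, role membership and the set of conflicting actions are all assumptions made for the example.

```python
"""Added example: two detective controls for Procure-to-Pay, run over a constructed log."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed application log (CSV). PO-1001 is handled by five different people;
# PO-1002 is created, approved and paid by the same person; henry is outside the vendor-master role.
LOG = """\
timestamp,user,action,object
2024-03-01T09:00,alice,create_po,PO-1001
2024-03-01T09:30,bob,approve_po,PO-1001
2024-03-02T10:00,carol,goods_receipt,PO-1001
2024-03-03T11:00,dave,approve_invoice,PO-1001
2024-03-04T12:00,erin,release_payment,PO-1001
2024-03-01T09:05,frank,create_po,PO-1002
2024-03-01T09:10,frank,approve_po,PO-1002
2024-03-02T10:30,frank,goods_receipt,PO-1002
2024-03-03T11:30,dave,approve_invoice,PO-1002
2024-03-04T12:30,frank,release_payment,PO-1002
2024-03-05T08:00,bob,change_supplier_bank,SUP-77
2024-03-05T08:30,henry,change_supplier_bank,SUP-42
"""

# Users permitted to edit supplier master data (the access-restriction control). Constructed.
VENDOR_MASTER_ROLE = {"bob", "grace"}

# Duties that one person must not combine on the same purchase order. Constructed rule set;
# goods receipt is deliberately left out so the example shows a non-conflicting action being ignored.
CONFLICTING = {"create_po", "approve_po", "approve_invoice", "release_payment"}


def parse_log(text):
    """Read the CSV log into a list of dicts keyed by the header row."""
    return list(csv.DictReader(StringIO(text)))


def sod_violations(events):
    """Segregation-of-duties check.

    Returns {po: {user: [conflicting actions]}} for every PO on which a single user
    performed two or more of the CONFLICTING duties.
    """
    duties = defaultdict(lambda: defaultdict(set))        # po -> user -> {actions}
    for e in events:
        if e["action"] in CONFLICTING:
            duties[e["object"]][e["user"]].add(e["action"])
    findings = {}
    for po, users in duties.items():
        offenders = {u: sorted(a) for u, a in users.items() if len(a) >= 2}
        if offenders:
            findings[po] = offenders
    return findings


def unauthorized_master_changes(events):
    """Access-restriction check: supplier bank-detail changes by users outside the vendor-master role."""
    return [(e["user"], e["object"]) for e in events
            if e["action"] == "change_supplier_bank" and e["user"] not in VENDOR_MASTER_ROLE]


if __name__ == "__main__":
    events = parse_log(LOG)
    print("SoD violations:", sod_violations(events))
    print("Unauthorized supplier changes:", unauthorized_master_changes(events))
```

Running this over the constructed log reports frank for PO-1002 (create, approve and pay) and henry's change to SUP-42, and nothing for PO-1001, where the duties were spread across five people. A preventive version of the same rule would block the second conflicting action at the point of entry; the detective version is what an auditor runs over a period's log to confirm the preventive control actually held.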

7.2 Order to Cash (O2C)

●​ Risks: Invalid customer data, unauthorized credit approvals, and incorrect invoicing.
●​ Controls: Credit checks, accurate data transfers, and system-generated reports.

7.3 Inventory Cycle

●​ Risks: Mismanagement of inventory records, delayed updates, and incorrect
transactions.
●​ Controls: Regular updates to master files, validation of shipments, and segregation of
duties.

7.4 Human Resources

●​ Risks: Unauthorized access, incorrect payroll entries, and outdated master files.
●​ Controls: Restrict access to payroll systems, ensure timely updates, and conduct
regular reviews.

7.5 Fixed Assets

●​ Risks: Inaccurate asset records, missed depreciation entries, and unauthorized
disposals.
●​ Controls: Validate acquisitions, ensure proper depreciation, and track disposals
accurately.

7.6 General Ledger

Chapter 10 Digital Data and Analysis (Unit IV)

1. Introduction

●​ Organizations gather data during operations for effective analysis and decision-making.
●​ Data analysis transforms raw data into actionable insights, enhancing productivity, HR
policies, and expense optimization.

2. Data Protection

●​ Definition: Protection of digital data against unauthorized access or loss.
●​ Components:
○​ Data Privacy: Guidelines for proper data handling and accessibility.
○​ Data Security: Techniques for preventing unauthorized data access or misuse.
○​ Data Protection Strategies: Encryption, access control, and multifactor
authentication.

3. Fair Information Practices

●​ Principles for ethical data handling:
○​ Collection Limitation: Standardized and minimal data collection.
○​ Data Quality: Accurate and relevant data collection.
○​ Purpose Specification: Clear usage objectives with encryption.
○​ Use Limitation: Restricted data use through authentication.
○​ Security Safeguards: Encryption during data storage and transit.
○​ Individual Participation: Rights to data access, correction, and erasure.
○​ Accountability: Data handlers ensure these practices are followed.

4. Data Security Tools

●​ Encryption: Secures data by converting it into unreadable formats.
●​ Firewalls: Monitors and filters network traffic.
●​ Two-Factor Authentication (2FA): Adds an extra verification step for access.
●​ Access Control: Limits access to authorized personnel.
●​ Data Loss Prevention (DLP): Protects data from unauthorized deletion or copying.

5. Data Analysis

●​ Types of data:
○​ Internal Data: Business operations and performance metrics.
○​ External Data: Consumer and market trends.
○​ Qualitative Data: Non-statistical insights (e.g., interviews, documents).
○​ Quantitative Data: Measurable data (e.g., surveys, metrics).

Stages of Data Analysis

1.​ Requirement Gathering: Define objectives.
2.​ Data Collection: Identify data sources.
3.​ Data Cleaning: Eliminate irrelevant data.
4.​ Data Analysis: Use techniques like data mining or predictive analytics.
5.​ Data Visualization: Represent data via charts and graphs.

6. Data Analysis Tools

●​ Examples:
○​ Microsoft Power BI: For visualization and analytics.
○​ Tableau: For data dashboards.
○​ Python & R: For programming-based analytics.
○​ KNIME: Open-source data mining.
○​ MS Excel: Widely used for basic analysis.

7. Data Analytics

●​ Definition: Turning analyzed data into actionable insights.
●​ Types:
○​ Descriptive Analytics: Summarizes past data.
○​ Diagnostic Analytics: Explains causes of past events.
○​ Predictive Analytics: Forecasts future trends.
○​ Prescriptive Analytics: Recommends actions for specific goals.

8. Data Assurance

●​ Ensures data quality through:
○​ Data Governance: Managing data standards and policies.
○​ Data Profiling & Matching: Identifying issues and duplicates.
○​ Data Quality Reporting: Enforcing rules and monitoring data integrity.
○​ Master Data Management (MDM): Centralizing key data.
○​ Customer Data Integration: Consolidating customer data for analytics.

9. Information Technology Act, 2000

●​ Governs cybercrimes, electronic records, and digital signatures.
●​ Key sections:
○​ Section 43: Penalties for unauthorized data access.
○​ Section 66: Punishment for cyber offenses like identity theft.
○​ Section 67: Penalties for obscene material online.
●​ 2008 amendments introduced stricter cybersecurity measures and data protection.

10. Digital Personal Data Protection Act, 2023

●​ Applicability: Covers all digital personal data in India and data related to services
offered in India.
●​ Key Features:
○​ Consent: Data processed only with individual consent.
○​ Rights: Access, correction, and erasure of personal data.
○​ Obligations of Data Fiduciaries: Safeguards to prevent data breaches.
○​ Exemptions: For government activities and legal obligations.
○​ Data Protection Board: Ensures compliance and imposes penalties.

Summary of the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), a unified data privacy law across the
European Union (EU) and European Economic Area (EEA), focuses on protecting personal data
and clarifying rules for organizations handling such data. Below are the key aspects of GDPR:

Objectives of GDPR

● Protect individuals' personal data from unauthorized access, use, or destruction.
● Strengthen individual rights in the digital age.
● Ensure organizations collect and process data responsibly.

Principles of GDPR

1. Lawfulness, Fairness, and Transparency:
○ Data must be processed lawfully and transparently, with individuals informed about its purpose.
2. Purpose Limitation:
○ Data must be collected for specific, explicit, and legitimate purposes only.
3. Data Minimization:
○ Data collection must be limited to what is strictly necessary.
4. Accuracy:
○ Data must be kept accurate and up-to-date, with errors corrected promptly.
5. Storage Limitation:
○ Personal data should only be stored as long as necessary for its intended purpose.
6. Integrity and Confidentiality:
○ Adequate security measures must be taken to protect data from breaches.
7. Accountability:
○ Organizations must demonstrate compliance with GDPR by implementing appropriate measures.

GDPR and the European Data Protection Board

●​ GDPR established the European Data Protection Board (EDPB) to ensure consistent
application of rules across member states.
●​ National bodies in European countries are tasked with protecting personal data at the
local level.

Similarities Between GDPR and India's Digital Personal Data Protection Act (DPDPA)

● Both laws regulate organizations handling personal data.
● Provisions for reporting data breaches and imposing penalties for non-compliance.
● Data subjects have rights such as access, correction, and deletion of their data.

Differences Between GDPR and DPDPA

1. Geographical Scope:
○ GDPR applies to organizations processing data of individuals within the EU, regardless of the organization's location.
○ DPDPA applies to organizations processing personal data within India or offering goods and services to Indian residents.
2. Scope of Data:
○ GDPR includes data available publicly and has special categories like racial origin or political views.
○ DPDPA excludes publicly available data and lacks these special categories.
3. Processing Basis:
○ GDPR includes broader legitimate interests for data processing.
○ DPDPA is more consent-centric.
4. Consent Age:
○ GDPR allows member states to set the age of consent between 13 and 16 years.
○ DPDPA sets the age of consent at 18 years, requiring parental consent for minors.
5. Digitized vs. Non-Digitized Data:
○ GDPR applies to all personal data, whether digital or non-digital.
○ DPDPA focuses only on digitized personal data.

Chapter 11 Business Intelligence

Learning Outcomes

● Understand the concept and functionalities of Business Intelligence (BI).
● Appreciate the usage of BI tools in organizations.

1. Introduction

●​ Definition: BI is the process of analyzing raw data to generate insights that inform
business decisions.
●​ Functions: Helps businesses understand marketing strategies, financial performance,
market trends, and consumer behavior.
●​ Modern BI: Employs advanced tools like dashboards, graphs, and data visualizations to
empower decision-making.

2. Functionalities of Business Intelligence

1.​ Analytics: Extracts insights from historical and current data using techniques like trend
analysis and modeling.
2.​ Dashboards: Displays role-relevant data using visualizations and key performance
indicators (KPIs).
3.​ Data Mining: Uses machine learning and statistical tools to find patterns in large
datasets.
4.​ ETL (Extract, Transform, Load): Processes raw data into a data warehouse for
analysis.
5.​ Model Visualization: Converts raw data into charts, graphs, and other visuals.
6.​ OLAP (Online Analytical Processing): Analyzes multi-dimensional data for tasks like
financial forecasting.
7.​ Predictive Modeling: Uses statistical methods to predict trends and outcomes.
8.​ Reporting: Provides comprehensive reports and visualizations for better business
understanding.
9.​ Scorecards: Measures KPIs and tracks business progress.
10.​Real-Time Monitoring: Offers tools to analyze data in real-time for quick
decision-making.
11.​Collaborative BI: Shares insights with stakeholders for team collaboration.
12.​Mobile BI: Makes BI data accessible on mobile devices.

3. Business Intelligence Life Cycle

1.​ Analyze Business Requirements: Identify business needs and required analysis.
2.​ Design Data Model: Create a logical model to represent data relationships.
3.​ Design Physical Schema: Build a schema to define data warehouse structure.
4.​ Build Data Warehouse: Populate the warehouse with structured data.
5.​ Create BI Project Structure: Develop metadata for mapping tables and processes.
6.​ Develop BI Objects: Create dashboards, reports, and metrics for data analysis.
7.​ Administer and Maintain: Continuously monitor and update BI projects.

4. Business Intelligence Tools

●​ BI tools aggregate and analyze data from various sources like CRM systems, ERP
systems, and external databases.
●​ Advantages:
○​ Centralized data.
○​ Automated reporting.
○​ Real-time access and easy exports.
○​ Compatibility with other systems.
○​ Cost reduction and predictive insights.
●​ Popular BI Tools:
○​ Microsoft Power BI: Integrates with multiple data sources, offers real-time
monitoring, and provides predictive analytics.
○​ Tableau: Known for intuitive data visualization and supports various databases.
○​ QlikSense: Focuses on self-service analytics and user-friendly interfaces.
○​ Dundas BI: Flexible and allows independent data analysis.
○​ Sisense: Simplifies analytics with customizable dashboards.
○​ Other tools: SAS Visual Analytics, Zoho Analytics, SAP Business Objects,
Google Data Studio.

5. Chart Types in Power BI

1. Line Charts: Show trends over time.
2. Bar Charts: Represent absolute data and can display negative values.
3.​ Pie Charts: Divide data into proportional slices.
4.​ Doughnut Charts: Similar to pie charts but with a hole in the middle.
5.​ Funnel Charts: Visualize data flow through stages.

6. Business Intelligence vs Data Analytics

| Business Intelligence | Data Analytics |
|---|---|
| Provides decision-making support. | Modifies raw data into meaningful formats. |
| Focuses on past data for strategy. | Uses past data for forecasting. |
| Utilizes structured data. | Uses structured and unstructured data. |
| Primarily for leadership teams. | For analysts and data scientists. |

7. Case Studies

● Heathrow Airport:
○ Used Microsoft Power BI and Azure for real-time data visualization and operational efficiency.
○ Improved passenger flow and pre-empted potential disruptions.
● SkullCandy:
○ Adopted Sisense for data integration and real-time reporting.
○ Improved departmental collaboration and reduced data inaccuracies.

8. Benefits of BI in Retail

1. Improved Customer Experience: Ensures customer satisfaction at every stage.
2. Predictive Modeling: Combines data to identify trends and predict customer preferences.
3.​ Price Optimization: Adjusts prices based on supply, demand, and trends.

Chapter 12 – ABCD of FinTech

Learning Outcomes

After studying this chapter, learners will:

1.​ Comprehend the ABCD technologies (AI, Blockchain, Cloud Computing, Big Data) used
in FinTech.
2.​ Understand the real-time usage of Artificial Intelligence.
3.​ Grasp Blockchain concepts in financial institutions.
4.​ Explore the role of Cloud Computing and Big Data in finance.

12.1 Introduction to FinTech

● Definition: FinTech refers to the innovative use of technology in financial services/products like lending, insurance, investment management, and payments.
●​ FinTech Segments:
1.​ Business-to-Consumer (B2C): Services offered to end consumers.
2.​ Business-to-Business (B2B): Services designed for businesses.
●​ Key Technologies in FinTech: Artificial Intelligence (AI), Blockchain, Cloud Computing,
and Big Data.
●​ Examples of FinTech Products:
1.​ Peer-to-Peer (P2P) Lending: Matches lenders and borrowers directly using
technology.
2.​ Crowdfunding: Raises small amounts from multiple investors via online platforms.
3.​ Distributed Ledger Technology (DLT): Decentralized databases where all
participants maintain identical copies of shared ledgers (e.g., blockchain).
4.​ Robo-Advisors: Algorithm-driven platforms offering financial planning with
minimal human intervention.

Objectives and Advantages of FinTech

1.​ Objectives: Simplify financial transactions and provide services efficiently via
smartphones.
2.​ Why FinTech Over Banks:
○​ Lower fees, better rates, and greater convenience.
○​ Advanced technology (e.g., AI and big data) for market analysis and credit
scoring.
3. Trends in FinTech:
○ Growth in digital banking, blockchain adoption, and AI/ML technologies for fraud detection and automation.

12.2 Artificial Intelligence (AI)

●​ Definition: AI involves building smart systems capable of human-like tasks (e.g., speech
recognition, decision-making).
●​ Applications in Finance:
○​ Robotic Process Automation (RPA) for repetitive tasks like reconciliation.
○​ Fraud detection, risk management, and customer satisfaction enhancement.
●​ Types of AI:
○​ Based on Capabilities:
1.​ Weak/Narrow AI: Performs specific tasks (e.g., Siri).
2.​ General AI: Mimics human intelligence (currently theoretical).
3.​ Super AI: Surpasses human intelligence (hypothetical).
○​ Based on Functionalities:
1.​ Reactive AI: Focuses on current tasks (e.g., chess programs).
2.​ Limited Memory AI: Learns from past experiences (e.g., self-driving cars).
3.​ Theory-of-Mind AI: Understands emotions (in research).
4.​ Self-Aware AI: Machines with consciousness (future concept).

12.3 Blockchain

● Definition: A decentralized digital ledger that securely records transactions across a peer-to-peer network.
●​ Structure:
○​ Block: A record of transactions.
○​ Chain: Cryptographic linking of blocks.
○​ Network: Decentralized nodes validating transactions.
●​ Types of Blockchain:
○​ Permissioned (Private and Consortium), Permissionless (Public), and Hybrid
Blockchain.
●​ Applications:
○​ Cryptocurrencies (e.g., Bitcoin).
○​ Supply chain management for transparency.
○​ Real estate, healthcare, and cross-border payments.
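The block, chain and network structure described above, as an added Python example that is not code from the notes: each block stores the SHA-256 hash of the block before it, and a node validates a copy of the ledger by recomputing every hash and checking every backward pointer, so a copy in which any past transaction has been edited is rejected. The transactions, the fixed timestamps and the function names are constructed for the example.

```python
"""A minimal block chain showing what 'cryptographic linking' means: each block
carries the SHA-256 hash of its predecessor, so altering any past transaction
invalidates every later block. Added example, not from the notes; the
transactions and timestamps are constructed."""
import hashlib
import json
from dataclasses import dataclass, field, asdict


@dataclass
class Block:
    index: int
    timestamp: int          # fixed constructed timestamps keep hashes reproducible
    transactions: list
    prev_hash: str          # the cryptographic link to the previous block
    hash: str = field(default="")

    def compute_hash(self):
        # Hash the canonical JSON of every field except the hash itself.
        payload = {k: v for k, v in asdict(self).items() if k != "hash"}
        blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(blob).hexdigest()


GENESIS_PREV = "0" * 64  # the first block has no predecessor


def build_chain(tx_batches, start_time=1_700_000_000):
    """Append one block per batch, each linked to the hash of the block before."""
    chain = []
    prev = GENESIS_PREV
    for i, txs in enumerate(tx_batches):
        block = Block(index=i, timestamp=start_time + 60 * i,
                      transactions=txs, prev_hash=prev)
        block.hash = block.compute_hash()
        chain.append(block)
        prev = block.hash
    return chain


def validate_chain(chain):
    """What every node does before accepting a copy: recompute each block's
    hash and check each prev_hash pointer. Returns (ok, first_bad_index)."""
    expected_prev = GENESIS_PREV
    for block in chain:
        if block.prev_hash != expected_prev or block.hash != block.compute_hash():
            return False, block.index
        expected_prev = block.hash
    return True, None


def tampered_copy(chain, block_index, tx_index, new_amount):
    """Simulate a participant editing an old ledger entry in its own copy.
    asdict() deep-copies the nested lists, so the original chain is untouched."""
    copy = [Block(**asdict(b)) for b in chain]
    copy[block_index].transactions[tx_index]["amount"] = new_amount
    return copy


# Constructed transactions for three blocks.
TX_BATCHES = [
    [{"from": "alice", "to": "bob", "amount": 25}],
    [{"from": "bob", "to": "carol", "amount": 10},
     {"from": "alice", "to": "dave", "amount": 5}],
    [{"from": "carol", "to": "alice", "amount": 3}],
]

if __name__ == "__main__":
    chain = build_chain(TX_BATCHES)
    print("honest copy:", validate_chain(chain))
    bad = tampered_copy(chain, 1, 0, 1000)
    print("edited copy:", validate_chain(bad))
    bad[1].hash = bad[1].compute_hash()  # re-hash the edited block...
    print("edited and re-hashed:", validate_chain(bad))  # ...block 2 still points at the old hash
```

Re-hashing the edited block does not help the tamperer: the next block's prev_hash still names the original hash, so validation fails one block later. Rewriting the whole tail is what a real network's consensus rules (proof of work, permissioned validators) are there to make impractical, which is why the notes list the network of validating nodes as part of the structure alongside the blocks and the chain.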

12.4 Cloud Computing

●​ Definition: Delivery of computing resources (e.g., storage, applications) over the
Internet.
●​ Characteristics:
○​ On-demand self-service, scalability, broad network access, and resource pooling.
●​ Service Models:
○ Software as a Service (SaaS): the software application itself.
○ Platform as a Service (PaaS): operating system, programming language, and database.
○ Infrastructure as a Service (IaaS): hardware.
●​ Deployment Models:
○​ Private, Public, Hybrid, and Community Clouds.
●​ Advantages:
○​ Cost efficiency, flexibility, backup, and global accessibility.
●​ Drawbacks:
○​ Internet dependency, security risks, and vendor-specific limitations.

12.5 Big Data

● Definition: Analysis of massive datasets for insights.
● Usage in Finance:
○​ Predicting market trends, customer behavior, and fraud prevention.
●​ Obstacles:
○​ Complexity, integration challenges, and privacy concerns.

Benefits and Challenges of FinTech

Benefits:

1. Increased speed and efficiency in transactions.
2. Financial inclusion in underserved regions.
3.​ Improved insights through big data analytics.
4.​ Resilient systems with distributed ledger technology.

Challenges:

1. Lack of regulatory protections for consumers.
2. Risks of scams, fraud, and data misuse.
3.​ Exclusion of non-tech-savvy populations.
4.​ Technical failures disrupting services.

Chapter 13 - Emerging Technologies

Learning Outcomes

1. Understanding e-business, its risks, and controls.
2. Comprehending digital payments along with their advantages and disadvantages.
3.​ Exploring paradigms of Internet of Things (IoT) and its application in finance and
accounting.
4.​ Gaining knowledge about quantum computing and its advantages for financial
organizations.
5.​ Understanding RegTech technology and its role.
6.​ Conceptualizing mobile computing and its benefits.

Digital Ecosystem and Controls

1. Introduction

● Emerging technologies like Mobile Computing, Quantum Computing, 3D Printing, and Cloud Computing are transforming work styles and global challenges.
●​ Technologies are interlinked; e.g., mobile technology integrates with social media for
predictive analysis.
●​ The transition to technology-based financial transactions boosts transparency and
efficiency.

2. Digital Payments

● Overview: Digital payment systems revolutionize business transactions, making them easier and safer.

Benefits:

1. Convenience: Click-based, secure transactions.
2. 24/7 Accessibility: Payments anytime, anywhere.
3.​ Government Incentives: Tax discounts for using digital channels.
4.​ Log Maintenance: Automatic recording of transactions.
5.​ Low Risk: MPIN and PIN provide security.
6.​ Business Edge: Increases customer base.
7.​ Environmentally Friendly: Encourages "Green Computing."

Types of Digital Payments:

1.​ Unified Payments Interface (UPI): Instant transactions via mobile apps, supporting P2P
and P2M transfers.
2.​ Unstructured Supplementary Service Data (USSD): Payments without smartphones
or internet.
3.​ Aadhar Enabled Payment Services (AEPS): Aadhaar-based fund transfers and KYC
verification.
4.​ Mobile Wallets: Store payment data securely; cashback and discounts offered.
5.​ Immediate Payment Service (IMPS): Real-time, 24/7 fund transfer service.
6.​ Bharat Interface for Money (BHIM): UPI-based app for seamless transactions.
7.​ RuPay Cards: Promotes a cashless economy; includes ATM withdrawal and PoS
transactions.
8.​ e-RUPI: QR code or SMS-based digital voucher for specific purposes.

3. E-Business

● Definition: The sale/purchase of goods and services electronically.
● Benefits:
○​ Convenience, time-saving, comparison options, and 24/7 accessibility for
customers.
○​ Increased market reach, reduced costs, and operational efficiency for
businesses.
○​ Governments benefit through reduced corruption and ecologically friendly
practices.
●​ Disadvantages: High startup costs, legal issues, cultural resistance, and security
concerns.
●​ Risks & Controls: Address unauthorized access, downtime, data privacy, and
compliance through robust policies and disaster recovery plans.

4. Emerging Technologies

4.1 Internet of Things (IoT)

● Definition: Interconnected devices collect and transmit data over networks.
● Applications in Finance and Accounting:
○ Debt Collection: Monitors debtor activities via IoT-enabled devices.
○ Fraud Prevention: Secures PoS systems using IoT.
○​ Personalized Rewards: Tailors offers based on consumer behavior.
○​ Capacity Planning: Optimizes branch and ATM operations.

● Challenges:
○ Hardware compatibility, connectivity, and data accuracy issues.
○ Data security concerns.

4.2 Quantum Computing

●​ Concept: Utilizes qubits that exist in multiple states simultaneously, solving complex
problems much faster.
●​ Advantages:
○​ Targeting Models: Better customer insights and fraud detection.
○​ Trading Optimization: Simulates scenarios for portfolio management.
○​ Risk Profiling: Faster simulations for risk assessments.
●​ Threats: Quantum computers can potentially break cryptographic protocols.

4.3 RegTech (Regulatory Technology)

● Definition: Uses IT to handle compliance, monitoring, and reporting in finance.
● Advantages:
1.​ Enhances financial inclusion through automation.
2.​ Detects unfair practices and fraud.
3.​ Strengthens AML (Anti-Money Laundering) processes.
4.​ Tracks illegal phoenixing activities.
5.​ Reduces compliance costs.

4.4 Mobile Computing

● Definition: The ability to work remotely using mobile devices.
● Components:
○​ Mobile Communication: WLAN, satellite, GSM, etc.
○​ Mobile Hardware: Smartphones, laptops, and servers.
○​ Mobile Software: Apps and operating systems (e.g., Android, iOS).
●​ Benefits:
○​ Enhances flexibility, productivity, and real-time communication.
○​ Improves operational efficiency and customer service.
