
Enterprise Information Systems: Intermediate Course


INTERMEDIATE COURSE

PAPER : 7A
Enterprise Information Systems

BOOKLET ON MCQS & CASE SCENARIOS

BOARD OF STUDIES
THE INSTITUTE OF CHARTERED ACCOUNTANTS OF INDIA

© The Institute of Chartered Accountants of India


This Booklet has been prepared by the faculty of the Board of Studies. The
objective of the Booklet is to provide teaching material to the students to enable
them to obtain knowledge in the subject. In case students need any clarifications
or have any suggestions to make for further improvement of the material
contained herein, they may write to the Director of Studies.
All care has been taken to provide interpretations and discussions in a manner
useful for the students. However, the Booklet has not been specifically discussed
by the Council of the Institute or any of its Committees and the views expressed
herein may not be taken to necessarily represent the views of the Council or any
of its Committees.
Permission of the Institute is essential for reproduction of any portion of this
Booklet.

© The Institute of Chartered Accountants of India

All rights reserved. No part of this book may be reproduced, stored in a retrieval
system, or transmitted, in any form, or by any means, electronic, mechanical,
photocopying, recording, or otherwise, without prior permission, in writing, from
the publisher.
Revised Edition : January, 2022

Website : www.icai.org

E-mail : bosnoida@icai.in

Committee/Department : Board of Studies

ISBN No. :

Price : `

Published by : The Publication Department on behalf of The
Institute of Chartered Accountants of India, ICAI
Bhawan, Post Box No. 7100, Indraprastha Marg,
New Delhi 110 002, India.

Printed by :



Preface

This booklet on Independent/Case-scenario based Multiple Choice Questions
on Enterprise Information Systems is the collection of various techniques and
technologies used in various business processes involved in Financial and
Accounting Systems, E-Commerce & M-Commerce transactions, emerging
technologies and Core Banking Systems. These case scenarios and Multiple
Choice Questions reflect the changes in business having borderless economies
consequent to giant leap in e-commerce, emergence of new financial
instruments, emphasis on corporate social responsibility and significant
developments in the field of information technology.
This booklet is comprised of some significant cases that have a lasting effect
on the application of emerging technologies, banking systems and financial
processes. Enterprise Information Systems, as a subject at Intermediate level
helps you inculcate the requisite IT skill-sets necessary for achieving the
desired professional competence. The issues under information technology in
the prevailing scenario can be better understood through the relative case
scenarios.
As a part of its continuous endeavour towards enrichment of knowledge, Board
of Studies, through this booklet wishes to create awareness amongst the
students about the various significant strategies and techniques relating to
information technology. This edition of booklet includes 35 Case Scenarios and
120 Multiple Choice Questions under Paper 7A: Enterprise Information Systems
of Intermediate Course. Being the part of examination, this value addition will
lead to understanding of above on the interpretational, application and analysis
of information technology techniques therein. This publication contains the
summarized version of the facts of the fundamental concepts of Information
systems and business process flows, Financial and Accounting systems, Core
Banking Systems and e-commerce and m-commerce transactions.
This booklet is relevant for May 2022 Examination and onwards.

Wishing you happy reading!

MULTIPLE CHOICE QUESTIONS

1. An Enterprise Information System (EIS) provides a technology
platform that enables organizations to integrate and coordinate their
business processes on a robust foundation. Identify the statement that
does not fall under the list of objectives of EIS.
(a) Reduce service cycles
(b) Identify manual processes
(c) Reduce costs
(d) Increase operational efficiency
2. Depending on the size, nature of work and complexity involved in the
processes of an organization; business processes are often broken up
into different categories – Primary, Secondary and Management
Processes. Which one of the following falls under the purview of
Primary Processes?
(a) Deals with legal compliance
(b) Deals with the core business and value chain
(c) Deals with core processes and functions within an organization
(d) Deals with measuring, monitoring and control activities
3. A manufacturing company is facing an issue of not being able to
provide timely supply of its products to the customers. Mr. Anil, an IS
Auditor of this company identified that the delay is due to the manual
processing of certain processes involved in the company. He suggested
that the company should adopt _______ to overcome the problem.
(a) Core Banking Systems
(b) Strategic Level Systems
(c) Business Process Automation
(d) Expert Systems

4. Mr. X has set up his new business of manufacturing color pens. He is
well aware of the various kinds of risks involved in his business;
however, he unintentionally violated some industry regulations while
setting up his business. Which category of risk does this refer to?
(a) Strategic
(b) Financial
(c) Compliance
(d) Operational
5. Gigs and Gigs, the food court in a shopping mall wants to automate its
manual cash counter into an automated card system. Same card can
be used at various food outlets in the food court. This automation
optimizes the information flow in service and billing. Identify from the
following objectives of Business Process Automation that Gigs and Gigs
is achieving by using this method.
(a) Governance & Reliability
(b) Reduced Costs
(c) Reduced Turnaround Time
(d) Quality and consistency
6. Mr. Z is pursuing the course of MCA and is undergoing the practical
training in an e-Commerce company. He has been given a task to
prepare a flowchart describing the flow of transactions through various
modes of payment used by customers to pay the bill to company.
Identify the terminology that is irrelevant to the process of making of
flowcharts.
(a) Process
(b) Decision
(c) Document
(d) Risk
7. Enterprise Risk Management (ERM) framework consists of interrelated
components that are used to identify events that are relevant to
organization’s objective. Identify which of the following is not a
component of ERM Framework.
(a) Internal environment
(b) Organization chart
(c) Objective setting
(d) Event identification
8. The objective of Internal Control is to enable an organization to
manage its challenges or disruptions seamlessly. Identify which of the
following is not an objective of Internal Control.
(a) Compliance with applicable laws and regulations
(b) Meeting sales targets
(c) Reliability of reporting
(d) Effectiveness and efficiency of operations
9. Which one of the following deals with Section 143 of the Companies
Act, 2013?
(a) Acquisition and Mergers
(b) Powers and duties of Board of Directors
(c) Powers and duties of auditors and auditing standards
(d) Penalties due to non-compliance
10. ABC Corporative bank strictly follows the policy of Sensitive Personal
Information. Choose the attribute that is not defined as Sensitive
Personal Information.
(a) Home address
(b) Password
(c) Financial information
(d) Biometric information
11. Mr. Shravan, HR Manager of a Multinational Company (MNC) asked his
subordinate to prepare the files of various processes involved in
Human Resource Management. Which of the following does not form
part of HR Management?
(a) Training and Development
(b) Career Development
(c) Leadership Development
(d) Invoicing
12. To make the business a success and to reduce the time spent on manual
work, the organization should implement Business Process Automation
(BPA) which involves documentation as well. Which of the following is
not a benefit of documentation of BPA implementation?
(a) Clarity on the process
(b) To find the bottlenecks
(c) Identify the source of inefficiency
(d) Design new policy format
13. An online store follows a process of informing customers about the
complete tracking of the orders they place through SMS on their registered
mobile numbers. This activity is a perfect example of ______.
(a) Supply Chain Management
(b) Customer Relationship Management
(c) Order to Cash Cycle
(d) Procure to Pay
14. A huge oil spill from an oil well run by British Petroleum, one of
the largest oil companies in the world, resulted in an assessed
environmental damage of about USD 20 Billion. The company
expended an amount of USD 2 Billion on promotional ads informing
the world that it is an environment friendly company. The promotional
advertisements were done to prevent the company from ___ damage.
(a) Strategic
(b) Operational

(c) Financial
(d) Reputational
15. A bank shares financial data of its borrowers with a third party without
the consent of the borrowers. Identify the rule of Sensitive Information and
Personal Data Rules, 2011 that the bank has violated.
(a) Rule 3
(b) Rule 4
(c) Rule 5
(d) Rule 6
16. As an internal auditor of a steel company, Mr. Ajay observed that the
vendor supplying the material to manufacture steel has begun to
supply the damaged material. He reported this issue to the company’s
top management. Which of the following risk management strategies
would be followed by the top management of the company, if they decided to
seek a more capable supplier and leave the current supplier?
(a) Accept the Risk
(b) Transfer the risk
(c) Terminate the Risk
(d) Treat the risk
17. In the bi-annual meeting of DEF Hotel Group, the senior officials are
discussing risks that could impact hotel’s effective working in relation
to customer satisfaction and change integration. Which of the
following business risk is being discussed in the meeting?
(a) Financial risk
(b) Compliance risk
(c) Operational risk
(d) Hazard risk
18. Identify the control from the following that does not belong to
Information Technology General Controls.
(a) Management of Systems Acquisition and Implementation
(b) Change Management
(c) Exception Reporting
(d) User Training and qualification of Operations personnel
19. A&B Financial Ltd. company provides loans against gold. The company
has created policy to ensure each disbursed loan has been properly
documented, gold accepted as security has been properly valued and
same is kept in secured vaults. _________ would ensure
management’s directives to mitigate risks to the achievement of
objectives are carried out. Fill in the blank with appropriate option
from the following.
(a) Control Activities
(b) Control Environment
(c) Risk Assessment
(d) Information and Communication
20. K&K son’s Ltd. automated all its business processes to operate
efficiently and effectively. Identify the factor that is responsible to
ensure that no unauthorized amendments can be made in its data
after implementing Business Process Automation.
(a) Availability
(b) Integrity
(c) Timeliness
(d) Confidentiality
21. Mr. X is responsible to maintain the inventory of newly opened
showroom of electronic goods in Delhi. From the following, identify the
item which does not form part of Inventory Master Data.
(a) Stock Item
(b) Stock Group
(c) Salary Structure of stores in-charge

(d) Godown
22. XYZ Ltd. is an ink manufacturing company that implemented
enterprise-wide information system to coordinate all resources and
activities required to complete various business processes. Choose the
main characteristic of ERP System from following.
(a) Separate data maintenance by each department
(b) Centralized Database
(c) No direct inter department communication
(d) No change in cycle time.
23. To sustain in today’s competitive world and make the business a
success, organizations are implementing ERP system and getting many
benefits from the same. From the following, which is not a benefit of
ERP?
(a) Information integration
(b) Reduction of lead-time
(c) Reduction in Cycle Time
(d) Enhanced Quality Costs
24. Mr. Rajesh has developed Accounting software for a private firm.
While explaining the benefits of software to company’s Management,
he made a false statement about the back end of software. Identify
from the following statements which he would have said about Back
End.
(a) Communicates with user directly
(b) Processes the data
(c) Communicates with front end directly
(d) Generates the report
25. Mr. X works on Financial and Accounting System of a private firm and
maintains different types of master data in the system. Which of the
following master data is not controlled by the user and depends on the
changes recommended by the government from time to time?
(a) Payroll Master data
(b) Statutory Master data
(c) Inventory Master data
(d) Accounting Master data
26. All of the following represent the attributes of information provided
by Management Information System except one. Identify the odd one
which does not belong to this category.
(a) Relevant
(b) Timely
(c) Accurate
(d) Scalable
27. Mr. Rajiv, a system administrator installed application software for
attendance system of employees in automated working environment of
Raj and Sons Ltd. During the briefing session about the system to
management of Raj and Sons Ltd., he made certain statements
mentioned below. Out of these, choose the statement that is not true
for Installed software application.
(a) It is installed on the hard disc of the computer of the user.
(b) The access of the application is dependent on the speed of the
internet.
(c) The user has full physical control over the data.
(d) Installed applications cannot be used from any other stand-
alone computer.
28. The implementation of _________ involves Extract, Transform and
Load (ETL) procedures in coordination with a data warehouse and then
using one or more reporting tools.
(a) Business Reporting
(b) Inventory Accounting
(c) Financial Accounting
(d) Payroll Accounting
29. While presenting a data analytics report to the members of top
management of his firm, Mr. X used acronyms of various data analytics
tools which many members could not understand. One of the
terms that he often referred to was OLAP. Help the members resolve the
confusion by finding the full form of OLAP.
(a) Offline Application Processing
(b) Online Analytical Processing
(c) Online Analytical Product
(d) Offline Application Product
30. The Sales and Distribution module is one of the important modules of an ERP
Package. Which of the following activities does not belong to the Sales and
Distribution Process?
(a) Pre-sales Activities
(b) Payment
(c) Delivery of product to customer
(d) Production Planning
31. If an organization does not want to install Financial Application on its
own System to avoid the hassles of its implementation and
maintenance, they can use _______ Applications as an alternative of
the same.
(a) Cloud-based
(b) Software
(c) Installed
(d) Mobile
32. Mr. B, who works for private firm ABC Ltd., is required to make an
entry in the Accounting system for maintaining a record of physical
receipts of goods purchased from one of the firm’s vendor. Which type
of voucher shall he use to do the same?
(a) Delivery note
(b) Receipt note
(c) Sales
(d) Purchase
33. In an Accounting System, various types of vouchers are required to
maintain transactions within the organization. Which of the following
transactions is not recorded in the voucher type "Contra" of the
Accounting System?
(a) Cash deposit in bank
(b) Cash withdrawal in bank
(c) Cash transfer from one location to another
(d) Recording of all types of trading sales by any mode
34. Mr. R is an accountant of an engineering college who works on
accounting system of the college. He is responsible to record all types
of payments - salaries and incentives, made to teaching and non-
teaching staff through any mode. Identify the type of voucher of
accounting module used for this purpose.
(a) Receipt
(b) Contra
(c) Journal
(d) Payment
35. Mr. Anil is a clerk in accounts department of GBS Public school who
works on accounting system well implemented in the school. He is
supposed to record the details of purchase/sale of fixed assets on
credit. Identify the voucher from following which is being used by him
for this work.
(a) Contra
(b) Receipt
(c) Journal
(d) Payment

36. JKM Pvt. Ltd. is an apparel manufacturing company well equipped with
ERP. MM group approached JKM Pvt. Ltd. with a requisition of 1000
pieces of female black formal suits. Mr. Y, a senior manager of JKM
Pvt. Ltd. wants to evaluate the current stock position and purchase
order pending position of his company before accepting the
requisition. Which of the following modules of ERP will help Mr. Y in this?
(a) Sales and Distribution Module
(b) Material Management Module
(c) Production Planning Module
(d) Supply Chain Management Module
37. VV Enterprises is a publication house that publishes kids’ newspaper,
reading and activity books. The management of VV Enterprises from
its R&D department demanded an analysis on consumer behaviour on
purchase of its publications during summer break and exam time.
Which of the following Data Analytical tools would be helpful to the R&D
department?
(a) Machine Learning
(b) Predictive Analytics
(c) Data Mining
(d) Qualitative Data Analysis
38. Identify the false statement from the following statements on various
modules of ERP.
(a) Controlling Module evaluates the profit or loss of individuals.
(b) Sales and Distribution Module includes product enquiries,
placing order and scheduling activities.
(c) Plant Maintenance Module involves the process of planning the
production activities.
(d) Human Resource Module deals with financial entries like
advances or loan to employees.

39. Organizations implementing ERP should keep abreast of the latest
technological developments. The control under which care must be taken
while selecting the vendor and upgrade contracts should be signed to
minimize the risks belongs to the _______ aspect of technological risks.
(a) Technological Obsolescence
(b) Application Portfolio Management
(c) Enhancement and Upgrades
(d) Software Functionality
40. ABC Company started using SAP as application software for its HR and
Accounting department. Which of the following layers of the software
carries the instructions and processes them using data stored in the
database?
(a) The Database Layer
(b) The Application Layer
(c) The Operating System Layer
(d) The Network Layer
41. Information Systems not only establish communication but also
support decision making within an organization. Below mentioned are
the components that comprise an Information system except one.
Identify that odd one out.
(a) People
(b) Data
(c) Network
(d) Transaction
42. Communication controls responsible for handling exposures caused
during the internetwork communication are categorized further based
on the specific functions performed. Which of the following
communication controls incorporates features that mitigate the possible
effects of exposure?
(a) Line Error Control
(b) Flow Control
(c) Channel Access Control
(d) Physical Component Control
43. In a computer system, a ______ memory which is volatile in nature
and can read and modify the information is also referred as ______.
(a) Primary, Random Access Memory
(b) Secondary, Random Access Memory
(c) Secondary, Cache Memory
(d) Primary, Virtual Memory
44. In DBMS, Relational Database Model allows the data and its related
operations like storage, retrieval, and integrity in a Table structure. All
the terms mentioned below are associated with Relational Database
Model except one. Pick that odd one out.
(a) Relations
(b) Attributes
(c) Objects
(d) Domains
45. Corrective controls are designed to reduce the impact or correct an
error once it has been detected. Which of the following is not an
example of Corrective Control?
(a) Backup Procedure
(b) Rerun Procedure
(c) Contingency Planning
(d) Hash Total
46. Mr. Y, a senior network administrator of HKL Pvt Ltd., sent
confidential data of the company to its Chief Financial Officer. For
secure data transmission in a network, __________ is a technique that
converts data into a secret code for storage in databases.
(a) Encapsulation

(b) Encryption
(c) Decryption
(d) Logging
47. The data entry operator of GC College is responsible for entering the
amount of fees paid by the students. Accidentally, while making the
entry, the fee amount of Ms. X of ₹ 9854 was entered as
₹ 8954 in the software, leading to the reversal of two digits in the
amount. Under Data Coding Control, which of the following errors is
made by the data entry operator in this case?
(a) Transposition Error
(b) Substitution Error
(c) Addition Error
(d) Truncation Error
48. As a system administrator of a newly established start-up KJL Ltd., Mr.
Kamal sets up its computer network in such a way that enables the
network to recover from any kind of error like connection failure, loss
of data etc. In computer network, which of the following term’s
definition takes care of the said activities?
(a) Routing
(b) Resilience
(c) Contention
(d) Bandwidth
49. Every time when a user attempts to gain access to and employs
system resources in an application, the chronology of each such event
is maintained. Which Application Control is responsible to do so?
(a) Boundary Controls
(b) Input Controls
(c) Communication Controls
(d) Processing Controls of Information Systems

50. Under Application Controls of Information Systems, __________
maintains the chronology of events that occur either to the database
definition or the database itself.
(a) Output Controls
(b) Input Controls
(c) Database Controls
(d) Processing Controls
51. Big Data has captured the attention of businesses for its processing
power to analyse the data for many benefits that it provides. Below
mentioned are some of its benefits, except one. Identify it.
(a) Access to social data from search Engine.
(b) Early identification of risks to the services.
(c) Big data can be used to read and evaluate consumers’
response.
(d) Increases computational power of application software.
52. Ms. Shilpi is a final year student of B.Tech who is required to submit
her project report on Library Management System based on Relational
Database Model. Which of the following examples does not belong to
Relational Database?
(a) Microsoft Access
(b) MySQL
(c) Java
(d) Oracle
53. Nice Collection is a women's apparel store with many branches in various
cities of India. The management of the store uses a data mining technique
to perform analysis to determine the sale on weekends of the festive month
in cities with population less than 70,000. Which of the following is not
involved in the technique used?
(a) Data Integration
(b) Data Selection
(c) Data Transformation
(d) Data Distribution
54. An IS Auditor is using an audit tool that involves embedding audit
software modules within a host application system to provide
continuous monitoring of system’s transactions. Which audit tool does
this refer to?
(a) Audit hooks
(b) System Control Audit Review File (SCARF)
(c) Integrated Test Facility (ITF)
(d) Continuous and Intermittent Simulation (CIS)
55. Mr. Ashu works in a Network Service provider Company where his job
responsibility includes performing routine tasks in the network such as
making minor configuration changes and monitoring event logs. Which
of the following roles does he perform in the company?
(a) Network Administrator
(b) Network Architect
(c) Network Engineer
(d) System Analyst
56. Mr. Y used duplicate keys to enter the prohibited area zone of JKH Ltd.
company and stole some important documents of the company. Which
of the following controls do you think has been compromised to make such
an incident happen?
(a) Environmental Control
(b) Physical Access Control
(c) Network Access Control
(d) Logical Access Control
57. Below mentioned are the steps that are involved in the Data Mining
process. Select the step wherein the data is collected from all the
different sources to initiate the process.
(a) Data Selection
(b) Data Integration
(c) Data Transformation
(d) Data Cleaning
58. Output Controls are responsible for ensuring that the data delivered to
users will be presented, formatted, and delivered in a consistent and
secured manner. Which of the following activities does not fall under the
purview of Output Control?
(a) Spooling
(b) Storage and Logging of sensitive, critical forms
(c) Asset Safeguarding
(d) Control over printing
59. Which of the following statements does not belong to Read Only Memory?
(a) Non-volatile in nature.
(b) Used by manufacturers to store the data.
(c) Used to store small amount of information for quick reference
by Central Processing Unit.
(d) It is a secondary memory.
60. Operating System Software provides Application Program Interfaces
(API) which can be used by application developers to create
application software. This is referred to as ______.
(a) Memory Management
(b) Hardware Independence
(c) Task Management
(d) File Management
61. Operating system acts as an interface between user and hardware; be
it a Smartphone, tablet, or PC. Which of the following is not an
example of Operating System?

(a) Android
(b) Blackberry OS
(c) Apple OS
(d) Chrome
62. In two-tier network architecture, ______________ is an interface that
allows user to interact with the e-commerce / m-commerce vendor.
(a) Presentation Tier
(b) Database Tier
(c) Physical Tier
(d) Application Tier
63. Ms. Komal, a technical product developer at FEGO Ltd., suggested that the
company manufacture a model of self-driving car based on image
and text recognition. This is a good example of ______.
(a) Machine Learning
(b) Expert System
(c) Cloud Computing
(d) Mobile Computing
64. ABC Company as its business policy allows employees of managerial
level to use their preferred computing devices for business purpose.
While working, Mr. Suraj connected his laptop to company’s network
and an application virus infected the company’s database. Which of
the following risks best describes the above situation?
(a) Implementation Risk
(b) Network Risk
(c) Application Risk
(d) Device Risk
65. Mr. X is buying clothes for his kids at Royal’s Showroom. He makes
payment using BHIM (Bharat Interface for Money) App which is an
example of _________.
(a) UPI App
(b) Mobile Hardware
(c) Digital Library
(d) Mobile Wallet
66. Which of the following is not a best practice under Green Computing?
(a) Dispose e-waste according to central, state, and local
regulations.
(b) Purchase of desktop computers, notebooks and monitors based
on environmental attributes.
(c) Power-down the CPU and all peripherals during extended
periods of inactivity.
(d) Use Cathode Ray Tube (CRT) monitors rather than Liquid
Crystal Display (LCD) monitors.
67. Choose the incorrect statement from following statements on
Traditional commerce and e-commerce.
(a) Traditional commerce works on manual processing and e-
commerce works on electronic mode.
(b) Resource focus of Traditional commerce is on demand side
whereas e-commerce focuses on Supply side.
(c) Traditional commerce is limited to particular area whereas e-
commerce has worldwide reach.
(d) Unlike Traditional commerce, e-commerce provides a uniform
platform for information exchange.
68. The following steps are involved in the working of Mobile Computing.
(i) The user enters or accesses data using the application on
handheld computing device.
(ii) Now, both systems (handheld and site’s computer) have the
same information and are in sync.
(iii) The process works the same way starting from the other
direction.

(iv) Using one of several connecting technologies, the new data are
transmitted from handheld to site’s information system where files
are updated and the new data are accessible to other system
user.
Identify from following the correct sequence.
(a) (i), (ii), (iii), (iv)
(b) (iv), (iii), (ii), (i)
(c) (i), (ii), (iv), (iii)
(d) (i), (iv), (ii), (iii)
69. If an organization wants to start its e-business in India, which of the
following laws will regulate its practices so that it does not engage in any
predatory practices?
(a) Indian Contract Act, 1872
(b) The Customs Act, 1962
(c) The Competition Act, 2002
(d) The Competition Act, 2004
70. In Cloud Computing, which instance of Software as a Service (SaaS)
allows users to explore functionality of Web services such as Google
Maps, Payroll processing and Credit Card processing services etc.?
(a) Testing as a Service (TaaS)
(b) Communication as a Service (CaaS)
(c) Data as a Service (DaaS)
(d) API as a Service (APIaaS)
71. Mr. Jayesh sets up an online start-up which is like a conglomeration of
different shops situated in a convenient location of e-commerce where
customers can buy apparels, footwear, and fitness accessories.
Identify from the following, which type of e-market has he set up?
(a) Buyer Aggregator
(b) e-Mall

(c) e-Shop
(d) Portal
72. Ms. Radha started her business through a website www.tastyfood.com
wherein a few food vendors and restaurants are associated with her as
partners. The customers can place orders for food from the vendor of their
choice through the website. This is a good example of ____.
(a) e-Auction
(b) Buyer Aggregators
(c) e-Mall
(d) e-shops
73. Taste and tasty, an online tiffin service vendor, has started a new
policy wherein it provides certain credit points to customers whose
bills are above ₹ 1000 per order. Customers can avail these credit
points in the next order they place. Which of the following is taken
care of by Taste and tasty tiffin service as an e-commerce vendor?
(a) Privacy Policy
(b) Marketing and Loyalty program
(c) Different Ordering Method
(d) Supply Chain Management
74. PMP Ltd. is a network service provider company that has consolidated
many physical servers into one large physical server to make the
effective use of its processor. Which of the following concepts does this
refer to?
(a) Network Virtualization
(b) Grid Computing
(c) Storage Virtualization
(d) Hardware Virtualization
75. Which of the following statement does not belong to security
constraints of Grid Computing?
(a) The coordination between processors must be secure and for
this there is no such policy.
(b) User password and private keys should be protected.
(c) User once authenticated, should be able to acquire resources.
(d) The code can use large number of encryptions at a time.
76. Amazon Web Service (AWS) gives its users the ability to access a database
service on a pay-per-use basis without the need to install and maintain
it. Which of the following instances of Cloud Computing is being
used by AWS?
(a) Database as a Service
(b) Storage as a Service
(c) Network as a Service
(d) Software as a Service
77. Which of the following is not an advantage of Cloud Computing?
(a) Improved flexibility
(b) Streamline business processes
(c) Interoperability
(d) Reduce Capital Costs
78. Which of the following is not an instance of Infrastructure as a Service
(IaaS) model of Cloud Computing?
(a) Backend as a Service (BaaS)
(b) Storage as a Service (STaaS)
(c) Network as a Service (NaaS)
(d) Email as a Service (EaaS)
79. Which layer of e-Commerce architecture allows the consumers to
check the products available on merchant’s website?
(a) Network Layer
(b) Application Layer
(c) Database Layer
(d) Client/User Interface
80. Which business model of e-commerce supports the activities within the
customer chain that generally focuses on sell-side activities of Online
retailers?
(a) Business to Business model (B2B)
(b) Consumer to Consumer model (C2C)
(c) Consumer to Business model (C2B)
(d) Business to Consumer model (B2C)
81. Small BV, a newly established bank in Karnal city is providing core
banking services to its customers seamlessly. From the following,
identify the service which is not provided by the bank.
(a) Advances
(b) Letters of Credit
(c) Querying
(d) Deposits
82. Mr. X selected some groceries in a retail store. When he tried making
the payment using his credit card, an error message was displayed stating
that the aggregate limit of outstanding amount has exceeded his
assigned credit card limit. Identify the risk related to the credit card
process for which this key control has been applied, resulting in the
display of the error message.
(a) Credit Line setup is unauthorized and not in line with the bank’s
policy.
(b) Masters defined for the customer are not in accordance with
the Pre-Disbursement Certificate.
(c) Credit Line setup can be breached.
(d) Inaccurate reconciliations performed.
83. VV enterprises opened its Initial Public Offering (IPO) in 2017. After
two years in 2019, the company earned a huge profit. In March 2019,
the company distributed the dividend received against IPO to all its
IPO holders from its bank account. Which of the following service is
used by the company?
(a) Electronic Clearing Services (ECS) Debit
(b) Electronic Clearing Services (ECS) Credit
(c) Advances
(d) Remittances
84. CBS has added many features to service delivery of a bank. Identify
the activity from the following that falls under its purview.
(a) On-line real-time processing
(b) Transactions are posted in batches
(c) Databases are maintained at branch level
(d) Loan processing is done at branch
85. The deployment and implementation of CBS is controlled at various
stages. In which of the following stage, bank should choose the right
solution considering various parameters to meet business objectives?
(a) Approval
(b) Support
(c) Selection
(d) Planning
86. ABC Ltd. is a financial company using the control ‘Logging the access
to sensitive data and regularly being reviewed by the management’ for
Information Security. Identify, from the following, the risk for which this
control is being used by the company.
(a) Unauthorized data access due to Trojans.
(b) Lack of Management direction.
(c) User accountability is not established.
(d) Security breaches may go undetected.
87. Which of the following statement best describes the concept of Money
Laundering?
(a) Converting proceeds of crime and projecting it as untainted
property
(b) Tax Planning as per provision of IT Act, 2000
(c) Gifting immoveable property to relatives
(d) Transferring fixed deposit to employees
88. IT Act, 2000 provides the legal recognition for transaction through any
means of electronic communication. Which of the following is not
computer related offence as per IT Act, 2000?
(a) Theft of confidential information in computer systems
(b) Removal, concealment, transfer, or delivery of property to
prevent tax recovery
(c) Credit Card fraud
(d) Source Code theft
89. The key provisions of IT related offences are for the smooth working
of bank. In purview of same, what is the primary objective of SPDI?
(a) Protecting Computer Software
(b) Securing critical Information
(c) Sensitive Personal Information
(d) Identifying sensitive Information
90. Which of the following activity risks is the computer related crime of
the banking sector of India?
(a) Breaking into ATM
(b) Physical theft at branch
(c) Software piracy
(d) Altering name in demand draft
91. In the Core Banking Systems, _______ is a service which is defined as
an undertaking by a bank to the payee to pay to him on behalf of the
applicant any amount up to the limit/terms and conditions specified.
(a) Guarantees
(b) Letter of Credit
(c) Granting of Advances
(d) Acceptance of deposit
92. Which of the following statement is incorrect w.r.t. Core Banking
System?
(a) CBS software enables integration of all third-party applications.
(b) CBS has a common database in a central server giving a
consolidated view of bank’s operations.
(c) Branches function as delivery channels providing services to its
customers.
(d) CBS has non-modular structure capable of being implemented
in stages as per bank’s requirements.
93. The Central Server of Core Banking System relates to many modules of
Back-End and Front-End applications, some of which are
mentioned below.
i. ATM Switch
ii. Internet Banking
iii. Data Warehouse
iv. Branch Banking
Which of the above is not a part of front-end application?
(a) i,ii,iii
(b) ii,iv
(c) ii,iii,iv
(d) i,iii
94. KK cooperative bank has its four branches in Pune city. Each branch
confines itself to many key functions as mentioned below. Identify the
option which does not fall under the key functions of branches of KK
cooperative bank.
(a) End of Day (EOD) Operations
(b) Internal Authorization
(c) Quality Assurance
(d) Reviewing reports for control and error correction
95. Mr. Y has a savings account with S&N Bank. He used the Internet banking
services of the bank for the first time with the login id and password
provided to him by the bank. Immediately after the first login, he
changed his password. Which of the following servers would store Mr.
Y’s password for further logins?
(a) Web Server
(b) Application Server
(c) Internet Server
(d) Internet Banking Channel Server
96. Money Laundering is defined as the process by which the proceeds of
the crime and the true ownership of those proceeds are concealed or
made opaque so that the proceeds appear to come from a legitimate
source. This process involves many stages as mentioned below:
i. Layering
ii. Integration
iii. Placement
Choose the correct sequence.
(a) i-ii-iii
(b) iii-ii-i
(c) ii-iii-i
(d) iii-i-ii
97. Which of the following section of Information Technology Act, 2000
deals with punishment for cheating by personation by using computer
resource?
(a) Section 66E
(b) Section 66D
(c) Section 66B
(d) Section 66C
98. In CBS environment, which of the following is one of the key
components of banking business with controls?
(a) Organization Structure
(b) Planning
(c) Layering
(d) Integration
99. In CBS environment, different servers have different roles to perform.
Which of the following server is responsible to host all internet related
software?
(a) Proxy Server
(b) Database Server
(c) Web Server
(d) Application Server
100. Considering risks associated with CBS, __________is defined as an
exposure to legal penalties, financial penalties, and material loss an
organization faces when it fails to act in accordance with industry laws
and regulations, internal policies or prescribed best practices.
(a) Strategic Risk
(b) Compliance Risk
(c) Market Risk
(d) Operational Risk
101. Mr. X and Mr. Y are employees of XYZ Ltd. In the office during lunch
time when Mr. Y was not on his seat, Mr. X stole the pen drive of Mr. Y
containing some confidential information. Under which of the following
section of Information Technology Act 2000, is Mr. X punishable?
(a) Section 66B
(b) Section 66C
(c) Section 66D
(d) Section 43
102. In case the management of an organization XYZ anticipates that the
impact and probability of occurrence of risk is very low, which risk
management strategy shall then be followed by XYZ?
(a) Tolerate the risk
(b) Terminate the risk
(c) Share the risk
(d) Treat the risk
103. The success of any Business Process Automation (BPA) shall only be
achieved when BPA ensures certain characteristics. Which of the
following is not included in those characteristics?
(a) Diligence
(b) Integrity
(c) Availability
(d) Timeliness
104. Mr. Anil is working with XYZ Company that is under the process of
adopting Enterprise Resource Management (ERM) framework. He
prepared a list of policies and procedures that need to be established
and executed to ensure that the risk responses that management
selected are effectively carried out. Which component of ERM is
referred here during this activity?
(a) Risk Assessment
(b) Control Activities
(c) Information and Communication
(d) Monitoring
105. Mr. Amit is an auditor of a company XYZ Ltd. While evaluating controls
over ERP systems, he had to audit the controls which were
administered through the computer center/computer operations group
and the built-in operating system controls. Which of the following
controls are referred here?
(a) Environmental Controls
(b) Application controls
(c) Management Controls
(d) Audit Controls
106. Mr. Chaitanya is a software developer associated with a company for
which he developed application software. The developed software is
needed to be installed on hard disc of every computer used by users,
one by one. Which of the following application is developed by him?
(a) Integrated Application
(b) Operating System Application
(c) Installed Application
(d) Cloud based Application
107. Mr. Rajiv is an accountant of XYZ Private Ltd. Company who takes care
of all the transactions made by company. He is making a voucher for
transfer of fund from company’s one bank account to company’s other
bank account. Which of the following voucher is Mr. Rajiv preparing?
(a) Contra
(b) Payment
(c) Receipt
(d) Journal
108. Which of the following statement is not correct for eXtensible Business
Reporting Language (XBRL)?
(a) XBRL runs on XML technologies such as XML schema and
ensures that financial and non-financial data is tagged to form
a comparable reporting format.
(b) XBRL has the capability to allow the tagging of transactions
that can themselves be aggregated into XBRL reports.
(c) To publish performance information and allow straight through
information processing are key features of XBRL.
(d) XBRL is an open standard reporting language which is governed
by XBRL, a non-profit organization.
109. Identify from the following controls of Information System that deals
with framing of high-level IT policies, procedures, and standards on a
holistic view.
(a) Management Controls
(b) Environmental Controls
(c) Access Controls
(d) Physical Controls
110. Mr. Neeraj is working on a project on healthcare system where he has
to perform data mining on the database of patients of last five years in
ABC Hospital. The hospital provided him inconsistent data with lots of
errors and missing values. He has to apply various techniques to get
rid of these anomalies. Identify from the following process which he
can use to get rid of these anomalies.
(a) Data Cleaning
(b) Data Selection
(c) Data Integration
(d) Data Transformation
111. The Chief sales head of the company wants to evaluate an annual sale
made by sales revenue of the company’s branches in different regions.
Being the Sales manager of the company, Mr. Kumar is asked to
prepare the spreadsheets using computer software. Which of the
following software he may be working on?
(a) Application Software
(b) Operating Systems Software
(c) System Software
(d) Asset Management Software
112. A Database Model is a type of data model that determines the logical
structure of a database and fundamentally determines the manner in
which data can be stored, organized, and manipulated. Which of the
following database models stores and organizes data in a table
structure?
(a) Network Database model
(b) Hierarchical Database model
(c) Object oriented Database model
(d) Relational Database model
113. Which of the following statement is not true about Cloud Computing?
(a) Data and information can be accessed with minimal upfront
spending in a pay-as-you-go approach.
(b) Getting more work done in less time with less resources are
possible in cloud computing.
(c) Customers may have to face restrictions on the availability of
applications, operating systems and infrastructure options.
(d) It is feasible to confine within budgetary allocations and can be
ahead of completion cycle times.
114. Mr. A owns a bakery shop which is currently running successfully. He
wants to expand his business further through online mode, for
which he hired a technical person, Mr. X, who could guide him in
adopting online business. Mr. X is supposed to give a presentation
to Mr. A on the technological infrastructure requirements for the proposed
business. Identify the option which should not form part of his
presentation.
(a) Payment gateway
(b) Web portal
(c) Data Interchange
(d) Type of vendors
115. XYZ is a service provider company that decides to adopt a three-tier
client-server architecture for setting up the network architecture for a
shoe making company. What would be the sequence of the three tiers that
are used in three-tier client-server architecture?
(a) Presentation tier, Middle tier, Database tier
(b) Middle tier, Database tier, Presentation tier
(c) Database tier, Logic tier, Client tier
(d) Client tier, Data tier, Database tier
116. Mr. Raju wants to purchase a new laptop of BBCN Company through
online mode. Hence, he is checking all the products available on BBCN
website. From the following layers of e-commerce architecture,
identify the layer on which he is working.
(a) Application Layer
(b) Database Layer
(c) Client/User Interface
(d) Communication Layer
117. The full-scale banking solution is a scalable, integrated e-banking
system that meets the deployment requirements in traditional and
non-traditional banking environments with some key aspects in its
architecture. Which of the following aspect is not used in Core Banking
System architecture?
(a) Customer centric
(b) Regulatory Compliance
(c) Resource optimization
(d) Employees’ selection
118. Sneha purchased a new dress for her birthday online from
fashionnpoint.com. She used internet banking facility by using her
username and password to make the payment for her dress. Which of
the following bank server will the transaction be referred to for
verification?
(a) Internet Banking Channel Server
(b) Internet Banking Application Server
(c) Web server
(d) Database Server
119. Identify the full-scale Banking solution which is scalable and integrated
that meets the deployment requirements in traditional and
non-traditional banking environments.
(a) Finacle
(b) Flexcube
(c) bankMate
(d) Finnone
120. Money Laundering is commonly used by criminals to make dirty money
appear legitimate. In this context, which stage of Money Laundering
involves the bank transfers between different accounts in different
names in different countries making frequent deposits and
withdrawals?
(a) Placement
(b) Layering
(c) Integration
(d) Financing
Answer Key
Question No. Answer
1 (b) Identify manual processes
2 (b) Deals with the core business and value chain
3 (c) Business Process Automation
4 (c) Compliance
5 (c) Reduced Turnaround Time
6 (d) Risk
7 (b) Organization chart
8 (b) Meeting sales targets
9 (c) Powers and duties of auditors and auditing
standards
10 (a) Home address
11 (d) Invoicing
12 (d) Design new policy format
13 (b) Customer Relationship Management
14 (d) Reputational
15 (d) Rule 6
16 (c) Terminate the Risk
17 (c) Operational Risk
18 (c) Exception Reporting
19 (a) Control Activities
20 (b) Integrity
21 (c) Salary Structure of stores in-charge
22 (b) Centralized Database
23 (d) Enhanced Quality Costs
24 (a) Communicates with user directly
25 (b) Statutory Master data
26 (d) Scalable
27 (b) The access of the application is dependent on
the speed of the internet.
28 (a) Business Reporting
29 (b) Online Analytical Processing
30 (d) Production Planning
31 (a) Cloud-based
32 (b) Receipt Note
33 (d) Recording of all types of trading sales by any
mode
34 (d) Payment
35 (c) Journal
36 (b) Material Management Module
37 (b) Predictive Analytics
38 (c) Plant Maintenance Module involves the
process of planning the production activities.
39 (c) Enhancement and Upgrades
40 (c) The Operating System Layer
41 (d) Transaction
42 (d) Physical Component Control
43 (a) Primary, Random Access Memory
44 (c) Objects
45 (d) Hash Total
46 (b) Encryption
47 (a) Transposition Error
48 (b) Resilience
49 (a) Boundary Controls
50 (c) Database Controls
51 (d) Increases computational power of application
software.
52 (c) Java
53 (d) Data Distribution
54 (b) System Control Audit Review File (SCARF)
55 (a) Network Administrator
56 (b) Physical Access Control
57 (b) Data Integration
58 (c) Asset Safeguarding
59 (d) It is a secondary memory.
60 (b) Hardware Independence
61 (d) Chrome
62 (a) Presentation Tier
63 (a) Machine Learning
64 (c) Application Risk
65 (a) UPI App
66 (d) Use Cathode Ray Tube (CRT) monitors than
Liquid Crystal Display (LCD) monitors
67 (b) Resource focus of Traditional commerce is on
demand side whereas e-commerce focuses on
Supply side
68 (d) (i), (iv), (ii), (iii)
69 (c) The Competition Act, 2002
70 (d) API as a Service (APIaaS)
71 (b) e-Mall
72 (b) Buyer Aggregators
73 (b) Marketing and Loyalty program
74 (d) Hardware Virtualization
75 (d) The code can use large number of encryptions
at a time.
76 (a) Database as a Service
77 (c) Interoperability
78 (d) Email as a Service (EaaS)
79 (b) Application Layer
80 (d) Business to Consumer model (B2C)
81 (c) Querying
82 (c) Credit Line setup can be breached.
83 (b) Electronic Clearing Services (ECS) Credit
84 (a) On-line real-time processing
85 (c) Selection
86 (d) Security breaches may go undetected.
87 (a) Converting proceeds of crime and projecting it
as untainted property
88 (b) Removal, concealment, transfer, or delivery of
property to prevent tax recovery
89 (c) Securing Personal Information
90 (c) Software piracy
91 (b) Letter of Credit
92 (d) CBS has non-modular structure capable of
being implemented in stages as per bank’s
requirements.
93 (d) i,iii
94 (c) Quality Assurance
95 (d) Internet Banking Channel Server
96 (d) iii-i-ii
97 (b) Section 66D
98 (a) Organization Structure
99 (c) Web Server
100 (b) Compliance Risk
101 (a) Section 66B
102 (a) Tolerate the risk
103 (a) Diligence
104 (b) Control Activities
105 (a) Environmental Controls
106 (c) Installed Application
107 (a) Contra
108 (a) XBRL runs on XML technologies such as XML
schema and ensures that financial and
non-financial data is tagged to form a comparable
reporting format.
109 (a) Management Controls
110 (a) Data Cleaning
111 (a) Application Software
112 (d) Relational Database model
113 (c) Customers may have to face restrictions on
the availability of applications, operating
systems, and infrastructure options.
114 (d) Type of vendors
115 (a) Presentation tier, Middle tier, Database tier
116 (a) Application Layer
117 (d) Employees’ selection
118 (a) Internet Banking Channel Server
119 (c) bankMate
120 (b) Layering

CASE SCENARIOS

1. Ind Milk Dairy, Asia’s largest dairy product company, is based in India.
It was established in the year 2014-15 and targeted a turnover of
₹ 50,000/- Crores by 2020-21. By the Financial year 2018-19, the
company had achieved a turnover of ₹ 33,150/- Crores. The Company
procures milk through various collection centers created at the level of
different villages state-wise. Each collection center is run by
co-operatives created in each district of the state. The total members of
these co-operatives are more than 1.5 Crores as on 31st April 2020.
Other than retail sales, few other major revenue sources of the
company are as follows:
- Department of Defence, Government of India
- Corporate Customers
- Export Customers
To achieve the company’s target turnover of ₹ 50,000/- Crores by
2020-21, the Board of Directors of the company decides on a two-pronged
strategy - Business Strategy and System Strategy - which are as
follows.
The Business Strategy includes the following:
- Launch new products.
- Get into new markets for existing products.
- Increase per capita consumption of products in existing market.
The System Strategy includes the following:
- Company needs to create infrastructure that could cater to ever
changing needs of business. This includes robust network
infrastructure as well as database configuration also.
- The proposed database structure needs to cater to needs of
business and to store complex data like identification of animals
through their images, health-card system etc.
- Creates a system to keep track of target on monthly basis.
- At village level, Company shall install a computer system at
each milk collection center. These systems shall be connected
to main server of the company. There are 50,000 villages to be
covered.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 1.1. to 1.5.
1.1. The company Ind Milk Dairy decides to have a database
structure where each member of the district level cooperative
society shall be part of database defined as “OWNER”. Each
Owner record shall have images of their milk giving animals
with its health cards. Identify the best database structure the
company may use to store such complex data.
(a) Hierarchical Database Model
(b) Network Database Model
(c) Object Oriented Database Model
(d) Relational Database Model
1.2. The company Ind Milk Dairy decides to have a system to track
its target on monthly basis. This can be achieved using ______.
(a) Big Data
(b) Artificial Intelligence
(c) Management Information System
(d) Knowledge Management System
1.3. The stakeholders of the company Ind Milk Dairy require
updated information regarding the availability and management
of the milk available at various centres of the
company. Therefore, the company decides to have systems in
its collection centres at village level that require updating of
data into the central server on an online/real-time basis. This will
improve ____________business cycle of the company.
(a) Order to Cash (O2C)
(b) Procure to Pay (P2P)
(c) Raw Material to Finished Goods
(d) Debtors Management
1.4. The Ind Milk Dairy company’s decision to increase its turnover
to ₹ 50,000/- crores by 2020-21 is a strategic decision. Which
ERP functional module supports this type of decision making?
(a) Project Management
(b) Sales and Distribution
(c) Financial Accounting
(d) Materials Management
1.5. In purview of above case scenario, the company’s central
server shall keep the data of each milk collection center and
shall also perform the task of backup, archiving and recovery.
Which of the following technology can be useful in this case?
(a) Storage Virtualization
(b) Network Virtualization
(c) Hardware Virtualization
(d) Software Virtualization
Answer Key
Question No. Answer
1.1. (c) Object Oriented Database Model
1.2. (c) Management Information System
1.3. (b) Procure to Pay (P2P)
1.4. (c) Financial Accounting
1.5. (a) Storage Virtualization

2. M/s. XY & Co, the IS auditors of Mahadevi Bank, a multi-state
scheduled bank operating in Mumbai have issued a comprehensive
systems and control audit report, of which points of special interest to
the audit committee are extracted and put forth as hereunder:
♦ M/s. BA Child Welfare Association is an NGO that has been
operating from Bangalore since October 2016. It had opened a
current account with the Mahadevi Bank’s Panjim branch on
12th April 2017. The auditors noted that several small value
cash deposits have been made from the NGO’s Bank account to a
current account since then, the ledger summation being
₹ 29.49 Lakhs for the year 2017-18. There have been two
instances of high value RTGS (Real-Time Gross Settlement)
transfers from this account to another account of a nationalized
bank’s branch located at Delhi, the first executed for ₹ 12 Lakhs
on 07th March 2018 and the second for ₹ 10 Lakhs on 29th
March 2018. The Bank Manager initiated an email on 29th March
2018 to NGO’s email-id available with the branch, requesting
for the details of the parties to whom the transactions were
initiated and the reason for the same. The NGO’s Bangalore
office replied that though it cannot share specific party details,
the transactions were initiated for fund remittances to another
Delhi based NGO having similar philanthropic purposes. The
auditors suspect this as a case of money laundering.
♦ The auditors recommended that the bank should initiate
integration to BHIM (Bharat Interface for Money) application to
provide better services to its account holders.
♦ The auditors suggested that a separate automated control
report be generated in the bank for each day-end closure which
will total all the centralized printed cheque book count and
cross-check the printed cheque book dispatch register.
♦ The Auditors observed that Letters of Credit (LCs) are currently
set in the bank to auto renew on expiry date.
♦ The auditor found that there are five thumb impression based
biometric units that are connected to terminals but are not
working.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 2.1. to 2.6.
2.1. For monitoring of suspected money laundering within a banking
environment, identify which type of nature and time frame of
the records the bank needs to maintain.
(a) All transaction details of the NGO for five years starting
from 12th December 2017.
(b) All transaction details of the NGO for five years starting
from 29th March 2018.
(c) All transaction details of the NGO for five years starting
from 07th March 2018.
(d) All transaction details of the NGO and other beneficiaries
for eight years starting from 07th March 2018.
2.2. Which of the following legal implications will be entailed on the
denial by the M/s BA Child Welfare Association for not sharing
third party specific information?
(a) It will be treated as a case of proven money laundering,
and the bank can immediately suspend the operations of
the account.
(b) Invoking of Section 13 of the PMLA that states of
penalty in the form of fine ranging from ten thousand to
one lakh per failure to report on the bank.
(c) The non-compliance of Know Your Customer (KYC)
Process.
(d) The NGO is right not to share information as it is private
information. It has explained the nature of the
transactions being a philanthropic entity and that
ensures compliance with AML guidelines from RBI.
2.3. The IS auditors of the Mahadevi bank recommended that the
bank should initiate its integration with BHIM application to
provide better services to its account holders. Which of the
following option, in the context of BHIM application, is not
correct?
(a) BHIM application requires the account holder to create a
VPA (Virtual Payment Address) or UPI (Unified Payment
Interface) Id.
(b) BHIM application can be used for bank transfers even
with non-UPI based platform.
(c) BHIM application is built on the immediate payment
infrastructure, and hence any person can transfer funds
between two bank accounts instantly.
(d) BHIM application can be used by both Unified Payment
Interface (UPI) users as well as non-UPI users.
2.4. The auditors suggested that a separate control report be
generated in the Banking System for each day-end closure that will
provide the total of all the centralized printed cheque book
counts. Which of the following controls will serve the purpose as
suggested by the auditors?
(a) Input Validation control
(b) Batch control
(c) Data coding control
(d) Data Validation control
2.5. Identify the appropriate risk management strategy from the
following on the finding of the auditor on ‘The Letter of Credits
(LCs) getting auto renewed on the expiry date’.
(a) Eliminate the risk by removing these LC records.
(b) Mitigate the risk by transferring the LCs back to the
suppliers.
(c) Tolerate the risk by ignoring the risk as these LCs will
get expired.
(d) Accept the risk and make adequate provision in the
books of accounts till the expiry date.
2.6. The auditor’s observation that having five non-operational
biometric thumb impression units would be an indication of
having a control lapse in an ERP module. Identify the module in
which the lapse could have occurred.
(a) Human Resource Module
(b) Controlling Module
(c) Credit and Risk Module
(d) Customer Relationship Management module
Answer Key
Question No. Answer
2.1. (a) All transaction details of the NGO for five
years starting from 12th December 2017.
2.2. (c) The non-compliance of Know Your Customer
(KYC) Process.
2.3. (b) BHIM application can be used for bank
transfers even with non-UPI based platform.
2.4. (b) Batch Control
2.5. (c) Tolerate the risk by ignoring the risk as
these LCs will get expired.
2.6. (a) Human Resource Module

3. Kartikeyan LLP (KKLP) Ltd. is an online start-up registered in 2018
under the URL www.onlinescrap.com with the intention of bringing
together small entrepreneurs engaged in scrap sale of core metals. It
has garnered tremendous response with almost five thousand small
vendors registered on its site. The management now wants to upgrade
the platform and roll out a partnership model where premium vendors
can buy and later also sell core scrap metals under the brand name of
KKLP Ltd. on the website www.onlinescrap.com to external parties as
well as registered vendors. The management defined the following
parameters for the growth of the company:

i. An Order to Cash (O2C) process implementation which will run
from tracking the availability of required scrap to receiving
payments on a tender basis.
ii. Decision to either go for its own ERP or to sign an SLA (Service
Level Agreement) with a cloud service provider who will be
required to host the entire portal on its cloud servers.
iii. Hiring of an IT manager who will help to create and maintain
various control aspects.
iv. Defining proper IT related policies.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 3.1. to 3.5.
3.1. In view of the above case scenario, which of the following
e-market business models is implemented by the management of
KKLP Ltd.?
(a) E-auction
(b) Buyer Aggregator
(c) Virtual Community
(d) E-Shop
3.2. KKLP Ltd. is in the process of implementing ‘Order to Cash
(O2C)’ cycle that involves following sub-processes:
i. Order booking
ii. Order fulfilment
iii. Invoice generation
iv. Delivery Note
v. General Ledger Accounting
vi. Collections
Which of the following represents the correct sequence flow of
sub-processes for O2C, in your opinion, for the present
scenario?

(a) i – ii – iii – iv – v – vi
(b) ii – iii – iv – v – vi – i
(c) i – ii – iv – iii – vi – v
(d) ii – iii – v – iv – vi – i
3.3. Which of the following clauses will not be a part of KKLP
Ltd.’s Service Level Agreement (SLA) in case the company opts
to hire the services provided by a Cloud service provider?
(a) The responsibility of the service provider to maintain
data connectivity 24x7.
(b) The responsibility of the service provider for providing
alternative data recovery plan.
(c) The rights and responsibilities of both KKLP and service
provider towards the SLA.
(d) The responsibility of the service provider for storage of
data and data security.
3.4. The management of KKLP requires its IT manager to generate
an exception report on a daily basis for those vendors who have
placed orders in excess of their permissible account limits and
to trigger a lock on their accounts from further operations,
which can be unlocked only by remitting funds to the extent of
the excess over the limit. This activity can be done by the IT
Manager by ________.
(a) introducing a detective control for monitoring limits
versus order balances at account level for each vendor.
(b) introducing a preventive control for past due accounts
report on each day end basis at account level for each
vendor.
(c) introducing a detective control for variance reporting
and auto emailing system to all exception flagged
vendors.

(d) introducing a preventive control based on hash totals
between permissible account limits and order placed
values where the excess will be reported for hash total
violation rules.
3.5. The IT manager of KKLP Ltd. is responsible for ensuring that no
one is permitted to download, copy or extract any information
from its website. However, a premium registered vendor, Mr.
Amit, managed to copy and replicate some vital information
from the company’s website. Under which Section of the IT Act,
2000 can Mr. Amit be held liable?
(a) Section 66D
(b) Section 43A
(c) Section 43
(d) Section 65
Answer Key
Question No. Answer
3.1. (b) Buyer Aggregator
3.2. (c) i – ii – iv – iii – vi – v
3.3. (a) The responsibility of the service provider to
maintain data connectivity 24x7.
3.4. (a) introducing a detective control for
monitoring limits versus order balances at
account level for each vendor.
3.5. (c) Section 43

4. XYZ Ltd. started as a small business company that, in its early
years, sold homemade organic soaps, serums, face washes and creams.
With time, the company added more beauty products to its list and
launched its e-business through a website. All the business processes
of the company are automated and therefore all the related data is
stored in various database tables that are managed at the backend in
the database. The company hired more employees to promote and sell
its products across the country and initiated selling its products
through online mode to reach customers worldwide. Subsequently the
company has grown as a big brand in the competitive market and has
started receiving orders from worldwide customers.
To make optimal use and quick sharing of data, the company started
keeping all its data on Google cloud. Now the marketing personnel and
salespersons of the company have readily available data related to
inventory and online orders anywhere, anytime. Also, they can update
their status and targets achieved on the company’s website instantly.
Initially, the company got 15GB free space on cloud, but in due course
of time, the demand for data storage increased, so it subscribed
for more space on cloud. The company is satisfied with the cloud
service as it isolates the company completely from server failures and
the company needs to pay only for the amount of storage it uses.
The company uses a digital mode of payment for both the customers
and suppliers and uses modules of an Enterprise Resource Planning
system. The organization has some controls in the system that
restrict unauthorized entry into the premises. Some controls have also
been designed to detect the occurrence of errors, omissions and
malicious acts and to report that occurrence. The company also appoints
an IS auditor to ensure the completeness, accuracy, and validity of data.
On a certain day, Mr. Sushil, the IT Head of a team of 10 members of
the company, observed while accessing the home page of the company’s
website that some content depicting children in sexually explicit
act was available on the website’s home page. He immediately
deactivated the website and informed the management of the
company about the incident, which in turn reported this to the cyber
security cell. On investigation, it was found that Mr. Biswas, one of the
team members of the IT Department, out of anger and desperation, had
hosted the same on the company’s website so as to bring disrepute
to the company.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 4.1. to 4.5.
4.1. Google Cloud frees XYZ Ltd. completely from the issues related
to the server in terms of its maintenance, failure, storage capacity
etc. Which of the following features of Cloud Computing does it
represent?
(a) Virtualization
(b) Reliability
(c) Resiliency
(d) Scalability
4.2. In view of the above case scenario, identify the kind of
cyber-attack faced by XYZ Ltd.
(a) Web defacement
(b) Denial of Service
(c) Cyber Terrorism
(d) Phishing
4.3. According to the case scenario, what could be the main
objective for which an IS auditor has been appointed by XYZ
Ltd.?
(a) Asset Safeguarding
(b) Data Integrity
(c) System Efficiency
(d) System Effectiveness
4.4. XYZ Ltd. uses an Enterprise Resource Planning System which
integrates all the modules with the Financial and Accounting
System of the organization. Which of the following points is not
valid with respect to the integration of modules?
(a) Master data across all the modules must be same and
must be shared with other modules whenever required.
(b) Common transactions must be shared with other
modules whenever required.
(c) There is no need of separate voucher types to be used
for each module.

(d) Figures and transaction may flow across the
department.
4.5. In view of the above case scenario, under which Section of the
Information Technology Act 2000 is Mr. Biswas punishable?
(a) Section 65
(b) Section 67
(c) Section 43
(d) Section 67B
Answer Key
Question No. Answer
4.1. (c) Resiliency
4.2. (a) Web Defacement
4.3. (b) Data Integrity
4.4. (c) There is no need of separate voucher types
to be used for each module.
4.5. (d) Section 67B

5. PQR Ltd. is a grocery store that has multiple outlets in various cities
across the country. It has automated all its data processing activities
and maintains its entire data in an integrated data center. All data
processing activities, servers, backup, and recovery are managed by the
IT department of PQR Ltd. All the devices are connected to the company’s
network and communicate with each other using a Unique Identification
Number.
The regular customers of the grocery store have been provided a
membership number and a membership card. When a purchase is
made by a customer, all the details related to the purchase are recorded
in the database against that membership number. As a part of its
promotional campaign activity, PQR Ltd. offers various discounts and
schemes to draw the attention of new customers and provides satisfactory
services to its existing customers. These schemes are developed by the top
management of PQR Ltd. based on purchase patterns, market trends
and association of purchases done by customers. The company is
using software for this which provides the details that enable the top
management to make efficient decisions.
PQR Ltd. maintains all the data in a common database. The setting of
parameters and menu options to be displayed in the software is done
the first time, when the software is installed. A specific menu option
can be viewed or activated by authorized employees only. These access
restrictions are applied in the software so that no user can access data
which he is not authorized to use. This is done to maintain the security
of the system.
The IS auditor appointed by the management reviews the information
system and recommends using real time audit, which may help the
company to close the gap between the occurrence of a transaction and
the review of that transaction. This real time audit will also help in
timely, comprehensive, and cost-effective audit of the transactions.
Based on the recommendation of the IS auditor, the company implements the
concurrent audit technique which tends to review all the updates in
the database and replica in the system. It also traps exceptions in the
database management system.
Management of PQR Ltd. establishes formal mechanisms to
monitor the working of the software on a regular basis. The company finds
some issues in processing and connectivity in the software. To resolve
these problems, the company modifies the programs according to
various reliable processing requirements. The latest changes made in the
software follow the upgradation of the operating system from
Windows 7 to Windows 10 in all its systems because some of the
modules of the software were not compatible with Windows 7.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 5.1. to 5.5.
5.1. Which type of maintenance is done by PQR Ltd. while
upgrading the Operating System from Windows 7 to Windows
10?
(a) Perfective Maintenance
(b) Corrective Maintenance

(c) Adaptive Maintenance
(d) Preventive Maintenance
5.2. To remain competitive in the market, PQR Ltd. needs to extract
the relevant information regarding the purchase patterns and
market trends from the market’s humongous numerical data
containing quantifiable variables. It also helps PQR Ltd. to offer
various discounts and schemes from time to time. Which of the
following methodologies of Data Analysis can be used to identify
such a trend?
(a) Exploratory Data Analysis
(b) Quantitative Data Analysis
(c) Qualitative Data Analysis
(d) Confirmatory Data Analysis
5.3. Assume that you are appointed as an IS auditor of PQR Ltd. to
review the security mechanism of its systems. While performing
your duty, at which level of the Information System will you review
the controls to ensure that users can see only particular menu
options according to the job assigned to them?
(a) Master
(b) Transaction
(c) Risk
(d) Configuration
5.4. In PQR Ltd., the customers have been provided a membership
card with a membership number and all purchase details of a
customer are recorded in the database against that membership
number. Identify the incorrect statement from the following that
does not support the above comment.
(a) Membership number is unique for each customer.
(b) In company’s database, Membership number represents
a primary key in the member database table.

(c) Membership number can be same for two customers.
(d) Membership number can be used to check for all the
transactions done by the customer.
5.5. According to the case scenario, which audit tool has been
implemented by the company to trap exceptions in its Database
Management System?
(a) Audit Hook
(b) Continuous and Intermittent Simulation
(c) Audit trail
(d) Integrated Test Facility
Answer Key
Question No. Answer
5.1. (c) Adaptive Maintenance
5.2. (b) Quantitative Data Analysis
5.3. (d) Configuration
5.4. (c) Membership number can be same for two
customers.
5.5. (b) Continuous and Intermittent Simulation

6. XYZ is a life insurance company which offers various products keeping
in mind the different needs of the people. It has more than 100
branches in India and all branches are computerized. The company
has a wide variety of insurance plans like protection, retirement,
health, saving and investment, child education and travel insurance
plans etc., which cater to the risk management and insurance
requirements of individuals as well as groups. Each plan offers
adequate risk coverage at low rates through a simple application
process. It offers rewards for healthy lifestyle at relatively low
premium and certain tax benefits as per the applicable Tax Laws.
With the goal to grow more, the company has given its customers the
facility to purchase its plans online. All the data related to
investors, claims, policies, and marketing agents is stored in a
database which can be accessed online. All data and the website of the
company are hosted on a cloud. The performance of the XYZ
insurance company in planning, implementing and monitoring the
computerization process has been reviewed by an IS auditor, Mr. Anil,
for the past 5 years. The audit of the Data Centre and Information System
department was conducted with a view to obtaining reasonable
assurance on the accuracy and consistency of data. The existence and
adequacy of IT controls and network controls were also reviewed.
The audit was conducted at 12 branches selected on a random
basis. The audit was performed against various frameworks,
standards, laws, guidelines, and policies relevant to the insurance
business as well as IT. The audit findings and recommendations of Mr. Anil
that were reported to Management are as follows:
i. All computers should be provided indirect network connections
with other networking services or servers.
ii. There is a need to make huge volumes of data available from
cloud at peak time.
iii. The controls that ensure the availability of system in case of
data loss due to unauthorized access and equipment failure etc.
are not adequate.
iv. There is a need to establish a mechanism to transfer the data
in an encrypted form so that it would be safe and other users
who are not authenticated cannot access that data.
v. Mr. Ajay dishonestly used the electronic signature of the branch
manager of Z branch of the Company and passed the false claim of
one of the buyers and allowed him to withdraw the funds.
Legal action must be taken against him.
vi. Special audit routines are advised to highlight and notify
suspicious records with frequent change in name and address
so that the system becomes less vulnerable to frauds like funds
withdrawal because of false claims.

Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 6.1. to 6.4.
6.1. The IS auditor Mr. Anil had found that Mr. Ajay dishonestly
made use of the electronic signature of the branch manager of Z
branch of the company and passed the false claim of one of the
buyers. Under which Section of the IT Act, 2000 is Mr. Ajay
punishable?
(a) Section 66B
(b) Section 66C
(c) Section 66D
(d) Section 43
6.2. What kind of server has been recommended by the IS auditor to
provide networking services to all computers of XYZ company?
(a) Proxy Server
(b) Web Server
(c) Database Server
(d) Application Server
6.3. In view of the above case scenario, which type of audit routines
can be recommended by the IS auditor Mr. Anil to avoid withdrawal
of funds due to false claims?
(a) Continuous and Intermittent Simulation
(b) Snapshot
(c) System Control and Review File
(d) Audit Hook
6.4. The company started using wearable smart watches and bands
for its customers to investigate the medical condition of an
individual who wishes to buy life insurance. In this context,
identify the risk management strategy adopted by the
company.
(a) Tolerate the risk

(b) Terminate the risk
(c) Transfer the risk
(d) Treat the risk
Answer Key
Question No. Answer
6.1. (b) Section 66C
6.2. (a) Proxy Server
6.3. (d) Audit Hook
6.4. (b) Terminate the risk

7. ABC is a car rental company running its business through
m-commerce. Its mobile app is very popular amongst people, who can
book a car online through it, and the company is earning a good profit.
It collects the information of a large number of taxi providers, makes
them its partners and sells their rental services to a large number of
buyers under its name. The company follows its employees’ health and
safety regulations and pays all the taxes on time.
Because of the growing competition in the market, ABC Company
wants to use some technology to stay in a sustainable position in
comparison to others and to reveal its capabilities and market
conditions so that it can take good strategic and tactical decisions to
maintain its repute in the market.
The company uses controls to protect its data and information on its
private network from the external as well as internal network by
filtering the information, thus allowing only authorized traffic to pass
through the network.
Despite all its functioning and care, a case has been reported where
two drivers of the company had transported cash of ₹12 lakhs
from Delhi to Jaipur without any bill or proof while taking
passengers in the company’s cab without notifying the
company’s higher authority. Hence, there is a need for legal action
against them.

Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 7.1. to 7.5.
7.1. Under which section of the Prevention of Money Laundering Act
are the two reported drivers of ABC Company liable?
(a) Punishment of cheating by personation
(b) Punishment to give false information
(c) Offence of Money Laundering
(d) Punishment of abetment
7.2. In view of the above case scenario, ABC Company wants to use
some technologies to stay in a sustainable position. Which
technology can help the company to make well-informed
business decisions and be the source of competitive advantage?
(a) Artificial Intelligence
(b) eXtensible Business Reporting Language (XBRL)
(c) Internet of Things
(d) Business Intelligence
7.3. According to the case scenario, what kind of business risk does
ABC Company try to avoid by giving health and safety facilities to
employees?
(a) Regulatory risks
(b) Financial risks
(c) Hazard risks
(d) Technology risks
7.4. In view of the above case scenario, what kind of business
market model is being followed by ABC Company?
(a) E-shop
(b) Buyer Aggregator

(c) Virtual community
(d) E-market
7.5. What kind of network access controls are being used by the
ABC Company to ensure network security?
(a) Firewall
(b) Call back device
(c) Encryption
(d) Enforced Path
Answer Key
Question No. Answer
7.1. (c) Offence of money laundering
7.2. (d) Business Intelligence
7.3. (a) Regulatory risks
7.4. (b) Buyer Aggregator
7.5. (a) Firewall

8. ABC is a multi-speciality hospital that provides best known healthcare
facilities to a large number of patients. The hospital has three more
branches in three different states. All the branches record their related
data including personal details and other comprehensive medical
history of the patient and the medical services being provided to the
patient such as investigations, diagnoses, treatments, follow up
reports and important medical decisions. These branches have been
managing all the operations related to administrative, financial, clinical
aspects and health care facilities manually in their respective branches.
Lately, the management of the hospital wants to streamline and
optimize all its business operations in all its branches. After consulting
the experts, the management decides on a strategy to implement a
comprehensive, integrated, and specialized system which is designed
to manage the administrative, financial, and clinical aspects of the
hospital and healthcare facilities of all its departments in a single
software and maintains a centralized database for all the relevant data.

• This proposed system is planned to be developed in-house
during which an IS Auditor Mr. Kamal is responsible to provide
his valuable inputs and supervise the development and working
of the system from auditor’s aspects.
• The proposed software or system would make available up-to-
date data that bring workflow efficiency in hospital
management.
• All its branches would be interconnected with each other
through intranet and share data with each other.
• Also, a few authorized administrative staff could track the status
of funds, patients’ records, doctors’ details etc. very easily just
at the click of a button.
• Each employee shall have a unique login Id and certain access
privileges depending on his/her job profile and designation.
• The proposed software has facility of electronic funds transfer
for its various stakeholders like vendors, patients, staff, and
doctors to provide them more satisfaction.
With the implementation of the new system, the security of the
confidential data of its patients that is being stored, processed, and
maintained in the centralised database is a serious concern for the top
management of the hospital. The hospital is also facing frequent
connectivity and security issues in its intranet, due to which the data
transmission between its branches has been getting disrupted. The
hospital management considers various risks associated with this,
including cyber risks and infringement of various IT laws, and also
plans to put appropriate controls in place to combat these speculated
risks. The controls are expected to ensure that, firstly, the risks do
not materialise and, if at all the risks become real, their impact is
minimal on the hospital’s operations and services. It also keeps a check
that no unlawful activity can take place.

Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 8.1. to 8.5.
8.1. Which strategy is used by ABC hospital that streamlined and
optimized its operations?
(a) Database Management System
(b) Business Process Reengineering
(c) Business Process Automation
(d) Bring Your Own Device
8.2. Identify the control mechanism that has been implemented by
ABC hospital to restrict its system access to authorized users
only so that they can access only that information which is
required by them to perform their duties?
(a) Mandatory Access Control
(b) Rule Based Access Control
(c) Privacy policy
(d) Role Based Access Control
8.3. ABC hospital considers various controls related to system
automation with the main objective of securing the confidential
data of its stakeholders. In the context of ABC Hospital, which
of the following is not included in Sensitive Personal Data
Information?
(a) Patients’ history
(b) Credit Card Details
(c) Hospital’s Healthcare Services
(d) Staff details
8.4. In view of the above case scenario, identify the type of audit
which Mr. Kamal is/can be involved in.
(a) Post Implementation Audit
(b) Concurrent Audit

(c) General Audit
(d) Control Audit
8.5. In your opinion, which of the following is a secondary process
of ABC hospital?
(a) Recruitment and Staffing
(b) Management of infrastructure
(c) Strategic Planning
(d) Budgeting
Answer Key
Question No. Answer
8.1. (c) Business Process Automation
8.2. (d) Role Based Access Control
8.3. (c) Hospital’s Healthcare Services
8.4. (b) Concurrent Audit
8.5. (a) Recruitment and Staffing

9. HAK Systems Private Limited (HAKSPL) has two distinct business lines,
viz. Engineering Services and Cloud-based server solutions. The
Chief Operating Officer (COO) observed that the company is facing
many problems by keeping data on disparate systems, which now
needs to be centralized. As a preliminary exercise, he prescribed
the following operational rules:
i. Central database for the engineering business line to be
modelled on a relational database model deploying RDB -
Oracle. This software can be installed on each system to
maintain the database.
ii. The rules pertaining to a sale invoice are written as:
a. Invoice Amount: Primary Key
b. Invoice Date: Attribute
c. Product Name in Invoice: Relation

iii. Access rights are to be well defined and implemented.
iv. Running a backup procedure each day at 22:00 hours.
v. Internally created ERP software to be deployed, which will be
efficient in terms of cost and performance.
vi. The COO wants to implement Voice over Internet Protocol
(VoIP) for efficient time management in terms of call recording,
custom caller ID, or voicemail to e-mail etc.
vii. Penalty to be enforced on any employee who misuses company
data stored in the company servers and computers.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 9.1. to 9.5.
9.1. In the context of the case scenario, what do you think about the
statement that ‘The access rights are defined on user
preference basis’?
(a) False, as access rights are defined on need-to-know
basis only.
(b) False, as access rights are defined on need to know and
need to do basis.
(c) False, as access rights are defined on need to know and
compliance basis.
(d) True, as access controls are defined on user preference
and utility basis.
9.2. Which control is adopted in the case of HAKSPL running a
backup procedure each day at 22:00 hours?
(a) Preventive Control
(b) Corrective Control
(c) Detective Control
(d) Application and Monitoring System Access Control
9.3. One of the business lines of HAKSPL is that of Cloud-based
server solutions. There exist several pros and cons of using
Cloud based services vis-à-vis Installed Applications. Identify
the incorrect statement in this context.
(a) Installation and maintenance of Installed application
software takes lot of time and efforts as compared to
Cloud-based application.
(b) The Capital Expenditure (CAPEX) spent for an installed
software application will be higher than the CAPEX for a
cloud-based application.
(c) The access of cloud-based applications is based on the
speed of internet which is not the case in case of
Installed applications.
(d) As Service Level Agreements (SLAs) provide details of
backup and disaster recovery alternatives, the data
security is easier in Cloud based application as compared
to the installed application software.
9.4. HAKSPL has a Cloud based server solution business line. As per
the suggestion of the COO, which of the following Service Models of
cloud computing will be used in VoIP?
(a) Platform as a Service (PaaS)
(b) API as a Service (APIaaS)
(c) Software as a Service (SaaS)
(d) Communication as a Service (CaaS)
9.5. Referring to the IT Act 2000, the COO suggested the penalty
for a person who extracts or copies any data from the
computer system of the company without prior approval. What
is the penalty, and under which section of the IT Act, 2000 is it
defined, for such an offence?
(a) Imprisonment for a term up to 3 years or with penalty
up to ₹ 5 lakh or with both under Section 66.
(b) Imprisonment for a term up to 5 years and with penalty
up to ₹ 5 lakh under Section 43A.
(c) Either imprisonment for a term up to 3 years or with
penalty up to ₹ 10 lakh under Section 66.
(d) Imprisonment for a term up to 5 years and penalty up to
₹ 3 lakh under Section 43A.
Answer Key
Question No. Answer
9.1. (b) False, access controls are defined on need to
know and need to do basis.
9.2. (b) Corrective Control
9.3. (d) As Service Level Agreement (SLA) provides
details of backup and disaster recovery
alternatives, the data security is easier in
Cloud based application as compared to the
installed application software.
9.4. (d) Communication as a Service (CaaS)
9.5. (a) Imprisonment for a term up to 3 years or
with penalty up to ₹ 5 lakh or with both
under Section 66.

10. Small Bank Limited (SBL), Bhopal (MP) is registered as a Small Finance
Bank (SFB) with the Reserve Bank of India (RBI), New Delhi and was
provided a license under the Government of India’s initiative to promote
financial inclusion. SBL started operations in April 2018 and has
100 branches spread across three states: Madhya Pradesh,
Rajasthan and Tamil Nadu. SBL’s balance sheet as on 31/03/2020 shows
the following key performance parameters.
1. Advances: ₹ 550/- Crores (75% in category of agricultural
Advances)
2. Gross NPA (In %): 2.5%
3. Net NPA (In %): 0.5 %
4. Deposits under CASA Accounts: ₹ 1,000/- Crores
5. Number of CASA account holders: ₹ 2,50,000 Lakhs
6. Number of Employees: 450


ISSUE
SBL started their business operations immediately after getting the RBI
License. They started using a Banking ERP by the name SmlCBS (Small
Core Bank Solution System), launched by a company named VBank
Limited (VBL), Pune (Maharashtra) which has been selling its products
to various co-operative banks across India since 2005.
The software was purchased by SBL bank without going through the
formal process of benchmarking the software against the bank’s strategic
and future business needs, and the bank launched its operations with a
lot of publicity and fanfare. The SBL Board had organized a public launch
function for the new software by inviting the IT ministers of all three
states where the bank has its operations.
Lately, an article published in a national daily newspaper
claimed that, due to the adoption of SmlCBS, there has been miscalculation
of interest on deposits in account holders’ savings bank accounts. The
article highlighted the details of a few account holders of the bank and
published a detailed report. The key facts published were as follows:
| | Example 1 | Example 2 |
|---|---|---|
| Name of Customer | Mr. X, Satna (MP) | Mr. J, Salem (Tamil Nadu) |
| The newspaper published the account statement for month of ___. | June 2018 | July 2018 |
| Interest credited by bank | ₹ 150.70 | ₹ 3,825.20 |
| Interest as per calculation | ₹ 150.75 | ₹ 3,825.25 |

The newspaper article ended by stating that the bank has 2,50,000
account holders. If each account holder loses ₹ 0.05 (Five Paisa) each
month, that means the bank is gaining and transferring ₹ 12,500/- per
month to an authorized account, thereby meaning a profit of ₹ 1,50,000/-
per year.
MANAGEMENT ACTION ON ISSUE
As soon as the matter came into the public domain, the management of SBL
realized that swift action was needed on an urgent basis. The SBL board
called for a high-profile meeting and discussed the matter. At the end
of the meeting, the management took a firm decision to get the bank’s
system audited by IS Auditors. Subsequently, Mr. Aman was hired to
conduct the audit, which he completed, submitting his report with the
following observations:
i. Many important reports like Asset Liability Management (ALM),
Cash Reserve Ratio (CRR), Statutory Liquidity Ratio (SLR)
reports are not being provided by the SmlCBS.
ii. SmlCBS does not have capability to add a new report that may
be needed in future.
iii. SmlCBS does not have any disaster recovery plan.
iv. SmlCBS does not provide mobile banking facility.
Mr. Aman recommended that the management of SBL Bank procure a new
Core Banking Solution. The board immediately decided to change the
software. This time, SBL went through the due process of software
selection and implemented new software.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 10.1. to 10.4.
10.1. The implementation of SmlCBS in SBL did not involve any
formal process whereas the CBS implementation needs to be
controlled and monitored. Which aspect of CBS deployment has
critically been compromised in this situation primarily?
(a) Support
(b) Selection
(c) Planning
(d) Testing
10.2. In purview of above case scenario, the published key facts in
the newspaper represented a fraudulent way of interest
calculation which was due to inherent weakness in system. This
would be classified as a ____________.
(a) Risk
(b) Vulnerability
(c) Threat
(d) Impact
10.3. The national daily newspaper pointed out the error in interest
calculation where each account holder loses ₹ 0.05 (Five Paisa)
each month. It is most likely to be classified as ____.
(a) Spoofing
(b) Bomb
(c) Piggybacking
(d) Rounding Down
10.4. Mr. Aman’s report highlighted that SmlCBS does not have any
disaster recovery plan. In case of disaster, the bank may be
subject to grave risk. These types of risk are addressed through
having _________.
(a) Data Management Control
(b) Programming Management Control
(c) System Development Control
(d) Security Management Control
Answer Key
Question No. Answer
10.1. (c) Planning
10.2. (b) Vulnerability
10.3. (d) Rounding Down
10.4. (d) Security Management Control

11. LMN Company has manufactured home decorative products since 2006.
However, over the past few years, rising manufacturing costs have
significantly eroded the company’s operating profit margins. Currently,
the machined manufacturing process and manual labour process
represent 30% and 70% of the total production costs, respectively.
To combat this negative operating trend, company’s management
hired ENY Company, a consulting firm to consider both Business
Process Management and Business Process Reengineering and to
assess the benefits, risks, and control objectives associated with the
company.
After performing due diligence, the consulting firm recommended a
Business Process Management (BPM) plan that involved cutting 10%
of the production workforce over the next three years and replacing
15% of the manual production process with newly designed machines.
The firm also completed an analysis on Business Process
Reengineering (BPR) plan that would eliminate 80% of the current
production workforce over the next three years and fully automate the
production process over cloud server except for the Quality control
function and packaging supervision, along with adoption of E-
commerce environment and implementation of information system to
integrate all the functions. Upfront cost to implement the Business
Process Reengineering program is more significant than the BPM.
ENY Company submitted both the recommendations to LMN’s
management, highlighting the recommendations for general controls
for computerized systems and other IT-related internal controls. The
management must decide whether incremental change or radical change is
more appropriate given the upfront costs to execute the plans and the
expected annual cost savings associated with each plan.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 11.1. to 11.4.
11.1. During the Board meeting of LMN Company, the management
reviewed both the plans submitted by ENY Company and
noticed that, unlike BPR, business process management
works on 3E’s for business process. Which of the following does
not belong to this category?
(a) Execution
(b) Effectiveness
(c) Efficiency
(d) Economy
11.2. The management of LMN Company would like to implement
overall business management systems with common database
to integrate all functional areas within the company and allow
information exchange and collaboration among all parties
involved in business operations. Identify from the following the
most effective system for this application.
(a) A Decision Support System
(b) An Executive Information System
(c) An Office Automation System
(d) An Enterprise Resource Planning System
11.3. ENY Company recommended general controls for successful
implementation of IT Systems in LMN Company. Which of the
following statements represents an example of a general control
for a computerized system?
(a) Limiting entry of sales transactions to only valid credit
customers.
(b) Creating hash totals from Unique ID numbers for the
weekly payroll.
(c) Restricting entry of accounts payable transactions to
only authorized users.
(d) Restricting access to the computer center by use of
biometric devices.
11.4. As per the recommendations of ENY Company on Information
Technology General Controls (ITGC), the management of LMN
Co. decided to implement Segregation of Duties (SoD) as one
of the primary ITGC. Which of the following statements best
describes the importance of SoD?
(a) Within the IT department; the duties of system analysts,
computer programmers, computer operators, and
security administrators should all be the responsibility of
one individual.
(b) Good internal control requires that no single employee
be given too much responsibility over business
transactions or processes. An employee should not be in
a position to commit and conceal fraud.
(c) Segregation of Duties is defined as dividing
responsibilities for different portions of a transaction
(authorization, recording, and custody) for those
employees who are on probation.
(d) The objective of SoD is to encourage any one person
from having total control over all aspects of the
transaction.
Answer Key
Question No. Answer
11.1. (a) Execution
11.2. (d) An Enterprise Resource Planning System
11.3. (d) Restricting access to the computer center by
use of biometric devices.
11.4. (b) Good internal control requires that no single
employee be given too much responsibility
over business transactions or processes. An
employee should not be in a position to
commit and conceal fraud.

12. Ridonix, a Pune-based Data Analytics firm, has a workforce of 15 data
scientists and 50 analysts and has been specializing in the field of
Finance and Costing analytics. It has served many major hotel chains
of the country and has been successful since its inception.
Ghoomo Hotels, having a chain of 25 hotels all over India, was going
through a huge cash crunch and was on the verge of closure. They
approached Ridonix to find solutions to reduce costs and implement
effective pricing models to lure customers. The objective given to
Ridonix is to bring the hotel chain to break-even point in the next two
years.
The analysts’ team from Ridonix gathered relevant information from
Ghoomo’s operations team and found many genuine loopholes in their
systems. The following were the observations of Ridonix:
♦ There were multiple booking partners to operationalize the
online bookings in hotels for which high commissions/discounts
were being paid but no proper checks on payouts to these
booking partners were in place.
♦ Further, there were three banking gateway partners associated
throughout who were charging higher than industry standards
as their convenience fees.
♦ The booking system was also internally flawed as it could not
manage and update cancellations online which means that the
systems reported rooms as booked to new customers whereas
they had actually been cancelled online.
♦ Due to lack of clear implementation of Segregation of Duties,
major confidentiality breach was reported, wherein two
employees Mr. Rajesh and Mr. Ajay could gain access to
confidential data of customers and their preferences and had
sold the huge data to Ghoomo’s competitors in the market.
♦ The entire internal reporting system was redundant and needed
a corrective update.
The system advisory report from Ridonix suggested that the
management of Ghoomo Hotels take the following corrective
measures:
a. To call in change management of the existing reporting
software so that any cancellation through any booking
partner/customer gets promptly reflected to all the
online booking partners/customers.
b. To implement an integrated payment system rather than
relying on multiple gateways of multiple banks to save
costs in banking transactions.
c. To create a dummy entity in the application system files
to verify periodically the availability of timely and
accurate information to all the customers/booking
partners.
e. To get legal contracts drafted by legal experts and put
them up on the website and application of Ghoomo
Hotels so that the business may be safeguarded from
data privacy litigations in future.
f. IT department of Ghoomo hotels to clearly demarcate
the duties for different personnel to ensure that there
are no Segregation of Duties (SoD) conflicts.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 12.1. to 12.5.
12.1. Identify the cheapest and most effective payment mechanism
to get implemented as an integrated payment channel for
Ghoomo Hotels.
(a) Aadhar Enabled Payment Services (AEPS)
(b) UPI based Application
(c) Immediate Payment Service (IMPS)
(d) Mobile Wallets
12.2. Ridonix advised its client to focus on change management as
the first and foremost step for strengthening its Information
System. What kind of control have they advised Ghoomo Hotels
to focus on here?
(a) Data Resource Management Control
(b) Application Control
(c) Managerial Control
(d) Preventive Control
12.3. One of the biggest challenges for Ghoomo Hotel is the situation
where no corresponding update in the systems is occurring in
case of cancellations, thereby leading to huge revenue loss.
Which of the following tools would be best suited to Ghoomo
Hotel in order to keep pace with Ridonix’s advice?
(a) SCARF (System Control Audit Review File)
(b) Audit Hooks
(c) Audit Trail
(d) Integrated Test Facility (ITF)
12.4. With a strong ERP System in place as suggested by Ridonix,
which of the following controls would best curb the confidential
data misuse by its employees?
(a) Server Back Up Arrangement
(b) Network Access Control
(c) Role Based Access Controls
(d) Physical Access Controls
12.5. Mr. Rajesh and Mr. Ajay could gain the confidential data of
Ghoomo’s customers and misused it for profit making purpose.
Under which Section of Information Technology Act 2000 can
they be punished for misusing and selling the confidential data
they had access to?
(a) Section 67
(b) Section 66C
(c) Section 66D
(d) Section 43
Answer Key
Question No. Answer
12.1. (b) UPI based Application
12.2. (b) Application Control
12.3. (d) Integrated Test Facility (ITF)
12.4. (c) Role Based Access Controls
12.5. (d) Section 43

13. 1K Pvt. Ltd. is a new generation sports drink manufacturing company.
The company recently took a loan of ₹ 1.50 crores from Dhan Bank, its
banking partner for the e-commerce portal, to double up its
manufacturing unit in Aurangabad. The business is focused on a niche
target market with immense potential in India. The owners are quite
satisfied with the results so far, but also face a few challenges as they
plan to scale up.
Ms. Kumari G., the founder of 1K Pvt. Ltd., hired a market
research firm to ratify her instinct that the teenage segment in India is
increasingly focused on sports and fitness, and has
disposable income available to spend on themselves. The market firm did an
in-depth data analysis and reported that it is indeed a potential market
with 10x growth visibility in the coming 5 years.
The Company with recent plans of scaling up operations called for a
special meeting to find solid solutions of identified concerns. The
major concern of the management was regarding the Purchase
Department. Firstly, delays in posting accurate information regarding
raw material inventory were creating undue pressure on the
production line. Proper reporting mechanism was suggested to be put
in place. Secondly, major concern was cash leakage from the system.
Internal Audit experts were notified to put in strong audit trails to
mark red flag transactions and further block those transaction owners
temporarily.
1K Pvt. Ltd.’s core identity as a new-age company focused on teenagers
is also mandated in its office campus. The employees are encouraged
to continue working on their own devices at work and are
reimbursed the cost of internet if they use their personal hotspots. It
creates an environment of individuality and freedom amongst workers.
It has also helped the company save a good amount of money in IT
infrastructure and network provider costs.
The company reported revenue of ₹ 3.00 crores last year, and with
scale up of operations, it is projected that numbers would cross
₹ 10.00 crores in the coming year.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 13.1. to 13.4.
13.1. To save on IT infrastructure costs, 1K Pvt. Ltd. encouraged
its employees to continue working on their own
devices at work. Which of the following would not be a risk
associated with this practice?
(a) Network Risk
(b) Loss of Device Risk
(c) Reduced IT Support
(d) Application Viruses and Malware
13.2. Referring to the case, which of the following phases in the Inventory
Cycle is the pressure point for 1K Pvt. Ltd.?
(a) Production Phase
(b) Ordering Phase
(c) Delivery Phase
(d) Sales Return Phase
13.3. The flow of transaction data between the Dhan Bank’s server
and 1K Pvt. Ltd.’s server when a customer initiates a purchase
on the company’s website includes the following steps:
(i) Customer Places Order on Website.
(ii) Request flows to Payment Gateway.
(iii) Request for Bank’s confirmation is generated.
(iv) Order request sent to Merchant’s Server.
(v) Updated status on Merchant’s Server.
(vi) Confirmation sent to Payment Gateway.
(vii) Request accepted and approved by bank and funds
transferred to merchant.
(viii) User is notified about payment and order is placed.
What would be the correct sequence of aforementioned steps?
(a) (i), (iv), (iii), (ii), (v), (vii), (vi), (viii)
(b) (i), (v), (iii), (ii), (vii), (iv), (vi), (viii)
(c) (i), (iv), (ii), (iii), (vii), (vi), (v), (viii)
(d) (i), (ii), (iii), (iv), (v), (vi), (vii), (viii)
13.4. Which of the following will not be ensured by the audit tool
used to protect 1K Pvt. Ltd. from cash leakage in the system?
(a) Detect Unauthorised Access
(b) Block Cash Outflow Ledgers
(c) Reconstruct flow of Events
(d) Monitor user activity
Answer Key
Question No. Answer
13.1. (c) Reduced IT Support
13.2. (b) Ordering Phase
13.3. (c) (i), (iv), (ii), (iii), (vii), (vi), (v), (viii)
13.4. (b) Block Cash Outflow Ledgers

14. ABC Ltd., a leading manufacturer of Water Purifiers all over the
country having a customized ERP System, decided to launch a new Wi-Fi
enabled water purifier “Purity” with UltraViolet Filters and advanced
technology. The purifier Purity can be connected with the home Wi-Fi
and when the purifying agents deplete, the user may inform the
service agents of the company, for which the management has already
outsourced the servicing process and Annual Maintenance Contract
(AMC) to different local agencies.
At the time of manufacturing the product, the company opted for a
Bank Guarantee from the Amy Bank for making the payment of raw
material purchased from the supplier.
The company also changed the collection of payment policy for
debtors by giving them more payment options as well as introducing
the discount policies on bulk purchases and timing of the payments.
Additionally, with an objective to reduce the paper consumption and
cost-saving, the management preferred online marketing over paper-
based marketing and online invoicing.
To increase the awareness of their product “Purity” and make it easier
for customers to use it, the management decided to register itself on
famous e-commerce websites so that the product can be delivered to
its customers at their doorsteps. Now, the customer can purchase
Purity online as well as offline. They also decided to open a Cash on
Delivery (CoD) option for its customers with free shipping and easy
returns.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 14.1. to 14.4.
14.1. In the purview of the above case, the advertisement and sale
of product can be made using either online or offline means.
The order will be fulfilled, invoice created, payment received
and then accounting will be done. Which business process
consists of these multiple sub-processes?
(a) Inventory Cycle
(b) Order to Cash
(c) Purchase to Pay
(d) Fixed Assets
14.2. As the Bank Guarantee of ABC Ltd. has been approved by the
company Amy Bank, the bank accrued certain amount over the
tenure of the bank guarantee. The amount which the Bank
receives from the ABC Ltd. can be termed as ______.
(a) Interest Income
(b) Discounting Income
(c) Commission Income
(d) Guarantee Charges
14.3. Since ABC Ltd. has decided to outsource the working of the
service agents and AMC, the company is required to establish
certain controls to examine it well. Under which Managerial
Control can the monitoring of the outsourced contracts be
done?
(a) Data Resource Management Controls
(b) Quality Assurance Management Controls
(c) Security Management Controls
(d) Operations Management Controls
14.4. ABC Ltd. had adopted online marketing rather than paper-
based marketing and online invoicing to their customers. Which
technology follows this practice?
(a) Grid Computing
(b) BYOD
(c) Mobile Computing
(d) Green Computing
Answer Key
Question No. Answer
14.1. (b) Order to Cash
14.2. (c) Commission Income
14.3. (d) Operations Management Controls
14.4. (d) Green Computing

15. KPL Bank is a new entrant in the banking sector that got established in
2019, after getting approval from the Reserve Bank of India for setting
up a universal bank. The Directors decided to change the regular
banking style by adopting some of the new ideas which will assist in
catering to the market and gain competitive advantage over other
banks.
♦ The bank decided to implement the Core Banking System that
will help in accessing the same bank data by all the branches
and ATMs.
♦ The management of KPL Bank decided to introduce “Tab
Banking” wherein the bank officials would go to the customer’s
place and open the bank account at their premise by clicking
the customer’s photographs and scanning the required
documents using tab.
♦ They decided to provide banking services at doorstep to senior
citizens and differently abled customers wherein the bank may
help these people in deposit and withdrawal of the cash, and
other banking services at their doorstep.
♦ A mobile application named "mKPL" would be created that may
allow the customers to make financial transactions, check
balance, transfer money, and perform other banking operations
using their smart phones or tablets.
♦ Banks being the backbone of the economy, KPL Bank decided
to be better equipped with technology to minimize fraud and
control exposure risks. Hence the management also aimed to
strengthen its Information Technology department with proper
segregation of duties among personnel. This step will help in
establishing proper controls with risk management.
♦ They worked towards the establishment of branches in rural
areas all over the country and providing the farmers with loans
and different savings options.
♦ The bank adheres to all the regulatory and compliance
requirements applicable to them. Their focus is on using IT in
the best possible ways and achieving higher customer
satisfaction by rendering them all the products and services.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 15.1. to 15.5.
15.1. The Reserve Bank of India has given approval to “KPL Bank” to
start operations as a universal bank. Which among the following
Acts gives the power to the Reserve Bank of India to license new
banks to start operations?
(a) Reserve Bank of India Act, 1934
(b) Banking Regulation Act, 1949
(c) Prevention of Money Laundering Act, 2002
(d) Information Technology Act, 2000
15.2. As a part of risk management, the KPL Bank is deploying a
separate Information Technology organization structure with
proper segregation of duties for different personnel within IT
department. This type of risk management comes under which
control?
(a) Application Control
(b) Internal Control
(c) Semi-Automated Control
(d) Infrastructure Control
15.3. In the purview of the above case, KPL Bank wants to be better
equipped to minimize frauds and control exposure risks. Which
technology will help in examining those data sets?
(a) eXtensive Business Reporting Language
(b) MIS Reporting
(c) Data Analytics
(d) Grid Computing
15.4. As per the above, the application of KPL Bank named “mKPL” is
created to help the customers to perform the transactions at
their convenience. Identify the emerging technology on which
“mKPL” works?
(a) Cloud Computing
(b) Grid Computing
(c) Mobile Computing
(d) Green Computing
15.5. KPL Bank is using the Core Banking System that has a server
which provides consolidated view of all the bank’s operations,
and the bank data can be accessed from a server by all the
branches as well as the ATMs. In which part of the system,
bank data is stored?
(a) Proxy Server
(b) Central Server
(c) Local Server
(d) Print Server
Answer Key
Question No. Answer
15.1. (b) Banking Regulation Act, 1949
15.2. (d) Infrastructure Control
15.3. (c) Data Analytics
15.4. (c) Mobile Computing
15.5. (b) Central Server

16. New India Global Healthcare Private Limited (NIGHPL) is a medical
insurance service provider company in India. Presently, the company is
working on its software called “Nirogaya” to maintain all records such
as details of all policyholders, premium and outstanding premium, and
various reports that may require further customization on manual
basis. However, due to system vulnerability and a lack of appropriate
controls, an incident recently took place wherein an employee, Mr.
Ramesh, was caught sharing confidential records of 1000+
policyholders with NIGHPL’s competitor, Satyam Cell Marketing Global
Private Limited.
Mr. Sumit, appointed as an IS auditor of NIGHPL, conducted its IS audit
and highlighted some key control weakness issues and commented on the
company’s password policy, which was prepared but not implemented by
the Information Technology (IT) Department. He submitted his audit
report to the Board of Directors of NIGHPL and recommended
immediate attention of management to address the issues as specified
in the report. With a need for immediate action, the Board of Directors of
NIGHPL held a meeting with its senior members of the management
including the Chief Information Officer, Chief Financial Officer and Chief
Executive Officer. The decisions taken in the meeting were as follows:
♦ To approach Big 4 System Development and Service Provider to
develop ERP system and its implementation at various locations
across the country with in-built effective and efficient IT
Controls in place.
♦ To implement Balanced Scorecard, a strategy performance
management tool to identify and improve various
internal business functions and their resulting external
outcomes.
♦ To provide no access to details of policyholders to any
employee without prior permission of IT head.
Mr. Sukant, an employee of Big 4 system development and service
provider, was assigned the job to understand the requirements for the
proposed system of NIGHPL. For that, he frequently visited the
company and interacted with users of the computer system. The
Company also approached Amazon Web Services to provide them
access to Virtual Machines for data processing. The Company had also
prepared the backup strategy whereby the data is taken from the live
environment to backup drive.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 16.1. to 16.4.
16.1. In the light of IT Act, 2000; who will be held responsible for
paying compensation to the policyholders of NIGHPL whose
data got leaked for failure to protect their data?
(a) Directors of Satyam Cell Marketing Global Private
Limited
(b) Directors of New India Global Healthcare Private Limited
(c) Shareholders of New India Global Healthcare Private
Limited
(d) Directors of Big 4 system development and service
provider
16.2. The IS auditor has observed that NIGHPL has not implemented its
password policy properly and has allowed users to keep short-
length login passwords for system access, with users not aware of the
need to change them frequently. This refers to ________ in purview of
Information System Concepts.
(a) Exposure
(b) Threat
(c) Vulnerability
(d) Attack
16.3. NIGHPL approached Amazon Web Services to provide them
access to Virtual Machines for data processing. Which of the
following Cloud Computing Service Models will be useful for this?
(a) Network as a Service (NaaS)
(b) Infrastructure as a Service (IaaS)
(c) Platform as a Service (PaaS)
(d) Software as a Service (SaaS)
16.4. If you were requested to advise NIGHPL’s management on its
Password Policy to be followed by its users to protect its data,
which of the following features will you recommend to make the
password control strong?
(a) Password length should at least be of 4 characters.
(b) Password should be changed once in a year.
(c) Password should always be in numeric form.
(d) Password of user should be blocked after three
unsuccessful login attempts.
Answer Key
Question No. Answer
16.1. (b) Directors of New India Global Healthcare
Private Limited
16.2. (c) Vulnerability
16.3. (b) Infrastructure as a Service (IaaS)
16.4. (d) Password of user should be blocked after
three unsuccessful login attempts.

17. CBZ Singapore Global Insurance Limited is a reputed Insurance
Company with its Head Office located in Singapore. With an aim to
expand its business, the company started a subsidiary company in
India in the year 2019 and obtained the license from Insurance
Regulatory and Development Authority (IRDA).
In India, IRDA is an autonomous statutory body tasked with regulating
and promoting the insurance and re-insurance industries in India. It
protects the interest of policy holders; and regulates, promotes and
ensures orderly growth of the insurance in India. Information Systems
Audit has a significant role in the emerging insurance sector.
CBZ Singapore Global Insurance Limited has framed and set up a
committee of ten personnel for implementation of ERP to automate all
business processes in the company. The committee is also responsible for
the compliance of various rules and regulations of IRDA and other
applicable laws.
The Company adopts Mobile Computing to sell its insurance products
online. Also, the company establishes 50 branches throughout India to
appoint agents to promote the selling of its insurance products.
Company uses a Wide Area Network to allow its agents away from
home office to obtain current rates and client information and to
submit approved claim using notebook computers and dial in modems.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 17.1. to 17.3.
17.1. In the given case scenario, the technology Mobile Computing
adopted by CBZ Singapore Global Insurance Limited will have
its own limitation. Which of the following will fall under the list
of limitations of Mobile Computing?
(a) Ensuring reduced travel time for employees.
(b) Ensuring mobile workforce with remote access to work
order details.
(c) Increased information flow enables in improving
management effectiveness.
(d) The users’ disrupted access of information due to
insufficient bandwidth.
17.2. In the given scenario, suppose there is a leakage of
sensitive/confidential data of any policy holder. Who will be
held liable to pay compensation for failure to protect
policyholder’s data under IT Act, 2000?
(a) Directors of CBZ Singapore Global Insurance Limited
(b) Shareholders of CBZ Singapore Global Insurance Limited
(c) Officer of Telecom Regulatory Authority of India
(d) Agents of CBZ Singapore Global Insurance Limited
17.3. Suppose you are appointed as an IS auditor of CBZ Singapore
Global Insurance Limited. When you are going to audit the
implementation of Physical Access Controls, which of the
following activities is not undertaken by you?
(a) You must check that the risk assessment procedure
adequately covers periodic and timely assessment of all
physical access threats.
(b) You must check whether the physical access controls are
adequately in place.
(c) You must examine the relevant documents such as
security policies and procedures are prepared.
(d) You must develop and document an overall audit plan
describing the expected scope and conduct of the audit.
Answer Key
Question No. Answer
17.1. (d) The users’ disrupted access of information due
to insufficient bandwidth.
17.2. (a) Directors of CBZ Singapore Global Insurance
Limited
17.3. (d) You must develop and document an overall
audit plan describing the expected scope and
conduct of the audit.

18. M/s XTC Ltd. is an FMCG company dealing in home care, personal care, and
health care products. The company has been seeing a drop in sales over the
past few years. The company has traditional distribution channels which
include wholesale dealers, retailers, and agents. The company has been
using a legacy integrated system since 2004. To get a better
understanding of the reasons for the decline in sales, XTC Ltd. decides to
appoint a consultant. The company appoints Ms. Venus Andromida
(Ms. VA) as business consultant.
Ms. VA has more than a decade of experience and is an MBA from IIMA
plus qualified CISA, CISM expert. Ms. VA has been given six months to
analyse the reasons for decline in sales and submit her report for the
same. Ms. VA submits her reports in two parts with Part one dealing
with identification of key reasons for business decline and Part two
proposing the solution to identified problems.
Report’s Part I: Ms. VA finds that Customer order execution
(Turnaround Time: TAT) is twice the market norms. In the present
system, retailers’ orders are accepted by sales representatives who
send the same to HO on email where the Sales head takes the
necessary actions. This process is having many human interfaces
leading to delay in supply of goods to customers once email has been
sent for orders. Many times, the received goods and ordered goods do
not match. All these factors result in untimely delivery of products
thereby leading to dissatisfaction amongst its customers.
Report’s Part II: Ms. VA suggested following solutions:
1. XTC Ltd. needs to implement ERP system that shall integrate all
departments of the company including key departments - Sales
and Distribution, Material Management, Financial Management,
Production and Planning and Costing & Human Resources. This
shall help the company optimize resource utilization and
increase profitability.
2. The proposed system shall have an online mobile APP enabled
system of order acceptance from retailers and wholesalers.
Mobile APP to be installed on all sales representative systems.
3. In the new system, the reorders levels for various products for
each wholesaler shall be preloaded individually to make
inventory management better. As soon as inventory level of a
product will reach reorder level, system will send a purchase
order for Re-order Quantity/Economic Order Quantity to
vendor. This shall significantly reduce the Turnaround Time.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 18.1. to 18.3.
18.1. Ms. VA proposed to implement ERP System in XTC Ltd. with an
objective of getting benefitted in terms of various aspects.
Identify the factor not achieved with ERP implementation.
(a) Reduction in Cycle time
(b) Better utilization of resources
(c) Enhanced decision-making capability
(d) Reduced implementation time
18.2. Ms. VA in first part of her report mentioned the increase in
customer dissatisfaction due to delay in product delivery to
customers. Which type of business risk applies to such event?
(a) Operational Risk
(b) Hazard Risk
(c) Compliance Risk
(d) Technology Risk
18.3. Ms. VA suggested in her report that XTC Ltd. shall implement
ERP system to manage its database in centralized manner.
Identify which amongst the following is not an advantage of
Database Management System.
(a) Minimizing data redundancy
(b) Enhanced Data sharing
(c) Program and file consistency
(d) Independent file formats
Answer Key
Question No. Answer
18.1. (d) Reduced implementation time
18.2. (a) Operational Risk
18.3. (d) Independent file formats

19. VK Textile Cotton Fabrics Private Limited is an export-oriented unit
established in the year 2016. The company manufactures Cotton
Fabrics in India and exports it to some Asia-pacific countries also. In
December 2019, the company acquired a manufacturing unit of Dubai
(UAE). Presently, the company is in the process of listing its
securities on the Bombay Stock Exchange and National Stock Exchange.
Mr. Sameer Jain joined the Company as Chief Executive
Officer (CEO) with effect from 01st January 2020. After taking
charge of his duties, he held various meetings with the company’s management,
directors and stakeholders and presented a unified proposal on the future
of the company, which is as given below:
♦ Expansion of the company business in other foreign countries
including European Countries and Gulf Countries.
♦ With best quality product under reasonable price i.e., called
value for money for its customers worldwide.
♦ Spreading out more e-commerce business activities and online
presence worldwide.
♦ Development & Implementation of Information System security
policy.
♦ Adoption of new and emerging IT technologies includes Cloud
Computing, Mobile Computing, Green Computing etc. for the
company.
♦ Reciprocal agreement for disaster recovery with another
company called G.K. Global Textile and Cotton Fabrics Limited
(already a listed entity in Bombay Stock Exchange) w.e.f. 5th
January 2020 wherein they both agree to provide backup
facilities to each other in the event of one suffering a disaster.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 19.1. to 19.3.
19.1. VK Textile Cotton Fabrics Private Limited has entered into a
reciprocal agreement as one of the strategies of Disaster
Recovery Planning. Which of the following risk treatment
approach does it indicate?
(a) Risk Transfer
(b) Risk Elimination
(c) Risk Mitigation
(d) Risk Acceptance
19.2. In purview of above case scenario, which of the following
technology as suggested in unified proposal is a practice of
using computers and IT resources in a more efficient
environmentally friendly and responsible way?
(a) Grid Computing
(b) Cloud Computing
(c) Virtualization
(d) Green Computing
19.3. Under which sub process of Information Security, the company
can implement security at configuration and security for any
transaction?
(a) Database Security
(b) Network Security
(c) Application Security
(d) Operating System Security
Answer Key
Question No. Answer
19.1. (a) Risk Transfer
19.2. (d) Green Computing
19.3. (c) Application Security

20. KD Health and Medical Care Limited provides medical health check
and other medical outsource services to its various
clients/customers that include pharmacists, physicians, patients,
educational institutions, day care establishments, government agencies
and insurance companies. The company is located in Agra with all its
100 employees living on the private land space situated at Agra.
The Company has a policy of allocating the super-user password to
General Manager (GM) in Finance Department. The same is defined in
the Job Profile of GM (Finance) who is responsible to supervise the
allocation, deletion, modification, and suspension of user rights to
employees based on approvals made by HR Department. On 26th
September 2018; the General Manager (Finance) resigned from the
Company and on 1st October 2018; a new joinee who joined the
company as GM was given another super-user password.
In due course of time, the Company hired Mr. John as its internal
auditor in the month of March 2019. After the due procedure, he
submitted his draft IS Audit Report to Chief Executive Officer (CEO)
and Managing Director highlighting following key control issues:
♦ There is no basic configuration in the accounting system to
restrict cash payment in excess of ₹ 10,000/- that results in the
expense being disallowed as a business expense. That shall
lead to increase in the tax liability of the company.
♦ There is no effective internal control system regarding user
management, creation, and modification of accounting voucher.
♦ Since the joining of Mr. Amit as an accountant, there have been
some audit logs in which some dates were missing and altered
in some other cases.
♦ There are unused computer systems lying idle. There is no
antivirus or security mechanism existing in the computer
systems of the employees carrying out day to day transactions.
♦ There are versions of unauthorized software installed on
numerous computer systems.
♦ There is no physical and environmental control policy for
safeguarding of company assets.
IS auditor recommended a proposed solution to overcome the
aforementioned issues. To implement the same, he recommended a
strategy to adopt new accounting system with the old and new
systems both being used alongside each other, both being able to
operate independently. If all goes well, the old system is stopped and
new system carries on as only system.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 20.1. to 20.4.
20.1. Mr. Amit could modify few vouchers for which he was not
authorised to, hence the audit logs in some cases were altered,
which indicates the violation of Segregation of Duties control.
Under which of the following category this control falls?
(a) Preventive Control
(b) Environmental Control
(c) Corrective Control
(d) Detection Control
20.2. In the given case scenario, IS auditor used a concurrent audit
technique to check whether the accounting system is restricting
the cash payment in excess of ₹ 10000/- or not. Identify from
the following concurrent audit techniques which would be
useful in above case.
(a) Use of System Control Audit Review File (SCARF)
(b) Use of Integrated Test Facility (ITF)
(c) Use of Continuous and Intermittent Simulation (CIS)
(d) Use of Snapshot
20.3. In the given case scenario, suppose a junior employee Mr. AB from
finance department sends an email to the banker requesting a
money transfer while pretending to be the GM (Finance) of the
Company. Under which of the following sections of the Information
Technology Act, 2000 will Mr. AB be punished?
(a) Section 66A
(b) Section 66B
(c) Section 66C
(d) Section 66D
20.4. In purview of above case scenario, there is no effective internal
control system regarding creation and modification of
accounting voucher. An employee used the incorrect vouchers
to record the physical receipt of goods purchased from vendor.
Which of the following voucher he should use for correction?
(a) Delivery Note
(b) Receipt Note
(c) Debit Note
(d) Credit Note
Answer Key
Question No. Answer
20.1. (a) Preventive Control
20.2. (b) Use of Integrated Test Facility (ITF)
20.3. (d) Section 66D
20.4. (b) Receipt Note

21. SMS Limited is a multinational company engaged in providing financial
services all over India. Most of the transactions are done online.
Presently, SMS Limited has a Centralized Data Server which can be
accessed by users from various geographical locations. However, its
current system is unable to cope with the growing volume of
transactions. Frequent connectivity problems, slow processing and a few
instances of virus attacks and phishing attacks have also been reported
over the last few months, wherein hackers acquired sensitive information
by masquerading as a trustworthy entity. Hence, the Company has
decided to develop more comprehensive and robust in-house software for
providing good governance and sufficient use of computer and IT
resources with implementation of effective and efficient controls
provided in the system to ensure the data integrity, confidentiality,
and availability.
Also, an updated backup plan is to be prepared to ensure and specify
the type of backup to be kept, frequency with which backup is to be
undertaken, procedures for making a backup, location of backup
resources, site where the resources can be assembled and operations
restarted, personnel who are responsible for gathering backup
resources and restarting operations, priorities to be assigned to
recover various systems and a time frame for the recovery of each
system. SMS Limited has taken various types of insurance coverage for
safeguarding of its assets and to avoid unexpected future liabilities
due to uninterrupted event or disaster.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 21.1. to 21.4.
21.1. In purview of above case scenario, a few instances of phishing
attacks were also reported. Which of the following section of
Information Technology Act, 2000 fixes liability on the company
to secure data of their customers?
(a) Section 43A
(b) Section 46
(c) Section 66D
(d) Section 75
21.2. Suppose you are appointed as an IS auditor by SMS Limited for
auditing its Information Systems. You are determining what
controls are exercised to maintain data integrity for which you
might also interview database users to determine their level of
awareness of these controls. Which of the following Control are
you working on?
(a) Data Resource Management Control
(b) Security Management Control
(c) Operation Management Control
(d) Quality Assurance Control
21.3. SMS Limited has taken various types of insurance coverage for
safeguarding of its assets and to avoid unexpected future
liabilities due to uninterrupted event or disaster. These
insurance coverage falls under which type of specific risk
management strategy.
(a) Terminate the Risk
(b) Mitigate the Risk
(c) Accept the Risk
(d) Share the Risk
21.4. In order to protect its critical data from virus attack; SMS
Limited decided to limit the access to the social networking
sites by its employees in future. What type of risk response the
company exercised in this case?
(a) Terminate the Risk
(b) Treat the Risk
(c) Tolerate the Risk
(d) Transfer the Risk
Answer Key
Question No. Answer
21.1. (c) Section 66D
21.2. (a) Data Resource Management Control
21.3. (d) Share the Risk
21.4. (b) Treat the Risk

22. Ms. Queen was appointed as Manager – Operational Risk and
Compliance in ABC Company. HR of ABC Company had completed all
the formalities for her appointment. Mr. Maharana, the Head of Human
Resource (HR) Department had signed her joining letter with black ink
pen and delivered the same to her. On her joining, she was handed
over a well written document by the HR Department that provided
instructions to its employees briefing upon what kind of behavior or
resource usage is required and acceptable in the Company. It also
contained detailed information on how to protect company’s
information asset and instruction regarding acceptable practices and
behavior. In a week’s time, she got to meet Mr. Raja, Chief Executive
Officer (CEO) of the company who instructed her to conduct broad
review of Human Resource Department Process to determine the
probable risks and to analyze the effectiveness and efficiency of
existing controls in HR process. Based on that, Ms. Queen started to
review HR processes and controls implemented in the company and
highlighted following key matters in her report submitted to CEO:
♦ Absence of Rotation of duties control
♦ Absence of Segregation of duties control
♦ Lack of maker and checker concept
♦ Manual authorization procedure exists
♦ Manual attendance registers.
♦ Using Social Networking Websites like Facebook, Twitter etc.
by employees during office timings on computer resources.
♦ Plan & Budget approved for development of Robust & Fully
Automated Payroll Software but not implemented till date.
♦ Suggested to implement BYOD.
Mr. Raja appreciated the detailed report of Ms. Queen and started
taking corrective steps for improvement.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 22.1. to 22.3.
22.1. Which of the following would BEST provide assurance of the
integrity of Ms. Queen (new staff) that might be treated as
preventive control measure for ABC Company?
(a) Employing qualified personnel
(b) References
(c) Bonding
(d) Qualifications listed on a resume
22.2. During review, Ms. Queen found that an employee Mr. X is
using social networking websites like Facebook and Twitter
during office hours. Under which of the following section of
Information Technology Act, 2000; shall he be punishable?
(a) Under section 43
(b) Under Section 66A
(c) Under Section 66D
(d) Not be punishable unless they come under the
provisions of the Indian Penal Code, 1860
22.3. In the given case scenario, Ms. Queen’s suggestion to
implement Bring Your Own Device (BYOD) policy may make
the ABC Company’s systems vulnerable to related threats. Any
lost or stolen device could result in an enormous financial and
reputational embarrassment to the company. Which of the risk
does this refer to?
(a) Device Risk
(b) Implementation Risk
(c) Confidentiality Risk
(d) Application Risk
Answer Key
Question No. Answer
22.1. (a) Employing qualified personnel
22.2. (d) Not be punishable unless they come under
the provisions of Indian Penal Code, 1860
22.3. (a) Device Risk

23. Gold Silver Watch India Limited (GSWIL) is a company domiciled in
India, with its registered office situated at Mumbai. The Company has
been incorporated under the provisions of the Indian Companies Act
and its equity shares are listed on the National Stock Exchange (NSE)
and Bombay Stock Exchange (BSE) in India. The Company is primarily
involved in manufacturing and sale of Gold and Silver Watches,
Jewelry, Eyewear and other related accessories and products.
Company has 200 retail stores all over India and launched Loyalty
Card for its customers. The customer data for the loyalty card is picked
from a form filed by the customer on the retail store of the company.
The data from the form is entered into the software by data entry
operators who report to a manager. In order to protect customer data,
Segregation of Duties is built in the software in such a way that the
operators have permission only to enter data. After submission of
form, any editing or modification in the form can be done only by the
manager. The retail stores across India collect customer data for
loyalty programs, which is consolidated into one database and accessible from a
centralized server anytime, anywhere. The company also maintains
a separate fully equipped facility where the company can move
immediately after disaster and resume its business. In Company’s
Data Centre Housing, about 350 employees are involved in handling
business processes of the company. Hence, for security reasons,
management decides to shift its network server and mail server to a
secluded room with restricted entry. The management decides to give
a smart card to authorised people to make entry in the server room.
On the recommendation of Chief Information Officer of the Company,
existing system of the company is being extensively enhanced by
extracting and reusing design and program components.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 23.1. to 23.4.
23.1. GSWIL uses a control on the access to the software application
by segregating entry level and updating level duties. What type
of Internal Control does this amount to?
(a) Physical Implementation of a Control
(b) Corrective Control
(c) Detective Control
(d) Preventive Control
23.2. In purview of above case, GSWIL decides to shift its network
server and mail server to a secluded room with restricted entry.
What kind of internal control is applied by the company in this
case?
(a) Manual Preventive Control
(b) Manual Detective Control
(c) Computerized Preventive Control
(d) Computerized Corrective Control
23.3. The software of GSWIL has embedded modules for auditing so
as to continuously monitor the system transactions. Which of
the following IS audit tools exemplifies this case?
(a) Continuous and Intermittent Simulation (CIS)
(b) Audit Hooks
(c) System Control Audit Review File (SCARF)
(d) Integrated Test Facility (ITF)
23.4. For Loyalty Cards, the customers provide their personal
information to GSWIL. If the company has been found
negligent in handling personal information of customers, then
company’s liability to damages is covered under _______ of
Information Technology Act, 2000.
(a) Section 67
(b) Section 43A
(c) Section 43A
(d) Section 66B
Answer Key
Question No. Answer
23.1. (d) Preventive Control
23.2. (c) Computerized Preventive Control
23.3. (c) System Control Audit Review File (SCARF)
23.4. (c) Section 43A

24. ABC Capital Finance Limited (ACFL) was inaugurated on 21st July 2019
with its Head Office/Corporate Office situated at Mumbai. The
Company is registered with the Reserve Bank of India (RBI) as a Non-
Banking Financial Company vide Certificate No. N-13.14.2019. The
Company is primarily engaged in Lending Business. There are 10
Regional offices and 255 branches located all over the country that use
various types of remote access information systems for smooth and
fast processing of different types of loan applications all over branches
and regional offices.
Company has adopted an internal control work in line with section
134(5)(e) of the Companies Act, 2013 and as per Clause 49 V(C) and
(D) of SEBI, Equity Listing Agreement ensuring the orderly and
efficient conduct of its business, including adherence to the Company’s
policies, safeguarding of its assets and prevention and detection of
frauds and errors, accuracy, and completeness of Information to
various stakeholders. Company is hosted on a robust Data Centre (DR)
and Disaster Recovery Centre has been designed on fundamental
principles – data security, data integrity, data availability and data
scalability and has strict information security procedures. The company
periodically reviews the potential risks however they are considered
minor due to their low impact and probability of occurrence. The
Management of company appointed a reputed Mumbai-based
Chartered Accountancy Firm called as DKT specialized in IS audit for
conducting Information System Audit of the Company.
Further, the Company is now gearing up to enhance its technological
capabilities across other areas such as mobile computing, cloud
computing, and Bring Your Own Device (BYOD).
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 24.1. to 24.4.
24.1. An IS auditor requires to check whether the Application System
is calculating correct interest on loan provided by ABC Capital
Finance Limited using creation of a dummy entity in the
application system. Identify which of the following auditing
technique is this process referring to so that authenticity and
accuracy of the processes can be verified?
(a) Snapshot
(b) Integrated Test Facility (ITF)
(c) Audit Hooks
(d) Audit Trail
24.2. ABC Capital Finance Limited has robust Data Centre (DR) and
Disaster Recovery Centre however, the periodic review may
indicate some minor risks having low impact on the company’s
working environment. However, as the probability of
occurrence of such risks is considered to be low, identify the
risk treatment approach adopted by the company in this case?
(a) Risk Transfer
(b) Risk Termination
(c) Risk Mitigation
(d) Risk Acceptance
24.3. ACFL has given a contract to XYZ Limited which is a Data
Processing Service provider for its various loan processing
activities. XYZ Limited has limited Personal Computers at its
office, so it approached Amazon Web Service to provide them
access to Virtual Machines for data processing. Which Cloud
Computing Service Model is being used by XYZ Limited?
(a) Software as a Service (SaaS)
(b) Platform as a Service (PaaS)
(c) Infrastructure as a Service (IaaS)
(d) Network as a Service (NaaS)
24.4. For smooth working and functioning, ACFL has effective
internal control system that also includes Segregation of Duties.
Is Segregation of duties useful for Company or not and why?
(a) Yes, it reduces employee cost.
(b) No, it complicates the role of the manager who has to
manage more employees.
(c) Yes, it reduces fraud risk & facilitates accuracy check of
one person’s work by another.
(d) No, it is not an advantage; it increases employee cost.
Answer Key
Question No. Answer
24.1. (b) Integrated Test Facility (ITF)
24.2. (d) Risk Acceptance
24.3. (c) Infrastructure as a Service (IaaS)
24.4. (c) Yes, it reduces fraud risk & facilitates accuracy
check of one person’s work by another.
25. Great India Gramin Co-Operative Society Bank Limited was established in
the year 2000. It is a single state scheduled rural cooperative bank
that provides banking facility to few villages of Rajasthan only. In
2001, an internal review was conducted by a team of inspection and
supervision department of National Bank for Agriculture & Rural
Development (NABARD) that highlighted certain key controls issues
that are as follows:
♦ The password policies were prescribed but not implemented by
the bank.
♦ Branches use outdated security manual or documentation of
security procedures.
♦ There was only one ATM machine near Bank Premises which
had deposits as well as withdrawal facility. Its maintenance was
outsourced through third party. The service level agreement
was not renewed since last three years and also there is no
security guard placed outside the ATM.
♦ During the inspection, it was observed that while refilling cash
in ATM machine, the presence of security guard was not
mandatory.
♦ Illegal and unauthorized software were also installed on few
computer systems of the Bank.
♦ Antivirus software was not updated on few computers of the
bank’s branches.
♦ Disaster Recovery Plan existed but was not tested by the
employees.
♦ During inspection, the team observed a fraud where an
employee Mr. X had transferred a small amount of money from
various account holders to his own account while rounding off
in computerized banking system. That fraud turned out to
be of ₹ 2,49,587/-.
After review report, the NABARD instructed the Great India Gramin Co-
Operative Society Bank Limited to sort out the security control
weakness and demanded a reasonable assurance for better security
control in future in effective and efficient manner. Subsequently, Bank
worked on all the observations made by NABARD and established the
following controls:
♦ Highly qualified IT personnel were appointed in every branch.
♦ Strict follow up and compliance of Information Security and
Password Policy for all users.
♦ Fulfilled the mandatory requirement of presence of security
guard along with two personnel of bank for accessing and
refilling cash in the ATM machine.
♦ Predefined role and responsibility of each employee.
♦ Regular training on risk awareness was to be given to every
employee on a periodic basis.
♦ Updated Antivirus software, Intrusion Detection System and
firewall on all computers.
♦ CCTV cameras were installed in every branch of the Bank.
♦ Bio-metric attendance system was made compulsory for every
employee of the Bank.
♦ New service level agreement with ATM Caretaker company was
renewed to provide ATM security guard.

Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 25.1. to 25.4.
25.1. Inspection team observed a fraud of ₹ 2,49,587/- made by Mr.
X. Identify the appropriate example of Rounding down
Technique from given below which might have been used by
Mr. X.
(a) Turning ₹ 102.02 to ₹ 102.00
(b) Turning ₹ 102.02 to ₹ 102.10
(c) Turning ₹ 102.02 to ₹ 102.50
(d) Turning ₹ 102.02 to ₹ 102.05
25.2. From the given case scenario, it is observed that proper division
of work and responsibility are necessary to ensure that one
person cannot single-handedly commit a fraud. This can be
achieved by using the concept of __________.
(a) Access Control
(b) Segregation of Duties
(c) Need to know
(d) Least privilege
25.3. Great India Gramin Co-Operative Society Bank Limited has
password policy but not implemented properly, therefore, users
were able to keep short length passwords for their convenience
to access the banking system. It refers to _______ under
Information System concepts.
(a) Threat
(b) Exposure
(c) Vulnerability
(d) Attack
25.4. Great India Gramin Co-Operative Society Bank Limited
implemented a new and strict password policy where users
have to keep minimum 8 characters alpha-numeric login
password and that password must be reset after 30 days to get
access in the Banking System. As per classification of the
Information System controls, which type of control is this?
(a) Preventive Control
(b) Detective Control
(c) Corrective Control
(d) Compensatory Control
Answer Key
Question No. Answer
25.1. (a) Turning ₹ 102.02 to ₹ 102.00
25.2. (b) Segregation of Duties
25.3. (c) Vulnerability
25.4. (a) Preventive Control
26. SciLabs, is an upcoming robotics company in India providing innovative
solutions for different verticals. The company has adopted the concept of
Cloud Computing using the cloud type - which is small, most secure,
controlled, maintained internally, and used to perform critical activities of
the company. For every new project undertaken by them, the functional
requirement documents are prepared, and the initial design requirements
are communicated to programmers via algorithms and flowcharts. All the
customer requirements are tracked, assembling materials are ordered
and the details regarding entire cost incurred for training, research and
full-fledged development of the product are managed through the
implemented SAP ERP system.
Furthermore, different versions of all the documents and white papers
related to the ongoing research are stored in the Relational Database
Management Systems (RDBMS) Teradata warehouse periodically to
maintain record of all the changes a said project undergoes during its
entire life cycle. Such methodology enables SciLabs to maintain and
compare the data between different time periods based on the time
stamps the data is stored in the data warehouse. SciLabs has also
implemented stringent controls so that the high-level architectural
diagrams of the new project are kept with utmost confidentiality.
Based on the facts of the case scenario given above, choose the
most appropriate answer to Q. Nos 26.1. to 26.5.
26.1. Flowcharts are used by SciLabs to communicate the
requirements to the programmers. Which among the following
would be the initial step in developing flowcharts?
(a) Identifying the activities in each process step.
(b) Preparing an initial rough diagram.
(c) Identifying the business processes to be documented.
(d) Identifying the starting point of the process.
26.2. SciLabs uses the SAP ERP system, one of whose modules enables it
to create detailed scheduling, material requirement planning,
and refine production integration. Which of the following
modules of SAP ERP supports all these features?
(a) Material Management
(b) Supply Chain
(c) Production Planning
(d) Sales and Distribution
26.3. The documents and white papers related to the research
carried out by the SciLabs analysts are loaded in Teradata
warehouse so as to have comparisons of the different versioned
files. Which feature of a Teradata tool is referred to here?
(a) Standardized
(b) Time Variant
(c) Non-operational data
(d) Consistency
26.4. SciLabs initially has adopted the concept of Cloud Computing
using the cloud type - which is small, most secure, controlled
and maintained internally. However, with the expansion in its
business, the management decided to deploy another cloud
named _______ for its non-critical activities and usage of
additional resources. Identify the cloud to be deployed.
(a) Private Cloud
(b) Public Cloud
(c) Hybrid Cloud
(d) Community Cloud
26.5. Though stringent controls are implemented by SciLabs, one of
its development team members, Mr. Atul accesses the
confidential architectural diagrams of the new project and
downloads them on his personal computer for wrongful
reasons. Under which Section of the Information Technology
Act, 2000; is Mr. Atul punishable?
(a) Section 65
(b) Section 43
(c) Section 66
(d) Section 66D

Answer Key
Question No. Answer
26.1. (c) Identifying the business processes to be
documented.
26.2. (b) Supply Chain
26.3. (b) Time Variant
26.4. (b) Public Cloud
26.5. (b) Section 43

27. SureSuccess Trainers is one of the most popular training institutions
nationwide. During their start in 2007, they provided physical sessions
in selected cities on career counselling, mock interviews, competitive
exams, and group discussions to prepare under-graduate and post-graduate
students for their job placements. Due to the high placement success
rate of its trained students, they revamped their business
model and launched their mobile app in the year 2017. To meet
the expenses associated with the new requirement of using mobile
technology, SureSuccess Trainers had taken a loan of ₹ 20 Lakh from
BNC Bank. Since then, the SureSuccess mobile app is catering to the
needs of many aspirants all over India by providing them online
classes through virtual mode. The app further provides various
features like registering for new course, notifications, preparatory
material, audios, videos etc. During registration into a particular
course, the students need to make online payments of the course
through various modes - Net banking, Debit Card and Credit Card.
After making payment, every student is allotted a unique user id and
password to access their course through mobile app. The mobile app
allows the registered students to login into the SureSuccess Trainers
App from their unique user-ids and join the live sessions they are
enrolled in. Since the launch of its mobile app, SureSuccess
Trainers has been utilizing specialized tools for analyzing the future
trend and scope for online coaching and their current position in the
coaching industry on a regular basis. They have been performing
well and have lately been awarded the nation-wide second rank by
Corecourse Magazine. The Corecourse Magazine has awarded the rank
based on the performance analysis report of various nationwide
training institutions on different parameters.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 27.1. to 27.5.
27.1. The SureSuccess Trainers App allows a student to request a
change of course even after registration. A registered student
can generate the course change request through the app, which
can subsequently be approved only by authorized administrative
personnel of SureSuccess Trainers. Such restriction refers to
which factor of Business Process Automation?
(a) Confidentiality
(b) Integrity
(c) Availability
(d) Timeliness
27.2. Corecourse Magazine analyzed the performance of various
training institutions on different parameters based on which
nation-wide second ranking was awarded to SureSuccess
Trainers. Which among the following technologies is utilized by
Corecourse Magazine to collect data of various institutions
from internal systems and external sources, prepare the data
for analysis, develop and run queries against the data, and
create a report based on the evaluated data?
(a) Data warehouse
(b) Business Intelligence
(c) Machine Learning
(d) Data Mining
27.3. SureSuccess Trainers App has controls implemented at the
operating system level such that each registered student has
access to only his/her registered course and its relevant
content. Identify which type of Operating system controls is
being implemented here?
(a) Automatic terminal identification
(b) User identification and Authentication
(c) Terminal time out
(d) Access token
27.4. The modes of digital payment allowed in SureSuccess Trainers
App through which a student can register in any course are Net
banking, Debit Card and Credit Card. Which of the following
statements does not hold true for these modes of payment?
(a) Through Debit Card of BNJ bank, Mr. Bhola successfully
paid ₹ 3,000 online for his desired course through
SureSuccess Trainers App which led to the deduction of
said amount from his bank account immediately.
(b) If Ms. Rita has successfully paid ₹ 5,000 online for
registration in a new course through SureSuccess Mobile
App using her Credit Card of ABC Bank, this implies that
there should have been sufficient balance in her bank
account for the transaction to get completed.
(c) Using the Credit Card of KLU Bank, Ms. Doly paid
₹ 4,800 for the desired course in SureSuccess Mobile App
and the transaction got over with charge of some fixed
amount as transaction fees by the Credit Card issuer
KLU bank.
(d) If the payment for the course has been done by Mr.
Ram using his Debit Card of DLF bank, that indicates
that he must be having a bank account in the DLF bank.
27.5. SureSuccess Trainers has approached BNC Bank for the loan of
₹ 20 Lakh. To do so, the BNC bank will undergo the process of
creating a master for the institution in its Loan Disbursement
System. After filling the loan application form, following steps
are involved in the creation of masters in Loan Disbursement
System.
i. BNC bank seeks for KYC and other relevant documents
from SureSuccess Trainers.
ii. BNC Bank issues Sanction letter to SureSuccess Trainers
mentioning the terms of facilities and loan amount.
iii. The credit team of BNC Bank verifies the documents of
SureSuccess Trainers in terms of its financial and credit
worthiness.
iv. The SureSuccess Trainers’ account and master gets
created in the BNC Bank’s Loan Disbursement System.
v. Disbursement team prepares Pre-Disbursement
certificate containing the details of all the facilities and
limit of ₹ 20 Lakh approved for SureSuccess Trainers.
What would be the correct sequence of the process?
(a) i,iii,ii,v,iv
(b) iii,ii,i,iv,v
(c) v,iv,i,ii,iii
(d) i,ii,iii,iv,v
Answer Key
Question No. Answer
27.1. (b) Integrity
27.2. (b) Business Intelligence
27.3. (d) Access token
27.4. (b) If Ms. Rita has successfully paid ₹ 5,000
online for registration in a new course
through SureSuccess Mobile App using her
Credit Card, this implies that there should
have been sufficient balance in her bank
account for the transaction to get completed.
27.5. (a) i,iii,ii,v,iv

28. HEALTHY MAASALA Ltd., an FMCG company, is dealing in homemade
and organic spices. Considering the expansion of company, the
company planned to start online sales for its products through online
merchants like Amazon, Flipkart, and BigBasket. To start the new line
of business, company decides to get a detailed study done for the
proposed system; for which the company hires the services of JS
Developers. The detailed study performed by JS developers listed few
critical issues that are required to be taken care to achieve goals and
success which the company intends to achieve. On the basis of its
analysis of present system, JS developers prepared a report and
submitted it to management of HEALTHY MAASALA Ltd. In annual
board meeting, the management considers the report of JS developers
on various issues and submits its response on the same. The issues
raised by JS developers and action plan of HEALTHY MAASALA Ltd. are
listed below.
| S. No. | Critical Issues (as mentioned in report of JS developers) | Management Response of HEALTHY MAASALA Ltd. |
|---|---|---|
| 1 | Company needs to streamline, upgrade its processes of order and supply for its new line of business. | Management agrees to expand resources, time, and guidance to start new line of online business and also showed its concern on authentication of customer. Management decides to engage an auditor as a part of development team to ensure that the developed system would be as per the need of new line of business. |
| 2 | The success of online business depends on the timely supply of products to customer. Therefore, the company should work on Turn-Around-Time (TAT). | Management considers this point as an important factor and feels that same should be taken care by streamlining and upgrading the processes as the standard of online industry for TAT is changed to 24 hours. |
| 3 | The business managers need to be provided MIS reports on demand. | Management highlights this as an essential feature of being able to generate relevant MIS reports through proposed system. |
Apart from above issues, the company extracts the relevant data on
market trend of homemade and organic spices and purchase pattern
of customer of these products. Also, the cybercrimes and their counter
provisions under IT Act, 2000 governing e-commerce transactions are
to be considered while developing the new system.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 28.1. to 28.5.
28.1. TAT represents the time gap between receipt of order and
dispatch of order and is considered to be an important factor in
Order to Cash process flow. The phases of Order to Cash
business process are as follows:
(i) Customer Order
(ii) Order fulfilment
(iii) Collections
(iv) Accounting
(v) Invoice
(vi) Delivery Note
Choose the correct set of phases of order to cash business
process flow wherein the TAT can be applicable.
(a) (i), (ii),(vi),(v),(iii),(iv)
(b) (i),(ii),(v), (vi),(iii),(iv)
(c) (ii),(iv),(v),(vi),(i), (iii)
(d) (ii),(iii),(iv),(v),(i),(vi)

28.2. In the proposed system, the business managers shall have the
facility to generate relevant MIS reports. Identify the incorrect
statement about Management Information System (MIS).
(a) Business managers rely on reports to evaluate
businesses’ daily activities and make decision.
(b) The warehouse managers require MIS reports to gain
information about product inventory and shipping
information.
(c) Finance and accounting managers would require
information about sales revenue and business expenses.
(d) Different MIS reports automatically suggest the best
solution to its stakeholders.
28.3. The company does not have its own website and hence the
management of HEALTHY MAASALA Ltd. decides to sell its
products through online intermediary merchants like Amazon
and BigBasket etc. Identify the business model of e-Commerce
being used by the company in this case.
(a) Business to Consumer e-Commerce
(b) Business to Business e-Commerce
(c) Consumer to Business e-Commerce
(d) Consumer to Consumer e-Commerce
28.4. In purview of above case scenario, the management of
HEALTHY MAASALA Ltd. observes that the company must
follow IT Act, 2000 that provides the legal recognition for all
transactions that are made electronically. As per the IT Act, 2000,
which of the following activities does not fall under the purview
of computer related offences?
(a) Violation of Privacy
(b) Stealing Computer resource and computer source
document
(c) Theft of Identity
(d) Removal, transfer of property to prevent tax recovery
28.5. In purview of case scenario, the decision of management to
engage an auditor as a part of system development team is to
ensure that the developed system is as per the need of new
line of online business. This engagement of Auditor is classified
as ______ audit.
(a) Post Implementation
(b) Internal
(c) Concurrent
(d) General
Answer Key
Question No. Answer
28.1. (a) (i), (ii),(vi),(v),(iii),(iv)
28.2. (d) Different MIS reports automatically suggest
the best solution to its stakeholders.
28.3. (a) Business to Consumer e-Commerce
28.4. (d) Removal, transfer of property to prevent tax
recovery
28.5. (c) Concurrent

29. GK Sports Ltd. is one of the largest manufacturers of various sports
equipment with its head office at Delhi. The company sells its products
in both offline as well as online mode through its website. Analysing
the good response of customers in India, the company decides to sell
its products across the countries- Australia, New Zealand, Canada, US
and Germany through online mode. The company offers various
payment modes to its customers for their ease like credit card, debit
card and UPI. During expansion Mr. Ajay has been recruited as an
internal auditor to review the business process. The company uses
proper automation for its various business processes and practicing
the regular auditing. During assessment, he observes that there exist
technical difficulties in integrating the sales amounts received through
various payment gateways available on its website across the
countries. In order to scrutinize the potential fraud involved, the
management of company hires ABC Ltd. to identify the gaps in various
payment gateways. ABC Ltd. prepares an inspection summary report
mentioning the names of Mr. Ajay and Mr. Ravi, managers of the
company who used to slice a small amount of money from every
computerized transaction made through the portal.
The management decides to book the fraudsters for dishonesty and
fraud under the provisions of Information Technology Act, 2000.
Learning lesson from the untoward event, the management also finds
it necessary to adopt stringent security measures in its information
system.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 29.1. to 29.4.
29.1. Which kind of business risk does the management of GK Sports
Ltd. experience when Mr. Ajay and Mr. Ravi were found
involved in fraud of online transactions?
(a) Strategic risk
(b) Financial risk
(c) Regulatory risk
(d) Operational risk
29.2. In purview of above case scenario, identify the technique used
by the fraudster employees and also identify the section of
the Information Technology Act, 2000 under which they can be booked.
(a) Data Diddling, Section 66
(b) Salami Technique, Section 66
(c) Data Diddling, Section 70
(d) Salami Technique, Section 70
29.3. The management of GK Sports Ltd. wishes to implement some
type of access control approach to restrict system access to
authorized users, wherein employees having access rights can
only access the information they need to do their jobs and
prevent them from accessing information which doesn’t pertain
to them. What type of security measure is being adopted by GK
Sports Ltd. in its information system?
(a) General controls
(b) Role-based access controls
(c) Security Management controls
(d) Application controls
29.4. GK Sports Ltd. decides to sell its products across some
countries through online mode. Which of the following
e-commerce commercial laws would it need to follow as a
regulation for augmenting exports from India?
(a) Companies Act, 2013
(b) Foreign Trade (Development and Regulation) Act, 1992
(c) Foreign Trade (Development and Regulation) Act, 1994
(d) Companies Act, 2002
Answer Key
Question No. Answer
29.1. (d) Operational risk
29.2. (b) Salami Technique, Section 66
29.3. (b) Role-based access controls
29.4. (b) Foreign Trade (Development and Regulation)
Act, 1992

30. Sweet & Sour is a well-established food chain with five branches at
different locations within Delhi. In 2018, the management decided to
start a tiffin service with 24x7 facility on regular basis. To do so, they
decided to acquire software which would be an online assistant to its
customers by providing them complete detail about their services. The
Management asked its manager to present them a report mentioning
the benefits, risks and control objectives and above all highlighting any
changes that are required in the working of food chain. The
management settled on a plan to benefit all its customers by providing
them discounted coupons in case they recommend their services to
others, provided the customer brings the food chain three new
customers to avail the discounted coupons.
To maintain the list of its customers, the data management team of
Sweet & Sour implemented certain changes in its database design of
their billing software. Now, the billing system is centralized, and it is
mandatory to add customer’s name and phone number for each bill
that systems generate. Subsequently, the security and maintenance of
the database has become essential to protect the system against any
unlawful activity as the database now contains the personal details of
its customers.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos 30.1. to 30.4.
30.1. The software which the food chain decided to buy, to help its
customers and provide them online help, falls under which of the
following technologies?
(a) Artificial Intelligence
(b) Data Mining
(c) Cloud Computing
(d) Mobile Computing
30.2. The Manager prepared a document wherein he needs to define
the business process of the food chain in diagrammatic form.
Which of the following diagram will he use to present pre-
defined process?
(a)
(b)
(c)
(d)
30.3. The data management team of Sweet & Sour food chain was
working to implement changes in database as per the
requirement of management. Which of the following person will
carry out routine data maintenance and monitor the task?
(a) Database Administrator
(b) Database Architect
(c) Database Analyst
(d) Database Advisor
30.4. The management of Sweet & Sour has raised its concern about what
would happen if any of its employees dishonestly makes use of
personal information of a customer. Which of the following sections
of the IT Act, 2000 will help Sweet & Sour to deal with this situation?
(a) Section 43A
(b) Section 43
(c) Section 66E
(d) Section 66B
Answer Key
Question No. Answer
30.1. (a) Artificial Intelligence
30.2. (c)
30.3. (c) Database Analyst
30.4. (a) Section 43A

31. GoCart is one amongst the popular e-commerce shopping portals. It
recently entered into a Service Level Agreement (SLA) with Google,
wherein Google would provide the necessary application framework
and testing tools to GoCart to develop and deploy its application
online. On successful deployment of its application and in order to get
a competitive advantage over other e-Commerce providers, GoCart
launches a multi-saver sale wherein huge discounts on the best brands
are available, and complimentary gifts for purchases above a certain
amount and express free delivery are also provided. All the revenue
generated through the multi-saver sale will be routed through a
separate current account maintained with CSC Bank, from where
GoCart has already taken a loan.
With the increase in the cybercrimes and misuse of customer data,
GoCart has implemented stringent controls to prevent any
unauthorized access to data and has opened up new job roles
exclusively with objective of ensuring security at network and
operating system levels. Further, to comply with the regulatory
requirements, GoCart's books of accounts are well maintained and
subjected to annual statutory audit and the business reporting is done
through XBRL.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 31.1. to 31.5.
31.1. The multi-saver sale launched by GoCart was initially a success.
However, a week after the sale was on, various feedbacks were
received by GoCart regarding products, their packaging and
delivery. The feedback analysis concluded that the customer
satisfaction was just average. Which among the following risks
would GoCart be subjected to in this case?
(a) Hazard Risk
(b) Operational Risk
(c) Financial Risk
(d) Residual Risk
31.2. For GoCart, the business reporting is done using XBRL. Identify
the feature of XBRL which stops poor quality information being
sent to a regulator, when the draft report is being run by one
of its staff who had prepared the same?
(a) Clear Definition
(b) Multilingual support
(c) Strong Software Support
(d) Testable Business Rules

31.3. With the objective of maintaining utmost security, GoCart
recruited Mr. Yash to examine logs from firewalls and intrusion
detection systems and to issue security advisories to other
members in the IT department. Which of the following job roles best
fits the job profile of Mr. Yash?
(a) Operations Manager
(b) Network Architect
(c) Security Analyst
(d) Database Administrator
31.4. With the recently entered Service Level Agreement (SLA) with
Google, GoCart successfully developed and deployed its new
application. Identify the type of Cloud service utilized by GoCart
in the application which is developed online?
(a) Infrastructure as a Service
(b) Platform as a Service
(c) Software as a Service
(d) Network as a Service
31.5. In addition to routing the revenue in accounts maintained with
CSC Bank, GoCart also has taken various loans and advances
from CSC Bank. If CSC Bank faces the application risk of
duplicate asset accounts created for GoCart, which control
would be best suggested for this?
(a) The system parameters are set up as per business
process rules of the bank.
(b) System validations have been implemented to restrict
set up of duplicate customer master records.
(c) Unique Id is created for each asset.
(d) Access for changes made to the configuration, parameter
settings are restricted to authorized user.

Answer Key
Question No. Answer
31.1. (b) Operational Risk
31.2. (d) Testable Business Rules
31.3. (c) Security Analyst
31.4. (b) Platform as a Service
31.5. (c) Unique Id is created for each asset.

32. XYZ Pvt. Ltd. is an e-commerce marketplace connecting businesses
desiring to outsource digital services to willing freelancers wherein
businesses can find the quality freelancers by browsing their samples of
previous work and reading their profile reviews. The freelancers can bid
for projects on the basis of title, description and area of expertise. The
company makes money primarily through transaction fees and service
fees from both businesses and freelancers for offering set of services in
many categories. The company’s aim is to provide fast, accurate, and
timely services to its customers. The necessary control policies of the
company are in place for early detection and prevention of unlawful
events that arise from inaccurate, incomplete and redundant inputs that
enter into the system.
The company intends to enter into market as Data Analytics Service
Provider by offering services at maximum level of computer optimization.
The company would arrange the data to help the businesses identify
market gaps, marketing strategy, and product development. Seeking the
huge investment in this expansion, the company decides to hire JJ
Services for various resources like network, servers, development
platforms, storage and software.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 32.1. to 32.4.
32.1. XYZ Pvt. Ltd. hires JJ Services for various resources like
network, server, storage and deploying applications to be used
in Data Analytic services. Which of the following cloud
computing service models has been adopted by JJ Services to
cater to the requirements of XYZ Pvt. Ltd.?
(a) Software as a Service
(b) Platform as a Service
(c) Infrastructure as a Service
(d) Server as a Service
32.2. In purview of above case scenario, XYZ Pvt. Ltd. hinges on
Business Process Automation (BPA) whose success depends on
following factors except one. Identify it.
(a) Availability
(b) Integration
(c) Timeliness
(d) Substitution
32.3. Which type of business model is being followed by XYZ Pvt. Ltd.
through its e-commerce marketplace?
(a) Business-to-Business (B2B) e-Commerce
(b) Business-to-Consumer (B2C) e-Commerce
(c) Consumer-to-Business (C2B) e-Commerce
(d) Consumer-to-Consumer (C2C) e-Commerce
32.4. XYZ Pvt. Ltd. uses a feedback system before hiring JJ Services
for various resources’ requirement. Which of the following
would not be the criteria of Information System used by XYZ
Pvt. Ltd. to capture and analyze the feedback data?
(a) Structured
(b) Timely
(c) Operation
(d) Accurate
Answer Key
Question No. Answer
32.1. (b) Platform as a Service
32.2. (d) Substitution
32.3. (c) Consumer-to-Business (C2B) e-Commerce
32.4. (c) Operation

33. M/s TAS & Sons is an automobile manufacturer of spare parts of four
wheelers in India. The company does the business in both offline and
online mode. The company has four manufacturing units in various
locations across the country. It also has two branch offices located in
Pune and Hyderabad to handle activities like orders, delivery, complaints,
and stock operations. Sometime ago, the company’s business processes
like accounting, purchase, sales, and inventory were maintained in
manual mode. The management of the company observed that the
manual processing of these activities hinders the overall working of the
business-related daily operations. This resulted in a huge gap in the flow
of information, pending orders, delayed deliveries, and delayed decision
making due to lack of business reports and therefore overall non-
performance.
Therefore, the management committee decides to adopt the process of
automation of its various processes so that information flow would be
timely and consolidated within its branches and manufacturing units. To
attain this objective, the service models of Cloud Computing are proposed
to be adopted so that the branches and manufacturing units are
interconnected with centralized mechanism of data sharing and storage.
The proposed system with well-implemented access controls will provide
robust data security among its systems of branches and manufacturing
units. Not only the record keeping, but also data maintenance and
reports generation would become simpler after the implementation of
proposed system. The management is looking for better prospects of
adhering to the legal compliances of the country and also to initiate its
business operations through online mode.
The company hires a consultant, Mr. Sumit, to carry out the Feasibility
study of its proposed system, who prepares a feasibility report and
submits the same to the management. Based on the go-ahead given in
Mr. Sumit’s report, a project team is constituted who will work under
him to execute the project and ensure its delivery on time.

Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 33.1. to 33.5.
33.1. The Management committee of M/s TAS & Sons decides to
automate its entire business processes anticipating to reap
better benefits for the company. Which of the following does
not come under the category of benefits of Automation?
(a) Consistency of automated processes
(b) Automating redundant processes
(c) Reduction of turnaround time
(d) Better utilization of employees’ time
33.2. In purview of above case scenario, the management decides to
adopt the process of automation for its various business
processes so that information flow would be timely and
consolidated. The data is centralized and in case of loss of any
set of data from this location, the whole business may come to
a standstill. Identify from the following the control that may be
useful to overcome the aforementioned risk.
(a) It can be controlled by removing redundant data.
(b) Back up arrangement needs to be strong.
(c) To allocate some funds in case of contingencies.
(d) Overhauling of organizational structure is required.
33.3. If the company hires XYZ Ltd. as Cloud Computing service
provider, which of the following models of Cloud Computing
would be useful for M/s TAS & Sons if XYZ Ltd. hosts and
manages the company’s application at its data center over the
internet to make it accessible to the customers of M/s TAS &
Sons?
(a) Infrastructure as a Service
(b) Platform as a Service
(c) Software as a Service
(d) Database as a Service
33.4. In purview of the above case scenario, the company decides to
install a firewall for its business application through online mode
in order to make the network secure. Which type of control is the
company planning to work on?
(a) Corrective Control
(b) Preventive Control
(c) Network Control
(d) Detective Control
33.5. In purview of above case, if ABC Bank faces the application risk
of incorrect classification and provisioning of Non-Performing
Asset (NPA) resulting in financial mismanagement, which
control would be best suggested for this?
(a) Access for changes made to the configuration,
parameter settings should be restricted to authorized
user.
(b) Unique Id should be created for each asset.
(c) The system parameters need to be set up as per
business process rules of the bank.
(d) Existence of configuration/customization in the
application to perform NPA classification as per relevant
RBI guidelines.
Answer Key
Question No. Answer
33.1. (b) Automating redundant processes
33.2. (b) Back up arrangement needs to be strong.
33.3. (c) Software as a Service
33.4. (b) Preventive control
33.5. (d) Existence of Configuration/customization in
the application to perform NPA classification
as per relevant RBI guidelines.

34. Established in 2016, Fit&Fine is one of the renowned gymnasiums in
South Delhi. The gym is very famous for its health tips, latest
equipment, cordial environment, and trainers for guidance. The
Fit&Fine gym management has excellent arrangement for its
customers as well as employees. A Dietician and a physician are also
associated with gym during the gym timings of 5:00 am to 10:00 pm
all days.
On the occasion of Diwali in 2019, the gym also launched an online
Fit&Fine Gym Aggregator service application to reach out to more
customers through various gyms located in West Delhi and North
Delhi. For its e-business as online gym aggregator, Fit&Fine entered
into various electronic agreements with many other gyms in West
Delhi and North Delhi prescribing the specific terms and conditions of
the agreement. All these gyms associated with Fit&Fine are required to
provide fitness related best services to its customers.
The services of the various associated gyms can be availed by the
customers either through the Gym Aggregator service application or
through a physical visit to the gyms registered in the app, by paying
annual membership fees of ₹ 3000 to get a unique membership-id and
PIN number to avail the facilities at the gym centre. A member can
book either a physical visit or an online session with any of these
registered gyms associated with Fit&Fine using the unique
membership id.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 34.1. to 34.5.
34.1. Though Fit&Fine Gym and the other registered gyms have excellent
arrangements for the health and safety of their employees, the
management of the gym remains concerned about any
negligence that may occur and the risks that can expose it to
various penalties imposed by any regulatory agency. Which type
of business risk is the management referring to here?
(a) Strategic Risk

(b) Compliance Risk
(c) Hazard Risk
(d) Operational Risk
34.2. The IT team managing the Fit&Fine Gym Aggregator application
manages the MIS Report on various parameters like the number of
bookings for online sessions/physical meetings done each day,
joining of new members per month etc. The information
extracted through these MIS reports fulfils the following criteria
except one. Identify it.
(a) Relevant
(b) Accurate
(c) Timely
(d) Confidential
34.3. Fit&Fine gym provides unique membership-id and PIN number
as an access control mechanism to its customers to avail the
facilities provided through Gym aggregator service app. From
the following controls, identify the Application control under
which this specific access control mechanism falls.

(a) Physical Control
(b) Boundary Control
(c) Communication Control
(d) Management Control
34.4. In purview of above case scenario, there can be a possibility
that any registered gym with Fit&Fine Gym aggregator online
service may deny the terms and conditions of the agreement
done between the two. Which type of risk is associated with
this e-Commerce transaction?
(a) Lack of authenticity of transaction
(b) Problem of anonymity

(c) Repudiation of Contract
(d) Privacy and security
34.5. In purview of the above case scenario, a customer can pay his/her
membership fees online through credit card to Fit&Fine. Which
risk is taken care of when the banking system key control is
established that a transaction cannot be made if the aggregate
limit of outstanding amount exceeds the credit limit assigned
to the customer?
(a) Credit Line setup is unauthorized and not in line with the
bank’s policy.
(b) Credit Line setup can be breached.
(c) Masters defined for the customer are not in accordance
with the Pre-Disbursement Certificate.
(d) Inaccurate reconciliations performed.
Answer Key
Question No. Answer
34.1. (b) Compliance Risk
34.2. (d) Confidential
34.3. (b) Boundary Control
34.4. (c) Repudiation of Contract
34.5. (b) Credit Line setup can be breached.

35. XYZ is a well-established food chain with ten branches at different
locations within Delhi. The company wants to come out with an IPO
(Initial Public Offering). The Management asked the Financial Manager to
present a report pertaining to the benefits, risks, and control objective and,
above all, whether any change is required in the working of the food chain.
XYZ has decided to buy software which will be an online assistant to
customers and will provide them complete detail about the IPO and
solve their queries. In order to avoid any delay in its operation, XYZ
has bought the digital signatures for its authorized members of
management. Furthermore, XYZ decides to give benefits/preference to
its regular customers who have regularly visited any of its branches
for the last six months. Therefore, the company decides to get the
personal details of such customers like phone number, date of birth
and date of wedding anniversary etc.
To attain a safe and secure working environment for its customers as
well as its employees, XYZ takes a firm decision to implement certain
controls to avoid any unlawful activity defined under the provisions of the IT
Act, 2000. XYZ follows Customer Relationship Management (CRM)
practices; hence, it is famous for taking care of its customers and
providing them with good services.
Based on the facts of the case scenario given above, choose
the most appropriate answer to Q. Nos. 35.1. to 35.3.
35.1. In purview of the case scenario, XYZ food chain follows CRM
practices to manage its relationship with its customers. Which
of the following is not a key benefit of the CRM module?
(a) Helps to take actions needed to measure quality.
(b) Gives an idea to company about customer wants, needs
and patterns of purchase.
(c) Sharing of customer data between different departments
will enable them to work as a team.
(d) Enables the company to identify the correct time to
market its product to customers.
35.2. The management of XYZ food chain has shown its concern over
the situation in which any of its employees dishonestly makes use
of the electronic signature of an authorized Committee member of the
management. Identify the section of the IT Act, 2000 that will
help XYZ to deal with this situation.
(a) Section 43
(b) Section 66C
(c) Section 66E
(d) Section 66B

35.3. The management of XYZ food chain collects the information
about various small restaurants, makes them its partners, and
sells their food-items under the name of its own start-up.
Under which category of e-market does the XYZ food chain model
come?
(a) Virtual Community
(b) Buyer Aggregator
(c) e-Shops
(d) e-Auctions
Answer Key
Question No. Answer
35.1. (a) Helps to take actions needed to measure
quality.
35.2. (b) Section 66C
35.3. (b) Buyer Aggregator
