Information Technology and Communication

  • 7/27/2019 Information Technology and Communication

    Dr ThuyNguyen

    Commercial University of VIETNAM

    INFORMATION TECHNOLOGY AND COMMUNICATION

    Course Information

    Lecture Notes: http://www.ece.rutgers.edu/~marsic/books/SE

    References: Textbooks: Bruegge & Dutoit: Object-Oriented Software Engineering: Using UML, Patterns and Java, Third Edition, Prentice Hall, 2010. | ISBN 0-13-6061257

    Web: http://www.ece.rutgers.edu/~marsic/Teaching/SE

    Slide Handout

    Course Information

    Grading: Attendance: 0,1

    Midterm Test: 0,3

    Final Test: 0,6

    Chapter one: Information Technology and Communication Basic Concepts

    1.1 ITC Basic concepts

    1.1.1. What is ITC?

    ITC=ICT

    ICT Definition

    is often used as an extended synonym for information technology (IT), but is a more specific term that stresses the role of unified communications[1] and the integration of telecommunications (telephone lines and wireless signals), computers as well as necessary enterprise software, middleware, storage, and audio-visual systems, which enable users to access, store, transmit, and manipulate information

    ICT Definition

    An ICT system is a set-up consisting of hardware, software, data and the people who use them. It commonly includes communications technology, such as the Internet.

    ICT Systems are used in a number of environments, such as:

    offices

    shops

    factories

    aircraft

    ships

    The importance of ICT systems

    more productive - we can complete a greater number of tasks in the same time at reduced cost by using computers than we could prior to their invention

    able to deal with vast amounts of information and process it quickly

    able to transmit and receive information rapidly

    Types of ICT

    Information systems

    This type of ICT system is focused on managing data and information. Examples of these are a sports club membership system or a supermarket stock system.

    Control systems

    These ICT systems mainly control machines. They use input, process and output, but the output may be moving a robot arm to weld a car chassis rather than information.

    Communications systems

    The output of these ICT systems is the successful transport of data from one place to another.

    An ICT system diagram

    A system is an assembly of parts that together make a whole. ICT systems are made up of some or all of the parts shown in the diagram. Various devices are used for input, processing, output, and communication.

    1.2 Introduction to project management process

    1.2.1 The Systems Development Life Cycle

    Any product development can be expected to proceed as an organized process that usually includes the following phases:

    Planning / Specification

    Design

    Implementation

    Evaluation

    The Role of Software Engg. (1)

    Customer

    Programmer

    A bridge from customer needs to programming implementation

    First law of software engineering: Software engineer is willing to learn the problem domain (problem cannot be solved without understanding it first)

    Software Development Methods

    Method = work strategy

    The Feynman Problem-Solving Algorithm: (i) Write down the problem, (ii) think very hard, and (iii) write down the answer.

    A. Waterfall: Unidirectional, finish this step before moving to the next

    B. Iterative + Incremental: Develop increment of functionality, repeat in a feedback loop

    C. Agile: User feedback essential; feedback loops on several levels of granularity

    Waterfall Method

    [Figure: Waterfall method. Stages: Requirements, Design, Implementation, Testing, Deployment & Maintenance]

    Unidirectional, no way back: finish this step before moving to the next

    1. Requirements Specification

    - Understanding the usage scenarios and deriving the static domain model

    2. Design

    - Assigning responsibilities to objects and specifying detailed dynamics of their interactions under different usage scenarios

    3. Implementation

    - Encoding the design in a programming language

    4. Testing

    - Individual classes/components (unit testing) and the entire system (integration testing)

    5. Operation and Maintenance

    - Running the system; Fixing bugs and adding new features

    Benefits and Drawbacks of the Waterfall Methodology

    Benefits:

    Disciplined process

    Forces to have complete requirements prior to start

    Forces analysis and design first

    Drawbacks:

    No early feedback (prototyping)

    Slow to respond to change

    High cost for missed or unclear requirements

    It is optimized for hardware, thereby neglecting the essential characteristics of software.

    B. Iterative + Incremental

    Prototyping

    Incremental development

    The spiral methodology

    RUP (Rational Unified Process)

    Prototyping

    Prototyping is a development approach centred on the creation of prototypes during software development, i.e., incomplete versions of the software program being developed.

    Basic principles:

    Not a standalone, complete development methodology, but rather an approach to handle selected parts of a larger, more traditional development methodology (i.e. incremental, spiral, or rapid application development (RAD)).

    Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process.

    User is involved throughout the development process, which increases the likelihood of user acceptance of the final implementation.

    Small-scale mock-ups of the system are developed following an iterative modification process until the prototype evolves to meet the user's requirements.

    While most prototypes are developed with the expectation that they will be discarded, it is possible in some cases to evolve from prototype to working system.

    A basic understanding of the fundamental business problem is necessary to avoid solving the wrong problem.

    Incremental development

    The iterative and incremental development approach was developed in response to the weaknesses of the waterfall methodology. It starts with initial planning and ends with deployment, with cyclic interactions in between.

    Incremental: Additional functionality is implemented in each increment/release

    Iterative: Repeat the cycle of design, build and test until the desired functionality is complete

    The spiral methodology

    The spiral model is an IID developed in 1988 by Barry Boehm.

    As originally envisioned, the iterations were typically 6 months to 2 years long

    Combines prototyping and the waterfall model. The spiral model is intended for large, expensive, and complicated projects.

    The aim of this methodology was to shift the emphasis to risk evaluation and resolution.

    [Figure: The Spiral Methodology]

    RUP (Rational Unified Process)

    The Rational Unified Process provides guidelines, templates and tools necessary for the entire team to take full advantage of, among others, the following best practices:

    Develop software iteratively and incrementally

    Manage requirements using use cases

    Use component based architectures

    Visually model software using UML

    Verify software quality

    Control changes to software

    The horizontal axis represents time and shows the dynamic aspect of the process, and it is expressed in terms of cycles, phases, iterations, and milestones.

    The vertical axis represents the static aspect of the process: how it is described in terms of activities, artefacts, workers and workflows

    Other practices

    Object-oriented development methodologies, such as Grady Booch's object-oriented design (OOD), also known as object-oriented analysis and design (OOAD). The Booch model includes six diagrams: class, object, state transition, interaction, module, and process.[7]

    Top-down programming: evolved in the 1970s by IBM researcher Harlan Mills (and Niklaus Wirth) in developing structured programming.

    UML Language of Symbols

    [Figure: UML notation. Actor; Comment; Software Class with three common compartments (1. Classifier name, 2. Attributes, 3. Operations), shown as ClassName with attributes # attribute_1 : int, # attribute_2 : boolean, # attribute_3 : String and operations + operation_1() : void, + operation_2() : String, + operation_3(arg1 : int); Software Interface Implementation, an inheritance relationship in which BaseInterface (+ operation()) is implemented by two classes, Class1Implement and Class2Implement; Stereotype, which provides additional info/annotation/explanation; Interaction Diagram with instance1 : Class1, instance5 : Class2, instance8 : Class3 and the messages doSomething(), doSomethingElse(), doSomethingYetElse()]

    UML = Unified Modeling Language

    Online information:

    http://www.uml.org

    Understanding the Problem Domain

    System to be developed

    Actors

    Agents external to the system

    Concepts/ Objects

    Agents working inside the system

    Use Cases

    Scenarios for using the system


    How ATM Machine Works (3)

    Domain Model (3)

    [Figure: ATM domain model. Labels: Customer, Window clerk ("How may I help you?"), Bookkeeper, Dispenser, Transaction record, Speaker phone, Courier, Remote bank; two solution modifications and an alternative solution]

    Which solution is the best or even feasible?

    Actual Design

    [Figure: garage door opener. Parts: Remote control transmitter, Operator (includes motor and radio control mechanism), Rail with a belt or chain, Garage door, Safety reversing sensor; numbered callouts 1 to 8]

    Pressing of a button on the remote control transmitter (1) authenticates the device & activates the motor in the operator (2).

    The motor pulls the chain (or belt) along the rail (3) and winds the torsion spring (4).

    The torsion spring winds the cable on the pulleys (or drums) (5) on both sides of the door.

    The cables lift the door, pushing the different sections of the door into the horizontal tracks (6).

    At the same time, the trolley (or traveler) (7) moves along the rail (3) and controls how far the door opens (or closes), as well as the force the garage door exerts by way of the curved door arm (8).

    C. Agile Approaches

    Key principles:

    Customer satisfaction by rapid, continuous delivery of useful software

    Working software is delivered frequently (weeks rather than months)

    Working software is the principal measure of progress.

    Even late changes in requirements are welcomed.

    Close, daily cooperation between business people and developers

    Face to face conversation is the best form of communication.

    Projects are built around motivated individuals, who should be trusted

    Continuous attention to technical excellence and good design.

    Self organizing teams

    Regular adaptation to changing circumstances

    How do I know if Agile is appropriate for my project?

    Consider using agile development in the following situations:

    Environments experiencing rapid change

    Unclear/emerging requirements

    High Priority / Revenue-Producing Projects

    When time to market is critical

    Agile was designed for on-time delivery and, if required, releasing early increments of functionality

    Project Remediation/Rescue

    By focusing on immediate delivery of functionality

    Constant delivery of working, bug-free software could quickly build the trust between the business and the delivery team.

    1.3. Project Characteristic Analysis

    Size of the project team

    Rate of expected change

    Primary project goal

    Requirement Management

    Project Communication

    Customer Relationship

    Customer Organizational Culture

    How to choose?

    A decision tree analysis is used to compare various methodologies

    The ranking of the seven characteristics would have to be done by the project manager and architect with the assistance of the project leaders

    The methodology used can also depend on the customer request

    Exponential Cost of Estimation

    [Figure: curve with axes Estimation cost and Estimation accuracy (up to 100%)]

    Improving accuracy of estimation beyond a certain point requires huge cost and effort (known as the law of diminishing returns)

    In the beginning of the curve, a modest effort investment yields huge gains in accuracy

    Estimation Error Over Time

    [Figure: Estimation error against Time, from Start to Completion, across the phases Requirements, Design, Implementation]

    The cone of uncertainty starts high and narrows down to zero as the project approaches completion.

    Case Study: Home Access Control

    Objective: Design an electronic system for:

    Home access control

    Locks and lighting operation

    Intrusion detection and warning

    [Figure: System connected to Lock, Photosensor, Switch, Light bulb, Alarm bell and a panel of keys labelled 1, 2, 3, 4, 5, X, Y]

    Case Study More Details

    [Figure: System with Central Computer, Lock, Photosensor, Switch, Light bulb, Alarm bell and key panels labelled 1, 2, 3, 4, 5, X, Y. Front doors: External & Internal lock. Backyard doors: External & Internal lock]

    Know Your Problem

    [Figure: Mortise Lock Parts. 1 Lock case, 2 Latch bolt, 3 Dead bolt, 4 Strike plate, 5 Strike box, 6 Protective plate, 7 Thumb-turn, 8 Lock cylinder, 9 Left hand lever]

    Concept Map for Home Access Control

    [Figure: concept map. Node and link labels: tenant, wishes, enters, key, can be, valid key, invalid key, causes, lock opened, burglar, launches, dictionary attack, may signal, can be prevented by enforcing, upper bound on failed attempts]

    States and Transition Rules

    States: locked, unlocked

    IF validKey THEN unlock

    IF pushLockButton THEN lock

    IF timeAfterUnlock max{ autoLockInterval, holdOpenInterval } THEN lock

    IF validKey AND holdOpenInterval THEN unlock

    What seemed a simple problem is now becoming complex

    1.2.2 Project Management

    Project management is the art of matching a project's goals, tasks, and resources to accomplish a goal. To accomplish a goal one needs limited time, money, and resources (human and machinery). One can think of a project as a process that involves inputs and outputs.

    Project System

    MANAGING A PROJECT

    Stage 1: Defining the goals of the project

    This part of the project should end with a document that lists the goals with a short statement providing some detail about the success rate and a vital few requirements that define the goal(s) to be accomplished

    Stage 2: Define project tasks/activities

    This is best done by listing the goals on the left side of a sheet of paper, then writing the tasks to their right. The group should agree that the specified tasks will accomplish the goals as required by the definitions for success the team laid out in the previous stage

    Stage 3: Determine and verify resource requirements

    People

    Time

    Money

    Space

    Computers

    Software, etc.

    Stage 4: Identify risks and develop mitigation (backup) plans

    A member of the group should be responsible for monitoring this risk throughout the project.

    Stage 5: Develop a schedule

    PERT charts and Gantt charts are examples of useful tools used in scheduling activities

    Stage 6: Execute the schedule

    Each group member should document their activities

    Documentation is the responsibility of the team members and will often be a saving grace for them.

    At the meetings the team should review the schedule and the status (complete or not complete) of the project goals. Once the goals are accomplished, the project is complete.

    Stage 7: Finish the project and assess performance

    After the goals have been achieved, it is good practice to evaluate the performance of the project team. This is where a good deal of learning and experience is gained. It will help prevent similar problems in future projects.

    Project Requirements

    Requirements Engineering Components

    Requirements and User Stories

    Types of Requirements

    Effort Estimation (Agile Methods)

    Requirements Process

    [Figure: Requirements process. Requirements gathering, Requirements analysis, Requirements specification; approaches shown: Agile Development User Stories, Aspect-Oriented Requirements, Object-Oriented Analysis & Design, Structured Analysis & Design]

    Requirements Engineering Components

    Requirements gathering (a.k.a. requirements elicitation): helps the customer to define what is required: what is to be accomplished, how the system will fit into the needs of the business, and how the system will be used on a day-to-day basis

    Requirements analysis: refining and modifying the gathered requirements

    Requirements specification: documenting the system requirements in a semiformal or formal manner to ensure clarity, consistency, and completeness

    Example System Requirements

    Identifier | Priority | Requirement

    REQ1 | 5 | The system shall keep the door locked at all times, unless commanded otherwise by authorized user. When the lock is disarmed, a countdown shall be initiated at the end of which the lock shall be automatically armed (if still disarmed).

    REQ2 | 2 | The system shall lock the door when commanded by pressing a dedicated button.

    REQ3 | 5 | The system shall, given a valid key code, unlock the door and activate other devices.

    REQ4 | 4 | The system should allow mistakes while entering the key code. However, to resist dictionary attacks, the number of allowed failed attempts shall be small, say three, after which the system will block and the alarm bell shall be sounded.

    REQ5 | 2 | The system shall maintain a history log of all attempted accesses for later review.

    REQ6 | 2 | The system should allow adding new authorized persons at runtime or removing existing ones.

    REQ7 | 2 | The system shall allow configuring the preferences for device activation when the user provides a valid key code, as well as when a burglary attempt is detected.

    REQ8 | 1 | The system should allow searching the history log by specifying one or more of these parameters: the time frame, the actor role, the door location, or the event type (unlock, lock, power failure, etc.). This function shall be available over the Web by pointing a browser to a specified URL.

    REQ9 | 1 | The system should allow filing inquiries about suspicious accesses. This function shall be available over the Web.
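    The "States and Transition Rules" slide and requirements REQ1 to REQ5, combined into one lock controller. This is an added example, not code from the original slides. Assumptions: the `>=` comparison in the auto-lock rule (the operator is missing on the slide), counting consecutive failures, the `blocked` flag and `reset_block`, the 30-second interval, and the key code `4271`.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple


class State(Enum):
    LOCKED = "locked"
    UNLOCKED = "unlocked"


@dataclass
class LockController:
    valid_codes: Set[str]                 # authorised key codes (REQ3)
    max_failed: int = 3                   # REQ4: "small, say three"
    auto_lock_interval: float = 30.0      # assumed value in seconds (REQ1 countdown)
    hold_open_interval: float = 0.0       # set per unlock request
    state: State = State.LOCKED           # REQ1: locked unless commanded otherwise
    failed: int = 0                       # consecutive invalid keys (assumption)
    blocked: bool = False                 # assumed flag for REQ4 "system will block"
    alarm: bool = False
    unlocked_at: Optional[float] = None
    log: List[Tuple[float, str]] = field(default_factory=list)   # REQ5 history

    def _record(self, now: float, event: str) -> None:
        self.log.append((now, event))

    def _lock(self, now: float, event: str) -> None:
        self.state = State.LOCKED
        self.unlocked_at = None
        self.hold_open_interval = 0.0
        self._record(now, event)

    def _is_valid(self, code: str) -> bool:
        # Compare against every stored code in constant time so the check
        # does not reveal how many leading digits of a guess were right.
        supplied = code.encode()
        ok = False
        for known in self.valid_codes:
            ok |= hmac.compare_digest(known.encode(), supplied)
        return ok

    def tick(self, now: float) -> State:
        """IF timeAfterUnlock >= max{autoLockInterval, holdOpenInterval} THEN lock."""
        if self.state is State.UNLOCKED:
            limit = max(self.auto_lock_interval, self.hold_open_interval)
            if now - self.unlocked_at >= limit:   # ">=" is an assumption
                self._lock(now, "auto-lock")
        return self.state

    def push_lock_button(self, now: float) -> State:
        """IF pushLockButton THEN lock (REQ2)."""
        if self.state is State.UNLOCKED:
            self._lock(now, "button-lock")
        return self.state

    def enter_key(self, code: str, now: float, hold_open: float = 0.0) -> State:
        """IF validKey [AND holdOpenInterval] THEN unlock, bounded by REQ4."""
        self.tick(now)
        if self.blocked:                          # even a valid key is refused
            self._record(now, "refused-blocked")
            return self.state
        if self._is_valid(code):
            self.failed = 0
            self.state = State.UNLOCKED
            self.unlocked_at = now
            self.hold_open_interval = hold_open
            self._record(now, "unlock")
            return self.state
        self.failed += 1
        self._record(now, "invalid-key")
        if self.failed >= self.max_failed:        # upper bound on failed attempts
            if self.state is State.UNLOCKED:
                self._lock(now, "forced-lock")
            self.blocked = self.alarm = True
            self._record(now, "blocked-alarm")
        return self.state

    def reset_block(self, now: float) -> None:
        """Hypothetical out-of-band reset (e.g. by the landlord); not on the slides."""
        self.blocked = self.alarm = False
        self.failed = 0
        self._record(now, "block-reset")


def run_constructed_scenario():
    lock = LockController(valid_codes={"4271"})         # constructed key code
    trace = [lock.enter_key("4271", now=0).value]       # tenant unlocks
    trace.append(lock.tick(now=31).value)               # countdown expired
    for t, guess in enumerate(["0000", "1111", "2222"], start=40):
        lock.enter_key(guess, now=t)                    # constructed guessing run
    trace.append(lock.enter_key("4271", now=50).value)  # refused while blocked
    return lock, trace


if __name__ == "__main__":
    final, states = run_constructed_scenario()
    print(states, final.log, sep="\n")
```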

    User Stories

    As a tenant, I can unlock the doors to enter my apartment.

    [Annotations on the story above: user-role (benefactor), capability, business-value]

    Similar to system requirements, but focus on the user benefits, instead of on system features.

    Preferred tool in agile methods.

    Example User Stories

    Identifier | User Story | Size

    ST-1 | As an authorized person (tenant or landlord), I can keep the doors locked at all times. | 4 points

    ST-2 | As an authorized person (tenant or landlord), I can lock the doors on demand. | 3 pts

    ST-3 | The lock should be automatically locked after a defined period of time. | 6 pts

    ST-4 | As an authorized person (tenant or landlord), I can unlock the doors. (Test: Allow a small number of mistakes, say three.) | 9 points

    ST-5 | As a landlord, I can at runtime manage authorized persons. | 10 pts

    ST-6 | As an authorized person (tenant or landlord), I can view past accesses. | 6 pts

    ST-7 | As a tenant, I can configure the preferences for activation of various devices. | 6 pts

    ST-8 | As a tenant, I can file complaint about suspicious accesses. | 6 pts

    Types of Requirements

    Functional Requirements

    Non-functional requirements FURPS+

    Functionality (security), Usability, Reliability, Performance, Supportability

    Requirements prioritization

    Tools for Requirements Eng.

    Tools, such as user stories and use cases, used for:

    Determining what exactly the user needs (requirements analysis)

    Writing a description of what system will do (requirements specification)

    Difficult to use the same tool for different tasks

    Project Estimation using User Story Points

    Similar to hedge pruning points in the first lecture

    Points assigned to individual user stories

    Total work size estimate:

    $\text{Total size} = \sum_{i=1}^{N} (\text{points-for-story } i)$

    Velocity (= productivity) estimated from experience

    Estimate the work duration:

    $\text{Project duration} = \dfrac{\text{Path size}}{\text{Travel velocity}}$

    Agile Project Effort Estimation

    [Figure: timeline of iterations (1st iteration, 2nd iteration, n-th iteration) leading to the estimated completion date. Work items form a work backlog, a list prioritized by the customer, each with an estimated work duration; items are pulled by the team into an iteration. Durations marked on the timeline: 21 days, 5 days]

    Work backlog:

    1) ST-4: Unlock 15 days (9pts)

    2) ST-2: Lock 5 days (3pts)

    3) ST-5: Manage Users 16 days (10pts)

    4) ST-7: Preferences 10 days (6pts)

    5) ST-6: View History 10 days (6pts)

    6) ST-

    How To Combine the Part Sizes?

    [Figure: three alternative road layouts, (a), (b) and (c), connecting City A, City B and City C]

    Costs are not always additive

    But, solution (c) is not necessarily cheaper than (b)

    Additional Costs

    Highway traffic-circle interchange

    Traffic signs

    [Figure: hedge pruning example, at a velocity of 2 points per day]

    Section sizes: 1 = 4 pts (2 days); 2 = 7 pts (3.5 days); 3 = 10 pts (5 days); 4 = 3 pts (1.5 days); 5 = 4 pts (2 days); 6 = 2 pts (1 day); 7 = 4 pts (2 days); 8 = 7 pts (3.5 days)

    1) Prune Section 6: 1 day (2 pts)

    2) Prune Section 5: 2 days (4 pts)

    3) Prune Section 7: 2 days (4 pts)

    4) Prune Section 4: 1.5 days (3 pts)

    5) Prune Section 8: 3.5 days (7 pts)

    Agile Estimation of Project Effort

    [Figure: iteration timeline and work backlog, repeating the figure from the "Agile Project Effort Estimation" slide]

    Chapter 2: E-HRM Introduction

    2.1. General Introduction

    2.1.1. Introduction and notations

    Definition: E-HRM is a way of implementing HR strategies, policies, and practices in organization through a conscious and direct support of and/or with full use of web-technology based channels.

    e-HRM is the (planning, implementation and) application of information technology for both networking and supporting at least two individual or collective actors in their shared

    First, technology is necessary to connect usually spatially segregated actors and enable interactions between them irrespective of their working in the same room or on different continents, i.e. technology serves as a medium with the aim of connection and integration.

    Second, technology supports actors by partially and sometimes even completely substituting for them in executing HR activities.

    HRM Functions

    E-HRM is not the same as HRIS (Human resource information system) which refers to ICT systems used within HR departments.

    E-HRM is in essence the devolution of HR functions to management and employees. They access these functions typically via intranet or other web-technology channels.

    OBJECTIVES:

    To offer an adequate, comprehensive and on-going information system about people and jobs at a reasonable cost;

    To provide support for future planning and also for policy formulations;

    To facilitate monitoring of human resources demand and supply imbalance;

    To automate employee related information;

    To enable faster response to employee related services and faster HR related decisions; and

    To offer data security and personal privacy.

    Model of an Organizational System Centered on HRIS

    BENEFITS OF E-HRM:

    Standardization

    Ease of recruitment, selection and assessment

    Ease of administering employee records

    Reductions to cost, time and labour

    Access to ESS training enrollment and self-development

    Cost and ESS

    Location and timeliness

    E-HRM goals: The main goals of e-HRM are as follows:

    Improving the strategic orientation of HRM

    Cost reduction/efficiency gains

    Client service improvements/facilitating management and employees.

    TYPES OF E-HRM

    Operational HRM: e-HRM is concerned with administrative functions like payroll, employee personal data, etc.

    Relational HRM: e-HRM is concerned with supportive business processes by means of training, recruitment, performance management, and so forth.

    Transformational HRM: e-HRM is concerned with strategic HR activities such as knowledge management, strategic re-orientation, etc.

    2.1.2. E-HRM functions

    E-Employee Profile: The E-Employee Profile web application provides a central point of access to the employee contact information and provides a comprehensive employee database solution, simplifying HR management and team building by providing employee skills, an organization chart and even pictures. E-Employee profile maintenance lies with the individual employee, the manager and the database manager.

    E-Employee profile consists of the following:

    Certification, Honor/Award, Membership, Education, Past Work Experience, Assignment Skills, Competency, Employee Assignment Rules, Employee Availability, Employee Exception Hours, Employee Utilization, Employee tools, Job information, Sensitive job Information, Service Details, Calendar, Calendar Administration, Employee Locator.

    E-Recruitment: Organizations first started using computers as a recruiting tool by advertising jobs on a bulletin board service from which prospective applicants would contact employers. Then some companies began to take e-applications. Today the internet has become a primary means for employers to search for job candidates and for applicants to look for jobs. As many as 100,000 recruiting web sites are available to employers and job candidates on which to post jobs and review resumes of various types. But the explosive growth of internet recruiting also means that HR professionals can be overwhelmed by the breadth and scope of internet recruiting.

    E-Recruiting Methods: Job boards, Professional/Career websites, Employer Websites.

    E-Selection: Most employers seem to be embracing Internet recruitment with enthusiasm, but the penetration of on-line assessment tools, such as personality assessments or ability tests, has so far been limited. A survey has shown that although more than half of respondent organizations already use either psychometric or other assessment during the recruitment process, only a few of these companies use on-line assessments prior to interview. Fewer still include a core fit questionnaire in the recruitment pages of their

    E-Learning: E-Learning refers to any programme of learning, training or education where electronic devices, applications and processes are used for knowledge creation, management and transfer. E-Learning is a term covering a wide set of applications and processes, such as web-based learning, computer-based learning, virtual classroom, and digital collaboration. It includes the delivery of content via Internet, intranet/extranet (LAN/WAN), audio- and videotape, satellite broadcast, interactive

    Classical and Virtual Learning: The classical learning model is characterized especially by a non-reversible flow of information. At the beginning is the pedagogue, who governs the course. To students, the pedagogue offers information, knowledge, and educational materials, mostly in the form of lecture notes for lessons. For the most part the feedback is weak, inconsistent, or even missing. A virtual education environment, through its communication links, collects the feedback of participants and simplifies teaching and the teamwork of students with the pedagogue. The virtual learning system enables horizontal and vertical communication. A participant can often get much more of the required information than in the classical model of education, because the other participants also share information, which does not really happen in the classical model.

    Characteristics of E-Learning:

    E-Learning outcomes extend beyond learning to strategic outcomes.

    E-Learning is much more than e-training for skill outcomes.

    E-Learning involves information and communication technology.

    E-Learning is about people learning in a given context.

    E-Training: Most companies start to think of online learning primarily as a more efficient way to distribute training inside the organization, making it available any time, anywhere, reducing direct costs (instructors, printed materials, training facilities) and indirect costs (travel time, lodging and travel expenses, workforce downtime). Attracted by these significant and measurable advantages, companies start to look for ways to make the most of their existing core training available online, and to manage and measure the

    Characteristics of E-Training:

    Rich learning interface.

    Personalized training programs.

    Training from workplace/home.

    Virtual classroom.

    E-Performance Management system: A web-based appraisal system can be defined as the system which uses the web (intranet and internet) to effectively evaluate the skills, knowledge and the performance of the employees.

    E-Compensation: All companies, whether small or large, must engage in compensation planning. Compensation planning is the process of ensuring that managers allocate salary increases equitably across the organization while staying within budget guidelines. As organizations have started expanding their boundaries, usage of intranet and internet has become vital. The usage of intranet and internet for compensation planning is called E-Compensation Management.

    2.1.3. Implementation of E-HRM:

    Here are five main phases in the implementation of the E-HRM business solution.

    Analysis (Infrastructure)

    Analyzing the existing infrastructure with regard to quantity of data and classification of business activities.

    Business processes in the company

    After the existing processes have been analyzed, the options for automating these processes in the client's environment are proposed. Finally a project plan is developed based on the model of the processes identified.

    Implementation

    After the fundamental analysis of the processes in the work team, individual modules are deployed in the client's environment. With modular design a gradual implementation is possible. Company-specific functionalities are discussed with the client and built upon request.

    Implementation and Training

    A complete knowledge of the components of the solution is a key factor for successful implementation. The entire team of project managers, information technology professionals and human resources specialists are thus involved in user training and

    Maintenance

    Fast technological development and development of new modules make cooperation after the implementation indispensable. A maintenance contract typically includes:

    Technical support experts available by phone, through e-mail or on-site

    Adaptation of existing modules or development of new ones

    Application software adjustment to changes in the system environment or operating system

    Functionality improvement and software upgrades in the form of new versions

    Consultation about further development of the system.

    Advantages of E-HRM

    Collection and storage of information regarding the work force, which will act as the basis for strategic decision-making

    Integral support for the management of human resources and all other basic and support processes within the company.

    Prompt insight into reporting and analysis

    A more dynamic workflow in the business process, productivity and employee satisfaction

    A decisive step towards a paperless office

    Makes work get done faster

    Disadvantages of E-HRM

    Employees' and line managers' mindsets need to be changed: they have to realize and accept the usefulness of web-based HR tools.

    They generally feel that they lack the time and space needed to work quietly and thoughtfully with web-based HR tools and so, if there is no need, they will not do it.

    Guaranteeing the security and confidentiality of input data is an important issue for employees in order that they should feel safe when using web-based HR tools.

    Software useful for e-HRM

    ERP (Enterprise Resource Planning)

    Bio-red

    SAP (System Approach & Product)

    HR payroll system

    2.2. E-HRM Tools

    2.2.1. Payroll

    The payroll module automates the pay process by gathering data on employee time and attendance, calculating various deductions and taxes, and generating periodic pay cheques and employee tax reports. Data is generally fed from the human resources and time keeping modules to calculate automatic deposit and manual cheque writing capabilities. This module can encompass all employee-related transactions as well as integrate with existing financial management systems.

    Benefits

    Payroll system to effectively manage the bank payment system.

    The bank has the Allowance Management System to manage allowance properly.

    Fully automated interactive payroll system for overtime, claims and other benefits.

    State-of-the-art Payroll/remunerations system.

    An automated Loan Application System for staff to apply for loans online.

    Web-based employee record keeping.

    Employee record keeping system (having all personal files in a digital form).

    Computer-based employee record keeping system.

    Managing employees' data by using automated record keeping HR system

    Integrated with other modules, the monthly or daily payroll process is just as easy as a single click of a button. The whole salaries and wages calculation will be computed automatically. However, the following are some of the highlights, supplied by you, that will be included for completing the modules.

    HR/Payroll System

    Employee Information

    Attendance Record

    Leave Record

    Emolument & PF Details

    Generate Pay Slips

    Annual Returns (TDS Forms)

    Form 16

    Employee Training Identifier Training & Induction Programs

    Features of HR\Payroll system


    Example of Payroll

    Salary Processing will create pay slips for the currently open salary period. Only one salary period can be open at

    Payroll Functions

    Integrated Payroll Software

    One click Salary Processing

    User defined Salary Heads

    User defined Salary Structure

    User defined Formulae

    Import of Salary Details

    Bonus (India)

    PF (India)

    ESI (India)

    Gratuity (India)

    Professional Tax (India)

    TDS, Income Tax (India)

    Customizable Pay Slips

    Payslips with YTD

    Calculation History for each payslip

    Statutory Reports PF, ESI and more (India)

    Printable Challan Reports (India)

    Salary data export to Excel

    Bulk email of pay slips to all employees in one click

    Modification History for payroll data (Who changed what and when?)

    2.1.2. Time & Attendance

    The Time & Attendance Module automates time tracking related processes and enhances the organization's performance by eliminating paperwork and manual processes associated with time and attendance needs. The sophisticated module helps to efficiently organize labor data, improve the workforce management and minimize errors in enforcement of the company's attendance policies.

    Functions

    Complete Attendance Software

    Graphical Attendance Views (Day, Work Week, Week, Month, Year views)

    Automated Overtime Calculation

    Automated Late-In/Early-Out Calculation

    Grace Periods for Work Start/End Times

    Attendance Data Re-processing

    User defined Attendance Types

    Real-time and Editable Attendance

    Overtime Management

    User-defined Leave Types

    Entitlements

    Late-In, Early-Out Reports

    Overtime Reports

    Sickness Reports

    Actual & Planned Work time Reports

    Daily/Monthly/Yearly Attendance Reports

    Settings for Customization

    Modification History for attendance data (Who changed what and when?)

    http://lenvica.in/hr-software/


    Overtime paid


    http://ehr.com.vn/Upload/file/chamcong.png


    2.1.3. Recruiting

    Online recruiting has become one of the primary methods employed by HR departments to garner potential candidates for available positions within an organization. Talent Management systems typically encompass:

    analyzing personnel usage within an organization

    identifying potential applicants

    recruiting through company-facing listings

    recruiting through online recruiting sites or publications that market to both recruiters and applicants.

    The significant cost incurred in maintaining an organized recruitment effort, cross-posting within and across general or industry-specific job boards and maintaining a competitive exposure of availabilities has given rise to the development of a dedicated Applicant Tracking System, or 'ATS', module.

    Benefits Administration

    The benefits administration module provides a system for organizations to administer and track employee participation in benefits programs. These typically encompass insurance, compensation, profit sharing and retirement.

    Training

    The training module provides a system for organizations to administer and track employee training and development efforts. The system, normally called a Learning Management System if a stand-alone product, allows HR to track education, qualifications and skills of the employees, as well as outlining what training courses, books, CDs, web-based learning or materials are available to develop which skills. Courses can then be offered in date-specific sessions, with delegates and training resources being mapped and managed within the same system. Sophisticated LMS allow managers to approve training, budgets and calendars alongside performance management and

    Chapter 3: Risks on Web Transaction

    3.1. Web Risks Introduction

    3.1.1. General Introduction

    Managing the business risk of fraud

    EZ-R Stats, LLC

    PWC Global Survey Nov, 2009

    Economic crime in a downturn

    Sharp rise in accounting fraud over the past 12 months

    Accounting fraud had grown to 38 percent of the economic crimes in 2009

    Employees face increased pressures to:

    meet performance targets

    keep their jobs

    keep access to funding

    What is Fraud?

    Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.

    All organizations are subject to fraud risks.

    Large frauds have led to the downfall of entire organizations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets.

    Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe.

    Key Principles to Prevent Fraud Risks

    Principle 1: As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

    Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.

    Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.

    Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

    Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and timely.

    Fraud Risk Assessment

    3 Levels:

    Enterprise-wide risk assessment (Today's discussion)

        Types of fraud

        Risk ownership

        Likelihood, given the control environment

        Impact

    Business Process risk assessment (individual audits)

    Fraud Penetration risk assessment (transaction level)

    Fraud Triangle

    Types of Fraud Schemes

    Asset misappropriation (most common)

        Embezzlement of funds

        Theft of an asset

        Misuse of assets

        No Business Purpose

        Payroll fraud

        Overbilling by vendors/suppliers

    Financial Misstatement (most costly)

        Fictitious transactions

        Improper recognition

        Improper measurement (estimates, calculations, assumptions)

        Improper disclosure or omission

        Misapplication of GAAP

    Commercial Bribery, extortion or corruption

        Kickbacks

        Gifts, gratuities

        Diverting Business

        Bid rigging

        Conflicts of Interest

    What is risk?

    Risk is a function of the likelihood of a given threat-source's exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.

    Risk management

    Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations' missions.

    Encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.

    The risk assessment methodology (9 steps)

    Step 1: System Characterization

    Step 2: Threat Identification

    Step 3: Vulnerability Identification

    Step 4: Control Analysis

    Step 5: Likelihood Determination

    Step 6: Impact Analysis

    Step 7: Risk Determination

    Step 8: Control Recommendations

    Step 9: Results Documentation


    Level of risk to the IT system

    To measure risk, a risk scale and a risk-level matrix must be developed.

    The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact.

    The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low). Depending on the site's requirements and the granularity of risk assessment desired, some sites may use a 4 x 4 or a 5 x 5 matrix. The latter can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to generate a Very Low/Very High risk level. A Very High risk level may require possible system shutdown or stopping of all IT system integration and testing efforts.

    Example

    The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, 0.1 for Low.

    The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.

    Description of Risk Level (Scale)
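
    As an added illustration (not part of the original slides), the Python code below applies the multiplication rule and the ratings from the example to build the 3 x 3 risk-level matrix and to rate and rank a list of observations (vulnerability/threat pairs). The band boundaries (High above 50, Medium above 10 up to 50, Low from 1 to 10) are an assumption, because the scale table did not survive on this page; the ratings given to each observation, and every observation text except the first, are constructed sample data.

```python
from dataclasses import dataclass
from decimal import Decimal

# Ratings stated in the example: likelihood as a probability, impact as a value.
# Decimal keeps 0.1 exact so that scores on a band boundary compare correctly.
LIKELIHOOD = {"High": Decimal("1.0"), "Medium": Decimal("0.5"), "Low": Decimal("0.1")}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}

# ASSUMPTION: band boundaries, since the page's scale table is missing.
# Each entry is (exclusive lower bound, label), checked from the top band down.
RISK_BANDS = [(50, "High"), (10, "Medium"), (0, "Low")]


def risk_score(likelihood, impact):
    """Multiply the likelihood rating by the impact rating."""
    try:
        return LIKELIHOOD[likelihood] * IMPACT[impact]
    except KeyError as exc:
        raise ValueError(f"unknown rating: {exc.args[0]!r}") from None


def risk_level(score):
    """Map a numeric score onto the risk scale."""
    for lower_bound, label in RISK_BANDS:
        if score > lower_bound:
            return label
    raise ValueError(f"score {score} is outside the risk scale")


def build_matrix():
    """Return {(likelihood, impact): risk level} for every cell of the matrix."""
    return {
        (lik, imp): risk_level(risk_score(lik, imp))
        for lik in LIKELIHOOD
        for imp in IMPACT
    }


@dataclass
class Observation:
    number: int
    description: str
    likelihood: str
    impact: str

    @property
    def score(self):
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self):
        return risk_level(self.score)


def summarize(observations):
    """Rank observations by score (highest first) and count them per risk level."""
    ranked = sorted(observations, key=lambda o: (-o.score, o.number))
    counts = {label: 0 for _, label in RISK_BANDS}
    for obs in ranked:
        counts[obs.level] += 1
    return ranked, counts


# Constructed sample data. Only the first description comes from the page;
# all likelihood and impact ratings are illustrative.
OBSERVATIONS = [
    Observation(1, "User system passwords can be guessed or cracked", "High", "Medium"),
    Observation(2, "Payroll modification history is never reviewed", "Medium", "High"),
    Observation(3, "Attendance terminal runs outdated software", "Low", "High"),
    Observation(4, "HR administrators share a single account", "High", "High"),
]

if __name__ == "__main__":
    matrix = build_matrix()
    print("Likelihood  " + "".join(f"{imp + ' impact':<16}" for imp in IMPACT))
    for lik in LIKELIHOOD:
        print(f"{lik:<12}" + "".join(f"{matrix[(lik, imp)]:<16}" for imp in IMPACT))

    ranked, counts = summarize(OBSERVATIONS)
    print()
    for obs in ranked:
        print(f"#{obs.number}  {float(obs.score):5.1f}  {obs.level:<6}  {obs.description}")
    print(f"Total observations: {len(ranked)}  {counts}")
```

    With these ratings only the High/High cell of the matrix reaches the High risk level; a High likelihood paired with a Medium impact, or the reverse, scores exactly 50 and stays Medium.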

    RISK MITIGATION STRATEGY

    Guide

    When vulnerability (or flaw, weakness) exists: implement assurance techniques to reduce the likelihood of a vulnerability's being exercised.

    When a vulnerability can be exercised: apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.

    When the attacker's cost is less than the potential gain: apply protections to decrease an attacker's motivation by increasing the attacker's cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker's gain).

    When loss is too great: apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

    CONTROL IMPLEMENTATION

    Step 1: Prioritize Actions

    Step 2: Evaluate Recommended Control Options

    Step 3: Conduct Cost-Benefit Analysis

    Step 4: Select Control

    Step 5: Assign Responsibility

    Step 6: Develop a Safeguard Implementation Plan

    Step 7: Implement Selected Control(s)

    EVALUATION AND ASSESSMENT

    The good practice and need for an ongoing risk evaluation and assessment and the factors that will lead to a successful risk management program.

    The risk assessment process is usually repeated at least every 3 years for federal agencies. However, risk management should be conducted and integrated in the SDLC for IT systems.

    Be integrated into the SDLC

    An IT system's SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal.

    KEY ROLES (Personal responsibilities)

    Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.

    Chief Information Officer (CIO). The CIO is responsible for the agency's IT planning, budgeting, and performance including its information security components. Decisions made in these areas should be based on an effective risk management program.

    System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

    Business and Functional Managers. The managers responsible for business operations and IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment.

    Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.

    IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

    Security Awareness Trainers (Security/Subject Matter Professionals). The organization's personnel are the users of the IT systems. Use of the IT systems and data according to an organization's policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization's IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to

    SAMPLE RISK ASSESSMENT REPORT OUTLINE

    EXECUTIVE SUMMARY

    I. Introduction

    Purpose

    Scope of this risk assessment

    Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.

    II. Risk Assessment Approach

    Briefly describe the approach used to conduct the risk assessment, such as

    The participants (e.g., risk assessment team members)

    The technique used to gather information (e.g., the use of tools, questionnaires)

    The development and description of risk scale (e.g., a 3 x 3, 4 x 4, or 5 x 5 risk-level matrix).

    III. System Characterization

    Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users.

    Provide connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.

    IV. Threat Statement

    Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.

    V. Risk Assessment Results

    List the observations (vulnerability/threat pairs). Each observation must include:

    Observation number and brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked)

    A discussion of the threat-source and vulnerability pair

    Identification of existing mitigating security controls

    Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)

    Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)

    Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)

    Recommended controls or alternative options for reducing the risk.

    VI. Summary

    Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.

    Fraud Risk Governance

    While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:

    Roles and responsibilities.

    Commitment.

    Fraud awareness.

    Affirmation process.

    Conflict disclosure.

    Fraud risk assessment.

    Reporting procedures and whistleblower protection.

    Investigation process.

    Corrective action.

    Quality assurance.

    Continuous monitoring.

    Fraud Risk Assessment

    A structured fraud risk assessment, tailored to the organization's size, complexity, industry, and goals, should be performed and updated periodically.

    The assessment may be integrated with an overall organizational risk assessment or performed as a stand-alone exercise, but should, at a minimum, include risk identification, risk likelihood and significance assessment, and risk response.

    Individual organizations will have different risk tolerances. Fraud risks can be addressed by establishing practices and controls to mitigate the risk, accepting the risk but monitoring actual exposure, or designing ongoing or specific fraud evaluation procedures to deal with individual fraud risks.

    Management and board members should ensure the organization has the appropriate control mix in place, recognizing their oversight duties and responsibilities in terms of the organization's sustainability and their role as fiduciaries to stakeholders, depending on organizational form.

    Management is responsible for developing and executing mitigating controls to address fraud risks while ensuring controls are executed efficiently by competent and objective individuals.

    Fraud Prevention and Detection

    Prevention encompasses policies, procedures, training, and communication that stop fraud from occurring.

    Detection focuses on activities and techniques that promptly recognize whether fraud has occurred or is occurring.

    One key to prevention is promoting, from the board down throughout the organization, an awareness of the fraud risk management program, including the types of fraud that may occur.

    One of the strongest fraud deterrents is the awareness that effective detective controls are in place.

    Combined with preventive controls, detective controls enhance the effectiveness of a fraud risk management program by demonstrating that preventive controls are working as intended and by identifying fraud if it does occur. Although detective controls may provide evidence that fraud has occurred or is occurring, they are not intended to prevent fraud.

    Every organization is susceptible to fraud, but not all fraud can be prevented, nor is it cost-effective to try. An organization may determine it is more cost-effective to design its controls to detect, rather than prevent, certain fraud schemes. It is important that organizations consider both fraud prevention and fraud detection.

    Fraud Risk Governance

    Principle 1: As part of an organization's governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.

    To help ensure an organization's fraud risk management program is effective, it is important to understand the roles and responsibilities that personnel at all levels of the organization have with respect to fraud risk management.

    Policies, job descriptions, charters, and/or delegations of authority should define roles and responsibilities related to fraud risk management.

    Board of Directors: first should ensure that the board itself is governed properly. This encompasses all aspects of board governance, including independent-minded board members who exercise control over board information, agenda, and access to management and outside advisers, and who independently carry out the responsibilities of the nominating/governance, compensation, audit, and other committees.

    The board should:

    Understand fraud risks.

    Maintain oversight of the fraud risk assessment by ensuring that fraud risk has been considered as part of the organization's risk assessment and strategic plans. This responsibility should be addressed under a periodic agenda item at board meetings when general risks to the organization are considered.

    Monitor management's reports on fraud risks, policies, and control activities, which include obtaining assurance that the controls are effective. The board also should establish mechanisms to ensure it is receiving accurate and timely information from management, employees, internal and external auditors, and other stakeholders regarding potential fraud

    Oversee the internal controls established by management.

    Set the appropriate tone at the top through the CEO job description, hiring, evaluation, and succession-planning processes.

    Have the ability to retain and pay outside experts where needed.

    Provide external auditors with evidence regarding the board's active involvement and concern about fraud risk management.

    Audit Committee (or similar oversight body)

    Should be composed of independent board members and should have at least one financial expert, preferably with an accounting background.

    The committee should meet frequently enough, for long enough periods, and with sufficient preparation to adequately assess and respond to the risk of fraud, especially management fraud, because such fraud typically involves override of the organization's internal controls.

    An audit committee of the board that is committed to a proactive approach to fraud risk management maintains an active role in the oversight of the organization's assessment of fraud risks and uses internal auditors, or other designated personnel, to monitor fraud risks.

    At each audit committee meeting, should meet separately from management with appropriate individuals, such as the chief internal audit executive and senior financial person.

    Should understand how internal and external audit strategies address fraud risk.

    Should not only focus on what the auditors are doing to detect fraud, but more importantly on what management is doing to prevent fraud, where possible.

    Should be aware that the organization's external auditors have a responsibility to plan and perform the audit of the organization's financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.

    Should also seek the advice of legal counsel whenever dealing with issues of allegations of fraud. Fraud allegations should be taken seriously since there may be a legal obligation to investigate and/or report them.

    Management

    Implementing adequate internal controls, including documenting fraud risk management policies and procedures and evaluating their effectiveness, aligned with the organization's fraud risk assessment.

    Reporting to the board on what actions have been taken to manage fraud risks and regularly reporting on the effectiveness of the fraud risk management program. This includes reporting any remedial steps that are needed, as well as reporting actual frauds.

    Staff

    Have a basic understanding of fraud and be aware of the red flags.

    Understand their roles within the internal control framework. Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur or go undetected.

    Read and understand policies and procedures (e.g. the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as

    As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.

    Report suspicions or incidences of fraud.

    Cooperate in investigations.

    Internal Auditing

    should provide objective assurance to the board and management that fraud controls are sufficient for identified fraud risks and ensure that the controls are functioning effectively.

    Internal auditors may review the comprehensiveness and adequacy of the risks identified by management, especially with regard to management override risks

    should interview and communicate regularly with those conducting the organization's risk assessments, as well as others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately

    3.1.2. Transaction Risks

    Managerial Implications

    Example

    consumer-perceived risk is reduced with the increase in institutional trust

    Transaction risk

    Is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information.

    Risk is inherent in efforts to gain strategic advantage and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered.

    Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment

    Type of Risk

    Fraud,

    Error,

    Negligence

    And the inability

    Quantity of Transaction Risk Indicators

    Low

    Exposure to risk from fraud, errors, or processing disruptions is minimal given the volume of transactions, complexity of products and services, and state of systems development. Risk to earnings and capital is insignificant.

    Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are minimal

    Moderate

    Exposure to risk from fraud, errors, or processing disruptions is modest given the volume of transactions, complexity of products and services, and state of systems development. Deficiencies that have potential impact on earnings or capital can be addressed in the normal course of business.

    Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are manageable.

    High

    Exposure to risk from fraud, errors, or processing disruptions is significant given the volume of transactions, complexity of products and services, and state of systems development. Deficiencies exist which represent significant risk to earnings and capital.

    Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are substantial.

    Quality of Transaction Risk Indicators

    Strong

    Management anticipates and responds effectively to risks associated with operational changes, systems development, and emerging technologies.

    Management has implemented sound operating processes, information systems, internal control, and audit coverage.

    Management identifies weaknesses in transaction processing and takes timely and appropriate action

    Management information provides appropriate monitoring of transaction volumes, error, reporting fraud, suspicious activity, security violations, etc. MIS is accurate, timely, complete and reliable.

    Management comprehensively provides for continuity and reliability of services, including services furnished by outside providers.

    Appropriate processes and controls exist to manage and protect data.

    Risks from new products and services, planned strategic initiatives, or acquisitions are well controlled and understood.

    Management fully understands technology risks with available expertise to evaluate technology-related issues.

    Weak

    Management does not take timely and appropriate actions to respond to operational changes, systems development, or emerging technologies.

    Significant weaknesses exist in operating processes, information systems, internal control, or audit coverage related to transaction processing.

    Management does not recognize weaknesses in transaction processing or make the necessary corrections.

    Management information systems for transaction processing exhibit significant weaknesses or may not exist.

    Management has not provided for continuity and reliability of services furnished by outside providers.

    Processes and controls to manage and protect data are seriously deficient or nonexistent

    Inadequate planning or due diligence expose the Bank to significant risk from activities such as the introduction of new products and services, strategic initiatives, or acquisitions.

    Management does not understand, or has chosen to ignore, key aspects of transaction risk

    3.2. Payroll Risks

    3.2.1. Introduction

    3.2.2. Categories of payroll risks

    Incorrect processing/payment of payroll by mistake or with intention (fraud)

    Incorrect input by mistake or with intention (fraud) of payroll information

    Incorrect processing of payroll

    Payroll payment (bank transmission)

    Inaccurate Taxation (computation and reporting)

    Payroll Accounting

    Payroll-related documents are not kept as per legal requirements

    Sensitive payroll information is not properly protected, which may lead to loss of reputation, loss of competitive advantage, loss of revenue, or legal consequences

    See detail: Payroll Process-Fraud and error risks and controls to mitigate them.docx

    3.2.3. Risk Protections and Managements

    Control Check list Pay Roll

    Go Control Checklists_Payroll.xls

    Payroll control objectives

    The following is a practical guide to payroll control objectives that help ensure risks are properly minimized.

    Reliability of Information

    Employee record changes are properly authorized and accurately recorded; all require the employee's signature or their acknowledgement

    All payroll costs are accurately calculated from authorized sources and recorded on a timely basis.

    Recorded payroll balances are substantiated.

    Recorded payroll balances are evaluated.

    All payroll disbursements are accurately processed and recorded on a timely basis.

    Payroll changes, costs, and disbursements are reliably processed and reported.

    Performance measures used to control and improve the process are reliable.

    Detection of unauthorized adjustments to the payroll activity and withholding accounts after distribution

    Detection of duplicate payments

    Detection of collusion

    Detection of phantom employees

    Detection of manipulation of earned benefit time

    Payroll Preparation and Security

    Is a payroll master file maintained which includes all employees? The file should contain all information concerning current pay rates, withholding deductions, tax codes, etc.

    Are procedures established to physically secure and protect master file information? Changes should be restricted to properly authorized additions, deletions and changes which are supported by documentation in the employee's personnel file.

    Are only authorized personnel allowed access to the Payroll department and its records?

    Is the Payroll department promptly and formally notified of the termination or transfer of any employee or of payroll changes so that payroll records can be adjusted?

    Do non-exempt employees submit on a timely basis, time cards, time sheets or other authorized recording media before payroll processing is performed, either electronically or manually?

    Do department managers compare actual payroll costs to budgeted costs for reasonableness?

    Are all payroll disbursement accounts reconciled on a monthly basis by someone without any responsibility for the payroll cycle?

    10 practical steps to reduce the risk of a major payroll fraud occurring in your business

    Step 1: Review your bank reconciliation. Many frauds are discovered when a review of the bank reconciliation is conducted. A bank reconciliation ensures that the cash balance per the financial statements is the same as the cash balance in the company's bank account. In many fraud cases, a review of the bank reconciliation reveals entries such as "Unadjusted balance", "To be reviewed", "Unknown Difference", or "Immaterial Adjustment". These descriptions often reveal that a process in the business is broken or, in the worst case, that a fraud is being perpetrated. Reviewing your bank reconciliation on a regular basis is a basic yet very important control for a business.

    Step 2: How do your staff complete their timesheets? Do your staff use a Time & Attendance book? What is the quality of information on these source documents? If staff are forgetting to sign or not including all required information, then it makes it difficult to detect more subtle behaviours that may be fraudulent in nature.

    Step 3: Do you have any ghost employees on your payroll? A ghost employee is where a fictitious entry has been created on your payroll for the purpose of defrauding the company of money. Some "ghosts" can be detected by looking for where two or more employees have the same bank account, or some other characteristic that is the same. For example, this could include the same telephone number, same first, middle or last name or common address elements. Other "ghosts" might only be detected if the individual is physically sighted while at the workplace. If your company payroll is predominantly made up of permanent employees, then the risk of having a ghost employee may be minimal. However, if you employ a large number of temporary and itinerant workers, then we recommend that additional checks be put in place to manage this risk.
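The shared-characteristic check described in Step 3 can be run directly over the payroll master file. The following is an added example, not part of the original slides; the field names, normalisation rules and sample records are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample payroll master file; every value is invented.
MASTER = [
    {"id": "E001", "name": "Anna Tran",  "bank": "0123-456-789", "phone": "(04) 555 0101", "address": "12 Le Loi St, Unit 3"},
    {"id": "E002", "name": "Binh Pham",  "bank": "9876 543 210", "phone": "04-555-0102",   "address": "7 Hang Bai"},
    {"id": "E003", "name": "Chi Nguyen", "bank": "0123456789",   "phone": "04 555 0199",   "address": "88 Tran Phu"},
    {"id": "E004", "name": "D. Vo",      "bank": "5550001111",   "phone": "045550102",     "address": "7  hang bai."},
    {"id": "E005", "name": "Anna  TRAN", "bank": "4440002222",   "phone": "04 555 0177",   "address": "3 Ba Trieu"},
]

def digits(value):
    """Keep digits only, so differently formatted account/phone numbers compare equal."""
    return re.sub(r"\D", "", value)

def words(value):
    """Lower-case and drop punctuation and extra spaces."""
    return " ".join(re.findall(r"[a-z0-9]+", value.lower()))

NORMALISERS = {"bank": digits, "phone": digits, "name": words, "address": words}

def shared_attributes(records, fields=("bank", "phone", "name", "address")):
    """Return {(field, normalised value): [ids]} for values used by 2+ employees."""
    seen = defaultdict(list)
    for rec in records:
        for field in fields:
            key = NORMALISERS[field](rec.get(field, ""))
            if key:  # a blank value is a data-quality issue, not a match
                seen[(field, key)].append(rec["id"])
    return {k: ids for k, ids in seen.items() if len(ids) > 1}

def review_queue(records):
    """Rank employee pairs by how many characteristics they share."""
    score = defaultdict(set)
    for (field, _), ids in shared_attributes(records).items():
        for i, a in enumerate(ids):
            for b in ids[i + 1:]:
                score[(a, b)].add(field)
    return sorted(((pair, sorted(f)) for pair, f in score.items()),
                  key=lambda item: (-len(item[1]), item[0]))

if __name__ == "__main__":
    for pair, fields in review_queue(MASTER):
        print(pair, "share", ", ".join(fields))
```

A match is a reason to pull the source documents, not proof of fraud: family members legitimately share an address or telephone number, which is why the pairs are ranked by the number of shared characteristics.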

    Step 4: When was the last time you reviewed your end-to-end payroll process? Have you or someone in your company documented the payroll process and do you understand who performs which tasks and in what sequence? Not understanding and documenting the process is like trying to build a house without any architectural plans. Preventing payroll fraud (like any other fraud) is all about understanding which checks and balances exist, are they operating effectively and are there any key controls missing from the process? Once the payroll process has been documented into its components, then the risks at each stage can be assessed. For example, documenting your process for administering terminated employees may reveal an ability for former employees' payroll details to be changed, resulting in the creation of a ghost employee.

    Step 5: Have you divested control of your payroll department and have little or no oversight over the payroll function? Are you relying on your friendship or trust in your Payroll Manager instead of relying on proper management and review? If this is the case, then you need to go back to basics. Understand the process, identify any segregation of duty conflicts, ensure that the Payroll is approved by someone independent from its preparation, institute random checks to source documents and conduct regular data mining reviews.

    Step 6: Is your payroll manager a signatory to your company's bank account? Clearly if this is the case, then there is a risk that the payroll manager can manipulate the payroll to their own advantage with little risk of detection. This is an obvious segregation of duty issue; however, also review the process and identify if there are other conflicts that exist in the payroll function.

    Step 7: What checks are conducted when a Payroll is being approved? What is the approver checking the reports against? If the approver is just signing what is put in front of them, then this control is clearly not working effectively. Implement a checklist of key steps that need to be conducted before sign off occurs. This could include reviewing the number of Ons and Offs since the previous pay run. Scan the hours worked or overtime for anomalies. Select an employee at random and request supporting information. These are just some of the tasks that can be performed which can significantly improve the level of control with any sign off process.

    Step 8: Are you aware of payroll staff sharing passwords and log in details? If this is the case, it becomes very difficult to detect suspicious behaviour and may result in unauthorised pay amounts or other serious anomalies. Each staff member should be provided with their own password, and you should ensure that staff are aware of the company's Information Technology and other key policies.

    Step 9: Do you have a mechanism where staff can report suspicious, fraudulent or inappropriate behaviour? In our experience, many frauds are only discovered when the company is tipped off by another employee. This type of email or phone hotline can also be particularly beneficial when a company has many geographically remote sites

    Step 10: Do you make an employee background search a condition of employment for individuals working in sensitive positions, for example, payroll and accounts payable? This can be another practical step you can take to improve the internal controls in your company.

    Control Activities

    The "Biggie" in terms of commitment

    The responses to a threat or set of threats

    Internal control activities are the policies, procedures, techniques, and mechanisms that help ensure that district management's directives to minimize risks are carried out.

    Control activities occur at all levels and functions of the district.

    They include approvals, authorizations, verifications, reconciliations, performance reviews, and the production of records and

    Hiring unqualified or trouble employees

    Thorough background checks, review of employment history (30% dishonest, 30% situationally dishonest, 40% honest)

    Verify skills and references, including college degrees earned (Data released in March 2004 indicates that 50% of resumes contain false or embellished information)

    Check at least three references (1 out of 3 will be gratuitously positive)

    Threats in Employment Practices

    Violation of Employment Laws

    Carefully document all actions related to recruiting, hiring, and dismissal of employees.

    Provide your payroll and human resource employees with continual training to keep them current with employment laws.

    State

    Federal

    Threats in Employment Practices

    Unauthorized changes to the payroll master file

    Proper segregation of duties

    HR department approval for updates

    HR department should not directly participate in payroll processing or distribution

    Changes to the master file should be reviewed and approved by someone other than the person recommending the change.

    Restrict access to the payroll system and logic code

    User IDs, passwords

    Control terminals from which payroll data and programs can be accessed

    Threats in Payroll Processing

    Inaccurate time data

    Automation can reduce unintentional inaccuracies.

    Data entry programs should include edit checks.

    Edit checks for employee numbers and hours worked

    Limit checks on hours worked

    Segregation of duties can reduce intentional inaccuracies:

    People who process payroll should not have access to the payroll master file (to the extent practical).

    Supervisors should approve all time cards.

    Threats in Payroll Processing

    Inaccurate processing of payroll

    Run and reconcile batch totals before and after processing

    Master file totals +/- changes

    Use of a payroll clearing account

    Imprest system with a net zero balance in the control account

    On-going training for payroll employees

    Threats in Payroll Processing
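The edit checks, limit checks and batch totals named on the two preceding slides can be combined in one data-entry routine. The following is an added example, not part of the original slides; the employee-number format, the 60-hour limit and the sample batch are assumptions constructed for illustration.

```python
MASTER_IDS = {"E001", "E002", "E003"}  # constructed master-file employee numbers
MAX_HOURS = 60.0                        # assumed limit for one pay period

# Constructed batch of time entries exactly as keyed in (all values invented).
BATCH = [
    {"emp": "E001", "hours": "40"},
    {"emp": "E002", "hours": "38.5"},
    {"emp": "E009", "hours": "40"},    # employee number not on the master file
    {"emp": "E003", "hours": "400"},   # extra zero keyed in
    {"emp": "E003", "hours": "4O"},    # letter O instead of zero
    {"emp": "E003", "hours": "36"},
]

def edit_check(entry):
    """Return the reasons an entry is rejected; an empty list means accepted."""
    problems = []
    if entry["emp"] not in MASTER_IDS:
        problems.append("unknown employee number")
    try:
        hours = float(entry["hours"])
    except ValueError:
        return problems + ["hours not numeric"]
    if not 0 < hours <= MAX_HOURS:       # limit check; also rejects nan and inf
        problems.append("hours outside limit")
    return problems

def control_totals(entries):
    """Batch totals: record count, hours total, hash total of employee numbers."""
    return {
        "records": len(entries),
        "hours": round(sum(float(e["hours"]) for e in entries), 2),
        "hash": sum(int(e["emp"][1:]) for e in entries),
    }

def reconcile(before, after):
    """Names of the batch totals that changed between input and output."""
    return [name for name in before if before[name] != after[name]]

if __name__ == "__main__":
    accepted = [e for e in BATCH if not edit_check(e)]
    before = control_totals(accepted)
    # Constructed processing output in which one record's hours were altered.
    output = [dict(e) for e in accepted]
    output[2]["hours"] = "46"
    print("rejected:", [(e["emp"], edit_check(e)) for e in BATCH if edit_check(e)])
    print("totals that do not reconcile:", reconcile(before, control_totals(output)))
```

The hash total of employee numbers has no meaning as a sum; it exists so that a record swapped for another employee's is caught even when the record count and hours total still agree.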

    Theft or fraudulent distribution of paychecks

    Restrict access to blank payroll checks and check signing machine.

    All checks should be sequentially prenumbered and accounted for periodically.

    Someone independent of the payroll process should reconcile the payroll bank account.

    Segregate the duties between those who authorize and record payroll and those who distribute checks and transfer funds.

    Unclaimed checks should be returned to district administration for prompt investigation.

    Threats in Payroll Processing

    Any control system must be continually monitored and updated in order to continue to work effectively.

    The district should emphasize to managers that they have responsibility for internal control and that they should monitor the effectiveness of control activities as part of their regular duties.

    Is the system re-evaluated when a breakdown in controls is uncovered?

    The completion of each payroll provides you with a time for evaluation.

    Monitoring
