Information Technology and Communication

Published on December 2016 | Categories: Documents | Downloads: 31 | Comments: 0 | Views: 412

Course Information
INFORMATION TECHNOLOGY AND COMMUNICATION

• Lecture Notes:
http://www.ece.rutgers.edu/~marsic/books/SE

• References:
– Textbooks: Bruegge & Dutoit: Object-Oriented Software Engineering: Using UML, Patterns and Java, Third Edition, Prentice Hall, 2010. ISBN 0-13-6061257
– Web: http://www.ece.rutgers.edu/~marsic/Teaching/SE
– Slide Handout

Dr Thuy Nguyen, Commercial University of Vietnam

Course Information
• Grading:
– Attendance: 0,1
– Midterm Test: 0,3
– Final Test: 0,6

Chapter one: Information Technology and Communication Basic Concepts
• 1.1 ITC Basic concepts
• 1.1.1 What is ITC?

ITC = ICT

ICT Definition
• ICT is often used as an extended synonym for information technology (IT), but is a more specific term that stresses the role of unified communications[1] and the integration of telecommunications (telephone lines and wireless signals), computers as well as necessary enterprise software, middleware, storage, and audio-visual systems, which enable users to access, store, transmit, and manipulate information.

ICT Definition
• An ICT system is a set-up consisting of hardware, software, data and the people who use them. It commonly includes communications technology, such as the Internet.
• ICT systems are used in a number of environments, such as:
– offices
– shops
– factories
– aircraft
– ships

The importance of ICT systems
• More productive: we can complete a greater number of tasks in the same time at reduced cost by using computers than we could prior to their invention
• Able to deal with vast amounts of information and process it quickly
• Able to transmit and receive information rapidly

Types of ICT
• Information systems
– This type of ICT system is focused on managing data and information. Examples of these are a sports club membership system or a supermarket stock system.
• Control systems
– These ICT systems mainly control machines. They use input, process and output, but the output may be moving a robot arm to weld a car chassis rather than information.
• Communications systems
– The output of these ICT systems is the successful transport of data from one place to another.

An ICT system diagram
• A system is an assembly of parts that together make a whole. ICT systems are made up of some or all of the parts shown in the diagram. Various devices are used for input, processing, output, and communication.

1.2 Introduction to project management process
• 1.2.1 The Systems Development Life Cycle
• Any product development can be expected to proceed as an organized process that usually includes the following phases:
– Planning / Specification
– Design
– Implementation
– Evaluation

The Role of Software Engg. (1)
A bridge from customer needs to programming implementation
[Figure: the software engineer as a bridge between Customer and Programmer]

First law of software engineering
Software engineer is willing to learn the problem domain
(problem cannot be solved without understanding it first)

The Role of Software Engg. (2)
Customer:
Requires a computer system to achieve some business goals by user interaction or interaction with the environment in a specified manner

Software Engineer’s task:
To understand how the system-to-be needs to interact with the user or the environment so that customer’s requirement is met and design the software-to-be

Programmer’s task:
To implement the software-to-be designed by the software engineer
(The software engineer and the programmer may be the same person.)

Example: ATM Machine
Understanding the money-machine problem:
[Figure: the system-to-be (ATM machine, containing the software-to-be) with its user (bank customer) and its environment (bank’s remote datacenter), joined by a communication link; the ATM keypad digits 0–9 appear in the drawing]

How ATM Machine Might Work
Domain model created with help of domain expert

Cartoon Strip: How ATM Machine Works
[Figure: eight panels A–H in which the ATM is imagined as a small bank staffed by workers (Window clerk, Datacenter liaison, Bookkeeper, Safe keeper, Dispenser) using things (Speakerphone, Phone, Safe, Transaction record, Cash); the external players are the Customer and the Bank’s remote datacenter. Recoverable panel dialogue:
A: “How may I help you?” / “Enter your PIN”
B: “Typing in PIN number …” / “Verify this account”
C: “Verify account XYZ”
D: “XYZ valid. Balance: $100” / “Account valid. Balance: $100”
E: “How may I help you?” / “Withdraw $60”
F: “Release $60” / “Record $60 less”
G: “Dispense $60” / “Dispensing!”
H: “Please take your cash”]

Domain Model
[Figure: the same workers and things drawn as a domain model of the ATM]

Software Development Methods
• Method = work strategy
• The Feynman Problem-Solving Algorithm: (i) write down the problem, (ii) think very hard, and (iii) write down the answer.

• A. Waterfall
– Unidirectional, finish this step before moving to the next
• B. Iterative + Incremental
– Develop increment of functionality, repeat in a feedback loop
• C. Agile
– User feedback essential; feedback loops on several levels of granularity

Waterfall Method
[Figure: Requirements → Design → Implementation → Testing → Deployment & Maintenance]
Unidirectional, no way back: finish this step before moving to the next

Benefits and Drawbacks of the Waterfall Methodology
• 1. Requirements Specification
– Understanding the usage scenarios and deriving the static domain model
• 2. Design
– Assigning responsibilities to objects and specifying detailed dynamics of their interactions under different usage scenarios
• 3. Implementation
– Encoding the design in a programming language
• 4. Testing
– Individual classes/components (unit testing) and the entire system (integration testing)
• 5. Operation and Maintenance
– Running the system; fixing bugs and adding new features

• Benefits:
– Disciplined process
– Forces to have complete requirements prior to start
– Forces analysis and design first
• Drawbacks:
– No early feedback (prototyping)
– Slow to respond to change
– High cost for missed or unclear requirements
– It is optimized for hardware, thereby neglecting the essential characteristics of software.

B. Iterative + Incremental
• Prototyping
• Incremental development
• The spiral methodology
• RUP (Rational Unified Process)

Prototyping
• Is the development approach in which the central activity during software development is the creation of prototypes, i.e., incomplete versions of the software program being developed.
• Basic principles:
– Not a standalone, complete development methodology, but rather an approach to handle selected parts of a larger, more traditional development methodology (i.e. incremental, spiral, or rapid application development (RAD)).
– Attempts to reduce inherent project risk by breaking a project into smaller segments and providing more ease-of-change during the development process.
– User is involved throughout the development process, which increases the likelihood of user acceptance of the final implementation.
– Small-scale mock-ups of the system are developed following an iterative modification process until the prototype evolves to meet the users’ requirements.
– While most prototypes are developed with the expectation that they will be discarded, it is possible in some cases to evolve from prototype to working system.
– A basic understanding of the fundamental business problem is necessary to avoid solving the wrong problem.

Incremental development
• The Iterative and Incremental development approach was developed in response to the weaknesses of the waterfall methodology. It starts with an initial planning and ends with deployment, with the cyclic interactions in between.
• Incremental: Additional functionality is implemented in each increment/release
• Iterative: Repeat the cycle of design, build and test until the desired functionality is complete

The spiral methodology
• The spiral model is an IID (iterative and incremental development) model developed in 1988 by Barry Boehm.
• As originally envisioned, the iterations were typically 6 months to 2 years long.
• Combines prototyping and the waterfall model. The spiral model is intended for large, expensive, and complicated projects.
• The aim of this methodology was to shift the emphasis to risk evaluation and resolution.

The Spiral Methodology
[Figure: the spiral model diagram]

RUP (Rational Unified Process)
• The Rational Unified Process provides guidelines, templates and tools necessary for the entire team to take full advantage of, among others, the following best practices:
– Develop software iteratively and incrementally
– Manage requirements using use cases
– Use component based architectures
– Visually model software using UML
– Verify software quality
– Control changes to software

Other practices
• The horizontal axis represents time and shows the dynamic aspect of the process; it is expressed in terms of cycles, phases, iterations, and milestones.
• The vertical axis represents the static aspect of the process: how it is described in terms of activities, artefacts, workers and workflows.
• Object-oriented development methodologies, such as Grady Booch's object-oriented design (OOD), also known as object-oriented analysis and design (OOAD). The Booch model includes six diagrams: class, object, state transition, interaction, module, and process.[7]
• Top-down programming: evolved in the 1970s from the work of IBM researcher Harlan Mills (and Niklaus Wirth), who developed structured programming.
UML – Language of Symbols
UML = Unified Modeling Language
[Figure: UML notation. A class box “ClassName” with three compartments: classifier name; attributes (# attribute_1 : int, # attribute_2 : boolean, # attribute_3 : String); operations (+ operation_1() : void, + operation_2() : String, + operation_3(arg1 : int)). An «interface» BaseInterface with + operation(), implemented by Class1Implement and Class2Implement (inheritance relationship: BaseInterface is implemented by two classes). Also shown: Software Class, Software Interface Implementation, Actor, Comment, and an Interaction Diagram in which instance1 : Class1, instance5 : Class2 and instance8 : Class3 exchange the messages doSomething(), doSomethingElse() and doSomethingYetElse(). The stereotype «  » provides additional info / annotation / explanation.]
Three common compartments: 1. Classifier name, 2. Attributes, 3. Operations
Online information: http://www.uml.org

Understanding the Problem Domain
• System to be developed
• Actors
– Agents external to the system
• Concepts/Objects
– Agents working inside the system
• Use Cases
– Scenarios for using the system

ATM: Gallery of Players
[Figure: Gallery of Workers + Things. Actors (easy to identify because they are visible!): Bank customer, System (ATM machine, with its keypad 0–9), Bank’s remote datacenter. Concepts (hard to identify because they are invisible/imaginary!): Window clerk, Datacenter liaison, Bookkeeper, Safe keeper, Dispenser, Speakerphone, Telephone, Transaction record, Safe, Cash.]

Use Case: Withdraw Cash
How ATM Machine Works (2) / Domain Model (2)
[Figure: the withdraw-cash scenario as a cartoon strip with panels A–E and as a domain model, together with an alternative solution and a solution modification. Recoverable panel dialogue: A: “Enter your PIN” / “Typing in PIN number …”; B: “Verify account XYZ” / “XYZ valid. Balance: $100”; C: “How may I help you?” / “Withdraw $60”; D: “Please take your cash” / “Collecting cash …”; E: “XYZ withdrew $60” / “Acknowledged”. Players: Customer, Window clerk, Speakerphone, Bookkeeper, Transaction record, Dispenser, Draftsman.]

How ATM Machine Works (3)
Domain Model (3)
[Figure: alternative solution and solution modification for the ATM domain model, with the players Customer, Window clerk, Speakerphone, Bookkeeper, Transaction record, Courier, Dispenser and Remote bank; dialogue “How may I help you?”]
Which solution is the best or even feasible?

Actual Design
[Figure: a garage door opener: Remote control transmitter (1), Operator (includes motor and radio control mechanism) (2), Rail with a belt or chain (3), torsion spring (4), pulleys (5), horizontal tracks (6), trolley (7), curved door arm (8), Safety reversing sensor, Garage door]
Pressing of a button on the remote control transmitter (1) authenticates the device & activates the motor in the operator (2). The motor pulls the chain (or belt) along the rail (3) and winds the torsion spring (4). The torsion spring winds the cable on the pulleys (or drums) (5) on both sides of the door. The cables lift the door, pushing the different sections of the door into the horizontal tracks (6). At the same time, the trolley (or traveler) (7) moves along the rail (3) and controls how far the door opens (or closes), as well as the force the garage door exerts by way of the curved door arm (8).

C. Agile Approaches
• Key principles:
– Customer satisfaction by rapid, continuous delivery of useful software
– Working software is delivered frequently (weeks rather than months)
– Working software is the principal measure of progress.
– Even late changes in requirements are welcomed.
– Close, daily cooperation between business people and developers
– Face to face conversation is the best form of communication.
– Projects are built around motivated individuals, who should be trusted
– Continuous attention to technical excellence and good design.
– Self organizing teams
– Regular adaptation to changing circumstances

How do I know if Agile is appropriate for my project?
• Consider using agile development in the following situations:
– Environments experiencing rapid change
– Unclear/emerging requirements
– High Priority / Revenue-Producing Projects
– When time to market is critical: Agile was designed for on-time delivery, and if required releasing early increments of functionality
– Project Remediation/Rescue: by focusing on immediate delivery of functionality, constant delivery of working, bug-free software could quickly build the trust between the business and the delivery team.

1.3. Project Characteristic Analysis
• Size of the project team
• Rate of expected change
• Primary project goal
• Requirement Management
• Project Communication
• Customer Relationship
• Customer Organizational Culture

How to choose?
• A decision tree analysis is used to compare various methodologies
• The ranking of the seven characteristics would have to be done by the project manager and architect with the assistance of the project leaders
• The methodology used can also depend on the customer request

Exponential Cost of Estimation
[Figure: Estimation Error Over Time. Estimation error, estimation accuracy and estimation cost plotted against time from Start to Completion, with the phases Requirements, Design and Implementation marked; accuracy approaches 100% while cost grows exponentially.]
• Improving accuracy of estimation beyond a certain point requires huge cost and effort (known as the law of diminishing returns)
• In the beginning of the curve, a modest effort investment yields huge gains in accuracy
The cone of uncertainty starts high and narrows down to zero as the project approaches completion.

Case Study: Home Access Control
• Objective: Design an electronic system for:
– Home access control
• Locks and lighting operation
– Intrusion detection and warning

Case Study – More Details
[Figure: System with a Central Computer connected to a Lock, Photosensor, Switch, Light bulb and Alarm bell; a keypad with keys 1 2 3 4 5 X Y; Front doors: External & Internal lock; Backyard doors: External & Internal lock]

Know Your Problem
Mortise Lock Parts
[Figure: 1 Lock case, 2 Latch bolt, 3 Dead bolt, 4 Strike plate, 5 Strike box, 6 Protective plate, 7 Thumb-turn, 8 Lock cylinder, 9 Left hand lever]

Concept Map for Home Access Control
[Figure: concept map with the relations: tenant enters key; tenant wishes lock opened; key can be valid key or invalid key; valid key causes lock opened; invalid key may signal burglar; burglar launches dictionary attack; dictionary attack can be prevented by enforcing upper bound on failed attempts]

States and Transition Rules
[Figure: two states, locked and unlocked, with the transitions:]
IF validKey THEN unlock
IF validKey AND holdOpenInterval THEN unlock
IF pushLockButton THEN lock
IF timeAfterUnlock ≥ max{ autoLockInterval, holdOpenInterval } THEN lock
… what seemed a simple problem, now is becoming complex

1.2.2 Project Management
• Project management is the art of matching a project's goals, tasks, and resources to accomplish a goal. To accomplish a goal one needs limited time, money, and resources (human and machinery). One can think of a project as a process that involves inputs and outputs.

Project System
[Figure: the project as a system with inputs and outputs]

MANAGING A PROJECT
• Stage 1: Defining the goals of the project
– This part of the project should end with a document that lists the goals with a short statement providing some detail about the success rate and a vital few requirements that define the goal(s) to be accomplished
• Stage 2: Define project tasks/activities
– This is best done by listing the goals on the left side of a sheet of paper, then writing the tasks to their right. The group should agree that the specified tasks will accomplish the goals as required in the definitions for success the team laid out in the previous stage
• Stage 3: Determine and verify resource requirements
– People
– Time
– Money
– Space
– Computers
– Software, etc.
• Stage 4: Identify risks and develop mitigation (backup) plans
– A member of the group should be responsible for monitoring each identified risk throughout the project.
• Stage 5: Develop a schedule
– PERT charts and Gantt charts are examples of useful tools for scheduling activities
• Stage 6: Execute the schedule
– Each group member should document their activities
– Documentation is the responsibility of the team members and will often be a saving grace for them.
– At the meetings the team should review the schedule and the status (complete or not complete) of the project goals. Once the goals are accomplished, the project is complete.
• Stage 7: Finish the project and assess performance
– After the goals have been achieved, it is good practice to evaluate the performance of the project team. This is where a good deal of learning and experience is gained. It will help prevent similar problems in future projects.

Project Requirements
• Requirements Engineering Components
• Requirements and User Stories
• Types of Requirements
• Effort Estimation (Agile Methods)

Requirements Process
[Figure: requirements gathering → requirements analysis → requirements specification, with the approaches Structured Analysis & Design, Object-Oriented Analysis & Design, Aspect-Oriented Requirements, and Agile Development (User Stories)]

Requirements Engineering Components
• Requirements gathering
– (a.k.a. “requirements elicitation”) helps the customer to define what is required: what is to be accomplished, how the system will fit into the needs of the business, and how the system will be used on a day-to-day basis
• Requirements analysis
– refining and modifying the gathered requirements
• Requirements specification
– documenting the system requirements in a semiformal or formal manner to ensure clarity, consistency, and completeness

Example System Requirements
Identifier – Priority – Requirement
REQ1 – 5 – The system shall keep the door locked at all times, unless commanded otherwise by authorized user. When the lock is disarmed, a countdown shall be initiated at the end of which the lock shall be automatically armed (if still disarmed).
REQ2 – 2 – The system shall lock the door when commanded by pressing a dedicated button.
REQ3 – 5 – The system shall, given a valid key code, unlock the door and activate other devices.
REQ4 – 4 – The system should allow mistakes while entering the key code. However, to resist “dictionary attacks,” the number of allowed failed attempts shall be small, say three, after which the system will block and the alarm bell shall be sounded.
REQ5 – 2 – The system shall maintain a history log of all attempted accesses for later review.
REQ6 – 2 – The system should allow adding new authorized persons at runtime or removing existing ones.
REQ7 – 2 – The system shall allow configuring the preferences for device activation when the user provides a valid key code, as well as when a burglary attempt is detected.
REQ8 – 1 – The system should allow searching the history log by specifying one or more of these parameters: the time frame, the actor role, the door location, or the event type (unlock, lock, power failure, etc.). This function shall be available over the Web by pointing a browser to a specified URL.
REQ9 – 1 – The system should allow filing inquiries about “suspicious” accesses. This function shall be available over the Web.

User Stories
As a tenant, I can unlock the doors to enter my apartment.
(user-role (benefactor) – capability – business-value)
• Similar to system requirements, but focus on the user benefits, instead of on system features.
• Preferred tool in agile methods.
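The lock's transition rules (IF validKey THEN unlock, IF pushLockButton THEN lock, IF timeAfterUnlock ≥ max{autoLockInterval, holdOpenInterval} THEN lock) and requirements REQ1 to REQ6 and REQ8 fit together in one small controller. The Python below is an added example written for these notes, not code from the lecture or from the textbook; the class and method names, the third state "blocked", the constant-time key comparison and the key codes used in the comments are my assumptions. It shows what the concept map says in words: the dictionary attack is prevented by the upper bound on failed attempts, and every attempt, valid or not, ends up in the history log.

```python
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

LOCKED, UNLOCKED, BLOCKED = "locked", "unlocked", "blocked"


@dataclass
class AccessEvent:
    """One entry of the history log (REQ5)."""
    time: float            # seconds since system start (constructed clock, not wall time)
    actor: Optional[str]   # authorized person, or None when the key code matched nobody
    door: str
    kind: str              # "unlock", "lock", "invalid-key" or "blocked"


class HomeAccessController:
    """Lock controller for one door, following the transition rules of the lecture."""

    def __init__(self, auto_lock_interval: float, hold_open_interval: float,
                 max_failed_attempts: int = 3, door: str = "front") -> None:
        self.auto_lock_interval = auto_lock_interval
        self.hold_open_interval = hold_open_interval
        self.max_failed_attempts = max_failed_attempts   # REQ4: "small, say three"
        self.door = door
        self.state = LOCKED                              # REQ1: locked unless commanded otherwise
        self.failed_attempts = 0
        self.unlocked_at: Optional[float] = None
        self.alarm_sounded = False
        # person -> key code; kept in plain text only for this demo, a deployed
        # system would store a salted hash instead (assumption, not from the notes)
        self.authorized: Dict[str, str] = {}
        self.history: List[AccessEvent] = []

    # REQ6: manage authorized persons at runtime
    def add_person(self, name: str, key_code: str) -> None:
        self.authorized[name] = key_code

    def remove_person(self, name: str) -> None:
        self.authorized.pop(name, None)

    def _log(self, now: float, actor: Optional[str], kind: str) -> None:
        self.history.append(AccessEvent(now, actor, self.door, kind))

    def _lookup(self, key_code: str) -> Optional[str]:
        # Compare against every stored code with a constant-time comparison and
        # without early exit, so response timing does not reveal which code was close.
        match = None
        for name, stored in self.authorized.items():
            if hmac.compare_digest(stored.encode(), key_code.encode()):
                match = name
        return match

    def enter_key(self, key_code: str, now: float) -> str:
        """A key code entered at the keypad; returns the resulting state."""
        if self.state == BLOCKED:               # REQ4: stays blocked after too many failures
            self._log(now, None, "blocked")
            return self.state
        actor = self._lookup(key_code)
        if actor is None:
            self.failed_attempts += 1
            self._log(now, None, "invalid-key")
            if self.failed_attempts >= self.max_failed_attempts:
                self.state = BLOCKED            # upper bound on failed attempts reached
                self.alarm_sounded = True       # REQ4: the alarm bell shall be sounded
                self._log(now, None, "blocked")
            return self.state
        # IF validKey THEN unlock (REQ3); a valid key resets the failure counter
        self.failed_attempts = 0
        self.state = UNLOCKED
        self.unlocked_at = now
        self._log(now, actor, "unlock")
        return self.state

    def push_lock_button(self, now: float) -> str:
        """IF pushLockButton THEN lock (REQ2)."""
        if self.state == UNLOCKED:
            self.state = LOCKED
            self.unlocked_at = None
            self._log(now, None, "lock")
        return self.state

    def tick(self, now: float) -> str:
        """Timer check: IF timeAfterUnlock >= max{autoLockInterval, holdOpenInterval} THEN lock (REQ1)."""
        if self.state == UNLOCKED and self.unlocked_at is not None:
            if now - self.unlocked_at >= max(self.auto_lock_interval, self.hold_open_interval):
                self.state = LOCKED
                self.unlocked_at = None
                self._log(now, None, "lock")
        return self.state

    def search_history(self, kind: Optional[str] = None, actor: Optional[str] = None,
                       since: Optional[float] = None, until: Optional[float] = None) -> List[AccessEvent]:
        """REQ8: filter the log by event type, actor and time frame."""
        return [e for e in self.history
                if (kind is None or e.kind == kind)
                and (actor is None or e.actor == actor)
                and (since is None or e.time >= since)
                and (until is None or e.time <= until)]
```

With auto_lock_interval=30 and hold_open_interval=60 an unlocked door is re-locked by tick() once 60 seconds have passed, a wrong code three times in a row moves the controller to "blocked" and sets alarm_sounded, and search_history(kind="invalid-key") returns every failed attempt, which is exactly the record REQ5 asks for when a burglary attempt is reviewed later.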

Example User Stories
Identifier – User Story – Size
ST-1 – As an authorized person (tenant or landlord), I can keep the doors locked at all times. – 4 points
ST-2 – As an authorized person (tenant or landlord), I can lock the doors on demand. – 3 pts
ST-3 – The lock should be automatically locked after a defined period of time. – 6 pts
ST-4 – As an authorized person (tenant or landlord), I can unlock the doors. (Test: Allow a small number of mistakes, say three.) – 9 points
ST-5 – As a landlord, I can at runtime manage authorized persons. – 10 pts
ST-6 – As an authorized person (tenant or landlord), I can view past accesses. – 6 pts
ST-7 – As a tenant, I can configure the preferences for activation of various devices. – 6 pts
ST-8 – As a tenant, I can file complaint about “suspicious” accesses. – 6 pts

Types of Requirements
• Functional Requirements
• Non-functional requirements
– FURPS+ – Functionality (security), Usability, Reliability, Performance, Supportability
• Requirements prioritization

Tools for Requirements Eng.
• Tools, such as user stories and use cases, used for
– Determining what exactly the user needs (“requirements analysis”)
– Writing a description of what system will do (“requirements specification”)
• Difficult to use the same tool for different tasks

Project Estimation using User Story Points
• Similar to “hedge pruning points” in the first lecture
• Points assigned to individual user stories
• Total work size estimate:
– Total size = Σ points-for-story_i  (i = 1..N)
• Velocity (= productivity) estimated from experience
• Estimate the work duration:
– Project duration = Path size / Travel velocity

Agile Project Effort Estimation
[Figure: Work backlog, a list prioritized by the customer, with the estimated work duration of each item: 1) ST-4: Unlock, 15 days (9 pts); 2) ST-2: Lock, 5 days (3 pts); 3) ST-5: Manage Users, 16 days (10 pts); 4) ST-7: Preferences, 10 days (6 pts); 5) ST-6: View History, 10 days (6 pts); 6) ST-… Items are pulled by the team into an iteration (1st iteration: 5 days; 2nd iteration; …; n-th iteration) and plotted as work items against time, giving an estimated completion date; “Work items 21 days” is marked on the chart.]

How To Combine the Part Sizes?
[Figure: three road layouts (a), (b) and (c) connecting City A, City B and City C; the additional costs of (b), a highway traffic-circle interchange, and (c), traffic signs, are marked]
Costs are not always additive. But, solution (c) is not necessarily “cheaper” than (b) …

Agile Estimation of Project Effort
[Figure: hedge-pruning example. Section sizes: 1 = 4 pts (2 days), 2 = 7 pts (3.5 days), 3 = 10 pts (5 days), 4 = 3 pts (1.5 days), 5 = 4 pts (2 days), 6 = 2 pts (1 day), 7 = 4 pts (2 days), 8 = 7 pts (3.5 days); velocity 2 points per day. Prioritized work backlog: 1) Prune Section 6, 1 day (2 pts); 2) Prune Section 5, 2 days (4 pts); 3) Prune Section 7, 2 days (4 pts); 4) Prune Section 4, 1.5 days (3 pts); 5) Prune Section 8, 3.5 days (7 pts)]
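As an added example, not from the lecture notes, the following Python carries the story-point arithmetic of the estimation slides (Total size = Σ points-for-story_i, Project duration = Path size / Travel velocity) through to the iteration plan that the backlog figures only draw. It takes the pruning backlog and the velocity of 2 points per day given above; the greedy pull rule, the iteration lengths of 3 and 5 days, and the treatment of an item larger than a whole iteration are my assumptions, as are the function names.

```python
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class WorkItem:
    name: str     # user story or backlog item
    points: int   # size estimate in story points


# Prioritized work backlog taken from the hedge-pruning example (customer's order)
PRUNING_BACKLOG = [
    WorkItem("Prune Section 6", 2),
    WorkItem("Prune Section 5", 4),
    WorkItem("Prune Section 7", 4),
    WorkItem("Prune Section 4", 3),
    WorkItem("Prune Section 8", 7),
]


def total_size(backlog: List[WorkItem]) -> int:
    """Total size = sum of points-for-story_i over i = 1..N."""
    return sum(item.points for item in backlog)


def duration_days(points: float, velocity: float) -> float:
    """Project duration = path size / travel velocity (velocity in points per day)."""
    if velocity <= 0:
        raise ValueError("velocity must be positive")
    return points / velocity


def plan_iterations(backlog: List[WorkItem], velocity: float,
                    iteration_days: float) -> List[List[str]]:
    """Pull backlog items, in priority order, into fixed-length iterations.

    Each iteration holds at most velocity * iteration_days points.  An item
    larger than a whole iteration is still pulled into an empty iteration (it
    spills over) rather than skipped, so every item gets scheduled.
    """
    capacity = velocity * iteration_days
    iterations: List[List[str]] = []
    current: List[str] = []
    used = 0.0
    for item in backlog:
        if current and used + item.points > capacity:
            iterations.append(current)      # close the full iteration
            current, used = [], 0.0
        current.append(item.name)
        used += item.points
    if current:
        iterations.append(current)
    return iterations


def completion_day(plan: List[List[str]], iteration_days: float) -> float:
    """Estimated completion date, in days from the start, for an iteration plan."""
    return len(plan) * iteration_days


if __name__ == "__main__":
    velocity = 2.0   # points per day, as in the pruning example
    for item in PRUNING_BACKLOG:
        print(f"{item.name}: {item.points} pts = {duration_days(item.points, velocity)} days")
    size = total_size(PRUNING_BACKLOG)
    print("total size:", size, "pts; size/velocity:", duration_days(size, velocity), "days")
    for days in (3, 5):
        plan = plan_iterations(PRUNING_BACKLOG, velocity, days)
        print(f"{days}-day iterations: {plan} -> completion on day {completion_day(plan, days)}")
```

Running the block shows the gap between the two estimates: size/velocity gives 20 pts / 2 pts per day = 10 days, but with 3-day iterations the items do not pack evenly (Prune Section 8 alone is larger than one iteration) and the plan needs four iterations, 12 days; with 5-day iterations the two estimates agree at 10 days.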

Chapter 2: E-HRM Introduction
• 2.1. General Introduction
• 2.1.1. Introduction and notations
• Definition: E-HRM is a way of implementing HR strategies, policies, and practices in organization through a conscious and direct support of and/or with full use of web-technology based channels.
• e-HRM is the (planning, implementation and) application of information technology for both networking and supporting at least two individual or collective actors in their shared performing of HR activities. This concept


HRM Functions
• First, technology is necessary to connect usually spatially segregated actors and enable interactions between them irrespective of their working in the same room or on different continents, i.e. technology serves as a medium with the aim of connection and integration.
• Second, technology supports actors by partially – and sometimes even completely – substituting for them in executing HR activities.
• E-HRM is not the same as HRIS (Human resource information system), which refers to ICT systems used within HR departments.
• E-HRM is in essence the devolution of HR functions to management and employees. They access these functions typically via intranet or other web-technology channels.

• OBJECTIVES:
– To offer an adequate, comprehensive and on-going information system about people and jobs at a reasonable cost;
– To provide support for future planning and also for policy formulations;
– To facilitate monitoring of human resources demand and supply imbalance;
– To automate employee related information;
– To enable faster response to employee related services and faster HR related decisions; and
– To offer data security and personal privacy.

Model of an Organizational System Centered on HRIS


BENEFITS OF E-HRM:
• Standardization
• Ease of recruitment, selection and assessment
• Ease of administering employee records
• Reductions to cost, time and labour
• Access to ESS training enrollment and self-development
• Cost and ESS
• Location and timeliness

• E-HRM goals: The main goals of e-HRM are as follows:
– Improving the strategic orientation of HRM
– Cost reduction/efficiency gains
– Client service improvements/facilitating management and employees.

• TYPES OF E-HRM
– Operational HRM: e-HRM is concerned with administrative functions like payroll, employee personal data, etc.
– Relational HRM: e-HRM is concerned with supporting business processes by means of training, recruitment, performance management, and so forth.
– Transformational HRM: e-HRM is concerned with strategic HR activities such as knowledge management, strategic re-orientation, etc.

• 2.1.2. E-HRM functions
• E-Employee Profile: The E-Employee Profile web application provides a central point of access to the employee contact information and provides a comprehensive employee database solution, simplifying HR management and team building by providing employee skills, an organization chart and even pictures. E-Employee profile maintenance lies with the individual employee, the manager and the database manager.

• E-Employee profile consists of the following: Certification, Honor/Award, Membership, Education, Past Work Experience, Assignment Skills, Competency, Employee Assignment Rules, Employee Availability, Employee Exception Hours, Employee Utilization, Employee tools, Job information, Sensitive job Information, Service Details, Calendar, Calendar Administration, Employee Locator.

• E-Recruitment: Organizations first started using computers as a recruiting tool by advertising jobs on a bulletin board service from which prospective applicants would contact employers. Then some companies began to take e-applications. Today the internet has become a primary means for employers to search for job candidates and for applicants to look for jobs. As many as 100,000 recruiting web sites are available to employers and job candidates on which to post jobs and review resumes of various types. But the explosive growth of internet recruiting also means that HR professionals can be overwhelmed by the breadth and scope of internet recruiting.

• E-Recruiting Methods: Job boards, Professional/Career websites, Employer Websites.

• E-Selection: While most employers seem to be embracing Internet recruitment with enthusiasm, the penetration of online assessment tools such as personality assessments or ability tests has so far been limited. A survey has shown that although more than half of the responding organizations already use either psychometric or other assessment during the recruitment process, only a few of these companies use on-line assessments prior to interview. Fewer still include a core fit questionnaire in the recruitment pages of their websites.

• E-Learning: E-Learning refers to any programme of learning, training or education where electronic devices, applications and processes are used for knowledge creation, management and transfer. E-Learning is a term covering a wide set of applications and processes, such as web-based learning, computer-based learning, virtual classroom, and digital collaboration. It includes the delivery of content via Internet, intranet/extranet (LAN/WAN), audio- and videotape, satellite broadcast, interactive TV, CD-ROM, and more.
Training program

• Classical and Virtual Learning: The classical learning model is characterised by a non-reversible flow of information. At the beginning is the pedagogue, who governs the course. For students, the pedagogue offers information, knowledge, and educational materials, mostly in the form of lecture notes for lessons. For the most part the feedback is weak, inconsistent, or even missing. A virtual education environment, through its communication links, collects the feedback of participants, simplifies teaching and simplifies teamwork of students with the pedagogue. The virtual learning system enables horizontal and vertical communication. A participant can often get much more of the required information than in the classical model of education, as here the other participants also share, which does not really happen in the classical model.

• Characteristics of E-Learning:
– E-Learning outcomes extend beyond learning to strategic outcomes.
– E-Learning is much more than e-training for skill outcomes.
– E-Learning involves information and communication technology.
– E-Learning is about people learning in a given context.

• E-Training: Most companies start to think of online learning primarily as a more efficient way to distribute training inside the organization, making it available “any time”, “anywhere”, reducing direct costs (instructors, printed materials, training facilities) and indirect costs (travel time, lodging and travel expenses, workforce downtimes). Attracted by these significant and measurable advantages, companies start to look for ways to make the most of their existing core training available online, and to manage and measure the utilization of the new capabilities.

• Characteristics of E-Training:
– Rich learning interface.
– Personalized training programs.
– Training from work place/home.
– Virtual classroom.

• E-Performance Management system: A web-based appraisal system can be defined as the system which uses the web (intranet and internet) to effectively evaluate the skills, knowledge and the performance of the employees.

2.1.3. Implementation of EHRM:
• E-Compensation: All companies whether small or large must engage in compensation planning. Compensation planning is the process of ensuring that managers allocate salary increases equitably across the organization while staying within budget guidelines. As organizations have started expanding their boundaries, usage of intranet and internet has become vital. The usage of intranet and internet for compensation planning is called ECompensation Management.

• There are five main phases in the implementation of the E-HRM business solution.
• Analysis (Infrastructure)
– Analyzing the existing infrastructure with regard to quantity of data and classification of business activities.


• Business processes in the company
– After the existing processes have been analyzed, the options for automating these processes in the client’s environment are proposed. Finally a project plan is developed based on the model of the processes identified.

• Implementation
– After the fundamental analysis of the processes in the work team, individual modules are deployed in the client’s environment. With modular design a gradual implementation is possible. Company-specific functionalities are discussed with the client and built upon request.

• Implementation and Training
– A complete knowledge of the components of the solution is a key factor for successful implementation. The entire team of project managers, information technology professionals and human resources specialists is thus involved in user training and implementation.


• Maintenance
– Fast technological development and development of new modules make cooperation after the implementation indispensable. A maintenance contract typically includes:
– Technical support experts available by phone, through e-mail or on-site
– Adaptation of existing modules or development of new ones
– Application software adjustment to changes in the system environment or operating system
– Functionality improvement and software upgrades in the form of new versions
– Consultation about further development of the system.

Advantages of E-HRM
• Collection and storage of information regarding the workforce, which will act as the basis for strategic decision-making
• Integral support for the management of human resources and all other basic and support processes within the company
• Prompt insight into reporting and analysis
• A more dynamic workflow in the business process, productivity and employee satisfaction

• A decisive step towards a paperless office
• Makes work get done faster

Disadvantages of E-HRM
• Employees’ and line managers’ mindsets need to be changed: they have to realize and accept the usefulness of web-based HR tools.
• They generally feel that they lack the time and space needed to work quietly and thoughtfully with web-based HR tools and so, if there is no need, they will not do it.

• Guaranteeing the security and confidentiality of input data is an important issue for employees, so that they feel ‘safe’ when using web-based HR tools.


Software useful for e-HRM
• ERP (Enterprise Resource Planning)
• Bio-red
• SAP (System Approach & Product)
• HR payroll system

2.2. E-HRM Tools
2.2.1. Payroll
• The payroll module automates the pay process by gathering data on employee time and attendance, calculating various deductions and taxes, and generating periodic pay cheques and employee tax reports. Data is generally fed from the human resources and time-keeping modules to calculate automatic deposit and manual cheque-writing capabilities. This module can encompass all employee-related transactions as well as integrate with existing financial management systems.


Benefits
• Payroll system to effectively manage the bank payment system.
• The bank has the Allowance Management System to manage allowances properly.
• Fully automated interactive payroll system for overtime, claims and other benefits.
• State-of-the-art Payroll/remunerations system.

Benefits
• An automated Loan Application System for staff to apply for loans online.
• Web-based employee record keeping.
• Employee record keeping system (having all personal files in a digital form).
• Computer-based employee record keeping system.
• Managing employees’ data by using an automated record keeping HR system.

HR/Payroll System
• Integrated with other modules, the monthly or daily payroll process is as easy as a single click of a button. The whole salaries and wages calculation is computed automatically. The following are some of the highlights, supplied by you, that will be included to complete the modules.

Features of HR/Payroll system
• Employee Information
• Attendance Record
• Leave Record
• Emolument & PF Details
• Generate Pay Slips
• Annual Returns (TDS Forms)
• Form 16
• Employee Training Identifier
• Training & Induction Programs


Example of Payroll

Salary Processing will create pay slips for the currently open salary period. Only one salary period can be open at


Payroll Functions
• Integrated Payroll Software
• One-click Salary Processing
• User-defined Salary Heads
• User-defined Salary Structure
• User-defined Formulae
• Import of Salary Details
• Bonus (India)
• PF (India)
• ESI (India)
• Gratuity (India)
• Professional Tax (India)
• TDS, Income Tax (India)
• Customizable Pay Slips
• Payslips with YTD Calculation
• History for each payslip
• Statutory Reports – PF, ESI and more (India)
• Printable Challan Reports (India)
• Salary data export to Excel
• Bulk email of pay slips to all employees in one click
• Modification History for payroll data (Who changed what and when?)

2.1.2. Time & Attendance
• The Time & Attendance Module automates time-tracking related processes and enhances the organization’s performance by eliminating paperwork and manual processes associated with time and attendance needs. The sophisticated module helps to efficiently organize labor data, improve workforce management and minimize errors in the enforcement of the company’s attendance policies.

Functions
• Complete Attendance Software
• Graphical Attendance Views (Day, Work Week, Week, Month, Year views)
• Automated Overtime Calculation
• Automated Late-In/Early-Out Calculation
• Grace Periods for Work Start/End Times
• Attendance Data Re-processing
• User-defined Attendance Types
• Real-time and Editable Attendance
• Overtime Management
• User-defined Leave Types
• Entitlements
• Late-In, Early-Out Reports
• Overtime Reports
• Sickness Reports
• Actual & Planned Work Time Reports
• Daily/Monthly/Yearly Attendance Reports
• Settings for Customization
• Modification History for attendance data (Who changed what and when?)

http://lenvica.in/hr-software/


Overtime paid


http://ehr.com.vn/Upload/file/chamcong.png

2.1.3. Recruiting
• Online recruiting has become one of the primary methods employed by HR departments to garner potential candidates for available positions within an organization. Talent Management systems typically encompass:
– analyzing personnel usage within an organization
– identifying potential applicants
– recruiting through company-facing listings
– recruiting through online recruiting sites or publications that market to both recruiters and applicants.
• The significant cost incurred in maintaining an organized recruitment effort, cross-posting within and across general or industry-specific job boards and maintaining a competitive exposure of availabilities has given rise to the development of a dedicated Applicant Tracking System, or 'ATS', module.


Benefits Administration
• The benefits administration module provides a system for organizations to administer and track employee participation in benefits programs. These typically encompass insurance, compensation, profit sharing and retirement.


Training
• The training module provides a system for organizations to administer and track employee training and development efforts. The system, normally called a Learning Management System if a stand-alone product, allows HR to track education, qualifications and skills of the employees, as well as outlining what training courses, books, CDs, web-based learning or materials are available to develop which skills. Courses can then be offered in date-specific sessions, with delegates and training resources being mapped and managed within the same system. Sophisticated LMSs allow managers to approve training, budgets and calendars alongside performance management and appraisal metrics.

Chapter 3: Risks on Web Transaction
• 3.1. Web Risks Introduction
• 3.1.1. General Introduction

PWC Global Survey – Nov, 2009
“Economic crime in a downturn”

• Sharp rise in accounting fraud over the past 12 months
• Accounting fraud had grown to 38 percent of the economic crimes in 2009
• Employees face increased pressures to:
– meet performance targets
– keep their jobs
– keep access to funding


Managing the business risk of fraud

EZ-R Stats, LLC


What is a Fraud?
• Fraud is any intentional act or omission designed to deceive others, resulting in the victim suffering a loss and/or the perpetrator achieving a gain.
• All organizations are subject to fraud risks.
• Large frauds have led to the downfall of entire organizations, massive investment losses, significant legal costs, incarceration of key individuals, and erosion of confidence in capital markets.
• Publicized fraudulent behavior by key executives has negatively impacted the reputations, brands, and images of many organizations around the globe.

Key Principles to prevent fraud risks
• Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.
• Principle 2: Fraud risk exposure should be assessed periodically by the organization to identify specific potential schemes and events that the organization needs to mitigate.


Key Principles to prevent fraud risks
• Principle 3: Prevention techniques to avoid potential key fraud risk events should be established, where feasible, to mitigate possible impacts on the organization.
• Principle 4: Detection techniques should be established to uncover fraud events when preventive measures fail or unmitigated risks are realized.

Key Principles to prevent fraud risks
• Principle 5: A reporting process should be in place to solicit input on potential fraud, and a coordinated approach to investigation and corrective action should be used to help ensure potential fraud is addressed appropriately and in a timely manner.


Fraud Risk Assessment: 3 Levels
• Enterprise-wide risk assessment (Today’s discussion)
– Types of fraud
– Risk ownership
– Likelihood, given the control environment
– Impact

Fraud Triangle

• Business Process risk assessment (individual audits)
• Fraud Penetration risk assessment (transaction level)

Types of Fraud Schemes
• Asset misappropriation (most common)
– Embezzlement of funds
– Theft of an asset
– Misuse of assets
– No Business Purpose
– Payroll fraud
– Overbilling by vendors/suppliers

Types of Fraud Schemes
• Financial Misstatement (most costly)
– Fictitious transactions
– Improper recognition
– Improper measurement (estimates, calculations, assumptions)
– Improper disclosure or omission
– Misapplication of GAAP


Types of Fraud Schemes
• Commercial Bribery, extortion or corruption
– Kickbacks
– Gifts, gratuities
– Diverting Business
– Bid rigging
– Conflicts of Interest

What is risk?
• Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization.


Risk management
• Risk management is the process that allows IT managers to balance the operational and economic costs of protective measures and achieve gains in mission capability by protecting the IT systems and data that support their organizations’ missions.
• It encompasses three processes: risk assessment, risk mitigation, and evaluation and assessment.

The risk assessment methodology (9 steps)
• Step 1: System Characterization
• Step 2: Threat Identification
• Step 3: Vulnerability Identification
• Step 4: Control Analysis
• Step 5: Likelihood Determination
• Step 6: Impact Analysis
• Step 7: Risk Determination
• Step 8: Control Recommendations
• Step 9: Results Documentation

Level of risk to the IT system
• To measure risk, a risk scale and a risk-level matrix must be developed.
• The final determination of mission risk is derived by multiplying the ratings assigned for threat likelihood (e.g., probability) and threat impact.
• The matrix below is a 3 x 3 matrix of threat likelihood (High, Medium, and Low) and threat impact (High, Medium, and Low). Depending on the site’s requirements and the granularity of risk assessment desired, some sites may use a 4 x 4 or a 5 x 5 matrix. The latter can include a Very Low/Very High threat likelihood and a Very Low/Very High threat impact to generate a Very Low/Very High risk level. A “Very High” risk level may require possible system shutdown or stopping of all IT system integration and testing efforts.


Example
• The probability assigned for each threat likelihood level is 1.0 for High, 0.5 for Medium, and 0.1 for Low.
• The value assigned for each impact level is 100 for High, 50 for Medium, and 10 for Low.
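A worked version of this scoring, added here as an example and not taken from the slides or from NIST SP 800-30: it builds the 3 x 3 matrix from the likelihood and impact values above, rates a few vulnerability/threat observations of the kind a risk assessment report lists, and totals them by level. The Low/Medium/High thresholds (1 to 10, over 10 to 50, over 50 to 100) are an assumption, since the slides’ scale is not reproduced in the text; a 4 x 4 or 5 x 5 site-specific scale is passed in the same way.

```python
"""Risk-level matrix and observation rating, using the slides' example values.

Added example, not from the original slides. Likelihood probabilities and
impact values are those on the page; the score-to-level thresholds are an
assumption (the NIST SP 800-30 ones), since the slides' scale did not
survive extraction.
"""

LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}   # from the page
IMPACT = {"High": 100, "Medium": 50, "Low": 10}         # from the page
# Assumed scale: (exclusive lower bound, level), checked from the top down,
# i.e. High > 50, Medium > 10, Low otherwise (1 to 10).
RISK_SCALE = [(50, "High"), (10, "Medium"), (0, "Low")]


def risk_score(likelihood, impact, likelihoods=LIKELIHOOD, impacts=IMPACT):
    """Mission risk = likelihood rating x impact rating."""
    # Rounded so that 0.1 * 100 compares equal to 10 exactly.
    return round(likelihoods[likelihood] * impacts[impact], 6)


def risk_level(score, scale=RISK_SCALE):
    """Map a numeric score onto the risk-level scale."""
    for lower_bound, level in scale:
        if score > lower_bound:
            return level
    raise ValueError(f"score {score} is below the scale")


def risk_matrix(likelihoods=LIKELIHOOD, impacts=IMPACT, scale=RISK_SCALE):
    """Rows are threat likelihood, columns threat impact, cells (score, level).

    A 4 x 4 or 5 x 5 site-specific matrix is built the same way by passing
    larger dictionaries and a scale with more bands.
    """
    matrix = {}
    for lk in likelihoods:
        row = {}
        for im in impacts:
            score = risk_score(lk, im, likelihoods, impacts)
            row[im] = (score, risk_level(score, scale))
        matrix[lk] = row
    return matrix


def rate_observations(observations, scale=RISK_SCALE):
    """Attach score and level to each vulnerability/threat observation,
    highest risk first (section V of a risk assessment report)."""
    rated = []
    for obs in observations:
        score = risk_score(obs["likelihood"], obs["impact"])
        rated.append({**obs, "score": score, "level": risk_level(score, scale)})
    return sorted(rated, key=lambda o: o["score"], reverse=True)


def summarize(rated):
    """Count observations per risk level (section VI of the report)."""
    counts = {}
    for obs in rated:
        counts[obs["level"]] = counts.get(obs["level"], 0) + 1
    return counts


# Constructed observations; the first is the wording the report outline uses,
# the other two are made up for this example.
OBSERVATIONS = [
    {"id": 1, "description": "User system passwords can be guessed or cracked",
     "likelihood": "High", "impact": "High"},
    {"id": 2, "description": "Constructed: backup media are not encrypted",
     "likelihood": "Low", "impact": "High"},
    {"id": 3, "description": "Constructed: server room door is unmonitored",
     "likelihood": "Medium", "impact": "Medium"},
]


def print_matrix(matrix):
    """Render the matrix as a text table: rows = likelihood, columns = impact."""
    impacts = list(next(iter(matrix.values())))
    print("likelihood \\ impact".ljust(20) + "".join(i.rjust(14) for i in impacts))
    for lk, row in matrix.items():
        cells = "".join(f"{s:g} ({lvl})".rjust(14) for s, lvl in row.values())
        print(lk.ljust(20) + cells)


if __name__ == "__main__":
    print_matrix(risk_matrix())
    for obs in rate_observations(OBSERVATIONS):
        print(f"Observation {obs['id']}: {obs['level']} ({obs['score']:g}) - {obs['description']}")
    print(summarize(rate_observations(OBSERVATIONS)))
```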


Description of Risk Level (Scale)

RISK MITIGATION STRATEGY


Guide
• When a vulnerability (or flaw, weakness) exists ➞ implement assurance techniques to reduce the likelihood of a vulnerability’s being exercised.
• When a vulnerability can be exercised ➞ apply layered protections, architectural designs, and administrative controls to minimize the risk of or prevent this occurrence.

• When the attacker’s cost is less than the potential gain ➞ apply protections to decrease an attacker’s motivation by increasing the attacker’s cost (e.g., use of system controls such as limiting what a system user can access and do can significantly reduce an attacker’s gain).
• When loss is too great ➞ apply design principles, architectural designs, and technical and nontechnical protections to limit the extent of the attack, thereby reducing the potential for loss.

CONTROL IMPLEMENTATION
• Step 1: Prioritize Actions
• Step 2: Evaluate Recommended Control Options
• Step 3: Conduct Cost-Benefit Analysis
• Step 4: Select Control
• Step 5: Assign Responsibility
• Step 6: Develop a Safeguard Implementation Plan
• Step 7: Implement Selected Control(s)


EVALUATION AND ASSESSMENT
• Good practice calls for ongoing risk evaluation and assessment, and for attention to the factors that lead to a successful risk management program.
• The risk assessment process is usually repeated at least every 3 years for federal agencies; however, risk management should be conducted and integrated into the SDLC for IT systems.


Be integrated into the SDLC
• An IT system’s SDLC has five phases: initiation, development or acquisition, implementation, operation or maintenance, and disposal


KEY ROLES (Personnel responsibilities)
• Senior Management. Senior management, under the standard of due care and ultimate responsibility for mission accomplishment, must ensure that the necessary resources are effectively applied to develop the capabilities needed to accomplish the mission. They must also assess and incorporate results of the risk assessment activity into the decision-making process. An effective risk management program that assesses and mitigates IT-related mission risks requires the support and involvement of senior management.
• Chief Information Officer (CIO). The CIO is responsible for the agency’s IT planning, budgeting, and performance, including its information security components. Decisions made in these areas should be based on an effective risk management program.


• System and Information Owners. The system and information owners are responsible for ensuring that proper controls are in place to address integrity, confidentiality, and availability of the IT systems and data they own. Typically the system and information owners are responsible for changes to their IT systems. Thus, they usually have to approve and sign off on changes to their IT systems (e.g., system enhancement, major changes to the software and hardware). The system and information owners must therefore understand their role in the risk management process and fully support this process.

• Business and Functional Managers. The managers responsible for business operations and the IT procurement process must take an active role in the risk management process. These managers are the individuals with the authority and responsibility for making the trade-off decisions essential to mission accomplishment.
• Their involvement in the risk management process enables the achievement of proper security for the IT systems, which, if managed properly, will provide mission effectiveness with a minimal expenditure of resources.


• IT Security Practitioners. IT security practitioners (e.g., network, system, application, and database administrators; computer specialists; security analysts; security consultants) are responsible for proper implementation of security requirements in their IT systems. As changes occur in the existing IT system environment (e.g., expansion in network connectivity, changes to the existing infrastructure and organizational policies, introduction of new technologies), the IT security practitioners must support or use the risk management process to identify and assess new potential risks and implement new security controls as needed to safeguard their IT systems.

• Security Awareness Trainers (Security/Subject Matter Professionals). The organization’s personnel are the users of the IT systems. Use of the IT systems and data according to an organization’s policies, guidelines, and rules of behavior is critical to mitigating risk and protecting the organization’s IT resources. To minimize risk to the IT systems, it is essential that system and application users be provided with security awareness training. Therefore, the IT security trainers or security/subject matter professionals must understand the risk management process so that they can develop appropriate training materials and incorporate risk assessment into training programs to educate the end users.


SAMPLE RISK ASSESSMENT REPORT OUTLINE
• EXECUTIVE SUMMARY
• I. Introduction
– Purpose
– Scope of this risk assessment: Describe the system components, elements, users, field site locations (if any), and any other details about the system to be considered in the assessment.

• II. Risk Assessment Approach
– Briefly describe the approach used to conduct the risk assessment, such as:
– The participants (e.g., risk assessment team members)
– The technique used to gather information (e.g., the use of tools, questionnaires)
– The development and description of the risk scale (e.g., a 3 x 3, 4 x 4, or 5 x 5 risk-level matrix).


• III. System Characterization
– Characterize the system, including hardware (server, router, switch), software (e.g., application, operating system, protocol), system interfaces (e.g., communication link), data, and users.
– Provide a connectivity diagram or system input and output flowchart to delineate the scope of this risk assessment effort.

• IV. Threat Statement
– Compile and list the potential threat-sources and associated threat actions applicable to the system assessed.


• V. Risk Assessment Results
– List the observations (vulnerability/threat pairs). Each observation must include:
– Observation number and brief description of observation (e.g., Observation 1: User system passwords can be guessed or cracked)
– A discussion of the threat-source and vulnerability pair
– Identification of existing mitigating security controls
– Likelihood discussion and evaluation (e.g., High, Medium, or Low likelihood)
– Impact analysis discussion and evaluation (e.g., High, Medium, or Low impact)
– Risk rating based on the risk-level matrix (e.g., High, Medium, or Low risk level)
– Recommended controls or alternative options for reducing the risk.

• VI. Summary
– Total the number of observations. Summarize the observations, the associated risk levels, the recommendations, and any comments in a table format to facilitate the implementation of recommended controls during the risk mitigation process.


Fraud Risk Governance
• While each organization needs to consider its size and complexity when determining what type of formal documentation is most appropriate, the following elements should be found within a fraud risk management program:
– Roles and responsibilities.
– Commitment.
– Fraud awareness.
– Affirmation process.
– Conflict disclosure.
– Fraud risk assessment.
– Reporting procedures and whistleblower protection.

Fraud Risk Governance
– Investigation process.
– Corrective action.
– Quality assurance.
– Continuous monitoring.


Fraud Risk Assessment
• A structured fraud risk assessment, tailored to the organization’s size, complexity, industry, and goals, should be performed and updated periodically.
• The assessment may be integrated with an overall organizational risk assessment or performed as a stand-alone exercise, but should, at a minimum, include risk identification, risk likelihood and significance assessment, and risk response.

• Individual organizations will have different risk tolerances. Fraud risks can be addressed by establishing practices and controls to mitigate the risk, accepting the risk — but monitoring actual exposure — or designing ongoing or specific fraud evaluation procedures to deal with individual fraud risks.
• Management and board members should ensure the organization has the appropriate control mix in place, recognizing their oversight duties and responsibilities in terms of the organization’s sustainability and their role as fiduciaries to stakeholders, depending on organizational form.


Fraud Prevention and Detection
• Management is responsible for developing and executing mitigating controls to address fraud risks while ensuring controls are executed efficiently by competent and objective individuals.
• Prevention encompasses policies, procedures, training, and communication that stop fraud from occurring.
• Detection focuses on activities and techniques that promptly recognize whether fraud has occurred or is occurring.


• One key to prevention is promoting, from the board down throughout the organization, an awareness of the fraud risk management program, including the types of fraud that may occur.
• One of the strongest fraud deterrents is the awareness that effective detective controls are in place.

• Combined with preventive controls, detective controls enhance the effectiveness of a fraud risk management program by demonstrating that preventive controls are working as intended and by identifying fraud if it does occur. Although detective controls may provide evidence that fraud has occurred or is occurring, they are not intended to prevent fraud.


Fraud Risk Governance
• Every organization is susceptible to fraud, but not all fraud can be prevented, nor is it cost-effective to try. An organization may determine it is more cost-effective to design its controls to detect, rather than prevent, certain fraud schemes. It is important that organizations consider both fraud prevention and fraud detection.
• Principle 1: As part of an organization’s governance structure, a fraud risk management program should be in place, including a written policy (or policies) to convey the expectations of the board of directors and senior management regarding managing fraud risk.


• To help ensure an organization’s fraud risk management program is effective, it is important to understand the roles and responsibilities that personnel at all levels of the organization have with respect to fraud risk management.
• Policies, job descriptions, charters, and/or delegations of authority should define roles and responsibilities related to fraud risk management.

• Board of Directors: the board first should ensure that the board itself is governed properly. This encompasses all aspects of board governance, including independent-minded board members who exercise control over board information, agenda, and access to management and outside advisers, and who independently carry out the responsibilities of the nominating/governance, compensation, audit, and other committees.


The board should
• Understand fraud risks.
• Maintain oversight of the fraud risk assessment by ensuring that fraud risk has been considered as part of the organization’s risk assessment and strategic plans. This responsibility should be addressed under a periodic agenda item at board meetings when general risks to the organization are considered.
• Monitor management’s reports on fraud risks, policies, and control activities, which include obtaining assurance that the controls are effective. The board also should establish mechanisms to ensure it is receiving accurate and timely information from management, employees, internal and external auditors, and other stakeholders regarding potential fraud occurrences.

• Oversee the internal controls established by management.
• Set the appropriate tone at the top through the CEO job description, hiring, evaluation, and succession-planning processes.
• Have the ability to retain and pay outside experts where needed.
• Provide external auditors with evidence regarding the board’s active involvement and concern about fraud risk management.

Audit Committee (or similar oversight body)
• Should be composed of independent board members and should have at least one financial expert, preferably with an accounting background.
• The committee should meet frequently enough, for long enough periods, and with sufficient preparation to adequately assess and respond to the risk of fraud, especially management fraud, because such fraud typically involves override of the organization’s internal controls.
• An audit committee of the board that is committed to a proactive approach to fraud risk management maintains an active role in the oversight of the organization’s assessment of fraud risks and uses internal auditors, or other designated personnel, to monitor fraud risks.
• At each audit committee meeting, the committee:
– should meet separately from management with appropriate individuals, such as the chief internal audit executive and senior financial person.
– should understand how internal and external audit strategies address fraud risk.
– should not only focus on what the auditors are doing to detect fraud, but more importantly on what management is doing to prevent fraud, where possible.


Management
• should be aware that the organization’s external auditors have a responsibility to plan and perform the audit of the organization’s financial statements to obtain reasonable assurance about whether the financial statements are free of material misstatement, whether caused by error or fraud.
• should also seek the advice of legal counsel whenever dealing with issues of allegations of fraud. Fraud allegations should be taken seriously since there may be a legal obligation to investigate and/or report them.
• Implementing adequate internal controls — including documenting fraud risk management policies and procedures and evaluating their effectiveness — aligned with the organization’s fraud risk assessment.
• Reporting to the board on what actions have been taken to manage fraud risks and regularly reporting on the effectiveness of the fraud risk management program. This includes reporting any remedial steps that are needed, as well as reporting actual frauds.

Staff
• Have a basic understanding of fraud and be aware of the red flags.
• Understand their roles within the internal control framework. Staff members should understand how their job procedures are designed to manage fraud risks and when noncompliance may create an opportunity for fraud to occur or go undetected.
• Read and understand policies and procedures (e.g. the fraud policy, code of conduct, and whistleblower policy), as well as other operational policies and procedures, such as
• As required, participate in the process of creating a strong control environment and designing and implementing fraud control activities, as well as participate in monitoring activities.
• Report suspicions or incidences of fraud.
• Cooperate in investigations.


Internal Auditing
• should provide objective assurance to the board and management that fraud controls are sufficient for identified fraud risks and ensure that the controls are functioning effectively.
• Internal auditors may review the comprehensiveness and adequacy of the risks identified by management — especially with regard to management override risks.
• should interview and communicate regularly with those conducting the organization’s risk assessments, as well as others in key positions throughout the organization, to help them ensure that all fraud risks have been considered appropriately.


3.1.2. Transaction Risks
• Managerial Implications

Example
• Consumer-perceived risk is reduced with the increase in institutional trust.


Transaction risk
• Is the current and prospective risk to earnings and capital arising from fraud, error, and the inability to deliver products or services, maintain a competitive position, and manage information.
• Risk is inherent in efforts to gain strategic advantage and in the failure to keep pace with changes in the financial services marketplace. Transaction risk is evident in each product and service offered.
• Transaction risk encompasses product development and delivery, transaction processing, systems development, computing systems, complexity of products and services, and the internal control environment.

Type of Risk
• Fraud
• Error
• Negligence
• And the inability to deliver products or services, maintain a competitive position, and manage information


Quantity of Transaction Risk Indicators
• Low
– Exposure to risk from fraud, errors, or processing disruptions is minimal given the volume of transactions, complexity of products and services, and state of systems development. Risk to earnings and capital is insignificant.
– Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are minimal.


• Moderate
– Exposure to risk from fraud, errors, or processing disruptions is modest given the volume of transactions, complexity of products and services, and state of systems development. Deficiencies that have potential impact on earnings or capital can be addressed in the normal course of business.
– Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are manageable.


• High
– Exposure to risk from fraud, errors, or processing disruptions is significant given the volume of transactions, complexity of products and services, and state of systems development. Deficiencies exist which represent significant risk to earnings and capital.
– Risks, including transaction processing failures, from planned conversions, merger integration, or new products and services are substantial.

Quality of Transaction Risk Indicators
• Strong
– Management anticipates and responds effectively to risks associated with operational changes, systems development, and emerging technologies.
– Management has implemented sound operating processes, information systems, internal control, and audit coverage.
– Management identifies weaknesses in transaction processing and takes timely and appropriate action.

– Management information provides appropriate monitoring of transaction volumes, errors, reported fraud, suspicious activity, security violations, etc. MIS is accurate, timely, complete and reliable.
– Management comprehensively provides for continuity and reliability of services, including services furnished by outside providers.
– Appropriate processes and controls exist to manage and protect data.
– Risks from new products and services, planned strategic initiatives, or acquisitions are well controlled and understood.
– Management fully understands technology risks, with available expertise to evaluate technology-related issues.

• Weak
– Management does not take timely and appropriate actions to respond to operational changes, systems development, or emerging technologies.
– Significant weaknesses exist in operating processes, information systems, internal control, or audit coverage related to transaction processing.
– Management does not recognize weaknesses in transaction processing or make the necessary corrections.
– Management information systems for transaction processing exhibit significant weaknesses or may not exist.
– Management has not provided for continuity and reliability of services furnished by outside providers.
– Processes and controls to manage and protect data are seriously deficient or nonexistent.
– Inadequate planning or due diligence exposes the Bank to significant risk from activities such as the introduction of new products and services, strategic initiatives, or acquisitions.
– Management does not understand, or has chosen to ignore, key aspects of transaction risk.

3.2. Payroll Risks

3.2.1. Introduction

3.2.2. Categories of payroll risks
• Incorrect processing/payment of payroll by mistake or with intention (fraud)
• Incorrect input by mistake or with intention (fraud) of payroll information
• Incorrect processing of payroll
• Payroll payment (bank transmission)
• Inaccurate taxation (computation and reporting)
• Payroll accounting

• Payroll related documents are not kept as per legal requirements
• Sensitive payroll information that is not properly protected may lead to loss of reputation, loss of competitive advantage, loss of revenue, or legal consequences
• See detail: Payroll Process-Fraud and error risks and controls to mitigate them.docx


3.2.3. Risk Protection and Management
• Control checklist: Payroll
• See Control Checklists_Payroll.xls

Payroll control objectives
• The following is a practical guide to payroll control objectives that help ensure risks are properly minimized.
• Reliability of Information


• Employee record changes are properly authorized and accurately recorded – all require the employee’s signature or their acknowledgement
• All payroll costs are accurately calculated from authorized sources and recorded on a timely basis.
• Recorded payroll balances are substantiated.
• Recorded payroll balances are evaluated.
• All payroll disbursements are accurately processed and recorded on a timely basis.
• Payroll changes, costs, and disbursements are reliably processed and reported.
• Performance measures used to control and improve the process are reliable.

• Detection of unauthorized adjustments to the payroll activity and withholding accounts after distribution
• Detection of duplicate payments
• Detection of collusion
• Detection of phantom employees
• Detection of manipulation of earned benefit time


Payroll Preparation and Security
• Is a payroll master file maintained which includes all employees? The file should contain all information concerning current pay rates, withholding deductions, tax codes, etc.
• Are procedures established to physically secure and protect master file information? Changes should be restricted to properly authorized additions, deletions and changes which are supported by documentation in the employee's personnel file.
• Are only authorized personnel allowed access to the Payroll department and its records?

• Is the Payroll department promptly and formally notified of the termination or transfer of any employee, or of payroll changes, so that payroll records can be adjusted?
• Do non-exempt employees submit time cards, time sheets or other authorized recording media on a timely basis, either electronically or manually, before payroll processing is performed?
• Do department managers compare actual payroll costs to budgeted costs for reasonableness?
• Are all payroll disbursement accounts reconciled on a monthly basis by someone without any responsibility for the payroll cycle?

10 practical steps to reduce the risk of a major payroll fraud occurring in your business

• Step 1: Review your bank reconciliation. Many frauds are discovered when a review of the bank reconciliation is conducted. A bank reconciliation ensures that the cash balance per the financial statements is the same as the cash balance in the company’s bank account. In many fraud cases, a review of the bank reconciliation reveals entries such as “Unadjusted balance”, “To be reviewed”, “Unknown Difference”, or “Immaterial Adjustment”. These descriptions often reveal that a process in the business is broken or, in the worst case, that a fraud is being perpetrated. Reviewing your bank reconciliation on a regular basis is a basic yet very important control for a business.

• Step 2: How do your staff complete their timesheets? Do your staff use a Time & Attendance book? What is the quality of information on these source documents? If staff are forgetting to sign or not including all required information, then it makes it difficult to detect more subtle behaviours that may be fraudulent in nature.


• Step 3: Do you have any ghost employees on your payroll? A ghost employee is a fictitious entry that has been created on your payroll for the purpose of defrauding the company of money. Some “ghosts” can be detected by looking for two or more employees who share the same bank account, or some other characteristic that is the same. For example, this could include the same telephone number, the same first, middle or last name, or common address elements. Other ghosts might only be detected if the individual is physically sighted while at the workplace. If your company payroll is predominantly made up of permanent employees, then the risk of having a ghost employee may be minimal. However, if you employ a large number of temporary and itinerant workers, then we recommend that additional checks be put in place to manage this risk.
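The shared-attribute screen described in Step 3, as an added example that is not part of the original notes: it normalises the bank account, phone and address fields of a constructed payroll master file and reports every value that two or more employee records have in common. The field names, the sample records and the normalisation rules are assumptions made for the illustration.

```python
# Ghost-employee screen: flag payroll records that share a bank account, phone
# number or address. Added example, not from the lecture notes; the record
# layout, sample data and normalisation rules are constructed assumptions.
import re
from collections import defaultdict

# Constructed sample payroll master file (not real data): E003 shares E001's
# bank account written differently; E004 shares E002's phone and address.
PAYROLL = [
    {"emp_id": "E001", "name": "Ann Lee", "bank": "12-34-56 00112233",
     "phone": "020 7946 0001", "address": "12 High St, Leeds"},
    {"emp_id": "E002", "name": "Bob Ray", "bank": "12-34-56 00445566",
     "phone": "020 7946 0002", "address": "4 Mill Rd, York"},
    {"emp_id": "E003", "name": "Carl Lee", "bank": "123456 00112233",
     "phone": "020 7946 0003", "address": "9 Park Ave, Hull"},
    {"emp_id": "E004", "name": "Dee Fox", "bank": "12-34-56 00778899",
     "phone": "02079460002", "address": "4 mill road, york"},
]
ABBREVIATIONS = {"road": "rd", "street": "st", "avenue": "ave"}

def norm_digits(value):
    """Keep digits only, so '12-34-56 00112233' equals '123456 00112233'."""
    return re.sub(r"\D", "", value)

def norm_address(value):
    """Lower-case, drop punctuation, abbreviate street words, squeeze spaces."""
    words = re.sub(r"[^\w\s]", " ", value.lower()).split()
    return " ".join(ABBREVIATIONS.get(w, w) for w in words)

NORMALISERS = {"bank": norm_digits, "phone": norm_digits, "address": norm_address}

def find_shared_attributes(records):
    """Return (field, normalised value, sorted employee ids) for each value
    that appears on two or more distinct employee records."""
    seen = {field: defaultdict(set) for field in NORMALISERS}
    for rec in records:
        for field, normalise in NORMALISERS.items():
            key = normalise(rec[field])
            if key:  # a blank field must not count as a match
                seen[field][key].add(rec["emp_id"])
    return sorted((field, key, sorted(ids))
                  for field, values in seen.items()
                  for key, ids in values.items() if len(ids) > 1)

for field, value, ids in find_shared_attributes(PAYROLL):
    print(f"review: employees {ids} share {field} {value!r}")
```

Every line printed is a lead for the physical-sighting check the notes mention, not proof of a ghost on its own, since genuine employees (household members, for instance) can share an address or phone.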


• Step 4: When was the last time you reviewed your end-to-end payroll process? Have you or someone in your company documented the payroll process, and do you understand who performs which tasks and in what sequence? Not understanding and documenting the process is like trying to build a house without any architectural plans. Preventing payroll fraud (like any other fraud) is all about understanding which checks and balances exist, whether they are operating effectively, and whether any key controls are missing from the process. Once the payroll process has been documented into its components, the risks at each stage can be assessed. For example, documenting your process for administering terminated employees may reveal that former employees' payroll details can be changed, resulting in the creation of a ghost employee.

• Step 5: Have you divested control of your payroll department and have little or no oversight over the payroll function? Are you relying on your friendship with or trust in your Payroll Manager instead of relying on proper management and review? If this is the case, then you need to go back to basics. Understand the process, identify any segregation of duty conflicts, ensure that the payroll is approved by someone independent from its preparation, institute random checks against source documents and conduct regular data mining reviews.

• Step 6: Is your payroll manager a signatory to your company’s bank account? Clearly, if this is the case, then there is a risk that the payroll manager can manipulate the payroll to their own advantage with little risk of detection. This is an obvious segregation of duty issue; however, also review the process and identify whether other conflicts exist in the payroll function.

• Step 7: What checks are conducted when a payroll is being approved? What is the approver checking the reports against? If the approver is just signing what is put in front of them, then this control is clearly not working effectively. Implement a checklist of key steps that need to be conducted before sign off occurs. This could include reviewing the number of Ons and Offs since the previous pay run. Scan the hours worked or overtime for anomalies. Select an employee at random and request supporting information. These are just some of the tasks that can be performed which can significantly improve the level of control in any sign off process.

• Step 8: Are you aware of payroll staff sharing passwords and log-in details? If this is the case, it becomes very difficult to detect suspicious behaviour and may result in unauthorised pay amounts or other serious anomalies. Staff should be provided with their own password, and you should ensure that staff are aware of the company’s Information Technology and other key policies.

• Step 9: Do you have a mechanism through which staff can report suspicious, fraudulent or inappropriate behaviour? In our experience, many frauds are only discovered when the company is “tipped off” by another employee. This type of email or phone hotline can also be particularly beneficial when a company has many geographically remote sites.


• Step 10: Do you make an employee background search a condition of employment for individuals working in sensitive positions, for example payroll and accounts payable? This can be another practical step you can take to improve the internal controls in your company.

Control Activities
• The “Biggie” in terms of commitment – the responses to a threat or set of threats
• Internal control activities are the policies, procedures, techniques, and mechanisms that help ensure that district management’s directives to minimize risks are carried out.
• Control activities occur at all levels and functions of the district.
• They include approvals, authorizations, verifications, reconciliations, performance reviews, and the production of records and documentation.


Threats in Employment Practices
• Hiring unqualified or troublesome employees
– Thorough background checks, review of employment history (30% dishonest, 30% situationally dishonest, 40% honest)
– Verify skills and references, including college degrees earned (data released in March 2004 indicates that 50% of resumes contain false or embellished information)
– Check at least three references (1 out of 3 will be gratuitously positive)

Threats in Employment Practices
• Violation of Employment Laws
– Carefully document all actions related to recruiting, hiring, and dismissal of employees.
– Provide your payroll and human resource employees with continual training to keep them current with employment laws.
• State
• Federal

Threats in Payroll Processing
• Unauthorized changes to the payroll master file
– Proper segregation of duties
• HR department approval for updates
• HR department should not directly participate in payroll processing or distribution
– Changes to the master file should be reviewed and approved by someone other than the person recommending the change.
– Restrict access to the payroll system and logic code
• User IDs, passwords
• Control terminals from which payroll data and programs can be accessed

Threats in Payroll Processing
• Inaccurate time data
– Automation can reduce unintentional inaccuracies.
– Data entry programs should include edit checks.
• Edit checks for employee numbers and hours worked
• Limit checks on hours worked
– Segregation of duties can reduce intentional inaccuracies:
• People who process payroll should not have access to the payroll master file (to the extent practical).
– Supervisors should approve all time cards.


Threats in Payroll Processing
• Inaccurate processing of payroll
– Run and reconcile batch totals before and after processing
• Master file totals +/- changes
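An added example, not from the lecture notes, that combines the sign-off checklist of Step 7 above (Ons and Offs since the previous run, scanning hours and overtime for anomalies) with the limit checks on hours and the batch-total reconciliation (master file totals +/- changes) listed in this section. It compares a constructed current pay run with the previous one and returns what the approver must explain before signing; the run layout, the limits and the approved-change list are assumptions.

```python
# Pay-run sign-off checks: Ons and Offs since the previous run, limit checks on
# hours, and a batch-total reconciliation (master-file totals +/- approved
# changes). Added example; run layout, sample data and limits are assumptions.

# Constructed pay runs: emp_id -> (regular_hours, overtime_hours, gross_pay).
PREVIOUS_RUN = {
    "E001": (160.0, 0.0, 3200.00),
    "E002": (160.0, 8.0, 3520.00),
    "E003": (152.0, 0.0, 3040.00),
}
CURRENT_RUN = {
    "E001": (160.0, 0.0, 3200.00),
    "E002": (160.0, 60.0, 4600.00),  # overtime spike with no approved change
    "E004": (190.0, 0.0, 3800.00),   # new starter whose hours exceed the limit
}
# Constructed approved changes since the previous run: (emp_id, gross delta).
APPROVED_CHANGES = [("E003", -3040.00), ("E004", 3800.00)]
MAX_REGULAR_HOURS = 184.0   # assumed limit check: 23 working days x 8 h
MAX_OVERTIME_HOURS = 40.0   # assumed limit check

def starters_and_leavers(previous, current):
    """Ons: ids paid now but not last run. Offs: ids paid last run but not now."""
    return sorted(set(current) - set(previous)), sorted(set(previous) - set(current))

def hours_exceptions(run):
    """Limit checks on hours worked; every hit needs supporting documents."""
    hits = []
    for emp_id, (regular, overtime, _) in sorted(run.items()):
        if regular > MAX_REGULAR_HOURS:
            hits.append((emp_id, f"regular {regular}h over {MAX_REGULAR_HOURS}h"))
        if overtime > MAX_OVERTIME_HOURS:
            hits.append((emp_id, f"overtime {overtime}h over {MAX_OVERTIME_HOURS}h"))
    return hits

def batch_total_check(previous, current, approved_changes):
    """Previous total +/- approved changes must equal the current total; any gap is unauthorised pay."""
    expected = sum(p[2] for p in previous.values()) + sum(d for _, d in approved_changes)
    actual = sum(c[2] for c in current.values())
    return round(expected, 2), round(actual, 2), round(actual - expected, 2)

def review_pay_run(previous, current, approved_changes):
    """Checklist the approver works through before signing off."""
    ons, offs = starters_and_leavers(previous, current)
    exceptions = hours_exceptions(current)
    expected, actual, diff = batch_total_check(previous, current, approved_changes)
    return {"ons": ons, "offs": offs, "hours_exceptions": exceptions,
            "expected_total": expected, "actual_total": actual,
            "unexplained_difference": diff,
            "ready_to_sign": not exceptions and diff == 0.0}

print(review_pay_run(PREVIOUS_RUN, CURRENT_RUN, APPROVED_CHANGES))
```

On the constructed data the batch total is out by 1080.00, exactly E002's unapproved overtime, so the run is not ready to sign even though E004's new-starter pay was approved.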

Threats in Payroll Processing
• Theft or fraudulent distribution of paychecks
– Restrict access to blank payroll checks and the check signing machine.
– All checks should be sequentially prenumbered and accounted for periodically.
– Someone independent of the payroll process should reconcile the payroll bank account.
– Segregate the duties between those who authorize and record payroll and those who distribute checks and transfer funds.
– Unclaimed checks should be returned to district administration for prompt investigation.

– Use of a payroll clearing account
• Imprest system with a net zero balance in the control account

– On-going training for payroll employees

Monitoring
• Any control system must be continually monitored and updated in order to continue to work effectively.
• The district should emphasize to managers that they have responsibility for internal control and that they should monitor the effectiveness of control activities as part of their regular duties.
• Is the system re-evaluated when a breakdown in controls is uncovered?
• The completion of each payroll provides you with a time for evaluation.
