l OM oARc PSD|85 08 4 38

Auditing in CIS Environment

 l OM oARc PSD|85 08 4 38

AUDITING IN A COMPUTER INFORMATION SYSTEMS (CIS) ENVIRONMENT

Introduction

When computers first became part of the information processing systems, many auditors felt that they would have
little impact on the audit process. Hence, the auditors would continue to AUDIT AROUND the computer by reviewing
and examining source documents or input and checking the final output based on those documents. However, as
computer systems became more "fully integrated" and the volume of transactions increased, it became increasingly
difficult to audit around the computer because much of the audit trail was lost within the computer. Consequently,
auditors learned more about computer systems and their emphasis switched to AUDITING THROUGH the computer.
An auditor focuses upon all EDP functions, particularly the controls over input, processing and output. This means
that the auditor investigates the data processing system by feeding the computer with hypothetical transactions
covering all types of situations in which he is instructed and ascertaining the answers produced are correct and wrong
data are rejected. If the system is satisfactorily controlled, the auditor relies upon the system and infers that the
financial accounting information processed by the system is correct. This indicates that the audit procedures have
changed to adapt to the increasing computer environment.

When auditing in an CIS environment an auditor focuses upon the adequacy of controls over transactions, not upon
the transactions themselves, as in manual systems.

Effects of Computers on the Audit Process

 The overall objective and scope of an audit does not change in a CIS environment. However, the use of a
computer changes the processing, storage and communication of financial information and may affect the
accounting and internal control systems employed by the entity. Accordingly, a CIS environment may affect:

 The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal
control systems.

 The consideration of inherent risk and control risk through which the auditor arrives at the risk assessment.
The auditor's design and performance of tests of control and substantive procedures appropriate to meet the
audit objective..

The auditor should have sufficient knowledge of the CIS to plan, direct. supervise and review the work performed.
The auditor should consider whether specialized CIS skills are needed in an audit. These may be needed to:

 Obtain a sufficient understanding of the accounting and internal control systems affected by the CIS
environment.

 Determine the effect of the CIS environment on the assessment of overall risk and of risk at the account
balance and class of transactions level.

 Design and perform appropriate tests of control and substantive procedures.

 l OM oARc PSD|85 08 4 38

If specialized skills are needed, the auditor would seek the assistance of a professional possessing such skills, who
may be either on the auditor's staff or an outside professional. If the use of such a professional is planned, the auditor
should obtain sufficient appropriate audit evidence that such work is adequate for the purposes of the audit, in
accordance with PSA 620, "Using the Work of an Expert"

Planning

In accordance with PSA 315 (Clarified), "Understanding the Entity and Its Environment and Assessing the Risks of
Material Misstatement, the auditor should obtain an understanding of the accounting and internal control systems
sufficient to plan the audit and develop an effective audit approach.

In planning the portions of the audit which may be affected by the client's CIS environment, the auditor should obtain
an understanding of the significance and complexity of the CIS activities and the availability of data for use in the
audit. This understanding would include such matters as:

The significance and complexity of computer processing in each significant accounting application. Significance
relates to materiality of the financial statement assertions affected by the computer processing. An application may be
considered to be complex when, for example:

 The volume of transactions is such that users would find it difficult to identify and correct errors in
processing.

 The computer automatically generates material transactions or entries directly to another application

 The computer performs complicated computations of financial information and/or automatically generates
material transactions or entries that cannot be (or are not) validated independently.

 Transactions are exchanged electronically with other organizations [as in electronic data interchange (EDI)
systems] without manual review for propriety or reasonableness.

The organizational structure of the client's CIS activities and the extent of concentration or distribution of computer
processing throughout the entity, particularly as they may affect segregation of duties.

The availability of data. Source documents, certain computer files, and other evidential matter that may be required
by the auditor may exist for only a short period or only in machine-readable form. Client CIS may generate internal
reporting that may be useful in performing substantive tests (particularly analytical procedures). The potential for use
of computer-assisted audit techniques may permit increased efficiency in the performance of audit procedures, or
may enable the auditor to economically apply certain procedures to an entire population of accounts or transactions.

When the CIS are significant, the auditor should also obtain an understanding of the CIS environment and whether it
may influence the assessment of inherent and control risks. The nature of the risks and the internal control
characteristics in CIS environments include the following:

 Lack of transaction trails. Some CIS are designed so that a complete transaction trail that is useful for audit
purposes might exist for only a short period of time or only in computer readable form.. Where a complex
application system performs a large number of processing steps, there may not be a complete trail.
Accordingly, errors embedded in an application's program logic may be difficult to detect on a timely basis by
manual (user) procedures.

 Uniform processing of transactions. Computer processing uniformly processes like transactions with the
same processing instructions. Thus, the clerical errors ordinarily associated with manual processing are
 l OM oARc PSD|85 08 4 38

virtually eliminated. Conversely, programming errors (or other systematic errors in hardware or software) will
ordinarily result in all transactions being processed incorrectly.

 Lack of segregation of functions. Many control procedures that would ordinarily be performed by separate
individuals in manual systems may be concentrated in CIS. Thus, an individual who has access to computer
programs, processing or data may be in a position to perform incompatible functions.

 Potential for errors and irregularities. The potential for human error in the development, maintenance and
execution of CIS may be greater than in manual systems, partially because of the level of detail inherent in
these activities. Also, the potential for individuals to gain unauthorized access to data or to alter data without
visible evidence may be greater in CIS than in manual systems.

In addition, decreased human involvement in handling transactions processed by CIS can reduce the potential for
observing errors and irregularities. Errors or irregularities occurring during the design or modification of application
programs or systems software can remain undetected for long periods of time.

 Initiation or execution of transactions. CIS may include the capability to initiate or cause the execution of
certain types of transactions. automatically. The authorization of these transactions or procedures may not
be documented in the same way as those in a manual system, and management's authorization of these
transactions may be implicit in its acceptance of the design of the CIS and subsequent modification.

 Dependence of other controls over computer processing. Computer processing may produce reports and
other output that are used in performing manual control procedures. The effectiveness of these manual
control procedures can be dependent on the effectiveness of controls over the completeness and accuracy
of computer processing. In turn, the effectiveness and consistent operation of transaction processing
controls in computer applications is often dependent on the effectiveness of general CIS controls.

 Potential for increased management supervision. CIS can offer management a variety of analytical tools that
may be used to review and supervise the operations of the entity. The availability of these additional
controls, if used, may serve to enhance the entire internal control structure.

 Potential for the use of computer-assisted audit techniques. The case of processing and analyzing large
quantities of data using computers may provide the auditor with opportunities to apply general or specialized
computer audit techniques and tools in the execution of audit tests.

 Both the risks and the controls introduced as a result of these characteristics of CIS have a potential impact
on the auditor's assessment of risk, and the nature, timing and extent of audit procedures.

Assessment of Risk

The inherent risks and control risks in a CIS environment may have both a pervasive effect and an account-specific
effect on the likelihood of material misstatements, as follows:

 The risks may result from deficiencies in pervasive CIS activities such as program development and
maintenance, systems software support, operations, physical CIS security, and control over access to
networks, operating systems, programs and databases. These deficiencies would tend to have a pervasive
impact on all application systems that are processed on the computer.

 The risks may increase the potential for errors or fraudulent activities in specific applications, in specific data
bases or master files, or in specific processing activities. For example, errors are not uncommon in systems
that perform complex logic or calculations, or that must deal with many different exception conditions.
 l OM oARc PSD|85 08 4 38

Systems that control cash disbursements or other liquid assets are susceptible to fraudulent actions by
users or by CIS personnel.

As new CIS technologies emerge, they are frequently employed by clients to build increasingly complex computer
systems that may include internet/extranet /intranet technologies, distributed data bases, end-user processing, and
business management systems that feed information directly into the accounting systems. Such systems increase the
overall sophistication of CIS and the complexity of the specific applications that they affect. As a result, they may
increase risk and require further consideration.

Audit Clients Using Computer Information Systems (CIS)

The auditor's specific audit objectives do not change whether accounting data is processed manually or by computer.
However, the methods of applying audit procedures to gather evidence may be influenced by the methods of
computer processing. The auditor can use either manual audit procedures, computer assisted audit techniques, or a
combination of both to obtain sufficient evidential matter. However, in some accounting systems that use a computer
for processing significant applications, it may be difficult or impossible for the auditor to obtain certain data for
inspection, inquiry, or confirmation without computer assistance.

The audit procedures applicable to evaluating the internal controls in CIS systems are

1. Review of the system

2. Tests of compliance

3. Evaluation to determine the extent of the substantive tests

A. Review of the System

If a client uses CIS, the auditor must be capable of understanding the entire system to evaluate the client's internal
control. The auditor's primary concern therefore is to determine whether the system provides reasonable assurance
that errors and irregularities have been and will be prevented or detected on a timely basis by employees in the
course of their normal activities.

B. Compliance Testing of CIS Controls

After reviewing the CIS controls, the auditor attempts to gather evidence to provide reasonable assurance that the
prescribed controls are functioning properly. Depending upon the sophistication of the EDP equipment, the nature of
the system, the adequacy of the audit trail and the audit objectives the auditor chooses to either:

a. Audit around the computer or

b. /Audit through the computer.

1) Auditing around (without using) the computer means the auditor does not use the computer to perform tests, select
samples, etc. If there is an adequate audit trail, the auditor can do the following:

a) Examine for evidence of controls i.e., error logs, batch control records, etc.

b) Trace transactions using printouts to follow input documents. through to final report.

c) Process sample transactions manually, process a batch of transaction and compare with the printouts.

2) Auditing through (with the use of) computer. Computers are useful in performing the audit. The auditor can use a
computer program (provided by the client or prepared by the auditor) to examine data files and perform many of the
clerical tasks previously performed by a junior auditor.
 l OM oARc PSD|85 08 4 38

Because of the speed of the computers these tests can sometimes be performed for an entire file rather than for only
a sample of transactions. Many auditors have generalized computer audit packages which will run on most
computers and perform many audit tasks.

C. Substantive Testing of Computer-based Records

Substantive testing like compliance testing can be performed either with or without the use of the computer.

1. Substantive testing without using the computer

Printouts are used to test the correctness of accounts and as a basis from which samples will be
selected for further testing or confirmation.

2. Substantive testing with the use of (through) a computer

Auditor uses a program written to gain access to the computer-based records. Once access has been
achieved, the auditor can use the computer to perform those procedures which are clerical in nature.
Sources of programs are:

a) Auditor written programs

Specifically written to client's files.

b) Auditee programs

Coded by the company's own programmer to meet the auditor's needs. This will require additional
precautions on the part of the auditor.

c) Utility programs

Provided by software vendors and used to obtain data.

d) Generalized computer audit programs

These programs offer audit-oriented functions for use in accessing and testing records.

Audit Techniques Using Computers

There are many techniques which auditors can use to audit through the computer to test EDP applications. Some of
the more common techniques are described below.

a. Audit Software - The auditor may use various types of software on either microcomputers or mainframe
computers. For example, auditors often use microcomputer electronic spreadsheets to prepare working trial
balances, lead, and other schedules. Such spreadsheets may significantly simplify the computational aspects of tasks
such as incorporating adjustments and reclassifications on a worksheet. Three other software may be used on either
a microcomputer or a mainframe computer: generalized audit software, system utility software, and customized
(written specially for one client) audit programs. Generalized audit software is used most frequently because it allows
the auditor to access various client's computer files. Some of the audit procedures that may be performed by
generalized audit software include:

(1) Testing client calculations

(2) Making additional calculations

(3) Extracting data from the client files

(4) Examining records which meet criteria specified by the auditor (e.g., property acquisitions in excess of
P10,000)
 l OM oARc PSD|85 08 4 38

(5) Selecting audit samples

(6) Comparing data that exist on separate files

(7) Summarizing data

(8) Comparing data obtained through other audit procedures with client records

(9) Identify weaknesses in internal control

(10) Prepare flowcharts of client transaction cycles and of client programs

(11) Prepare graphic displays of data for easier analysis

(12) Correspondence (engagement letters, representation letters,attorney's letters)

b. Test Data- A set of dummy transactions is developed by the auditor and processed by the client's computer
programs to determine whether the controls which the auditor intends to rely on are functioning as expected. Some of
these transactions may include errors to test the effectiveness of programmed controls and to determine how
transactions are handled. Every possible transaction value need not be tested. In fact, prior exam questions have
suggested that each control need only be tested once. Several possible problems associated with test data are that
the auditor must:

(1) Make certain the test data is not included in the client's accounting records.

(2) Determine that the program tested is actually used by the client to process data.

(3) Devote the necessary time to develop adequate data to test key controls.

c. Concurrent Audit Techniques - These techniques collect evidence as transactions are processed, immediately
reporting information requested by the auditor or storing it for later access. They are appropriate when an auditor
desires to perform tests of controls or substantive tests. Three concurrent techniques are integrated test facilities,
snapshots, and system control audit review files (SCARF).

(1) Integrated Test Facility (ITF)-- This method introduces dummy transactions into a system in the midst of
live transactions and is usually built into the system during the original design. One way to accomplish this is
to incorporate a simulated division or subsidiary into the accounting system with the sole purpose of running
test data through it. The test data approach is similar, therefore, its limitations are also similar, yet the test
data approach does not run simultaneously through the live system. The running of dummy transactions in
the midst of live transactions makes the task of keeping the two transaction types separate more difficult.

(2) Snapshots -- Auditors embed software routines at different points within an application to capture and
report images called snapshots of a selected transaction as it is processed at preselected points in a
program. For example, in an accounts receivable application, an auditor can have snapshots taken of the
available credit limit before and after the selected sales transaction is processed to make sure that an
appropriate credit limit is carried forward.

(3) System Control Audit Review File (SCARF) - This uses audit software embedded in the client's system,
called an embedded audit module, to gather information at predetermined points in a system. This
information is stored in special file and is reported only to the auditors at predetermined intervals. For
example, an auditor may establish an audit module that counts the number of times the credit manager
overrides established credit limits. SCARFS can be used to test controls and also for substantive tests.
 l OM oARc PSD|85 08 4 38

d. Parallel Simulation (Also known as controlled processing / reprocessing) - This method processes actual client
data through an auditor's software program (and frequently, although not necessarily, the auditor's computer). After
processing the data, the auditor compares the output obtained with output obtained from the client. This method
verifies processing of actual transactions (as opposed to test data and ITF that use dummy transactions) and allows
the auditor to verify actual client results. The limitations of this method include:

(1) The time it takes the auditor to build an exact duplicate of the client's system

(2) Incompatibility between auditor and client software

(3) The time involved in reprocessing large quantities of data

However, the auditor can simply test portions of the system to reduce the overall time and concentrate on key
controls.
e. Code Comparison -- In the performance of code comparison, an auditor examines two versions of a program to
determine whether they are identical. One version of the program, frequently called the blueprint is known to be the
appropriate program. In many cases, the auditor has tested the blueprint during a previous audit. The other version of
the program is the one in current use by the client. Code comparison can be done by visually comparing the coding of
the two programs or by using a computer program to make the comparison.

f. Audit Workstation -- More internal audit departments and a few external auditing firms are ending their
dependence on audit software programs run on a mainframe by using an audit workstation. Using a microcomputer
and the necessary software, the auditor extracts the necessary data from the client's files and performs the desired
tests directly on the microcomputer. There are seven steps in the use of an audit workstation.

(1) Determine data needed at this step the auditor analyzes the information stored on the mainframe and
determines what information would be useful.

(2) Write extract routine on a one-time basis, the auditor writes specifications that extract the information
required and place it in a format that can be transferred to the audit microcomputer.

(3) Rum extract program -- as often as required, the extract program is run to create the file that will be
transferred to the microcomputer.

(4) Download extracted file - moving the files from the mainframe to the microcomputer makes this the most
technical step in the process. However, there are new software packages available for the mainframe and
the microcomputer that make this process relatively simple.

(5) Perform analysis - the auditor is now free of the mainframe and is able to perform the desired analysis.
Using a spreadsheet package, the auditor can prepare financial statements, generate ratios, and prepare
totals. Using a data base package that the auditor can run statistical analyses.

(6) Prepare report the auditor now has the necessary analyses to develop a more substantial analytical
report.

(7) Workpapers - to document the process, the auditor can write a report using a word processing package
and can save the results electronically.
 l OM oARc PSD|85 08 4 38

The audit workstation may eventually replace manual workpapers. Every auditor would then have his/her own laptop
computer.

Microcomputer-based Systems

A number of auditors use commercially available software, often referred to as data manager to download client data
to the auditor's microcomputer. After the client data been downloaded, the auditor uses commercially available
software to perform specific audit procedures. For example, an auditor may download a client's account receivable
file and age it to compare to the client's aging.

Using the Microcomputer in Administration of an Audit

The availability of powerful, low-cost microcomputers and software are cost effective tools that many auditors have
found helpful in administering and performing an audit. These are commercially available software and software
developed by public accounting firms that can assist the auditor in

1. preparing working papers,

2. executing audit procedures,

3. research,

4. engagement management, and

5. time budgeting.

Some public accounting firms have placed on CD-ROM and hard disks professional standards and firm literature that
could facilitate research in the field both by professionals and undergraduate accounting students.

Among the commercially available software that auditors have found useful are:

(a) word processors,

(b) electronic spreadsheets,

(c) graphic packages to present data, and

(d) communication programs.

To increase the efficiency of these programs, auditors have designed templates that contain

(a) predesigned working papers

(b) formulas with which to check computations made in a working paper.

Auditors use word processors to prepare working papers, financial statements and accompanying notes,
management letters, and other documents. There are also other types of commercially available software that can
assist in engagement management, such as

1. audit program generators that assist in developing audit programs

 l OM oARc PSD|85 08 4 38

2. preparation of flowchart

3. performance analytical procedures

4. preparation of working papers.

Some auditing firms have begun developing expert systems, which are programs designed to mimic the decision-
making processes of an expert in the field. Expert systems were first developed to assist physicians in making
informed diagnoses. These systems are "user friendly," asking the user for specific information and then reporting on
the decision. Some have the capacity to produce a "map" on how they reached a conclusion. Newly developed expert
systems for accounting include programs for computation of income taxes and evaluation of loss reserves for a bank.

Expert systems are costly to develop and will require a substantial amount of investment to produce results that are
useful to auditors.

Specialized Audit Programs and Additional Techniques

Specialized audit programs may be developed to perform specific audit tasks. For example, programs have been
written to generate computer-made flowcharts of other programs. A trained auditor can examine the flowcharts to test
the logic of application programs and to ensure that the client's documentation describes the program that is actually
being used.

Another audit technique that may be used i Tagging and Tracing Transactions. This process involves tagging or
specifically marking or highlighting certain transactions by the auditor at the time of their input. The computer provides
the auditor with a printout of the details of the steps in processing tagged transactions. This printout is examined for
evidence of unauthorized program steps. Some auditors use utility programs during their audits. Utility programs are
provided by major systems vendors to provide programmers and computer operators with working tools. For
example, a utility program can copy files, make comparisons or sort data.

Electronic Commerce Effect on the Audit of Financial Statements (PAPS 1013)

The purpose of PAPS 1013 is to provide guidance to assist auditors of financial statements where an entity engages
in commercial activity that takes place by means of connected computers over a public network, such as the Internet
(e commerce').

Communications and transactions over networks and through computers are not new features of the business
environment. For example, business processes frequently involve interaction with a remote computer, the use of
computer networks, or electronic data interchange (EDI). However the increasing use of the Internet for business to
consumer, business to business, business to government and business to employee e-commerce is introducing new
elements of risk to be addressed by the entity and considered by the auditor when planning and performing the audit
of the financial statements.

The Internet refers to the worldwide network of computer networks, it is a shared public network that enables
communication with other entities and individuals around the world. It is interoperable, which means that any
computer connected to the Internet can communicate with any other computer connected to the Internet. The Internet
is a public network, in contrast to a private network that only allows access to authorized persons or entities. The use
of a public network introduces special risks to be addressed by the entity. Growth of Internet activity without due
attention by the entity to those risks may affect the auditor's assessment of risk.

Skills and Knowledge

 l OM oARc PSD|85 08 4 38

The level of skills and knowledge required to understand the effect of e commerce on the audit will vary with the
complexity of the entity's e-commerce activities. The auditor considers whether the personnel assigned to the
engagement have appropriate IT and Internet business knowledge to perform the audit. When e-commerce has a
significant effect on the entity's business, appropriate levels of both information technology (IT) and Internet business
knowledge may be required to:

 Understand, so far as they may affect the financial statements:

- The entity's e-commerce strategy and activities;

- The technology used to facilitate the entity's e-commerce activities and the IT skills and
knowledge of entity personnel;

- The risks involved in the entity's use of e-commerce and the entity's approach to
managing those risks, particularly the adequacy of the internal control system, including
the security infrastructure and related controls, as it affects the financial reporting process;

 Determine the nature, timing and extent of audit procedures and evaluate audit evidence;

 Consider the effect of the entity's dependence on e-commerce activities on its ability to continue as
a going concern.

In some circumstances, the auditor may decide to use the work of an expert, for example if the auditor considers it
appropriate to test controls by attempting to break through the security layers of the entity's system (vulnerability or
penetration testing). When the work of an expert is used, the auditor obtains sufficient appropriate audit evidence that
such work is adequate for the purposes of the audit, in accordance with PSA 620, "Using the Work of an Expert." The
auditor also considers how the work of the expert is integrated with the work of others on the audit, and what
procedures are undertaken regarding risks identified through the expert's work.

Knowledge of the Business

PSA 315 (Clarified) requires that the auditor obtain a knowledge of the business sufficient to enable the auditor to
identify and understand the events, transactions and practices that may have a significant effect on the financial
statements or on the audit report. Knowledge of the business includes a general knowledge of the economy and the
industry within which the entity operates. The growth of e commerce may have a significant effect on the entity's
traditional business environment.

The auditor's knowledge of the business is fundamental to assessing the significance of e-commerce to the entity's
business activities and any effect on audit risk. The auditor considers changes in the entity's business environment
attributable to e-commerce, and e-commerce business risks as identified so far as they affect the financial
statements. Although the auditor obtains much information from inquiries of those responsible for financial reporting,
making inquiries of personnel directly involved with the entity's e-commerce activities, such as the Chief Information
Officer or equivalent, may also be useful. In obtaining or updating knowledge of the entity's business, the auditor
considers, so far as they affect the financial statements:

 The entity's business activities and industry:

 The entity's e-commerce strategy; ins

 The extent of the entity's e-commerce activities; and The entity's outsourcing arrangements.

Each of these is discussed next.

The Entity's Business Activities and Industry

 l OM oARc PSD|85 08 4 38

E-commerce activities may be complementary to an entity's traditional business activity. For example, the entity may
use the Internet to sell conventional products (such as books or CDs), delivered by conventional methods from a
contract executed on the Internet. In contrast, e-commerce may represent a new line of business and the entity may
use its web site to both sell and deliver digital products via the Internet.

The Internet lacks the clear, fixed geographic lines of transit that traditionally have characterized the physical trade of
many goods and services. In many cases, particularly where goods or services can be delivered via the Internet, e
commerce has been able to reduce or eliminate many of the limitations imposed by time and distance.

Certain industries are more conducive to the use of e-commerce, therefore e commerce in these industries is in a
more mature phase of development. When an entity's industry has been significantly influenced by e-commerce over
the Internet, business risks that may affect the financial statements may be greater.

Examples of industries that are being transformed by e-commerce include:

1. Computer software;

2. Securities trading;

3. Banking;

4. Travel services;

5. Books and magazines;

6. Recorded music;

7. Advertising;

8. News media; and

9. Education.

In addition many other industries, in all business sectors, have been significantly affected by e-commerce.

The Entity's E-Commerce Strategy

The entity's e-commerce strategy, including the way it uses IT for e-commerce and its assessment of acceptable risk
levels, may affect the security of the financial records and the completeness and reliability of the financial information
produced. Matters that may be relevant to the auditor when considering the entity's e-commerce strategy in the
context of the auditor's understanding of the control environment, include:

 Involvement of those charged with governance in considering the alignment of e-commerce activities with
the entity's overall business strategy;

 Whether e-commerce supports a new activity for the entity, or whether it is intended to make existing
activities more efficient or reach new markets for existing activities;
 Sources of revenue for the entity and how these are changing (for example, whether the entity will be acting
as a principal or agent for goods or services sold);

 Management's evaluation of how e-commerce affects the earnings of the

 entity and its financial requirements; Management's attitude to risk and how this may affect the risk profile of
the entity;
 l OM oARc PSD|85 08 4 38

 The extent which management has identified e-commerce to opportunities and risks in a documented
strategy that is supported by appropriate controls, or whether e-commerce is subject to ad hoc development
responding to opportunities and risks as they arise; and

 Management's commitment to relevant codes of best practice or web sealprograms.

 The Extent of the Entity's E-commerce Activities

 Different entities use e-commerce in different ways. For example, e-commerce might be used to: Provide
only information about the entity and its activities, which can be accessed by third parties such as investors,
customers, suppliers, finance providers, and employees; Facilitate transactions with established customers
whereby transactions are entered via the Internet;

 Gain access to new markets and new customers by providing information and transaction processing via the
Internet;

 Access Application Service Providers (ASPs); and

 Create an entirely new business model.

The extent of e-commerce use affects the nature of risks to be addressed by the entity. Security issues may arise
whenever the entity has a web site. Even if there is no third party interactive access, information-only pages can
provide an access point to the entity's financial records. The security infrastructure and related controls can be
expected to be more extensive where the web site is used for transacting with business partners, or where systems
are highly integrated.

As an entity becomes more involved with e-commerce, and as its internal. systems become more integrated and
complex, it becomes more likely that new ways of transacting business will differ from traditional forms of business
activity and will introduce new types of risks.

The Entity's Outsourcing Arrangements

Many entities do not have the technical expertise to establish and operate in house systems needed to undertake e-
commerce. These entities may depend on service organizations such as Internet Service Providers (ISPs),
Application Service Providers (ASPs) and data hosting companies to provide many or all of the IT requirements of e-
commerce. The entity may also use service organizations for various other functions in relation to its e-commerce
activities such as order fulfillment, delivery of goods, operation of call centers and certain accounting functions.

When the entity uses a service organization, certain policies, procedures and records maintained by the service
organization may be relevant to the audit of the entity's financial statements. The auditor considers the outsourcing
arrangements used by the entity to identify how the entity responds to risks arising from the outsourced activities.

Risk Identification

Management faces many business risks relating to the entity's e-commerce activities, including:

 Loss of transaction integrity, the effects of which may be compounded by the lack of an adequate audit trail
in either paper or electronic form;

 Pervasive e-commerce security risks, including virus attacks and the potential for the entity to suffer fraud by
customers, employees and others through unauthorized access.
 Improper accounting policies related to, for example, capitalization of expenditures such as website
development costs, misunderstanding of complex contractual arrangements, title transfer risks, translation of
foreign currencies, allowances for warranties or returns, and revenue recognition issues such as:

o Whether the entity is acting as principal or agent and whether gross sales or commission only are
to be recognized;
 l OM oARc PSD|85 08 4 38

o If other entities are given advertising space on the entity's web site, how revenues are determined
and settled (for example, by the use of barter transactions);

o The treatment of volume discounts and introductory offers (for example, free goods worth a certain
amount);

o Cut off (for example, whether sales are only recognized when goods and services have been
supplied);

 Noncompliance with taxation and other legal and regulatory requirements, particularly when 'Internet e-
commerce transactions are conducted across international boundaries;

 Failure to ensure that contracts evidenced only by electronic means are binding:

 Over reliance on e-commerce when placing significant business systems or other business transactions on
the Internet; and
 Systems and infrastructure failures or "crashes".

The entity addresses certain business risks arising in e-commerce through the implementation of an appropriate
security infrastructure and related controls. which generally include measures to:

 Verify the identity of customers and suppliers;

 Ensure the integrity of transactions;

 Obtain agreement on terms of trade, including agreement of delivery and credit ter and dispute resolution
processes, which may address tracking of transactions and procedures to ensure a party to a transaction
cannot later deny having agreed to specified terms (non-repudiation procedures)
 Obtain payment from, or secure credit facilities for, customers; and

 Establish privacy and information protection protocols.

The auditor uses the knowledge of the business obtained to identify those events, transactions and practices related
to business risks arising from the entity's e commerce activities that, in the auditor's judgment, may result in a
material of the financial statements or have a significant effect on the auditor's procedures or the audit report.

Legal and Regulatory Issues

A comprehensive international legal framework for e-commerce and an efficient infrastructure to support such a
framework (electronic signatures, document registries, dispute mechanisms, consumer protection etc) does not yet
exist. Legal frameworks in different jurisdictions vary in their recognition of e commerce. Nonetheless, management
needs to consider legal and regulatory issues related to the entity's e-commerce activities, for example, whether the
entity has adequate mechanisms for recognition of taxation liabilities, particularly sales or value-added taxes, in
various jurisdictions. Factors that may give rise to taxes on e-commerce transactions include the place where:

 The entity is legally registered

 Its physical operations are based;

 Its web server is located;

 Goods and services are supplied from; and

 Its customers are Incated or goods and services are delivered.

These may all be in different jurisdictions. This may give rise to a risk that taxes due on cross-jurisdictional
transactions are not appropriately recognized.

 Legal or regulatory issues that may be particularly relevant in an e-commerce environment include:
 l OM oARc PSD|85 08 4 38

 Adherence to national and international privacy requirements:

 Adherence to national and international requirements for regulated industries

 The enforceability of contracts;

 The legality of particular activities, for example Internet gambling

 . The risk of money laundering: and

 Violation of intellectual property rights.

PSA 250, "Consideration of Laws and Regulations in an Audit of Financial Statements requires that when planning
and performing audit procedures and in evaluating and reporting the results thereof, the auditor recognize that
noncompliance by the entity with laws and regulations may materially affect the financial statements. PSA 250 also
requires that, in order to plan the audit, the auditor should obtain a general understanding of the legal and regulatory
framework applicable to the entity and the industry and how the entity is complying with that framework. That
framework may, in the particular circumstances of the entity, include certain legal and regulatory issues related to its
e-commerce activities. While PSA 250 recognizes that an audit cannot be expected to detect noncompliance with all
laws and regulations, the auditor is specifically required to perform procedures to help identify instances of
noncompliance with those laws and regulations where noncompliance should be considered when preparing financial
statements. When a legal or regulatory issue arises that, in the auditor's judgment, may result in a material
misstatement of the financial statements or have a significant effect on the auditor's procedures or the audit report,
the auditor considers management's response to the issue. In some cases, the advice of a lawyer with particular
expertise in e-commerce issues may be necessary when considering legal and regulatory issues arising from an
entity's e-commerce activity.

Internal Control Considerations

Internal controls can be used to mitigate many of the risks associated with e commerce activities. The auditor
considers the control environment and control procedures the entity has applied to its e-commerce activities to the
extent they are relevant to the financial statement assertions. In some circumstances, for example when electronic
commerce systems are highly automated, when transaction volumes are high, or when electronic evidence
comprising the audit trail is not retained, the auditor may determine that it is not possible to reduce audit risk to an
acceptably low level by using only substantive procedures. CAATS are often used in such circumstances.

As well as addressing security, transaction integrity and process alignment, as discussed below, the following
aspects of internal control are particularly relevant when the entity engages in e-commerce:

 Maintaining the integrity of control procedures in the quickly changing e-commerce environment;

 Ensuring access to relevant records for the entity's needs and for audit purposes.

Security

The entity's security infrastructure and related controls are a particularly important feature of its internal control
system when external parties are able to access the entity's information system using a public network such as the
Internet. Information is secure to the extent that the requirements for its authorization, authenticity, confidentiality,
integrity, non-repudiation and availability have been satisfied.

The entity will ordinarily address security risks related to the recording and processing of e-commerce transactions
through its security infrastructure and related controls. The security infrastructure and related controls may include an
information security policy, an information security risk assessment, and standards, measures, practices, and
 l OM oARc PSD|85 08 4 38

procedures within which individual systems are introduced and maintained, including both physical measures and
logical and other technical safeguards such as user identifiers, passwords and firewalls. To the extent they are
relevant to the financial statement assertions the auditor considers such matters as:

 The effective use of firewalls and virus protection software to protect its systems from the introduction of
unauthorized or harmful software, data or other material in electronic form,
 The effective use of encryption, including both

o Maintaining the privacy and security of transmissions through, for example, authorization of decryption
keys; and

o Preventing the misuse of encryption technology through, for example, controlling and safeguarding
private decryption keys;

 Controls over the development and implementation of systems used to support e-commerce activities;

 Whether security controls in place continue to be effective as new technologies that can be used to attack
Internet security become available

 Whether the control environment supports the control procedures implemented. For example, while some
control procedures, such as digital certificate-based encryption systems, can be technically advanced, they
may not be effective if they operate within an inadequate control environment.

Transaction Integrity

The auditor considers the completeness, accuracy, timeliness and authorization of information provided for recording
and processing in the entity's financial records (transaction integrity). The nature and the level of sophistication of an
entity's e-commerce ctivities influence the nature and extent of risks related to the recording and processing of e-
commerce transactions.

Audit procedures regarding the integrity of information in the accounting system relating to e-commerce transactions
are largely concerned with evaluating the reliability of the systems in use for capturing and processing such
information. In a sophisticated system, the originating action, for example receipt of a customer order over the
Internet, will automatically initiate all other steps, in processing the transaction. Therefore, in contrast to audit
procedures for traditional business activities, which ordinarily focus separately on control processes relating to each
stage of transaction capture and processing, audit procedures for sophisticated e-commerce often focus on
automated controls that relate to the integrity of transactions as they are captured and then immediately and
automatically processed.

In an e-commerce environment, controls relating to transaction integrity are often designed to, for example:

 Validate input;

 Prevent duplication or omission of transactions;

 Ensure the terms of trade have been agreed before an order is processed, including delivery and credit
terms, which may require, for example, that payment is obtained when an order is placed:
 Distinguish between customer browsing and orders placed, ensure a party to a transaction cannot later deny
having agreed to specified terms (non-repudiation), and ensure transactions are with approved parties when
appropriate,

 Prevent incomplete processing by ensuring all steps are completed and recorded (for example, for a
business to consumer transaction: order accepted, payment received, goods/services delivered and
accounting system updated) or if all steps are not completed and recorded, by rejecting the order;

 Ensure the proper distribution of transaction details across multiple systems in a network (for example, when
data is collected centrally and is communicated to various resource managers to execute the transaction);
and
 l OM oARc PSD|85 08 4 38

 Ensure records are properly retained, backed-up and secured.

Process Alignment

Process alignment refers to the way various IT systems are integrated with one another and thus operate, in effect,
as one system. in the e-commerce environment, it is important that transactions generated from an entity's web site
are processed properly by the entity's internal systems, such as the accounting system, customer relationship
management systems and inventory management systems (often known as "back office" systems). Many web sites
are not automatically integrated with internal systems.

The way e-commerce transactions are captured and transferred to the entity's accounting system may affect such
matters as:

 The completeness and accuracy of transaction processing and information storage; The timing of the
recognition of sales revenues, purchases and other

 transactions, and
When it is relevant to the financial statement assertions, the auditor considers the controls governing the integration
of e-commerce transactions with internal systems, and the controls over systems changes and data conversion to
automate process alignment.
The Effect of Electronic Records on Audit Evidence

There may not be any paper records for e-commerce transactions, and electronic records may be more easily
destroyed or altered than paper records without leaving evidence of such destruction or alteration. The auditor
considers whether the entity's security of information policies, and security controls as implemented, are adequate to
prevent unauthorized changes to the accounting system or records, or to systems that provide data to the accounting
system.

The auditor may test automated controls, such as record integrity checks, electronic date stamps, digital signatures,
and version controls when considering the integrity of electronic evidence. Depending on the auditor's assessment of
these controls, the auditor may also consider the need to perform additional procedures such as confirming
transaction details or account balances with third parties (refer to PSA 505, "External Confirmations").