Smi68292 App7e
APPENDIX 7E
AUDITORS
This appendix presents several topics related to auditing the financial statements of organizations that conduct business over the Internet. It first provides an overview of the effects of e-commerce on the auditee's business processes and risks. It then discusses specialized technical considerations related to the security of payments made over the Internet. Finally, it outlines the impact e-commerce activities have on the conduct of the audit and the need to use IT audit experts on the engagement.
Describe the effects of e-commerce activities on an auditee's business processes and risks.
Electronic commerce is a term coined by Benjamin Wright in a landmark book titled The Law of Electronic Commerce, which examines the legal implications of rapidly developing electronic messaging technology. Wright's work has influenced the CICA's Technology Task Force, and he was invited to write a chapter in the second edition of EDI for Managers and Auditors. We define electronic commerce (e-commerce) broadly here as any trade that takes place by electronic means. An important part of e-commerce is business-to-business (B2B) trade, in which companies use the Internet to buy from and sell to each other. This activity has been greatly facilitated by the growing use and power of the Internet, a public network of computers that has grown at an explosive rate and promises to turn much of the business world into electronic commerce in its broadest sense. "The Internet is a public communication system [that is] universally accessible and unregulated. It is a worldwide network of computers that communicate with each other using cables and wireless transmission. The World Wide Web (WWW) or Web is a part of the Internet in which users can exchange graphics, audio, video, and software as well as the more traditional text and databases that were part of the original Internet."3 The Web is at the heart of the Information Highway being discussed just about everywhere. The Internet already profoundly affects PAs. One of the most important ways is that it brings vast amounts of information to the computer screen.
For example, available on the Net are financial and other information on clients, regulatory filings, legislative proceedings, legal information, information on client companies (provided either by the companies themselves or by stock trader information services such as Motley Fool), currency exchange rates, software downloads, university research materials, and professional forums for exchanging information, and these are just a few of the resources for PAs. The entire CICA Handbook, professional engagement manuals, and other PA practice guidance resources can be accessed online by subscribers. (We have indicated useful online information sources for PAs in the end covers and in various chapters throughout this text.) To take advantage of the Internet's information potential, PAs use browser software such as Internet Explorer or Mozilla Firefox to retrieve and display web pages, and a search engine or intelligent agent, Google for example, to locate specific information
using titles or document headers, entire documents, or directories. Such tools have been made necessary by the rapid proliferation, abandonment, and obsolescence of websites. Our focus here, however, is on how the Internet affects electronic business. So far the most important applications have been in what are called business-to-business (B2B) transactions. There are now many B2B websites to choose from: different types of auctions, trading pits, virtual malls, as well as more traditional offline intermediaries. The B2B marketplace provides fast, efficient (low-cost), and effective worldwide trading networks for nearly every conceivable product and service; there are as many B2B sites as there are markets and industries. B2B sites are particularly useful in dealing with sudden changes in demand or supply caused by unpredictable events such as strikes or other disruptions. For all these reasons, the traditional relationship-based model, in which commercial buyers and sellers deal with an established pool of suppliers and customers, is being replaced by B2B relationships. In particular, B2B on the Internet is replacing the more complex, rigid, hierarchical, and expensive electronic data interchange (EDI) of the 1990s. Exhibit 7E1 provides an overview of a special type of B2B transaction, electronic funds transfer (EFT), which completes the automation of the sales/collection and purchases/payments cycles.
EXHIBIT 7E1 Electronic funds transfer (EFT) between trading partners
[Figure: the diagram shows the flow of EFT messages through each party's electronic mailbox. Labels recovered from the page: Electronic mailbox (two instances), Payment order, Payment advice, Acknowledgment of receipt, Acknowledgment.]
In addition to B2B e-commerce, consumer-related transactions of various types are also very common. The Economist magazine identified three segments of consumer-oriented e-commerce: ". . . business-to-consumer (B2C), consumer-to-business (C2B), and consumer-to-consumer (C2C). The first embraces normal retail activities on the Web, such as bookselling by Amazon.com. . . . The second, as yet smaller, takes advantage of the Internet's power to drive transactions the other way round: would-be passengers bidding for airline tickets on Priceline.com. . . . The third covers the new fashion for consumers' auctions, epitomized by the auction site eBay.com."4
Generally, "low touch" goods such as software, tickets, financial services, and any content that can be put in digital form (for example, music, film, books) and delivered over the Internet have been more successfully sold to consumers than "high touch" goods (for example, clothes, groceries, cars), although this may change over time. A CICA study authored by G. Trites lists the following reasons for the success of e-commerce:
1. low cost of transacting business
2. reach to new markets and customers
3. growing access to the Internet
4. development of sound security infrastructures
5. development of secure, convenient payment systems5
Examples of the magnitude of savings possible with the Internet: traditional booking of an airline ticket costs $8, versus $1 for an electronic ticket booked directly with the airline. Another example is banking: a traditional transaction through a branch costs about $1, whereas a transaction processed over the Internet costs about one penny. New markets and consumers can be reached through data mining, which allows creation of customer profiles and customized marketing: "Everything can be recorded: not just every transaction, but which web pages a customer visits, how long he spends there and what banner ads he clicks on."6 Conversely, customers can use intelligent agents or navigators to find the best buys on the Internet. Such agents can also act as infomediaries, addressing customers' concerns about privacy and security. All this contributes to what Bill Gates calls "frictionless capitalism." To better reflect these profound changes in the business world, the term e-commerce is being replaced by the even broader concept of e-business. E-commerce can be described as the procurement and distribution of goods and services over the Internet using IT. The more encompassing term, e-business, includes all activities carried out by a business via the Internet. This definition extends beyond e-commerce to include the exchange of information not related to the actual buying and selling of goods, for example, providing customer support or recruiting employees over the Internet. The most recent trends in e-business include collaborative business, in which customers and suppliers collaborate to design and deliver services and products as part of a larger corporate strategy. Another advance is mobile business models based on wireless communications, which create additional strategic opportunities and, because of the wireless elements, additional control and security issues.
A good way to characterize the progress of e-business development in a firm is through the capabilities of the firm's website. This is summarized in Exhibit 7E2, which views e-business as an evolutionary process reflecting the experience of many firms. In the first phase, the firm's website provides information about the firm, acting as a shop window or catalogue for browsing; information flows in only one direction. In the second phase, the customer has limited interaction with the website, for example, checking on the availability of goods and services. The third phase is the e-commerce phase, in which the website's applications allow the procurement of goods and services and thereby create financial transactions: customers place orders and make payments electronically, frequently by credit card. The e-business phase is the complete integration of Internet-based purchase of goods and services with the other parts of the firm's IT system.
5 Trites, G., Strategic Internet Commerce, CICA, 1999, p. 56.
6 The Economist, February 26, 2000, p. 12.
EXHIBIT 7E2 Phases of e-business development
[Figure: the level of application sophistication is plotted against the firm's maturity/experience, rising through four phases: Website, E-Communication, E-Commerce, E-Business.]
Source: International Federation of Accountants, Financial Reporting on the Internet, August 2002, p. 5.
Many business models have evolved on the wide-open Internet. In addition to B2B, B2C, and C2C discussed previously, other models include business to employee (typically a system enabling intercompany, or intragroup, emails over the Internet to be directed to the correct department), business to government (electronic submission of corporate tax returns and regulatory filings), and customer to government (electronic submission of individual tax returns). It is evident that the Internet and IT have affected all aspects of the business world and its management. What auditors are mainly concerned with, however, is the security of IT processing, especially as it affects the accuracy and reliability of the accounting function. IT is evolving rapidly. The International Federation of Accountants suggests it is useful to look at IT in terms of three elements: IT business processes, IT applications, and IT infrastructure. IT business processes are the operations of the business in which IT is used. IT applications are the application software those processes run on. IT infrastructure comprises all the technical resources necessary for the operation of the IT system, for example, hardware, operating system software, and the communications facilities that support internal and external networks. The IT control system governs how these elements operate together to achieve their objectives while reducing risk to a tolerable level, and is part of the internal control system.
IT Risks and e-Commerce
Here we briefly review the major risks facing IT systems and the key concepts of e-business associated with these risks. In the following section we take a closer look at audit issues associated with a key IT application that affects even the smallest businesses: e-business credit card payment mechanisms. Lack of confidentiality is the inability to keep information private, for example, credit card numbers or other critical information. This is a key risk for e-business because studies have shown that concern about the security of credit card information is the single biggest barrier to using credit cards to conduct business on the Internet. The most effective technology for protecting confidentiality is encryption. Encryption is the conversion of data
to make it unreadable (scrambled data) except by someone holding the appropriate key. In a public-key system each party has a pair of mathematically related keys, and whatever one key encrypts only the other can decrypt. One key is published and the other kept private, and the two are used for two distinct purposes. For confidentiality, a sender S encrypts a message under the receiver R's public key; only R, who holds the matching private key, can decrypt it (unscrambled data). For authentication, S instead transforms the message (in practice, a hash of it, as described below) with S's own private key; R, or anyone else, can check the result with S's public key, and because only S holds that private key, a successful check shows that S originated the message. Security efforts therefore focus on protecting the private keys, which never have to be distributed.7 As we will see, effective authentication of transactions is very important. A digital signature is this second use of the key pair: it binds the message originator to the exact contents of a message. Each signer needs a private key that no one else holds, because only a key unique to an individual can be attributed to that individual. Digital signatures act like handwritten signatures on hard-copy contracts, which bind the contents of the document to the person who signed it. Lack of message integrity means the message has been altered, intentionally or unintentionally, in some way. Message integrity controls give the sender and receiver assurance that the message received is exactly what the originator sent. A primary way to control integrity risk is hashing, where a hash acts like a type of check digit: a short code computed from the entire message by a published algorithm and sent along with it. The receiver recomputes the hash from the received message and compares it with the hash that accompanied it; any difference shows the message was altered in transit. A hash on its own detects only accidental corruption, since an intruder who alters a message can simply recompute the hash to match. Hashing is therefore normally combined with encryption, most usefully by having the originator sign the hash, so that no one else can produce a matching value for an altered message. Authentication is a way of verifying that a sender is who he or she claims to be.
Authentication can be achieved through password controls, personal identification numbers (PINs), badges, digital signatures as discussed above, or other identification such as that based on physical features like photos, fingerprints, and voice recognition (biometrics). Risk of repudiation arises when a party to a transaction later denies having authorized it and therefore refuses to honour the contract. This risk is reduced in a well-designed e-business system through nonrepudiation evidence: a system of controls documenting proof of origin, proof of receipt, and proof of content. These objectives are achieved through digital signatures; certification authorities that issue certificates binding an individual or organization to the public key used to verify that party's digital signatures; and confirmation services that attest to message contents and the exact time a message is sent and received. Together these controls provide convincing evidence to support nonrepudiation, and thus the validity of transactions, in an e-business environment. For example, the existence objective in the recognition of sales and receivables is supported by nonrepudiation evidence in the form of reconciliations of confirmations sent to confirmation services and certification authorities (substantive tests), and by testing that recorded transactions carry valid digital signatures (compliance tests). The concepts of compliance and substantive tests and their basic objectives remain the same; only the form of the evidence has changed. Access controls limit access to data and systems to authorized users only. Some form of authentication procedure is typically used to restrict access to specific parts of the system. An important type of access control is the firewall: a set of techniques used to limit and control access to hardware, software, and data by users outside the firm's network.
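The two controls just described, a hash for integrity and a digital signature for authentication and nonrepudiation, can be seen side by side in the following Python example. It is an added illustration for this appendix, not code from the textbook or from any vendor: the RSA key pair is a fixed, assumed key built from two well-known primes, the payment messages are constructed, and the signature scheme is textbook RSA over a SHA-256 hash without padding, which is suitable only for teaching.

```python
"""Hash for integrity, digital signature for authentication and nonrepudiation.

Added illustration for this appendix; not code from the textbook. It uses only
the Python standard library. The RSA modulus is built from two known Mersenne
primes so the key is fixed and reproducible, and the signature is textbook RSA
over a SHA-256 hash with no padding. That is enough to see how the pieces fit
together and is NOT safe for real use: production code should use a vetted
library (RSA-PSS or Ed25519) rather than this.
"""
import hashlib

# Sender S's key pair. P and Q are the Mersenne primes 2^89-1 and 2^127-1,
# so N is about 216 bits. Assumed values chosen for the example only.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q                        # public modulus
E = 65537                        # public exponent (coprime to PHI)
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)              # private exponent: S keeps this secret


def sha256_hex(message: bytes) -> str:
    """Plain hash: catches accidental alteration, but anyone can recompute it."""
    return hashlib.sha256(message).hexdigest()


def hash_check_passes(message: bytes, received_hash: str) -> bool:
    """Receiver's integrity check when only a hash accompanies the message."""
    return sha256_hex(message) == received_hash


def _representative(message: bytes) -> int:
    """Map the 256-bit hash into Z_N (N is ~216 bits, so reduce mod N)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D) -> int:
    """S transforms the hash of the message with S's private key."""
    return pow(_representative(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """R undoes the transform with S's public key and compares with a fresh hash."""
    return pow(signature, public_exponent, N) == _representative(message)


def demo() -> dict:
    """Run both controls against an in-transit alteration. Messages are constructed."""
    original = b"Payment order: 1,000.00 CAD to account 123-456"
    tampered = b"Payment order: 9,000.00 CAD to account 999-999"

    # Hash only: the intruder alters the message and recomputes the hash,
    # so the receiver's check passes and the alteration goes unnoticed.
    hash_only_catches_intruder = not hash_check_passes(tampered, sha256_hex(tampered))

    # Signature: S signed the original. The intruder holds no private key, so
    # the only signature available is S's, and it does not verify on the altered text.
    sig = sign(original)
    return {
        "hash_only_catches_intruder": hash_only_catches_intruder,  # False
        "original_verifies": verify(original, sig),                 # True
        "tampered_verifies": verify(tampered, sig),                 # False
    }
```

The point to take from demo(): an intruder who alters a hash-only message can recompute the hash so that the receiver's check still passes, while S's signature fails to verify on the altered text and the intruder cannot produce a replacement without S's private key. Real systems sign with a padded scheme such as RSA-PSS or a modern algorithm such as Ed25519 through a maintained library, never with bare RSA as shown here.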
The problem is to develop selective access so that data can be shared with appropriate partners outside the organization in accordance with the objectives of the e-business. The basic objective of firewall controls is to allow employees in the corporate network to access resources on other networks (such as the Internet) while preventing unauthorized users on those networks from reaching systems inside the firm's network. Firewalls are normally layered to provide the most security for the most sensitive data. There might be a level that allows a certain amount of Internet access, another level that allows the data access necessary to engage in e-business with outsiders, and a third level to protect the most
sensitive and confidential data, restricted only to key personnel, for example, medical information on employees or grade information on students at a university. Each firewall or level represents another barrier to a hacker or other intruder trying to reach sensitive data or programs. The resources devoted to firewalls should be commensurate with the risks associated with the various threats. Each firewall layer adds to the cost, and to the response time for parties interacting with the firm's site, so there are definite trade-offs between the level of access security and the cost of obtaining it, just as in designing any internal control system. A major threat to firewalls is remote log-in by telecommuting employees. Many home and laptop computers do not have personal firewall software installed, which creates a weak link hackers can use to get behind the corporate firewall. Features of a good firewall include, but should not be limited to: audit logs for monitoring traffic and highlighting suspicious activity; a default-deny capability that blocks all services except those explicitly permitted by policy; authentication controls that allow reliable verification of a message's source; and filtering that examines each incoming message and either forwards it to the intended recipient or drops it, according to the firm's policy. The use of laptops with wireless communication for access creates new security risks. Firewalls can be complex, and therefore need to be well documented in case the original designer or those who later modified the system are no longer available; maintenance of the firewall system can thus represent a major security problem. It should also be noted that firewalls do not protect the firm from abuses by employees within the organization. People are usually the weakest link in security controls. These risks need to be addressed by additional security measures such as stronger user-authentication controls and separation of duties enforced through password and physical controls.
It should be noted that these controls are largely general controls, which affect many specific applications. General controls are necessary to support reliable functioning of the applications. As a consequence, the audit strategy in e-business systems is first to evaluate the general controls and then to consider the appropriate application controls and their effect on the transaction cycles. In the next section we review the application controls of specific e-business payment mechanisms involving credit cards. These have a primary impact on the sales and collection and purchases and payments cycles of e-business firms.
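The layered, default-deny design described above is easier to reason about when it is written down as a policy. The following Python example, added here and not part of the textbook, models three firewall layers and evaluates a handful of constructed packets against them, logging every decision for later review. The zone names, ports and rule names are assumptions for the illustration; a real firewall would express the same policy in its own rule syntax.

```python
"""Layered, default-deny firewall policy with an audit log.

Added example for this section, not from the textbook. It models the three
layers the text describes (public Internet access, partner data access for
e-business, and a restricted zone for the most confidential data) as a chain
of rule sets. Zones, ports and the sample traffic are constructed.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List

# How deep inside the firm each zone sits. Traffic crosses one firewall layer
# for every boundary between its source depth and destination depth.
DEPTH = {"internet": 0, "partner": 0, "dmz": 1, "internal": 2, "restricted": 3}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int
    authenticated: bool = False   # e.g. VPN log-in or client certificate present


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                 # "*" matches any zone
    dst_zone: str
    dst_ports: FrozenSet[int]     # empty = any port
    require_auth: bool = False    # allow only authenticated sources

    def matches(self, p: Packet) -> bool:
        return (self.src_zone in ("*", p.src_zone)
                and self.dst_zone in ("*", p.dst_zone)
                and (not self.dst_ports or p.dst_port in self.dst_ports)
                and (not self.require_auth or p.authenticated))


@dataclass
class Firewall:
    name: str
    allow_rules: List[Rule]                       # anything not listed is denied
    audit_log: List[str] = field(default_factory=list)

    def decide(self, p: Packet) -> str:
        for r in self.allow_rules:
            if r.matches(p):
                self.audit_log.append(f"{self.name}: ALLOW {p} (rule: {r.name})")
                return "allow"
        # Default deny, and log it: denied traffic is what a reviewer looks for.
        self.audit_log.append(f"{self.name}: DENY {p} (no matching policy)")
        return "deny"


def build_layers() -> List[Firewall]:
    """Outer, inner and restricted layers; layer i guards the boundary i -> i+1."""
    outer = Firewall("outer", [
        Rule("public web", "internet", "dmz", frozenset({80, 443})),
        Rule("partner B2B", "partner", "dmz", frozenset({443}), require_auth=True),
        Rule("staff egress", "internal", "internet", frozenset({80, 443})),
    ])
    inner = Firewall("inner", [
        Rule("web tier to database", "dmz", "internal", frozenset({5432})),
        Rule("staff egress", "internal", "internet", frozenset({80, 443})),
    ])
    restricted = Firewall("restricted", [
        Rule("key personnel only", "internal", "restricted", frozenset({443}),
             require_auth=True),
    ])
    return [outer, inner, restricted]


def evaluate(p: Packet, layers: List[Firewall]) -> str:
    """Every layer between source and destination must allow the packet."""
    lo, hi = sorted((DEPTH[p.src_zone], DEPTH[p.dst_zone]))
    crossed = layers[lo:hi]                       # empty when both are in one zone
    inbound = DEPTH[p.src_zone] < DEPTH[p.dst_zone]
    for fw in (crossed if inbound else reversed(crossed)):
        if fw.decide(p) == "deny":
            return "deny"                         # stop at the first refusing layer
    return "allow"


def demo() -> dict:
    layers = build_layers()
    traffic = {
        "customer to web shop":       Packet("internet", "dmz", 443),
        "internet straight to vault": Packet("internet", "restricted", 443),
        "partner without login":      Packet("partner", "dmz", 443),
        "partner with login":         Packet("partner", "dmz", 443, authenticated=True),
        "web tier to database":       Packet("dmz", "internal", 5432),
        "web tier ssh to internal":   Packet("dmz", "internal", 22),
        "key staff to vault":         Packet("internal", "restricted", 443, authenticated=True),
        "other staff to vault":       Packet("internal", "restricted", 443),
        "staff browsing":             Packet("internal", "internet", 443),
    }
    decisions = {name: evaluate(p, layers) for name, p in traffic.items()}
    denied = [line for fw in layers for line in fw.audit_log if "DENY" in line]
    return {"decisions": decisions, "denied_events": len(denied)}
```

Two properties of the model match the text: a request from the Internet straight to the restricted zone never gets past the outer layer, because nothing in that layer's policy permits it, and every refusal lands in an audit log that someone independent of IT can review. Adding a layer also adds a rule set to maintain and a hop to traverse, which is the cost and response-time trade-off the section describes.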
Explain how the security of credit card payments is ensured by an organization involved in e-commerce.
E-business, even for the smallest companies, has been greatly facilitated by the transmission of credit card information over the Internet. This is an especially important topic for B2C transactions. The primary concern is the security of transmission of the individual messages containing the credit card information. While the Internet has greatly facilitated communications through its smooth, easy-to-use operation, it was designed for flexibility and openness to everyone; security, in particular, was not a top priority in its design. To obtain the security needed for commercial applications, special communication protocols and additional infrastructure have evolved and are still evolving. We describe two such protocols that have been used to process credit card information: Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET). (SSL has since been superseded by Transport Layer Security, TLS, which for the purposes of this discussion works the same way.) Both SSL and SET are transmission protocols with strong confidentiality features based on encryption. However, SSL's authentication feature is weaker: it authenticates the merchant's server to the cardholder by means of a server certificate, but as normally deployed it does not authenticate the cardholder to the merchant. Both protocols were developed by private organizations, but SET is much more broadly based, including the major credit card companies. SET is designed to support secure e-business with the following objectives:
1. provide confidentiality of information
2. ensure payment integrity
3. authenticate both merchants and cardholders
4. interoperate with other protocols (SET specifications, 1997).
The last objective, interoperability, is a necessary condition of data sharing on the Internet. It is defined as the capability for applications running on different computers to exchange information and cooperatively use that information. Interoperability requires a degree of compatibility for physical data transfer and controls for representing the message content. Protocols are standardized methods of communicating and transmitting data between telecommunication devices. The most widely used protocols on the Internet are the Transmission Control Protocol and Internet Protocol (TCP/IP). These protocols allow the creation of sites and links in the network that can be interpreted and read by users with different types of hardware and software. The nodes of the Internet use packet switching standards, which are the basis of today's data transfer methods. Packets are groups of data that include a part of the message text, the destination address, the source address, and the protocol used. SET provides more security features for authentication because it allows cardholder as well as merchant authentication through the use of digital signatures and certificates. Also included in the SET protocol are methods to track individual merchandise and transaction totals, as well as merchant credit policies. Essentially, SET extends many of the features of EDI/EFT to the Internet, allowing even the smallest companies to obtain many of these security features. But these additional features require additional infrastructure and processing capabilities, especially in getting agreements between credit card companies, financial institutions, merchants, and the general public. These additional complexities and costs have slowed the adoption of SET. SSL, which provides less security, is lower in cost, and so far this trade-off has resulted in much more widespread acceptance of SSL.
Because of the weaker security features of SSL, auditors will tend to do more substantive work in SSL systems, especially as it relates to the validity of transactions. This is especially important in light of the new fraud standards that explicitly require auditors to treat improper revenue recognition as a fraud risk on every engagement. This will likely mean higher assessed fraud risks for merchants using SSL systems. Internet vendors that want to advertise their conformity with SET control requirements and objectives are allowed to use a SET logo on their site if they meet certain criteria. The main requirement is to pass compliance testing of the site's security controls, performed by a SET compliance administrator using test data. Less extensive reviews are performed every year to renew the logo. Internet merchants using the logo must be able to demonstrate that all software used by the site is SET compliance approved. This illustrates the increased importance of third-party assurance in the evolving world of e-business, and the increasing importance of compliance testing in providing assurance in the e-business environment. It should be clear by now that audits of SSL and SET systems, like audits of e-business in general, require increased reliance on internal controls, especially the general controls of IT. Because of this increased importance of internal controls, and because electronic records may exist for only a short period depending on the client's backup and retention policies, auditors are less likely to rely on substantive tests for all their assurance in e-business environments. In addition, increased auditor responsibility for detecting fraudulent reporting puts greater weight on reliance on internal controls and less on substantive tests. Thus, for SSL and SET systems, auditors will need to compliance test the authentication, access, and confidentiality controls.
This may need to be done on a continuous basis. Substantive procedures would include reconciling records of electronic funds transfers with bank statements, as well as other substantive procedures such as confirming receivables and testing the validity of sales, purchases, receivables, and payables, as discussed in Chapters 9 and 10. The main difference in e-business systems is that both substantive and compliance testing may need to be done on a continuous and ongoing basis. Also,
since auditing standards in Canada and internationally are now putting increased stress on the existence of revenues and related receivables due to concerns about improper revenue recognition fraud risk, authentication controls will become more important and increase the need for testing these controls.
EXHIBIT 7E.3 SET payment flow
[Figure: the diagram shows the cardholder giving a payment instruction, with both the order and the payment instructions carrying digital signatures.]
Outline how e-commerce affects the conduct of the audit and use of IT experts on the audit team.
Web-based infrastructures for doing business are readily available on the Internet for even the smallest clients. This means that information technology sophistication is independent of the size of the business. For example, many e-business consultants offer a start-to-finish process for launching a business online, including registering a domain for the organization, creating email addresses, building or editing a website, selling products or services online, and managing or monitoring site activity. Typically, the sites rely on links to accounting software for financial recordkeeping, and to database software for collecting data such as orders entered on electronic forms by site visitors. Stored and emailed content can be protected with widely used encryption standards such as PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions), while the web sessions themselves rely on SSL/TLS as discussed above. Although the specific details will change with the rapidly changing technology, e-business IT has several broad effects on auditors. First, auditors should expect to encounter IT systems and electronic records rather than paper-based documents on all audits. Second, audit strategy will increasingly be affected by the need to place more reliance on internal controls. This increased reliance arises because the quality of audit evidence will be very dependent on the controls the business maintains over the accuracy and completeness of its records, and because electronic records are frequently transitory in many systems. For traditional businesses, the auditor's consideration of internal control typically involves updating prior-year checklists, questionnaires, and procedural narratives. Using a
traditional approach for e-business clients would be insufficient because, in the e-business environment, almost all of the evidence of transactions is electronic. Critical records may consist of email, database records, electronic documents, spreadsheets, and server logs. In addition, e-business transactions are subject to intentional and unintentional alteration and manipulation at many points between transaction initiation and summarization in the financial statements. Because e-businesses generally lack much of the physical evidence found in audits of traditional businesses, your approach to understanding internal controls when planning the e-business audit and determining the nature and extent of the substantive tests must take this into account. A major consideration for auditors is the credibility of the evidence obtained. For e-business audits, there may be few or no physical documents to examine. Without testing the internal controls surrounding the electronic evidence (for example, controls over generation, storage, manipulation, and transmission), the auditor may not recognize a lack of credibility. (AICPA, Audit Risk Alerts: E-Business Industry Developments 2001/02, AICPA, 2001, 34 and 39) In particular, in e-business, IT auditors will need to put more emphasis on understanding software controls. Important software controls include digital signatures, server certificates to authenticate the parties to a transaction, and monitoring via firewalls, web servers, databases, and operating systems. A log of transactions and security events helps establish the validity of transactions, especially if someone independent of IT reviews the log for unusual or suspicious events. This shows that traditional segregation of duties remains an important feature of even the most modern IT systems. Auditors should look for separation of the security administration, systems administration, and software modification functions.
Authorization for access to selected software, data, and hardware should be given only to authenticated users, in conformity with their job responsibilities. All electronic records should be sequentially numbered to control for completeness, just as in a manual system. Thus, internal control for e-business IT has important manual as well as software components. The overall objective of the transaction controls remains the same: assurance that the occurrence and measurement assertions are not materially misstated. Another key issue in e-commerce audits is identifying the boundaries of the control system under audit. B2B transactions are frequently highly integrated with other organizations such as suppliers or customers; this integration is what creates the efficiencies that make B2B so attractive economically. However, if transactions can be initiated automatically between customers' and suppliers' computers, the auditor needs assurance that the initiator of a transaction is dealing with the intended party's computer (for example, that the website you visit belongs to a legitimate business and is not a scam set up to harvest credit card information). Digital signatures deal with repudiation or alteration of the records that initiate a transaction, but a different control assurance is needed by the initiator of a transaction, whose problem is identifying trustworthy partners. This assurance is addressed by an independent auditor's report or seal of approval on the controls at the other party, a special type of assurance engagement associated with e-business that is covered in Chapter 16. While some control elements of e-business, like segregation of duties and sequentially numbered transactions, are similar to those in a manual system, the monitoring, authentication, and authorization controls can take new forms, such as firewalls, digital signatures, and certification authorities.
IT specialists may be required to perform appropriate IT control and substantive testing. Because the entire financial reporting process exists only in electronic form, it is not sufficient for e-commerce auditors to look at copies of the output. Journal entries may be made directly online or in batch mode from physical documents. Auditors will need to become familiar with the design of any controls over journal entries and other adjustments, and learn whether these controls have been placed in continuous operation. Auditors will need more extensive access to the e-business system. This leads to the concept of continuous auditing, which is covered in more advanced IT auditing courses.
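Two of the controls named in this section, sequential numbering for completeness and separation of the security administration, systems administration and software modification functions, are simple to test mechanically once the records are electronic. The Python example below, added here and not taken from the textbook, runs both tests over a constructed transaction log and a constructed extract of role assignments, and also picks out entries posted by a person rather than the application for independent review; the field layout, user names and role names are assumptions for the illustration.

```python
"""Two audit tests over electronic records: sequence completeness and
segregation of duties, plus a list of manual postings for log review.

Added example for this section, not from the textbook. The transaction log
and the role assignments are constructed for the illustration; in practice
they would be extracted from the client's application and access-control
systems.
"""
from collections import Counter
from typing import Dict, List, Set, Tuple

Record = Tuple[int, str, float]   # (sequence number, posted by, amount)

# Constructed sales log: 1004 is missing, and 1006 was posted twice, the
# second time by a person rather than the sales application.
SAMPLE_LOG: List[Record] = [
    (1001, "sales_app", 250.00),
    (1002, "sales_app", 99.95),
    (1003, "sales_app", 1200.00),
    (1005, "sales_app", 45.00),
    (1006, "sales_app", 310.00),
    (1006, "jdoe", 310.00),
    (1007, "sales_app", 75.50),
]

# The three functions the text says should be held by different people.
INCOMPATIBLE_ROLES = {"security_admin", "systems_admin", "software_change"}

# Constructed access-control extract: user -> roles held.
SAMPLE_ROLES: Dict[str, Set[str]] = {
    "alice": {"security_admin"},
    "bob": {"systems_admin", "software_change"},
    "carol": {"software_change", "sales_clerk"},
    "dave": {"security_admin", "systems_admin", "software_change"},
}


def sequence_exceptions(records: List[Record]) -> Tuple[List[int], List[int]]:
    """Completeness test: numbers missing from the range, and numbers used twice."""
    numbers = [seq for seq, _, _ in records]
    counts = Counter(numbers)
    expected = range(min(numbers), max(numbers) + 1)
    gaps = [n for n in expected if n not in counts]
    duplicates = sorted(n for n, c in counts.items() if c > 1)
    return gaps, duplicates


def manual_postings(records: List[Record],
                    system_ids: Set[str] = frozenset({"sales_app"})) -> List[Record]:
    """Entries posted by a person rather than the application: flag for review."""
    return [r for r in records if r[1] not in system_ids]


def segregation_conflicts(roles: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Users holding more than one of the incompatible functions."""
    return {user: sorted(held & INCOMPATIBLE_ROLES)
            for user, held in roles.items()
            if len(held & INCOMPATIBLE_ROLES) > 1}


def audit_summary() -> dict:
    """Run all three tests over the constructed data and return the exceptions."""
    gaps, dups = sequence_exceptions(SAMPLE_LOG)
    return {
        "gaps": gaps,
        "duplicates": dups,
        "manual_postings": manual_postings(SAMPLE_LOG),
        "sod_conflicts": segregation_conflicts(SAMPLE_ROLES),
    }
```

Each exception the summary returns corresponds to an assertion the auditor cares about: a gap or duplicate in the sequence bears on completeness and occurrence, a manual posting into an otherwise automated stream is the "unusual event" a reviewer independent of IT should look at, and a user holding two of the three incompatible functions defeats the segregation the text calls for.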