Audit Implications of Electronic Commerce
Electronic commerce introduces a new set of concerns for companies such as designing and
positioning a site to attract customers, making sales and purchase transactions secure, and ensuring
customer privacy. What are some of the control features an auditor should be looking for in order to
address these concerns? Highlight both technological controls as well as organizational controls.
DEFINING E-COMMERCE:
Ecommerce, also known as electronic commerce or internet commerce, refers to the buying and
selling of goods or services using the internet, and the transfer of money and data to execute
these transactions. Ecommerce is often used to refer to the sale of physical products online, but
it can also describe any kind of commercial transaction that is facilitated through the internet.
Whereas e-business refers to all aspects of operating an online business, ecommerce refers
specifically to the transaction of goods and services.
The history of ecommerce begins with the first ever online sale: on August 11, 1994, a man
sold a CD by the band Sting to his friend through his website NetMarket, an American retail
platform. This is the first example of a consumer purchasing a product from a business through
the World Wide Web—or “ecommerce” as we commonly know it today.
Since then, ecommerce has evolved to make products easier to discover and purchase through
online retailers and marketplaces. Independent freelancers, small businesses, and large
corporations have all benefited from ecommerce, which enables them to sell their goods and
services at a scale that was not possible with traditional offline retail.
There are four main types of ecommerce models that can describe almost every transaction that
takes place between consumers and businesses.
Examples of Ecommerce
Ecommerce can take on a variety of forms involving different transactional relationships
between businesses and consumers, as well as different objects being exchanged as part of
these transactions.
1. Retail:
The sale of a product by a business directly to a customer without any intermediary.
2. Wholesale:
The sale of products in bulk, often to a retailer that then sells them directly to consumers.
3. Dropshipping:
The sale of a product, which is manufactured and shipped to the consumer by a third party.
4. Crowdfunding:
The collection of money from consumers in advance of a product being available in order to
raise the startup capital necessary to bring it to market.
5. Subscription:
The automatic recurring purchase of a product or service on a regular basis until the subscriber
chooses to cancel.
6. Physical products:
Any tangible good that requires inventory to be replenished and orders to be physically shipped
to customers as sales are made.
7. Digital products:
Downloadable digital goods, templates, and courses, or media that must be purchased for
consumption or licensed for use.
8. Services:
A skill or set of skills provided in exchange for compensation. The service provider’s time can be
purchased for a fee.
EDI consists of the exchange of electronic documents between two companies. Effectively,
transactions and contracts are created through two interacting computer systems. EDI allows
organizations with dissimilar computing environments to exchange electronic business documents
without using paper.
What are the benefits of EDI?
Some obvious benefits are the elimination of paperwork, the reduction of document processing
costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There
are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the
costs.
The implications for auditors are the loss of audit trail resulting from the paperless environment and
lack of human intervention resulting in total dependence on the electronic system. These
characteristics significantly increase risk, making control assurance the key objective for EDI
environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for
example, through the use of software that allows tagging of transactions to trace their processing.
To control potential legal risks, businesses may require their trading partners to enter into trading
partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance
with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide
opinions on the EDI control environment. Such audit opinions may become mandatory, which will
likely encourage development of generalized control standards and criteria. Consequently, auditors
will have to be better trained in this emerging area of information technology.
10.6 Approaches To CIS Auditing
Changes in hardware and software have changed the conceptual approach to auditing. Computers
are used in two ways:
• As a tool of the auditor, aiding in the performance of the audit, such as printing confirmation requests.
• As the target of the audit, where data are submitted to the computer and the results are analyzed for
processing reliability and accuracy of the computer program.
Audit Trail
An audit trail is a situation where it is possible to relate, on a one-to-one basis, the original input
with the final output, i.e. tracing the details of processing between the input and the output. When
there is a significant visible audit trail, the auditor's work is not affected and he need not change his
approach to audit. Absence of an audit trail may be due to factors such as:
• Direct data entry into the system.
• Direct posting of transactions to master files.
• Elimination of reports, as information is supplied on-line.
The auditor may use special techniques to overcome the loss of, or changes in, the audit trail. Some
measures to overcome that loss of audit trail may include:
• Testing on a total basis.
• Programmed interrogation facilities.
• Arranging for special printouts containing additional information.
• Reliance on alternative tests.
Auditing Around the Computer (Black Box Approach)
Auditing around the computer involves arriving at an audit opinion through examining the internal
control system for a computer installation and the input and output only for application systems. On
the basis of the quality of the input and output of the application system, the auditor infers the quality
of the processing carried out. Application system processing is not examined directly. The auditor
views the computer as a black box.
The auditor can usually audit around the computer when either of the following situations applies to
application systems existing in the installation:
There are two major disadvantages to the approach. First, the type of computer system where it is
applicable is very restricted. It should not be used for systems having any complexity in terms of size
or type of processing. Second, the auditor cannot assess very well the likelihood of the system
degrading if the environment changes. The auditor should be concerned with the ability of the system
to cope with a changed environment. Systems can be designed and programs can be written in certain
ways so that a change in the environment will not cause the system to process data incorrectly or to
degrade quickly.
Auditing Through the Computer
In auditing through the computer, the auditor uses the computer to test: (a) the logic and controls
existing within the system and (b) the records produced by the system. Depending upon the complexity
of the application system being audited, the approach may be fairly simple or require extensive
technical competence on the part of the auditor.
There are several circumstances where auditing through the computer must be used:
The primary disadvantages of the approach are the high costs sometimes involved and the need for
extensive technical expertise when systems are complex. However, these disadvantages are really
spurious if auditing through the computer is the only viable method of carrying out the audit.
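As an added illustration (not part of these notes), the following Python sketch shows the audit-trail and auditing-through-the-computer ideas together: each input transaction carries an auditor's tag through every processing step, the auditor independently recomputes the expected result from a constructed test deck, and a control total relates the input to the output on a total basis. The order values, the tag names and the 10% bulk-discount rule are assumptions made for the example.

```python
from dataclasses import dataclass, field
from decimal import Decimal

@dataclass(frozen=True)
class Order:
    tag: str            # auditor's transaction tag, carried through every step
    qty: int
    unit_price: Decimal

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, tag, step, value):
        self.entries.append((tag, step, value))

    def trace(self, tag):
        # Programmed interrogation: follow one tag from input to output
        return [(step, value) for t, step, value in self.entries if t == tag]

def process_orders(orders, log):
    """Application logic under audit (assumed rule: 10% discount on 100+ units)."""
    invoices = {}
    for o in orders:
        gross = o.qty * o.unit_price
        log.record(o.tag, "input", gross)
        discount = gross * Decimal("0.10") if o.qty >= 100 else Decimal("0")
        log.record(o.tag, "discount", discount)
        invoices[o.tag] = gross - discount
        log.record(o.tag, "output", invoices[o.tag])
    return invoices

def expected_net(order):
    """Auditor's independent recomputation of the same rule (test-data approach)."""
    gross = order.qty * order.unit_price
    return gross - (gross * Decimal("0.10") if order.qty >= 100 else Decimal("0"))

def control_total_ok(orders, invoices):
    """Testing on a total basis: expected input total vs. processed output total."""
    return sum(expected_net(o) for o in orders) == sum(invoices.values())

# Constructed test deck: two ordinary orders and one crossing the discount threshold
TEST_DECK = [
    Order("T001", 5, Decimal("20.00")),
    Order("T002", 100, Decimal("2.50")),
    Order("T003", 1, Decimal("999.99")),
]

def run_audit(orders=TEST_DECK):
    """Run the test deck through the system and list tags whose output differs from expectation."""
    log = AuditLog()
    invoices = process_orders(orders, log)
    exceptions = [o.tag for o in orders if invoices[o.tag] != expected_net(o)]
    return invoices, log, exceptions, control_total_ok(orders, invoices)
```

Running `run_audit()` returns the invoices, the tagged log, an empty exception list and `True` for the control total; `log.trace("T002")` shows the input, discount and output steps for that one transaction.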
COBIT stands for Control Objectives for Information and Related Technology. It is a
framework created by ISACA (Information Systems Audit and Control Association)
for IT governance and management. It was designed to be a supportive tool for
managers, and it bridges the crucial gap between technical issues, business
risks, and control requirements. COBIT is a widely recognized guideline that can be
applied to any organization in any industry. Overall, COBIT supports the quality, control, and
reliability of information systems in an organization, which is also the most important
aspect of every modern business.
Benefits of COBIT
COBIT provides organizations with access to quality information that drives
optimal decisions and business goals. The latest version of COBIT integrates well with
existing frameworks such as ITIL and TOGAF, enabling organizations to use a
combination of tools according to specific tasks and practices.