Audit Implications of Electronic Commerce


Electronic commerce introduces a new set of concerns for companies such as designing and
positioning a site to attract customers, making sales and purchase transactions secure, and ensuring
customer privacy. What are some of the control features an auditor should be looking for in order to
address these concerns? Highlight both technological controls as well as organizational controls.

DEFINING E-COMMERCE:
Ecommerce, also known as electronic commerce or internet commerce, refers to the buying and
selling of goods or services using the internet, and the transfer of money and data to execute
these transactions. Ecommerce is often used to refer to the sale of physical products online, but
it can also describe any kind of commercial transaction that is facilitated through the internet.

Whereas e-business refers to all aspects of operating an online business, ecommerce refers
specifically to the transaction of goods and services.

The history of ecommerce begins with the first ever online sale: on August 11, 1994 a man
sold a CD by the band Sting to his friend through his website NetMarket, an American retail
platform. This is the first example of a consumer purchasing a product from a business through
the World Wide Web—or “ecommerce” as we commonly know it today.

Since then, ecommerce has evolved to make products easier to discover and purchase through
online retailers and marketplaces. Independent freelancers, small businesses, and large
corporations have all benefited from ecommerce, which enables them to sell their goods and
services at a scale that was not possible with traditional offline retail.

Global retail ecommerce sales are projected to reach $27 trillion by 2020.

Types of Ecommerce Models

There are four main types of ecommerce models that can describe almost every transaction that
takes place between consumers and businesses.

1. Business to Consumer (B2C):
When a business sells a good or service to an individual consumer (e.g. You buy a pair of
shoes from an online retailer).

2. Business to Business (B2B):
When a business sells a good or service to another business (e.g. A business sells
software-as-a-service for other businesses to use).

3. Consumer to Consumer (C2C):
When a consumer sells a good or service to another consumer (e.g. You sell your old furniture
on eBay to another consumer).

4. Consumer to Business (C2B):
When a consumer sells their own products or services to a business or organization (e.g. An
influencer offers exposure to their online audience in exchange for a fee, or a photographer
licenses their photo for a business to use).

Examples of Ecommerce
Ecommerce can take on a variety of forms involving different transactional relationships
between businesses and consumers, as well as different objects being exchanged as part of
these transactions.

1. Retail:
The sale of a product by a business directly to a customer without any intermediary.

2. Wholesale:
The sale of products in bulk, often to a retailer that then sells them directly to consumers.

3. Dropshipping:
The sale of a product, which is manufactured and shipped to the consumer by a third party.

4. Crowdfunding:
The collection of money from consumers in advance of a product being available in order to
raise the startup capital necessary to bring it to market.

5. Subscription:
The automatic recurring purchase of a product or service on a regular basis until the subscriber
chooses to cancel.

6. Physical products:
Any tangible good that requires inventory to be replenished and orders to be physically shipped
to customers as sales are made.

7. Digital products:
Downloadable digital goods, templates, and courses, or media that must be purchased for
consumption or licensed for use.

8. Services:
A skill or set of skills provided in exchange for compensation. The service provider’s time can be
purchased for a fee.

EDI (Electronic data interchange)

EDI consists of the exchange of electronic documents between two companies. Effectively,
transactions and contracts are created through two interacting computer systems. EDI allows
organizations with dissimilar computing environments to exchange electronic business documents
without using paper.

What are the benefits of EDI?

Some obvious benefits are the elimination of paperwork, the reduction of document processing
costs, access to more information on a timely basis, and increased accuracy of recordkeeping. There
are some drawbacks as well, but the increasing use of EDI suggests that the benefits outweigh the
costs.

How do EDI transactions affect the auditor’s work?

The implications for auditors are the loss of audit trail resulting from the paperless environment and
lack of human intervention resulting in total dependence on the electronic system. These
characteristics significantly increase risk, making control assurance the key objective for EDI
environments. Auditors, in turn, need to monitor EDI controls throughout the period under audit, for
example, through the use of software that allows tagging of transactions to trace their processing.

To control potential legal risks, businesses may require their trading partners to enter into trading
partner agreements (TPAs). TPAs frequently include an obligation to report and disclose compliance
with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide
opinions on the EDI control environment. Such audit opinions may become mandatory, which will
likely encourage development of generalized control standards and criteria. Consequently, auditors
will have to be better trained in this emerging area of information technology.

10.6 Approaches To CIS Auditing

Changes in hardware and software have changed the conceptual approach to auditing. Computers
are being used in two ways:
• As a tool of the auditor aiding in the performance of the audit, such as printing confirmation requests.
• As the target of the audit, where data are submitted to the computer and the results are analyzed for
processing reliability and accuracy of the computer program.

Audit Trail

An audit trail is a situation where it is possible to relate, on a ‘one-to-one’ basis, the
original input with the final output, i.e. tracing the details of processed
between the input and the output. When there is a significant visible audit trail,
the auditor’s work is not affected and he need not change his approach to
audit. Absence of an audit trail may be due to factors such as:
• Direct data entry into the system.
• Direct posting of transactions to master file.
• Elimination of reports as information is supplied on-line.

The auditor may use special techniques to overcome the loss of or changes in the
audit trail. Some measures to overcome that loss of audit trail may include:
• Testing on total basis.
• Programmed Interrogation facilities.
• Arranging for special printouts containing additional information.
• Reliance on alternative tests.

Auditing Around the Computer (Black Box Approach)

Auditing around the computer involves arriving at an audit opinion through examining
the internal control system for a computer installation and the input and output only
for application systems. On the basis of the quality of the input and output of the
application system, the auditor infers the quality of the processing carried out.
Application system processing is not examined directly. The auditor views the computer
as a black box.

The auditor can usually audit around the computer when either of the
following situations applies to application systems existing in the installation:

• The system is simple and batch oriented.
• The system uses generalized software that is well-tested and used widely
by many installations.

Sometimes batch computer systems are just an extension of manual systems.
These systems have the following attributes:

• The system logic is straightforward and there are no special routines
resulting from the use of the computer to process data.
• Input transactions are batched and control can be maintained through the
normal methods, for example, separation of duties and management
supervision.
• Processing primarily consists of sorting the input data and updating the
master file sequentially.
• There is a clear audit trail and detailed reports are prepared at key
processing points within the system.
• The task environment is relatively constant and few stresses are placed on
the system.

For these well-defined systems, generalized software packages often are
available. For example, software vendors have developed payroll, accounts
receivable, and accounts payable packages. If these packages are provided by
a reputable vendor, have received widespread use, and appear error-free, the
auditor may decide not to test directly the processing aspects of the system.
The auditor must ensure, however, that the installation has not modified the
package in any way and that adequate controls exist, to prevent unauthorized
modification of the package.

Not all generalized software packages make application systems amenable to
auditing around the computer. Some packages provide a set of generalized
functions that still must be selected and combined to accomplish application
system purposes. For example, database management system software may
provide generalized update functions, but a high-level program still must be
written to combine these functions in the required way. In this situation the
auditor is less able to infer the quality of processing from simply examining
the system’s input and output.

The primary advantage of auditing around the computer is simplicity.
Auditors having little technical knowledge of computers can be trained easily
to perform the audit.

There are two major disadvantages to the approach. First, the type of
computer system where it is applicable is very restricted. It should not be used
for systems having any complexity in terms of size or type of processing.
Second, the auditor cannot assess very well the likelihood of the system
degrading if the environment changes. The auditor should be concerned with
the ability of the system to cope with a changed environment. Systems can be
designed and programs can be written in certain ways so that a change in the
environment will not cause the system to process data incorrectly or for it to
degrade quickly.

Auditing Through the Computer

The auditor can use the computer to test: (a)
the logic and controls existing within the system and (b) the records produced
by the system. Depending upon the complexity of the application system
being audited, the approach may be fairly simple or require extensive
technical competence on the part of the auditor.

There are several circumstances where auditing through the computer must
be used:

• The application system processes large volumes of input and produces
large volumes of output that make extensive direct examination of the
validity of input and output difficult.
• Significant parts of the internal control system are embodied in the
computer system. For example, in an online banking system a computer
program may batch transactions for individual tellers to provide control
totals for reconciliation at the end of the day’s processing.
• The logic of the system is complex and there are large portions that
facilitate use of the system or efficient processing.
• Because of cost-benefit considerations, there are substantial gaps in the
visible audit trail.
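
The end-of-day teller reconciliation mentioned in the list above, as an added example that is not part of the original document: it computes per-teller control totals on the entered and posted sides and reports which control is out of balance. The record count and account hash total go beyond the amount totals the text implies; all teller IDs, account numbers and amounts are constructed sample data.

```python
from collections import defaultdict
from decimal import Decimal

# Constructed sample data: (teller_id, txn_id, account_no, amount).
ENTERED = [  # what each teller keyed in during the day
    ("T01", "A1", 100234, Decimal("250.00")),
    ("T01", "A2", 100871, Decimal("-75.50")),
    ("T02", "B1", 200410, Decimal("1200.00")),
    ("T02", "B2", 200977, Decimal("40.25")),
    ("T03", "C1", 300118, Decimal("500.00")),
    ("T03", "C2", 300552, Decimal("60.00")),
]
POSTED = [  # what the system wrote to the ledger
    ("T01", "A1", 100234, Decimal("250.00")),
    ("T01", "A2", 100871, Decimal("-75.50")),
    ("T02", "B1", 200410, Decimal("1200.00")),
    ("T02", "B2", 200977, Decimal("400.25")),  # amount changed in processing
    ("T03", "C1", 300118, Decimal("500.00")),
    ("T03", "C2", 300525, Decimal("60.00")),   # posted to a different account
]

CONTROLS = ("record_count", "amount_total", "account_hash_total")

def control_totals(records):
    """Return {teller: (record count, amount total, account hash total)}."""
    totals = defaultdict(lambda: [0, Decimal("0"), 0])
    for teller, _txn_id, account, amount in records:
        batch = totals[teller]
        batch[0] += 1
        batch[1] += amount
        batch[2] += account  # sum has no business meaning; it exposes misposting
    return {teller: tuple(batch) for teller, batch in totals.items()}

def reconcile(entered, posted):
    """Return {teller: [controls that disagree]} for batches out of balance."""
    before, after = control_totals(entered), control_totals(posted)
    empty = (0, Decimal("0"), 0)
    exceptions = {}
    for teller in sorted(set(before) | set(after)):
        pairs = zip(CONTROLS, before.get(teller, empty), after.get(teller, empty))
        failed = [name for name, a, b in pairs if a != b]
        if failed:
            exceptions[teller] = failed
    return exceptions

if __name__ == "__main__":
    for teller, failed in reconcile(ENTERED, POSTED).items():
        print(f"{teller}: out of balance on {', '.join(failed)}")
```

T03 shows why an amount total alone is not enough: the money balances, and only the account hash total reveals that an entry went to the wrong account.
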
The primary advantage of this approach is that the auditor has increased
power to effectively test a computer system. The range and capability of tests
that can be performed increases and the auditor acquires greater confidence
that data processing is correct. By examining the system’s processing the
auditor also can assess the system’s ability to cope with environment change.

The primary disadvantages of the approach are the high costs sometimes
involved and the need for extensive technical expertise when systems are
complex. However, these disadvantages are really spurious if auditing
through the computer is the only viable method of carrying out the audit.

Understanding COBIT Standards

COBIT stands for Control Objectives for Information and Related Technology. It is a
framework created by the ISACA (Information Systems Audit and Control Association)
for IT governance and management. It was designed to be a supportive tool for
managers, and it helps bridge the crucial gap between technical issues, business
risks, and control requirements. COBIT is a widely recognized guideline that can be
applied to any organization in any industry. Overall, COBIT ensures quality, control, and
reliability of information systems in an organization, which is also the most important
aspect of every modern business.

COBIT (control objectives for information and related technologies) is a framework
applied in the best practices of IT governance and management. Organizations apply
COBIT in the development, implementation, monitoring, and improvement of IT
structures. COBIT is the most commonly used framework in the U.S. for compliance
with the Sarbanes-Oxley Act that deters fraudulent financial reporting. 

The COBIT framework comprises various key components such as frameworks,
process descriptions, control objectives, maturity models, and management
guidelines. At its core, the COBIT framework serves as a multifunctional support tool
that helps IT managers align business risks, technical issues, and control prerequisites
within the organization. 

Benefits of COBIT

The COBIT framework helps organizations optimize their IT management and
governance processes by meeting contractual agreements and complying with the
latest regulatory and legal requirements. COBIT provides tools that establish and
prioritize clear and actionable IT goals. For example, COBIT’s maturity model can help
users assess the required level of performance for an IT element to fulfill an
organizational task.

Additionally, COBIT provides organizations with access to quality information that drives
optimal decisions and business goals. The latest version of COBIT integrates well with
existing frameworks such as ITIL and TOGAF, enabling organizations to utilize a
combination of tools according to specific tasks and practices.
