
Chapter 21

Audit of Advanced Systems and Electronic Commerce

to accompany

AUDITING: An International Approach, Second Canadian Edition

Jack C. Robertson, University of Texas
Wally J. Smieliauskas, University of Toronto

CHAPTER 21

Chapter 8 covered the general issues of planning audit testing within a computer environment. This chapter covers audit planning and testing issues associated with more advanced EDP systems and the rapidly evolving world of electronic commerce, which is the generic term for all electronic messaging technology including electronic data interchange (EDI), electronic funds transfer (EFT), e-mail, fax, telex, videotape and electronic filing with the government.

The chapter is subdivided into four parts: (1) characteristics and control considerations of advanced EDP systems, (2) audit tests of advanced EDP systems, (3) computer abuse and fraud, and (4) some audit considerations of electronic commerce.

Learning Objectives

After you study Chapter 21, you should be able to:

1. List and describe the four features that characterize “advanced” computer systems.

2. List and briefly describe several techniques applicable for auditing advanced computer systems.

3. Define and describe computer fraud and the controls that can be used to prevent it.

4. Define and describe electronic commerce, its impact on the business environment, and the major implication for auditors.

5. Define and describe the new types of assurance services arising from electronic commerce.

AUDIT OF ADVANCED SYSTEMS AND ELECTRONIC COMMERCE

ADVANCED SYSTEMS: CHARACTERISTICS AND CONTROL CONSIDERATIONS

Simple batch computer systems deal with one component of an organization at a time, such as payroll or billing. Advanced applications involve immediate update utilizing a companywide database, performing multiple functions simultaneously (EDP Audit Guidelines: EDP Environments—on-line computer systems; and EDP Environments—database systems). Of course, you will encounter variations between simple batch and the most advanced systems. For example, terminals and workstations are commonly used for data entry; but the transactions collected on disks for batch update or terminals may be for enquiry about the status of balances (e.g., perpetual inventory), while update is still by batch. Further, while some processing may be updated immediately, such as order entry, other applications in the same company, such as payroll that has a natural periodic cycle, could be batch-processed.

Advanced systems have been described using many terms, such as time-sharing, on-line, real time, and distributed processing (see box). The problem with such terms from an audit point of view is that they describe hardware and software technology and do not focus on how accounting transactions are processed. For purposes of evaluating control, advanced systems are those systems (large or small) that possess one or more of the following characteristics:

• Data communication.

• Data integration.

• Automatic transaction initiation.

• Unconventional or temporary audit trail.

Data Communication

Data communication is a combination of electronic data transmission and the computer. The complexity of data communication networks may vary from a few remote terminals linked to a microcomputer to a complex network utilizing time-sharing, on-line, real time and distributed processing systems (terms defined in the box). The main “advanced” feature is that programs, transactions and data files can be introduced, maintained, modified or accessed at locations distant from the central data processing installation.

Advanced computer systems are said to be transaction driven or event driven because the individual transaction triggers the processing activity and updates all relevant files. In contrast a batch system could be said to be program driven because a specific program must be loaded into the computer to process all transactions that fit that program and its related files. In a transaction-driven system, the transaction-type identification code part of the transaction input is the most sensitive part because it initiates all subsequent actions.

Control Implications

Control standards in advanced communication systems are difficult to maintain, yet controls at all locations that can access the system are essential. Especially crucial are procedures for identification and authorization of all users (e.g., passwords). Control weaknesses at any one location may compromise the control structure elsewhere.


Data Integration

In batch processing, each application system has its own files. For example, the payroll processing utilizes the payroll master file. Some of the same information (such as employee numbers and pay rates) also may be maintained on personnel files and labour cost accounting files. Further, the master files in a batch system tend to become the property of a particular user department. Periodic review must be made of identical fields in various user department files to ensure that they are the same and to reconcile differences.

Advanced systems frequently include a new part of the system software called a database management system (DBMS) and an integrated “master file” called the database (EDP–6). The database contains all the information formerly maintained in separate user department files. A particular piece of data, such as employee number, is stored only once (data integration), but through the DBMS it is made available to all programs (payroll, personnel, cost accounting) that need that data. Thus, data redundancy (same data stored in several separate files) is eliminated. Since the traditional files having all the same record format do not exist, the concept of a field in a record no longer applies. The individual pieces of information (employee number, address, pay rate, balance) are called data elements and are logically combined by the DBMS to provide programs with the records necessary for the particular processing. The information in the database becomes a company-wide resource, rather than belonging to a particular user department.

4 PART V Specialized Topics

ADVANCED COMPUTER TERMS

Time-sharing

Time-sharing is a computer system with a number of independent, relatively slow-speed terminal devices. The user has the impression that he or she is the sole user, due to the slowness of input/output, when in reality the computer is sharing its time with a number of users. Time-sharing may be owned or utilized by many organizations. (The company providing the service for many users is called a “service bureau.”)

On-line

On-line is used with two different meanings. Data files are said to be on-line if they are electronically available to the central processor and can be accessed without operator intervention. On-line also refers to a user who is connected to the central processor as described above under time-sharing. Data processing also is termed on-line (or direct access or random) when transactions can be input into computer processing from the point of origin without first being sorted (EDP–5).

Real Time

Real time has a variety of meanings. Real time can refer to a quick response in a time-shared system, such as is necessary for airline reservations. Real time in an accounting and production sense means that the system evaluates information and feeds back (return signals) in time to take action.

Distributed Processing

Distributed processing refers to the situation where two or more computers handle the data processing. This is a form of extension of time-sharing, except that the terminals can be connected to one of a number of computers. Minicomputers may be located at a remote site to handle local processing and to maintain local files, with summary data transactions transmitted to a central location.

Control Implications

The DBMS contains controls that restrict access to the database. The database is composed of individual data elements, each with a unique storage space in the database. The entire population of data elements is called the schema. Authorized users (including computer programs) can be limited to only those portions of the database (called subschema) that are needed. Thus, authorized employees in the payroll department may be able to enter the weekly hours that update year-to-date gross pay, while being precluded from changing any pay rate.

Responsibility must be delegated for establishing, assigning and maintaining the authorization procedures. This responsibility usually is assigned to a database administrator (DBA). The DBA is responsible for determining who should have access to each data element (that is, for defining each user’s subschema). Further, responsibility must be assigned by the DBA to users for each data element in the database. The database administrator should have the following responsibilities:

• Design the content and organization of the database, including logical data relationships, physical storage strategy and access strategy.

• Protect the database and its software, including control over access to and use of the data and DBMS, and provide for backup and recovery in the case of errors or destruction of the database.

• Monitor the performance of the DBMS and improve its efficiency.

• Communicate with the database users, arbitrate disputes over data ownership and use, educate users about the DBMS and consult users when problems arise.

• Provide standards for data definition and use and document the database and its software.¹

Since the DBA should have such extensive responsibilities, this function should be segregated from the other computer functions of systems development, programming, operations and users described previously.

When auditors encounter a DBMS, the following control procedures should be evaluated (DBMS control procedure, followed by the audit consideration):

• Segregation of data administration functions: segregation of data administration from incompatible functions; segregation of duties within data administration, if possible.

• User data controls: user responsibility for data; user review of all changes; periodic review and comparison with physical counts and other evidence of correct data values.

• Accuracy controls: use of standard data editing and validation procedures.

• Error-correction controls: use of procedures for error correction.

• Access controls: use of procedures to limit access to programs to authorized personnel only.

Source: Gordon B. Davis et al., Auditing & EDP (New York: AICPA, 1983), p. 111.

Automatic Transaction Initiation

Automatic transaction initiation, present in some batch systems, usually is more extensive in advanced systems. Transactions can be computer-initiated to write invoices, cheques, shipping orders and purchase orders, without human review.

¹ Davis et al., Auditing & EDP, p. 109.

Control Implications

Without a human-readable document indicating the transaction event, the correctness of automatic transactions is difficult to judge. Authorization of transactions occurs when certain flags are installed in program or records (e.g., inventory quantity falling below reorder point). Therefore, authorization is more difficult to trace to the proper person. Control procedures must be designed into the system to ensure the genuineness and reasonableness of automatic transactions and to prevent or detect erroneous transactions.

Unconventional or Temporary Audit Trail

The audit trail of frequent printouts in simple systems and the hard-copy source documents supporting keyed data entry gradually disappear as systems become more advanced. They are replaced by sensor-based data collection input and microfilm or machine-readable output. All advanced systems need an audit trail in case of transmission interruption or power surge; however, the retention period may be short and the information available only in machine-readable form.

Control Implications

Audit and control specifications for an audit trail need to be established at the time a system is designed or evaluated for lease or purchase. The loss of hard-copy documents and reports and the temporary nature of the audit trail may require external auditors to alter both the timing and the nature of audit procedures. Greater co-operation and co-ordination are required between external and internal auditors.

A transaction-oriented environment is represented in Exhibit 21–1. The transaction processor keeps track of the remote input terminal sources of messages, performs preliminary message editing, checks authority and identifies the transaction type. Based on the transaction code, a particular transaction module (such as the payroll update program) is initiated. These modules edit the transactions for input errors. A query-only transaction (no change to data elements in the database) will involve less complex transaction modules. All transactions must pass through the DBMS, where access authorization is tested and certain data elements are made available for the return trip through the various steps. Such systems require complex hardware and software.

EXHIBIT 21–1 TRANSACTION-ORIENTED ENVIRONMENT

[Figure: a stream of transactions from terminals enters the transaction processor (message handling, message editing, identify transaction type, priority assignment, scheduling, error handling, recovery log). The processor calls a transaction module for the transaction type (Type X, Type Y: format control, editing, validation, application task list). The modules call the database management system (DBMS components: schema, subschema, query language, security, recovery), which accesses the database (user data, application program modules, systems software: language, utilities).]

REVIEW CHECKPOINTS

21.1 Define an audit trail. How might a computer system audit trail in an advanced system differ from one in a simple system or a manual system?

21.2 What are the characteristics of advanced computer systems?

21.3 Why are advanced computer systems said to be “transaction driven,” while batch systems are said to be “program driven”?

21.4 How can each department “own” its computer data files when data processing is accomplished in a simple batch system but lose ownership if a database management system (DBMS) is used?

21.5 What are the responsibilities of the database administration (DBA) function?

21.6 What control procedures should be evaluated when a database is used instead of master files?

TESTS OF COMPUTER CONTROLS IN ADVANCED COMPUTER SYSTEMS

As explained in the beginning of Chapter 8, the internal control audit objectives do not change when the environment changes from manual to computer data processing, or from simple batch computer processing to more advanced computer processing. Auditors must still assess the control risk. However, the audit techniques must be adapted to the different environment. The control features for advanced computer systems are summarized in the box below.

Audit Tools and Techniques

The audit of advanced computer systems usually involves computer audit specialists with advanced technical proficiency. However, “general” auditors (and you as a student of auditing) must possess some knowledge of the tools and techniques available in order to co-ordinate the specialist’s work with the other procedures to achieve the audit objective of assessing control risks. Auditors also need to know the available techniques in order to advise clients of the control concerns and potential audit aids. Most of the tools and techniques discussed below need to be designed into the system. Auditors should become more involved in reviewing systems at the development stage to ensure that adequate controls are installed and that auditability is possible.


CONTROL FEATURES

To achieve the control objectives in an advanced computer environment, the system should be designed to provide the following features:

1. User identification. The system should have the capability to uniquely identify each of the persons using the system.

2. Request authorization. The system should be able to determine if the processing or information request of a user is authorized.

3. Activity logging. The system should be capable of recording all user activity (such as the number of attempted log-ons, enquiries and the like), as well as recording information about the processes executed.

Source: AICPA, Management, Control, and Audit of Advanced EDP Systems (New York: AICPA, 1977), p. 11.
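The three control features in the box (user identification, request authorization, activity logging) are the same mechanisms the Data Integration section describes as schema and subschema access control, where a payroll clerk may enter weekly hours but not change a pay rate. The following Python is an added example that is not from the textbook or from any DBMS product: the schema, the subschemas, the user list and the employee record are all constructed for illustration, and `DBMS`, `run_payroll` and `denied_attempts` are hypothetical names.

```python
from dataclasses import dataclass, field

# Constructed sample schema: every data element in the database and the
# user department the DBA has made responsible for it.
SCHEMA = {
    "employee_number": "personnel",
    "address": "personnel",
    "pay_rate": "personnel",
    "weekly_hours": "payroll",
    "ytd_gross_pay": "payroll",
}

# Constructed subschemas assigned by the DBA: the elements each class of
# user (people and programs alike) may read or write.
SUBSCHEMAS = {
    "payroll_clerk": {
        "read": {"employee_number", "pay_rate", "weekly_hours", "ytd_gross_pay"},
        "write": {"weekly_hours"},
    },
    "personnel_officer": {
        "read": {"employee_number", "address", "pay_rate"},
        "write": {"address", "pay_rate"},
    },
    "payroll_program": {
        "read": {"weekly_hours", "pay_rate", "ytd_gross_pay"},
        "write": {"ytd_gross_pay"},
    },
}


class AccessDenied(Exception):
    """Raised when a request falls outside the requester's subschema."""


@dataclass
class DBMS:
    users: dict                      # user id -> subschema name (user identification)
    records: dict                    # employee_number -> {data element: value}
    activity_log: list = field(default_factory=list)

    def _authorize(self, user, mode, element):
        """Request authorization: the element must exist in the schema and lie
        inside the requester's subschema for this mode. Every decision is logged."""
        subschema = SUBSCHEMAS.get(self.users.get(user))
        allowed = element in SCHEMA and subschema is not None and element in subschema[mode]
        self.activity_log.append((user, mode, element, "OK" if allowed else "DENIED"))
        if not allowed:
            raise AccessDenied(f"{user!r} may not {mode} {element!r}")

    def read(self, user, employee_number, element):
        self._authorize(user, "read", element)
        return self.records[employee_number][element]

    def write(self, user, employee_number, element, value):
        self._authorize(user, "write", element)
        self.records[employee_number][element] = value


def run_payroll(db, program_id="PAYROLL-PGM"):
    """Weekly payroll update; the program is bound by its own subschema like any user."""
    for emp in db.records:
        hours = db.read(program_id, emp, "weekly_hours")
        rate = db.read(program_id, emp, "pay_rate")
        ytd = db.read(program_id, emp, "ytd_gross_pay")
        db.write(program_id, emp, "ytd_gross_pay", ytd + hours * rate)


def denied_attempts(db):
    """Activity-log review: every request the DBMS refused."""
    return [entry for entry in db.activity_log if entry[3] == "DENIED"]


def demo():
    db = DBMS(
        users={"jsmith": "payroll_clerk", "mjones": "personnel_officer",
               "PAYROLL-PGM": "payroll_program"},
        records={"E100": {"employee_number": "E100", "address": "1 Main St",
                          "pay_rate": 25.0, "weekly_hours": 0, "ytd_gross_pay": 1000.0}},
    )
    db.write("jsmith", "E100", "weekly_hours", 40)      # inside the clerk's subschema
    try:
        db.write("jsmith", "E100", "pay_rate", 99.0)     # clerk may not change a pay rate
    except AccessDenied:
        pass
    db.write("mjones", "E100", "pay_rate", 30.0)        # personnel owns pay_rate
    try:
        db.read("intruder", "E100", "pay_rate")         # user unknown to the system
    except AccessDenied:
        pass
    run_payroll(db)                                     # 1000 + 40 * 30 = 2200
    return db


if __name__ == "__main__":
    db = demo()
    print(db.records["E100"])
    for entry in denied_attempts(db):
        print("DENIED:", entry)
```

The point of logging the refused requests alongside the granted ones is the review checkpoint 21.11 raises later in the chapter: a transaction log records what happened, but only the identification and authorization steps decide who may do it, and the log of denials is what tells an auditor the subschema limits are being tested.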

The tools and techniques applicable to auditing in an advanced computer environment can be classified as those that (1) operate on-line on a real-time basis with live data, (2) operate on historical data, (3) utilize simulated or dummy data, and (4) utilize program analysis techniques.

Techniques Using Live Data

In most cases these techniques require that special audit modules be designed and coded into programs at the time of development. These audit hooks allow auditors to select specific transactions of audit interest before or during processing and save them for subsequent audit follow-up. (Program modules solely for audit or maintenance purposes are called audit hooks. The same concepts used for fraudulent purposes are called trap doors.)

Tagging Transactions. Transactions selected by the auditor are “tagged” with an indicator at input. A computer trail of all processing steps of these transactions in the application system can be printed out or stored in computer files for subsequent evaluation.

Audit Files. Auditor-selected transactions are written to a special file for later verification. Two methods may be employed. Systems control audit review file (SCARF) is a method by which auditors build into the data processing programs special limits, reasonableness or other audit tests. These tests produce reports of transactions selected according to the auditor’s criteria, and the reports are delivered directly to the auditor for review and follow-up. The SCARF procedure is especially attractive to internal auditors. A sample audit review file (SARF) technique is similar to SCARF, except that instead of programming auditors’ test criteria, a random sampling selection scheme is programmed. The report of sample transactions can be reviewed by auditors after each production run. The SARF method is efficient for producing representative samples of transactions processed over a period by the computer.

Snapshot. A “picture” of main memory of transactions and database elements is taken before and after computer processing operations have been performed. The picture is then printed out for auditor use. For example, the contents of an accounts receivable balance are saved before a sales transaction is posted, and the contents after posting are saved. These balances, along with the sales transaction, indicate whether update processing was correct. The auditor can trace and verify the decision process utilizing the results.

Monitoring Systems Activity. Hardware and software are available to analyse activity within a computer. These monitors are designed to determine computer efficiency. However, they may be applied for financial audit purposes to determine who uses elements of the system and for what operations. For example, a record of user ids or user names used to enter accounting transactions can be captured and compared to the list of personnel authorized to enter these transactions.

Extended Records. Special programs provide an audit trail of an individual transaction by accumulating the results of all application programs that contributed to the processing of a transaction. The accumulated results are stored either as additional fields of the transaction record or in a separate audit file. For example, the snapshot example of accounts receivable balances before and after update processing could be added to the sales transaction, making an extended transaction record. Thus, auditors can follow the flow of a transaction without reviewing several files at various times and stages of processing.
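Tagging, SCARF, SARF, snapshot and extended records are all hooks coded into the same update module, so one accounts receivable posting routine can show all of them together. The Python below is an added example, not code from the textbook or from any client system: the customer balances, the six transactions and the audit limit are constructed, and `AuditedReceivablesModule` and `verify_extended_record` are hypothetical names. The SARF hook uses a systematic sample (random start, fixed interval) as one instance of the random selection scheme the text describes.

```python
import random
from dataclasses import dataclass, field


@dataclass
class Transaction:
    txn_id: str
    customer: str
    amount: float            # positive = sale posted to receivables, negative = cash receipt
    entered_by: str
    tagged: bool = False     # auditor's tag set at input
    extended: list = field(default_factory=list)   # audit fields appended by each module


class AuditedReceivablesModule:
    """Accounts receivable update module with the audit hooks designed in."""

    def __init__(self, balances, scarf_limit, sarf_interval, seed=21):
        self.balances = dict(balances)
        self.scarf_limit = scarf_limit
        self.sarf_interval = sarf_interval
        # SARF: random start, then every sarf_interval-th transaction is sampled.
        self.sarf_start = random.Random(seed).randrange(sarf_interval)
        self.count = 0
        self.scarf_file = []   # transactions failing the auditor's built-in tests
        self.sarf_file = []    # random sample for review after the run
        self.tag_trail = []    # every processing step taken on tagged transactions

    def post(self, txn):
        before = self.balances.get(txn.customer, 0.0)

        # SCARF hook: limit and reasonableness tests specified by the auditor.
        reasons = []
        if abs(txn.amount) > self.scarf_limit:
            reasons.append("amount exceeds audit limit")
        if txn.amount < 0 and before + txn.amount < 0:
            reasons.append("receipt larger than balance owed")
        if reasons:
            self.scarf_file.append((txn.txn_id, reasons))

        # SARF hook: sample selection independent of transaction content.
        if self.count % self.sarf_interval == self.sarf_start:
            self.sarf_file.append(txn.txn_id)
        self.count += 1

        # The update itself.
        after = before + txn.amount
        self.balances[txn.customer] = after

        # Snapshot of the balance before and after, kept as an extended record.
        snapshot = {"module": "ar_update", "before": before, "after": after}
        txn.extended.append(snapshot)
        if txn.tagged:
            self.tag_trail.append((txn.txn_id, snapshot))
        return txn


def verify_extended_record(txn):
    """Auditor's re-performance: each module's 'after' must equal 'before' plus the amount."""
    return all(abs(s["before"] + txn.amount - s["after"]) < 1e-9 for s in txn.extended)


def run_demo():
    module = AuditedReceivablesModule(
        balances={"C1": 500.0, "C2": 0.0}, scarf_limit=10_000.0, sarf_interval=3)
    txns = [
        Transaction("T1", "C1", 250.0, "jsmith", tagged=True),
        Transaction("T2", "C2", 12_000.0, "jsmith"),     # over the SCARF limit
        Transaction("T3", "C1", -800.0, "rlee"),          # receipt exceeds balance owed
        Transaction("T4", "C2", 300.0, "rlee"),
        Transaction("T5", "C1", 100.0, "jsmith", tagged=True),
        Transaction("T6", "C2", -500.0, "rlee"),
    ]
    for t in txns:
        module.post(t)
    return module, txns


if __name__ == "__main__":
    module, txns = run_demo()
    print("balances:", module.balances)
    print("SCARF report:", module.scarf_file)
    print("SARF sample:", module.sarf_file)
    print("tagged trail:", module.tag_trail)
    print("all extended records verify:", all(verify_extended_record(t) for t in txns))
```

Note that the SCARF hook reports T3 but does not block it: the hook is an audit device that delivers exceptions to the auditor, not an application control, and the extended record is what lets the auditor re-perform the posting afterwards without pulling balances from several files.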

Techniques Using Historical Data

These techniques generally are designed to give auditors access to machine-sensible files. The parallel simulation concept of reprocessing data and comparing results to original processing, explained previously, is included in this class of techniques. Also included is generalized audit software, which was discussed in Chapter 8. A particularly popular software for analysing databases is Audit Command Language, or ACL.

Techniques Using Simulated or Dummy Data

The test data concept explained earlier is a technique that fits in this class, although it generally is used in simple batch computer systems. An extension of the test data concept has been expanded for use in advanced computer systems under the name of integrated test facility.

Integrated Test Facility (ITF). This “minicompany” approach is a technique used by clients’ program maintenance personnel, although it can be used by auditors. It involves creating a dummy department or branch complete with records of employees, customers, vendors, receivables, payables and other accounts. The ITF has master file records (or database records), carefully coded (such as “99”), included among the real master-file records. Simulated transactions (test data) are inserted along with real transactions, and the same application programs operate on both the test data and the real transactions. Since the auditor knows what the ITF output should be, the actual results of processing (output reports, error reports) can be reviewed to determine whether the application program is functioning properly. A great deal of care is required when ITF is used because the fictitious master-file records, the transactions and the account outputs are placed in the actual accounting system and in the business records. The account amounts and other output data must be reversed or adjusted out of the financial statements. Also, care must be taken not to damage or misstate any of the real master-file records and account balances.
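The two halves of an ITF run are the comparison of the dummy department's balances against what the auditor knows they must be, and the backing-out of those balances before anything is reported. The Python below is an added example, not from the textbook or any client system: the "99" coding of the dummy records, the batch of real and ITF transactions and the defective posting routine are constructed, and `run_itf`, `itf_exceptions` and `back_out_itf` are hypothetical names. Amounts are held in cents so the comparison is exact.

```python
ITF_CODE = "99"   # prefix that marks the dummy department's master records


def post_batch(ledger, transactions, apply_amount):
    """Post a mixed batch of real and ITF transactions through one application routine.
    apply_amount is the routine under test: it returns the amount to post, in cents."""
    for t in transactions:
        ledger[t["account"]] = ledger.get(t["account"], 0) + apply_amount(t["amount_cents"])
    return ledger


def correct_routine(amount_cents):
    return amount_cents


def defective_routine(amount_cents):
    # Constructed defect: the routine silently drops the cents on every amount it posts.
    return int(amount_cents / 100) * 100


def itf_exceptions(ledger, expected):
    """Compare each ITF account with the balance the auditor knows it must hold."""
    return {acct: (ledger.get(acct, 0), want)
            for acct, want in expected.items() if ledger.get(acct, 0) != want}


def back_out_itf(ledger):
    """Remove the dummy department before any figure reaches the financial statements."""
    return {acct: bal for acct, bal in ledger.items() if not acct.startswith(ITF_CODE)}


def run_itf(routine):
    batch = [
        {"account": "1001", "amount_cents": 100_050},        # real customer, $1,000.50
        {"account": "1002", "amount_cents": 25_025},         # real customer, $250.25
        {"account": "99-AR-001", "amount_cents": 10_010},    # ITF sale, $100.10
        {"account": "99-AR-001", "amount_cents": -4_005},    # ITF receipt, $40.05
    ]
    expected_itf = {"99-AR-001": 6_005}      # 100.10 - 40.05, known before the run
    ledger = post_batch({}, batch, routine)
    return {
        "exceptions": itf_exceptions(ledger, expected_itf),
        "total_with_itf": sum(ledger.values()),              # what the system now holds
        "total_reported": sum(back_out_itf(ledger).values()),  # what may be reported
    }


if __name__ == "__main__":
    print("correct routine:", run_itf(correct_routine))
    print("defective routine:", run_itf(defective_routine))
```

The defective routine misstates the real customers as well, but only the ITF account exposes it, because only there does the auditor know the right answer in advance; and `total_with_itf` shows why the back-out matters, since the dummy department's $60.05 sits in the live receivables until it is removed.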

Program Analysis Techniques

Numerous software packages are used by computer technicians for documentation, debugging and analysis. These tools also can be used for audit purposes in certain situations. Programs exist to take the source code (e.g., COBOL) and produce flowcharts or decision tables that can be used to understand the logic of an application program. Cross-reference programs provide printed listings of every occurrence of each name used in an application program or a list of every file used in an application system. Auditors can use these listings to follow the flow of transactions and identify significant data files. Program analysis software can be utilized by auditors to identify potential trapdoors created for fraudulent use.²

These advanced computer systems audit tools and techniques are summarized in Exhibit 21–2. These audit tools and techniques should be studied carefully—especially the purposes, advantages and disadvantages. The next section of this chapter will focus on how auditors can use the computer to assist in auditing historical computer accounting records, primarily to support substantive audit procedures to gather evidence on account balances.

REVIEW CHECKPOINTS

21.7 What are the names of the advanced control techniques that clients can imbed in computer systems, classified according to categories (e.g., live data, historical data, dummy data, program analysis techniques)?

21.8 What is the difference between the test data technique and the integrated test facility technique?

21.9 Which of the advanced audit tools and techniques would be used for test of controls audit procedures? for substantive audit procedures?

21.10 “The use of the test data technique (or the integrated test facility technique) to test the client’s application control procedures is unprofessional. We don’t enter fake transactions into a client’s manual system. Why should we do it in their computer system?” Evaluate this position and question posed by an audit partner.

21.11 Evaluate the following statement made by a client’s data processing manager: “Who cares if we used identification numbers and passwords to access the inventory database and the update programs as long as the computer maintains a transaction log?”

² This may be an oversimplification because computer systems may have multiple controls that create thousands of error combinations and possible test transactions. Computerized test data generators are available to help auditors overcome the magnitude of the test data creation task.

COMPUTER ABUSE AND COMPUTER FRAUD

Computer fraud is a matter of concern for managers and investors as well as auditors. Experts in the field have coined two definitions related to computer chicanery: computer abuse is the broad definition, but computer fraud is probably the term used more often (see box below).

EXHIBIT 21–2 ADVANCED COMPUTER SYSTEMS AUDIT TOOLS AND TECHNIQUES

(Columns of the original table, given for each technique below: supplied by; used by; data used; purpose; advantages; disadvantages.)

Tagging transactions. Supplied by: vendor or application system designer. Used by: auditors and managers. Data used: live accounting. Purpose: test of controls and substantive audit. Advantages: full range of selectivity. Disadvantages: adds to overhead of system, special programming.

Audit files. Supplied by: systems designer. Used by: auditors and control personnel. Data used: live accounting and system. Purpose: test of controls and substantive audit. Advantages: specified transactions logged for audit review. Disadvantages: cost.

Snapshot. Supplied by: systems designer. Used by: programmers and auditors. Data used: live system. Purpose: review system logic. Advantages: aids understanding flow of transaction processing. Disadvantages: special programming.

Monitoring. Supplied by: vendor. Used by: auditors and managers. Data used: live system. Purpose: review actual system activity. Advantages: shows what has happened. Disadvantages: requires technical knowledge to interpret.

Generalized audit software. Supplied by: vendor and systems designer, software house, manufacturer, or audit firm. Used by: auditors and managers. Data used: historical and live. Purpose: test of controls and substantive audit; perform wide variety of audit procedures. Advantages: retrieves data for audit purposes; relatively easy to use, not expensive. Disadvantages: requires some programming knowledge by auditor; presently limited to types of files that can be accessed.

Simulation. Supplied by: auditors, internal and external, with program copy. Used by: auditors. Data used: historical. Purpose: determine accuracy of data processed; tests of controls audit. Advantages: permits comparison with real processing. Disadvantages: extensive use can be large consumer of machine resources.

Extended records. Supplied by: design of client application. Used by: auditors and managers. Data used: historical. Purpose: provide complete trail for audit and management purposes. Advantages: provide complete account history. Disadvantages: very costly use of machine resources at present.

Integrated test facility. Supplied by: auditors, mostly internal. Used by: auditors. Data used: simulated. Purpose: test of controls audit. Advantages: relatively inexpensive. Disadvantages: must be “backed out” very carefully.

Program analysis techniques. Supplied by: special software, contractor or vendor. Used by: auditors and programmers. Data used: usually simulated. Purpose: authentication of program operation; check of key points in program execution. Advantages: gives better understanding of application; gives assurance controls are functioning. Disadvantages: needs auditor knowledge of programming; may be expensive; useful only in certain circumstances.

Source: Adapted from AICPA, Management, Control, and Audit of Advanced EDP Systems.

Computer abuse and fraud includes such diverse acts as intentional damage or destruction of a computer, use of the computer to assist in a fraud and use of the mystique of computers to promote business. Computers have been damaged by vandals—an abuse best prevented by physical security measures. A computer was used by the perpetrators of the Equity Funding financial fraud to print thousands of fictitious records and documents that otherwise would have occupied the time of hundreds of clerks. Some services (such as “computerized” dating services) promote business on the promise of using computers when none are actually used. In a business environment auditors and managers are concerned particularly with acts of computer theft or embezzlement of assets, and material misstatements in the financial statements. To perpetrate computer frauds, persons must have access to one or more of the following:

• The computer itself, or a terminal.

• Data files.

• Computer programs.

• System information.

• Time and opportunity to convert assets to personal use.

Computer financial frauds range from the crude to the complex. They hit financial institutions with alarming frequency, especially through credit card theft and abuse. They are apparently hard to detect in the ordinary course of business. The AICPA conducted a study of computer frauds in the banking and insurance industry and found that customer complaints were the leading clues to discovery of fraud, while routine audits were credited with discovery of 18 percent. Auditors have some success, but they are not infallible detectives. The box below gives the range of detection incidence.

COMPUTER ABUSE AND COMPUTER FRAUD DEFINITIONS

Computer Abuse: Any incident associated with computer technology in which a victim suffered or could have suffered a loss and a perpetrator by intention made or could have made a gain. (D.B. Parker, Crime by Computer (New York: Charles Scribner’s Sons, 1976), p. 12.)

Computer Fraud: Fraud is any intentional act designed to deceive or mislead another person with the result that the victim suffers a loss or the perpetrator achieves a gain.

Computer fraud is any fraud that involves electronic data processing in the perpetration or cover-up of the fraudulent acts.

HOW FRAUD IS DETECTED IN FINANCIAL INSTITUTIONS

Customer complaint or enquiry: 24%
Accident, tip-off, unusual perpetrator activity: 22%
Controls: 18%
Routine audit: 18%
Nonroutine study: 8%
Changes in operations, EDP, financial statements: 6%
Unidentified: 5%

Source: Report on the Study of EDP-Related Fraud in the Banking and Insurance Industries (AICPA, 84).

Control Protection

Organizations can install controls designed to prevent and detect computer frauds and to limit the extent of damage from them. These prevention, detection and limitation controls are summarized in Exhibit 21–3.

Controls can be classified in three different levels. Administrative controls refer to general controls that affect the management of an organization’s computer resources.

The physical controls affect the computer equipment itself and related documents. The “inconspicuous location” control simply refers to placing microcomputers, terminals and data processing centres in places out of the way of casual traffic. Of course, the equipment used daily must be available in employees’ workplaces, but access must be controlled to prevent unauthorized persons from simply sitting down and invading the system and its data files.

Technical controls include some matters of electronic wizardry. “Encoding data” actually means converting it to scrambled form or code so that it can look like garbled nonsense when transmitted or retrieved from a file. Since the collapse of the Soviet Union and the lessened need for Cold War intelligence work, industrial spying is predicted to increase; businesses should assume that data transmitted by wire and airwaves (e.g., satellite transmission) will be intercepted by public and private intelligence services and analysed for the purpose of commercial advantage. Unscrupulous industrial spies may try to break into an organization’s computer system, and elaborate password software will be necessary to thwart them. (Hackers have been known to program telephones to call random numbers to find a computer system, then try millions of random passwords to try to get in!) The range and reasonableness checks refer to computer monitoring of transaction processing to try to detect potentially erroneous or fraudulent transactions. These are the equivalent of the low-tech imprint you may have seen on some negotiable cheques: “Not negotiable if over $500,” for example.

12 PART V Specialized Topics

E X H I B I T 21–3 PROTECTING THE COMPUTER FROM FRAUD (selected controls)

Objective of control: prevention, detection or limitation (each control listed serves one of the three objectives)

Administrative controls:
• Security checks on personnel
• Segregation of duties
• Access and execution log records (properly reviewed)
• Program testing after modification
• Rotation of computer duties
• Transaction limit amounts

Physical controls:
• Inconspicuous location
• Controlled access
• Computer room guard (after hours)
• Computer room entry log record
• Preprinted limits on documents (e.g., cheques)
• Data backup storage

Technical controls:
• Encoding data
• Access control software and passwords
• Transaction logging reports
• Control totals (financial, hash)
• Program source comparison (comparing versions of programs)
• Range checks on permitted transaction amounts
• Reasonableness check on permitted transaction amounts

Source: Computer Fraud, Ernst & Whinney, 1987.
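Three of the technical detection controls in Exhibit 21–3 (control totals, range checks and reasonableness checks) can be shown working together on a batch of transactions. The Python script below is an added illustration, not part of the textbook; the transactions, the per-account “usual” amounts, the three-times-usual reasonableness threshold and the $500 range limit (taken from the cheque imprint example above) are all constructed for the example.

```python
"""Detection controls from Exhibit 21-3 applied to a transaction batch.

Added illustration; all transactions, limits and account histories are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Transaction:
    account: str   # account number; summed only to form the hash total
    amount: float  # transaction amount in dollars


# Constructed batch as the originating department submits it.
SENDER_BATCH: List[Transaction] = [
    Transaction("100234", 250.00),
    Transaction("100871", 87.50),
    Transaction("100455", 430.00),
]

# Constructed "usual" amount per account, consulted by the reasonableness check.
TYPICAL_AMOUNT: Dict[str, float] = {
    "100234": 240.00,
    "100871": 90.00,
    "100455": 400.00,
}

# Range limit, mirroring the "Not negotiable if over $500" imprint in the text.
RANGE_LIMIT = 500.00


def control_totals(batch: List[Transaction]) -> Dict[str, float]:
    """Batch totals the sender transmits alongside the records.

    financial_total: sum of the amounts (a meaningful figure);
    hash_total: sum of the account numbers (meaningless as a number, but any
    dropped, duplicated or substituted record changes it).
    """
    return {
        "record_count": len(batch),
        "financial_total": round(sum(t.amount for t in batch), 2),
        "hash_total": sum(int(t.account) for t in batch),
    }


def range_exceptions(batch: List[Transaction], limit: float = RANGE_LIMIT) -> List[str]:
    """Range check: any amount above the permitted limit is reported."""
    return [
        f"range: account {t.account} amount {t.amount:.2f} exceeds {limit:.2f}"
        for t in batch
        if t.amount > limit
    ]


def reasonableness_exceptions(
    batch: List[Transaction], typical: Dict[str, float], factor: float = 3.0
) -> List[str]:
    """Reasonableness check: an amount far above the account's usual amount,
    or an account with no history at all, is reported for review."""
    found = []
    for t in batch:
        usual = typical.get(t.account)
        if usual is None:
            found.append(f"reasonableness: account {t.account} has no history")
        elif t.amount > usual * factor:
            found.append(
                f"reasonableness: account {t.account} amount {t.amount:.2f} "
                f"is more than {factor:g}x usual {usual:.2f}"
            )
    return found


def receive_batch(
    received: List[Transaction],
    sender_totals: Dict[str, float],
    typical: Dict[str, float] = TYPICAL_AMOUNT,
) -> List[str]:
    """Receiver-side detection: recompute the control totals, compare them with
    the sender's, then apply the per-record checks.  Returns the exception
    report; an empty list means the batch can be accepted for processing."""
    exceptions = []
    mine = control_totals(received)
    for name in ("record_count", "financial_total", "hash_total"):
        if mine[name] != sender_totals[name]:
            exceptions.append(
                f"control total mismatch: {name} sender={sender_totals[name]} "
                f"receiver={mine[name]}"
            )
    exceptions.extend(range_exceptions(received))
    exceptions.extend(reasonableness_exceptions(received, typical))
    return exceptions


# Constructed scenarios: what the receiver actually gets.
SENDER_TOTALS = control_totals(SENDER_BATCH)
ALTERED_AMOUNT = [Transaction("100234", 2500.00)] + SENDER_BATCH[1:]       # one amount inflated
DROPPED_RECORD = SENDER_BATCH[:-1]                                          # last record lost
SUBSTITUTED_ACCOUNT = SENDER_BATCH[:-1] + [Transaction("100554", 430.00)]  # account changed, amount kept


if __name__ == "__main__":
    for label, batch in [("clean", SENDER_BATCH), ("altered amount", ALTERED_AMOUNT),
                         ("dropped record", DROPPED_RECORD), ("substituted account", SUBSTITUTED_ACCOUNT)]:
        print(f"{label}: {receive_batch(batch, SENDER_TOTALS) or ['accepted']}")
```

The substituted-account case is the one only the hash total catches: the financial total and record count are unchanged, so a financial total alone would accept the batch.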

Embezzlement and Financial Statement Fraud

Computer experts generally agree that an ingenious programmer can commit theft or misappropriation of assets that will be difficult, if not impossible, to detect. Nonetheless, such frauds usually produce an unsupported debit balance in some asset account. For example, someone might manipulate the computer to cause purchased goods to be routed to his own warehouse. In this case the business inventory balance probably would be overstated. One bank employee caused chequing account service charges to be credited to his own account instead of to the appropriate revenue account. In this case the service charge revenue account would be less than the sum of charges to the chequing account customers. Thorough auditing of accounting output records might result in detection of computer-assisted frauds such as these.

Noncomputer auditing methods, as well as some computer-assisted methods, may be employed to try to detect computer frauds. Direct confirmations with independent outside parties, analytical review of the output of the system for typical relationships and comparison of output with independently maintained files may reveal errors and irregularities in computer-produced accounting records. However, all too often auditors and managers are surprised by computer frauds reported to them by conscience-stricken participants, anonymous telephone messages, tragic suicides or other haphazard means. Nevertheless, auditors working in a computer environment are expected to possess the expertise required to identify serious computer control weaknesses. When such weaknesses are believed to exist, the best strategy is to use the services of a computer specialist to help plan and execute technical procedures for further study and evaluation of the computer control systems.


MUGGINGS ON THE INTERNET

OTTAWA—The information highway is proving to be a mean street for many careless Canadian businesses, according to a survey by Ernst & Young.

More than half the participants in the survey said they had been mugged on the Internet in the last year, and experienced security-related financial losses.

Twenty of the companies reported losses of more than $1 million. Most losses were in the $250,000 range.

Inadvertent errors were cited as the more frequent cause of losses. More than 80 percent said they were unable or unwilling to estimate the value of the loss in dollars.

A fifth of those who responded said hackers, former employees or crooked competitors had broken into or tried to crack their computer systems. Only three per cent said they incurred financial losses as a result of the break-in, but 27 per cent said some disruption was caused.

Break-ins

No less than 85 percent are convinced that security risks on the Internet have increased, and almost a third claim the risks have grown at a faster rate than computing itself.

Most of the companies contacted by Ernst & Young confessed that they do not have adequate tools or properly trained staff to prevent security-related losses. Yet there is evidence that companies are becoming increasingly aware of the need to place a greater emphasis on security.

More than two-thirds of the companies surveyed also reported attacks by malicious computer viruses, but few caused significant financial losses or disruptions to their organizations.

Source: Rennie MacKenzie, The Bottom Line, February 1996, p. 6.

Frauds can be ingenious, and the changing technology may make them even more difficult to control. However, as the box above illustrates, careful clients can avoid suffering large losses. Chapter 19 in this textbook covered many topics related to auditors’ awareness of fraud possibilities, including computer-assisted embezzlement and financial statement fraud. Awareness of fraud signs and the ability to invent methods of gathering evidence of them are very important for auditors. Fraud detection is potentially a valuable service to audit clients, and external auditors have not tried to exploit it as an audit product.

R E V I E W C H E C K P O I N T S

21.12 What are the five things a person must use to commit a computer fraud?

21.13 What controls can a company use to protect computer systems from fraud?

21.14 What is “book entry” recordkeeping in the securities industry?

ELECTRONIC COMMERCE: SOME IMPLICATIONS FOR AUDITORS

“Electronic commerce” is a term coined by Benjamin Wright in a landmark book titled The Law of Electronic Commerce that looks at the legal implications of the rapidly developing electronic messaging technology. Benjamin Wright’s work has influenced the CICA’s Technology Task Force, and he has been invited to write a chapter in the second edition of EDI for Managers and Auditors.

We will define electronic commerce (e-commerce) broadly here as any trade that takes place by electronic means.

The most important part of electronic commerce to date has been that dealing with business-to-business transactions, with the most important component so far being electronic data interchange. However, electronic transactions involving consumers are also becoming extremely important economically. We thus attempt to provide a brief overview of the major aspects of electronic commerce, and its foreseeable impact on reporting and auditing. We begin with a discussion of electronic data interchange and use that as a base to explore the more recent assurance issues associated with using the Internet for e-commerce.

Electronic commerce includes such contentious new issues as information property rights and the regulation of electronic financial markets. However, our scope here is restricted to the messaging technology and we will cover the major areas in turn: EDI, fax, e-mail, and the Internet.

EDI

EDI stands for Electronic Data Interchange. It can be defined “as an exchange of electronic business documents between economic trading partners, computer to computer, in a standard format.”³ What distinguishes EDI from other electronic exchanges such as fax or e-mail is the use of a standard format and the computer-to-computer exchange. These exchanges can take place between quite different computer environments and for this reason the EDI standard protocol is intended to be both hardware and software independent.

EDI is an increasingly popular form of business communication in which companies link their computer systems to swap documents electronically (invoices, purchase orders, credit notes).

Many large companies and the Canada Customs and Revenue Agency are already committed to EDI and so by default are the many companies and individuals trading with them. Typically an EDI network gets started when a dominant purchaser insists that all its suppliers get on the network if they wish to continue to do business with the purchaser.


3 EDI for Managers and Auditors, 2nd edition, CICA, 1993, Toronto, p. 3.

EDI transforms the business environment by creating electronic exchanges of documents in real time, on-line. Effectively, transactions and contracts are created through two interacting computer systems. Public standards have been developed for EDI so that organizations with dissimilar computing environments can exchange electronic business documents without using paper. The chief benefits of EDI include enhanced customer service, increased reliability of information and reinforcement of ties with business partners. However, these benefits come with costs: integration of client computer software with EDI, increased complexity associated with EDI technology and trading partner agreements (TPAs). The rapid growth of EDI globally in many industries indicates that the benefits outweigh the costs for most clients. EDI fundamentally changes the ways organizations do business, and consequently it is having a pervasive impact on how the audit is conducted.

I. Nature of EDI

To send or receive an EDI message, a company needs three basic elements: a generally accepted business format or EDI standards, a translation capability or EDI software, and a mail service or value-added network.

Standards are agreements on how data are to be structured for electronic communications. They define the acceptable contents of EDI messages and techniques for structuring these messages into the electronic message equivalents of paper-based documents. The most commonly used EDI standard in North America is ANSI ASC X12, developed by the American National Standards Institute. Internationally, the United Nations–developed standards of EDIFACT are prevalent for global use.

EDI translation software performs three basic functions: file conversion, EDI formatting and communications. File conversion software takes data stored in the company’s business application and formats it for input into the formatting software. The formatting program operates on this input data to translate it into the desired EDI format. Finally, the communications software dials the trading partner or communications network and sends the EDI-formatted data using acceptable protocols. This process is repeated in the reverse order at the receiving end.

The communication between sending and receiving partners’ computers can be direct or through a value-added network (VAN). In point-to-point communications, there is a direct access from the computer of the sender to the computer of the receiver. This access is commonly achieved through the use of telephone lines and a computer modem. This requires the trading partners to have the same communication protocols and, preferably, the same standard. A VAN serves as an electronic post office. With a VAN the sender relays the electronic message to the VAN, which either relays it to the receiver or holds it for later receiver pickup. It is a security risk to have computers linked directly to each other. By using a network that acts as a buffer between trading partners, the risk is avoided. Besides, most networks keep an activity log showing what mail was sent, where it went, and what was deposited in the mailbox and its source. This activity log can be used by auditors as a useful audit trail.⁴ The advantages of VAN are summarized in the accompanying box.

II. Implementation of EDI

Three general levels of implementation of EDI have been identified. The level of implementation is associated with the degree of integration between EDI and the organization’s existing processing applications.

Standard or “Door-to-Door” EDI. This involves a stand-alone computer, such as a PC, that sends documents to the EDI trading partner in standard EDI format. This represents the lowest level of integration. When the EDI document is received, it is translated into company-specific format, and is then usually keyed in manually into the recipient’s processing application.


4 D. Pirie and D. Sheehy, “Electronic Commerce,” CA Magazine, June/July 1996, p. 47.

Application Seamless Integration. On this more complex level, documents are received, authenticated and accepted into the “job stream” of the receiving computer applications. Careful attention must be given to which applications and business functions are affected by EDI.

Fully Engineered Business Processes in a Paperless Environment. On this level the organization is designed to fully integrate business processes with EDI. Many of the conventional intermediate processes and steps are eliminated in such an environment. This creates somewhat of a shock for auditors because of the unavailability of paper documents, the dependence on computer-based information systems, and the effect of an employee in one entity being able to initiate a transaction in another organization. A special type of EDI called an electronic funds transfer (EFT) completes the automation of sales/collection and purchases/payments, as depicted in Exhibit 21–4.

III. Benefits of EDI

EDI is capable of delivering significant benefits. A 1992 survey conducted by the EDI Council of Canada identified the most significant benefits of EDI as reinforcement of ties with a business partner, enhanced customer service, reduction of errors and increased reliability of information.

Business Survival. EDI has become a requirement to remain competitive in many industries. The speed with which a company responds to a business opportunity holds the key to its success. Furthermore, as EDI becomes an industrial norm, those without it will be unable to compete. Even if EDI is not a “requirement” in a certain industry today, it is likely to become a requirement in the future. The ability to receive and send electronic transmissions has already become a necessity in a number of diverse industries. It is believed that EDI will eventually become a vendor selection criterion. Examples of this pressure can be found in the Buick Division of General Motors, which sent a letter to its suppliers saying that to continue to do business with Buick, suppliers would be required to implement EDI within a given period of time.

ADVANTAGES OF VAN

• It reduces communication and data protocol problems, since most VANs have the appropriate facilities to deal with different protocols; the fact that the sender and receiver are not directly connected eliminates the need for them to agree on and implement a common protocol.

• The mailbox facility of the VAN allows one trader to deal with many partners without establishing numerous point-to-point connections.

• It reduces scheduling problems, since sender and receiver do not directly communicate; the receiver can, at its convenience, request delivery of the information from the VAN.

• The VAN is more likely than an organization that runs a point-to-point system to provide a third-party report for its customers (pursuant to Handbook Section 5900, “Opinions on Control Procedures at a Service Organization,” and AICPA SAS No. 70, Reports on the Processing of Transactions by Service Organizations). [Note the new SysTrust assurance service to be discussed later in this chapter is increasingly likely to replace Section 5900 in the future.]

• In some cases, the VAN provides value-added services, such as translating the application format to a standard format; the partner sending the data does not have to reformat.

• The VAN can provide increased security as it contributes to authentication of sender and recipient and can act as a network “firewall” to protect the entity.

Source: CICA, Audit Implications of EDI, CICA, 1996, p. 10.

Cost Efficiencies. There is a tremendous potential for cost savings. These savings result from the reduction in document processing tasks, better use of personnel, reduction in the cost of carrying and storing the inventory, and reduction of other costs such as premium freight and special handling. Also eliminated are manual sorting, matching, filing, reconciling and similar tasks. A recent study showed that the cost of generating a traditional purchase order is about $10. If you use EDI, the cost for a similar transaction drops to less than $1.⁵

Improved Internal Processes. Before it is possible to replace the manual system with electronic flows, the manual system must be understood. This usually results in an exhaustive review of the current operations and their organization as companies are forced to “take a hard look at themselves.” The result of a review is not only better understanding of the operations but also elimination of unnecessary steps and streamlining of operations.

One of the first areas of implementation of EDI was purchasing. Due to near-instantaneous communication with vendors acting as trading partners, the purchasing process cycle time has been drastically reduced. Studies have shown that purchasing cycles can be reduced from 7 to 10 days down to less than a day. International business trading can experience greater cycle time reduction. As a direct result, EDI can be used to better plan purchasing requirements due to closer ties with vendors and reduced cycle time. Furthermore, the level of inventory can be reduced to a bare minimum, which frees up vital storage for more value-added activities and lays the foundation for the implementation of just-in-time (JIT) inventory management systems. Such a demand pull process also reduces the working capital requirement. If EFT is also used, the cash cycle can be improved as customers can pay quickly and billing time and errors can be reduced. The prolonged impact on a corporation’s cash flow can be enormous. As the use of EDI spills over into other areas, further improvements will result, allowing companies to re-form strategic goals. For example, ICL in the United Kingdom reported over $200 million in inventory reductions and 70 percent reduction in administration costs due to JIT implementation through EDI. Refer to Exhibit 21–5 for a summary of the effects of a recent implementation of EDI at Canadian Tire.

E X H I B I T 21–4 SAMPLE INTEGRATED EDI/EFT SYSTEM

[Diagram. Parties: Buyer, Supplier, Buyer’s bank and Supplier’s bank, each connected to the others through an electronic mailbox. Between buyer and supplier flow the purchase order, shipping notice, invoice and acknowledgments; between the trading partners and their banks flow the payment order and remittance, payment order, payment advice, acknowledgment of receipt and acknowledgments.]

Source: Exhibit 1.1, Audit Implications of EDI, CICA, 1996, p. 2.

5 A. Salmon, “It’s Electronic Data Interchange or the Highway.” The Bottom Line, September 1996, p. 8.

Enhanced Customer Service. Through EDI a company has access to much more accurate information, and has access to that information in a timely manner. Accordingly, management can use information on a real-time basis and can more effectively address the concerns of customers. Reduced billing errors and ease of payment are examples of tangible benefits available to customers. “EDI improves customer service by disseminating product information and taking orders through a wide EDI network [which] increases market penetration and distribution significantly.”

Better Supply Chain Management. Relationships with suppliers can be improved because the co-operation and co-ordination required to implement EDI tends to build trust between the trading partners. EDI also helps to reduce the number of vendors as the firm concentrates on a few long-term suppliers who are more responsive to the firm’s needs.

Improved Ability to Compete Internationally. Because of increased market segmentation, product proliferation and shorter product life cycles, manufacturers must be able to respond to changes in the market and to introduce new products quickly. Concurrent product/process development helps manufacturers to respond quickly by cutting down the time it takes to get a new product to the market. For this type of development to work, EDI is necessary to help manufacturers and suppliers exchange information quickly and efficiently. Also, EDI allows for significant improvements in both accuracy and speed of processing international documentation involving numerous trading partners, ranging from freight forwarders, brokers and banks to insurers, customs and government agencies. Those organizations having mastered the correct technical infrastructure will find they have a definite competitive edge to enter global markets, and link up with new trading partners through common goals and business practice. “There are reports suggesting that the removal of trade barriers in Europe is likely to cause an explosion in EDI. Vendors are now talking in terms of global trading partners management and global software.”⁶

E X H I B I T 21–5 SUMMARY OF IMPLEMENTATION AND RESULTS AT CANADIAN TIRE CORPORATION

Implementation
• Implementation began January 1994.
• 419 stores linked to EDI system via satellite transmission.
• Mission statement of CTC, “to be the best at what our customers value most.”
• Senior management fit their mission statement to EDI implementation.
• CTC goals include:
  1) reduced cycle times
  2) reduced “stock-outs”
  3) reduced supplier changing costs
  4) reduced manual errors
  5) elimination of paper
• The ANSI X12 standard was adopted and all CTC trade partners were mandated to abide by this standard.
• A forecasting model and JIT were integrated with EDI system.

Efficiency Improvements
1) Cycle times—Typical order-filling cycle time was 10 days. Following EDI implementation, cycle time reduced to an average of 3 days.
2) Reduced “stock-outs”—EDI implementation allowed a 35% reduction in standing orders to be achieved.
3) Reduced supplier changing costs—Changing suppliers no longer requires lengthy renegotiation of contracts and tedious paperwork. Now CTC accesses a menu and with a keystroke changes a vendor immediately.
4) Reduced errors—Due to the massive amount of human interaction in the traditional system, the potential for error was large. With EDI the elimination has decreased the occurrence of errors by approximately 75%.
5) Elimination of paper—The CTC/vendor partnerships that have converted to EDI have enjoyed a 100% elimination of paper in their product transfer programs.

Improved Planning and Forecasting. Companies can better forecast and plan for receipt of goods and orders, which, in turn, streamlines the planning of manufacturing and assembling schedules. Financial aspects such as financing can be better timed and simplified by involving banks in the system. Furthermore, by capturing trading information directly from EDI transactions, companies can automatically produce a wealth of statistics for market research and strategic planning.

IV. Risks and Control

The objective of EDI to entice a large pool of economic partners into a fully integrated network exposes a business to greater interdependence and vulnerability. There will be more forward and backward integration with customers and suppliers with EDI. If there were to be a technical error in the system, the problem would extend beyond the business to the suppliers and customers. As a result, managers will have to establish contingency plans and auditors will have to monitor these plans by assessing reliance on controls to minimize the risk of mutual dependence among trading partners to an acceptable level.

When an auditor first encounters a client who has changed to EDI, there are many risk issues related to using EDI. Most have a bearing on the internal control structure. EDI alters the effectiveness of internal controls designed for processing transactions in a conventional way. New controls should be designed into an EDI system to effectively reduce the risks associated with using this type of data communication system. In particular, there is a loss in the paper audit trail.

Although EDI reduces paperwork, the loss of the traditional paper trail poses a problem to the auditor. In the past paper-source documents have provided substantive evidence of authorization and execution. Without this evidence there is a risk that unauthorized persons may approve or even tamper with transactions. Consequently, management must provide strict controls to ensure that automated transactions through EDI are properly adhered to. Furthermore, emphasis must be placed upon careful retention of records in magnetic media. If sufficient controls are not properly implemented, auditability of lost or contaminated data may be compromised.

Problems of Reorganization. Introducing EDI successfully requires that all those who will be affected by it fully understand how it will change the way the company operates currently and how it will function in the future. Top management support, early user involvement and organizationwide training are needed to develop EDI as a part of an overall change management strategy; otherwise, as an independent implementation, it will fail to achieve its full potential. Such a change strategy should include the corresponding arrangement of company structure, people and processes as it implements what amounts to an organizationwide engineering effort. The commitment of top management is pivotal and sometimes is described as the crucial factor in the success of a proposed project—no support, no go. This implies that the starting point should be enquiry of top management of their planning, detailing the need and benefits of such a project. Furthermore, client employees need to be won over through information sessions, training seminars and other similar steps. These are necessary to realize the full benefits of EDI technology.

In order to further minimize reorganization problems, management should research the hardware, software, standards, network and communication needs. This can be done through groups, conferences and affiliations with EDI councils and standards-setting bodies for the industry. The reorganization process should be an interactive and participative one.

The successful implementation of EDI is dependent upon a commitment from the entire organization. A co-operative atmosphere must be established between all stakeholders. Auditors, managers, third-party providers and trade partners must all form project teams to carry out carefully prepared plans. Auditors should participate early in the planning stages of EDI development to have their views addressed early. There must be open communication and a creative freedom for all parties so that the new EDI system will be effective and accepted. Finally, it is paramount that the EDI implementation plan be marketed and integrated into the corporate strategic plan. In addition, however, there are risks to be addressed with a new EDI system. Just as a strategic plan must be formulated, an assessment of the risks must be analysed by all of the stakeholders.

6 CICA, EDI for Managers and Auditors (2nd Edition), CICA, 1993, p. 29.

Accuracy and Completeness. The records and details of transactions are all initiated, transmitted and retained in electronic media. In the absence of a comprehensive system of data validation and security, transmission and transaction errors will happen without detection, and data could be subjected to unauthorized amendment or disclosure to third parties. Therefore, it would be difficult to have faith in the integrity of any document received. This could result in additional cost from inaccurate processing and loss of competitive advantage leading to potential financial loss. The risk is acute in EDI, especially when EDI involves the electronic transmission of payments, where there must be trust between the sender and the recipient of the payment transmission. In order to prevent loss, omission or fraud, sufficient controls should be implemented to ensure the accuracy and completeness of input, processing and transmission of messages. Guidelines should be set to ensure that only mandated personnel are authorized to originate the transmission. Adequate validation systems should be designed to validate a record’s existence and authenticity, with exception reporting of irregularities at regular intervals.

Security. Another major concern with EDI systems is security. Obviously, access control becomes a greater concern when EDI is used, and this forces almost complete reliance on preventive controls. All confidential, significant data should be protected against unauthorized disclosure or modification during storage and transmission, and physical access to EDI equipment should be restricted.

Cryptographic security may be used to provide authorization control and an audit trail of archives. There are two types of cryptographic security that are in use for EDI data. One is encryption, which protects confidentiality of messages, and the other is authentication. Encryption is the coding of a message into unreadable data. The sender of the message should use a special data encryption standard (DES) algorithm and key to transform readable text into unreadable coded text. The unreadable coded text is transmitted to the trading partner, who uses the same DES algorithm and key to decode the message.

On the other hand, authentication protects the integrity of the message, since any modification of the data becomes obvious. With authentication, a DES algorithm is applied to an EDI message. The algorithm produces a coded, shortened version of the message, called a message authentication code (MAC). The MAC is usually a 64-bit string of data. The MAC is attached to the original message and both are sent to the trading partner. Upon receipt of the message with a MAC, the receiver recomputes the MAC using the original message and the DES algorithm key. If the two MACs are identical, the receiver knows that there has been no modification to the original message during transmission.
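The authentication exchange just described, as an added example that is not from the textbook or the CICA materials: the sender attaches a MAC to a purchase order, and the receiver recomputes the MAC over what it received and accepts the message only if the two codes match. Because Python’s standard library has no DES, HMAC-SHA256 (a 256-bit tag) stands in for the 64-bit DES MAC in the text; the shared key, the X12-style purchase order and the MAC* trailer segment are all constructed for the example.

```python
"""Message authentication for an EDI transmission (added illustration).

HMAC-SHA256 from the standard library stands in for the DES-based MAC in the
text; the key, the purchase order and the MAC trailer segment are constructed.
"""
import hashlib
import hmac
from typing import Tuple

# Constructed shared secret held by both trading partners (in practice exchanged
# out of band under the trading partner agreement, never inside the EDI channel).
SHARED_KEY = b"constructed-trading-partner-key"

# Constructed X12-style purchase order, as the sender's translator would emit it:
# 100 units of part WIDGET-7 at $12.50, order number PO4521.
PURCHASE_ORDER = (
    "ST*850*0001~"
    "BEG*00*NE*PO4521**19960614~"
    "PO1*1*100*EA*12.50**VP*WIDGET-7~"
    "CTT*1~"
    "SE*5*0001~"
)


def compute_mac(message: str, key: bytes = SHARED_KEY) -> str:
    """Sender side: a fixed-length authentication code over the whole message.
    Any change to the message, or a different key, yields a different code."""
    return hmac.new(key, message.encode("utf-8"), hashlib.sha256).hexdigest()


def attach_mac(message: str, key: bytes = SHARED_KEY) -> str:
    """Sender side: append the MAC in a constructed trailer segment and send both."""
    return f"{message}MAC*{compute_mac(message, key)}~"


def split_transmission(transmission: str) -> Tuple[str, str]:
    """Receiver side: separate the original message from the attached MAC."""
    body, marker, trailer = transmission.rpartition("MAC*")
    if not marker or not trailer.endswith("~"):
        raise ValueError("transmission carries no MAC trailer")
    return body, trailer[:-1]


def verify(transmission: str, key: bytes = SHARED_KEY) -> bool:
    """Receiver side: recompute the MAC over the received message and compare it
    with the transmitted MAC.  Only an identical code means the message arrived
    unmodified; the comparison is constant-time so the check itself leaks nothing."""
    try:
        body, received_mac = split_transmission(transmission)
    except ValueError:
        return False
    return hmac.compare_digest(compute_mac(body, key), received_mac)


# Control-design note: the MAC proves integrity and origin of each message, not
# confidentiality (the order is still readable in transit, which is what the
# encryption described in the text is for) and not uniqueness (an exact duplicate
# verifies too), so controls against duplicate messages remain necessary alongside it.

if __name__ == "__main__":
    sent = attach_mac(PURCHASE_ORDER)
    print("intact message verifies:", verify(sent))
    altered = sent.replace("PO1*1*100*", "PO1*1*1000*")   # quantity changed in transit
    print("altered quantity verifies:", verify(altered))
    print("wrong key verifies:", verify(attach_mac(PURCHASE_ORDER, b"some-other-key")))
```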

While the use of encryption and authentication can help to control transferring and validation of EDI data, additional controls are still needed to restrict physical access to EDI equipment. The use of authorization codes, passwords and smart cards, for example, can help to prevent unauthorized use of physical equipment.

Application Failure. Application failures or even systems downtime can have a significant negative effect on partners within the business cycle. The risk of failure of an application exposes the trading partners to potentially material losses unless effective contingency plans are in place to allow fast recovery. This is made worse where the EDI application is closely integrated with inventory management and production processing. Management should ensure that the appropriate backup, retention and contingency plans are in place to minimize the domino effect of such failures on existing systems or other trading partners along the EDI time line. Adequate contingency planning should include alternative methods of transmitting data and processing data during the application failure; management should also plan for recovering the EDI application within the tolerance period.

Risks of Integration. Whenever information systems applications such as order processing become integrated with other business applications such as inventory management and production control, as in EDI, the risk of a domino effect resulting from errors, omissions and failures is markedly increased. The speed of transactions and the lack of human intervention in EDI systems increases the magnitude of consequences several fold. Integrating signals a higher level of complexity, sophistication, dependency, vulnerability and contingency. Therefore, cost is proportionately higher, unless adequate compensating controls and contingency plans are implemented along with EDI. Vigorous testing and the auditor’s early participation in the development are strongly recommended.

Interdependence and Cross Vulnerabilities. EDI enlists a large number of partners into a wide data communication network to be used as a fully integrated tool to support transactions and business decisions. With an increased number of partners, there is a corresponding increase in the level of interdependence upstream from suppliers and downstream to customers. The mishaps of one partner within the EDI business cycle can start a chain reaction, making other trading partners vulnerable. The mutual reliance between trading partners exposes both parties to certain levels of uncontrolled risks, especially as EDI involves high speed and low human intervention. A proactive plan to identify and prevent problems becomes necessary. No longer can transactions simply be subject to the controls unique to one organization. Internal controls must be expanded in a co-ordinated and co-operative manner to include one's trading partners and even the value-added networks. Mutual control must ensure that transactions are initiated, transmitted over a public-switched network and received in a manner that retains the integrity and confidentiality of the paper-based system.

Managing the trading partner in the value chain is also vital for competitive advantage. Companies have to ensure that they choose committed trading partners who understand the benefits of EDI and whose internal processes and systems can be adapted to EDI technology. Care should be taken in selecting trading partners, and sufficient data should be gathered using tools such as questionnaires to ensure technological and strategic compatibility. It is a good idea to document the standards and guidelines in the trading partner and network agreements to ensure that there is a mutual understanding of respective responsibilities and obligations. In addition, understanding the way your trading partner conducts business is crucial to enhancing partnership quality.

As the use of EDI and e-commerce grows in Canada, organizations will share more information with their trading partners. This merging of interorganizational data exposes organizations to substantial reliance between trading partners. To reduce the risk of exposing firms to a total paralysis in their interdependent systems, managers implementing EDI must make concerted efforts to understand their trading partners' business. It is no longer acceptable to withhold information and remain secretive. The level of interdependence between trading partners must be clearly understood. Performance measures including cost structures and market share must be shared, and improvements in efficiency must be set by all trading partners. An atmosphere of collaboration, co-operation and mutual trust is required to make an EDI network successful. This illustrates that in the new electronic commerce economy that is evolving, interdependence may be a key characteristic for remaining competitive. This suggests that the economic dependence and related party transaction issues discussed in Chapter 14 will become more important in the new, interconnected global economy.

Risks of Third Party Network Providers. EDI depends on numerous software and services supplied by third-party network providers. Using third-party network providers to transmit EDI transactions to trading partners gives rise to a number of potential risks. For example, confidential information could be disclosed to unauthorized third parties; unauthorized transactions could be introduced by third parties; transactions could be lost, causing business losses and inaccurate financial reporting; and audit trails could be lost.

CHAPTER 21 Audit of Advanced Systems and Electronic Commerce 21

Controls to deal with third-party relationships should be used, such as requesting an auditor's report on the overall controls of the service organization, assessing the service provided, specifying each necessary obligation and responsibility in the third-party network contract (especially the confidentiality guarantee) and conducting regular meetings with third-party network providers to review problems and ensure appropriate corrective actions.

Uncertain Legal Status of EDI Contracts. EDI technology has outpaced the legal system's ability to keep pace with technological change. Many legal disputes may be related to the electronic transactions of EDI (e.g., evidence, enforceability and liability). In most countries there is little legal precedent concerning responsibility and liability for transactions executed via EDI. Many jurisdictions have yet to decide on the legality of electronic documents and what effectively constitutes a legal electronic signature to bind parties to a contract.

The controls for potential legal risk that management can pursue include enlisting third-party arbitration, signing formal agreements and understanding current documents, such as the EDI Model Trading Partner Agreement, the Canadian Payments Association Standards and Guidelines Applicable to EDI, and the EDI Payments Capable Guidelines.

According to J. Babe in "The Legal Pitfalls of EDI" (The Lawyers Weekly, May 23, 1997, p. 3): "The need for paper based contracts continues because the law is not there to otherwise regulate or interpret [a business] relationship, absent such contract." She continues:

Businesses are advised to enter into "interchange agreements" or "trading partner agreements" at the start of their relationship, to document on paper the terms of their deal and the standards which will apply to their transmissions. These agreements provide for not only the terms of the deal, but also for hardware and software issues such as transmission standards, deemed receipt, etc. . . .

Drafters of these agreements should at least start with one of the standard forms of interchange agreements for that industry, or with the Uniform Rules for Conduct of International Trade Data Teletransmission, to ensure the coverage of the numerous legal and technical issues between the trading partners, and with any VAN or VANs linking the parties and their similar or dissimilar technologies.

Drafters can then use these standards as mandated by the customer or industry, and add custom drafting to tailor the deal as necessary.

The CICA study Audit Implications of EDI outlines a model agreement, shown in the Trading Partner Agreement (TPA) Model box below.

Babe also identifies rules of evidence as a crucial issue. Generally the rules relating to records or documents are that they will be accepted by the courts if they:

are from highly reliable sources, e.g., bank records, government records and records of other public bodies which have no interest to the action and which prepared the record in the regular course of their work. Case law has endeavoured to apply these foregoing rules on records—formulated for paper-based documents—to electronically produced or stored records. Unhappily, these cases are not consistent (see R. v. Bell, [1985] 2 S.C.R. 287 and R. v. McMullen (1979), 25 O.R. (2d) 301 (C.A.) . . . To provide certainty, New Brunswick enacted An Act to Amend the Evidence Act, which received Royal Assent on April 25, 1996.

Correct Approach?

Not everyone agrees that this legislation—which generically includes as evidence documents in electronic formats, if the original copy has been destroyed—was the correct approach. There are concerns about the lack of required proof of the software or electronic imaging system integrity in copying, storing or reproducing such documents. Altered electronic records are hard to spot. The validity of such electronic records relies largely on the systems used and security of those systems.

The Uniform Law Conference of Canada has published its Proposal for a Uniform Evidence Act. This proposal has been circulated for input from Canadian Bar Association members and other law reform conferences, and requires that evidence be given on methods and security for electronic records creation and storage. The Nova Scotia Law Reform Commission is also drafting new legislation for both electronic evidence and electronic signatures.

In short, business is progressing, but the law has a lot to do to catch up.


Auditability Issue. The general implications for auditors relate to the loss of an audit trail resulting from the paperless environment and lack of human intervention, which in turn results in total dependence on the electronic system. All of this significantly increases risk, making control assurance the key objective for EDI environments. This in turn gives rise to a need for monitoring (EDI) controls throughout the period under audit.

Trading partner agreements frequently include an obligation to report and disclose compliance with a set of specified standards of EDI control. Increasingly, auditors will be asked to provide opinions on the EDI control environment, such as the new SysTrust assurance service discussed later in this chapter, largely to satisfy the reliability requirements of the record-keeping system for legal purposes, as noted above. Eventually, such opinions are likely to be made mandatory and fully generalized. This will require further development of control standards and criteria. Also, auditors will have to be better trained in this emerging area of information technology (IT).

An audit trail can be defined as those documents, records, journals, ledgers, magnetic media, transaction master files and accounting reports that enable an auditor to trace a transaction from source document to summarized total in an accounting report and vice versa. EDI alters the traditional transaction audit trail, and thus there is a risk that unauthorized persons might initiate transactions or modify the transaction trail (refer to Exhibit 21–6). The control objective should be to maintain adequate audit trails with regard to transactions and the ability to preverify and adequately monitor electronic authorization controls and integrity controls. Automated controls involving electronic signatures, approvals and authorizations should be designed and implemented to establish effective operational control.

TRADING PARTNER AGREEMENT (TPA) MODEL

The following represents an outline model of the various clauses expected to be included in a typical TPA agreement. Generally, a TPA would cover these core clauses. It remains a matter of tailoring according to the specific local governing laws and adding whatever other clauses the contracting parties, assisted by legal counsel, would choose to include. This is the case for the American Bar Association (ABA) TPA model, the EDI Council of Canada TPA model (prepared by the Legal and Audit Committee), the Australian model and various European models.

Outline
1. Identification of EDI standards.
2. Identification of third-party service providers.
3. Obligation to conduct EDI competently.
4. Adoption of signatures.
5. Place and time of message receipt.
6. Functional acknowledgments.
7. Application acknowledgments.
8. Garbled transmissions.
9. Trade terms and conditions.
10. Disclaimer of confidentiality.
11. Legal enforceability of transactions.
12. Termination of agreement.
13. Disclaimer of obligation to enter into transactions.
14. Limitation of liability.
15. Arbitration.

Source: CICA, Audit Implications of EDI, CICA, 1996, p. 23, Exhibit 3–3.

Since EDI extends beyond one company, it poses a serious problem for the auditor's evaluation of internal controls in an EDI system. It is difficult enough to focus on the internal controls of one separate entity. However, in an EDI system the auditor is faced with looking at how EDI affects the internal controls of the entity and the interconnected parties; this complicates how auditors examine internal control. In other words, the distinction between where one set of internal controls ends and another begins gets blurred in EDI systems. The box below summarizes the difference between EDI and more traditional computerized environments.

EXHIBIT 21–6 SUMMARY OF EDI'S IMPACT ON THE AUDIT TRAIL

In using EDI, the audit trail is affected in the following ways:

1. Source documents are transcribed into machine-readable form and are difficult to access.
2. Traditional source documents may be eliminated.
3. Ledger summaries are replaced by master files.
4. The data processing file does not necessarily provide a transaction listing or journal.
5. Files are maintained in a magnetic medium and can only be read by computer.
6. Because processing activities are done inside the computer and through electronic media, the transaction trail cannot be directly observed.

TRADITIONAL VERSUS EDI COMPUTERIZED ENVIRONMENTS

• The traditional computerized audit environment has boundaries between the audit client and other parties to the transactions. As a result of the boundaries, documents are produced as evidence of the transaction. In an EDI environment, transactions flow seamlessly from one party to another, with little or no physical evidence that the transaction has occurred.

• In an EDI environment, data security and controls need to include the protection of information that has physically left the entity and is en route to other trading partners. The information that is being sent must be protected against alteration, physical mishaps, sabotage and theft.

• To evaluate EDI evidence that exists only in an electronic form may require the auditor to use data extraction tools that were not essential in a traditional computerized audit environment.

• In an EDI environment, authorization, completeness and accuracy of transactions may not be as evident as in a more traditional environment. They may be expressed in the trading partner agreement and in program logic, and perhaps evidenced in cryptic digital authentication codes. To assess these application control objectives, the auditor is likely to need knowledge of the agreements and of system processes.

• In an EDI environment, the use of third-party service providers (such as VANs) is prevalent. These present separate audit considerations.

Source: Audit Implications of EDI, CICA, 1996, p. 26.

V. Internal Control in the Context of an Audit

1. Auditing Objective. The objective of auditing is to obtain a level of assurance that management representations as expressed in financial statements are a fair representation of the actual economic activities of the organization. Generally accepted auditing standards require that any opinion offered by the auditor be supported with sufficient persuasive evidence.

In arriving at an opinion, the auditor must obtain assurance regarding the overall control environment of the organization, identify the areas where there is risk and identify the potential errors in the transaction cycles. This involves identifying and testing the controls in place to prevent the occurrence of errors and to ensure the detection of errors. The relative materiality of the transactions processed using EDI, the volume of the transactions, the impact of the environmental controls on the EDI platform and the level of sophistication of the EDI system will all affect the audit approach. An understanding of the EDI environment is mandatory before the risks can be analysed and determined. The identification of controls in EDI can then be conducted and the appropriate level of testing determined. In designing the audit approach, the auditor should keep in mind that traditional audit tools may not be adequate to audit EDI.

While some form of substantive testing is required for year-end purposes, the level of testing is a direct function of the degree of reliance on the controls. There must be a cost-effective balance between the two. Recognizing the complexity of the technology affecting the transient nature of the audit trail, substantive procedures may not be an acceptable alternative. Where substantive procedures are not an alternative, the auditor must be able to rely on the systems. If insufficient assurance exists, the auditor should adjust the report accordingly. These issues are further discussed in the continuous auditing section later in this chapter.

2. Auditability. With information systems, an organization should focus concurrently on three objectives: strategic support, control assurance and cost effectiveness. In the EDI environment the transient nature of the audit trail, the resulting paperless environment and the lack of human intervention combine to create a significant increase in risk. That is why control assurance should become the key objective for EDI environments.

With respect to the objective of control assurance, the key concern has to be the auditability of the EDI environment and associated system. As defined in the CICA's study, EDI for Managers and Auditors (2nd ed., p. 132): "Information is auditable in the context of modern information systems when it can be substantiated by tracing it to source documents, which can be based on paper or paperless media, or when reliance can be placed on preverified, certified and continually monitored control processes." This means that management should implement adequate preverified and certified monitoring systems to ensure continued control functionality of the computer applications.

Auditors, on the other hand, are faced with a paperless trail and are dependent upon the system output that generates the financial statements. Auditors should be concerned about raising enough evidence to support an opinion regarding the fairness of these financial statements. Furthermore, they need to constantly monitor the control environment through substantial compliance testing to provide assurance that these EDI financial statements are reliable. This is achieved by analysing and testing the application controls of the business. This creates a shift in traditional auditing. In the past auditors would have to focus on a point in time and perform significant substantive tests. EDI, on the other hand, requires operations review on a continuous basis. Hence, many auditors see EDI implementation shifting audits from a balance sheet focus to an operations/compliance approach. Also, there is even more reliance on environmental and general controls because of the "migration" of application controls to general controls.

According to the CICA’s study Audit Implications of EDI (1996, p. 33):

Because of the impact of EDI on the client's business, a substantive audit approach may no longer be cost-effective. It should be noted that effective application and general controls are important for effective EDI transaction processing. As a result, there should be a number of effective internal controls and the auditor should be able to assess control risk at below maximum.

To assess control risk below maximum, the auditor will need to be able to perform tests of controls. This involves knowledge of the controls that should be present and knowledge of the audit techniques that might be followed.

D. Pirie and D. Sheehy review the major audit techniques for EDI in their article "Electronic Commerce" (CA Magazine, June/July 1996, p. 47):

An ITF is a fictitious entity on a live data file. It enables an auditor to enter test transactions into the system without corrupting the integrity of real operational or financial data. Most, if not all, EDI software vendors provide built-in ITF capability. This is why it currently is the most popular EDI audit technique. An auditor can launch test transactions through the VAN to test controls that are part of the systems under evaluation. (The client would have to authorize the VAN to accept transactions from the auditor and forward them to the client's mailbox.) The auditor could launch these test transactions on a continuous or periodic basis and compare expected processing results. An alternative would be to set up audit transaction types (registered with the VAN) that duplicate current transactions and process these back to the auditor. The box below gives an illustration of an ITF.

Embedded audit modules enable continuous monitoring and analysing of transaction processing, which is particularly effective in high-volume, real-time systems in which timeliness, completeness, accuracy and validity of transactions are essential. Embedded audit modules are often implemented for the applications that pose the highest risk, particularly when transaction files may not be available for subsequent analysis.

These modules allow the auditor to select samples at any time because the data are selectedduring the normal production process.

A concurrent audit tool, while similar in purpose to an embedded audit module, is designed and controlled by the auditor and linked into the organization's information system rather than being part of the system. It allows an auditor to evaluate the client's controls when a transaction is being processed without disrupting the client's normal operations. It can be linked into the system for a short time to perform tests and provide audit evidence. For clients with weak controls, a concurrent audit tool gives an auditor the opportunity to perform analytical procedures and substantive testing on data captured by the tool. When client controls are strong, the auditor can use the tool to test controls. The major application controls can be classified by major audit assertions.

In an EDI environment, there are no classic "batch total" control procedures for completeness. Therefore, the program must establish this control when a transaction is initiated or received. Controls can be built into any or all of the application, translation or communication levels of software to assure all transactions are complete. Some combination of sequentially numbering and computer matching EDI transactions is typically used. The auditor needs to know how the client tracks EDI transactions through its software layers and what reconciliation procedures are performed by the application software, or by special control programs that analyse the EDI transaction log files and other control files.

Message authentication allows each party to verify that data received are genuine and have not been altered (existence/occurrence).

Pricing or valuation information for a transaction may come from the EDI purchase order or a mutually controlled pricing catalogue maintained by trading partners.

The EDI trading partner agreement specifies measurement/ownership (rights and obligations) of goods, which is often independent of their physical flow.
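The sequence-numbering and computer-matching control that the quoted passage describes for completeness, as an added example (not code from the textbook or from the article): a small control program reads a constructed outbound translator log and a constructed acknowledgment log, and reports gaps and duplicates in the control-number sequence, transactions never acknowledged or acknowledged as rejected, and acknowledgments for numbers that were never sent. The log layouts, field names and partner name are assumptions made for illustration.

```python
"""Completeness reconciliation of an EDI transaction log by control-number matching.

Added example for this chapter, not code from the textbook or the cited
article. In place of batch totals, the check pairs the sequential control
numbers the translator recorded as sent with the functional acknowledgments
the trading partner returned, and reports gaps, duplicates, unacknowledged
and rejected numbers, plus acknowledgments for numbers never sent. The two
log formats below are constructed for illustration; real translator and VAN
logs differ in layout but carry the same fields.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed outbound log: one line per interchange sent to partner ACME
OUTBOUND_LOG = """\
1997-05-23T09:00:01 SENT partner=ACME ctrl=000000101 set=850
1997-05-23T09:00:05 SENT partner=ACME ctrl=000000102 set=850
1997-05-23T09:00:09 SENT partner=ACME ctrl=000000104 set=850
1997-05-23T09:00:14 SENT partner=ACME ctrl=000000105 set=850
1997-05-23T09:00:14 SENT partner=ACME ctrl=000000105 set=850
"""

# Constructed inbound log: functional acknowledgments, A = accepted, R = rejected
ACK_LOG = """\
1997-05-23T09:10:00 RECV partner=ACME ack_ctrl=000000101 status=A
1997-05-23T09:10:02 RECV partner=ACME ack_ctrl=000000102 status=A
1997-05-23T09:10:03 RECV partner=ACME ack_ctrl=000000105 status=R
1997-05-23T09:10:07 RECV partner=ACME ack_ctrl=000000199 status=A
"""

SENT_RE = re.compile(r"\bSENT\b.*\bctrl=(\d+)")
ACK_RE = re.compile(r"\bRECV\b.*\back_ctrl=(\d+)\s+status=([AR])")


@dataclass
class CompletenessReport:
    gaps: list             # numbers inside the sent range that were never sent
    duplicates: list       # numbers sent more than once
    unacknowledged: list   # sent, but no acknowledgment received
    rejected: list         # acknowledged with a rejection status
    unexpected_acks: list  # acknowledged but never sent: follow up with the partner

    def is_clean(self) -> bool:
        """True when every exception list is empty."""
        return not any(vars(self).values())


def parse_sent(log: str) -> list:
    """Control numbers in the order they were written to the outbound log."""
    return [int(m.group(1)) for m in SENT_RE.finditer(log)]


def parse_acks(log: str) -> dict:
    """Map each acknowledged control number to its status code."""
    return {int(m.group(1)): m.group(2) for m in ACK_RE.finditer(log)}


def reconcile(outbound_log: str, ack_log: str) -> CompletenessReport:
    """Match sent control numbers against acknowledgments and list exceptions."""
    sent = parse_sent(outbound_log)
    acks = parse_acks(ack_log)
    counts = Counter(sent)
    gaps = []
    if sent:
        gaps = [c for c in range(min(sent), max(sent) + 1) if c not in counts]
    return CompletenessReport(
        gaps=gaps,
        duplicates=sorted(c for c, n in counts.items() if n > 1),
        unacknowledged=sorted(c for c in counts if c not in acks),
        rejected=sorted(c for c, s in acks.items() if s == "R" and c in counts),
        unexpected_acks=sorted(c for c in acks if c not in counts),
    )


if __name__ == "__main__":
    report = reconcile(OUTBOUND_LOG, ACK_LOG)
    for name, value in vars(report).items():
        print(f"{name}: {value}")
```

On the constructed logs the program reports a gap at 103, a duplicate send of 105, 104 never acknowledged, 105 rejected by the partner, and an acknowledgment for 199 that the client never sent. The last category is the one that the quoted article's concern about unauthorized transactions from third parties makes worth checking: an acknowledgment with no matching outbound record means either a log failure or a message the partner received from someone else.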

Example—One example of an integrated test facility application is in a large health insurance organization that electronically receives and pays claims from hospitals. Using the auditor account at the VAN, or other access into the organization's system, the auditor submits a series of claims (e.g., dental claims, surgical claims) via EDI and reviews the claims register to determine which claims were paid and the amount of payment. The test claims include a variety of conditions, including claims both for individuals who are entitled to benefits and for fictitious individuals. In addition, procedures such as heart surgery that are payable by the insurance company, procedures such as cosmetic surgery that are not covered by insurance, and charges within and in excess of reimbursable limits are tested. The test data go through the system and output is routed to the test division or dummy account. This file is then reviewed online by the auditor.

In EDI audits, the extent of substantive testing may be minimal compared to compliance testing. Upon completing the testing of the EDI systems, the auditor must decide on the level of assurance that has been obtained. The testing may reveal the need to audit related systems of trading partners, or affect the extent of substantive testing of year-end balances. With respect to year-end testing, the appendix to Chapter 10 of this text has already considered the impact of EDI on the auditing of payables. The 1996 CICA study Audit Implications of EDI has this to say about auditing year-end balances electronically:

Confirmations may also be performed electronically between the auditor and the client's trading partners. To work successfully, however, trading-related applications may need to be modified to automatically retrieve the requested information, format it in an EDI transaction set, and transmit it to the requesting auditor. The development of an EDI confirmation transaction depends, to a large extent, on the relevance of confirmations in future audits. In an integrated EDI environment, where the higher velocity of transactions could result in immaterial receivable and payable balances, confirmations may be unnecessary. Subsequent payment review would probably be more efficient . . .

[However], because of the impact of EDI on the client's business, a substantive audit approach may no longer be cost-effective. It should be noted that effective application and general controls are important for effective EDI transaction processing. As a result, there should be a number of effective internal controls and the auditor should be able to assess control risk at below maximum.

To assess control risk at below maximum, the auditor will need to be able to perform tests of controls. This involves knowledge of the controls that should be present and knowledge of the audit techniques that might be followed. Appendix C [of this study] also sets out a general audit program that might be considered when performing tests of controls and conducting substantive tests in an EDI environment.

It is clear that the integrity of controls is the primary concern for the auditor in EDI systems. In addition to the application controls reviewed earlier, the auditor needs to consider such general controls as access controls for third-party trading partners, controls regarding program and file changes, controls of network service procedures and appropriate retention, back-up and contingency plans. As noted in Chapter 8, most auditors consider the general controls more important than application controls, to the point that if general controls are weak, auditors are much less likely to place reliance on application controls. This audit strategy is even more true of advanced systems because, as noted earlier, in advanced systems there tends to be a migration of controls from specific applications to more general controls.

The comprehensive guidance provided in Criteria for Control (COCO), discussed in Chapter 15, provides a consistent and comprehensive framework for evaluating the effectiveness of a company's internal control system, in particular the challenges created by EDI systems. Auditors are being encouraged to apply the principles identified in COCO to all kinds of systems. With experience perhaps the impact of COCO on EDI system evaluation will become more evident. If, after the evaluation, there is a high enough risk of serious weaknesses in the EDI control system, the auditor may need to issue an opinion reservation. In other words, the EDI controls may be so important that the auditor may not be able to get enough assurance without some reliance on them.

Other Issues

1. Institute’s Role

a) Standard setting. EDI is a new technology that is adding to the challenges facing the auditing profession. There is a need for PA professional groups to increase their own knowledge of EDI technology and issue guidelines, standards and other technical assistance to auditors in the field attempting to cope with these activities. The existing CICA guidelines on advanced systems do not directly concern themselves with EDI or electronic commerce.

However, recently there have been co-operative efforts with the AICPA on developing audit technique studies. These technique studies often precede any guidelines or standards that eventually appear in the Handbook. Two such recent studies are Audit Implications of EDI (1996) and Audit Implications of Electronic Document Management (1997).

b) Proper training. The institute should provide proper training to auditors so that they have the necessary knowledge and expertise to exert professional judgment to assess and report on the existence and effectiveness of internal control systems in the EDI context. To evaluate the adequacy of control, auditors must understand hardware and software control features such as cryptographic control techniques. Specialized audit technique studies are a useful beginning for such training.

2. Auditor’s Expanding Role

a) Co-operate with internal auditors. The external auditor has a responsibility toward the external users and therefore will have different overall objectives than the internal auditor. However, with regard to the review of the entity's internal control systems, the external auditor may place reliance on the work of the internal auditor. The external auditor would also need to consider the internal auditor's competence and objectivity and evaluate his or her work. In practice, the external auditor and internal auditor should work jointly in designing the audit procedures to be applied. The existence of the internal auditor does not relieve the external auditor of the responsibility to conduct such audit procedures as are considered necessary to support the audit opinion. The external auditor must have the competence and level of knowledge to be able to review the internal auditor's work and conclude on its adequacy in meeting the external auditor's objective. For additional details on reliance on the work of internal auditors, see Chapter 6.

b) Work as proactive consultant to the client. "Some of the audit benefits of EDI include a compressed business cycle (thereby reducing year-end account balances for receivables, payables and inventories), improved completeness of transaction data because of agreed-upon standards for messages and data transmission and improved accuracy of transaction data because of the standardization of data formats and the absence of rekeying" (A. Pirie and D. Sheehy, "Electronic Commerce," CA Magazine, June/July 1996, p. 45). But such benefits are possible only when the EDI system is well designed. The auditor should act as a control consultant, assessing the viability of the compliance program or control self-assessment program as a way to implement the new controls required of the EDI system. Auditors should also be proactive in providing value-added input to the EDI project by assessing the adequacy of internal controls.

An auditor can provide valuable service to the EDI project management team by focusing on the following:

• Evidence of proactive planning versus reactive response.

• Existing manual controls that have been replaced by automated ones. The rule of thumb is that the new controls must be at least as good as the old ones.

• Controls differentiation between PC-based EDI systems and mainframe EDI.

• Definition of responsibilities for maintaining versions of standards and the trading partner directory.

• Co-operative problem solving and relationship building with trading partners.

• Identification of a qualified co-ordinator to deal competently with functional areas along the EDI time line.

• Industry affiliation and appropriate level of participation.

• Criteria for implementation sign-off by executives, if applicable, that include considerations transcending organizational boundaries.

c) Help in EDI system development. From an audit standpoint the development and documentation of the EDI system is an important time in which to emphasize control. Application controls should be built in before the EDI system becomes operational, so that the system will be reliable at the outset. Some companies involve internal auditors at the systems development stage. However, there is controversy about the role of independent external auditors during EDI system development. One view favours a limited role for the external auditors at the development stage, since involvement affects the auditor's independence. The other view asserts that external auditors should contribute their knowledge to the design and testing of the system because of their expertise in the area of internal control.

The external auditor’s role during the design and development of EDI systems is crucial for providing reasonable assurance to management that auditable and properly controlled systems are being developed. During the development of an EDI application, the auditor should perform a review of the design of the controls structure and provide input to the development effort. Any control weaknesses must be identified at the early stages of development, since the cost of modifying the systems after implementation can be prohibitive. The auditor should work with the development and implementation teams through to the acceptance testing stage. However, this may raise concerns about auditor independence. This issue is discussed in more detail in the continuous audit section later in this chapter.

3. Audit Implication of Legal Liability.

When EDI is only used to transmit informational data, legal issues do not normally arise. However, when EDI is used as a basis of forming a legally binding agreement such as a contract, legal concerns will come into play. Of all the components required for a legally enforceable contract, the requirement of writing and signing is the most pertinent to EDI. With an EDI transaction, the concern is that the agreement is not in writing and does not have a signature.

The courts have been accepting other forms of electronic transmission, such as telegrams and faxes, as acceptable when addressing the question of writing and signature. An EDI purchase order or contract could be purely electronic, however, while the other forms of electronic transmission all result in a physical document. As no court ruling has yet examined a completely electronic transmission under the writing and signing provision, there is still room for argument over whether EDI will qualify under the writing and signing requirements for a valid contract. For this reason, many companies use a trading partner agreement to specifically address this issue. The writing issue can be solved by expressing in the trading partner agreement that the EDI messages shall be deemed written and would become fixed in a tangible medium of expression. Likewise, the parties can agree in the trading partner agreement that a particular identification code or message authentication code will be accepted as a signature between the two parties.

Another area of EDI activity that often raises legal questions is the liability of EDI third-party vendors, particularly value-added networks and Internet service providers. As with the other EDI issues, no specific EDI case has yet been brought before the courts. Nevertheless, cases involving the other forms of electronic transmission can be considered. In the case of Postal Telegraph Cable Co. v. Lathrop, the telegraph carrier was liable for the damages suffered by the innocent party caused by its proven negligence. This seems to suggest that a VAN that has a close relationship with its customer and is likely to be aware of the potential for damages could be liable for consequential damages in the case of a failure on the part of the network. As a result, most VANs require that customers sign a contract that significantly limits the VAN’s liability. The warranty and contract remedy disclaimer clauses that are commonly used are generally effective.

In assessing the risk of the clients and the planned level of audit risk, auditors should examine the trading partner agreement to evaluate the enforceability of the electronically transmitted message, and the probability of bearing the legal liability if things go wrong with the transaction.

In the United States legislation is pending that places the onus on banks, financial institutions and corporations to prove the audit trail in electronic environments such as EDI. Under the legislation, EDI users are required to take reasonable security measures to protect their messages. The court will assign legal liability to the party that breaks the audit trail. It is likely that a similar law will soon find application in Canadian courts. As noted earlier, New Brunswick has already enacted legislation, and there is a proposal before the Canadian Bar Association to amend legal rules of evidence with respect to electronic documents. It may be that a client’s risk of being successfully sued will be higher as a result of failing to maintain an adequate audit trail. Accordingly, the disclosure of the risk and contingent liability in the financial statements may be necessary.

Fax

Although fax technology has been around for decades, its use skyrocketed in the 1980s. Fax is sometimes referred to as telecopy, and it is a form of electronic transmission that conforms to facsimile standards of telegraph and telephone companies. The typical fax machine scans a paper document and converts it to a digital signal that is then sent through the telephone system. The fax machine can also receive signals and print the image on a sheet of paper. The cheaper, older systems print on thermal paper that archives poorly. The newer machines print on plain paper. Faxes can be configured with computers but there is no widely available system that can store the fax as alphanumeric information just like any other computer record.

According to Wright [1991; pp. 19–20], many businesses use faxes for legal transactions, including contracts. Bidding is sometimes done by fax, orders can be made, and bills can be sent by fax.7

The major use of faxes in auditing is to obtain confirmations. However, according to a CA Magazine article, “Fax Magic” (May 1993), by D.J. Cockburn, the increasing use of fax machines to obtain confirmations results in insufficient audit evidence. The problem is that a dishonest client can easily falsify a confirmation through use of photocopies of the appropriate letterhead and signature. The faxed copy can’t distinguish between a photocopy and an original. Hence, without proof of origin, confirmations by fax cannot be held as totally reliable audit evidence.

This problem can be avoided by having the call initiated by the receiver rather than the sender. Since not all machines are equipped with this “pull” capability, the next best procedure is to call the purported sender to ensure that the confirmation received was valid. Optimally, faxed confirmations should be used as backup of interim evidence until the original confirmations are received. Many faxes (on thermal paper) tend to fade anyway so that photocopies of the fax should be filed, rather than or in addition to the original fax document.

E-mail

Electronic mail (e-mail) is the telecommunication of messages between computers. The link is usually through a special network, the most famous being the Internet. The most popular form of message is simple text and informal messages, and e-mail is rapidly replacing mail service as it requires no paper. The messages can be stored in computer memory on magnetic disk or printed on paper; however, the communication can also be made with no record of the message.

Wright [1991, p. 20] notes that traders frequently use e-mail to negotiate and conclude deals. In such applications the auditor would be concerned that at least an electronic audit trail be maintained, recording transactions in chronological order on magnetic media. Like EDI, fax and e-mail present challenges to the legal profession as to what constitutes writings and signature in electronic messaging environments. A client should create trading partner agreements with all parties with whom it has extensive electronic commercial dealings.

The Internet

The Internet is a public network allowing communication between computers. The Internet is a rapidly growing alternative to VANs and proprietary networks.8

The Internet is growing at an explosive rate, more than doubling in size every year. It promises to revolutionize the business world and turn it into electronic commerce in its broadest sense.


7 B. Wright, The Law of Electronic Commerce, Little Brown & Co., 1991.

8 Audit Implications of EDI, CICA, 1996, p. 11.

The Internet is a public communication system [that is] universally accessible and unregulated. It is a worldwide network of computers that communicate with each other over phone lines and fibre optic cables. The Internet itself is free. However access to the Internet involves some costs, either what it costs you to build your own access or the fees you pay an Internet service provider (ISP) for access.

The World Wide Web (WWW) or Web is a part of the Internet in which users can exchange graphics and video as well as the more traditional text and databases that were part of the original Internet. Users can create their own sites that other users can tap into to share data. Many users of the Web employ an ISP at a low monthly rate for unlimited access.9

The Web is at the heart of the Information Highway that is being discussed just about everywhere. The Internet already profoundly affects PAs. One of the most important ways is that it can bring vast amounts of information to the computer screen. For example, available on the Net are regulatory filings, legislative proceedings, legal information, information on client companies (provided either by the companies themselves or by stock trader information hot lines such as Motley Fool), currency exchange rates, software downloads, university research materials and professional forums for exchanging information—and this is just a few of the resources for PAs. (We have indicated useful on-line information sources for PAs in the end covers and in various chapters throughout this textbook.) To take full advantage of the Internet’s information potential, PAs need to make use of browser software such as Netscape Navigator or Internet Explorer, which allow searches on the Internet. A search engine or intelligent agent is a more intelligent piece of software that allows searches for specific information using titles or document headers, entire documents or directories. This has been made necessary because of rapid proliferation, abandonment and obsolescence of Web sites.

However, our focus here is on how the Internet affects electronic commerce. So far the most important applications have been in what are called business-to-business (B2B) transactions. This has been achieved primarily by using the Internet to replace VANs in EDI. This has further reduced the cost of processing transactions and accelerated the integration of operations and other advantages created by B2B electronic commerce. Approximately 80 percent of all electronic commerce (e-commerce) involves B2B transactions.

Although B2B e-commerce has so far shown the most growth, consumer-related transactions of various types are also becoming more common. A March 2000 issue of the Economist magazine identifies three segments of consumer oriented e-commerce: “. . . business-to-consumer (B2C), consumer-to-business (C2B), and consumer-to-consumer (C2C). The first embraces normal retail activities on the web, such as bookselling by Amazon.com or online stockbrokering by Charles Schwab. The second, as yet smaller, takes advantage of the Internet’s power to drive transactions the other way round: would-be passengers bidding for airline tickets on Priceline.com, for example, leaving the airlines to decide whether to accept these offers. The third covers the new fashion for consumers’ auctions, epitomized by the auction site eBay.com.”10

Generally, “low touch” goods such as software, tickets, financial services and any content that can be put in digital form (for example, music, film, books) and delivered over the Internet have been more successfully sold to consumers than “high touch” goods (for example, clothes, groceries, cars); although this may change over time.

Despite these developments in consumer related transactions, B2B e-commerce seems to be the dominant one in the foreseeable future. “International Data Corp. (Canada) Ltd. projects that the B2B market will grow by more than eightfold in Canada over the next four years to US$56.1-billion in 2003 from $6.6-billion in 1999. The B2C market, meanwhile, is expected to grow to $8.5-billion in 2003, from $1-billion in 1999.”11 Despite this success, there are severe problems with copyrighted goods as the box below indicates.


9 Journal of Accountancy, March 1997, p. 51.

10 The Economist, February 26, 2000, pg. 11 of survey.

11 The Globe and Mail, March 16, 2000, p. T1.


SONG TRADING PROGRAM HAS U.S. MUSIC INDUSTRY CRYING FOUL

BALTIMORE, MD.—Imagine walking into a music store, handing over a list of hundreds of your favourite songs, and leaving with all of them for free.

That’s virtually what tens of thousands of people are doing, only they go to the Internet instead of a retail outlet. What’s made it possible is Napster (www.napster.com), a song-trading program that has the U.S. music industry in an uproar over what it calls “a giant online pirate bazaar.”

The Recording Industry Association of America (RIAA) has filed a copyright infringement lawsuit against Napster’s publisher, charging that the California company has provided the ultimate burglary tool for music thieves. But so far, it has stopped hardly anyone.

Such a lawsuit is not yet possible in Canada, says Brian Robertson, president of the Canadian Recording Industry Association (CRIA). Our copyright law is outdated, he explains, and lacks the teeth to go after Internet infringement. But the issue is the record industry’s No. 1 concern, estimated to cost at least $1.5 billion worldwide in lost retail and tax revenue.

“Canada has the second-largest volume of MP3 sites in the world,” Robertson says, adding that CRIA’s anti-piracy unit has one employee whose sole job is to track down Canadian sites distributing pirated MP3 sound files.

Napster is a free Windows program available to anyone over the Internet, but its heaviest users are on university campuses, where students often enjoy high-speed Internet access in their dorm rooms. Fast connections enable Napster to download MP3s, the computer-coded music files, in as little as 10 seconds.

Anyone running Napster can enter an “on-line music community” populated at any time by thousands of other visitors. A similar program called Macster gives Apple Macintosh users entrée to the network.

Each visitor makes available five to 1,500 songs for others to download at the click of a mouse button. Ranging from Elvis to Nine Inch Nails to the Backstreet Boys, almost all the music is copyrighted, and transferring it is usually illegal.

For a sampling, as of yesterday the Napster database, with 670,000 titles, contained 104 copies of Britney Spears’ pop hit “Baby One More Time” and 124 of Celine Dion’s “That’s The Way It Is.” Dr. Dre’s 2001 album turned up 193 files, the Tragically Hip logged 82 and Sarah McLachlan 86.

But the site is not exclusive to the hit parade. Canadian jazz legend Oscar Peterson, for example, had five files linked there, while French flamenco group the Gipsy Kings had more than 70. There has even appeared to be a classical resurgence on Napster, with 166 Mozart titles among the offerings.

Threatened by the prospect of losing millions in revenue, the record industry is ready to go to war.

“We are being robbed,” says Ron Stone, president of Gold Mountain Entertainment, which represents such recording artists as Bonnie Raitt and Ziggy Marley. . . .

Napster was written last year by Shawn Fanning, a 19-year-old student at Boston’s Northeastern University. The program became an instant sensation among Internet music seekers who have found that most pirate MP3 Web sites are shut down quickly by the RIAA.

Napster has an advantage over traditional MP3 sites: Since it only provided a vehicle for others to trade files, it does not possess any copyrighted material.

Source: Mike James, “Song Trading Program,” The Toronto Star, March 10, 2000, p. D16.

A CICA study authored by G. Trites lists the following reasons for the success of e-commerce.

1. Low cost of transacting business.

2. Reach to new markets and customers.

3. Growing access to the Internet.

4. Development of sound security infrastructures.

5. Development of secure, convenient payment systems.12

Examples of the magnitude of savings possible with the Internet include the $8 cost of a traditional booking of an airline ticket versus the $1 cost of an electronic ticket direct with the airline. Another example is banking transactions: a traditional transaction through a branch bank costs about $1, whereas a transaction processed through the Internet costs about one penny.


THERE’S GOLD IN THAT THERE DATA

The situation was desperate for the National Basketball Association’s Orlando Magic. The team was down two games in a five-game playoff series against the heavily favored Miami Heat. At that time, the spring of 1997, only five teams in NBA playoff history had ever managed to capture a best-of-five series after losing the first two games. Moreover, several key injuries had played havoc with Orlando’s regular starting lineup.

Instead of working harder, it was time to work smarter. Orlando’s coaching staff turned to data mining for help.

Using an IBM data mining tool called Advanced Scout, developed specifically for the NBA, game statistics can be analyzed to detect patterns. Those in turn can suggest effective player combinations that might not otherwise be readily apparent.

In this case, the Magic’s coaching staff uncovered something startling. In the two playoff games so far, Orlando was outscored by a combined 52 points. Despite that, Orlando outscored Miami by 22 points during certain stretches when Darrell Armstrong, then a little-known backup point guard, was in play.

“When a pattern like that emerged, the coaching staff was totally taken aback,” says Inderpal Bhandari, the inventor of Advanced Scout.

“They began to understand that Darrell Armstrong was a centrepiece in that anomaly. In response, they completely changed their game plan. They gave him a lot more playing time and the starter’s playing time they cut down completely. Miami didn’t have an answer to that.”

In the third game, Armstrong had 21 points and eight assists, helping lock in an 88-75 Orlando victory.

The team went on to win game four. Although their luck ran out in game five, which they lost 91-83, they avoided a sweep and then some.

“I don’t think Miami quite figured out what exactly was happening,” says Mr. Bhandari. “Miami was clearly the superior team, but Orlando was able to stretch the series out.

“That’s data mining at its most dramatic, when you’re actually finding something which you don’t know or appreciate at all.”

Source: Greg Crone, Financial Post, December 3, 1998, p. C13.

12 G. Trites, Strategic Internet Commerce, CICA, 1999, p. 56.

An example of reaching new markets and consumers is through data mining that allows creation of customer profiles and customized marketing. “Everything can be recorded: not just every transaction, but which web pages a customer visits, how long he spends there and what banner ads he clicks on. This can produce a formidable array of data that makes possible both one-to-one marketing—directing sales pitches at particular individuals—and “mass customization”—changing product specifications, for instance for jeans or computers, to match individual orders to the individual customer’s preferences . . . The Internet could, in short, overturn much of the traditional economics of retailing.”13

Conversely, customers can use intelligent agents or navigators to find the best buys on the Internet. Such agents can also act as “infomediaries,” addressing the customer’s concerns about privacy and security. All this contributes to what Bill Gates calls “frictionless capitalism.” The box above gives a rather dramatic illustration of the power of data mining.

These advantages of e-commerce come at a cost, however. The biggest problems appear to be logistical: order fulfillment and on-time delivery problems. (See box below.) Solving these logistical problems is very costly because they may require whole new types of delivery systems. For example, it may require building warehouses and using delivery vans that are geared to delivering individual orders to people’s homes. One of the reasons Amazon.com, the most successful Internet firm in terms of market capitalization, has never shown a profit is because of huge investments (over U.S. $300 million in 1999 alone) in creating “seamless integration” between the on-line and supporting “offline” operations. Amazon, like many e-commerce pioneers, started with the more glamorous functions of Web site design and marketing. The more mundane functions of order checking and distribution were outsourced. But it turns out that the off-line functions are key to consumer driven e-marketing since, after all, the convenience of Internet shopping meant that the product had to be delivered to each consumer’s door, on time. This convenience is one of the features that gives e-commerce the edge over traditional shopping. For this reason Internet firms are forced to invest more and more on their unique logistical systems.

CONSUMERS DETAIL ON-LINE SHOPPING FRUSTRATIONS FOR E-COMMERCE STUDY

E-tailers urged to live up to promise of Internet

If you don’t think Internet retailers give you the best bang for your buck, you aren’t alone, according to a new e-commerce study.

In fact, the Boston Consulting Group Inc.’s (BCG) latest collection of data across the U.S. and Canada spells a cautionary note for vendors on the Internet: no matter how much the e-tailer promises, the experience rarely lives up to the hype.

“Surprisingly, 28 percent of all attempted online transactions have failed,” said David Pecaut, BCG’s global e-commerce leader, during a teleconference on March 7. “That’s a significant number.”

And it’s a number retailers would do well to watch. Many transactions fail due to technical problems consumers encounter on Web sites, poor selection or convoluted organization of products, or delivery problems after the sale.

“Whether they have been surfing the Web for years or they’re Net newbies, 44 percent of respondents say they still have concerns about credit-card security.

Breakdowns in the purchase process were “a major irritant” according to BCG’s research. Almost 30 percent of those who experienced problems with their online transaction stopped shopping on the Internet; 23 percent simply avoided the offending Web site, while six percent went so far as to avoid the Web vendor’s bricks-and-mortar outlets as well.

“Internet retailers have a long way to go before they make the Internet experience worthwhile,” Pecaut said.

Source: Stefan Dubowski, Canada Computes, April 2000, p. 28.

13 The Economist, February 26, 2000, p. 12.

Another costly feature of consumer-related e-commerce is the cost of advertising on the Internet. Some Internet companies have had to spend three quarters of all their capital on marketing. These costs of advertising, order filling and customized delivery are much less in B2B e-commerce.

Problems that are common to all types of Internet based e-commerce are the level of security demanded on all aspects of e-commerce, tax and regulatory issues, and legal issues. These are all important in the audit of e-commerce systems. The key security features can be summarized by the concepts of firewalls, encryption and security policies. Firewalls are defined in a CICA study as “a gateway server and a set of related computer programs and security policies that protect the resources of a private network from unauthorized outside users. An enterprise that has any kind of linkage of its internal systems with the Internet should install a firewall to prevent unauthorized intrusion from the Internet . . . a firewall is a comprehensive system of hardware, software and corporate policies. The hardware consists of a dedicated computer and various hardware devices that connect the corporate network with the Internet. . . . The corporate network can be an intranet which uses Internet protocols but has only one or more gateway computers to the Internet . . . The corporate network can also be extended to an extranet which is an intranet extended to users outside the company such as suppliers, vendors, partners, customers or other businesses.”14 Firewalls are customized to fit the organization’s policies. Firewalls, for example, can restrict browsing and other Internet capabilities to certain classes of users, or at certain times. “Ethical hacking” is the term used to describe a type of test of a firewall’s vulnerabilities and limitations from unauthorized attempts to access the system from outside, usually via the Internet.

All firewalls have certain limitations. They are prone to people problems such as individuals who lose or forget their passwords, or who give their password to outsiders. In addition, since firewalls cannot protect an internal network from viruses, users need to be educated to scan all diskettes, freeware and other external files with virus-scanning software.

Encryption has already been introduced within the context of EDI. Encryption is critical for preserving the integrity of an e-commerce system, and helps form the legal basis for digital signatures. Encryption is the conversion of data to make it unreadable except through use of a key (“scrambled” data). “Two keys may be reversible in the sense that either can be used to encrypt a message and the other could be used to decrypt a message to make it readable again (“unscramble” the data). By allowing one key to be public and keeping the other private, a sender S could transmit a message to receiver R under S’s private key, and R could then decrypt the message under S’s public key. Security efforts therefore focus only on private key that does not have to be distributed.”15 Also under this increasingly popular encryption system, R can authenticate that S is the unique sender by determining that the message was encrypted using S’s private key. As we will see, effective authentication of transactions is very important for legal purposes.

Encryption, however, involves specialized software that gets more complex the greater the need to prevent “cracking” or breaking the code by unauthorized outsiders using their own deciphering software. For example, an encryption system based on 1024 bits (128 possible characters) is twice as hard to break as a 512-bit system. The logic behind encryption systems is to create a mathematical problem that’s impossible, or virtually impossible, to solve with today’s computers unless the key is known. However, this security comes at a cost. Software-based encryption slows down the entire transaction processing because nothing else can be accomplished while the e-commerce system is encrypting or decrypting. For example, the current, standard, 64-bit encryption system in business use requires passing through 16 rounds of encipherment. This slowdown in processing combined with a high volume of transactions requires that software encryption keys be relatively short, of fixed length and capable of repeated use.

14 G. Trites, Strategic Internet Commerce, CICA, 1999, p. 156.

15 R. Weber, Computer Auditing, (Prentice-Hall, 1999), p. 375.

The alternative to software encryption is hardware-based systems in which encryption and decryption is offloaded to special machines while the client’s server handles the rest of the application processing. This is the increasingly common way to make the encryption code harder to break yet not reduce processing speed. “If you don’t have access to the hardware, you can’t hack into it. If you can’t hack into it, you can’t break the code. It’s inexpensive insurance that pays for itself.”16 For this reason, hardware encryption is the solution of choice for all important transactions such as fund transfers, payment systems and stock market trades.

Encryption is a key tool for implementing authentication. This is an important legal issue for the enforcement of e-commerce contracts. There are three main types of authentication information: (1) remembered information such as passwords or PIN numbers; (2) possessed objects such as badges or plastic cards; and (3) personal characteristics such as fingerprint, voiceprint or retinal pattern. The most common types are 1 and 2, with 3 being the most foolproof but also the most costly. Nevertheless, authentication based on personal characteristics is likely to result in the best authentication because it is based on unique characteristics of an individual, which are impossible to forge.

An important way to achieve the three types of authentication information is through useof digital signatures.

Digital signatures use algorithms to distort or alter the data in a specific way before transmissions are encrypted. Recipients can verify the identity at the other end by examining the specific way the data have been altered . . . A Public Key Infrastructure (PKI) system for the management of the creation and distribution of public/private key pairs, and the publishing of public keys with the user’s identification as “certificates” need to be set up for effective digital signatures. PKI regulation is an area where governments will likely play an increasingly active role . . . One financial institution that issues both digital signatures and certificates is mbanx. “They’ve really turned on e-commerce,” says Colin Henderson, Senior Manager, Marketing.

The mbanx certificates are 1024-bit encrypted, an amazing level of coding. Not only are the bank’s electronic messages and signatures encrypted, but the electronic envelopes that surround them are, too. This allows the bank to determine whether the message was received, tampered with en route or tampered with at the recipient’s end. “It’s like registered mail gone crazy,” Mr. Henderson says.17
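The following Python is an added illustration of the scheme described in the Weber quotation above (sender S signs under S’s private key, receiver R checks under S’s public key) and of the tamper detection the mbanx passage describes; it is not code from the textbook, from Weber or from mbanx. It assumes a textbook RSA key pair built from two fixed primes chosen for illustration (a real key pair uses randomly generated primes giving a 1024-bit or larger modulus) and a constructed sample EDI-style purchase order as the message.

```python
import hashlib
from math import gcd

# Two fixed primes chosen for illustration only (assumption, not a real key).
P = 1000000007
Q = 998244353


def generate_keypair(p=P, q=Q, e=65537):
    """Return ((n, e), (n, d)): S's public key and S's private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("public exponent must be coprime to phi(n)")
    d = pow(e, -1, phi)  # private exponent: e * d == 1 (mod phi)
    return (n, e), (n, d)


def apply_key(value, key):
    """Raise value to the key's exponent modulo n.

    Because d and e are inverses modulo phi(n), applying one key undoes the
    other: this is the "reversible" property the quotation describes.
    """
    n, exponent = key
    return pow(value, exponent, n)


def message_digest(message, n):
    """Fixed-length fingerprint of the message, reduced into the modulus.

    The reduction mod n is only needed because the illustrative modulus is
    far smaller than a SHA-256 digest.
    """
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return digest % n


def sign(message, private_key):
    """S transmits the digest under S's private key: the digital signature."""
    n, _ = private_key
    return apply_key(message_digest(message, n), private_key)


def verify(message, signature, public_key):
    """R recovers the digest under S's public key and compares it with a
    freshly computed digest of what was received.

    A match authenticates S as the unique sender (only S's private key
    produces a value that S's public key reverses) and shows the message was
    not tampered with en route.
    """
    n, _ = public_key
    return apply_key(signature, public_key) == message_digest(message, n)


if __name__ == "__main__":
    public_s, private_s = generate_keypair()
    # Constructed sample message in the style of an EDI purchase order.
    order = b"PO 1001: 500 units of part A-17, deliver 2000-04-30"
    signature = sign(order, private_s)
    print("signature verifies:", verify(order, signature, public_s))
    altered = order.replace(b"500", b"5000")
    print("altered order rejected:", not verify(altered, signature, public_s))
```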

Taxation and Other Regulatory Issues of E-Commerce

One of the reasons for the explosive growth of e-commerce is the preferential treatment Internet transactions get over off-line transactions. Generally, Internet purchases are exempted from sales taxes so long as the seller has no physical presence in the tax jurisdiction. This, of course, has brought an outcry from physical retailers in the tax jurisdictions, and this controversy will only increase as e-commerce grows. Physical retailers, that is, those maintaining a bricks and mortar presence in a jurisdiction, will rightfully argue that the tax system subsidizes e-commerce and that as e-commerce grows, the sales tax base will suffer along with the physical retailers. It’s estimated that already in 1999 $170 million in tax revenues was lost by U.S. states due to Internet sales. This will obviously become a major factor influencing the future growth of the Internet. See the box below for additional details.

The tax issue will take on even more significance as e-commerce goes global. For example, the value added tax (VAT), which is closely related to North American sales taxes, accounts for up to 40% of Europe’s tax revenues. It’s unlikely that goods and services sold


16 The Globe and Mail, November 10, 1998, p. C9.

17 The Globe and Mail, November 10, 1998, p. C12.


INTERNET BLURS TAX BOUNDARIES

The explosive growth of electronic commerce conducted over the Internet has sent tax authorities around the world back to the drawing board. Their objective is to determine whether the existing tax rules, most of which were written decades ago, are flexible enough to handle this new means of conducting business or whether new regulations are needed.

While the Finance Department recently began a review of the issues, its U.S. coun-terpart, the U.S. Treasury Department, issued a detailed discussion paper on elec-tronic commerce last November. The document suggests taxation remain neutral, andthat no additional taxes be created that would impede the growth of electronic com-merce. But it seeks to ensure that companies conducting business over the Internetdo not avoid taxation and gain a fiscal advantage over existing channels of commerce.

Many companies use the Internet as a global advertising medium by setting up ahome page to display their products or services. Prospective customers around theworld can view these products and place an order. The product is shipped to the cus-tomer using conventional means.

The technology drastically reduces the cost of participating in global markets andhas allowed many companies—especially those selling consumer goods—to signif-icantly expand their sales territories.

From a taxation perspective, this type of activity should not create any additionalcomplexities, since the advertising could be viewed as analogous to advertising in anewspaper or magazine. Furthermore, it should not be relevant where the Internetserver happens to be located, if all it is being used for is to display and describe prod-ucts and services.

However, issues can arise when products or services are transmitted electronically,such as software, music, videos or online publications. Customers can download theproduct from anywhere in the world, eliminating the need for a worldwide networkof sales offices or warehouses. It is this type of activity that has created a problemfor tax authorities because it effectively eliminates national borders and blurs thesource and characterization of income.

What further complicates matters is that Internet servers can be located anywhere inthe world. For example, a Canadian software company can be selling electronically intothe U.S. market by using a server located there, or perhaps even in a third country.

The U.S. taxes companies earning income that is “effectively connected with a U.S.trade or business” and also taxes other U.S. source income, such as royalties. However,the Canada–U.S. tax treaty limits the U.S.’s right to tax Canadian-based businesses toincome earned through a permanent establishment in the U.S. A permanent establish-ment is traditionally thought of as a physical facility such as an office or a plant.

With electronic commerce, the question arises as to whether, for example, anInternet server located in the U.S. would constitute a permanent establishment orsimply a warehouse, which generally would not constitute a permanent establishmentunder the Canada–U.S. tax treaty. The Treasury Department paper suggests it is pos-sible that no permanent establishment exists if the activities are limited to a serverbeing maintained in the U.S . . .

The application of other taxes—including sales taxes, customs, duties and provin-cial and state income taxes—to Internet users also requires review . . .

The questions surrounding who has the right to tax what may shift the emphasisfrom the traditional concept of source-based taxation—levying tax on income in thejurisdiction where it is earned—to that of residence-based taxation, or taxing wherethe seller is based. This may also create a range of tax-planning opportunities.

Source: By David Leslie, FCA, and Charles Chaho, CA, CPA, Ernst & Young. Full text of this article first appearedin The Financial Post, May 27, 1997.


LEGAL WHIRLWIND OVER WEB SALES

“For many people, e-commerce has raised a great deal of uncertainty,” says Theo Ling, an associate at the Toronto law firm of Baker & McKenzie. Mr. Ling is one of the firm’s young e-commerce legal whizzes, sitting on the Special Task Force on Electronic Commerce created by the Uniform Law Conference of Canada. As such, he’s right in the centre of the legal whirlwind.

“Paper has its own uniqueness,” Mr. Ling says. “You can prove a person who signs a piece of paper is who he says he is. Not so with anything electronic; it’s just a series of bits and bytes. You can’t have any confidence in any form of electronic commerce unless there’s some sort of security system overlying it.”

This idiosyncrasy—the lack of those pieces of paper and verifiable signatures so beloved by lawyers—has created five basic legal issues, according to Mr. Ling, and they’re issues that have to be resolved before any mass confidence in doing business electronically is possible. They are:

• Authentication: How can you be sure the document or message is coming from the person or corporation you think?

• Integrity: How can you be sure a third party hasn’t altered the information or wording?

• Non-repudiation: How can you be sure the sender won’t be able to claim he didn’t send all or part of the electronic transmission?

• Confidentiality: How can you be sure someone isn’t monitoring the transmission illegally?

• Enforceability: How can you be sure an electronic agreement or contract will stand up in court? This is the big legal issue.

The first four issues seem to be resolving themselves fairly quickly through a combination of encryption devices—both software and hardware—and digital signatures, he says. The enforceability issue, however, remains a legal question mark, although many lawyers are coming down on the yes side.

The final issue—the big issue—is enforceability. There are three basic tests for the validity of a contract, learned by every lawyer in first-year contract law, Mr. Ling says. They are: Is there an offer? Is there an acceptance? Is there a consideration? The question is, do these tests apply to simple Internet contracts?

“You buy something on the Internet and a screen pops up setting out the terms and conditions of the sale,” Mr. Ling explains. “Then there’s a statement that says ‘I accept’ or ‘I agree.’ Now, does clicking on ‘I agree’ constitute a contract? There’s no paper document, no signature.”

Mr. Ling’s view is that it does constitute a contract, signature or not. The best analogy he can draw is parking your car in a commercial parking lot. On the back of your ticket is printed the terms and conditions for use of that spot. That’s a binding contract, recognized by the courts. You haven’t signed anything, but by the simple act of parking your car and accepting the ticket, you’re legally bound.

Mr. Ling sits on the Special Task Force on Electronic Commerce, which is assessing the need for new legislation. It’s part of an overall look at ways to harmonize federal and provincial laws being undertaken by the Uniform Law Conference of Canada. The Organization for Economic Co-operation and Development is also looking into the matter.

“What we’re trying to do is create laws that are technology neutral; laws that apply to paper and electronic both.”

Source: The Globe and Mail, November 10, 1998, p. C12.

over the Internet will be allowed to avoid such important taxes indefinitely. Increasingly, the principle is evolving (as agreed to by the U.S. and Canada in 1999) that “tax should be levied on goods sold electronically, at the rate prevailing in the country where the consumer is based.”18

In addition to tax, other issues that will affect global e-commerce are different national regulations concerning advertising through the Internet, and regulations protecting data and privacy. For example, “. . . The European Union (EU) has adopted a directive that, if implemented, would prevent the transfer of data about consumers to third countries where the level of data protection is, in the EU’s terms, ‘inadequate.’ Because American data protection is non-statutory and there is no government data-protection office, it is regarded as inadequate by definition.”19

Interestingly, the Canadian government passed legislation late in 1999, Bill C54, that in three years will cover all commercial activities in the public and private sectors, and all cross-border flows of commerce. This Bill was specifically designed to provide the data protection required by the EU Directorate to allow transfer of business data between Canada and Europe, and therefore facilitate Canadian–European e-commerce.

Legal Issues of E-Commerce

In addition to the regulatory tax issues, there are some fundamental legal issues related to e-commerce. The legal profession is trying to create new harmonized federal and provincial laws that are technologically neutral. That is, laws that apply to paper and electronic media both. The issues are summarized in the boxes on page 38 and below.


18 The Economist, February 26, 2000, p. 53.
19 Ibid.

LAW PLAYING CATCH-UP WITH INTERNET

A digital signature should not be confused with a digitized handwritten signature [Ms. Perdue said].

A “digitized signed” document is one transmitted using public and private key encryption codes, which enable the recipient to verify the authenticity and integrity of the contents.

If such a document is tampered with in transmission the message will be received as gibberish.

A number of U.S. states now have digital signature legislation pending, and the U.N. Committee on International Trade Law is currently drafting model legislation on the subject.

Another growing area of concern is jurisdiction: Does a Web site confer jurisdiction everywhere?

“It depends,” [said Ms. Perdue]. In the U.S. decisions have tended to come down in favour of exercising jurisdiction over foreign Web sites, she said.

One of the biggest problems faced by business is the “wild west mentality” inherent in the Net, she added. “There are a lot of individuals with no respect for authority” who do not want to see the Net regulated, she explained.

Source: M. Conrod, The Lawyer’s Weekly, April 25, 1997, p. 9. Reprinted with permission.

INTERNET-BASED AND CONTINUOUS FINANCIAL REPORTING

E-commerce and technology are also affecting the financial reporting function in a revolutionary way. A growing number of companies are putting financial statements on their Internet sites. Moreover the information being provided is increasingly going well beyond traditional financial statements to include non-financial and other information to understand the business. In addition to financial reporting, technology is now being used to distribute information on reports to regulators and discussions with analysts. The technology also allows easy access to selected company internal data, distribution of CD-disks, distribution of video tapes and access to e-mail and chat sites. All these new capabilities are raising fundamental questions about the changing role of financial reporting in society.20

There are some novel issues brought on by the new information technology, including issues of boundaries of on-line reports, jurisdictions of standard setting when users are global and the media of reporting are websites on the Internet, and the multimedia effects of Internet reporting.

The boundaries issue refers to the fact that Web site reporting on the Internet can involve use of hyperlinks to other Web sites, such as independent analysts’ reports on client or industry sites. The problem then arises of blurring annual report information with other information, and the accuracy and security of the financial information on the client’s and the linked Web site. Note, in the past there was no boundary problem because the traditional hard-copy annual report created a tangible, physical boundary. There were no difficulties about deciding where the report began or ended, or in the sequencing of the report. This is not the case with Internet reporting using hyperlinks, however.

There are several ways of addressing the boundaries problem. They include some assurance seal displayed on the Web site (to be discussed later in this chapter), development of new guidelines on when hyperlinks are allowed and what kind of information could be linked to the financial statements and the creation of electronic signposts or other markers indicating the boundaries of financial reporting.

“Electronic signposts are simply screen displays that tell users when they are about to leave the established boundaries of the information they are viewing, or when they are leaving the home server. It has also been suggested that background colour and distinctive boundaries could be used to identify a document and assist users in determining when a document has been left. A similar approach can be used for audited versus unaudited information.”21

The use of multimedia (video clips, slide shows) on Web sites is also creating new reporting problems. Multimedia can be used to present more meaningful information yet at the same time, like graphics in general, they can be used to distort the facts. “Consider, for example, a situation where an executive is describing the steps his logging company has taken to preserve the forests it cuts. Suppose also that the company engages in clear-cutting with minimal use of reforestation. The executive may be providing a general summary of the policies of the company. At the same time, the video might be scanning scenes of pristine forests that have never been touched by loggers. The impression might be left for the viewers that the forest is one that has been restored by the company (without the executive having said so). Further study is needed in this area.”22

Finally, international Web site access brings to the forefront the need for more harmonized international accounting standards in Web site reporting. In particular, a new qualitative concept of accounting information is coming to the fore: that of responsiveness. “Responsiveness means that the business information directly relevant to the need of the moment must be released in time to have an efficient impact on the decisions that need to be made. Accordingly, responsiveness embodies both relevance and timeliness, as redefined (i.e., weekly or shorter) . . . It seems, moreover, that the reporting system must allow for the production of increased information about the current values of various assets, including those not presently given much recognition in the financial statements, such as intellectual or knowledge-based assets.”23 The concept of responsiveness is thus an important new accounting concept raised by e-commerce in the information technology age.

20 G. Trites, The Impact of Technology on Financial and Business Reporting, CICA, 1999, pp. 1–2.
21 Ibid, p. 22.
22 Ibid, p. 38.

The CICA Research Study summarizes the impact of e-commerce and information technology on accounting as follows.

• There is a move away from the old concept of periodicity to a more flexible concept of continuous reporting on a basis closer to real-time reporting. This has implications for the meaning of timeliness and, less directly, of relevance.

• There is a move towards using more complex technology on a real-time basis that has an effect on reliability.

• There is an increasing realization that users are becoming more involved in the design of reports, by drawing down data and creating their own reports.

• Reporting is moving beyond financial measures to include non-financial measures. Balanced scorecard, value reporting and the Jenkins model are all variations on this shift.

• The traditional model was static and unilateral. The new model will be dynamic and interactive.

• There is a move towards measurement of value creation, a more comprehensive concept than income measurement, to supplant traditional financial reporting.

• There is a trend towards increased integration of concepts of internal reporting with external reporting.24

INTERNET-BASED AND CONTINUOUS AUDITING

A CICA research report attempts to begin the process of addressing the issues associated with providing audit level assurance on Internet-based and continuous reporting.25 The research report is based on the following definition: A continuous audit is a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.26

The research report then provides a framework using the above definition, identifying the subject matter that could be reported on, identifying the timing of release of continuous audit reports and identifying the conditions necessary for a continuous audit. This section outlines these and other issues associated with implementing continuous audits. These issues are summarized in Exhibit 21–7.

The CICA research report identifies many examples of subject matters of continuous audits. These can be summarized as follows. “Unlike the traditional financial statement audit, the continuous audit could focus on any type of information relevant to decision making. Such information could relate, for example, to the authenticity, integrity and non-repudiation of economic commerce transactions, the effective operation of controls over a publicly accessible database or to various non-financial measures of an entity’s performance.”27

The timing of release of continuous audits is significantly shorter than traditional financial reporting (annually, quarterly, monthly). The CICA contemplates continuous auditing as including weekly, daily or real time (immediate) reporting. In immediate reporting there is “virtually no delay between occurrence of events underlying the subject matter . . . and the auditor’s report on it.”28

23 Ibid, pp. 78–79.
24 Ibid, p. 78.
25 Continuous Auditing, CICA, 1999.
26 Ibid, p. 5.
27 G. Shields, “Non-stop auditing,” CAmagazine, September 1998, p. 39.

Chapter 2 of the CICA research report identifies the conditions necessary for an effective continuous audit as follows.

1. The subject matter has suitable characteristics. The suitability varies depending on whether the data is “hard” and routine (e.g., quantities, prices), “hard” and non-routine (e.g., changes in credit limits for customers), and “soft” (e.g., estimates of the allowance for doubtful accounts). Generally, routine hard data are easily handled by automation and continuous auditing, whereas soft data is more difficult to audit continuously.

2. The systems providing the subject matter are reliable. That is, the system will continue to function effectively over a given period of time and under specified conditions.

3. Highly automated audit procedures can provide most of the audit evidence.

4. There is a reliable means of obtaining the results of audit procedures on a timely basis.

5. It is possible to make auditor reports available on a timely basis.

6. The auditor must be highly proficient in information technology and the audited subject matter.29

Generally, the more immediate the audit report the more the auditor needs to rely on controls, automated audit procedures such as embedded audit modules and knowledge of the client’s business. The most important controls are the general preventive controls. The knowledge of the business required is similar to that required in VFM audits and SSA audit approaches.

EXHIBIT 21–7 INFORMATION AND AUDIT FLOWS

[Figure: two parallel flows. Process for Developing and Reporting of Continuous Information: continuous occurrence of transactions & other events (routine hard data, non-routine hard data, soft data) → continuous conversion of data into information, through use of management’s systems, processes & controls → information made continuously available to external stakeholders for use in making decisions about an entity (continuous use of information). Continuous Audit: continuous auditing procedures applied to (a) financial and non-financial information used directly for decision-making, and/or (b) information on the effectiveness of controls used in producing decision-making information → continuous auditors’ reports providing timely assurance regarding the fairness of information.]

Source: Continuous Auditing, CICA, 1999, Figure 2.2, p. 9.

28 Continuous Auditing, CICA, 1999, pp. 10–11.
29 Ibid., Chapter 2.

Other important issues for continuous audit engagements are the more traditional ones of applying the audit risk model and specifying materiality for continuous audit engagements. These are especially important in immediate audit reporting that require reliance on automated procedures such as “alarm triggers . . . to warn of situations where the number of errors detected over a given time period exceeds a pre-determined acceptable maximum . . .”30 As noted in Chapter 20, use of DUS facilitates this type of continuous monitoring and there is no need to use different concepts of audit risk or materiality in continuous audit engagements, so long as these engagements are intended to be consistent with the traditional financial statement audit. This is likely to be the case in many continuous reporting engagements since, as noted in the preceding section, the most important difference between continuous and traditional financial reporting seems to be the responsiveness dimension.

An especially important issue in continuous auditing is the potential compromising of auditor independence raised by the need to more highly integrate continuous audit tools with the client’s systems. “Because the audit tools would be embedded in systems over which management has effective control, there would be a possibility that the modules could be modified without the auditor’s knowledge. This possibility could exist even if the auditors were to completely control the design and implementation of the modules.”31 Ways to get around such potential independence problems include more extensive use of encryption techniques by the auditor, and reliance on general, preventive controls such as the client’s internal auditors (assuming that the internal auditors are sufficiently competent and independent of management).

In the next section we deal with specific types of continuous audit engagements that are currently evolving to satisfy the needs of e-commerce.

ASSURANCE ENGAGEMENTS FOR E-COMMERCE

In response to the new user needs created by Internet-based and continuous reporting, the CICA has developed not only research studies but also begun setting guidelines for assurance engagements to meet those needs. There are three sets of guidelines in various stages of development: WebTrust, SysTrust and ISP Trust.

WebTrust

The first guideline, that of WebTrust, was created jointly with the AICPA in September 1997. The purpose of WebTrust is to provide assurance to users of websites that they can trust a company for on-line transactions, and that their expectations in dealing with the site are met. Such expectations can include security and privacy protection and that the stated terms and conditions of the on-line sales are met.

Companies that meet the WebTrust criteria can, in turn, post a protected “seal” on their web sites to demonstrate that they’ve passed the test. CA WebTrust isn’t about guaranteeing products ordered online; rather, it’s a means of assuring consumers that a commercial site on the World Wide Web will actually deliver on its promises.32

The criteria a client must pass can include all aspects of the seamless integration required of e-commerce as discussed earlier. Hence, the auditor will need to check for physical and electronic access to its Web site server, including encryption methods, and review the company’s business practices such as delivery and return policies and success in addressing consumer complaints. WebTrust must comply with Section 5900 of the CICA Handbook, which sets out the criteria for issuance on controls as of a point in time or over a given time period.

30 Ibid., p. 32.
31 Ibid., p. 57.
32 J. Lorinc, “Rest Assured,” CAmagazine, Jan/Feb 1998, p. 17.

According to the CICA Web site, the CA WebTrust criteria encompass three broad principles:

1. Business Practices Disclosures: The entity discloses how it does business with its electronic commerce customers.

2. Transaction Integrity: The entity (Web site operator) maintains effective controls and practices to ensure that customers’ orders placed using electronic commerce are completed and billed as agreed.

3. Information Protection: The entity maintains effective controls and practices to ensure that private customer information is protected from uses not related to the entity’s business.33

Also according to the CICA Web site, the client’s management will make representations or assertions similar to the following:

• Disclosed its business practices for electronic commerce transactions and executed transactions in accordance with its disclosed business practices.

• Maintained effective controls to provide reasonable assurance that customers’ transactions using electronic commerce were completed and billed as agreed.

• Maintained effective controls to provide reasonable assurance that private customer information obtained as a result of electronic commerce was protected from uses not related to ABC’s business.34


Customers are wary because many questions remain unanswered about online stores, such as the following:

• Is this a real company? (The authentication problem.)

• Is this a trustworthy company? (The reputation problem.)

• If I send credit card or bank information, is it safe? (The payment problem.)

• If I provide information to a company on its Web site, where will the information end up? (The privacy problem.)

• If I place an order, will I receive what I asked for?

• Will I receive delivery when promised?

• Will any problems I have be resolved quickly?

• Is the money-back guarantee honoured?

• How soon will I get credit for returned items?

• How quickly will the company perform service on warranty items?

• Will the company be able to send me necessary replacement parts quickly?

CPAs, by virtue of education and experience, are in an excellent position to provide assurance to consumers on these questions and thus remove some of the obstacles hindering further growth of Internet commerce.

Source: G.L. Gray and R. Debreceny, “Electronic Frontier,” Journal of Accountancy, May 1988, pp. 32–33.

33 G. Trites, Strategic Internet Commerce, CICA, 1999, p. 124.
34 G. Trites, Strategic Internet Commerce, CICA, 1999, p. 124.

The practitioner will then perform tests of these representations under AICPA or CICA professional standards and provide a professional opinion to add credibility to the representations of management.

A WebTrust engagement normally starts out by having the company fill out a “self-assessment” questionnaire, detailing its systems. Then the auditor tests for compliance with the three general WebTrust principles noted above. If the WebTrust criteria are met the company can display the WebTrust logo on its Web site. However, WebTrust requires that a site be recertified at least every 90 days in order to retain the logo. Thus WebTrust is a type of logo service. “The logo offers reassurance to concerned buyers that the seller meets the standards established by a trusted third party. Typically, the logo itself is tamper-resistant and is linked to the assurance provider’s site, where the user can go to find out more detailed information about the meaning and scope of the logo service.”35

However, there are several other logo services competing with WebTrust, including a logo provided by the Better Business Bureau, BBBOnLine, and the TRUSTe logo which addresses primarily privacy issues. WebTrust is the most comprehensive service and relies much less on self reporting. The boxes below provide first a description of the logo service used by WebTrust along with a box illustrating a WebTrust case study and an illustration of a WebTrust seal.


WEBTRUST: A NEW APPROACH TO E-COMMERCE

The movie Casablanca revolves around stolen “letters of transit,” which allow the bearer to cross borders. People with the proper papers can escape to the United States; those without them get shot. A half-century later, with European borders coming down, these issues may appear to belong to the past.

But the Internet has revived the need for letters of transit. Since 1995, VeriSign has provided digital certificates, the Internet equivalent of a passport. Such online “papers” can authenticate the identity of a given company, verify an e-mail message has not been corrupted and ensure privacy. Last year, VeriSign certificates became a key part of the AICPA’s first new assurance service, CPA WebTrust. Provided exclusively by CPAs (and chartered accountants in Canada), the WebTrust logo service merges the traditional attestation engagement with new technology.

For example, to earn the WebTrust logo a company must disclose and follow its business practices for online transactions and maintain effective controls to ensure proper fulfillment and billing of orders. The CPA also has to confirm that the company has a physical location. The VeriSign certificate is the security portion of the engagement: Consumers click on the logo to call up a certificate. They can view online WebTrust papers issued by a CPA and proceed to VeriSign’s site, which maintains a secured list of all WebTrust companies as well as a digital certificate online.

The technologically curious should feel free to go to VeriSign’s site to read the company’s lengthy technical descriptions of the different kinds of certificates and what they do. For everyone else, it’s enough to note that WebTrust, like every financial statement audit, has a CPA behind it. Everett C. Johnson, Deloitte & Touche partner and chairman of the Institute’s electronic task force, summarized the importance of WebTrust: It provides assurance on privacy and security along with assurance on sound business, something CPAs have been doing for over a century.

Source: G. Gray and R. Debreceny, “Electronic Frontier,” Journal of Accountancy, May 1998, p. 38.

35 G. Gray and R. Debreceny, “Electronic Frontier,” Journal of Accountancy, May 1998, p. 33.


CASE STUDY:Dollars, Marks and Beer

Money makes the world go around, as the song goes, and today the Internet makesmoney go around the world. Sonnet Financial has gone into the business of sellingmoney over the Web—all over the world—quickly, cheaply and securely. If you haveto purchase $100,000 in supplies in Paris tomorrow, Sonnet will convert the dollarsto francs. All you need is a modem.

Sonnet, founded in 1992 to provide discount currency exchanges for companies,introduced a new product this year called FXWeb (www.sonnet-financial.com). Nonew software is necessary. Once you sign up with Sonnet, you can enter a password-protected page and set up one or more source accounts—such as your company’sbank account in New York—and destination accounts—such as a parts supplier inTokyo or your company’s branch office in Oslo. You type in the amount and the typeof currency and hit “OK.” You’re done. FXWeb follows up with an online confirma-tion and organizes all your transactions in to a report you can download into a gen-eral ledger or spreadsheet program.

Sonnet is not a credit company—its clients must send the actual transaction fundsthe same day—and it does not speculate in the currency markets. Its business isorganizing the transactions and it makes its money entirely from fees it charges itscustomers. “Think of us as the air traffic controllers of currency exchange,” saidSonnet Senior Vice-President Daniel A. Carmel.

Hassle-Free Environment

The Internet gives Sonnet and its small to midsize business clients several advantagesover banks. The first is cost: Sonnet’s online system can easily gather all the dollar-to-yen transactions, for example, and combine them in one transaction. This givessmaller companies the same favourable transaction rates as the world’s largest cor-porations. Companies don’t have to worry if their banks can’t handle certain inter-national transactions or waste time shopping around for a better rate: Sonnet workswith 25 U.S. banks to negotiate the best rate for a given transaction.

Customers don’t have to keep banker’s hours. “We have a client who buys beer wholesale in Germany for export to Canada,” said Carmel. “At the end of the day, he plugs his laptop into a jack in his hotel room and posts all his transfers.” Sonnet performs the transfers three times a day and charges fixed fees ranging from $40 to $150, depending on the size of the transaction.

Security

Sonnet relies on a VeriSign digital certificate to ensure security of transactions. (VeriSign is the security arm of CPA WebTrust.) Currently, it uses 40-bit encryption technology, although it expects to go to the even more secure 128-bit technology in the near future. (Each bit doubles the encoding power.) Sonnet’s site allows customers to set up a double log-in process so no one person in the company can make a transaction solely on his or her own authority. A CEO or CFO, for example, can have a high-level supervisory log-in password to administer other employees’ authority. “If someone quits—or is fired—it takes just minutes to cancel that employee’s log-in authority,” said Carmel.

For the small business people who want their piece of the global market, the Internet is simplifying the business of doing business.

Source: G. Gray and R. Debreceny, “Electronic Frontier,” Journal of Accountancy, May 1998, p. 36.

SysTrust

SysTrust is the latest e-commerce assurance guidance offered jointly by the CICA and the AICPA. SysTrust is based on the assurance standards of Section 5025 and thus has defined explicit suitable criteria for assessing the reliability of all types of systems. A “system” is an infrastructure of hardware, software, people, procedures and data that—together in a business context—produces information. “A system may be as simple as a personal computer. Or it may be as complex as a multiapplication, multicomputer banking system accessed by virtually an unlimited number of users inside and outside the entity.”36 The reasons for creating the SysTrust service are set out in the boxes on page 48.

The three categories listed above are quite broad and can be further refined into 58 criteria for internal controls that are needed to provide reasonable assurance that a system is reliable. The CICA’s Web site www.cica.ca provides additional details on SysTrust principles and criteria. The SysTrust engagement essentially provides assurance that the controls for meeting the criteria are effective.

Important features of the SysTrust framework are that it is derived from the Section 5025 concept, it is a general use report and it is not restricted to controls on financial statement assertions. SysTrust is broader than WebTrust in that WebTrust is restricted to Internet-based systems. Also, SysTrust reports can be qualified, but WebTrust reports cannot.

An example of an unqualified SysTrust report is given in the box on page 49.

CHAPTER 21 Audit of Advanced Systems and Electronic Commerce 47

WEBTRUST

© Copyright 1998–2000 E*TRADE Securities, Inc. and VERSUS Brokerage Services Inc. http://www.canada.etrade.com/webtrust/main.shtml

36 E. Boritz, E. Mackler and D. McPhie, “Reporting on Systems Reliability,” Journal of Accountancy, November 1999, p. 79.

48 PART V Specialized Topics

RELIABILITY WHERE IT COUNTS

What are the forces driving the need for assurance on system reliability? Entities increasingly depend on information systems to deliver their services to customers and to manage their internal processes. And they increasingly rely on their business partners’ systems as well. The task force on systems reliability examined how such assurance might benefit the internal and external stakeholders of entities engaged in information-based commercial activity, and came up with the following possibilities:

• Systems users could gain assurance about the reliability of the systems they use in e-commerce or for which they pay user fees.

• Outsourcing service providers, system integrators and system vendors could provide assurance about the reliability of their systems and services.

• System builders and consultants could use the principles and criteria underlying such assurance as a framework in the design of reliable systems.

• Management and boards of directors could ascertain whether internal systems are subject to appropriate controls, and use this assurance in the marketplace.

• Internal auditors and system owners could also rely on the principles and criteria of such assurance.

Source: E. Boritz, D. McPhie and B. Walker, “In systems we trust,” CAmagazine, March 2000, p. 48.

A reliable system is one that operates without material error, fault or failure during a specified time in a specified environment. The four essential principles underlying such systems are

1. Availability. The system is available for operation and use at times set forth in service agreements.

2. Security. The system is protected against unauthorized physical and logical access. (Logical access is the ability to read or manipulate data through remote access.)

3. Integrity. System processing is complete, accurate, timely and in accordance with the entity’s transaction approval and output distribution policy.

4. Maintainability. The system can be updated in a manner that provides continuous availability, security and integrity.

For each principle, criteria enable a practitioner to determine if an entity’s system met it. The criteria are organized into three categories:

1. Communications. The entity has defined and communicated performance objectives, policies and standards for system availability, security, integrity and maintainability.

2. Procedures. The entity uses procedures, people, software, data and infrastructure to achieve system availability, security, integrity and maintainability objectives in accordance with established policies and standards.

3. Monitoring. The entity monitors the system and takes action to achieve compliance with system availability, security, integrity and maintainability objectives, policies and standards.

A system must satisfy all of the SysTrust criteria to be deemed reliable. To obtain evidence that criteria have been met, a practitioner examines the controls related to the criteria.

Source: E. Boritz, E. Mackler and D. McPhie, “Reporting on Systems Reliability,” Journal of Accountancy, November 1999, p. 81.


INDEPENDENT ACCOUNTANT’S REPORT*

We have examined the accompanying assertion by the management of ABC Corp. that it maintained effective controls over the Financial Services System to provide reasonable assurance that—

• The system was available for operation and use at times set forth in service-level statements or agreements. (Availability)

• The system was protected against unauthorized physical and logical access. (Security)

• The system processing was complete, accurate, timely and authorized. (Integrity)

• The system could be updated when required in a manner that continues to provide for system availability, security and integrity. (Maintainability)

during the period Month X, 200X, to Month XX, 200X, based on the SysTrust principles and criteria established by the American Institute of CPAs and the Canadian Institute of Chartered Accountants. This assertion is the responsibility of the management of ABC Corp. Our responsibility is to express an opinion on the aforementioned assertion based on our examination.

Additional information about the AICPA/CICA SysTrust principles and criteria may be obtained from the AICPA Web site, www.aicpa.org. Management’s summarized description of the aspects of the financial services system covered by this report is presented in the accompanying description of ABC Corp.’s financial services system.

Our examination was conducted in accordance with attestation standards established by the American Institute of CPAs and, accordingly, included examining on a test basis evidence supporting management’s assertion and performing such other procedures as we considered necessary in the circumstances. We believe that our examination provides a reasonable basis for our opinion.

Because of the inherent limitations of controls, errors or fraud may occur and not be detected. Furthermore, the projection of any conclusions based on our findings to future periods is subject to the risk that changes made to the system or controls, changes in processing requirements, or the failure to make changes to the system when required may alter the validity of such conclusions.

In our opinion, management’s assertion that it maintained effective controls over the financial services system to provide reasonable assurance that—

• The system was available for operation and use at times set forth in service-level statements or agreements. (Availability)

• The system was protected against unauthorized physical and logical access. (Security)

• The system processing was complete, accurate, timely and authorized. (Integrity)

• The system can be updated when required in a manner that continues to provide for system availability, security and integrity. (Maintainability)

during the period Month X, 200X, to Month XX, 200X, based on the AICPA/CICA SysTrust principles and criteria, is fairly stated in all material respects.

[Signature] [Date]

*Draft report. Actual wording may change.

Source: E. Boritz, E. Mackler and D. McPhie, “Reporting on Systems Reliability,” Journal of Accountancy, November 1999, p. 82.

ISPTrust

ISPTrust is another assurance service being designed for Internet-based systems. This new service is being developed to evaluate Internet service providers (ISPs). While WebTrust and ISPTrust focus primarily on controls over Internet-based transactions, SysTrust focuses specifically on the reliability of the systems themselves.

Illustrations of Sources of Demand for Electronic Assurance Services

The assurance services covered in this section are designed to help address the types of problems associated with e-commerce illustrated in the boxes below.


HMV MUSIC NET SITE BLOCKED BY HACKERS

Toronto retailer seeks U.S. help to confirm attack

Internet vandals crippled Toronto-based music retailer HMV.com with a denial-of-service attack last Monday, the same day Internet giants Yahoo.com and Amazon.com fell to similar attacks.

But while U.S. investigators have devoted massive resources to tracking down the hackers of the American sites, the RCMP’s specialized computer crime division in Ontario yesterday hadn’t even heard of the HMV.com attack four hours after it was reported.

When reached by telephone yesterday afternoon, RCMP Constable Ron Rimnyak, one of only two RCMP computer crime specialists in the province, said local RCMP investigators hadn’t yet informed him of the hit on HMV.

Corporal Frank Koenig, an RCMP commercial crime officer in Toronto handling the investigation, wouldn’t comment on the case. When asked if the case was urgent, he said, “Everything here is urgent.”

Canadian authorities at all levels have complained they don’t have the resources to investigate most computer crimes. Computer security experts have warned that the trail of information left by the type of attack launched this week gets cold quickly.

The hackers in these latest attacks commandeered scores of slave computers and used them to route huge quantities of information to overload the victim sites. Investigators have to try to find the slave computers, then to examine them for clues as to where the attack was ultimately launched.

Frank Koblum, director of consumer e-commerce at HMV.com, said the site was hit at 3 p.m. Monday.

“People here working on our Internet site realized that it was very slow to respond or it was not responding,” Koblum said.

“Our information technology guys looked into it and they discovered our system was working at 100 per cent—it was ready to go down.”

They ended up closing the site for an hour, Koblum said.

But HMV.com didn’t release information about the attack until yesterday morning. Koblum said they hadn’t experienced such an attack until then. They sent the data logged in the attack to International Business Machines Corp. in the United States for analysis.

IBM told HMV officials Thursday afternoon that the site had been flooded by a “distributed denial of service.”

Source: C. Nuttall-Smith, The Toronto Star, February 12, 2000, p. D1.


CYBER COPS BELIEVE TRANSBORDER ENFORCEMENT IS THE BEST WAY TO TACKLE E-CRIME

Unlimited income. Make money fast. Excellent assay results. Do these Web site offers sound too good? Maybe they are. As any good cyber cop can tell you, electronic criminal activity—e-crime—is rife on the Net.

“The Net poses some new sorts of twists,” says Hugh Stevenson, assistant director of the U.S. Federal Trade Commission marketing practices division. “People making certain offerings can reach a very large audience with a single posting in a way they couldn’t with a single phone call.”

The types of crimes are not new, says Michael Duncan, a management analyst with the Royal Canadian Mounted Police’s technological crime section in Ottawa. “Many of the crimes now committed on the Internet are simply variations of age-old schemes.”

The RCMP’s Duncan says he gets three or four reports daily about illegal chain letters or pyramid schemes on the Net—frequently from vigilantes, who cruise the Net searching for the latest scams.

Many customers do not report fraud—often because they are too embarrassed. Earlier this year, the FTC recovered US$2.8 million from Fortuna Alliance LLC, a Bellingham, Wash., firm that raised an estimated US$13 million from more than 25,000 Net users. Several were from Prince Edward Island’s brokerage community. Investors were promised a return of more than US$5,000 a month from a US$250 investment. When Fortuna got the money, it was wired to offshore trust accounts in Antigua.

Watch out for illegal gambling, job placement scams, and “pump and dump” chat rooms that promote the sale of near-worthless shares, several involving listings on the Alberta and Vancouver stock exchanges.

“The Internet creates novel opportunities to create crimes,” says Tom Pownall, computer crime program analyst for the RCMP.

International co-operation is key to curbing crime on the Net, says Pownall. The prosecution of economic crime is “geared for the paper-based crime . . . Now we need mutual legal assistance treaties so we can freeze data instantly.”

Top 10 Internet Scams

• Pyramids or illegal multilevel marketing schemes.

• Sales of computer equipment and software—either not delivered or misrepresented.

• Sales of Internet services and products.

• Business opportunities with misleading earnings potential.

• Work-at-home plans, including sale of computer graphics software packages that often don’t work.

• Buyers’ club memberships that misrepresent savings.

• Magazine sales by people unconnected to the magazine.

• Investments of all types, such as near-worthless securities.

• Scholarship services.

• Prize offers.

Source (article): Margaret Brady, The Financial Post, July 19, 1997, pp. 18–19.

Source (list): National Fraud Information Centre, Washington, D.C., Phone 1-800-876-7060. Web site: www.fraud.org. E-mail: fraudinfosint.com.

Summary of Electronic Commerce

In summary, electronic commerce is fundamentally restructuring the way business is conducted. For auditors the implications are significant and pervasive. There are unique new risks associated with electronic commerce; electronic commerce greatly complicates the internal control system, yet forces the auditor to rely on controls, especially preventive controls, more than ever before. And finally the new risks may result in new contingencies which the auditor needs to consider for proper disclosure in the financial statements, for example, contingent liabilities as a result of failing to maintain an adequate audit trail.

Electronic commerce is here to stay because its benefits far outweigh the risks. These benefits include moving goods, money and information much more efficiently.

It is clear that EDI and electronic commerce will become an established part of the business environment and that auditors will have to learn to deal with it. This is evident from the newly evolving concept of continuous audits as described in this chapter.

SUMMARY

The technical work in a computer environment can take different forms. Auditors can try to audit “around” the computer, and act like it does not exist except as a very fast and accurate manual accounting processor. They can adopt computer expertise and audit “through” the computer to test its control features. They can audit “with” the computer to assess control risk and obtain substantive evidence, thus taking full advantage of its power and versatility.

Auditors must assess the control risk in a client’s organization, no matter what technology is used for preparing the financial statements. This means that general and application computer controls will need to be studied and tested for compliance with the company’s control procedures (if the detail test of controls is necessary in the circumstances). Tests of controls are described in the chapter for advanced systems. When advanced systems are used by a client, auditors can make use of some equally advanced techniques and devices. Among them are the live data techniques (audit hooks, tagging transactions, SCARF, SARF, snapshot, monitoring systems activity and extended records), the historical data techniques (parallel processing and generalized software applications), the simulated data processing (test data and ITF) and the program analysis techniques (computerized program flowcharting and cross reference programs). The chapter explains these advanced methods briefly.

Using the computer to obtain substantive evidence is explained in the context of generalized audit software (GAS). Its advantages and phases of application are described in Chapter 8. The future no doubt holds significant promise for developments in decision aids and expert systems.

The chapter also provides coverage of computer-oriented auditing with a section on computer-related fraud considerations. Controls and potential problems are discussed. A review of Chapter 8 (Fraud Awareness Auditing) is recommended. It covers a variety of fraud considerations that are relevant to both computer and noncomputer fraud detection.

Chapter 21 concludes with a review of issues associated with the rapidly evolving world of electronic commerce focusing on EDI, fax, e-mail, and the Internet. It is clear that continued rapid growth in electronic commerce will revolutionize the way the majority of audits are conducted and greatly influence the types of assurance engagements that may evolve in the future.


MULTIPLE-CHOICE QUESTIONS FOR PRACTICE AND REVIEW

Exercises 21.15–21.17 are located on the accompanying CD-ROM.

21.18 Which of the following client computer systems generally can be audited without examining or directly testing the computer programs of the system?
a. A system that performs relatively uncomplicated processes and produces detailed output.
b. A system that affects a number of master files and produces a limited output.
c. A system that updates a few master files and produces no other printed output than final balances.
d. A system that performs relatively complicated processing and produces very little detailed output.

21.19 Control procedures within the computer system may leave no visible evidence indicating that the procedures were performed. In such instances the auditor should test these computer controls by:
a. Making corroborative inquiries.
b. Observing the separation of duties of personnel.
c. Reviewing transactions submitted for processing and comparing them to related output.
d. Reviewing the run manual.

21.20 An auditor will use the test data method to gain certain assurances with respect to the computer:
a. Input data.
b. Machine capacity.
c. Control procedures contained within the program.
d. General control procedures.

21.21 After obtaining a preliminary understanding of a client’s computer control structure, an auditor may decide not to perform test of controls auditing related to the control procedures within the computerized portion of the client’s control system. Which of the following would not be a valid reason for choosing to omit tests of controls auditing?
a. The client’s computer control procedures duplicate manual control procedures existing elsewhere in the system.
b. There appear to be major weaknesses that indicate a higher control risk.
c. The time and dollar costs of testing exceed the time and dollar savings in substantive work if the tests of computer controls show the controls to operate effectively.
d. The client’s control procedures appear adequate enough to justify a low control risk assessment.

21.22 Which of the following is likely to be of least importance to an auditor when obtaining an understanding of the computer control procedures in a company with a computerized accounting system?
a. The segregation of duties within the computer function.
b. The control procedures over source documents.
c. The documentation maintained for accounting applications.
d. The cost/benefit ratio of computer operations.

21.23 Which of the following would lessen internal control in a computer system?
a. The computer librarian maintains custody of computer program instructions and detailed listings.
b. Computer operators have access to operator instructions and detailed program listings.
c. The control group is solely responsible for the distribution of all computer output.
d. Computer programmers write and debug programs that perform routines designed by the systems analyst.

21.24 Assume an auditor estimates that 10,000 cash disbursement cheques were issued during the accounting period. If a computer application control, which performs a limit check for each cheque request, is to be subjected to the auditor’s test-data approach, the same should include:
a. Approximately 1,000 test items.
b. A number of test items determined by the auditor to be sufficient under the circumstances.
c. A number of test items under the circumstances.
d. One transaction.

21.25 When an on-line, real-time (OLRT) computer system is in use, the computer control procedures can be strengthened by:
a. Providing for the separation of duties between data input and error listing operations.
b. Attaching plastic file protection rings to reels of magnetic tape before new data can be entered on the file.
c. Preparing batch totals to provide assurance that file updates are made for the entire input.
d. Making a validity check of an identification number before a user can obtain access to the computer files.

21.26 When auditing a computerized accounting system, which of the following is not true of the test data approach?
a. Test data are processed by the client’s computer programs under the auditor’s control.
b. The test data must consist of all possible valid and invalid conditions.
c. The test data need consist of only those valid and invalid conditions in which the auditor is interested.
d. Only one transaction of each type need be tested.

21.27 A primary advantage of using generalized audit packages in the audit of an advanced computer system is that it enables the auditor to:
a. Substantiate the accuracy of data through self-checking digits and hash totals.
b. Utilize the speed and accuracy of the computer.
c. Verify the performance of machine operations which leave visible evidence of occurrence.
d. Gather and store large quantities of supportive evidential matter in machine-readable form.

21.28 Which of the following is an advantage of generalized computer audit packages?
a. They are all written in one identical computer language.
b. They can be used for audits of clients that use differing computer equipment and file formats.
c. They have reduced the need for the auditor to study input controls for computer-related procedures.
d. Their use can be substituted for a relatively large part of the required testing.

21.29 An auditor cannot test the reliable operation of computerized control procedures by:
a. Submission at several different times of test data for processing on the computer program the company uses for actual transaction processing.
b. Manual comparison of detail transactions internal auditors used to test a program to the program’s actual error messages.
c. Programming a model transaction processing system and processing actual client transactions for comparison to the output produced by the client’s program.
d. Manual reperformance of actual transaction processing with comparison of results to the actual system output.

21.30 An auditor can get evidence of the proper functioning of password access control to a computer system by:
a. Writing a computer program that simulates the logic of a good password control system.
b. Selecting a random sample of the client’s completed transactions to check the existence of proper authorization.
c. Attempting to sign onto the computer system with a false password.
d. Obtaining written representations from the client’s computer personnel that the password control prevents unauthorized entry.

21.31 An auditor would most likely use generalized audit software (GAS) to:
a. Make copies of client data files for controlled reprocessing.
b. Construct a parallel simulation to test the client’s computer controls.
c. Perform tests of a client’s hardware controls.
d. Test the operative effectiveness of a client’s password access control.


EXERCISES AND PROBLEMS

21.32 Audit “Around” Versus Audit “Through” Computers. PAs may audit “around” or “through” computers in the examination of financial statements of clients who utilize computers to process accounting data.

Required:
a. Describe the auditing approach referred to as auditing “around” the computer.
b. Under what conditions does the PA decide to audit “through” the computer instead of “around” the computer?
c. In auditing “through” the computer, the PA may use “test data.”
(1) What is the “test data” test of controls audit procedure?
(2) Why does the PA use the “test data” procedure?
d. How can the PA be satisfied that the computer program tested by him or her actually is being used by the client to process its accounting data?

(AICPA adapted)

21.33 Payroll Audit Procedures, Computer, and Sampling. You are the senior auditor in charge of the annual audit on Onward Manufacturing Corporation for the year ending December 31. The company is of medium size, having only 300 employees, but the payroll system work is performed by a computer. All 300 employees are union members paid by the hour at rates set forth in a union contract, a copy of which is furnished to you. Job and pay rate classifications are determined by a joint union–management conference, and a formal memorandum is placed in each employee’s personnel file.

Every week, clock cards prepared and approved in the shop are collected and transmitted to the payroll department. The total of labour hours is summed on an adding machine and entered on each clock card. Batch and hash totals are obtained for the following: (1) labour hours and (2) last four digits of social insurance numbers. These data are keyed into a disk file, batch balanced and converted to tape storage for batch processing. The clock cards (with cost classification data) are sent to the cost accounting department.

Payroll cheques are written by the computer. As each person’s payroll record is processed, the social insurance number is matched to a table (in a separate master table file) to obtain job classification and pay rate data, then the pay rate is multiplied by the number of hours and the cheque is printed. (Ignore payroll deductions for the following requirements.)

Required:
a. What audit procedures would you recommend to obtain evidence that payroll data are accurately totalled and transformed into machine-readable records? What deviation rate might you expect? What tolerable deviation rate would you set? What “items” would you sample? What factors should be considered in setting the size of your sample?

b. What audit procedures would you recommend to obtain evidence that the pay rates are appropriately assigned and used in figuring gross pay? In what way, if any, would these procedures be different if the gross pay were calculated by hand instead of on a computer?

21.34 GAS Application—Phases and Documentation. The phases and documentation of developing a GAS application are very similar to the phases and documentation when the client develops a new computer system. Refer to Chapter 8 and prepare a table of phases and the related documentation when the client develops a new system. Based on the material in Chapter 20, prepare a table of the phases and the related documentation when the auditor develops a GAS application. Organize your answer as follows:

Client’s System Development            Auditor’s GAS Application
Phases        Documentation            Phases        Documentation

21.35 GAS Application—Receivables Confirmation. You are using generalized audit software to prepare accounts receivable confirmations during the annual audit of the Eastern Sunrise Services Club. The company has the following data files:

Master file—debtor credit record.
Master file—debtor name and address.
Master file—account detail.
Ledger number.
Sales code.
Customer account number.
Date of last billing.
Balance (gross).
Discount available to customer (memo account only).
Date of last purchase.

The discount field represents the amount of discount available to the customer if the customer pays within 30 days of the invoicing date. The discount field is cleared for expired amounts during the daily updating. You have determined that this is properly executed.

Required:
List the information from the data files shown above that you would include on the confirmation requests. Identify the file from which the information can be obtained.

21.36 GAS Application—Fixed Assets. You are supervising the audit field work of Sparta Springs Company and need certain information from Sparta’s fixed asset records, which are maintained on magnetic disk. The particular information is (1) net book value of assets, so that your assistant can reconcile the subsidiary ledger to the general ledger control accounts (the general ledger contains an account for each asset type at each plant location), and (2) sufficient data to enable your assistant to find and inspect selected assets.

Record layout of the fixed asset master file:

Asset number.
Description.
Asset type.
Location code.
Year acquired.
Cost.
Accumulated amortization, end of year (includes accumulated amortization at the beginning of the year plus amortization for year to date).
Amortization for the year to date.
Useful life.

Required:
a. From the data file described above, list the information needed to verify correspondence of the subsidiary detail records with the general ledger accounts. Does this work complete the audit of fixed assets?

b. What additional data are needed to enable your assistant to inspect the assets?

21.37 GAS Application—Inventory. Your client, Boos & Becker, Inc., is a medium-sized manufacturer of products for the leisure-time activities market (camping equipment, scuba gear, bows and arrows, and the like). During the past year, a minicomputer system was installed and inventory records of finished goods and parts were converted to computer processing. Each record of the inventory master file contains the following information:

Item or part number.
Description.
Size.
Quantity on hand.
Cost per unit.
Total value of inventory on hand, at cost.
Date of last sale or use.
Quantity used or sold this year.
Reorder point (quantity).
Economic order quantity.
Code number of major vendor.
Code number of secondary vendor.

In preparation for year-end inventory, the client has two identical sets of preprinted, prepunched inventory cards prepared from the master file. One set is for the client’s inventory counts, and the other is for your use to make audit test counts. The following information has been keypunched into the cards and printed on their face:

Item or part number.Description.Size.Unit of measure code.In taking the year-end count, the

client’s personnel will write the actualcounted quantity on the face of each card.When all counts are complete, thecounted quantity will be processedagainst the master file, and quantity-on-hand figures will be adjusted to reflect theactual count. A computer listing will beprepared to show any missing inventorycount cards and all quantity adjustmentsof more than $100 in value. These itemswill be investigated by client personneland all required adjustments will bemade. When adjustments have been com-pleted, the final year-end balances willbe computed and posted to the generalledger.

Your firm has available a generalizedaudit software package that will run onthe client’s computer and can process bothcards and disk master files.

Required:a. In general and without regard to the

facts above, discuss the nature of gen-eralized audit software packages andlist the various audit uses of suchpackages.

b. List and describe at least five ways aGAS package can be used to assist inall aspects of the audit of the inventoryof Boos & Becker, Inc. (For example,the package can be used to read theinventory master file and list items andparts with a high unit cost or total value.Such items can be included in the testcounts to increase the dollar coverageof the audit verification.) Hint: Think ofthe normal audit procedures in gather-ing evidence on inventory when theclient makes a periodic count, thenthink of how the GAS could help in thisparticular client situation.

(AICPA adapted)
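The following is an added illustration, not part of the textbook problem or its solution, of the kinds of tests a generalized audit software package performs on a file laid out like the Boos & Becker inventory master: selecting high-value items as test-count candidates, refooting quantity times unit cost against the stored total, listing master-file items with no returned count card, listing count adjustments worth more than $100 (the client's own criterion), flagging items with no sale or use in over a year, and footing the file so the total can be agreed to the general ledger control account. The records, count cards, year-end date and thresholds are constructed sample data and assumptions.

```python
"""GAS-style tests over an inventory master file (constructed sample data, not client data)."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class InventoryRecord:
    # Field names follow the record layout given in the problem; values are constructed.
    item: str
    description: str
    size: str
    qty_on_hand: int
    unit_cost: float
    total_value: float        # total value on hand at cost, as stored on the file
    last_sale_or_use: date
    qty_used_this_year: int
    reorder_point: int
    eoq: int
    major_vendor: str
    secondary_vendor: str


YEAR_END = date(2023, 12, 31)   # assumed fiscal year-end

MASTER = [
    InventoryRecord("P-100", "Tent, 4-person", "L", 40, 85.00, 3400.00, date(2023, 11, 2), 120, 20, 50, "V01", "V07"),
    InventoryRecord("P-101", "Scuba regulator", "STD", 12, 210.00, 2520.00, date(2023, 12, 15), 30, 5, 10, "V02", "V01"),
    InventoryRecord("P-102", "Arrow, carbon", "30in", 900, 1.25, 1125.00, date(2023, 12, 20), 4000, 500, 1000, "V03", "V04"),
    # Stored total (1150.00) does not foot to 7 x 150.00, and there has been no sale or use since 2021.
    InventoryRecord("P-103", "Bow, recurve", "M", 7, 150.00, 1150.00, date(2021, 3, 9), 0, 2, 5, "V03", ""),
    InventoryRecord("P-104", "Sleeping bag", "L", 25, 45.00, 1125.00, date(2023, 10, 30), 60, 10, 30, "V05", "V06"),
]

# Constructed year-end count cards: item number -> counted quantity. No card came back for P-104.
COUNT_CARDS = {"P-100": 40, "P-101": 10, "P-102": 850, "P-103": 7}


def high_value_items(master, min_total_value):
    """Select items at or above a value threshold as test-count candidates (dollar coverage)."""
    return sorted(r.item for r in master if r.total_value >= min_total_value)


def footing_exceptions(master):
    """Recalculate quantity x unit cost and list records whose stored total disagrees."""
    exceptions = []
    for r in master:
        recomputed = round(r.qty_on_hand * r.unit_cost, 2)
        if abs(recomputed - r.total_value) >= 0.01:
            exceptions.append((r.item, r.total_value, recomputed))
    return exceptions


def missing_count_cards(master, cards):
    """Items on the master file with no returned count card."""
    return sorted(r.item for r in master if r.item not in cards)


def count_adjustments(master, cards, min_value=100.0):
    """Count-versus-file differences worth more than min_value, the client's own listing criterion."""
    adjustments = []
    for r in master:
        if r.item in cards:
            diff_qty = cards[r.item] - r.qty_on_hand
            diff_value = round(diff_qty * r.unit_cost, 2)
            if abs(diff_value) > min_value:
                adjustments.append((r.item, diff_qty, diff_value))
    return adjustments


def slow_moving_items(master, year_end=YEAR_END, max_age_days=365):
    """Items with no sale or use within max_age_days of year end (obsolescence candidates)."""
    return sorted(r.item for r in master if (year_end - r.last_sale_or_use).days > max_age_days)


def file_total(master):
    """Foot the file so the total can be agreed to the general ledger inventory control account."""
    return round(sum(r.total_value for r in master), 2)


if __name__ == "__main__":
    print("test-count candidates:", high_value_items(MASTER, 2000))
    print("footing exceptions:", footing_exceptions(MASTER))
    print("missing count cards:", missing_count_cards(MASTER, COUNT_CARDS))
    print("adjustments over $100:", count_adjustments(MASTER, COUNT_CARDS))
    print("slow-moving items:", slow_moving_items(MASTER))
    print("file total:", file_total(MASTER))
```

Each routine returns its exception list so the result can be carried to the working papers; the routines correspond to generic GAS capabilities (record selection, recalculation, file comparison, aging and footing) rather than to any particular package's command language.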


21.38 Roche Island Quarry—Evidence Collection in an On-line System. Your firm has audited the Roche Island Quarry Company for several years. Roche Island’s main revenue comes from selling crushed rock to construction companies from several quarries owned by the company in Quebec and Ontario. The rock is priced by weight, quality and crushed size.

PAST PROCEDURE
Trucks owned by purchasing contractors or by Roche Island needed to display a current certified empty weight receipt or be weighed in. The quarry yard weighmaster recorded the empty weight on a hand-written “scale ticket” along with the purchasing company name, the truck number and the date. After the truck was loaded, it was required to leave via the scale where the loaded weight and rock grade were recorded on the “scale tickets.” The scale tickets were sorted weekly by grade and manually recorded on a summary sheet, which was forwarded to the home office. Scale tickets were prenumbered and accounted for in the home office.

Revenue (and receivables) audit procedures involved evaluating the controls at selected quarries (rotated each year) and vouching a statistical sample of weight tickets to weekly summaries. Weekly summaries were traced through pricing and invoicing to the general ledger on a sample basis, and general ledger entries were vouched back to weekly summaries on a sample basis. Few material discrepancies were found.

NEW PROCEDURES
At the beginning of the current year, Roche Island converted to a distributed network of microcomputers to gather the information formerly entered manually on the “weight ticket.” This conversion was done with your knowledge but without your advice or input. Now, all entering trucks must weigh in. The yard weighmaster enters NEW on the terminal keyboard, and a form appears on the screen that is similar to the old scale ticket, except the quarry number, transaction number, date and incoming empty weight are automatically entered. Customer and truck numbers are keyed in.

After the weigh-in, the weighmaster enters HOLD through the terminal. The weight ticket record is stored in the microcomputer until weigh-out.

When a truck is loaded and stops on the scale, the weighmaster enters OLD and a directory of all open transactions appears on the screen. The weighmaster selects the proper one and enters OUT. The truck out-weight and the rock weight are computed and entered automatically. The weighmaster must enter the proper number for the rock grade. The weighmaster cannot change any automatically entered field. When satisfied that the screen weight ticket is correct, the weighmaster enters SOLD and the transaction is automatically transmitted to the home office computer, and the appropriate accounting data-base elements are updated.

One copy of a scale ticket is printed and given to the truck driver. There is no written evidence of the sale kept by Roche Island.

Required:
It is now midyear for Roche Island and you are planning for this year’s audit.
a. What control procedures (manual and computer) should you expect to find in this system for recording quarry sales?

b. The computer programs that process the rock sales and perform the accounting reside at the home office and at the quarries. What implications does this have on your planned audit procedures?

c. What are you going to do to gather substantive audit evidence now that there are no written “scale tickets”?
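As an added illustration (not from the textbook or its solution), the following Python model implements the application controls the case describes for the weigh-ticket system: system-entered fields (quarry number, transaction number, date and the weights) that the weighmaster cannot alter, sequential system-assigned transaction numbers, the directory of open transactions, a computed rock weight that must be positive, a valid-grade check, and transmission of SOLD tickets to the home office. It adds a transaction-number sequence test an auditor can run over the transmitted records, since gaps in a quarry's sequence now play the role the prenumbered paper tickets played. The grade codes, scale readings, customer names and dates are constructed.

```python
"""Model of the weigh-ticket application controls in the Roche Island case (constructed example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fields the system enters; the weighmaster cannot change them.
AUTO_FIELDS = {"quarry", "txn_no", "date", "in_weight", "out_weight", "rock_weight"}
VALID_GRADES = {1, 2, 3}   # assumed rock grade codes


@dataclass
class Ticket:
    quarry: int
    txn_no: int
    date: date
    in_weight: int
    customer: str
    truck: str
    out_weight: Optional[int] = None
    rock_weight: Optional[int] = None
    grade: Optional[int] = None
    status: str = "HOLD"


class WeighStation:
    """One quarry's microcomputer: NEW/HOLD on the way in, OLD/OUT/SOLD on the way out."""

    def __init__(self, quarry, scale, today):
        self.quarry = quarry
        self.scale = scale            # callable returning the current scale reading
        self.today = today
        self.next_txn = 1             # system-assigned, sequential transaction numbers
        self.open = {}                # txn_no -> Ticket held until weigh-out
        self.home_office = []         # SOLD tickets transmitted to the accounting database

    def new(self, customer, truck):
        """NEW: system supplies quarry, transaction number, date and in-weight; operator keys customer and truck."""
        t = Ticket(self.quarry, self.next_txn, self.today, self.scale(), customer, truck)
        self.next_txn += 1
        self.open[t.txn_no] = t       # HOLD
        return t.txn_no

    def directory(self):
        """OLD: the directory of open transactions the weighmaster selects from."""
        return sorted(self.open)

    def edit(self, txn_no, field_name, value):
        """Operator edit of an open ticket; system-entered fields are locked."""
        if field_name in AUTO_FIELDS:
            raise PermissionError(f"{field_name} is system-entered and cannot be changed")
        setattr(self.open[txn_no], field_name, value)

    def out(self, txn_no, grade):
        """OUT then SOLD: out-weight and rock weight are computed; only the grade is keyed."""
        t = self.open.get(txn_no)
        if t is None:
            raise KeyError(f"no open transaction {txn_no}")
        if grade not in VALID_GRADES:
            raise ValueError(f"invalid grade code {grade}")
        t.out_weight = self.scale()
        t.rock_weight = t.out_weight - t.in_weight
        if t.rock_weight <= 0:
            t.out_weight = t.rock_weight = None
            raise ValueError("out-weight must exceed in-weight")
        t.grade = grade
        t.status = "SOLD"
        self.home_office.append(t)    # transmitted; the only record Roche Island keeps
        del self.open[txn_no]
        return t


def sequence_gaps(tickets, quarry):
    """Audit test over transmitted tickets: missing numbers in a quarry's sequence need explanation."""
    nums = sorted(t.txn_no for t in tickets if t.quarry == quarry)
    if not nums:
        return []
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def demo():
    """Walk three trucks through the station and return the results worth checking."""
    readings = iter([12000, 11500, 13000, 30000, 31000])   # constructed scale readings, kg
    ws = WeighStation(quarry=3, scale=lambda: next(readings), today=date(2024, 6, 1))
    a = ws.new("ACME Construction", "T-17")
    b = ws.new("Bouchard Paving", "T-22")
    c = ws.new("ACME Construction", "T-18")
    sold_a = ws.out(a, grade=2)
    sold_c = ws.out(c, grade=1)
    try:
        ws.edit(b, "in_weight", 0)       # attempt to overwrite a system-entered field
        locked = False
    except PermissionError:
        locked = True
    return {
        "rock_weight_a": sold_a.rock_weight,
        "rock_weight_c": sold_c.rock_weight,
        "open_after": ws.directory(),
        "auto_field_locked": locked,
        "gaps": sequence_gaps(ws.home_office, quarry=3),
    }
```

In the demo, truck T-22 is still open at the time the sequence test is run, so transaction 2 shows as a gap in the home office's SOLD records; at midyear the auditor would expect such gaps to reconcile to the open-transaction directories at the quarries.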

21.39 Auditor Control of GAS Software. Two audit partners were discussing computerized audit techniques. One said: “We should not leave the firm’s generalized audit software on the client’s computer system. This would be no different from leaving our audit program with the client. Likewise, we should not rely on the client’s generalized audit software package.”

Required:
Evaluate and discuss the partner’s statement.

DISCUSSION CASES

21.40 Discovering Intentional Financial Misstatements in Transactions and Account Balances—Using the Computer. AMI International was a large office products company. Headquarters management imposed pressure on operating division managers to meet profit forecasts. The division managers met these profit goals using several accounting manipulations involving the record-keeping system, which maintained all transactions and account balances on computer files. Employees who operated the computer accounting system were aware of the modifications of policy that managers ordered to accomplish the financial statement manipulations. The management and employees carried out these activities:
1. Inventory write-downs for obsolete and damaged goods were deferred.
2. The sales entry system was kept open after the quarterly and annual cutoff dates, recording sales of goods shipped after the cutoff dates.
3. Transactions coded as leases of office equipment were recorded as sales.
4. Shipments to branch offices were recorded as sales.
5. Vendors’ invoices for parts and services were not recorded until later, but the actual invoice date was faithfully entered according to accounting policy.

Required:
Describe one or more procedures that could be performed with generalized audit software to detect signs of each of these transaction manipulations. Limit your answer to the actual work accomplished by the computer software.
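As an added illustration (not part of the case or its answer key), the following Python routines show the kind of GAS tests that would surface each of the five manipulations when run over constructed transaction and inventory records: items coded obsolete or damaged that carry no write-down; sales posted to the old period but shipped after cutoff; sales-journal entries whose source document is a lease contract; sales to customer codes that are the company's own branches; and vendor invoices dated on or before cutoff but entered after it, which relies on the invoice date having been entered faithfully, as the case states. The record layouts, cutoff date, branch codes and all amounts are assumptions.

```python
"""GAS-style tests for the five AMI manipulations (constructed records; field names are assumptions)."""
from dataclasses import dataclass
from datetime import date

CUTOFF = date(2023, 12, 31)              # fiscal year-end (assumed)
BRANCH_CODES = {"BR-TOR", "BR-MTL"}      # customer codes that are really company branch offices (assumed)


@dataclass(frozen=True)
class SaleEntry:
    invoice: str
    customer: str
    source: str          # source document type: "SALE" or "LEASE"
    ship_date: date
    period_end: date     # accounting period the entry was posted to
    amount: float


@dataclass(frozen=True)
class VendorInvoice:
    vendor: str
    invoice_date: date   # entered faithfully, as the case states
    entry_date: date     # date the liability was actually recorded
    amount: float


@dataclass(frozen=True)
class InventoryItem:
    item: str
    condition: str       # "GOOD", "DAMAGED" or "OBSOLETE"
    cost: float
    write_down: float


SALES = [
    SaleEntry("S-1001", "C-55", "SALE", date(2023, 12, 28), CUTOFF, 8000.0),
    SaleEntry("S-1002", "C-61", "SALE", date(2024, 1, 4), CUTOFF, 12500.0),     # shipped after cutoff, booked in old year
    SaleEntry("S-1003", "C-70", "LEASE", date(2023, 12, 20), CUTOFF, 30000.0),  # lease contract recorded as a sale
    SaleEntry("S-1004", "BR-TOR", "SALE", date(2023, 12, 29), CUTOFF, 5400.0),  # shipment to the company's own branch
    SaleEntry("S-1005", "C-55", "SALE", date(2023, 12, 30), CUTOFF, 2100.0),
]
VENDOR_INVOICES = [
    VendorInvoice("V-9", date(2023, 12, 12), date(2023, 12, 15), 4000.0),
    VendorInvoice("V-3", date(2023, 12, 27), date(2024, 1, 18), 9700.0),        # old-year invoice recorded in the new year
    VendorInvoice("V-3", date(2024, 1, 3), date(2024, 1, 10), 1200.0),
]
INVENTORY = [
    InventoryItem("I-1", "GOOD", 1000.0, 0.0),
    InventoryItem("I-2", "OBSOLETE", 6500.0, 0.0),                               # flagged obsolete, write-down deferred
    InventoryItem("I-3", "DAMAGED", 800.0, 400.0),
]


def write_downs_deferred(items):
    """Manipulation 1: items coded damaged or obsolete that carry no write-down."""
    return [i.item for i in items if i.condition != "GOOD" and i.write_down == 0.0]


def sales_shipped_after_cutoff(entries, cutoff=CUTOFF):
    """Manipulation 2: compare the shipping date with the period the sale was posted to."""
    return [e.invoice for e in entries if e.period_end <= cutoff < e.ship_date]


def leases_recorded_as_sales(entries):
    """Manipulation 3: select sales-journal entries whose source document is a lease."""
    return [e.invoice for e in entries if e.source == "LEASE"]


def branch_shipments_as_sales(entries, branch_codes=BRANCH_CODES):
    """Manipulation 4: match customer codes against the list of the company's own branches."""
    return [e.invoice for e in entries if e.customer in branch_codes]


def unrecorded_liabilities(invoices, cutoff=CUTOFF):
    """Manipulation 5: invoices dated on or before cutoff but entered after it."""
    return [(i.vendor, i.amount) for i in invoices if i.invoice_date <= cutoff < i.entry_date]


def overstatement_summary(entries=SALES, invoices=VENDOR_INVOICES, items=INVENTORY):
    """Dollar amounts flagged by each test, for the auditor's assessment of materiality."""
    flagged = (set(sales_shipped_after_cutoff(entries))
               | set(leases_recorded_as_sales(entries))
               | set(branch_shipments_as_sales(entries)))
    deferred = set(write_downs_deferred(items))
    return {
        "revenue_flagged": round(sum(e.amount for e in entries if e.invoice in flagged), 2),
        "liabilities_unrecorded": round(sum(a for _, a in unrecorded_liabilities(invoices)), 2),
        "inventory_without_write_down": round(sum(i.cost for i in items if i.item in deferred), 2),
    }
```

Each test is a record-selection or file-comparison step of the sort a GAS package performs; what the software produces is a list of exceptions, and deciding whether an exception is a manipulation or an explainable timing difference remains the auditor's work.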
