Electronic Commerce Systems: Implications for the Accounting Profession
The issues discussed in this chapter carry many implications for auditors and the public accounting profession. As key functions such as inventory procurement, sales processing, shipping notification, and cash disbursements are performed automatically, digitally, and in real time, auditors are faced with the challenge of developing new techniques for assessing control adequacy and verifying the occurrence and accuracy of economic events. The following describes issues of increasing importance to auditors in the electronic commerce age.
PRIVACY VIOLATION
Privacy pertains to the level of confidentiality that an organization employs in managing customer and trading partner data. Privacy applies also to data that Web sites collect from visitors who are not customers. Specific concerns include:
• Does the organization have a stated privacy policy?
• What mechanisms are in place to ensure the consistent application of stated privacy policies?
• What information on customers, trading partners, and visitors does the company capture?
• Does the organization share or sell its customer, trading partner, or visitor information?
• Can individuals and business entities verify and update the information captured about them?
The growing reliance on Internet technologies for conducting business has placed the spotlight on privacy violation as a factor that is detrimental to a client entity. In response to this threat, several firms have developed assurance services for evaluating their client’s privacy violation risk. A KPMG white paper examines the importance customers place on their privacy. The paper suggests that developing a set of privacy protection policies may prove to be a significant differentiation factor for commercial companies. As such, auditors engaged in certifying management’s practices and established privacy policy need to exert particular care.
The Safe Harbor Agreement implemented in 1995 reasserts the importance of privacy. The two-way agreement between the United States and the European Union establishes standards for information transmittal. Approved by the European Commission in July 2000, the Safe Harbor principles essentially enable U.S. companies to do business in the European Union by establishing what is deemed to be an adequate level of privacy protection. Although the document is still evolving, it establishes that companies need to enter the Safe Harbor Agreement or provide evidence that they are abiding by the privacy regulations set forth in it. Noncompliant organizations may be effectively banned from doing business in the European Union. Compliance with the Safe Harbor Agreement requires that a company meet six conditions that are described next.
NOTICE. Organizations must provide individuals with clear notice of “the purposes for which it collects and uses information about them, the types of third parties to which it discloses the information, and how to contact the company with inquiries or complaints.”
CHOICE. Before any data are collected, an organization must give its customers the opportunity to choose whether to share their sensitive information (for example, data related to factors such as health, race, or religion).
ONWARD TRANSFER. Unless they have the individual’s permission to do otherwise, organizations may share information only with those third parties that belong to the Safe Harbor Agreement or follow its principles.
SECURITY AND DATA INTEGRITY. Organizations need to ensure that the data they maintain are accurate, complete, and current, and thus reliable for use. They must also ensure the security of the information by protecting it against loss, misuse, unauthorized access, disclosure, alteration, and destruction.
ACCESS. Unless they would be unduly burdened or violate the rights of others, organizations must give individuals “access to personal data about themselves and provide an opportunity to correct, amend, or delete such data.”
ENFORCEMENT. Organizations must “enforce compliance, provide recourse for individuals who believe their privacy rights have been violated, and impose sanctions on their employees and agents for non-compliance.”
CONTINUOUS AUDITING
Continuous auditing techniques need to be developed that will enable the auditor to review transactions at frequent intervals or as they occur. To be effective, such an approach will need to employ intelligent control agents (computer programs) that embody auditor-defined heuristics that search electronic transactions for anomalies. Upon finding unusual events, the control agent will first search for similar events to identify a pattern. If the anomaly cannot be explained, the agent alerts the auditor with an alarm or exception report.
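As an added illustration, not part of the original chapter, the following Go program sketches such a control agent: auditor-defined heuristics run over a constructed ledger, and each flagged transaction is checked for similar events before it reaches the exception report. The two rules, the vendor names and the amounts are assumptions made up for the example.

```go
package main

// Transaction is a constructed, simplified record of one electronic transaction.
type Transaction struct {
	ID, Vendor string
	Amount     float64
}
// Heuristic is an auditor-defined rule; it returns a reason when a transaction looks unusual.
type Heuristic func(t Transaction) (reason string, anomalous bool)
// LargeAmount flags any transaction above an auditor-set limit (an assumed rule).
func LargeAmount(limit float64) Heuristic {
	return func(t Transaction) (string, bool) { return "amount above limit", t.Amount > limit }
}
// UnapprovedVendor flags payments to vendors missing from the approved-vendor list (an assumed rule).
func UnapprovedVendor(approved map[string]bool) Heuristic {
	return func(t Transaction) (string, bool) { return "vendor not on approved list", !approved[t.Vendor] }
}
// Review runs every heuristic over the ledger. When a rule fires, the agent first searches
// the ledger for similar events (same vendor, same rule) to identify a pattern; an anomaly
// with at least patternMin similar events is treated as explained, anything else goes on
// the exception report for the auditor.
func Review(ledger []Transaction, rules []Heuristic, patternMin int) []string {
	var report []string
	for _, t := range ledger {
		for _, rule := range rules {
			reason, hit := rule(t)
			if !hit {
				continue
			}
			similar := 0
			for _, o := range ledger {
				if _, also := rule(o); also && o.ID != t.ID && o.Vendor == t.Vendor {
					similar++
				}
			}
			if similar < patternMin {
				report = append(report, t.ID+": "+reason)
			}
		}
	}
	return report
}

// SampleLedger is constructed data: a host billed the same amount every night (a pattern
// the agent can explain) and a one-off large payment to an unfamiliar vendor.
func SampleLedger() []Transaction {
	return []Transaction{
		{"T1", "NightlyHost", 400}, {"T2", "NightlyHost", 400}, {"T3", "NightlyHost", 400},
		{"T4", "OfficeSupply", 250}, {"T5", "UnknownCo", 50000},
	}
}
```

Lowering patternMin or raising it changes how readily the agent accepts a repeated anomaly as explained, which is itself an auditor judgement.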
ELECTRONIC AUDIT TRAILS
In an EDI environment, a client’s trading partner’s computer automatically generates electronic transactions, which are relayed across a value-added network (VAN), and the client’s computer processes the transactions without human intervention. In such a setting, audits may need to be extended to critical systems of all parties involved in the transactions. Validating EDI transactions may involve the client, its trading partners, and the VAN that connects them. This could take the form of direct review of these systems or collaboration between the auditors of the trading partners and VANs.
CONFIDENTIALITY OF DATA
As system designs become increasingly open to accommodate trading partner transactions, mission-critical information is at risk of being exposed to intruders both from inside and outside the organization. Accountants need to understand the cryptographic techniques used to protect the confidentiality of stored and transmitted data. They need to assess the quality of encryption tools used and the effectiveness of key management procedures that CAs use. Furthermore, the term mission-critical defines a set of information that extends beyond the traditional financial concerns of accountants. This broader set demands a more holistic approach to assessing internal controls that ensure the confidentiality of data.
AUTHENTICATION
In traditional systems, the authenticity of a sales order from a trading partner or customer is established by the business paper on which it was written. In electronic commerce systems, determining the identity of the customer is not as simple a task. With no physical forms to review and approve, authentication is accomplished through digital signatures and digital certificates. To perform their assurance function, accountants must develop the skill set needed to understand these technologies and their application.
NONREPUDIATION
Accountants are responsible for assessing the accuracy, completeness, and validity of transactions that constitute client sales, accounts receivable, purchases, and liabilities. Transactions that a trading partner can unilaterally repudiate can lead to uncollected revenues or legal action. In traditional systems, signed invoices, sales agreements, and other physical documents provide proof that a transaction occurred. As with the problem of authentication, electronic commerce systems can also use digital signatures and digital certificates to promote nonrepudiation.
DATA INTEGRITY
A nonrepudiated transaction from an authentic trading partner may still be intercepted and rendered inaccurate in a material way. In a paper-based environment, such alterations are easy to detect. Digital transmissions, however, pose much more of a problem. To assess data integrity, accountants must become familiar with the concept of computing a digest of a document and the role of digital signatures in data transmissions.
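The following Go program, added here as an example and not part of the original chapter, ties together the AUTHENTICATION, NONREPUDIATION and DATA INTEGRITY sections: it computes a digest of a constructed sales order, signs that digest with a trading partner’s private key, and shows the receiver’s verification rejecting an order altered in transit. Ed25519 is assumed as the signature algorithm, and the order format is made up; the chapter names neither.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// SignedOrder is a constructed electronic sales order as a trading partner would transmit it:
// the body, the sender's digest of the body, and the sender's signature over that digest.
type SignedOrder struct {
	Body, Digest, Signature []byte
}

// Digest computes the SHA-256 message digest that both sides compute over the order body.
func Digest(body []byte) []byte {
	sum := sha256.Sum256(body)
	return sum[:]
}

// Sign prepares an order for transmission; the digital signature covers the digest.
func Sign(priv ed25519.PrivateKey, body []byte) SignedOrder {
	d := Digest(body)
	return SignedOrder{Body: body, Digest: d, Signature: ed25519.Sign(priv, d)}
}

// Verify is the receiver's check. The recomputed digest must equal the transmitted one
// (data integrity), and the signature must verify under the sender's public key, which only
// the holder of the matching private key could have produced (authentication and
// nonrepudiation). A digest alone would not stop an intruder who alters the body and
// recomputes the digest; the signature check is what catches that case.
func Verify(pub ed25519.PublicKey, o SignedOrder) (digestOK, signatureOK bool) {
	d := Digest(o.Body)
	return bytes.Equal(d, o.Digest), ed25519.Verify(pub, d, o.Signature)
}

// Demo signs a constructed order with a fresh key pair, verifies it, then verifies a copy
// whose quantity was altered in transit; it returns whether each copy passed both checks.
func Demo() (cleanOK, tamperedOK bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	order := Sign(priv, []byte("PO-1001;customer=C42;qty=100;unit=19.95"))
	altered := SignedOrder{Body: []byte("PO-1001;customer=C42;qty=1000;unit=19.95"), Digest: order.Digest, Signature: order.Signature}
	d1, s1 := Verify(pub, order)
	d2, s2 := Verify(pub, altered)
	return d1 && s1, d2 || s2
}
```

In practice the receiver obtains the sender’s public key from a digital certificate issued by a CA, which is the link back to the AUTHENTICATION section.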
ACCESS CONTROLS
Controls need to be in place that prevent or detect unauthorized access to an organization’s information system. Organizations whose systems are connected to the Internet are at greatest risk from outside intruders. Accounting firms need to be expert in assessing their clients’ access controls. Many firms are now performing penetration tests, designed to assess the adequacy of their clients’ access control by imitating known techniques that hackers and crackers use.
A CHANGING LEGAL ENVIRONMENT
Accountants have traditionally served their clients by assessing risk (both business and legal) and devising techniques to mitigate and control risk. This risk-assessment role is greatly expanded by Internet commerce, whose legal framework is still evolving in a business environment fraught with new and unforeseen risks. To estimate a client’s exposure to legal liability in this setting, the public accountant must understand the potential legal implications (both domestic and international) of transactions that the client’s electronic commerce system processes. For example, a Web page from which customers order goods opens the organization to national and international business communities and exposes it to multiple and possibly conflicting legal statutes. Legal issues relating to taxes, privacy, security, intellectual property rights, and libel create new challenges for the accounting profession, which must provide their clients with rapid and accurate advice on a wide range of legal questions.