Electronic Commerce Systems:Implications for the Accounting Profession

By -

Implications for the Accounting Profession

The issues discussed in this chapter carry many implications for auditors and the public accounting profession. As key functions such as inventory procurement, sales processing, shipping notification, and cash disbursements are performed automatically, digitally, and in real time, auditors are faced with the challenge of developing new techniques for assessing control adequacy and verifying the occurrence and accuracy of economic events. The following describes issues of increasing importance to auditors in the electronic commerce age.

PRIVACY VIOLATION

Privacy pertains to the level of confidentiality that an organization employs in managing customer and trading partner data. Privacy applies also to data that Web sites collect from visitors who are not customers. Specific concerns include:

• Does the organization have a stated privacy policy?

• What mechanisms are in place to ensure the consistent application of stated privacy policies?

• What information on customers, trading partners, and visitors does the company capture?

• Does the organization share or sell its customer, trading partner, or visitor information?

• Can individuals and business entities verify and update the information captured about them?

The growing reliance on Internet technologies for conducting business has placed the spotlight on privacy violation as a factor that is detrimental to a client entity. In response to this threat, several firms have developed assurance services for evaluating their client’s privacy violation risk. A KPMG white paper examines the importance customers place on their privacy.9 The paper suggests that developing a set of privacy protection policies may prove to be a significant differentiation factor for commercial companies. As such, auditors engaged in certifying management’s practices and established privacy policy need to exert particular care.

The Safe Harbor Agreement implemented in 1995 reasserts the importance of privacy. The two-way agreement between the United States and the European Union establishes standards for information transmittal. Approved by the European Commission in July 2000, the Safe Harbor principles essentially en- able U.S. companies to do business in the European Union by establishing what is deemed to be an adequate level of privacy protection. Although the document is still evolving, it establishes that companies need to enter the Safe Harbor Agreement or provide evidence that they are abiding by the privacy regulations set forth in it. Noncompliant organizations may be effectively banned from doing business in the European Union. Compliance with the Safe Harbor Agreement requires that a company meet six conditions that are described next.10

NOTICE. Organizations must provide individuals with clear notice of ‘‘the purposes for which it collects and uses information about them, the types of third parties to which it discloses the information, and how to contact the company with inquiries or complaints.’’

CHOICE. Before any data are collected, an organization must give its customers the opportunity to choose whether to share their sensitive information (for example, data related to factors such as health, race, or religion).

ONWARD TRANSFER. Unless they have the individual’s permission to do otherwise, organizations may share information only with those third parties that belong to the Safe Harbor Agreement or follow its principles.

SECURITY AND DATA INTEGRITY. Organizations need to ensure that the data they maintain are accurate, complete, and current, and thus reliable for use. They must also ensure the security of the information by protecting it against loss, misuse, unauthorized access, disclosure, alteration, and destruction.

ACCESS. Unless they would be unduly burdened or violate the rights of others, organizations must give individuals ‘‘access to personal data about themselves and provide an opportunity to correct, amend, or delete such data.’’

ENFORCEMENT. Organizations must ‘‘enforce compliance, provide recourse for individuals who believe their privacy rights have been violated, and impose sanctions on their employees and agents for non-compliance.’’

CONTINUOUS AUDITING

Continuous auditing techniques need to be developed that will enable the auditor to review transactions at frequent intervals or as they occur. To be effective, such an approach will need to employ intelligent control agents (computer programs) that embody auditor-defined heuristics that search electronic transactions for anomalies. Upon finding unusual events, the control agent will first search for similar events to identify a pattern. If the anomaly cannot be explained, the agent alerts the auditor with an alarm or exception report.

ELECTRONIC AUDIT TRAILS

In an EDI environment, a client’s trading partner’s computer automatically generates electronic transactions, which are relayed across a value-added network (VAN),11 and the client’s computer processes the transactions without human intervention. In such a setting, audits may need to be extended to critical systems of all parties involved in the transactions. Validating EDI transactions may involve the client, its trading partners, and the VAN that connects them. This could take the form of direct review of these systems or collaboration between the auditors of the trading partners and VANs.

CONFIDENTIALITY OF DATA

As system designs become increasingly open to accommodate trading partner transactions, mission-critical information is at risk of being exposed to intruders both from inside and outside the organization. Accountants need to understand the cryptographic techniques used to protect the confidentiality of stored and transmitted data. They need to assess the quality of encryption tools used and the effectiveness of key management procedures that CAs use. Furthermore, the term mission-critical defines a set of information that extends beyond the traditional financial concerns of accountants. This broader set demands a more holistic approach to assessing internal controls that ensure the confidentiality of data.

AUTHENTICATION

In traditional systems, the business paper on which it was written determines the authenticity of a sales order from a trading partner or customer. In electronic commerce systems, determining the identity of the customer is not as simple a task. With no physical forms to review and approve, authentication is accomplished through digital signatures and digital certificates. To perform their assurance function, accountants must develop the skill set needed to understand these technologies and their application.

NONREPUDIATION

Accountants are responsible for assessing the accuracy, completeness, and validity of transactions that constitute client sales, accounts receivable, purchases, and liabilities. Transactions that a trading partner can unilaterally repudiate can lead to uncollected revenues or legal action. In traditional systems, signed invoices, sales agreements, and other physical documents provide proof that a transaction occurred. As with the problem of authentication, electronic commerce systems can also use digital signatures and digital certificates to promote nonrepudiation.

DATA INTEGRITY

A nonrepudiated transaction from an authentic trading partner may still be intercepted and rendered inaccurate in a material way. In a paper-based environment, such alterations are easy to detect. Digital trans- missions, however, pose much more of a problem. To assess data integrity, accountants must become familiar with the concept of computing a digest of a document and the role of digital signatures in data transmissions.

ACCESS CONTROLS

Controls need to be in place that prevent or detect unauthorized access to an organization’s information system. Organizations whose systems are connected to the Internet are at greatest risk from outside intruders. Accounting firms need to be expert in assessing their clients’ access controls. Many firms are now performing penetration tests, designed to assess the adequacy of their clients’ access control by imitating known techniques that hackers and crackers use.

A CHANGING LEGAL ENVIRONMENT

Accountants have traditionally served their clients by assessing risk (both business and legal) and devising techniques to mitigate and control risk. This risk-assessment role is greatly expanded by Internet commerce, whose legal framework is still evolving in a business environment fraught with new and unforeseen risks. To estimate a client’s exposure to legal liability in this setting, the public accountant must understand the potential legal implications (both domestic and international) of transactions that the client’s electronic commerce system processes. For example, a Web page from which customers order goods opens the organization to national and international business communities and exposes it to multiple and possibly conflicting legal statutes. Legal issues relating to taxes, privacy, security, intellectual property rights, and libel create new challenges for the accounting profession, which must provide their clients with rapid and accurate advice on a wide range of legal questions.

Comments

Post a Comment

Popular posts from this blog

The Conversion Cycle:The Traditional Manufacturing Environment

By -
Image
The Traditional Manufacturing Environment The conversion cycle consists of both physical and information activities related to manufacturing products for sale. The context-level data flow diagram (DFD) in Figure 7-1 illustrates the central role of the conversion cycle and its interactions with other business cycles. Production is triggered by customer orders from the revenue cycle and/or by sales forecasts from marketing. These inputs are used to set a production target and prepare a production plan, which drives production activities. Purchase requisitions for the raw materials needed to meet production objectives are sent to the purchases procedures (expenditure cycle), which prepares purchase orders for vendors. Labor used in production is transmitted to the payroll system (expenditure cycle) for payroll processing. Manufacturing costs associated with intermediate work-in-process and finished goods (FG) are sent to the general ledger (GL) and financial reporting system. Dependin
Read more

The Revenue Cycle:Manual Systems

By -
Image
Manual Systems The purpose of this section is to support the system concepts presented in the previous section with models depicting people, organizational units, and physical documents and files. This section should help you envision the segregation of duties and independent verifications, which are essential to effective internal control regardless of the technology in place. In addition, we highlight inefficiencies intrinsic to manual systems, which gave rise to modern systems using improved technologies. SALES ORDER PROCESSING The system flowchart in Figure 4-12 shows the procedures and the documents typical to a manual sales order system. In manual systems, maintaining physical files of source documents is critical to the audit trail. As we walk through the flowchart, notice that in each department, after completion of the assigned task, one or more documents are filed as evidence that the task was completed. Sales Department The sales process begins with a customer cont
Read more

HIPO (hierarchy plus input-process-output)

By -
Image
HIPO (hierarchy plus input-process-output) 64.1 Purpose The HIPO (Hierarchy plus Input-Process-Output) technique is a tool for planning and/or documenting a computer program. A HIPO model consists of a hierarchy chart that graphically represents the program’s control structure and a set of IPO (Input-Process-Output) charts that describe the inputs to, the outputs from, and the functions (or processes) performed by each module on the hierarchy chart. 64.2 Strengths, weaknesses, and limitations Using the HIPO technique, designers can evaluate and refine a program’s design, and correct flaws prior to implementation. Given the graphic nature of HIPO, users and managers can easily follow a program’s structure. The hierarchy chart serves as a useful planning and visualization document for managing the program development process. The IPO charts define for the programmer each module’s inputs, outputs, and algorithms. In theory, HIPO provides valuable long-term documentation. However
Read more