E-Commerce: Implications for Auditors



10 APPENDIX 7E E-Commerce: Implications for Auditors

APPENDIX 7E:

E-COMMERCE: IMPLICATIONS FOR AUDITORS

The appendix presents several topics related to auditing the financial statements of organizations conducting business activities over the Internet. It first provides an overview of the effects of e-commerce on the auditee’s business processes and risks. It then discusses specialized technical considerations related to the security of payments made over the Internet. Finally, it outlines the impact e-commerce activities have on conducting the audit, and the need to use IT audit experts on the engagement.

E-COMMERCE IMPLICATIONS FOR AUDITORS

“Electronic commerce” is a term coined by Benjamin Wright in a landmark book titled The Law of Electronic Commerce that looks at the legal implications of the rapidly developing electronic managing technology. Benjamin Wright’s work has influenced the CICA’s Technology Task Force, and he was invited to write a chapter in the second edition of EDI for Managers and Auditors. We will define electronic commerce (e-commerce) broadly here as any trade that takes place by electronic means. An important part of e-commerce is business-to-business (B2B), in which companies use the Internet for buying from and selling to each other. This economic activity has been greatly facilitated by the growing use and power of the Internet. The Internet is a public network allowing communication between computers; it is growing at an explosive rate, greatly increasing in size every year. It promises to revolutionize the business world and turn it into electronic commerce in its broadest sense.

The Internet is a public communication system [that is] universally accessible and unregulated. It is a worldwide network of computers that communicate with each other using cables and wireless transmission.

The World Wide Web (WWW) or Web is a part of the Internet in which users can exchange graphics, audio, video, and software as well as the more traditional text and databases that were part of the original Internet.3

The Web is at the heart of the Information Highway that is being discussed just about everywhere. The Internet already profoundly affects PAs. One of the most important ways is that it can bring vast amounts of information to the computer screen. For example, available on the Net are financial and other information on clients, regulatory filings, legislative proceedings, legal information, information on client companies (provided either by the companies themselves or by stock trader information hot lines such as Motley Fool), currency exchange rates, software downloads, university research materials, and professional forums for exchanging information—and these are just a few of the resources for PAs. The entire CICA Handbook, professional engagement manuals, and other PA practice guidance resources can be accessed online by subscribers. (We have indicated useful online information sources for PAs in the end covers and in various chapters throughout this text.) To take full advantage of the Internet’s information potential, PAs need to make use of browser software such as Internet Explorer or Mozilla Firefox, which allow searches on the Internet. A search engine or intelligent agent, Google for example, is a more intelligent piece of software that allows searches for specific information

LEARNING OBJECTIVE

1 Describe the effects of e-commerce activities on an auditee’s business processes and risks.

3 Adapted from Journal of Accountancy, March 1997, p. 51.



using titles or document headers, entire documents, or directories. This has been made necessary by the rapid proliferation, abandonment, and obsolescence of websites. However, our focus here is on how the Internet affects electronic business. So far the most important applications have been in what are called business-to-business (B2B) transactions. There are now many B2B websites to choose from: different types of auctions, trading pits, virtual malls, as well as more traditional offline intermediaries. The B2B marketplace provides fast, efficient (low-cost), and effective worldwide trading networks for nearly every conceivable product and service. There are as many B2B sites as there are markets and industries. B2B sites are particularly useful in dealing with sudden changes in demand or supply due to unpredictable events like strikes or other disruptions. For all these reasons, the traditional relationship-based model, in which commercial buyers and sellers deal with an established pool of suppliers and customers, is being replaced by B2B relationships. In particular, B2B on the Internet is replacing the more complex, rigid, hierarchical, and expensive electronic data interchanges (EDI) of the 1990s. Exhibit 7E–1 provides an overview of a special type of B2B, electronic funds transfer (EFT), which completes the automation of sales/collection and purchases/payments.

4 The Economist, February 26, 2000, p. 11 of survey.

EXHIBIT 7E–1 E-COMMERCE: IMPLICATIONS FOR AUDITORS

[Diagram: EDI/EFT message flows among a buyer, the buyer’s bank, a supplier and the supplier’s bank, each party exchanging messages through an electronic mailbox. Messages shown: purchase order, shipping notice, invoice and acknowledgments between buyer and supplier; payment order and acknowledgment between the buyer and the buyer’s bank; payment order and remittance with acknowledgments between the two banks; payment advice and acknowledgment of receipt between the supplier’s bank and the supplier.]

Source: Exhibit 1.1, Audit Implications of EDI, CICA, 1996, p. 2.

In addition to B2B e-commerce, consumer-related transactions of various types are also very common. The Economist magazine identified three segments of consumer-oriented e-commerce: “. . . business-to-consumer (B2C), consumer-to-business (C2B), and consumer-to-consumer (C2C). The first embraces normal retail activities on the Web, such as bookselling by Amazon.com. . . . The second, as yet smaller, takes advantage of the Internet’s power to drive transactions the other way round: would-be passengers bidding for airline tickets on Priceline.com. . . . The third covers the new fashion for consumers’ auctions, epitomized by the auction site eBay.com.”4


Generally, “low touch” goods such as software, tickets, financial services, and any content that can be put in digital form (for example, music, film, books) and delivered over the Internet have been more successfully sold to consumers than “high touch” goods (for example, clothes, groceries, cars), although this may change over time. A CICA study authored by G. Trites lists the following reasons for the success of e-commerce.

1. low cost of transacting business

2. reach to new markets and customers

3. growing access to the Internet

4. development of sound security infrastructures

5. development of secure, convenient payment systems5

Examples of the magnitude of savings possible with the Internet: a traditional airline ticket booking costs $8, versus $1 for an electronic ticket issued directly by the airline. Another example is banking transactions: a traditional transaction through a bank branch costs about $1, whereas a transaction processed through the Internet costs about one penny. An example of reaching new markets and consumers is data mining, which allows the creation of customer profiles and customized marketing. “Everything can be recorded: not just every transaction, but which web pages a customer visits, how long he spends there and what banner ads he clicks on.”6

Conversely, customers can use intelligent agents or navigators to find the best buys on the Internet. Such agents can also act as “infomediaries,” addressing the customer’s concerns about privacy and security. All this contributes to what Bill Gates calls “frictionless capitalism.”

In order to better reflect these profound changes in the business world, the term e-commerce is being replaced by the even broader concept of e-business. E-commerce can be described as the procurement and distribution of goods and services over the Internet using IT. The more encompassing term, e-business, can be defined as including all activities carried out by a business via the Internet. This definition of e-business extends beyond the definition of e-commerce to include the exchange of information not related to the actual buying and selling of goods, for example, providing customer support over the Internet or recruiting employees via the Internet. The most recent trends in e-business include collaborative business, in which customers and suppliers collaborate to design and deliver services and products as part of a larger corporate strategy. Another advance is mobile business models based on wireless communications, which create additional strategic opportunities and related control and security issues because of the wireless elements.

A good way to characterize the progress of e-business development in a firm is through the capabilities of the firm’s website. This is summarized in Exhibit 7E–2, which views e-business as an evolutionary process reflecting the experience of many firms. In the first phase, the firm’s website is used to provide information about the firm, with the website acting as a shop window or catalogue for browsing purposes. At this phase, information is carried in only one direction. In the second phase, the customer has limited interaction with the website, for example, checking only on the availability of goods and services. The third phase is the e-commerce phase, where the website’s applications allow the procurement of goods and services that lead to the creation of financial transactions. Customers place orders for goods and services and make payments electronically, frequently by credit card. The e-business phase is the complete integration of the Internet-based purchase of goods and services with other parts of the firm’s IT system.

5 Trites, G., Strategic Internet Commerce, CICA, 1999, p. 56.

6 The Economist, February 26, 2000, p. 12.


There are many business models that have evolved on the wide-open Internet. In addition to B2B, B2C, and C2C discussed previously, other models include business to employee (typically a system enabling intercompany (intragroup) emails over the Internet to be directed to the correct department), business to government (electronic submission of corporate tax returns and regulatory filings), and customer to government (electronic submission of individual tax returns).

It is evident that the Internet and IT have affected all aspects of the business world and management. What auditors are mainly concerned with, however, is the security of IT processing, especially as it affects the accuracy and reliability of the accounting function. IT is evolving rapidly. The International Federation of Accountants suggests it is useful to look at IT in terms of the following elements: IT business processes, IT applications, and IT infrastructure. IT business processes relate to operations of the business in which IT is used. IT applications are the application software that supports those processes. IT infrastructure comprises all the technical resources necessary for the operation of the IT system, for example, hardware, operating system software, and communications facilities to support internal and external networks. The IT control system governs how these elements operate together to achieve their objectives while reducing risk to a tolerable level. The IT control system is part of the internal control system.

EXHIBIT 7E–2 EVOLUTION OF E-BUSINESS

[Diagram: four stages of website capability, plotted against maturity/experience and application.]

1 Website (Information): public relations; product information.
2 E-Communication (Interaction): information on demand; online enquiries, e.g., stock availability enquiries.
3 E-Commerce (Transactions): online sales/purchases; acceptance of rights and obligations.
4 E-Business (Integration): integration of purchasing, logistics and production; coordination with suppliers and customers.

Source: International Federation of Accountants, Financial Reporting on the Internet, August 2002, p. 5.

IT Risks and E-Commerce

Here we briefly review the major risks facing IT systems and the key concepts of e-business associated with these risks. In the following section we then take a closer look at audit issues associated with a key IT process application that affects even the smallest businesses, that of e-business credit card payment mechanisms.

Lack of confidentiality relates to the inability to keep information private, for example, credit card numbers or other critical information. This is a key risk for e-business because studies have shown that concern about the security of credit card information is the biggest single barrier to using credit cards to conduct business on the Internet. The most effective technology protecting privacy is encryption. Encryption is the conversion of data to make it unreadable except through the use of a key (“scrambled” data). “Two keys may be reversible in the sense that either can be used to encrypt a message and the other could be used to decrypt a message to make it readable again (“unscrambled” data). By allowing one key to be public and keeping the other private, a sender S could transmit a message to receiver R under S’s private key, and R could then decrypt the message under S’s public key. Security efforts therefore focus on the private key that does not have to be distributed.”7 Also under this increasingly popular encryption system, R can authenticate that S is the unique sender by determining that the message is encrypted using S’s private key. Note that a message transformed under S’s private key can be read by anyone holding S’s public key, so this use of the key pair provides authentication rather than confidentiality; to keep the contents private, S encrypts under R’s public key, so that only R’s private key can recover them. As we will see, effective authentication of transactions is very important.

A digital signature is a way to bind the message originator with the exact contents of a message. It requires a private key held only by the signer, because only a secret key can be uniquely tied to an individual. Digital signatures act like handwritten signatures on hard copy contracts. Traditional paper contracts bind a message and its contents to the writer of the contract.

Lack of message integrity means the message has been altered, intentionally or unintentionally, in some way. Message integrity provides assurance to the sender and receiver that the message received is exactly the same as what the originator sent. A primary way to achieve control of the integrity risk is through hashing, where a “hash” acts like a type of check digit. A “hash” of the message is an added code, computed by applying an algorithm to the original contents. The receiver, by applying the algorithm to the message and comparing the calculated “hash” with that in the message, gets additional assurance that the message has not been altered in transit. A plain hash on its own guards only against accidental alteration, since anyone who changes the message can recompute the hash; to detect deliberate tampering the hash must itself be protected, either by being signed with the sender’s private key or by being computed with a secret key shared by sender and receiver (a keyed hash, or message authentication code). Hashing is therefore normally used together with encryption or digital signatures rather than alone.

Authentication is a way of verifying that a sender is who he or she claims to be.
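The roles just described (the hash as a check digit, the signature produced under the sender’s private key and checked with the public key, and confidentiality obtained under the receiver’s public key) can be exercised end to end with the following added example. It is not part of the textbook or of any vendor’s product: the RSA key pair is deliberately tiny (two hypothetical six-digit primes, chosen for readability and completely insecure), the payment order and the shared key are constructed, and SHA-256 and HMAC from the Python standard library stand in for whatever algorithms a real payment system would negotiate. It goes slightly beyond the text by showing why an unkeyed hash alone does not stop a deliberate alteration while a keyed hash or a signature does.

```python
"""Hash, keyed hash (HMAC) and toy RSA signature/encryption roles.

Added illustration, not code from the textbook. Keys are tiny and insecure.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Hypothetical small primes for a readable (and useless) RSA modulus.
P, Q, E = 1000003, 1000033, 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int


@dataclass(frozen=True)
class PrivateKey:
    n: int
    d: int


def make_keypair(p=P, q=Q, e=E):
    """Textbook RSA: n = pq, d = e^-1 mod (p-1)(q-1)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))   # modular inverse, Python 3.8+
    return PublicKey(n, e), PrivateKey(n, d)


def digest(message: bytes) -> int:
    """SHA-256 of the message as an integer: the 'check digit' of the text."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def sign(priv: PrivateKey, message: bytes) -> int:
    """Hash, then transform the hash under the sender's PRIVATE key."""
    return pow(digest(message) % priv.n, priv.d, priv.n)


def verify(pub: PublicKey, message: bytes, signature: int) -> bool:
    """Anyone holding the PUBLIC key can check origin and integrity at once."""
    return pow(signature, pub.e, pub.n) == digest(message) % pub.n


def encrypt_for(pub: PublicKey, secret: bytes) -> int:
    """Confidentiality runs the other way: encrypt under the RECEIVER's
    public key so that only the receiver's private key can recover the data."""
    m = int.from_bytes(secret, "big")
    if m >= pub.n:
        raise ValueError("payload too large for this toy modulus")
    return pow(m, pub.e, pub.n)


def decrypt(priv: PrivateKey, ciphertext: int) -> bytes:
    m = pow(ciphertext, priv.d, priv.n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def mac(key: bytes, message: bytes) -> bytes:
    """Keyed hash: a forger who lacks the key cannot recompute it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def mac_ok(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(key, message), tag)


def demo() -> dict:
    """Constructed scenario: an intermediary alters a payment order in transit."""
    sender_pub, sender_priv = make_keypair()
    receiver_pub, receiver_priv = make_keypair(1000037, 1000039)  # hypothetical primes
    shared = b"constructed-shared-key"
    order = b"PAY supplier-42 amount=100.00 ref=PO-7"
    altered = b"PAY supplier-42 amount=900.00 ref=PO-7"

    # Unkeyed hash sent alongside the message: the forger recomputes it over
    # the altered text, so the receiver's comparison still passes.
    forged_hash = digest(altered)
    hash_fooled = digest(altered) == forged_hash
    # Keyed hash: the tag computed over the original no longer matches.
    tag = mac(shared, order)
    mac_caught = not mac_ok(shared, altered, tag)
    # Signature: also fails on the altered text, and names the sender.
    sig = sign(sender_priv, order)
    sig_valid = verify(sender_pub, order, sig)
    sig_caught = not verify(sender_pub, altered, sig)
    sig_wrong_key = not verify(receiver_pub, order, sig)   # someone else's key
    # Confidentiality: a card-number fragment readable only by the receiver.
    card = b"4111"   # constructed fragment, kept short for the toy modulus
    roundtrip = decrypt(receiver_priv, encrypt_for(receiver_pub, card)) == card
    return {"hash_fooled": hash_fooled, "mac_caught": mac_caught,
            "sig_valid": sig_valid, "sig_caught": sig_caught,
            "sig_wrong_key": sig_wrong_key, "roundtrip": roundtrip}


if __name__ == "__main__":
    print(demo())
```

The point for an auditor is the first two results: a hash alone proves nothing about who sent a message or whether it was deliberately changed; only the keyed hash or the signature gives the origin and integrity evidence that nonrepudiation relies on.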
Authentication can be achieved through password controls, personal identification numbers (PINs), badges, digital signatures as discussed above, or other identification such as those based on physical features like photos, fingerprints, and voice recognition (biometrics).

Risk of repudiation occurs when a party to a transaction claims that the transaction was never authorized and therefore fails to honour the contract. This risk is reduced in a well-designed e-business system through nonrepudiation evidence. Such evidence takes the form of establishing a system of controls documenting proof of origin, proof of receipt, and proof of content. These objectives are achieved through digital signatures, the use of certification authorities that issue certificates linking an individual to a key used in digital signatures, and confirmation services that attest to message contents and the exact time a message is sent and received. All these controls can provide convincing evidence to support nonrepudiation and thus the validity of transactions in an e-business environment. Thus, for example, the existence objective in the recognition of sales and receivables is supported by nonrepudiation evidence in the form of reconciliations of confirmations sent to confirmation services and certification authorities (substantive tests), and testing of the existence of digital signatures in recorded transactions (compliance test). The concepts of compliance and substantive tests and their basic objectives remain the same; only the form of the evidence has changed.

Access controls limit access to data and systems to authorized users only. Some form of authentication procedure is typically used to restrict access to specific parts of the system. An important type of access control is the firewall. Firewalls are techniques used to limit and control access to hardware, software and data from users outside the firm’s network. The problem is to develop selective access so that data can be shared with appropriate partners outside the organization in accordance with the objectives of the e-business. The basic objective of firewall controls is to allow employees in a corporate network to access resources on other networks (such as the Internet) while preventing unauthorized users on those other networks from accessing systems in the firm’s network. Firewalls are normally layered to provide the most security for the most sensitive data. There might be a level that allows a certain amount of Internet access, another level that allows the data access necessary to engage in e-business with outsiders, and a third level to protect the most sensitive and confidential data, restricted only to key personnel, for example, medical information on employees or grade information on students at a university. Each firewall or level represents another barrier to a hacker or other intruder trying to access sensitive data or programs. The amount of resources devoted to firewalls should be commensurate with the risks associated with the various threats. Each firewall layer adds to the cost and the response time for those parties interacting with the firm’s site. So there are definite tradeoffs between the level of access security and the cost of obtaining it, just as there are tradeoffs in designing any internal control system.

A major threat to firewalls is remote login by telecommuting employees. Many home and laptop computers do not have personal firewall packages installed, creating a weak link that hackers can use to get past the corporate firewall. The use of laptops with wireless communication for access creates further security risks. Features of good firewalls include, but should not be limited to: audit logs for monitoring traffic and highlighting suspicious activity; a deny capability that refuses all services except those explicitly permitted by policy (default deny); authentication controls that allow reliable verification of a message source; and filtering that examines each incoming message and either forwards it to the intended recipient or denies it based on the firm’s policy. Firewalls can be complex and therefore need to be well documented in case the original designer or subsequent modifiers of the system are no longer available. Maintenance of the firewall system can thus represent a major security problem. It should also be noted that firewalls do not protect the firm from abuses by employees within the organization. People are usually the weakest link in security controls. These risks need to be addressed by additional security measures such as further, up-to-date authentication controls and separation of duties enforced through password and physical controls.

It should be noted that these controls are largely general controls that can affect many specific applications. General controls are necessary to support the reliable functioning of the applications. As a consequence, the audit strategy in e-business systems is to first evaluate the general controls and then consider the appropriate application controls and their effect on the transaction cycles. In the next section we review the application controls of specific types of e-business payment mechanisms involving credit cards. These will have a primary impact on the sales and collection and purchases and acquisition cycles of e-business firms.

7 Weber, R., Computer Auditing. Prentice-Hall, 1999, p. 375.
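The layered, default-deny filtering with an audit log described above can be made concrete with the following added example, which is not from the textbook or from any firewall product. It models three zones (the Internet, a partner zone for e-business counterparties, and the internal network) plus a restricted enclave for the most sensitive records, a first-match rule table, a default-deny fallback for anything the policy does not explicitly permit, and a log of every decision from which the denied entries can be pulled for review. All zone names, addresses, ports and traffic are constructed for illustration; a real firewall would derive zones from its interfaces.

```python
"""Layered, default-deny packet filter with an audit log (added example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zones. The most specific network that contains an address wins.
ZONES = {
    "internet": ip_network("0.0.0.0/0"),
    "partner": ip_network("203.0.113.0/24"),   # e-business counterparties
    "internal": ip_network("10.0.0.0/8"),
    "restricted": ip_network("10.9.0.0/16"),     # HR / medical records enclave
}


def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    best = "internet"
    for name, net in ZONES.items():
        if ip in net and net.prefixlen >= ZONES[best].prefixlen:
            best = name
    return best


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or "*" for any
    dst: str
    port: Optional[int]  # None = any port
    action: str          # "allow" or "deny"
    note: str = ""


@dataclass
class Firewall:
    rules: List[Rule]
    log: List[str] = field(default_factory=list)

    def decide(self, src_ip: str, dst_ip: str, port: int) -> str:
        """First matching rule decides; anything unmatched is denied."""
        src, dst = zone_of(src_ip), zone_of(dst_ip)
        for rule in self.rules:
            if (rule.src in ("*", src) and rule.dst in ("*", dst)
                    and (rule.port is None or rule.port == port)):
                action, why = rule.action, rule.note
                break
        else:
            action, why = "deny", "default deny"
        self.log.append(f"{action.upper()} {src_ip}->{dst_ip}:{port} "
                        f"({src}->{dst}) {why}")
        return action

    def suspicious(self) -> List[str]:
        """The denied entries are what a reviewer reads first."""
        return [line for line in self.log if line.startswith("DENY")]


# Layered policy: each deeper layer permits less.
POLICY = [
    # Layer 1: staff may browse; the Internet may reach only the web shop.
    Rule("internal", "internet", None, "allow", "staff browsing"),
    Rule("internet", "internal", 443, "allow", "public web shop"),
    # Layer 2: partners may reach the order-entry service, on 443 only.
    Rule("partner", "internal", 443, "allow", "partner order entry"),
    # Layer 3: the restricted enclave talks only to itself.
    Rule("restricted", "restricted", None, "allow", "enclave internal"),
    Rule("*", "restricted", None, "deny", "restricted enclave"),
]


def demo() -> dict:
    """Constructed traffic: two legitimate flows and two intrusion attempts."""
    fw = Firewall(POLICY)
    return {
        "staff_web": fw.decide("10.1.2.3", "198.51.100.4", 80),
        "shopper": fw.decide("198.51.100.4", "10.2.0.10", 443),
        "partner_ssh": fw.decide("203.0.113.7", "10.2.0.10", 22),
        "probe_hr": fw.decide("198.51.100.4", "10.9.1.5", 445),
        "denied": fw.suspicious(),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two design points match the text: the partner's SSH attempt is refused not by a rule written against it but by the default-deny fallback, and the probe at the HR enclave is stopped by the innermost layer even though the address lies inside the internal network.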

CREDIT CARD PAYMENTS IN B2C USING SSL AND SET

E-business, even for the smallest companies, has been greatly facilitated through transmission of credit card information over the Internet. This is an especially important topic for B2C transactions. The primary concern is the security of transmission of individual messages containing the credit card information. While the Internet has greatly facilitated communications through its smooth, easy-to-use operations, it was designed for flexibility and openness to everyone. Security, in particular, was not a top priority in the design of the Internet. In order to get the needed security for commercial applications, special communication protocols and additional infrastructure have evolved, and are still evolving. We describe two such protocols that are being used to process credit card information: Secure Sockets Layer (SSL) and Secure Electronic Transaction (SET). (SSL has since been superseded by Transport Layer Security, TLS, which serves the same role.) Both SSL and SET are transmission protocols with strong confidentiality features via encryption. However, SSL does not have as strong an authentication feature: in a typical B2C session SSL authenticates only the merchant’s server, through its certificate, while the cardholder is identified only by the card details typed into the order form, not by the protocol itself. Both protocols were developed by private organizations, but SET is much broader based, including the major credit card companies. SET is designed to support secure e-business with the following objectives:

• provide confidentiality of information

• ensure payment integrity

LEARNING OBJECTIVE

2 Explain how the security of credit card payments is ensured by an organization involved in e-commerce.


• authenticate both merchants and cardholders

• interoperate with other protocols (SET specifications 1997).

The last objective, interoperability, is a necessary condition of data sharing on the Internet. It is defined as the “capability for applications running at different computers to exchange information and cooperatively use this information.” Interoperability requires a certain degree of compatibility for physical data transfer and controls for representing the message content. Protocols are standardized methods of communicating and transmitting data between telecommunication devices. The most widely used protocol on the Internet is Transmission Control Protocol/Internet Protocol (TCP/IP). These protocols allow the creation of sites and links in the network that can be interpreted and read by users using different types of hardware and software. The nodes of the Internet use packet switching standards, which are the basis of today’s data transfer methods. Packets are groups of data that include parts of the message text, destination address, source address, and protocol used.

SET provides more security features for authentication because it allows cardholder as well as merchant authentication through the use of digital signatures and certificates. Also included in the SET protocol are methods to track individual merchandise and transaction totals, as well as merchant credit policies. Essentially, SET is helping extend many of the features of EDI/EFT to the Internet, thus allowing even the smallest companies to obtain many of these security features. But these additional features require additional infrastructure and processing capabilities, especially in getting agreements between credit card companies, financial institutions, merchants, and the general public. These additional complexities and costs have slowed the adoption of SET. SSL, which provides less security, is lower in cost and, so far, this tradeoff has resulted in more widespread acceptance of SSL.
Because of the weaker security features of SSL, auditors will tend to do more substantive work in SSL systems, especially as it relates to the validity of transactions. This is especially important in light of the new fraud standards that explicitly require auditors to treat improper revenue recognition as a fraud risk on every engagement. This will likely mean higher assessed fraud risks for merchants using SSL systems.

All Internet vendors that want to advertise their conformity with SET control requirements and objectives are allowed to use a SET logo on their site if they meet certain criteria. The main requirement is to pass compliance testing performed on the site security controls. The tests are performed by a SET compliance administrator using test data. Less extensive reviews are performed every year to renew the site logo. Internet merchants using the logo must be able to demonstrate that all software used by the site is SET compliance approved. This illustrates the increased importance of third-party assurance in the evolving world of e-business, and the increasing importance of compliance testing in providing assurance in the e-business environment.

It should be clear by now that audits of SSL and SET systems, like e-business in general, will require increased reliance on internal controls, especially the general controls of IT. Because of this increased importance of internal controls, and the fact that electronic records may exist for only a short period of time depending on the client’s backup and retention policies, auditors are less likely to rely on substantive tests for all their assurance in e-business environments. In addition, increased auditor responsibility for detecting fraudulent reporting places greater weight on reliance on internal controls and less on substantive tests.
Thus, for SSL and SET systems, auditors will need to compliance test the authentication, access, and confidentiality controls. This may need to be done on a continuous basis. Substantive procedures would include reconciling records of electronic funds transfers with bank statements, as well as other substantive procedures, such as confirming receivables and testing the validity of sales and purchases, receivables, and payables as discussed in Chapters 9 and 10. The main difference in e-business systems is that both substantive and compliance testing may need to be done on a continuous and ongoing basis. Also, since auditing standards in Canada and internationally now put increased stress on the existence of revenues and related receivables due to concerns about improper revenue recognition fraud risk, authentication controls will become more important and increase the need for testing these controls.

LEARNING OBJECTIVE 3 Outline how e-commerce affects the conduct of the audit and the use of IT experts on the audit team.


EXHIBIT 7E.3 CREDIT CARD PAYMENTS IN B2C USING SSL AND SET

(Flowchart; the steps shown in the exhibit are listed here in order.)

1. Cardholder browses through merchandise via some form of catalogue.
2. Cardholder selects items to be purchased.
3. Cardholder completes order form after possible price negotiation.
4. Cardholder selects payment mechanism.
5. Cardholder gives payment instruction.
6. Both order and payment instructions have digital signatures.
7. Merchant requests payment authorization from cardholder’s financial institution.
8. Confirmation sent by merchant to cardholder.
9. Merchant ships goods to cardholder.
10. Merchant requests payment from cardholder’s financial institution.

THE EFFECTS OF E-COMMERCE ON THE AUDIT PROCESS

Web-based infrastructures for doing business are readily available on the Internet for even the smallest clients. This means that information technology sophistication is independent of the size of business. For example, many e-business consultants offer a start-to-finish process for launching a business online, including registering a domain for the organization, creating email addresses, building or editing a website, selling products or services online, and managing or monitoring site activity. Typically, the sites rely on links to accounting software for financial recordkeeping, and database software for collecting data such as orders on electronic forms from site visitors. Protection can be provided by using major commercial encryption standards such as PGP (Pretty Good Privacy) and S/MIME (Secure Multipurpose Internet Mail Extensions).

Although the specific details will change with the rapidly changing technology, e-business IT has several broad effects on auditors. First, auditors should expect to encounter IT systems and electronic records rather than paper-based documents on all audits. Second, audit strategy will increasingly be affected by the need to put more reliance on internal controls. This increased reliance arises because the quality of audit evidence will be very dependent on the controls the business maintains over the accuracy and completeness of its records, and because electronic records are frequently transitory in many systems.

“For traditional businesses, the auditor’s consideration of internal control typically involves updating prior year checklists, questionnaires, and procedural narratives. Using a traditional approach for e-business clients would be insufficient because, in the e-business environment, almost all of the evidence of transactions is electronic. Critical records may consist of email, database records, electronic documents, spreadsheets, and server logs. In addition, e-business transactions are subject to the intentional and unintentional alteration and manipulation at many points between transaction initiation and summarization in the financial statements. Because e-businesses generally lack much of the physical evidence found in audits of traditional businesses, your approach to understanding internal controls when planning the e-business audit and determining the nature and extent of the substantive tests must take this into account.

“A major consideration for auditors is the credibility of the evidence obtained. For e-business audits, there may be few or no physical documents to examine. Without testing the internal controls surrounding the electronic evidence (for example, controls over generation, storage, manipulation, and transmission), the auditor may not recognize a lack of credibility.” (AICPA, Audit Risk Alerts: E-Business Industry Developments—2001/02, AICPA, 2001, 34 and 39)

In particular, in e-business, IT auditors will need to put more emphasis on understanding software controls. Important software controls include digital signatures, server certificates to authenticate the parties to a transaction, and monitoring via firewalls, Web servers, databases, and operating systems. A log of transactions and security events helps establish the validity of transactions, especially if someone independent of IT reviews the log for unusual or suspicious events. This shows that the traditional segregation of duties is an important feature of even the most modern IT systems. Auditors should look for the separation of the security administration, systems administration, and software modification functions.
Authorization for access to selected software, data, and hardware should be given only to authenticated users in conformity with their job responsibilities. All electronic records should be sequentially numbered to control for completeness, just as in a manual system. Thus, internal control for e-business IT has important manual as well as software components. The overall objective of the transaction controls remains the same: assurance that the occurrence and measurement assertions are not materially misstated.

Another key issue with respect to e-commerce audits is identifying the boundaries of the control system under audit. B2B transactions are frequently highly integrated with other organizations such as suppliers or customers. This is what helps create the efficiencies that make B2B so attractive economically. However, if transactions can be automatically initiated between customer and supplier computers, the auditor needs assurance that the initiator of the transaction is dealing with the intended party’s computer (for example, that the website you visit is a legitimate business and not just a scam to get your credit card information). Digital signatures deal with repudiation or alteration of records that initiate a transaction. But a different control assurance is needed for the initiator of a transaction. The initiator’s problem is identifying trustworthy partners to a transaction. This assurance is addressed by an independent auditor’s report or seal of approval on controls at the other party. This is a special type of assurance engagement associated with e-business and is covered in Chapter 16.

While some control elements of e-business, like segregation of duties and sequentially numbered transactions, are similar to those in a manual system, the monitoring, authentication, and authorization controls can take on new forms such as through the use of firewalls, digital signatures, and certification authorities.
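The two procedures discussed above, the completeness check over sequentially numbered electronic records and the reconciliation of electronic fund transfer records to the bank statement, can be scripted; the following is an added example written for this appendix, not code from the textbook, and its record layout, field names and sample data are constructed.

```python
# Added example (not from the textbook): two checks an auditor could script
# over an e-business client's electronic records, run on constructed sample data.
from dataclasses import dataclass
@dataclass(frozen=True)
class EftRecord:
    seq: int    # system-assigned sequential record number
    ref: str    # electronic funds transfer reference
    cents: int  # amount in cents, avoiding floating-point rounding

def completeness_gaps(records):
    """Completeness control: return (missing, duplicated) sequence numbers."""
    seqs = sorted(r.seq for r in records)
    if not seqs:
        return [], []
    seen, dups = set(), set()
    for s in seqs:
        if s in seen:
            dups.add(s)
        seen.add(s)
    return sorted(set(range(seqs[0], seqs[-1] + 1)) - seen), sorted(dups)

def reconcile_eft(ledger, bank_lines):
    """Substantive procedure: match ledger EFT records to bank statement lines.
    Returns (ledger refs missing from bank, bank refs missing from ledger,
    (ref, ledger_cents, bank_cents) triples where the amounts disagree)."""
    bank = {b["ref"]: b["cents"] for b in bank_lines}
    ledger_refs = {r.ref for r in ledger}
    not_in_bank = [r.ref for r in ledger if r.ref not in bank]
    not_in_ledger = sorted(ref for ref in bank if ref not in ledger_refs)
    diffs = [(r.ref, r.cents, bank[r.ref])
             for r in ledger if r.ref in bank and bank[r.ref] != r.cents]
    return not_in_bank, not_in_ledger, diffs

# Constructed sample data: seq 1003 is missing and 1004 appears twice; EFT-B
# differs in amount, EFT-D has no bank line, EFT-Z has no ledger record.
LEDGER = [EftRecord(1001, "EFT-A", 25000), EftRecord(1002, "EFT-B", 9950),
          EftRecord(1004, "EFT-C", 41000), EftRecord(1004, "EFT-D", 1500)]
BANK = [{"ref": "EFT-A", "cents": 25000}, {"ref": "EFT-B", "cents": 9590},
        {"ref": "EFT-C", "cents": 41000}, {"ref": "EFT-Z", "cents": 3000}]

def run_checks(ledger=LEDGER, bank=BANK):
    """Run both checks; every non-empty list is an exception for follow-up."""
    missing, dups = completeness_gaps(ledger)
    not_in_bank, not_in_ledger, diffs = reconcile_eft(ledger, bank)
    return {"missing_seq": missing, "duplicate_seq": dups, "not_in_bank": not_in_bank,
            "not_in_ledger": not_in_ledger, "amount_diffs": diffs}
if __name__ == "__main__":
    for name, exceptions in run_checks().items():
        print(f"{name}: {exceptions}")
```

Each exception list is a lead for follow-up with the client, not a conclusion; a gap in the sequence may be a voided record, and an unmatched bank line may be a timing difference.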
IT specialists may be required to perform appropriate IT control and substantive testing. Because the entire financial reporting process exists only in electronic form, it is not sufficient for e-commerce auditors to look at copies of the output. Journal entries may be made directly online or in batch mode from physical documents. Auditors will need to become familiar with the design of any controls over journal entries and other adjustments, and learn whether these controls have been placed in continuous operation. Auditors will need to have more extensive access to the e-business system. This leads to the concept of continuous auditing, which is covered in more advanced IT auditing courses.
