E-commence audit can be defined as the application of auditing skills to the technological aspects of an organization's business processes. It embraces the independent reviewing and testing of the organization's practices and procedure relating to the secure provision of business processing; the processes for developing and acquiring new systems and facilities; the economy, efficiency and effectiveness of the use and exploitation of IT facilities. All auditors should be familiar with the board concepts of the application of technology to the organization's primary business activities.
This includes an understanding of and an ability to use technology to assist in the audit processes. The increasing complexity and diversity in the application of technology means that management in most organizations will need to call upon more specialized skills for at least a part of their activities if they are to demonstrate their ability to support their objectives of maximizing their investment in IT and empower the audit function to work professionally and competently in a computerized environment.
The following extract from the UK Auditing Practices Board's Guideline reflects the general responsibilities of audit which can be applied to all IT audit activities: "It is a management responsibility to maintain the internal control system and to ensure that the organization's resources are properly applied on the manner and on the activities intended. This includes responsibility for the prevention and detection of fraud and other illegal acts. " Where an organization use e-commerce as a medium of running its business, the auditor has three board areas to consider.
They are aspects relating to management of e-commerce, those concerning the security of the e-commerce facilities and those controls relating to each application which makes use of those facilities. As more concern is expressed about the value for money from e-commerce investment, so audit needs to devote resources to exploring how the benefits from e-commerce have been realized. This will involve attention being given to the strategic direction of e-commerce throughout the organization and to such issues as the acquisition procedures and methods of costing and charging for the IT service.
In reviewing the overall controls over e-commerce throughout the organization, generally, the auditor will need to fix the standards, control and procedures which ensure the safe and efficient day-to-day operation of the facilities. Also the procedures which the organization adopts when determining the need for and acquisition of computing facilities and the arrangements made by management to ensure that the facilities are used effectively and efficiently.
However, those primary issues of e-commerce presents to auditors are audit trail, interrogation, repudiation, security, reliability and privacy in respect of control, policies, procedures and standards. Audit trail: Audit trail associated with paperless transactions. Part of the problem is that auditors need to see the opposite of what their clients want to provide. They want to reduce their paper flow and human error. The problem is that auditors need to verify transactions. So they have to develop ways to meet this challenge.
Nevertheless, audit trail is capable of leading a firm to follow each customer transaction from its initiation through collection of the receipt and delivery of the product. If a firm wants to stay in business, you must be able to deal effectively with customer complaints and provide timely resolution. Records supporting individual transactions must support the regular reconciliation of sales to product delivery. Moreover, it maintains detail transaction data for a sufficient period of time to resolve any receipt reconciliation problems related to sales, or inventory issues.
Of equal importance is the need to maintain this data to resolve any customer service problem. Without a good audit trail you may have difficulty dealing with customer inquiries, particularly for older transactions. If organizations don't reconcile all receipts to ledger control, they are vulnerable to errors and omissions that can affect the fiscal viability of operation. Interrogation: Another audit-related issue to consider is whether all transactions can interrogate. Auditors need to ensure that records are complete - they need to understand and be able to verify that all transactions have been captured.
Repudiation There is issue of repudiation, the so-called sender may refuse to accept that he or she typed the instruction that she gave the order. Security: Security, which is a balance between degrees of protection, convenience levels and intended investment, is the most controversial issue. When people entering personal data or bank account information into an on-line system, they may worry about someone tapping into the data from the network, or stealing the information from the recipient.
Despite the development of security systems, such as triple-DES and public key cryptography, the number of security break-ins is still growing rapidly. Although many security breaches are prank rather than crimes leading to actual financial loss, they understandably increase public security fears-particularly in the wake of dramatic computer crimes such as those perpetrated by hackers. It is no doubt that no system is 100 percentages secure. Reliability: The reliability question is also an issue.
Companies trading heavily on the Internet need to have reliable computer and back-up systems. If their systems are down and they cannot trade, even for a short time, they may lose valuable customers. Furthermore, 'does the digital contract be truly verified as the original that the two parties agreed to? ' In other words can there be assurance that its content is complete and unaltered? Is there proof that the electronic communications involved in the business transactions actually came from the parties that they purport to come from?
Those issues are necessary to be considered by auditors. Privacy: Privacy has now emerged as one of the hottest public policy issues and challenges facing auditors in any multinational company active in the on-line environment. E-privacy is an area on which every company must develop a coherent position and policy. Techniques created to collect data in the on-line environment have given rise widespread concern over the potential for inappropriate collection and use of data.
This includes an understanding of and an ability to use technology to assist in the audit processes. The increasing complexity and diversity in the application of technology means that management in most organizations will need to call upon more specialized skills for at least a part of their activities if they are to demonstrate their ability to support their objectives of maximizing their investment in IT and empower the audit function to work professionally and competently in a computerized environment.
The following extract from the UK Auditing Practices Board's Guideline reflects the general responsibilities of audit which can be applied to all IT audit activities: "It is a management responsibility to maintain the internal control system and to ensure that the organization's resources are properly applied on the manner and on the activities intended. This includes responsibility for the prevention and detection of fraud and other illegal acts. " Where an organization use e-commerce as a medium of running its business, the auditor has three board areas to consider.
They are aspects relating to management of e-commerce, those concerning the security of the e-commerce facilities and those controls relating to each application which makes use of those facilities. As more concern is expressed about the value for money from e-commerce investment, so audit needs to devote resources to exploring how the benefits from e-commerce have been realized. This will involve attention being given to the strategic direction of e-commerce throughout the organization and to such issues as the acquisition procedures and methods of costing and charging for the IT service.
In reviewing the overall controls over e-commerce throughout the organization, generally, the auditor will need to fix the standards, control and procedures which ensure the safe and efficient day-to-day operation of the facilities. Also the procedures which the organization adopts when determining the need for and acquisition of computing facilities and the arrangements made by management to ensure that the facilities are used effectively and efficiently.
However, those primary issues of e-commerce presents to auditors are audit trail, interrogation, repudiation, security, reliability and privacy in respect of control, policies, procedures and standards. Audit trail: Audit trail associated with paperless transactions. Part of the problem is that auditors need to see the opposite of what their clients want to provide. They want to reduce their paper flow and human error. The problem is that auditors need to verify transactions. So they have to develop ways to meet this challenge.
Nevertheless, audit trail is capable of leading a firm to follow each customer transaction from its initiation through collection of the receipt and delivery of the product. If a firm wants to stay in business, you must be able to deal effectively with customer complaints and provide timely resolution. Records supporting individual transactions must support the regular reconciliation of sales to product delivery. Moreover, it maintains detail transaction data for a sufficient period of time to resolve any receipt reconciliation problems related to sales, or inventory issues.
Of equal importance is the need to maintain this data to resolve any customer service problem. Without a good audit trail you may have difficulty dealing with customer inquiries, particularly for older transactions. If organizations don't reconcile all receipts to ledger control, they are vulnerable to errors and omissions that can affect the fiscal viability of operation. Interrogation: Another audit-related issue to consider is whether all transactions can interrogate. Auditors need to ensure that records are complete - they need to understand and be able to verify that all transactions have been captured.
Repudiation There is issue of repudiation, the so-called sender may refuse to accept that he or she typed the instruction that she gave the order. Security: Security, which is a balance between degrees of protection, convenience levels and intended investment, is the most controversial issue. When people entering personal data or bank account information into an on-line system, they may worry about someone tapping into the data from the network, or stealing the information from the recipient.
Despite the development of security systems, such as triple-DES and public key cryptography, the number of security break-ins is still growing rapidly. Although many security breaches are prank rather than crimes leading to actual financial loss, they understandably increase public security fears-particularly in the wake of dramatic computer crimes such as those perpetrated by hackers. It is no doubt that no system is 100 percentages secure. Reliability: The reliability question is also an issue.
Companies trading heavily on the Internet need to have reliable computer and back-up systems. If their systems are down and they cannot trade, even for a short time, they may lose valuable customers. Furthermore, 'does the digital contract be truly verified as the original that the two parties agreed to? ' In other words can there be assurance that its content is complete and unaltered? Is there proof that the electronic communications involved in the business transactions actually came from the parties that they purport to come from?
Those issues are necessary to be considered by auditors. Privacy: Privacy has now emerged as one of the hottest public policy issues and challenges facing auditors in any multinational company active in the on-line environment. E-privacy is an area on which every company must develop a coherent position and policy. Techniques created to collect data in the on-line environment have given rise widespread concern over the potential for inappropriate collection and use of data.
Comments
Post a Comment