In reviewing the overall controls over e-commerce throughout the organization, the auditor will generally need to establish the standards, controls and procedures that ensure the safe and efficient day-to-day operation of the facilities, together with the procedures the organization follows when determining the need for, and acquiring, computing facilities, and the arrangements management has made to ensure that those facilities are used effectively and efficiently. The primary issues that e-commerce presents to auditors, however, are audit trail, interrogation, repudiation, security, reliability and privacy, in respect of controls, policies, procedures and standards.
Audit trail:
The audit trail problem is associated with paperless transactions. Part of the problem is that auditors need to see the opposite of what their clients want to provide: clients want to reduce their paper flow and human error, while auditors need to verify transactions, so auditors have to develop ways to meet this challenge. Nevertheless, a good audit trail allows a firm to follow each customer transaction from its initiation through collection of the receipt and delivery of the product. A firm that wants to stay in business must be able to deal effectively with customer complaints and provide timely resolution. Records supporting individual transactions must support the regular reconciliation of sales to product delivery. The firm must also retain detailed transaction data for long enough to resolve any receipt reconciliation problems related to sales or inventory and, of equal importance, to resolve any customer service problem. Without a good audit trail a firm may have difficulty dealing with customer inquiries, particularly for older transactions. If an organization does not reconcile all receipts to ledger control, it is vulnerable to errors and omissions that can affect the fiscal viability of the operation.
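The reconciliation described above (sales to receipts, sales to deliveries, and receipts to ledger control) as an added example, not code from the original text; the records and the order-id-to-amount layout are constructed assumptions, not a real system's schema:

```python
"""Reconciling sales to receipts, deliveries and ledger control.

Added example, not from the original text: all records below are constructed,
and the field layout (order id -> amount) is an assumption, not a real
e-commerce system's schema.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed sample data for one reconciliation period.
SALES = {"A100": Decimal("49.99"), "A101": Decimal("120.00"),
         "A102": Decimal("15.50"), "A103": Decimal("75.00")}
RECEIPTS = {"A100": Decimal("49.99"), "A101": Decimal("102.00"),
            "A102": Decimal("15.50"), "A999": Decimal("20.00")}
DELIVERIES = {"A100", "A101", "A103"}
LEDGER_CONTROL_TOTAL = Decimal("167.49")   # receipts total posted to the ledger


def reconcile(sales, receipts, deliveries, ledger_total):
    """Return the exceptions an auditor would want to follow up, by category."""
    issues = defaultdict(list)
    for order, amount in sales.items():
        if order not in receipts:
            issues["sale_without_receipt"].append(order)       # unpaid or lost
        elif receipts[order] != amount:
            issues["amount_mismatch"].append((order, amount, receipts[order]))
        if order not in deliveries:
            issues["sale_without_delivery"].append(order)      # complaint risk
    for order in receipts:
        if order not in sales:
            issues["receipt_without_sale"].append(order)       # money, no order
    for order in deliveries:
        if order not in sales:
            issues["delivery_without_sale"].append(order)      # stock unbilled
    # Ledger control: every receipt must be reflected in the control total.
    difference = sum(receipts.values(), Decimal("0")) - ledger_total
    if difference != 0:
        issues["ledger_control_difference"].append(difference)
    return dict(issues)


if __name__ == "__main__":
    for category, items in reconcile(SALES, RECEIPTS, DELIVERIES,
                                     LEDGER_CONTROL_TOTAL).items():
        print(f"{category}: {items}")
```

An empty result means the period reconciles; each non-empty category is an exception list to retain alongside the transaction data for as long as the text recommends.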
Interrogation:
Another audit-related issue to consider is whether all transactions can be interrogated. Auditors need to ensure that records are complete: they need to understand, and be able to verify, that all transactions have been captured.
Repudiation:
There is also the issue of repudiation: the purported sender may refuse to accept that he or she typed the instruction that gave the order.
Security:
Security, which is a balance between the degree of protection, the level of convenience and the intended investment, is the most controversial issue. When people enter personal data or bank account information into an on-line system, they may worry about someone tapping into the data on the network, or stealing the information from the recipient. Despite the development of security mechanisms such as triple-DES and public key cryptography, the number of security break-ins is still growing rapidly. Although many security breaches are pranks rather than crimes leading to actual financial loss, they understandably increase public security fears, particularly in the wake of dramatic computer crimes such as those perpetrated by hackers. There is no doubt that no system is 100 percent secure.
Reliability:
Reliability is also an issue. Companies trading heavily on the Internet need reliable computer and back-up systems. If their systems are down and they cannot trade, even for a short time, they may lose valuable customers. Furthermore, can the digital contract be verified as the original that the two parties agreed to? In other words, can there be assurance that its content is complete and unaltered? Is there proof that the electronic communications involved in the business transactions actually came from the parties they purport to come from? Auditors need to consider these issues.
Privacy:
Privacy has now emerged as one of the hottest public policy issues and challenges facing auditors in any multinational company active in the on-line environment. E-privacy is an area on which every company must develop a coherent position and policy. Techniques created to collect data in the on-line environment have given rise to widespread concern over the potential for inappropriate collection and use of data. Surveys show that over 85 percent of on-line consumers are concerned about threats to their personal privacy. E-privacy is no longer a concern for only a handful of companies at the leading edge of Internet development: large multinational corporations, active ‘clicks-and-mortar’ companies and ‘pure-play’ dotcoms are all grappling with the complexity of e-privacy issues.
The control issues that auditors should consider with particular care are EDI controls, file controls, PC controls, network controls, Internet controls and data protection.
EDI controls:
For EDI controls, auditors need to ask to see the evaluation report and assess whether its objectives reflect a wider consideration of the organization’s business and IT strategies in terms of the organization’s interests. They should also enquire whether a contractual agreement has been drawn up with the third party and whether the organization’s legal department was involved in its compilation and agreement. In addition, auditors should check that the overall IT environment in which EDI processing is performed is secure and that procedures ensure that: transactions are input and accepted for processing once only, with batching, sequence numbering and one-for-one checking against a control file; transactions received are input properly and passed to the appropriate system once only; EDI documents are transmitted completely between partners, with standard communications software techniques such as bit checking providing adequate control; and errors are prevented and detected. Auditors also need to check that procedures are sufficient to ensure that only valid and properly authorized transactions are processed, and that during processing by the EDI interface the identification code and type of each transaction received are checked against approved codes in some form of trading partner master file. Lastly, they ought to check that sign-on procedures, including identification and password verification, are sufficient.
File controls:
For file controls, auditors should check whether the security policy and procedures comply with the Data Protection Act and the Computer Misuse Act and whether they are up to date. They should also check whether physical access to files and custody of digital media are well controlled, including outside normal office hours. Auditors should then check that user IDs require the use of a password. They should review the procedures for recording and controlling small computer system programs, determine that master copies are stored in a secure location to discourage unauthorized copying of PC programs and data files, and assess the adequacy of those procedures. Next, they should obtain a list of users and their associated access rights and confirm with the appropriate management that these rights are still required. Finally, they should determine whether back-up files are periodically verified against the originals to confirm that the back-up has worked correctly and, where back-up files are stored off-site, when the security of that site was last reviewed and what action was taken to correct any deficiencies.
PC controls:
For PC controls, auditors need to assess both the existing strategies and the acquisition procedure. They should then ensure that standards for end-user and/or PC application development exist and are adequate in scope, and examine the guidance available to staff who manage and use PCs. Auditors should also identify management responsibilities for each PC system and determine the risk of unauthorized physical access to PCs. When reviewing physical access to PCs, they should test-check the log-on procedure and the software that controls it. Finally, they should review the purposes for which the PCs are used, the degree of vulnerability to interruptions of service, the appropriateness of the PCs’ locations, and the general levels of threat and protection.
Network controls:
For network controls, auditors should first obtain a copy of the organization’s IS/IT strategy and a network diagram, to check whether the strategy addresses network investment and whether the design provides an appropriate level of security and resilience for the organization. The next step is to identify the person responsible for the network and establish whether he or she has adequate and appropriate training, then to examine the documentation for the network management system and check whether it has been used, and by whom. Auditors should also check that the instructions on general usage of the network in the user guide are up to date. They should identify the controls in place to detect unauthorized network connections, and ensure that adequate controls exist to stop unauthorized examination and amendment of networking protocols and settings. Furthermore, auditors ought to ask what policy the organization has on the use of encryption for transmitting confidential data, and determine the location, date and identity of the latest full back-up copy of the network management software. Finally, auditors should look for evidence that management has considered the risks and that back-up procedures and up-to-date contingency plans exist.
Internet controls:
The Internet is perhaps best described as a loosely organized worldwide network of computers. Accordingly, auditors should examine the business plan for the use of e-commerce on the Internet to ensure that its use is based on sound business reasoning with clear objectives and benefits. Having done so, auditors should look for documented evidence that a risk assessment has been carried out. They should then check that a security policy governing usage of the Internet exists, and that appropriate contracts and service level agreements are in place to ensure that the organization’s interests are suitably protected as the customer of the service. Next, they should find out how the organization monitors its Internet connection and how it investigates incidents, and determine what security and control training is given to staff. They should also determine what controls the organization has implemented to minimize the risk of unauthorized access to its network from the Internet, for example by checking the record of authorized users. Finally, auditors ought to review the inherent security risks in the network design and keep up to date with the organization’s Internet security issues.
Data protection:
The Data Protection Act (DPA) 1984 was the UK’s response to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. The Act gives certain rights to individuals (data subjects) about whom information is held on computer, and places obligations on those organizations or individuals who record and use personal data (data users). The 1984 Act only covers personal information held on a computer, although EU Directive 95/46/EC, adopted in October 1995, will extend the scope of the Act to certain manual records and increase the individual’s right to privacy. Auditors need to review the arrangements in place for notifying the person or persons responsible for data protection of systems containing personal data which may need to be registered, and of changes to the content of those systems, or to the way in which they are used, which may require an amendment to the register entry. Audit should liaise with those individuals responsible for data protection issues and ensure that processes are in place to:
- review procedures for collecting personal information, to ensure that persons supplying information are clear as to who the information is for, why it is being held and to whom it will be disclosed;
- ensure that systems using personal data have registered all the intended purposes for that data;
- ensure that personal data is not used or disclosed in a way incompatible with the registered purpose;
- review the safeguards in place to ensure that only the minimum amount of personal data required to satisfy a specific purpose is collected;
- monitor the forms used for collecting personal information, to ensure that they collect only the right amount and type of information;
- ensure that all reasonable steps are taken so that personal data collected by the data user is accurate;
- ensure that system reviews include checks that procedures for data entry do not introduce inaccuracies into personal data and that the system itself does not introduce inaccuracies;
- ensure that procedures exist to keep personal data up to date where failing to do so might cause damage or distress to an individual;
- provide guidance on the accepted ‘life’ of personal data to all data users, and review and update it regularly;
- ensure that arrangements exist, for all systems registered under the DPA, to produce all the information held about an individual in a format which can be easily read and understood;
- assess the risk of damage or distress to individuals from a breach of security, in order to determine appropriate security measures;
- ensure that all staff are aware of their responsibilities with regard to the security of personal data;
- ensure that all security breaches are investigated and remedied;
- ensure that disciplinary procedures take account of the requirements of the DPA and are enforced;
- ensure that printed output containing personal data is stored and disposed of securely.
Finally, since both business-to-customer and business-to-business e-commerce exist around the world, each needs a different type of control.
Business to customer e-commerce controls
Organizations should:
- use a digital certificate on the web server, indicating to customers that they have reached the merchant’s legitimate machine;
- encrypt sensitive information, for example credit card numbers; Secure Sockets Layer (SSL) is used primarily now, but Secure Electronic Transaction (SET) is still coming, albeit slowly;
- encrypt credit card information, personal details and other sensitive information when stored on merchant systems;
- post a privacy and security policy on the web site;
- implement an order tracking system to ensure that all orders are processed completely, accurately, as the customer requested, and within acceptable time limits;
- incorporate fraud detection metrics on the merchant server (assuming credit card usage);
- use firewalls to isolate the commerce server from other merchant networks and systems;
- store sensitive information such as credit card numbers on back-end machines that are better protected than the commerce server;
- send e-mail confirmation of orders, indications of shipping status and so on, with all confidential information such as credit card numbers masked (to prevent unauthorized use);
- implement strict review, testing, change control and documentation processes around all changes (for example, home-grown CGI scripts may inadvertently open a door to an intruder).
Business to business e-commerce controls
If two businesses do business regularly, SSL should be replaced with VPNs and the privacy and security policy with a written agreement. If it is only a single transaction, the situation is much the same as business-to-consumer. For encryption, in many cases an organization can use link encryption or frame relay encryptors to protect inter-business transactions; in the worst case, it should use SSL to protect transactions. Moreover, many, if not most, organizations do not use firewalls between their internal networks and their business partners. Organizations should have the same systemic controls between themselves and any network not under their administrative control. On risk sharing, business partners frequently go to great lengths to assure that their networks are secure and their employees trustworthy, but then blanch when asked to contractually agree to share any economic loss from a security breach. These are usually the same ones that do not want a third-party assessment of their system and network security. Organizations should ensure that information security risk sharing is part of contractual negotiations. Digital certificates, as already noted, can mitigate many of the process risks in e-commerce; in the business-to-business case there are additional benefits from defining a specific relationship for a business partner. The bottom line is that organizations ought not to cut corners just because there are contractual constraints on the business partner’s activities.
Nevertheless, for running the business efficiently and effectively, which is the responsibility of auditors, the following e-commerce controls should be given careful consideration.
Firewalls
A firewall is the basic and traditional means of Internet security between the local network and the Internet. It ensures that all communications between an enterprise’s network and the Internet conform to the enterprise’s security policy. A firewall must obtain, store, retrieve and manipulate information derived from all communication layers and from other applications. The correct firewall infrastructure is crucial to a secure perimeter architecture.
Systems integrity
Internal attackers can often install anything they please on Internet web servers, sometimes with the help of the system administrator. The organization’s information security group or internal audit team needs a way to independently verify the integrity of every file on production systems.
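One way the internal audit team can verify file integrity independently of the administrator, as an added example that is not part of the original text: a baseline manifest of SHA-256 hashes is taken when the system is signed off, kept off the server, and later compared against the live tree. The web-root file names and contents are constructed for the demonstration.

```python
"""Independent file-integrity verification for a production web server.

Added example, not from the original text: a baseline manifest of SHA-256
hashes is built when the system is signed off, kept off the box (read-only),
and later compared with the live tree. File names below are constructed.
"""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every regular file under root (path relative to root) to its hash."""
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify(root: Path, baseline: dict) -> dict:
    """Compare the live tree with the baseline and report each kind of drift."""
    current = build_manifest(root)
    return {
        "modified": sorted(f for f in baseline
                           if f in current and current[f] != baseline[f]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small web root, then change it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "cgi-bin").mkdir()
        (root / "index.html").write_text("<h1>shop</h1>\n")
        (root / "cgi-bin" / "order.cgi").write_text("#!/bin/sh\necho ok\n")
        (root / "robots.txt").write_text("User-agent: *\n")
        baseline = build_manifest(root)   # in practice: store it off the server
        # Later: a script is edited, a new file appears, a file disappears.
        (root / "cgi-bin" / "order.cgi").write_text("#!/bin/sh\necho changed\n")
        (root / "cgi-bin" / "extra.cgi").write_text("#!/bin/sh\n")
        (root / "robots.txt").unlink()
        return verify(root, baseline)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

Every entry in the three lists should be traceable to an approved change record; anything that is not is exactly the unauthorized change the text says audit needs to be able to find.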
Logging and monitoring
Many organizations turn off system logging. Those that do collect system logs frequently roll them over without reading or archiving them. There are many cases in which a system log can alert the administrator that something is amiss. Fewer attackers can quickly and completely cover their tracks than can break into a web server.
Intrusion detection
Intrusion detection systems collect information from a variety of vantage points within computer systems and networks, and analyze this information for symptoms of security breaches. Intrusion detection is the logical complement to network firewalls, extending the security management capabilities of system administrators to include security audit, monitoring, attack recognition and response. An intrusion detection system can help find those attackers who are able to subvert the web server but not any of the other inbound processes. There are a number of good commercial intrusion detection systems, such as the ISS RealSecure system. If the organization is not comfortable monitoring its own intrusion detection systems, it can hire an outside team to build and monitor them.
Compartmentalization
Organizations should protect the overall site design from their own contractors and employees.
Access control
Organizations should minimize the number of people who have access to the perimeter systems.
Change management
An internal attacker can compromise perimeter systems if he can get someone else to install software for him. Solid change management procedures can help detect unauthorized changes that originate on development systems.
Secure middleware
Dynamic content and remote data sources can provide immeasurably increased security.
Network segregation
Segregate the networks: keep front-line systems on one network segment, and move data access systems to a second or third segment. Keep the whole perimeter infrastructure segregated from both the inside and the Internet.
External review
Hire an external and disinterested organization to conduct a technical architecture review. Note that this is very different from a SAS-70 audit report, and very different from a penetration test. Even some very large and capable organizations lack experience in this environment and can benefit from competent external help.
Dedicated staff
The systems administrators and security personnel who take care of the e-commerce systems on a daily basis should be people who truly love their work if possible. This is less tangible than the other recommendations here, but no less important. A system administrator who views the web server as ‘just another system to back up’ will not pay as much heed to subtle indications of problems as someone who has a high personal stake in the machine’s operation and performance. In the same vein, assigning a junior level security administrator to read the logs will not result in solid intrusion detection.
System security
The web server, database servers, middleware servers, access control devices, and physical controls should all be configured with the same level of integrity, control, and countermeasures as the firewalls.
However, with every business opportunity there lies risk, and the Internet is no different. Challenging times lie ahead for both auditors and their clients. Given that the Internet is accessible to everyone, there are definite risks associated with control and security. Generally, control awareness is not as high in East Asia as it is in the West. This attitude must change, not only among auditors and business managers, but also among members of the general public. Until now auditors have been able to adopt either a substantive or a compliance approach. In an e-commerce environment, traditional audit tests may not carry much meaning, so new methods of assurance and auditing techniques need to be developed.
In summary, the primary issues that e-commerce presents to auditors of a business trading through the Internet are audit trail, interrogation, security, reliability and privacy, in respect of controls, policies, procedures and standards. The control issues that auditors should consider with particular care, discussed above, are EDI controls, file controls, PC controls, network controls, Internet controls and data protection.
The timeframe for wider acceptance of e-commerce is difficult to determine, but there is every likelihood that digital cash and virtual shopping will be a common feature of business activity in both the public and private sectors in the next few years.