A Study of E-Commerce System Audit

Hongming Chen (1), Ke Zheng (2)
(1) College of Economics & Management, Changsha University of Science and Technology, Changsha, China, chmdsh@163.com
(2) College of Economics & Management, Changsha University of Science and Technology, Changsha, China, Zhengke00000@126.com

Advances in Information Sciences and Service Sciences (AISS), Volume 5, Number 2, Jan 2013, doi: /AISS.vol5.issue

Abstract

Changes in the auditing environment bring about changes in audit content and forms. With the development of e-commerce, the audit of the electronic commerce system is particularly important, and its audit target and content have their own characteristics. Previous literature on the audit of electronic commerce systems focuses on data-based auditing, mainly on the authenticity, legitimacy and validity of economic business, and lacks research on the audit of the electronic commerce system itself. Based on information system audit, this paper carries out a comprehensive analysis of the electronic commerce system and its economic business, which will improve audit work in the electronic commerce environment. Referring to the related research, and on the basis of the audit goal of the electronic commerce system, this paper analyses the characteristics and content of e-commerce audit.

Key words: E-commerce, Audit Characteristics, Audit Content

1. Introduction

Electronic business is business activity based on computer, network and communication technology [1] that makes the whole business process electronic, digital and networked. As electronic business enterprises develop, changes in the traditional mode of enterprise management inevitably lead to changes in audit patterns, as well as in the auditing environment, audit risk, audit content and audit methods. Thus, auditors no longer face only the difficulties of auditing the accounting information system, which may bring auditors huge challenges. A number of audit techniques and practices, such as traditional paper-based evidence and the year-end audit approach, are no longer ideal or applicable in an e-commerce environment [2] [3].

Much of the literature [4] [5] suggests that financial auditors are often unable to use the key technologies for the new audit mode, real-time audit. At present, we do not pay attention to training auditors with specialized IT skills [4] [6] [7]. Over the last decade, the use of information technology in accountancy [8] and the audit process [9] [10] has been steadily growing. Auditors have adopted new audit techniques in order to accommodate the unique features of e-commerce. Some have focused on the use of computer-aided audit tools [11]. For example, e-commerce security has always been the core and key issue [12] [13], and many models have been proposed to help auditors assess e-commerce security, such as AHP, an adaptive secure methodology [14], a credit risk comprehensive evaluation method [15], and public key encryption methods [16]. While there may be differences between the specific technologies used by auditors, there are sufficient commonalities to group them as Business Risk Audit methodologies [17].

However, compared with these data-based auditing models, the analysis of the e-commerce system based on information system audit has received very little attention. The literature mainly concentrates on the audit framework, the control models and the goals of information system audit [18] [19] [20] [21], which leaves auditors without a comprehensive understanding of e-commerce system audit. This study sets out to explore the audit of the electronic commerce system based on information system audit, which may be the most difficult part of e-business audit, because auditors need to analyze the functions and drawbacks of the e-business system, which is originally the duty of system developers. In this paper, we present only the audit goal, characteristics and content of electronic commerce system audit.

2. The target and characteristics of e-commerce system audit

2.1. The target of e-commerce system audit

The objectives of e-commerce audit include two aspects: one is the auditees' economic transactions and operational matters, the other is the electronic commerce system. The two audit targets are not the same; they differ from and complement each other. The first is to use information technology to audit the auditees' financial statements, relevant information and business activities, and to express an audit opinion on the legality, fairness and consistency of the financial statements, which plays a role in supervision, verification and service. The second is to audit the auditees' information system, including the electronic commerce system, with respect to protecting asset security, data integrity, and system effectiveness and efficiency, and then to express an audit opinion. In essence, the audit of economic business mainly uses computer technology for auxiliary analysis and is closer to the traditional manual audit, so this article does not describe it further. In this paper, we discuss only how to audit the electronic commerce system.

2.2. The characteristics of e-commerce system audit

Electronic audit data

The transaction data and program/system operating data of an electronic commerce enterprise are stored in the database. To collect the data, auditors must adopt interface technology, and then obtain the analysis data by cleaning and converting the data into an audit data warehouse.

The application of computer-aided audit technologies (CAATs)

Because the e-commerce business data and program/system operating data are fully electronic, auditors must use computer-aided audit technologies; otherwise they cannot obtain audit clues to carry out compliance tests and substantive tests, and cannot draw any audit conclusion. At present, computer-aided audit technologies can be divided into two classes: system-oriented CAATs and data-oriented CAATs. The former are used for verifying procedures and systems; the latter are applied to the analysis of electronic data.
The change of risk control

People want to know more about what is going to happen tomorrow. The rules of business and the economy are changing [22]. With technological innovations being used as commercial weapons, the growth of risk in e-commerce has been more or less contemporaneous. Many changes tell auditors little about how to identify the new risks, assess them, control them, and who is responsible for them. While the traditional audit is transaction based and its risk management goal is oriented towards compliance, the evolving audit used in e-commerce is risk based, and its risk management goal is to establish a complete system of risk control to guard against risk effectively. Risk control then becomes a service and can create value. The key differences between traditional risk control and e-commerce risk control are shown below:

Table 1. Comparison of traditional and e-commerce risk control

| Traditional risk control | E-commerce risk control |
| Risk assessment occurs periodically | Risk assessment is a continuous process |
| Accounting, treasury, and internal audit responsible for identifying risks and managing controls | E-commerce risk identification and control management are the responsibility of all members of the organization |
| Fragmentation: every function behaves independently | Connection: business risk assessment and control are focused and coordinated with senior-level oversight |
| Control is focused on financial risk avoidance | Control is focused on the avoidance of unacceptable business risk, followed closely by management of other unavoidable business risks to reduce them to an acceptable level |
| Business risk controls policies, if established, generally do not have the full support of upper management or are inadequately communicated throughout the company | A formal risk controls policy is approved by management and board and communicated throughout the company |
| Inspect and detect business risk, then react at the source | Anticipate and prevent business risk, and monitor business risk controls continuously |
| Ineffective people are the primary source of business risk | Ineffective processes are the primary source of business risk |

Source: KPMG

The innovation of the audit report content

Besides the disclosures of the traditional manual audit, the audit report of an e-commerce system also includes: the security of economic transaction information and customer privacy information; assurance that customer private information will not be used for other, irrelevant purposes; the electronic clearing system and its security; and changes, especially the emphasis on auditing its internal control.

Real-time audit

Real-time audit is an audit mode that uses computer, network and communication technology to establish a real-time connection with the auditees' information system, obtain audit evidence, update the audit content, and provide real-time audit reports. In an e-commerce environment, economic transactions are measured and reported on a real-time basis without internal human intervention. Accordingly, the information produced by the e-commerce system needs to be audited on a real-time basis. With the arrival of the e-commerce era, the traditional audit mode is inevitably changing into the real-time audit mode.

3. The content of e-commerce system audit

We divide it into seven aspects: the system development life cycle, system hardware and software resources, system security, system management, internal control auditing, e-commerce business, and disaster recovery and business continuity plan. Its content and target diagram is shown below:

[Figure 1. The content of e-commerce system audit. Audit content: the system development life cycle; system hardware and software resources; system security; system management; internal control auditing; electronic commerce business; disaster recovery and business continuity plan. Audit targets: protecting assets, data integrity, system effectiveness, system efficiency. Result: audit conclusion.]

3.1. The system development life cycle

The system life cycle is the process of setting up a computer system, which is built by system analysts, software engineers, programmers and users. The audit of the system life cycle can be divided into five parts:

(1) System planning stage: whether a reasonable system planning method is adopted (critical success factor method, strategy set transformation method, business system planning, etc.); whether a feasibility analysis is carried out; whether there are enough funds and technicians to support the development of the information system.
(2) System development phase: make sure the development process complies with the established policies and has obtained the relevant examination and approval; confirm that the system development files exist and are accurate and complete; confirm whether total quality control is implemented during this phase.
(3) System acceptance stage: whether a comprehensive test is conducted and the system planning standards are achieved; whether the system development or purchase cost is reasonable.
(4) System operation stage: determine whether the system functions are complete and effective; whether the systems receive timely maintenance.
(5) System maintenance phase: affirm whether the enterprise has a maintenance plan and carries it out; whether staff change system settings on key issues without permission during maintenance; whether necessary protection and restoration measures are taken, such as creating protection points, data backups, etc.; determine whether a full test is run after maintenance to ensure system function integrity and data accuracy; whether there are system maintenance records, including maintenance scope, backup dates and the relevant responsible persons.

3.2. System hardware and software resources

The audit goal: to confirm the authenticity, integrity and legality of the auditees' software and hardware; whether the hardware and software resources can meet the needs of the e-commerce business; whether those software and hardware resources comply with national laws and regulations, such as "Financial information technology accounting software data interface", drafted by the China Auditing Administration and organized and implemented by the China National Standards Committee.

3.3. System security

(1) Network data security

Network data security consists of network data security technology and its safety management. The auditor can usually audit it from the following aspects: network anti-virus technology and the ways it is realized (antivirus technology, virus monitoring technology, network virus removal technology), firewall technology, data encryption technology, authentication technology (digital signature technology, identification technology, digital digest, digital certificate, etc.) and authorization, and the implementation of those technologies; analysis of the security log; review of the implementation of relevant laws and regulations, such as the safety protection regulations for computer information systems.

(2) Network access control

Network access control consists of authority control and user authentication. Authority control mainly checks whether authority exists when customers access resource nodes and user nodes. Resource nodes provide services or data; user nodes access the services provided by the resource nodes. For example, customers who access the electronic business system can view only the authorized resource data (product name, price, quantity), and cannot view data (purchase price, inventory amount, pricing strategy, etc.) without authorization. User authentication methods can be divided into general user/password authentication, token authentication, biometric authentication, etc.; the former two are widely used. The audit content of user authentication: these authentication methods and their implementation.
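The authority-control and user-authentication checks in 3.3 can be run as a data-oriented CAAT over an access log. The following is an added example, not code from the paper: the log layout, the role names other than the customer, the policy table and the function names are assumptions, and the sample log is constructed.

```python
import csv
import io
from collections import Counter

# Assumed field-level policy for the product resource node. The customer row
# follows the paper's example; the other roles are hypothetical.
POLICY = {
    "customer": {"name", "price", "quantity"},
    "purchasing": {"name", "price", "quantity",
                   "purchase_price", "inventory_amount"},
    "pricing_admin": {"name", "price", "quantity", "purchase_price",
                      "inventory_amount", "pricing_strategy"},
}

# Authentication methods named in section 3.3.
KNOWN_AUTH = {"password", "token", "biometric"}

# Constructed sample access log (not real data): one row per request,
# with the fields returned to the user separated by ';'.
SAMPLE_LOG = """\
time,user,role,auth,fields
2013-01-07T09:00:01,alice,customer,password,name;price;quantity
2013-01-07T09:00:05,bob,customer,password,name;price;purchase_price
2013-01-07T09:01:12,carol,purchasing,token,name;purchase_price;inventory_amount
2013-01-07T09:02:30,dave,purchasing,token,name;pricing_strategy
2013-01-07T09:03:44,,customer,,name;price
2013-01-07T09:04:10,erin,contractor,password,name;price
2013-01-07T09:05:00,frank,pricing_admin,biometric,pricing_strategy;purchase_price
"""


def audit_access_log(log_text, policy=POLICY):
    """Return one finding per control failure found in the access log."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"] or "<anonymous>"
        returned = {f for f in row["fields"].split(";") if f}

        def report(kind, detail):
            findings.append({"time": row["time"], "user": user,
                             "type": kind, "detail": detail})

        # User authentication: every request needs an identified user and
        # one of the recognised authentication methods.
        if not row["user"] or row["auth"] not in KNOWN_AUTH:
            report("unauthenticated", row["auth"] or "no auth method recorded")

        # Authority control: a role missing from the policy is a finding in
        # itself (fail closed), so the field check is skipped for it.
        allowed = policy.get(row["role"])
        if allowed is None:
            report("unknown_role", row["role"])
            continue

        # Any returned field outside the role's allowed set is an exposure.
        exposed = sorted(returned - allowed)
        if exposed:
            report("unauthorized_fields", ";".join(exposed))
    return findings


def summarize(findings):
    """Count findings by type for the audit working paper."""
    return dict(Counter(f["type"] for f in findings))


if __name__ == "__main__":
    results = audit_access_log(SAMPLE_LOG)
    for f in results:
        print(f["time"], f["user"], f["type"], f["detail"])
    print(summarize(results))
```

Each finding is an audit exception to follow up with the system owner; an empty result only shows that the logged requests matched the policy, not that the policy itself is adequate.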

3.4. System management

Electronic commerce system management can be divided into three aspects: system monitoring, system configuration and system operation management; event correlation and automation processing; and business impact management. The audit goal is to guarantee the performance of the system and its usability, the integrity of data and other information resources, and system security. The audit content is:

(1) System monitoring, system configuration and system operation management: whether the hardware and software are registered and updated; whether job sequencing and job plans are scheduled and applied, etc.
(2) Event correlation and automation processing: overall analysis of the different causes that lead to an error report, which may come from the network, server system, database or application logic; finding the root causes and handling them accordingly, such as raising an alarm or starting an engine procedure, etc.
(3) Business impact management is a form of system management that keeps business service at a high level and connects business system performance with all the possible influencing factors, which helps the user find changes in performance and the reasons for those changes. The audit contents of business impact management in an e-commerce system are as follows: the overall security of customer privacy information, which means enterprises do not share customer information with a third party without authorization and protect customer information from leakage; whether there is a security mechanism to ensure 24x7 continuous service; whether there is a control mechanism for maximum response time, such as no more than 3 seconds, etc.

3.5. Internal control

Internal control auditing includes two aspects: the audit of general control and the audit of application control. The audit of general control mainly concentrates on the internal control environment, including the management concept of the e-commerce system, organizational culture, staff loyalty and sense of belonging, the information system structure and the rationality of the division of responsibilities, and human resources policies. Application control focuses on the effectiveness, legality and propriety of control activities, mainly including authorization, separation of incompatible duties, accounts being consistent with the facts, and the necessary risk control activities and their countermeasures. Additionally, the auditor should check the risk of data processing in internal control activities, namely the accuracy, integrity and security of the data, as follows:

(1) The system or program cannot process data correctly, processes incorrect data, or both.
(2) Whether there is unauthorized access to data, which may lead to modification of or even damage to the data.
(3) Whether there is unauthorized access, which may damage the original division of labor in the e-commerce system.
(4) Changes to the main document data without authorization.
(5) Adaptation of the system or program without authorization.
(6) Inability to make the necessary configuration or modifications to programs.
(7) Inappropriate human intervention.
(8) Possible loss of data or inability to access data.

3.6. E-commerce business

At present there are many types of e-commerce, but most of them can be classified by distribution channel into two kinds: online direct trading platforms (such as JingDong mall) and online indirect trading platforms (such as Alibaba). Although the business processes are not the same, both include three core parts: emotion communication, capital delivery, commodity distribution. So we do not distinguish commodity trading processes in the audit of e-commerce business. In order to ensure the authenticity, reliability and integrity of the trading information, auditors have to audit the following information:

(1) The basic information of commodities, including name, price, performance, etc.
(2) The commodity trading information, such as delivery time, distance, payment terms, return policy, etc.
(3) After-sales service and related technical support, such as warranty time, the "three packets" policy, etc.
(4) The related process risks and handling procedures, such as the handling schemes for delivery errors, losses and legal disputes, etc.
(5) The customer rights and obligations.

To ensure that the above information is audited, the auditor needs to carry out the following work:

(1) Customer electronic contract test: check the accuracy, integrity and authenticity of every transaction or service, and reconfirm after the deal.
(2) Payment system test: before payment by electronic bill, review the sales price and all related expenses; carry out the liquidation according to the electronic bill; if staff make mistakes in an electronic bill, whether the person in charge informs the customer in time.
(3) Goods distribution test: whether goods are delivered to the right place at the right time and in the right quantity; whether the enterprise promptly notifies the customer and takes remedial measures when special circumstances arise.
(4) Client ID information and transaction records test: confirm whether there are measures to preserve customer ID information and transaction records, including the integrity, accuracy and authenticity of those records; test the implementation and execution of that management.
(5) Supervision test: whether trade authenticity is effectively monitored; if the enterprise fails to carry out control measures, it shall promptly issue a public notice and take remedial measures.

3.7. Disaster recovery and business continuity plan

The disaster recovery and business continuity plan is a plan that prevents business activity from being interrupted in the case of natural or man-made disasters. The main content of the audit test is: whether the plan is feasible and valid; confirming that the related resources (hardware and software) have been backed up and evaluating their safety; whether the test results meet the expected requirements.

4. Conclusion

At present, research on information system audit in our country is still at the primary stage. Although our country has issued a series of computer information system audit standards, such as audit in computer environment, risk assessment and internal control computer information system environment characteristics and consideration, computer information system environment database system, and computer-aided auditing technique, those standards lack systematic, structural understanding and the necessary guidance; information system audit in different industries also has its own characteristics. This paper uses a systematic and structural method to analyse the audit content of the electronic commerce system. This paper has certain limitations, such as not combining the audit content with specific technology to design the audit procedures. To improve the audit of electronic commerce in China, on the one hand, we can draw lessons from the United States, Canada and other western developed countries to develop independent electronic business audit standards and continue to enrich the auditing standards for e-commerce systems in China; on the other hand, we should train auditors with computer-aided auditing skills and promote the application of the corresponding computer-aided auditing techniques.

5. References

[1] Kotb A, Roberts C, "The impact of e-business on the audit process: an investigation of the factors leading to change", International Journal of Auditing, Vol.15, pp ,

[2] Shaikh J., "E-commerce impact: emerging technology electronic auditing", Managerial Auditing Journal, Vol.20, pp ,2005.
[3] Chou C, Chang J, "Continuous auditing for web-released financial information", Review of Accounting and Finance, Vol.9, pp.4-32,
[4] Pathak J, Lind M, "Empirical assessment of effective e-commerce audit judgment", [accessed ],
[5] Brazel J, "How do financial statement auditors and IT auditors work together?", The CPA Journal, Vol.78, pp.38-41,
[6] Bedard J, Chi M, "Expertise in auditing", Auditing: A Journal of Practice & Theory, Vol.12, pp.21-45,
[7] Coe M, "Integrating IT into the AIS course", Review of Business Information Systems, Vol.10, pp ,
[8] Caglio A, "Enterprise resource planning systems and accountants: towards hybridization?", European Accounting Review, Vol.12, pp ,
[9] Shaikh J., "E-commerce impact: emerging technology electronic auditing", Managerial Auditing Journal, Vol.20, pp ,2005.
[10] KPMG, "Continuous auditing and monitoring: are promised benefits now being realised?", London: KPMG,
[11] Bierstaker J, Burnaby P, Thibodeau J, "The impact of information technology on the audit process: an assessment of the state of the art and implications for the future", Managerial Auditing Journal, Vol.16, pp ,
[12] Gerber, M., Vonsolms, R., "From risk analysis to security requirements", Computers and Security, Vol.20, pp ,2001.
[13] Ngai, E., "Selection of web sites for online advertising using the AHP tools", Information and Management, Vol.40, pp ,
[14] Tak, S. W., Park, E. K., "A software framework for non-repudiation service based on adaptive secure methodology in electronic commerce", Information Systems Frontiers, Vol.6, pp.47-66,
[15] Kun Fan, "Credit risk comprehensive method for online trading company", AISS: Advances in Information Sciences and Service Sciences, Vol.4, No.6, pp ,
[16] Ma Jun, "Research of electronic business security based on public key encryption methods", IJACT: International Journal of Advancements in Computing Technology, Vol.4, No.2, pp.50-57,
[17] Winograd, B. N., Gerson, J. S., Berlin, B. L., "Audit practices of PricewaterhouseCoopers", Auditing: A Journal of Practice and Theory, Vol.19, No.3, pp ,
[18] He XiaoLing, "A study of information system audit and its control framework", Shanghai Management Science, Vol.4, No.12, pp.41-43,
[19] Wang ZhenWu, Zhang ZiJin, "Information system audit theory structure research", Friends of Accounting, Vol.7, No.21, pp.91-96, 2011.
[20] Wu QinHong, "The analysis of information system audit's content", Finance and Accounting Monthly, Vol.10, No.2, pp.62-63, 2008.
[21] Lai MingMin, Yan ShuJi, "Computer information system audit criterion comparative study", Journal of Accounting Communications, Vol.4, No.6, pp.47-49,
[22] Elliott, R. K., Rasmussen, T. A., Rucker, S. C., Strange, J. T., & Williamson, A. L., "The financial statement audit: why a new age requires an evolving methodology", Assurance and Advisory Services, USA: KPMG LLP,


More information

Development of a Kind of Mine Staff Management System

Development of a Kind of Mine Staff Management System Advanced Engineering Forum Online: 2011-12-22 ISSN: 2234-991X, Vols. 2-3, pp 779-784 doi:10.4028/www.scientific.net/aef.2-3.779 2012 Trans Tech Publications, Switzerland Development of a Kind of Mine Staff

More information

SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS SRI LANKA AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective for all the audits commencing on or after 01 April 2010) CONTENTS

More information

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

INTERNATIONAL AUDITING PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS INTERNATIONAL PRACTICE STATEMENT 1013 ELECTRONIC COMMERCE EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (This Statement is effective) CONTENTS Paragraph Introduction... 1 5 Skills and Knowledge... 6 7 Knowledge

More information

Design and Implementation of Production Management Information System for Jiujiang Railway Track Depot

Design and Implementation of Production Management Information System for Jiujiang Railway Track Depot Management Information System for Jiujiang Railway Track Depot 1 Information Technology Center Jiujiang University Jiujiang, Jiangxi, 332005, China E-mail: rcl@jju.edu.cn Upon analyzing the actual situation

More information

IT - General Controls Questionnaire

IT - General Controls Questionnaire IT - General Controls Questionnaire Internal Control Questionnaire Question Yes No N/A Remarks G1. ACCESS CONTROLS Access controls are comprised of those policies and procedures that are designed to allow

More information

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy

by: Scott Baranowski Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy Community Bank Auditors Group Best Practices in Auditing Record Retention, Safeguarding Paper Documents, GLBA and Privacy June 10, 2015 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including: 1. IT Cost Containment 84 topics 2. Cloud Computing Readiness 225

More information

INFORMATION TECHNOLOGY SECURITY STANDARDS

INFORMATION TECHNOLOGY SECURITY STANDARDS INFORMATION TECHNOLOGY SECURITY STANDARDS Version 2.0 December 2013 Table of Contents 1 OVERVIEW 3 2 SCOPE 4 3 STRUCTURE 5 4 ASSET MANAGEMENT 6 5 HUMAN RESOURCES SECURITY 7 6 PHYSICAL AND ENVIRONMENTAL

More information

Modern Accounting Information System Security (AISS) Research Based on IT Technology

Modern Accounting Information System Security (AISS) Research Based on IT Technology , pp.163-170 http://dx.doi.org/10.14257/astl.2016. Modern Accounting Information System Security (AISS) Research Based on IT Technology Jiamin Fang and Liqing Shu Accounting Branch, Jilin Business and

More information

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS

PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS PRACTICE NOTE 1013 ELECTRONIC COMMERCE - EFFECT ON THE AUDIT OF FINANCIAL STATEMENTS (Issued December 2003; revised September 2004 (name change)) PN 1013 (September 04) PN 1013 (December 03) Contents Paragraphs

More information

ISO 27001 Controls and Objectives

ISO 27001 Controls and Objectives ISO 27001 s and Objectives A.5 Security policy A.5.1 Information security policy Objective: To provide management direction and support for information security in accordance with business requirements

More information

Knowledge Management Series. Internal Audit in ERP Environment

Knowledge Management Series. Internal Audit in ERP Environment Knowledge Management Series Internal Audit in ERP Environment G BALU ASSOCIATES Knowledge Management Series ISSUE-5 ; VOL 1 Internal Audit in ERP Environment APRIL/2012 Editorial Greetings..!!! Raja Gopalan.B

More information

PREMIER SUPPORT STANDARD SERVICES BRONZE SILVER GOLD

PREMIER SUPPORT STANDARD SERVICES BRONZE SILVER GOLD SERVICE SUMMARY ITonDemand provides four levels of service to choose from to meet our clients range of needs. Plans can also be customized according to more specific environment needs. PREMIER SUPPORT

More information

Security from a customer s perspective. Halogen s approach to security

Security from a customer s perspective. Halogen s approach to security September 18, 2015 Security from a customer s perspective Using a cloud-based talent management program can deliver tremendous benefits to your organization, including aligning your workforce, improving

More information

Office of the State Controller. Self-Assessment of Internal Controls. Computer Security Cycle. Objectives and Risks

Office of the State Controller. Self-Assessment of Internal Controls. Computer Security Cycle. Objectives and Risks Office of the State Controller Self-Assessment of Internal Controls Computer Security Cycle Objectives and Risks Agency Year-End Objectives Risks Definition and communication of organizational structure,

More information

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results

IT General Controls Domain COBIT Domain Control Objective Control Activity Test Plan Test of Controls Results Acquire or develop application systems software Controls provide reasonable assurance that application and system software is acquired or developed that effectively supports financial reporting requirements.

More information

CHIS, Inc. Privacy General Guidelines

CHIS, Inc. Privacy General Guidelines CHIS, Inc. and HIPAA CHIS, Inc. provides services to healthcare facilities and uses certain protected health information (PHI) in connection with performing these services. Therefore, CHIS, Inc. is classified

More information

University of Pittsburgh Security Assessment Questionnaire (v1.5)

University of Pittsburgh Security Assessment Questionnaire (v1.5) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.5) Directions and Instructions for completing this assessment The answers provided

More information

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery WHITE PAPER HIPAA-Compliant Data Backup and Disaster Recovery DOCUMENT INFORMATION HIPAA-Compliant Data Backup and Disaster Recovery PRINTED March 2011 COPYRIGHT Copyright 2011 VaultLogix, LLC. All Rights

More information

Secure System Solution and Security Technology

Secure System Solution and Security Technology Secure System Solution and Security Technology Hitachi Review Vol. 47 (1998), No. 6 245 Chisato Konno, D.Sc. Mitsuhiro Tsunoda Yasushi Kuba Satoru Tezuka OVERVIEW: The and intranet systems are rapidly

More information

DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2. Data Management Requirements for Central Data Management Facilities

DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2. Data Management Requirements for Central Data Management Facilities DAIDS Appendix 2 No.: DWD-POL-DM-01.00A2 Data Management Requirements for Central Data Management Facilities The following clinical trial data management requirements must be met in order to ensure the

More information

Journal of Chemical and Pharmaceutical Research, 2015, 7(3):1388-1392. Research Article. E-commerce recommendation system on cloud computing

Journal of Chemical and Pharmaceutical Research, 2015, 7(3):1388-1392. Research Article. E-commerce recommendation system on cloud computing Available online www.jocpr.com Journal of Chemical and Pharmaceutical Research, 2015, 7(3):1388-1392 Research Article ISSN : 0975-7384 CODEN(USA) : JCPRC5 E-commerce recommendation system on cloud computing

More information

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name]

PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] PDS (The Planetary Data System) Information Technology Security Plan for The Planetary Data System: [Node Name] [Date] [Location] 1 Prepared by: [Author] [Title] Date Approved by: [Name] [Title] Date 2

More information

A Study on the Internal Control of Accounting Information Processing System under the Computer Environment

A Study on the Internal Control of Accounting Information Processing System under the Computer Environment A Study on the Internal Control of Accounting Information Processing System under the Computer Environment 1 Hongxia Zhang, 2 Changqing Guo, 3 Qian Sun 1 Jilin University of Finance and Economics, Changchun,

More information

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07 EVALUATION REPORT Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review March 13, 2015 REPORT NUMBER 15-07 EXECUTIVE SUMMARY Weaknesses Identified During the FY 2014

More information

Security Controls What Works. Southside Virginia Community College: Security Awareness

Security Controls What Works. Southside Virginia Community College: Security Awareness Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction

More information

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery WHITE PAPER HIPPA Compliance and Secure Online Data Backup and Disaster Recovery January 2006 HIPAA Compliance and the IT Portfolio Online Backup Service Introduction October 2004 In 1996, Congress passed

More information

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY

WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY WEST LOTHIAN COUNCIL INFORMATION SECURITY POLICY DATA LABEL: PUBLIC INFORMATION SECURITY POLICY CONTENTS 1. INTRODUCTION... 3 2. MAIN OBJECTIVES... 3 3. LEGISLATION... 4 4. SCOPE... 4 5. STANDARDS... 4

More information

Standards for Information Security Measures for the Central Government Computer Systems (Fourth Edition)

Standards for Information Security Measures for the Central Government Computer Systems (Fourth Edition) Standards for Information Security Measures for the Central Government Computer Systems (Fourth Edition) February 3, 2009 Established by the Information Security Policy Council Table of Contents Standards

More information

Evaluate the Usability of Security Audits in Electronic Commerce

Evaluate the Usability of Security Audits in Electronic Commerce Evaluate the Usability of Security Audits in Electronic Commerce K.A.D.C.P Kahandawaarachchi, M.C Adipola, D.Y.S Mahagederawatte and P Hewamallikage 3 rd Year Information Systems Undergraduates Sri Lanka

More information

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc.

Table of Contents. Auditor's Guide to Information Systems Auditing Richard E. Cascarino Copyright 2007, John Wiley & Sons, Inc. Table of Contents PART I. IS Audit Process. CHAPTER 1. Technology and Audit. Technology and Audit. Batch and On-Line Systems. CHAPTER 2. IS Audit Function Knowledge. Information Systems Auditing. What

More information

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version)

Smart Meters Programme Schedule 8.6. (Business Continuity and Disaster Recovery Plan) (CSP North version) Smart Meters Programme Schedule 8.6 (Business Continuity and Disaster Recovery Plan) (CSP North version) Schedule 8.6 (Business Continuity and Disaster Recovery Plan) (CSP North version) Amendment History

More information

Analysis of Small and Medium-Sized Enterprises E-Commerce Development Status in China in the New Economy Era

Analysis of Small and Medium-Sized Enterprises E-Commerce Development Status in China in the New Economy Era Cross-Cultural Communication Vol. 11, No. 2, 2015, pp. 97-101 DOI: 10.3968/6559 ISSN 1712-8358[Print] ISSN 1923-6700[Online] www.cscanada.net www.cscanada.org Analysis of Small and Medium-Sized Enterprises

More information

VA Office of Inspector General

VA Office of Inspector General VA Office of Inspector General OFFICE OF AUDITS & EVALUATIONS Department of Veterans Affairs Federal Information Security Management Act Audit for Fiscal Year 2013 May 29, 2014 13-01391-72 ACRONYMS AND

More information

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009

Developing the Corporate Security Architecture. www.avient.ca Alex Woda July 22, 2009 Developing the Corporate Security Architecture www.avient.ca Alex Woda July 22, 2009 Avient Solutions Group Avient Solutions Group is based in Markham and is a professional services firm specializing in

More information

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

An Oracle White Paper December 2010. Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance An Oracle White Paper December 2010 Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance Executive Overview... 1 Health Information Portability and Accountability Act Security

More information

SERVICES BRONZE SILVER GOLD PLATINUM. On-Site emergency response time 3 Hours 3 Hours 1-2 Hours 1 Hour or Less

SERVICES BRONZE SILVER GOLD PLATINUM. On-Site emergency response time 3 Hours 3 Hours 1-2 Hours 1 Hour or Less SERVICE SUMMARY ITonDemand provides four levels of service to choose from to meet our clients range of needs. Plans can also be customized according to more specific environment needs. SERVICES BRONZE

More information

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Specific observations and recommendations that were discussed with campus management are presented in detail below. CSU The California State University Office of Audit and Advisory Services INFORMATION SECURITY California State University, San Bernardino Audit Report 14-55 March 18, 2015 EXECUTIVE SUMMARY OBJECTIVE

More information

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management Advisory Guidelines of the Financial Supervisory Authority Requirements regarding the arrangement of operational risk management These Advisory Guidelines have established by resolution no. 63 of the Management

More information

Supplier Information Security Addendum for GE Restricted Data

Supplier Information Security Addendum for GE Restricted Data Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing,

More information

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) UNIVERSITY OF PITTSBURGH POLICY SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA) DATE: March 18, 2005 I. SCOPE This

More information

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process.

The first step in protecting Critical Cyber Assets is identifying them. CIP-002 focuses on this identification process. CIPS Overview Introduction The reliability of the energy grid depends not only on physical assets, but cyber assets. The North American Electric Reliability Corporation (NERC) realized that, along with

More information

Sample Career Ladder/Lattice for Information Technology

Sample Career Ladder/Lattice for Information Technology Click on a job title to see examples of descriptive information about the job. Click on a link between job titles to see the critical development experiences needed to move to that job on the pathway.

More information

A Technical Template for HIPAA Security Compliance

A Technical Template for HIPAA Security Compliance A Technical Template for HIPAA Security Compliance Peter J. Haigh, FHIMSS peter.haigh@verizon.com Thomas Welch, CISSP, CPP twelch@sendsecure.com Reproduction of this material is permitted, with attribution,

More information

How To Protect A Web Application From Attack From A Trusted Environment

How To Protect A Web Application From Attack From A Trusted Environment Standard: Version: Date: Requirement: Author: PCI Data Security Standard (PCI DSS) 1.2 October 2008 6.6 PCI Security Standards Council Information Supplement: Application Reviews and Web Application Firewalls

More information

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance

3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014. Straightforward Security and Compliance 3rd Party Assurance & Information Governance 2014-2016 outlook IIA Ireland Annual Conference 2014 Continuous Education Services (elearning/workshops) Compliance Management Portals Information Security

More information

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER RaySafe S1 SECURITY WHITEPAPER Contents 1. INTRODUCTION 2 ARCHITECTURE OVERVIEW 2.1 Structure 3 SECURITY ASPECTS 3.1 Security Aspects for RaySafe S1 Data Collector 3.2 Security Aspects for RaySafe S1 cloud-based

More information

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services

Lifecycle Solutions & Services. Managed Industrial Cyber Security Services Lifecycle Solutions & Services Managed Industrial Cyber Security Services Around the world, industrial firms and critical infrastructure operators partner with Honeywell to address the unique requirements

More information

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS

INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS Issues Paper INTERNATIONAL ASSOCIATION OF INSURANCE SUPERVISORS RISKS TO INSURERS POSED BY ELECTRONIC COMMERCE OCTOBER 2002 Risks to Insurers posed by Electronic Commerce The expansion of electronic commerce,

More information

Supplier IT Security Guide

Supplier IT Security Guide Revision Date: 28 November 2012 TABLE OF CONTENT 1. INTRODUCTION... 3 2. PURPOSE... 3 3. GENERAL ACCESS REQUIREMENTS... 3 4. SECURITY RULES FOR SUPPLIER WORKPLACES AT AN INFINEON LOCATION... 3 5. DATA

More information

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS

GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS GOVERNANCE AND SECURITY BEST PRACTICES FOR PAYMENT PROCESSORS A White Paper by i2c, Inc. 1300 Island Drive Suite 105 Redwood City, CA 94065 USA +1 650-593-5400 sales@i2cinc.com www.i2cinc.com Table of

More information

Draft ETSI EN 319 401 V1.1.1 (2012-03)

Draft ETSI EN 319 401 V1.1.1 (2012-03) Draft EN 319 401 V1.1.1 (2012-03) European Standard Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers supporting Electronic Signatures 2 Draft EN

More information

EHRs and Information Availability: Are You At Risk?

EHRs and Information Availability: Are You At Risk? May 2006 Issue EHRs and Information Availability: Are You At Risk? The EHR initiative is changing the face of disaster and the nature of prevention planning. By Jim Grogan On April 27, 2004, the age of

More information

Official Journal of RS, No. 86/2006 of 11. 08. 2006 REGULATION

Official Journal of RS, No. 86/2006 of 11. 08. 2006 REGULATION Official Journal of RS, No. 86/2006 of 11. 08. 2006 Pursuant to Articles 10, 23, 36, 40, 43, 47, 53, 54, 63, 71, 72, 73, 74, 88 and 91 of the Protection of Documents and Archives and Archival Institutions

More information

INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS

INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT CONTENTS INTERNATIONAL STANDARD ON AUDITING 401 AUDITING IN A COMPUTER INFORMATION SYSTEMS ENVIRONMENT (This Standard is effective, but will be withdrawn when ISA 315 and 330 become effective) * CONTENTS Paragraph

More information

3.11 System Administration

3.11 System Administration 3.11 The functional area is intended to contribute to the overall flexibility, efficiency, and security required for operating and maintaining the system. Depending on the architecture of the system, system

More information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES HIPAA COMPLIANCE Achieving HIPAA Compliance with Security Professional Services The Health Insurance

More information

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011 Nationwide Review of CMS s HIPAA Oversight Brian C. Johnson, CPA, CISA Wednesday, January 19, 2011 1 WHAT I DO Manage Region IV IT Audit and Advance Audit Technique Staff (AATS) IT Audit consists of 8

More information

Information Technology General Controls (ITGCs) 101

Information Technology General Controls (ITGCs) 101 Information Technology General Controls (ITGCs) 101 Presented by Sugako Amasaki (Principal Auditor) University of California, San Francisco December 3, 2015 Internal Audit Webinar Series Webinar Agenda

More information

Summary of CIP Version 5 Standards

Summary of CIP Version 5 Standards Summary of CIP Version 5 Standards In Version 5 of the Critical Infrastructure Protection ( CIP ) Reliability Standards ( CIP Version 5 Standards ), the existing versions of CIP-002 through CIP-009 have

More information

E-commerce for accounting professionals Part 3: Opportunity knocks

E-commerce for accounting professionals Part 3: Opportunity knocks E-commerce for accounting professionals Part 3: Opportunity knocks By ROBIN DAY, CGA Opportunity knocks E-business transformations Risk management Assurance services New competencies Summary This document

More information

BKDconnect Security Overview

BKDconnect Security Overview BKDconnect Security Overview 1 Introduction 1.1 What is BKDconnect 1.2 Site Creation 1.3 Client Authentication and Access 2 Security Design 2.1 Confidentiality 2.1.1 Least Privilege and Role Based Security

More information

Polish Financial Supervision Authority. Guidelines

Polish Financial Supervision Authority. Guidelines Polish Financial Supervision Authority Guidelines on the Management of Information Technology and ICT Environment Security for Insurance and Reinsurance Undertakings Warsaw, 16 December 2014 Table of Contents

More information

Information Systems and Tech (IST)

Information Systems and Tech (IST) California State University, San Bernardino 1 Information Systems and Tech (IST) Courses IST 101. Introduction to Information Technology. 4 Introduction to information technology concepts and skills. Survey

More information

One Continuous Auditing Practice in China: Data-oriented Online Auditing(DOOA)

One Continuous Auditing Practice in China: Data-oriented Online Auditing(DOOA) One Continuous Auditing Practice in China: Data-oriented Online Auditing(DOOA) Wei Chen, Jin-cheng Zhang, and Yu-quan Jiang Nanjing Audit University, Nanjing, Jiangsu 210029, China chenweich@nau.edu.cn

More information

What s happening in the area of E-security for the Financial Transactions in China

What s happening in the area of E-security for the Financial Transactions in China What s happening in the area of E-security for the Financial Transactions in China Dr. Wang Jun Head of E-banking Division, Bank of China Sep. 26, 2002 A Tremendous Potential E-financing Market is is coming

More information

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards

SCADA Compliance Tools For NERC-CIP. The Right Tools for Bringing Your Organization in Line with the Latest Standards SCADA Compliance Tools For NERC-CIP The Right Tools for Bringing Your Organization in Line with the Latest Standards OVERVIEW Electrical utilities are responsible for defining critical cyber assets which

More information

E-Business, E-Commerce

E-Business, E-Commerce E-Business, E-Commerce Lecture Outline 11 Instructor: Kevin Robertson Introduction to Information Systems Explain the differences between extranets and intranets as well as show how organizations utilize

More information

BSM for IT Governance, Risk and Compliance: NERC CIP

BSM for IT Governance, Risk and Compliance: NERC CIP BSM for IT Governance, Risk and Compliance: NERC CIP Addressing NERC CIP Security Program Requirements SOLUTION WHITE PAPER Table of Contents INTRODUCTION...................................................

More information

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS

CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS 11-1 CHAPTER 11 COMPUTER SYSTEMS INFORMATION TECHNOLOGY SERVICES CONTROLS INTRODUCTION The State Board of Accounts, in accordance with State statutes and the Statements on Auditing Standards Numbers 78

More information

Draft Information Technology Policy

Draft Information Technology Policy Draft Information Technology Policy Version 3.0 Draft Date June 2014 Status Draft Approved By: Table of Contents 1.0 Introduction... 6 Background... 6 Purpose... 6 Scope... 6 Legal Framework... 6 2.0 Software

More information

Research on Latecomer Strategy of Internet Business Model Innovation

Research on Latecomer Strategy of Internet Business Model Innovation Research on Latecomer Strategy of Internet Business Model Innovation Jiao Gao, Zhaoyang Sun, Xiaofei Zhang, Jinxing Liu 1 1 Introduction Business mode innovation is the foundation of enterprises survival

More information