STATEMENT OF AUDITING PRACTICE

SAP 1013

Electronic Commerce - Effect on the Audit of Financial Statements

This Statement of Auditing Practice was approved by the Council of the Institute of Certified Public Accountants of Singapore in August 2002. SAP 1013 supersedes the SAP of the same title in June 2004. No substantive changes have been made to the original approved text and all cross references have been updated, as appropriate.
CONTENTS (paragraphs)

Introduction 1-5
Skills and Knowledge 6-7
Knowledge of the Business 8-18
The Entity's Business Activities and Industry 10-12
The Entity's E-Commerce Strategy 13
The Extent of Entity's E-Commerce Activities 14-16
The Entity's Outsourcing Arrangements 17-18
Risk Identification 19-24
Legal and Regulatory Issues 22-24
Internal Control Considerations 25-34
Security 27-28
Transaction Integrity 29-31
Process Alignment 32-34
The Effect of Electronic Records on Audit Evidence 35-36
Introduction

1. The purpose of this Statement is to provide guidance to assist auditors of financial statements where an entity engages in commercial activity that takes place by means of connected computers over a public network, such as the Internet (e-commerce¹). The guidance in this Statement is particularly relevant to the application of SSA 300, Planning, SSA 310, Knowledge of the Business and SSA 400, Risk Assessments and Internal Control.

2. This Statement identifies specific matters to assist the auditor when considering the significance of e-commerce to the entity's business activities and the effect of e-commerce on the auditor's assessments of risk for the purpose of forming an opinion on the financial statements. The purpose of the auditor's consideration is not to form an opinion or provide consulting advice concerning the entity's e-commerce systems or activities in their own right.

3. Communications and transactions over networks and through computers are not new features of the business environment. For example, business processes frequently involve interaction with a remote computer, the use of computer networks, or electronic data interchange (EDI). However the increasing use of the Internet for business to consumer, business to business, business to government and business to employee e-commerce is introducing new elements of risk to be addressed by the entity and considered by the auditor when planning and performing the audit of the financial statements.

4. The Internet refers to the worldwide network of computer networks, it is a shared public network that enables communication with other entities and individuals around the world. It is interoperable, which means that any computer connected to the Internet can communicate with any other computer connected to the Internet. The Internet is a public network, in contrast to a private network that only allows access to authorized persons or entities. The use of a public network introduces special risks to be addressed by the entity. Growth of Internet activity without due attention by the entity to those risks may affect the auditor's assessment of risk.

5. While this Statement has been written for situations where the entity engages in commercial activity over a public network such as the Internet, much of the guidance it contains can also be applied when the entity uses a private network. Similarly, while much of this guidance will be helpful when auditing entities formed primarily for e-commerce activities (often called "dot coms") it is not intended to deal with all audit issues that would be addressed in the audit of such entities.

¹ The term e-commerce is used in this SAP. E-business is also commonly used in a similar context. There are no generally accepted definitions of these terms, and e-commerce and e-business are often used interchangeably. Where a distinction is made, e-commerce is sometimes used to refer solely to transactional activities (such as the buying and selling of goods and services) and e-business is used to refer to all business activities, both transactional and non-transactional, such as customer relations and communications.

Skills and Knowledge
6. The level of skills and knowledge required to understand the effect of e-commerce on the audit will vary with the complexity of the entity's e-commerce activities. The auditor considers whether the personnel assigned to the engagement have appropriate IT² and Internet business knowledge to perform the audit. When e-commerce has a significant effect on the entity's business, appropriate levels of both information technology (IT) and Internet business knowledge may be required to:
- Understand, so far as they may affect the financial statements:
  - The entity's e-commerce strategy and activities,
  - The technology used to facilitate the entity's e-commerce activities and the IT skills and knowledge of entity personnel,
  - The risks involved in the entity's use of e-commerce and the entity's approach to managing those risks, particularly the adequacy of the internal control system, including the security infrastructure and related controls, as it affects the financial reporting process,
- Determine the nature, timing and extent of audit procedures and evaluate audit evidence,
- Consider the effect of the entity's dependence on e-commerce activities on its ability to continue as a going concern.

7. In some circumstances, the auditor may decide to use the work of an expert, for example if the auditor considers it appropriate to test controls by attempting to break through the security layers of the entity's system (vulnerability or penetration testing). When the work of an expert is used, the auditor obtains sufficient appropriate audit evidence that such work is adequate for the purposes of the audit, in accordance with SSA 620, Using the Work of an Expert. The auditor also considers how the work of the expert is integrated with the work of others on the audit, and what procedures are undertaken regarding risks identified through the expert's work.

Knowledge of the Business

8. SSA 310, Knowledge of the Business requires that the auditor obtain a knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that may have a significant effect on the financial statements or on the audit report. Knowledge of the business includes a general knowledge of the economy and the industry within which the entity operates. The growth of e-commerce may have a significant effect on the entity's traditional business environment.

9. The auditor's knowledge of the business is fundamental to assessing the significance of e-commerce to the entity's business activities and any effect on audit risk. The auditor considers changes in the entity's business environment attributable to e-commerce, and e-commerce business risks as identified so far as they affect the financial statements. Although the auditor obtains much information from inquiries of those responsible for financial reporting, making inquiries of personnel directly involved with the entity's e-commerce activities, such as the Chief Information Officer or equivalent, may also be useful. In obtaining or updating knowledge of the entity's business, the auditor considers, so far as they affect the financial statements:
- the entity's business activities and industry (paragraphs 10-12),
- the entity's e-commerce strategy (paragraph 13),
- the extent of the entity's e-commerce activities (paragraphs 14-16), and
- the entity's outsourcing arrangements (paragraphs 17-18).
Each of these is discussed below.

² International Education Guideline IEG II, "Information Technology in the Accounting Curriculum" issued by the Education Committee of IFAC, which defines the broad content areas and specific skills and knowledge required by all professional accountants in connection with IT applied in a business context, may assist the auditor in identifying appropriate skills and knowledge.
The Entity's Business Activities and Industry

10. E-commerce activities may be complementary to an entity's traditional business activity. For example, the entity may use the Internet to sell conventional products (such as books or CDs), delivered by conventional methods from a contract executed on the Internet. In contrast, e-commerce may represent a new line of business and the entity may use its web site to both sell and deliver digital products via the Internet.

11. The Internet lacks the clear, fixed geographic lines of transit that traditionally have characterized the physical trade of many goods and services. In many cases, particularly where goods or services can be delivered via the Internet, e-commerce has been able to reduce or eliminate many of the limitations imposed by time and distance.

12. Certain industries are more conducive to the use of e-commerce, therefore e-commerce in these industries is in a more mature phase of development. When an entity's industry has been significantly influenced by e-commerce over the Internet, business risks that may affect the financial statements may be greater. Examples of industries that are being transformed by e-commerce include:
- computer software,
- securities trading,
- banking,
- travel services,
- books and magazines,
- recorded music,
- advertising,
- news media, and
- education.
In addition many other industries, in all business sectors, have been significantly affected by e-commerce.

The Entity's E-Commerce Strategy

13. The entity's e-commerce strategy, including the way it uses IT for e-commerce and its assessment of acceptable risk levels, may affect the security of the financial records and the completeness and reliability of the financial information produced.
Matters that may be relevant to the auditor when considering the entity's e-commerce strategy in the context of the auditor's understanding of the control environment, include:
- involvement of those charged with governance in considering the alignment of e-commerce activities with the entity's overall business strategy,
- whether e-commerce supports a new activity for the entity, or whether it is intended to make existing activities more efficient or reach new markets for existing activities,
- sources of revenue for the entity and how these are changing (for example, whether the entity will be acting as a principal or agent for goods or services sold),
- management's evaluation of how e-commerce affects the earnings of the entity and its financial requirements,
- management's attitude to risk and how this may affect the risk profile of the entity,
- the extent to which management has identified e-commerce opportunities and risks in a documented strategy that is supported by appropriate controls, or whether e-commerce is subject to ad hoc development responding to opportunities and risks as they arise, and
- management's commitment to relevant codes of best practice or web seal programs.
The Extent of the Entity's E-commerce Activities

14. Different entities use e-commerce in different ways. For example, e-commerce might be used to:
- provide only information about the entity and its activities, which can be accessed by third parties such as investors, customers, suppliers, finance providers, and employees,
- facilitate transactions with established customers whereby transactions are entered via the Internet,
- gain access to new markets and new customers by providing information and transaction processing via the Internet,
- access Application Service Providers (ASPs), and
- create an entirely new business model.

15. The extent of e-commerce use affects the nature of risks to be addressed by the entity. Security issues may arise whenever the entity has a web site. Even if there is no third party interactive access, information-only pages can provide an access point to the entity's financial records. The security infrastructure and related controls can be expected to be more extensive where the web site is used for transacting with business partners, or where systems are highly integrated (see paragraphs 32-34).

16. As an entity becomes more involved with e-commerce, and as its internal systems become more integrated and complex, it becomes more likely that new ways of transacting business will differ from traditional forms of business activity and will introduce new types of risks.

The Entity's Outsourcing Arrangements

17. Many entities do not have the technical expertise to establish and operate in-house systems needed to undertake e-commerce. These entities may depend on service organizations such as Internet Service Providers (ISPs), Application Service Providers (ASPs) and data hosting companies to provide many or all of the IT requirements of e-commerce. The entity may also use service organizations for various other functions in relation to its e-commerce activities such as order fulfilment, delivery of goods, operation of call centres and certain accounting functions.

18. When the entity uses a service organization, certain policies, procedures and records maintained by the service organization may be relevant to the audit of the entity's financial statements. The auditor considers the outsourcing arrangements used by the entity to identify how the entity responds to risks arising from the outsourced activities. SSA 402, Risk Assessments and Internal Control - Audit Considerations Relating to Entities Using Service Organisations provides guidance on assessing the effect that the service entity has on control risk.

Risk Identification

19. Management faces many business risks relating to the entity's e-commerce activities, including:
- loss of transaction integrity, the effects of which may be compounded by the lack of an adequate audit trail in either paper or electronic form,
- pervasive e-commerce security risks, including virus attacks and the potential for the entity to suffer fraud by customers, employees and others through unauthorized access,
- improper accounting policies related to, for example, capitalization of expenditures such as website development costs, misunderstanding of complex contractual arrangements, title transfer risks, translation of foreign currencies, allowances for warranties or returns, and revenue recognition issues such as:
  - whether the entity is acting as principal or agent and whether gross sales or commission only are to be recognized,
  - if other entities are given advertising space on the entity's web site, how revenues are determined and settled (for example, by the use of barter transactions),
  - the treatment of volume discounts and introductory offers (for example, free goods worth a certain amount),
  - cut off (for example, whether sales are only recognized when goods and services have been supplied),
- noncompliance with taxation and other legal and regulatory requirements, particularly when Internet e-commerce transactions are conducted across international boundaries,
- failure to ensure that contracts evidenced only by electronic means are binding,
- over reliance on e-commerce when placing significant business systems or other business transactions on the Internet, and
- systems and infrastructure failures or "crashes".

20. The entity addresses certain business risks arising in e-commerce through the implementation of an appropriate security infrastructure and related controls, which generally include measures to:
- verify the identity of customers and suppliers,
- ensure the integrity of transactions,
- obtain agreement on terms of trade, including agreement of delivery and credit terms and dispute resolution processes, which may address tracking of transactions and procedures to ensure a party to a transaction cannot later deny having agreed to specified terms (non-repudiation procedures),
- obtain payment from, or secure credit facilities for, customers, and
- establish privacy and information protection protocols.

21. The auditor uses the knowledge of the business obtained to identify those events, transactions and practices related to business risks arising from the entity's e-commerce activities that, in the auditor's judgment, may result in a material misstatement of the financial statements or have a significant effect on the auditor's procedures or the audit report.

Legal and Regulatory Issues

22. A comprehensive international legal framework for e-commerce and an efficient infrastructure to support such a framework (electronic signatures, document registries, dispute mechanisms, consumer protection etc) does not yet exist. Legal frameworks in different jurisdictions vary in their recognition of e-commerce. Nonetheless, management needs to consider legal and regulatory issues related to the entity's e-commerce activities, for example, whether the entity has adequate mechanisms for recognition of taxation liabilities, particularly sales or value-added taxes, in various jurisdictions. Factors that may give rise to taxes on e-commerce transactions include the place where:
- the entity is legally registered,
- its physical operations are based,
- its web server is located,
- goods and services are supplied from, and
- its customers are located or goods and services are delivered.
These may all be in different jurisdictions. This may give rise to a risk that taxes due on cross-jurisdictional transactions are not appropriately recognized.
23. Legal or regulatory issues that may be particularly relevant in an e-commerce environment include:
- adherence to national and international privacy requirements,
- adherence to national and international requirements for regulated industries,
- the enforceability of contracts,
- the legality of particular activities, for example Internet gambling,
- the risk of money laundering, and
- violation of intellectual property rights.

24. SSA 250, Consideration of Laws and Regulations in an Audit of Financial Statements requires that when planning and performing audit procedures and in evaluating and reporting the results thereof, the auditor recognize that noncompliance by the entity with laws and regulations may materially affect the financial statements. SSA 250 also requires that, in order to plan the audit, the auditor should obtain a general understanding of the legal and regulatory framework applicable to the entity and the industry and how the entity is complying with that framework. That framework may, in the particular circumstances of the entity, include certain legal and regulatory issues related to its e-commerce activities. While SSA 250 recognizes that an audit cannot be expected to detect noncompliance with all laws and regulations, the auditor is specifically required to perform procedures to help identify instances of noncompliance with those laws and regulations where noncompliance should be considered when preparing financial statements. When a legal or regulatory issue arises that, in the auditor's judgment, may result in a material misstatement of the financial statements or have a significant effect on the auditor's procedures or the audit report, the auditor considers management's response to the issue. In some cases, the advice of a lawyer with particular expertise in e-commerce issues may be necessary when considering legal and regulatory issues arising from an entity's e-commerce activity.

Internal Control Considerations

25. Internal controls can be used to mitigate many of the risks associated with e-commerce activities.
In accordance with SSA 400, Risk Assessments and Internal Control, the auditor considers the control environment and control procedures the entity has applied to its e-commerce activities to the extent they are relevant to the financial statement assertions. In some circumstances, for example when electronic commerce systems are highly automated, when transaction volumes are high, or when electronic evidence comprising the audit trail is not retained, the auditor may determine that it is not possible to reduce audit risk to an acceptably low level by using only substantive procedures. CAATs are often used in such circumstances (refer to SAP 1009, Computer-Assisted Audit Techniques).

26. As well as addressing security, transaction integrity and process alignment, as discussed below, the following aspects of internal control are particularly relevant when the entity engages in e-commerce:
- maintaining the integrity of control procedures in the quickly changing e-commerce environment,
- ensuring access to relevant records for the entity's needs and for audit purposes.

Security

27. The entity's security infrastructure and related controls are a particularly important feature of its internal control system when external parties are able to access the entity's information system using a public network such as the Internet. Information is secure to the extent that the requirements for its authorization, authenticity, confidentiality, integrity, non-repudiation and availability have been satisfied.

28. The entity will ordinarily address security risks related to the recording and processing of e-commerce transactions through its security infrastructure and related controls. The security infrastructure and related controls may include an information security policy, an information security risk assessment, and standards, measures, practices, and procedures within which individual systems are introduced and maintained, including both physical measures and logical and other technical safeguards such as user identifiers, passwords and firewalls. To the extent they are relevant to the financial statement assertions the auditor considers such matters as:
- the effective use of firewalls and virus protection software to protect its systems from the introduction of unauthorized or harmful software, data or other material in electronic form,
- the effective use of encryption, including both:
  - maintaining the privacy and security of transmissions through, for example, authorization of decryption keys, and
  - preventing the misuse of encryption technology through, for example, controlling and safeguarding private decryption keys,
- controls over the development and implementation of systems used to support e-commerce activities,
- whether security controls in place continue to be effective as new technologies that can be used to attack Internet security become available,
- whether the control environment supports the control procedures implemented. For example, while some control procedures, such as digital certificate-based encryption systems, can be technically advanced, they may not be effective if they operate within an inadequate control environment.

Transaction Integrity

29. The auditor considers the completeness, accuracy, timeliness and authorization of information provided for recording and processing in the entity's financial records (transaction integrity). The nature and the level of sophistication of an entity's e-commerce activities influence the nature and extent of risks related to the recording and processing of e-commerce transactions.

30. Audit procedures regarding the integrity of information in the accounting system relating to e-commerce transactions are largely concerned with evaluating the reliability of the systems in use for capturing and processing such information.
In a sophisticated system, the originating action, for example receipt of a customer order over the Internet, will automatically initiate all other steps in processing the transaction. Therefore, in contrast to audit procedures for traditional business activities, which ordinarily focus separately on control processes relating to each stage of transaction capture and processing, audit procedures for sophisticated e-commerce often focus on automated controls that relate to the integrity of transactions as they are captured and then immediately and automatically processed.

31. In an e-commerce environment, controls relating to transaction integrity are often designed to, for example:
- validate input,
- prevent duplication or omission of transactions,
- ensure the terms of trade have been agreed before an order is processed, including delivery and credit terms, which may require, for example, that payment is obtained when an order is placed,
- distinguish between customer browsing and orders placed, ensure a party to a transaction cannot later deny having agreed to specified terms (non-repudiation), and ensure transactions are with approved parties when appropriate,
- prevent incomplete processing by ensuring all steps are completed and recorded (for example, for a business to consumer transaction: order accepted, payment received, goods/services delivered and accounting system updated) or if all steps are not completed and recorded, by rejecting the order,
- ensure the proper distribution of transaction details across multiple systems in a network (for example, when data is collected centrally and is communicated to various resource managers to execute the transaction), and
- ensure records are properly retained, backed-up and secured.

Process Alignment

32. Process alignment refers to the way various IT systems are integrated with one another and thus operate, in effect, as one system. In the e-commerce environment, it is important that transactions generated from an entity's web site are processed properly by the entity's internal systems, such as the accounting system, customer relationship management systems and inventory management systems (often known as "back office" systems). Many web sites are not automatically integrated with internal systems.

33. The way e-commerce transactions are captured and transferred to the entity's accounting system may affect such matters as:
- the completeness and accuracy of transaction processing and information storage,
- the timing of the recognition of sales revenues, purchases and other transactions, and
- identification and recording of disputed transactions.

34. When it is relevant to the financial statement assertions, the auditor considers the controls governing the integration of e-commerce transactions with internal systems, and the controls over systems changes and data conversion to automate process alignment.

The Effect of Electronic Records on Audit Evidence

35. There may not be any paper records for e-commerce transactions, and electronic records may be more easily destroyed or altered than paper records without leaving evidence of such destruction or alteration. The auditor considers whether the entity's security of information policies, and security controls as implemented, are adequate to prevent unauthorized changes to the accounting system or records, or to systems that provide data to the accounting system.

36. The auditor may test automated controls, such as record integrity checks, electronic date stamps, digital signatures, and version controls when considering the integrity of electronic evidence. Depending on the auditor's assessment of these controls, the auditor may also consider the need to perform additional procedures such as confirming transaction details or account balances with third parties (refer to SSA 505, External Confirmations).