In April 2001 the Auditing Practices Board published a Bulletin E-business: Identifying Financial Statement Risks and in October 2001, IFAC’s International Auditing Practices Committee issued an Exposure Draft1 of a Proposed International Auditing Practice Statement Electronic Commerce Using the Internet or Other Public Networks – Effect on the Audit of Financial Statements.
Both the Bulletin and the ED IAPS explain that the terms ‘e-commerce’ and ‘e-business’ have no standard definitions and are often used interchangeably. Where a distinction is made it is typically that e-commerce refers solely to transactional activities (e.g. buying and selling goods and services) whereas e-business is wider and also encompasses non-transactional business activities (e.g. customer relations).
This article focuses on the effect of e-business/e-commerce as a current development in auditing. It does not describe the nature of e-commerce, B2B, EDI, etc.
The purpose of the proposed IAPS is to:
provide guidance on the application of Auditing Standards where the reporting entity uses the Internet (or other public network) for e-commerce; and
enhance awareness of the audit issues in this developing area.
Auditing standards relevant to the Bulletin and the IAPS include those on:
Planning (ISA 300/SAS 200);
Knowledge of the business (ISA 310/SAS 210);
Risk assessments and internal control (ISA 400/SAS 300);
Auditing in a computer information systems environment (ISA 4012).
Clearly the purpose of an audit of financial statements, where the reporting entity is engaged in ‘Internet e-com’, is no different to any other audit of financial statements. The proposed IAPS has not been written for:
assurance engagements required to form an opinion on an entity’s Internet e-com systems or activities; or
‘dot coms’ (i.e. entities formed primarily for Internet e-com activities), though some of the guidance may be helpful.
For the purposes of this article ‘Internet e-com’ and ‘e-business’ will be referred to simply as ‘e-com’.
Skills and knowledge
The auditor requires appropriate levels of IT and e-com skills and knowledge to understand the potential impact on the financial statements of:
the entity’s e-com strategy and activities;
the technology used and the IT skills and knowledge of entity staff;
the risks arising from the entity’s use of e-com;
the entity’s approach to managing those risks; and
the adequacy of the internal control system as it affects the financial reporting process.
Specialist skills and knowledge may be required, for example:
to understand the inherent risks and management’s response to them;
to make suitable enquiries and understand the implications of responses received;
to determine the nature, extent and timing (‘NET’) of audit procedures and evaluate audit evidence in terms of its relevance, reliability and sufficiency (‘RRS’);
to evaluate the effect of the entity’s ability to continue as a going concern (having regard for its dependence on e-com activities).
If the auditor uses the work of an expert (e.g. if it is appropriate for a professional to test security through vulnerability or penetration tests) ISA 620 Using the Work of an Expert (equivalent to SAS 520) will be relevant.
Knowledge of the business
ISA 310 and SAS 210 require that the auditor obtain a knowledge of the business sufficient to enable the auditor to identify and understand the events, transactions and practices that may have a significant effect on the financial statements or the auditors’ report thereon. This includes general knowledge of:
the industry within which the entity operates; and
the effect e-com may have on the traditional business environment.
In considering the impact of e-com business risks on the reporting entity’s financial statements the auditor should assess the entity’s:
involvement with e-com;
business activities and industry; and
Extent of involvement in Internet e-com
Internet e-com can be used to:
provide only information (e.g. about the entity’s activities) which can be accessed by third parties (e.g. investors, customers, suppliers, providers of finance and employees);
process business transactions with established customers;
gain access to new markets and new customers by providing information and transaction processing via the Internet;
access Application Service Providers (ASPs);
create an entirely new business model.
The risks of simply providing information without third party interactive access, are relatively low, whereas the security infrastructure and related controls will need to be more extensive when a website is used for transacting business. Also, conducting business through a public network is inherently riskier than through a private network.
Business activities and industry
E-com activities may:
be complementary to a traditional business activity (e.g. selling books, CDs, or other conventional products, delivered by conventional methods from a contract initiated via the website); or
represent a new line of business (e.g. selling and delivering downloadable products via the Internet).
The effect of business risks on an entity’s financial statements may be greater in those industries that have been most influenced by e-com. For example:
computer software and hardware;
banking and securities trading;
travel and holiday services;
books, magazines and recorded music;
advertising, news and media;
gifts and ‘mail order’;
Internet e-com strategy
The security, completeness and reliability of an entity’s financial information may be affected by:
the way IT is used for e-com; and
the entity’s assessment of acceptable risk levels.
An e-com strategy should consider business risks, including risks inherent in the technology used. Although these risks may be mitigated by the internal control system, particularly the security infrastructure and related controls, there will always be some residual risk that cannot be eliminated (e.g. arising from ‘hackers’).
Management must therefore determine the level of risk it is willing to accept regarding its e-com activities based on a trade-off between:
the entity’s tolerance for risk; and
the cost-effectiveness of added controls and other risk management techniques.
In considering the entity’s e-com strategy, and how it fits with its overall business strategy, the auditor should assess:
whether e-com supports a new activity or is expected to improve the efficiency of existing activities;
sources of revenue and how these are changing (e.g. whether the entity will be acting as a principal or agent for goods or services sold);
management’s evaluation of how e-com affects earnings and financial requirements;
management’s attitude to risk and how this may affect the entity’s risk profile;
the extent to which e-com opportunities and risks have been identified in a documented strategy that is supported by appropriate controls (or whether development of e-com is on an ad hoc basis – responding to opportunities and risks as they arise).
The auditor should identify those business risks arising from e-com activities that may have a material effect on the financial statements, the conduct of the audit or the auditor’s report, e.g:
loss of transaction integrity (which may be compounded by a lack of ‘audit trail’);
pervasive e-com security risks (e.g. denial-of-service, viruses and fraud through unauthorised access – see also below);
non-compliance with legal and regulatory requirements (including taxation), especially when transacting across international boundaries;
failure to ensure that contracts evidenced only by electronic means are binding (e.g. by failing to ensure the authenticity of third parties);
systems and infrastructure failures or ‘crashes’;
improper accounting policies related to capitalisation (e.g. of website development costs) and revenue recognition issues;
going concern risks.
Revenue recognition issues include:
whether the entity is acting as principal or agent;
whether gross sales or commission only should be recognised;
how revenues are determined and settled (e.g. by the use of barter transactions) if other entities are given advertising space on the entity’s web site;
the treatment of volume or ‘bulk’ discounts and introductory offers (e.g. free goods or ‘money off’ vouchers);
cut-off (e.g. whether sales are only recognised when goods and services have been supplied).
Recording and processing e-com transactions – security risks
When a private network is used for commercial activities (e.g. EDI), transactions are transmitted between trading partners through a dedicated ‘pipeline’ with secure access provided only to trading partners. However, when commercial activities are carried out over the Internet, the ‘pipeline’ is a ‘public highway’ and, if appropriate security controls are not established, the information in the ‘pipeline’ might be intentionally or accidentally accessed by unauthorised parties. There are pervasive security risks associated with e-com because, for example:
internet protocols may carry no identity, so anyone can hold themselves out to be someone else;
the network, transport and data layers of the Internet may not have been designed with security in mind;
there is no central management of the Internet.
Further security risks arise from processing transactions over the Internet. For example:
reliance on relevant and adequate systems design to prevent or detect and report exceptions for human intervention;
reliance on programmed controls dealing with large volumes of transactions at fast processing speeds, with adequate controls to prevent errors or detect abuses; and
risks arising from remote transactions initiated by users, including controls to distinguish between a customer or supplier, an employee and a hacker.
Management may be particularly concerned with the adequacy of security measures where:
there is direct access via a public network to the entity’s systems and to customer information;
payments (e.g. electronic funds transfers and credit card payments) are processed via the Internet;
failure of encryption-based security could allow crimes to be carried out more easily over the Internet.
Security infrastructure and related controls
Some business risks arising in e-com should be addressed through the implementation of an appropriate security infrastructure and related controls to:
confirm the identity of customers and suppliers;
ensure the integrity of transactions;
obtain payment from, or secure credit facilities for customers;
facilitate the return of goods and claims under product warranties;
establish privacy and information protection protocols;
meet taxation and other legal and regulatory compliance issues;
agree terms of trade including transaction tracking and non-repudiation procedures (i.e. procedures to ensure a party to a transaction cannot later deny having agreed to specified terms).
Legal and regulatory issues
Currently there is no international legal framework for e-com nor an efficient infrastructure to support such a framework (e.g. electronic signatures, document registries, dispute mechanisms, consumer protection, etc). However, ISA 250 Consideration of Laws and Regulations in an Audit of Financial Statements (equivalent to SAS 120) requires that an auditor recognises that non-compliance with laws and regulations may materially affect the financial statements when planning and performing audit procedures and in evaluating and reporting the results thereof.
Although an auditor cannot be expected to detect non-compliance with all laws and regulations, he may need to consider whether the entity’s mechanisms for recognition of taxation liabilities in various jurisdictions are adequate. Taxes on e-com transactions may arise depending on where:
the entity is legally registered;
physical operations are based;
the web server is located;
goods and services are supplied from;
customers are located.
These may be in different jurisdictions with differing mechanisms for double tax relief.
Other legal or regulatory issues that may affect the financial statements include:
complying with national and international privacy requirements;
meeting requirements for regulated industries;
the enforceability of contracts;
the legality of particular activities (e.g. Internet gambling);
the risk of money laundering (not in the Paper 3.1 syllabus); and
contravention of intellectual property rights.
The auditor should consider management’s responses to these issues and seek advice of an informed legal practitioner, as necessary.
Internal control considerations
The auditor should consider the effectiveness of the control environment and control procedures which can mitigate many of the risks associated with e-com activities (to the extent they are relevant to the financial statement assertions) in accordance with ISA 400 Risk Assessments and Internal Control (SAS 300).
The following aspects of internal control, which are described below, are particularly relevant:
transaction integrity; and
maintaining the integrity of control procedures in a rapidly changing technological environment;
ensuring access to relevant records to meet the entity’s needs and for audit purposes.
When external parties are able to access an entity’s information system using a public network, the entity’s security infrastructure and related controls will be a particularly important feature of its internal control system. Information is only secure to the extent that all requirements for its authorisation, authenticity, confidentiality, integrity and availability have been satisfied.
The security infrastructure and related controls may include:
an information security policy;
an information security risk assessment;
physical measures; and
logical and other technical safeguards (e.g. user identifiers, passwords and firewalls).
Security risks related to the recording and processing of e-com transactions will usually be addressed through the security infrastructure and related controls. To the extent that they are relevant to the financial statement assertions the auditor considers, for example:
the use of firewalls to protect systems from unauthorised or harmful software, data or other material in electronic form;
the use of encryption to maintain the privacy and security of transmissions (e.g. through authorized decryption keys);
controls over the development and implementation of systems used to support e-com activities;
whether existing security controls continue to be effective as new technologies that can be used to attack Internet security become available;
whether the control environment supports the control procedures implemented – as with any system, even sophisticated control procedures may not be effective if they operate within an inadequate control environment.
The nature and extent of risks related to the completeness, accuracy, timeliness and authorisation of information provided for recording and processing in the financial records (transaction integrity) depends on the nature and the level of sophistication of e-com activities.
Audit procedures regarding transaction integrity seek to evaluate the reliability of the systems in use for capturing and processing information to the accounting records. Manual or poor interfaces between e-com and the accounting records may result in incomplete or otherwise inaccurate data capture and/or transfer.
When the originating action (e.g. receipt of a customer order over the Internet) automatically initiates all other stages in processing the transaction, audit procedures will focus on the automated controls that relate to the integrity of transactions as they are captured and then immediately and automatically processed. Such controls are often designed to:
prevent duplication or omission of transactions;
ensure transactions are recorded in the correct accounting period;
ensure the terms of trade have been agreed before an order is processed (e.g. if payment is required when an order is placed);
distinguish between customer browsing and orders placed (so that browsing is not incorrectly treated as an order);
ensure non-repudiation (i.e. a party to a transaction cannot later deny having agreed to specified terms);
ensure transactions are with approved parties (when appropriate);
address issues that might cause any part of the transaction to fail (e.g. credit card authorisation failure);
prevent incomplete processing by ensuring all steps are completed and recorded or otherwise rejecting the order (e.g. for a B2C transaction: order accepted, payment received, goods/services despatched and accounting system updated);
ensure the proper distribution of transaction details (e.g. when data is collected centrally and communicated to others to execute the transaction);
ensure records are properly retained and accounts balance after each transaction.
The way different IT systems are integrated with one another so as to operate as one system (i.e. process alignment) is particularly important for e-com. Transactions generated on a website must be properly processed by internal ‘back office’ systems (e.g. accounts, customer relationships and inventory management). Many websites are not automatically integrated with such systems.
The way e-com transactions are captured and transferred to the entity's accounting system may affect:
the completeness and accuracy of transaction processing and information storage;
the timing of revenue recognition (also purchases and other transactions);
identification and recording of disputed transactions.
When it is relevant to the financial statement assertions, the auditor considers the controls over:
the integration of e-com transactions with internal systems (e.g. full integration with accounting systems is relatively rare); and
systems changes to automate process alignment (including the entity’s ability to facilitate change management and to train existing staff).
Audit evidence – the effect of electronic records
There may not be any paper records for e-com transactions and electronic records may be more easily destroyed or altered than paper records without leaving evidence of destruction or alteration. The auditor must therefore consider whether security of information policies and the security controls implemented are adequate to prevent unauthorised changes to the accounting system.
When considering the integrity of electronic evidence the auditor may test automated controls including:
record integrity checks;
electronic date stamps;
digital signatures; and
Depending on the auditor’s assessment of the appropriateness of design and effectiveness of these controls, the auditor may also consider the need for external confirmation of transaction details or account balances (ISA 505).
Systems and infrastructure failures
Systems failures can be caused by:
disk system failure; or
software failure, either at the entity or at a service organization (used for outsourced functions).
Infrastructure failures are not ordinarily within the direct control of the entity and may be caused by:
major trunk line failure; or
Systems and infrastructure failures may result in:
damage to an entity’s reputation with potential loss of customers;
loss of data; and
loss of payment subsequent to the delivery of a product or service.
When e-com activities are significant the auditor should consider the measures taken by the entity to:
prevent systems failures; and
ensure business continuity in the event of a system or infrastructure failure.
Entities which do not have the necessary technical expertise may depend on service organizations, e.g:
Internet Service Providers (ISPs);
Application Service Providers (ASPs); and
data hosting companies.
Service organisations may also be used for e-com related activities (e.g. order fulfilment, delivery of goods, call centre operations and some accounting functions). Certain policies, procedures and records maintained by the service organisation may then be relevant to the audit of the entity’s financial statements. The auditor considers how the entity responds to risks arising from the outsourced activities in accordance with ISA 402 Audit Considerations Relating to Entities Using Service Organizations (SAS 480) including business continuity plans and service level agreements (e.g. security response times and back-up), if relevant.
Many businesses report losses on e-com activities (which can be expensive to implement and support) when starting up. Significant losses may cast doubt on the going concern basis. When e-com is particularly important to an industry in which an entity’s own e-com activities are not well developed, questions about the entity’s business prospects may cast significant doubt on its ability to continue as a going concern – especially when cash is spent more quickly than it is earned. When significant doubt exists, the auditor considers ISA 570 Going Concern (SAS 130) and the need to obtain information concerning the entity’s liquidity position and its financing arrangements.
Students should appreciate that this article considers only one aspect of the impact of IT developments on current auditing, namely its impact on the audit of financial statements. Another aspect arises from the increasing trend towards the publication of performance measures and projections, both financial and non-financial (e.g. the number of registered users, ‘hits’ or downloads). Where such indicators are published with financial statements, ISA 720 Other Information in Documents Containing Audited Financial Statements (SAS 160) will clearly be relevant.