Auditing E-Commerce Activities
Mujahid Eshai FCA
The International Auditing Practices Committee issued the International Auditing Practice Statement (IAPS) 1013 on ‘Electronic Commerce - Effect on the Audit of Financial Statements’ in March 2002. The purpose of the said IAPS is to provide guidance to assist auditors of financial statements where an entity engages in commercial activity that takes place through the Internet (e-commerce).

What if the level of assurance is not satisfactory? How will the concept of ‘materiality’ be applied and interpreted? 8. Does the preparation of the financial statements of an entity conducting business electronically differ significantly from the methodology adopted in conventional modes of business? If e-commerce merely relates to the booking of sales orders electronically and the goods are to be delivered through conventional modes, how does it affect the assurance about recording of all transactions on a computer-based accounting system?
What comes first to mind...?
A change in the way an organisation conducts its activities using contemporary technology should logically be reflected in the audit approach. Talking of e-commerce, for a discerning auditor, the ‘minimum’ is to seek guidance on questions like: 1. Does the audit objective change in any way because transactions are being conducted and recorded electronically? How does the auditors’ responsibility change and what extra work, if any, is required for collecting the audit evidence that supports an unqualified audit opinion? How do computerization and electronic commerce change the emphasis on ensuring effective accounting and internal controls? Does the possibility of fraud increase? If yes, how to tackle the issue? How does it impact the conduct of an audit? Is it mandatory to conduct a business impact analysis to determine the role of E-Commerce to the survival of the organization? How closely should the E-commerce activities be aligned to existing corporate strategy? Would this relationship impact the formation of a true and fair view? Is it fundamental to ensure that the Web servers and other systems (and processes) involved in the delivery of E-Commerce are a part of a contingency plan? Will the audit involve assessing the e-service providers to address the apparently high risk levels that exist in an e-commerce environment?
10. If the orders are booked electronically and goods delivered electronically, how substantial will the effect be on the assurance regarding all transactions being recorded?
11. How should the auditor ensure that the sale transactions are genuine and the parties/customers actually exist?
12. How to verify that the sales were made to the territory wherefrom the orders actually arose? How will the Customs laws and regulations relating to imports be complied with?
This IAPS is written for situations where the entity engages in commercial activity over a public network, such as the Internet. Much of the guidance can also be applied when the entity uses a private network. However, the caveat here is that ‘while much of this guidance will be helpful when auditing entities formed primarily for e-commerce activities (often called ‘dot coms’) it is not intended to deal with all audit issues that would be addressed in the audit of such entities.’ (Para 5, IAPS-1013). With direct reference to conduct of an audit, the burning question is: ‘Would other Auditing Standards and Statements be still applicable in their entirety or should they be applied as resolved by the Auditor on a ‘selective’ basis?’
The Pakistan Accountant
Jan-Feb 2003
An unaddressed breakdown of system can cause loss of revenue and customers and loss of customer confidence. checks. environment and associated concerns. E-commerce is the secure conduct of business functions between businesses. A successful and reliable E-commerce environment depends on a careful integration of process. the processes in use. security. Businesses and Customers are equally concerned about the confidentiality and privacy of information that is provided or shared. reliability and comparability – the four qualitative characteristics of financial statements. These elements may have a direct bearing on the compilation of financial information. reflecting the results of the operations conducted in an e-commerce environment. 8. e-business refers to ‘all’ business activities. On the other hand. Handbook What ‘E-Commerce’ means? 1. as these are an essential part of operating a business and measuring the performance. traceability. authenticity. such as buying and selling of goods and services. operations and consumer packaged goods applications. What systems are involved in delivering the service to customers? How does each segment of the system interact with each other to deliver the service to the customer? What is the overall security architecture and what are the ways in which it can be modified/accessed or amended? 11. However. technology is only being used to implement already operational manual processes and procedures to reach a larger market. 9. relevance. privacy. 3. The audit plan for undertaking an audit of the financial statements. technology and implementation to achieve the final result. Technology includes the overall system and network architecture. a business in any environment. and it must operate as the customer expects it to (integrity). completeness. as well as the technology available to perform the work. more so in e-commerce. repudiation and technology outages and usage. priorities. www.
7. 2. it must be available whenever a customer wants to use it (availability). the associated risks and assessments of internal controls. will mirror the environment in which the business operates. The Professional Accountant and E-Commerce To achieve the objective of understandability. financial and non-financial. such as customer relations and communications. timeliness and accuracy.org technology is an important component of reliability. while some of the key vertical elements include financial services. 5. Horizontal elements include business-to-business (B2B) and business-to-consumer (B2C) processes. of International Auditing. and Ethics Pronouncements (2003 Edition) can be downloaded free of charge from 10. Such decision-making is supported with a robust and updated systems and The environment should cater for the collection of operational statistics. The environment must provide for suitable contingency plans in case there is a breakdown of the main system so that the customers can access business without interruption. ensures that all decisions. Assurance. The e-commerce environment must be reliable. Technology is only a part of the entire picture not the picture itself. The work of an accountant in an e-commerce environment will also reflect the introduction of certain new elements in audit approach. 12. The e-commerce environment has not only to assure that the legislation of the country where both the business and the customer are located is complied with but also sufficient and suitable controls are in place to safeguard the privacy of information provided or shared. An E-commerce environment is designed with confidentiality integrity and availability as .ifac. Reliability is a major component of security. However the distinction is that . their partners and customers using electronic means such as the internet and computer based applications. In essence. 4.
How does the term ‘E-Commerce’ differ from ‘E-Business’? These terms are often used interchangeably. Achieving the final goal depends on a comprehensive strategy. The electronic commerce landscape consists of horizontal and key vertical elements. The E-commerce environment is more affected by changing business models and regulatory issues than by changing technology only. that is. 6. Customers will not only want to have confidence in the reliability of the environment to deliver in a secure and private environment but also that if things go wrong they have a method of contacting the business for timely resolution of the problem. e-commerce is used to refer solely to ‘transactional activities’. are taken in accordance with the best practices and codes of corporate governance. So far we have briefly defined the e-commerce . understanding legal and export issues.
Table 1: E-commerce Activities - Maintaining Accounting Information. Additional Qualitative Principles

PRINCIPLE: CRITERIA
Confidentiality: Maintaining controls to protect transmission of information from unidentified recipients
Integrity: Maintaining controls to protect the E-commerce system against unauthorised modifications (firewalls)
Availability: Maintaining controls to assure the defined availability of the E-commerce system
Authorisation: Maintaining controls to assure that access is restricted to authorised individuals
Authenticity: Maintaining controls to identify the customers exactly (digital signature)
Non-repudiation: Maintaining controls to assure that E-commerce transactions are processed completely, accurately and in conformity with disclosed business procedures so that the entity is bound to the contract
Completeness: Complete processing of all transactions and relevant information transmitted
Accuracy: Accurate processing of all transactions and relevant information transmitted
Timeliness: Recording of all transactions and relevant information when transmitted
Structure: Appropriate structure for all transactions and relevant transmissions
Traceability: Documentation of all transactions and relevant transmissions so that an independent third party can reconstruct the audit trail
Unalterability: Documentation of all changes arising after the transmission of transactions and relevant information

An IT control system should be compiled to secure IT environment throughout the Organisation. Accordingly. structure. reliability. that ‘the guidance in this Statement is particularly relevant to the application of ISA 300. The IAPS does. authenticity. These principles and criteria followed to ensure proper accounting and security in e-commerce environment are stated in Table 1. in all material respects. it is logical to assume that all other ISAs. Security.commerce environment. and audit trail. data and information within the IT system. authorisation . procedures. integrity and availability of transactions. storage and communication of financial information and may affect the accounting and internal control systems employed by the entity. In an e. Security encompasses data protection. the principles and qualitative aspects in preparation of financial statements remain unaltered but require adherence to opinion whether the financial statements are prepared. ISA-200) A relevant point here is that IAPS 1013 is a ‘Statement’ and not a ‘Standard’. confidentiality. Knowledge of the Business’ and ISA 400.
nature of competition and a host of other matters when planning and undertaking an audit. the processing . In addition. The IAPS are issued to provide ‘practical assistance to auditors in implementing the International Standards on Auditing or to promote good practice. non. as they stand and read today. However the use of a computer changes . The principles to follow in compiling financial records are completeness. the auditor gains knowledge of the business. The IT environment would include the infrastructure. additional principles. It would therefore be correct to state that the Objective of an audit as stated above does not undergo any change at all because of the E-Commerce environment. in accordance with an identified financial reporting framework. the economic trends and general conditions.’ ‘The objective of an audit of financial statements is to enable the auditor to express an ’ Accordingly. are applicable to the audit of financial statements in an e-commerce environment. Planning. accuracy. ISA 310. The prerequisite for ensuring proper accounting in an E-Commerce environment is the security surrounding the entire system.
The Auditor requires necessary skills and knowledge to carry out risk assessments in each of these areas to the extent necessary in forming an audit opinion. timeliness. a CIS environment may affect: Using IAPC-1013 for implementing ISAs – AN OVERVIEW Audit Objective. suitable but stringent principles of internal control and checks. Risk Assessments and Internal Control. ‘The overall objective and scope of an audit does not change in a CIS (Computer Information System) environment. however explain its scope by stating .repudiation. IT Applications and IT-aided business cycles.
The procedures followed by the auditor in obtaining a sufficient understanding of the accounting and internal control systems." (Para 7. timing and extent of audit procedures and in evaluating audit evidence. It may involve the use of third party Internet service providers or digital signature verifiers. including the security infrastructure and related controls. Accordingly. The auditor’s design and performance of tests of control and substantive procedures appropriate to meet the audit objective. The objective of International Auditing and Assurance Standards Board (IAASB) is to improve auditing and assurance standards and the quality and uniformity of practice throughout the world thereby strengthening public confidence in the global auditing profession and serving public interest. as it affects the financial reporting process. The auditor considers whether the personnel assigned to the engagement have appropriate IT and Internet business knowledge to perform the audit. timing and . the management and auditor may draw wrong conclusions as a Going Concern. ISA-401) Service Providers in E-Commerce. To plan the audit work the ISA requires that ‘the auditor should develop and document an overall audit plan describing the expected scope and conduct of the audit. to assess the entity’s e-commerce strategy and activities. The IAPS refers to ISA 402 'Audit Considerations Relating to Entities Using Service Organisations' on this matter. may have far reaching effect on the ability of an entity to maintain or undertake business in future. should a component or location become unavailable. ISA-402) Other Issues The issues in an e. particularly the adequacy of the internal control system.’ (Para 6. going concern issues. supervision and review.
It helps auditor consider the effect of the entity’s dependence on e-commerce activities on its ability to continue as a going concern. The issues relate to Connectivity. risk and materiality nature. the auditor should obtain sufficient information to understand the accounting and internal control systems and to assess control risk at either the maximum. E-commerce activities are conducted in a computerised environment in real time and on-line. ’ (Auditing in a Computer Information Systems Environment.commerce activities affect the financial statements.commerce environment are not restricted to the accounting and internal control system of the client or the service organisation employed in that environment. Similarly. The appropriateness of the audit plan will be subjected to the IT knowledge of the auditor and the latter’s ability to apply the same in drawing up the plan. IAPS-1013) The auditor requires the information technology (IT) and Internet business knowledge skills to understand how e. For example. or at a lower level if tests of control are performed. arrangements for or lack of immediate availability of alternative locations. Audit Planning ‘The auditor should plan the audit work so that the audit will be performed in an effective manner (ISA. understanding the accounting and internal control systems. the technology used to facilitate the entity’s e-commerce activities and the IT skills and knowledge of entity personnel. Such situations affect overall business goals and targets and without its awareness. the auditor obtains a complete and comprehensive understanding of all components of the electronic environment in which the business operates. if the Internet connectivity speed and capacity is low it can affect the business volume and marketability of an entity.
The auditor assures the security and privacy issues surrounding the service providers and the effectiveness of these measures. The consideration of inherent risk and control risk through which the auditor arrives at the risk assessment. coordination. direction. It is therefore evident that the IT expertise of auditors is to be quite thorough to carry out the task personally or through an IT expert (on whose work auditor relies). extent of procedures. "If the Client auditor concludes that the activities of the service organisation are significant to the entity and relevant to the audit. Auditor Knowledge of IT ‘The level of skills and knowledge required to understand the effect of e-commerce on the audit will vary with the complexity of the entity’s e-commerce activities. Such knowledge helps auditor in assessing the risks involved in the entity’s use of e-commerce and the entity’s approach to managing those risks.’ 300 ‘Planning’).
" (IAPS. (Para 13. The recent failure of dotcom companies serves us as a reminder. The auditor will further consider management’s evaluation of how e-commerce affects the earnings of the entity and its financial requirements. IAPS 1013) It is almost ‘assumed’ that the auditor possesses a thorough knowledge and understanding of e-commerce and the related risks and issues and computerised environment generally to provide a high level of assurance to ‘stakeholders’. whether the entity will be acting as a principal or agent for goods or services sold). and management’s commitment to relevant codes of best practice or web seal programs. It clearly means that an educated understanding of the IT environment and its effects on the business should be on display in audit work. how revenues are determined and settled by the use translation of foreign currencies. such as: loss of transaction integrity (compounded by the lack of an adequate audit trail in either paper or electronic form).400. This requirement cannot be satisfied by ‘assuming’ adequacy of conventional approaches to a new environment. misunderstanding of complex contractual arrangements. completeness. employees and others through unauthorized access). or whether e-commerce is subject to ad hoc development responding to opportunities and risks as they arise. Auditor also considers the cash flows for the entity to see how these are changing (for example. The management’s attitude to risk and how this may affect the risk profile of the entity. ’(Para 16. and reliability of the financial information produced. hence.
allowances for warranties or returns) and revenue recognition issues (such as whether the entity is acting as principal or agent and whether gross sales or commission only are to be recognized if other entities are given advertising space on the entity’s web site. it becomes more likely that new ways of transacting business will differ from traditional forms of business activity and will introduce new types of risks. To this. the response is that ‘as an entity becomes more involved with e-commerce. pervasive e-commerce security risks (example. title transfer risks. capitalization of expenditures such as website development costs. We can argue that nothing really has changed except the mode of transacting a business. (Para 9. When considering the entity’s e-commerce strategy the auditor’s understanding of the control environment includes considering the involvement of management in aligning e-commerce activities with the entity’s overall business strategy. IAPS-1043). virus attacks and the fraud by customers. the extent to which management has identified e-commerce opportunities and risks in a documented strategy that is supported by appropriate controls. and e-commerce business risks as identified so far as they affect the financial statements’. the conventional approaches to carry out the audit are valid. a birds’ eye view or a superficial knowledge of the technical and business environment for reaching an audit opinion on the Financial Statements prepared in an Electronic Commerce or Computerised environment. The auditor should use professional judgement to assess audit risk and to design audit procedures to ensure it is reduced to an acceptably low level. Audit Approach An entity’s e-commerce strategy affects the integrity of the financial records and the security. are also considered. and as its internal systems become more integrated and complex.
Auditor weighs whether e-commerce supports a new activity for the entity. or whether it is intended to make existing activities more efficient or reach new markets for existing activities. ‘the auditor should obtain an understanding of the accounting and internal control systems sufficient to plan the audit and develop an effective audit approach. improper accounting policies (for example. Knowledge of the Business ‘The auditor’s knowledge of the business is fundamental to assessing the significance of e-commerce to the entity’s business activities and any effect on audit risk. Risk Assessments and Internal Controls) Risk Identification Management faces many business risks relating to the entity’s e-commerce activities. Furthermore. IAPS-1013) This clearly establishes the impact of e-commerce on a business. What goes to the trash bin is the already flawed idea that an auditor can have an outsiders’ view. The auditor considers changes in the entity’s business environment attributable to e-commerce.
The bottom line here is that auditors will have to be re-skilled. may result in a material misstatement of the financial statements or have a significant effect on the auditor’s procedures or the audit report. which generally include measures to verify the identity of customers and suppliers. and systems and infrastructure failures or ‘crashes’. obtain agreement on terms of trade. transactions and practices related to business risks. ‘Factors that may give rise to taxes on e-commerce transactions include the place where: the entity is legally registered. including agreement of delivery and credit terms and dispute resolution processes. because it's relatively easy to update an exclusive series to reflect contemporary technological developments. The need is there for the integration of IT into the existing ISA or perhaps an exclusive series of ISAs dealing with the auditing in an electronic environment. The auditor uses the knowledge of the business to identify events. Also. ensure the integrity of transactions. non-compliance with taxation and other legal and regulatory requirements. The associated risk is that taxes due on cross-jurisdictional transactions are not appropriately recognized. auditors will need appropriate additional training and development. Taxation. The latter option is recommended. information protection protocols. in the auditor’s judgment. failure to ensure that contracts evidenced only by electronic means are binding. its web server is located. arising from the entity’s e-commerce activities that. IAPS 1013) These may all be in different jurisdictions. and its customers are located or goods and services delivered. acquire sufficient knowledge to understand the e-commerce trading environment and the technological issues involved.
as the traditional business environment will continue for some time in large parts of the world. particularly when Internet e-commerce transactions are conducted across international boundaries. the treatment of volume discounts and introductory offers like free goods worth a certain amount. This surely calls for an appropriate training strategy from National Accounting Bodies. its physical operations are based. whether sales are only recognized when goods and services have been supplied). and establish privacy and . goods and services are supplied from. or secure credit facilities for customers. (See Table 2 for further guidance on physical goods and digital goods).commerce through the implementation of an appropriate security infrastructure and related controls. To perform effectively in the new environment. Para 19 to 21) The entity addresses certain business risks arising in e. obtain payment from. ’ (Para 22. (IAPS 1013. cut off (for example. which may address tracking of transactions and procedures to ensure a party to a transaction cannot later deny having agreed to specified terms (non-repudiation procedures). CONCLUSION The guidance made available in IAPS 1013 is a welcome addition. over reliance on e-commerce when placing significant business systems or other business transactions on the Internet. The of barter transactions.

About the Author: Mr. Mujahid Eshai is a Fellow member of ICAP and a practicing Chartered Accountant since 1985. He is a sitting member of ICAP Council, IFAC’s Information Technology Committee and Co-Chairman of WTO-SAFA Sub-Committee.