CHAPTER 7 E-BUSINESS RISKS

CHAPTER CONTENTS
INTRODUCTION
E-BUSINESS MODELS
THE TECHNOLOGY OF E-BUSINESS
  Protocols, Software, and Hardware
  HTML and XML
UNDERSTANDING E-BUSINESS RISK
  Privacy and Confidentiality
  Securing Information and Maintaining System Availability
  Transaction Integrity and Business Policies
SPECIALIZED E-BUSINESS APPLICATIONS
  EDI
  Collaborative Commerce
  E-mail Security and Privacy
MANAGING THIRD-PARTY PROVIDERS
THIRD-PARTY ASSURANCE SERVICES
SUMMARY
DISCUSSION QUESTIONS
EXERCISES
REFERENCES AND RECOMMENDED READINGS
  Web Sites
NOTES

INTRODUCTION

"On the Internet there are totally new ways to get taken."

As this quotation indicates, e-business brings with it a new set of risks. For example, businesses connecting to the Internet run the risk that outsiders will access their internal network systems. As a result, the development of the Internet and e-business poses many challenges for IT auditors beyond those they face in securing traditional network systems. This chapter describes e-business models, ranging from electronic data interchange (EDI) to collaborative commerce. The levels of risk and the need for controls vary along the continuum. These risks include threats to privacy and confidentiality, security and information system availability, and transaction integrity. Not only do risks and controls vary across the spectrum of e-business models, but there are also special risk and control issues associated with specialized e-business technologies like EDI, collaborative commerce, and e-mail. This chapter discusses all these risks, as well as the controls over them.

Apart from new sets of risks and controls, e-business also creates more third-party services and reliance on these services by others. IT auditors may find themselves in the position of validating the work of other auditors and of offering additional e-business risk and assurance services themselves.

E-BUSINESS MODELS

We frequently use the terms "e-business" and "e-commerce" interchangeably, but they don't really mean the same thing. E-commerce means using IT to buy and sell goods and services electronically. E-business is a broader term, covering not just goods and services exchanges, but also all forms of business conducted using electronic transmission of data and information. For example, e-business includes using the Internet or intranets for employee training or customer support.

While it may seem that e-business just suddenly appeared, in reality it has developed over some time. Figure 7-1 shows this evolution. Various entities and individuals may be at any point along the spectrum. E-business began when customers and suppliers recognized the advantages of exchanging documents such as purchase orders and invoices electronically, rather than through the postal service. This electronic data interchange (EDI) could speed ordering and fulfillment dramatically. The advent of the Internet allowed businesses, organizations, and individuals to publish World Wide Web pages and communicate to broader audiences. At first, Web pages were mirrors of paper documents. But as they increased in sophistication, users recognized that there were things they could do with Web pages that weren't possible with paper media. For instance, they could capture information about the number of times someone accessed a Web page (number of hits). They could also ask for information from those perusing a Web page. As Internet usage and Web page development evolved, managers learned to take advantage of the Internet's unique nature in new ways.
For example, retailers realized that changing the price of an item required a few keystrokes on the Internet versus reprinting promotional materials and price lists in an offline environment. The transparency of the Internet, or the ability for mass instantaneous sharing of information, also created an almost perfectly efficient marketplace for goods and services.

The next stage in the evolution of e-business was to distribute its use throughout an organization. This came in the form of intranets. Businesses created these internal networks to allow employees to communicate with one another and exchange information. Through internal networks, employees can complete expense forms, change their tax deduction information, apply for insurance, request vacation time, and so on.

FIGURE 7-1 The Evolution of E-business. [Figure: six phases in sequence. Phase I, EDI: exchange of source documents between business partners. Phase II, Web Pages: development of Web pages that mirrored paper documents. Phase III (label unreadable in the scan): use of Internet communication features. Phase IV, Intranets: use of Internet capabilities to improve business within the organization. Phase V, Supply Chain: use of Internet capabilities to improve business across the supply chain. Phase VI, Collaborative Commerce: use of Internet capabilities to conduct business "virtually."]

Once enterprises mastered internal communications through their intranets, they turned outward. The link to customers occurred early on, with the first Web pages. The rest of the supply chain linkage took place in the next stage of the evolution, as businesses began expanding on their connections to suppliers, customers, and distributors. These included adding supply chain management (SCM) and customer relationship management (CRM) functionality. Portals allowed customers and suppliers to link more closely with an enterprise.

The current state of e-business is really c-business, where the "c" stands for collaborative.
In c-business, the boundaries among enterprises become blurred. Businesses up and down the supply chain work together to achieve objectives that maximize profitability for all of them. For example, in the "real" world, Customer C places an order with Enterprise B. Enterprise B then requests supplies from Supplier A. Supplier A provides the goods to B, which distributes them to C. In the "virtual" e-commerce world, Customer C's order goes right through B to A in real time. B is involved only to the extent that it adds value to Supplier A's materials or helps A and C to get together.

THE TECHNOLOGY OF E-BUSINESS

The Internet is a network of hardware, software, and communication links joining thousands of computer systems and networks; in fact, it has many of the network features described in general in Chapter 6. Conducting business over the Internet requires specialized protocols, software, and hardware, including browsers and servers. In addition, e-business uses specialized software languages.

Protocols, Software, and Hardware

One of the most widely used of all protocols is the Transmission Control Protocol/Internet Protocol (TCP/IP), shown in Figure 7-2. The Internet is an international network of local area networks (LANs) and computers with no single controlling site. TCP/IP allows communication among Internet nodes, and each computer or network connected to the Internet must support it. Each message transmission over the Internet requires an IP address for both the sender and the receiver station. The IP address is the numerical translation of the text address. Each address is unique and consists of a network and a host address; each message includes both source and destination information. The length of an IP address varies, depending on the classification. For example, a Class A IP address can identify many networks and host computers; in fact, this class can accommodate more than sixteen million host computers. An example of an IP address would be 251.36.220.x (x standing for the final number). The first group of numbers identifies a geographic region, the next group is for a specific organizational entity, the third set is the group of computers or network identification, and the last number references a specific computer. Finally, IP addresses may be static or dynamic. Static IP addresses are assigned and stay the same from one computing session to another. With a dynamic addressing approach, a computer, typically a client, receives a new IP address for each computing session. A server may maintain a set of dynamic addresses for this purpose.

Based on TCP/IP, the Internet supports other protocols for specialized tasks. Hypertext Transmission Protocol (HTTP) is one of these. HTTP is the standardized rule set that governs data transmission over the World Wide Web, the graphical component of the Internet.

The main hardware component in e-commerce is the Web server, which hosts an organization's Web pages and the program that gets network requests and sends back HTML files in response. These pages are in hypertext markup language (HTML) format. The Web server sends and receives messages from users in HTTP message format. Two basic client/server architectures support e-business systems. A two-tiered system includes a client browser and a Web server. The three-tiered configuration consists of a client browser, a Web server, and a database server. Network routers can be either hardware devices or software, and they control the flow of traffic across the Internet network. Routers, located at various points across the network, determine where to forward a packet or data file.

FIGURE 7-2 The TCP/IP Model. [Figure: four layers. Application Layer: translates messages into the host computer's application software for screen presentation. Transport Layer: breaks messages into TCP packets called datagrams, attaches a header plus information on reassembling, and ensures data delivery. Internet Protocol Layer: breaks down packets further and routes them from sender to receiver. Network Interface Layer: handles addressing and the interface between requesting and receiving computers.]

Users connect to the Internet via a modem or other form of high-speed connection. An Internet service provider (ISP) allows individual user computers to have Internet access without maintaining their own point of presence (POP) on the Internet; each POP is an Internet access point with its own Internet address. ISPs maintain the high-speed connections and also provide their clients with Internet communications services.

HTML and XML

HTML is a formatting language that specifies how documents appear on the World Wide Web. There is no question that HTML has been fundamental to the development of the Internet. However, e-business requires another language to enable the transmission and manipulation of information over the Internet: extensible markup language (XML). Application systems store data in a variety of formats. XML is a language for communicating and manipulating information. By converting data to a common XML format, different computer systems can exchange information more easily than would be possible otherwise. Databases can also store data in XML format, which allows disparate applications to easily retrieve it. Like HTML, XML is a markup language; it uses tags. Unlike HTML, these tags describe the data rather than how the data are displayed.
For example, an HTML tag for the date Sep 02 would indicate that the date is to be bolded in the body of text that a Web browser will view. HTML describes how the data are displayed. An XML tag for the same date might read <date>, describing what the data mean.

Another way that XML differs from HTML is that it is extensible, another word for expandable. There is a fixed set of markup tags for HTML, but users and software designers can create new tags for XML. Of course, if each software developer or user creates a separate set of tags, there goes the common standard. As a result, user groups are working to create specialized sets of industry tags, which, in a sense, represent that industry's proprietary language. The accounting and finance industry is developing extensible business reporting language (XBRL), which is to be used for business reporting over the Internet. Most businesses report some type of financial information over the Internet, but as yet there is no way of retrieving that data easily for comparison and manipulation purposes. For example, if you wanted to find the 2003 revenues for a particular retail chain, a search using the store's name and "revenue" would not likely yield the result you wanted. Further, if you did manage to find the data, you would not have it in a form that would let you compare it with similar data for another company. XBRL tags would ensure retrieval of similar data and allow for manipulation of the information so that comparisons would be possible. An advantage of XBRL will be that business entities can store data once in XBRL format and then use it as needed for a variety of reporting purposes.

Another industry-specific language under development for e-business XML is ebXML. The mission of the developers working on this specification (www.ebxml.org) is "To provide an open XML-based infrastructure enabling the global use of electronic business information in an interoperable, secure and consistent manner by all parties."
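The contrast the text draws, as an added example (not code from the book): the same revenue figure published once as HTML, which only says how to display it, and once as XML with a shared tag set that says what each value means, so that two companies' figures can be located and compared by program. The documents, the element names (financialReport, entity, periodEnd, revenue) and the amounts are constructed for this illustration and are not XBRL's own taxonomy.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"regexp"
	"strconv"
	"strings"
	"time"
)

// Constructed sample documents (not real filings). The HTML page marks the
// values only for presentation; the XML reports use an assumed shared tag set
// so that the values can be found by meaning.
const htmlPage = `<html><body>
<h1>Example Retail Co.</h1>
<p>Fiscal year ended <b>Sep 02, 2003</b></p>
<p>Revenue for the year was <b>$1,250,000</b>.</p>
</body></html>`

const xmlReportA = `<?xml version="1.0"?>
<financialReport>
  <entity>Example Retail Co.</entity>
  <periodEnd>2003-09-02</periodEnd>
  <revenue currency="USD">1250000</revenue>
</financialReport>`

const xmlReportB = `<?xml version="1.0"?>
<financialReport>
  <entity>Other Retail Co.</entity>
  <periodEnd>2003-09-02</periodEnd>
  <revenue currency="USD">980000</revenue>
</financialReport>`

// Revenue carries the amount and the currency attribute of <revenue>.
type Revenue struct {
	Currency string `xml:"currency,attr"`
	Amount   string `xml:",chardata"`
}

// FinancialReport mirrors the shared tag set; any partner using the same
// tags produces a document that decodes into this struct unchanged.
type FinancialReport struct {
	XMLName   xml.Name `xml:"financialReport"`
	Entity    string   `xml:"entity"`
	PeriodEnd string   `xml:"periodEnd"`
	Revenue   Revenue  `xml:"revenue"`
}

// ParseReport decodes one XML report and rejects documents whose values do
// not carry the meaning the tags promise (non-ISO date, missing currency,
// non-numeric amount) instead of silently misreading them.
func ParseReport(doc string) (FinancialReport, int64, error) {
	var r FinancialReport
	if err := xml.Unmarshal([]byte(doc), &r); err != nil {
		return r, 0, err
	}
	if _, err := time.Parse("2006-01-02", r.PeriodEnd); err != nil {
		return r, 0, fmt.Errorf("periodEnd %q is not an ISO date: %w", r.PeriodEnd, err)
	}
	if r.Revenue.Currency == "" {
		return r, 0, fmt.Errorf("revenue element has no currency attribute")
	}
	amount, err := strconv.ParseInt(strings.TrimSpace(r.Revenue.Amount), 10, 64)
	if err != nil {
		return r, 0, fmt.Errorf("revenue %q is not a whole number: %w", r.Revenue.Amount, err)
	}
	return r, amount, nil
}

// CompareRevenue returns revenue of report A minus report B; the comparison
// is only meaningful when both reports are tagged with the same currency.
func CompareRevenue(docA, docB string) (int64, error) {
	ra, a, err := ParseReport(docA)
	if err != nil {
		return 0, err
	}
	rb, b, err := ParseReport(docB)
	if err != nil {
		return 0, err
	}
	if ra.Revenue.Currency != rb.Revenue.Currency {
		return 0, fmt.Errorf("currency mismatch: %s vs %s", ra.Revenue.Currency, rb.Revenue.Currency)
	}
	return a - b, nil
}

// HTMLBoldValues is all a generic scrape of the HTML page yields: the bold
// strings, with nothing to say which is the date and which the revenue.
func HTMLBoldValues(page string) []string {
	re := regexp.MustCompile(`<b>(.*?)</b>`)
	var out []string
	for _, m := range re.FindAllStringSubmatch(page, -1) {
		out = append(out, m[1])
	}
	return out
}

func main() {
	fmt.Println("HTML gives only presentation:", HTMLBoldValues(htmlPage))
	diff, err := CompareRevenue(xmlReportA, xmlReportB)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("XML gives meaning: revenue difference A-B = %d\n", diff)
}
```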
It is hoped that this standard will facilitate the exchange of business source document data among Internet supply chain partners in a fashion similar to the way the EDI standard languages (EDIFACT and X12) facilitated the communication of business information among trading partners.

UNDERSTANDING E-BUSINESS RISK

When an organization's information systems are connected to the Internet, at any stage there is the threat of unauthorized access. The use of dedicated Web servers, as we discussed in Chapter 6, should restrict that access, although a hacker may intrude into even highly secure networks. Other risks vary more with the stage of e-business evolution. For instance, when organizations engage simply in publishing marketing materials on a Web site, the risk is that the site might be altered. An active Web page where customers and suppliers buy and sell online is subject to the threat of service interruption. In e-commerce, an interruption in service can literally bring business to a halt. This section of the chapter discusses specific risks and controls associated with several categories of risk related to e-business. These are privacy and confidentiality, security and availability, transaction integrity, and business policies.

Privacy and Confidentiality

Privacy concerns the protection afforded to proprietary information, including personal information and information related to an exchange or transaction. The protection may be against unauthorized access, or it may be policies ensuring that users who access information do not use it for any purpose other than what is allowed by the information provider. Confidentiality is similar to privacy, except that it focuses on information that is specifically designated to be confidential or secret.
Privacy and confidentiality are extremely important in e-business for three reasons. First, e-business provides an opportunity to collect more data about buyers and sellers than is possible in a brick and mortar world. Second, the Internet allows for dissemination of information to more people more easily than through any other communication channel. Finally, the information obtained in e-business exchanges may be captured without the information provider's knowledge. For example, in making an online purchase, customers provide sellers with demographic and credit card information. This is overt, and customers are aware they are parting with personal information. However, customers also provide information subconsciously. For instance, the pages the customer peruses at the retailer's Web site provide some information about that customer's shopping pattern. Each time a Web browser accesses a page, the Web server's log files record the access. Case-in-Point 7-1 describes one privacy issue stemming from e-business.

Case-in-Point 7-1 Citibank, in looking to improve its electronic communications with customers, hired Acxiom Corp. to collect its credit-card customers' e-mail addresses. The bank then engaged Touchwood Technologies, Inc. to send e-mails to these customers, inviting them to access their own account information either online or by e-mail.
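What the Web server's log actually reveals, as an added example (not from the book): a parser for Common Log Format lines that rebuilds each visitor's browsing pattern from the recorded accesses, beside a minimizing step that keeps what the site needs to operate but drops the parts that identify the person and their search terms. The log lines, client addresses (documentation ranges) and paths are constructed for this illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// Constructed sample of Common Log Format lines as a Web server would write
// them; the addresses and pages are invented, and the last line is
// deliberately malformed.
var sampleLog = []string{
	`203.0.113.7 - - [02/Sep/2003:10:15:02 -0500] "GET /catalog/baby/strollers HTTP/1.1" 200 5123`,
	`203.0.113.7 - - [02/Sep/2003:10:15:40 -0500] "GET /catalog/baby/cribs?color=white HTTP/1.1" 200 4877`,
	`203.0.113.7 - - [02/Sep/2003:10:16:11 -0500] "GET /search?q=maternity+clothes HTTP/1.1" 200 3301`,
	`198.51.100.23 - - [02/Sep/2003:10:17:00 -0500] "GET /catalog/electronics/tv HTTP/1.1" 200 6010`,
	`this line is not in log format`,
}

// Access is one parsed request.
type Access struct {
	Client string
	When   string
	Method string
	Path   string // path plus query string, exactly as requested
	Status string
}

// clfRe matches: client ident user [timestamp] "METHOD path protocol" status bytes
var clfRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (?:\d+|-)$`)

// ParseLogLine parses one CLF line. Malformed lines are reported rather than
// skipped silently, so a reviewer knows how much of the log was readable.
func ParseLogLine(line string) (Access, error) {
	m := clfRe.FindStringSubmatch(line)
	if m == nil {
		return Access{}, fmt.Errorf("not a CLF line: %q", line)
	}
	return Access{Client: m[1], When: m[2], Method: m[3], Path: m[4], Status: m[5]}, nil
}

// BrowsingProfile groups the pages viewed by each client address. This is the
// shopping pattern the text says customers reveal without noticing; the
// second return value counts lines that could not be parsed.
func BrowsingProfile(lines []string) (map[string][]string, int) {
	profile := map[string][]string{}
	bad := 0
	for _, l := range lines {
		a, err := ParseLogLine(l)
		if err != nil {
			bad++
			continue
		}
		profile[a.Client] = append(profile[a.Client], a.Path)
	}
	return profile, bad
}

// Minimize is one mitigation: keep the status and the page path for operating
// the site, but zero the last octet of an IPv4 client address and drop the
// query string, which often carries search terms and other personal detail.
func Minimize(a Access) Access {
	out := a
	if i := strings.LastIndex(a.Client, "."); i >= 0 && !strings.Contains(a.Client, ":") {
		out.Client = a.Client[:i] + ".0"
	}
	if u, err := url.Parse(a.Path); err == nil {
		out.Path = u.Path
	}
	return out
}

func main() {
	profile, bad := BrowsingProfile(sampleLog)
	for client, pages := range profile {
		fmt.Printf("%s viewed %v\n", client, pages)
	}
	fmt.Printf("%d unreadable line(s)\n", bad)
	if a, err := ParseLogLine(sampleLog[2]); err == nil {
		fmt.Printf("minimized record: %+v\n", Minimize(a))
	}
}
```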
The initiative led to privacy concerns because it was possible that some of the e-mail addresses did not belong to account holders, thus risking disclosure of sensitive financial data to the wrong parties.2

Many individuals wrongly think they don't need to be concerned about privacy because they "have no secrets." Unfortunately, that is not really the case. Even people with no secrets would likely not want the text of their e-mails exposed to the world. Nor would they necessarily want others to know how they spend their time online.

There are trade-offs between privacy and personalization. By ceding some privacy, we allow businesses to better understand our needs. You may like it when an online bookstore makes suggestions based on its record of your prior activity; this may be a matter of individual preference. On the other hand, a somewhat spooky world in which salespeople display a level of familiarity with a customer's personal history brings home the idea that maybe personalization isn't worth a loss of privacy at some level.

There are also trade-offs between privacy and security. Government agencies and police forces argue that they need information in order to provide security. For instance, the Bureau of Immigration and Customs Enforcement needs to monitor the movements of visitors to this country in the interest of national security. After September 11, many Americans expressed greater willingness to give up some of their privacy.

For individuals, the privacy risks faced by engaging in e-commerce range from simple annoyance to identity theft. For business entities, privacy risks may be in the form of loss of confidential information or loss of competitive advantage. Figure 7-3 describes some of the risk indicators related to privacy and confidentiality. The remainder of this section discusses two important topics related to privacy: privacy policies and Internet tracking.

PRIVACY POLICIES Most entities engaged in e-business have privacy policies. The policies serve two main purposes. First, they protect the entity because they clearly spell out how they will treat proprietary information. Second, they provide assurance to business partners about how their information will be used. IT auditors are frequently involved either in crafting such a policy or in evaluating one. There are several elements of a sound privacy policy. These include a general statement, a description of the information collected at the site, and the use of the collected information.

[Text omitted in the source scan; the excerpt resumes in the EDI discussion of SPECIALIZED E-BUSINESS APPLICATIONS.]

FIGURE 7-6 A VAN-Based EDI System. Source: Core Concepts of Accounting Information Systems, 8th ed., Stephen ... and Nancy A. Bagranoff, John Wiley & Sons. [Figure: trading partners exchange documents through a value-added network vendor, which provides translation and transmission reliability.]

... the sender translates the order into a common format (X12 or EDIFACT) and transmits it to an electronic post office, called a value-added network (VAN). The VAN adds value by checking for errors, sorting, and providing storage for transmission, and then forwards the electronic documents to their recipients. The recipient's computer translates the document from the EDI standard used for transmission into a format compatible with its own order management software, and processes the order.

EDI is expensive because it requires its users to install special software and requires either a dedicated communication channel or a third-party VAN. As a result it has been supported primarily by large manufacturers and their suppliers, who sometimes were not affording computer-to-computer information exchange opportunities to smaller businesses; if they wished to do business with the larger entities,
these smaller entities sometimes resorted to phone calls and faxes to obtain some of the same efficiencies of EDI.

The Internet and World Wide Web offer customers and suppliers an alternative to EDI. Business partners can send encrypted EDI data back and forth over the Internet, which becomes the communication channel and eliminates the need for a VAN. Encryption creates a virtual private network (discussed in Chapter 6). Internet EDI, however, requires that business trading partners use the same software, unless the data is in a standard format that each partner can upload or download. The standard emerging for the exchange of EDI business data across the Internet is ebXML, a version of XML. As this standard matures, businesses are likely to change their traditional EDI document exchanges to Web-based systems. Another alternative to EDI is the extended intranet, where customers are given password access to a supplier's intranet so they can check inventories and prices and place their orders.

The concern of IT auditors with respect to EDI and emerging forms of computerized data sharing between trading partners varies with the approach used. In the case of a VAN, IT auditors will need to conduct third-party assurance audits (discussed later in this chapter). For Web-based EDI, the same network security issues exist as with any e-business transactions. Finally, where customers have access to intranets, access controls assume additional importance.

Collaborative Commerce

In the Internet age it's getting difficult to say where one enterprise stops and another begins. Businesses are using all of the "net" technologies (Internet, intranet, and extranet) to extend their information systems to customers, suppliers, and business partners. The strategy is to create alliances and partnerships that yield competitive advantages. For example, airlines have partnered to share their flight databases through Orbitz. The site also allows customers to purchase hotel rooms, as well as complementary services from other industry organizations.
Collaborative commerce means two or more entities with shared interests partner to accomplish a specific goal. This partnering is likely to entail sharing information, which creates additional risk. When Orbitz brings partner companies together, they have information about one another that they were not likely to have had before. For the IT auditor, privacy is of particular concern in collaborative e-business, because data shared with an entity's business partners may be at risk, and information from one entity might be shared beyond it.

E-mail Security and Privacy

It seems there was never a time when e-mail didn't exist. Today, e-mail and instant messaging are the preferred mode of communication for many businesses and individuals. E-mails can carry viruses and worms. Virus screeners and common sense can protect against this threat, but most people get burned a time or two before they catch on. There are other risks, too, such as e-mail spam, e-mail bombs, and electronic eavesdropping or sniffing. (See Figure 7-7 for a listing of e-mail threats.) In addition, there are threats that we may not have even thought of yet. Case-in-Point 7-6 describes a different kind of e-mail threat.

Case-in-Point 7-6 Starbucks seemed to be having a run on its crème frappuccino coffee drinks one day in summer 2002. Customers bought the drinks with coupons that they had received in an e-mail. Unfortunately, the e-mail didn't come from Starbucks, but rather from a hacker playing a hoax. Store managers redeemed the coupons for some time before they got the message from headquarters that the coupons were counterfeit.

Spamming involves sending multiple unwanted e-mails. This may just be a nuisance, or it may have a more severe effect by overloading servers and communication channels, thereby launching a virus or DDOS attack. Sometimes spamming is unintentional. Your worst nightmare may be accidentally sending a personal message to a list serve; for this reason it's a good idea to think before hitting the reply button. It is also good policy to avoid sending anything personal or controversial as an e-mail in any case, because e-mail messages may be permanent.

FIGURE 7-7 E-mail Security Threats. [Figure: a list of threats, including viruses and worms (e-mail attachments may contain malicious code); messages forwarded beyond the intended recipient; the e-mail paper trail (e-mail messages are somewhat permanent, may be subpoenaed, and can be used as evidence); e-mail message integrity; and corporate espionage by eavesdroppers.]

Another e-mail issue is spoofing. It is quite easy to "hide" identities in e-mails. There was a case at one university in which a male student sent an e-mail to a female student he liked, using her boyfriend's e-mail address as the message source and breaking up with her. Changing the e-mail source address is relatively easy and allows e-mail spoofers to pretend e-mails come from different locations.

Employers need to create and communicate an e-mail policy to all employees so that there are no misunderstandings regarding the privacy of these communications. The e-mail policy should explain that the e-mail system is the property of the company, that the company maintains the right to audit and monitor it, and that it has the right to disclose e-mail information. The policy should further state that employees may not assume confidentiality of their e-mail, that e-mails should be sent and received only for business purposes, and that employees should never send or accept offensive e-mails. Finally, the e-mail policy should state an e-mail retention policy. This is important in case supporting e-mails are needed in litigation.
IT auditors need to make sure these policies exist and are thorough, broadly communicated, and enforced.

CONTROLLING E-MAIL SYSTEMS The e-mail policy is arguably the most important component of effective e-mail security, but there are many specialized security products available that can help manage and secure e-mail applications. Features of these products include encryption, file compression, authentication, content scanning, tracking, automatic expiration, digital shredding, filtering and blocking (e.g., blocking all executable attachments), and anti-virus protection. Some of the software available that provides this security are Genidocs Server, GLWebMail XT Professional, enRole, and CAMEO Recon.

The best way to ensure e-mail privacy is through encryption. Two encryption standards used for e-mail are Pretty Good Privacy (PGP) and Secure Multipurpose Internet Mail Extensions (S/MIME). PGP has a public and a private key, and you need both. Potential e-mail recipients can obtain the public key through e-mail, a Web site, or a digital certificate authority.7 The following describes how to use PGP for encryption.

There are two ways to encrypt an e-mail message with PGP. One way is to compose a text message and then encrypt the text file using the appropriate PGP command. It is also possible to write, encrypt, and send the message all at once, using the PGP command for this function, and including the appropriate public key and e-mail address of the recipient along with the command. The second approach provides additional security because the unencrypted message is never stored. PGP users share a directory of public keys called a key ring; you can't send an encrypted message to anybody who doesn't have access to the key ring.

S/MIME is free and comes with Netscape Navigator and Microsoft Internet Explorer browsers. It is also available as a plug-in.8 It uses a shorter encryption code than PGP and, as a result, the code is easier to break. Even with encryption, sniffers and hackers can tamper with messages during transmission, but PGP and S/MIME can detect tampering by inspecting the digital signature. If they are able to decrypt the signature, the message is authentic. Individuals may use personal e-mail digital certificates to digitally sign their e-mail messages. These signatures provide the recipients with authentication that the communications are from the signer. These certificates also allow individuals to encrypt their messages in order to keep unauthorized users from viewing them.
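The two properties the text attributes to PGP and S/MIME, as an added example that is not the book's or either standard's code: the sender's private key signs the message so the recipient can check it is authentic, and the recipient's public key encrypts it so that nobody else can read it. The example uses RSA-PSS and RSA-OAEP from Go's standard library in place of the PGP or S/MIME message formats; the keys, the message text and the substituted message are constructed here, and the function names are this example's own.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the protected message: the plaintext encrypted to the
// recipient, plus the sender's signature over the plaintext.
type Envelope struct {
	Ciphertext []byte
	Signature  []byte
}

// Seal signs with the sender's private key, then encrypts with the
// recipient's public key: the two keys the text says you need. RSA-OAEP
// holds only a short message (190 bytes with a 2048-bit key and SHA-256);
// PGP and S/MIME encrypt a symmetric key this way and the body with that
// key, but the principle is the same.
func Seal(msg []byte, sender *rsa.PrivateKey, recipient *rsa.PublicKey) (Envelope, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, sender, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Envelope{}, err
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, msg, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, Signature: sig}, nil
}

// Open decrypts with the recipient's private key and then checks the
// signature against the sender's public key; a body that decrypts but whose
// signature does not verify is rejected as not authentic.
func Open(env Envelope, recipient *rsa.PrivateKey, sender *rsa.PublicKey) ([]byte, error) {
	msg, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipient, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("decryption failed: not for this recipient or altered in transit")
	}
	digest := sha256.Sum256(msg)
	if err := rsa.VerifyPSS(sender, crypto.SHA256, digest[:], env.Signature, nil); err != nil {
		return nil, errors.New("signature does not verify: message is not authentic")
	}
	return msg, nil
}

// Result records what RunDemo observed.
type Result struct {
	Plaintext       string
	Authentic       bool // genuine envelope opened and verified
	ForgeryDetected bool // substituted body rejected by the signature check
	TamperDetected  bool // ciphertext altered in transit rejected on decryption
}

// RunDemo generates a sender and a recipient key pair (constructed for the
// example), sends one genuine message, then shows two failure modes.
func RunDemo() (Result, error) {
	sender, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	recipient, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Result{}, err
	}
	var r Result
	original := []byte("Approve payment of invoice 4471 for $1,250.") // constructed
	env, err := Seal(original, sender, &recipient.PublicKey)
	if err != nil {
		return r, err
	}
	got, err := Open(env, recipient, &sender.PublicKey)
	r.Authentic = err == nil && string(got) == string(original)
	r.Plaintext = string(got)

	// A party holding only the recipient's public key can encrypt a different
	// body, but cannot produce the sender's signature for it.
	substitute := []byte("Approve payment of invoice 4471 for $12,500.")
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &recipient.PublicKey, substitute, nil)
	if err != nil {
		return r, err
	}
	_, err = Open(Envelope{Ciphertext: ct, Signature: env.Signature}, recipient, &sender.PublicKey)
	r.ForgeryDetected = err != nil

	// A bit changed in transit makes OAEP decryption itself fail.
	altered := append([]byte(nil), env.Ciphertext...)
	altered[len(altered)-1] ^= 0x01
	_, err = Open(Envelope{Ciphertext: altered, Signature: env.Signature}, recipient, &sender.PublicKey)
	r.TamperDetected = err != nil
	return r, nil
}

func main() {
	r, err := RunDemo()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", r)
}
```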
MANAGING THIRD-PARTY PROVIDERS

CobiT, discussed in Chapter 3, considers control over third-party services as part of its framework. Third-party providers of e-business services include application service providers (ASPs), Web site developers, and electronic payment providers, and many organizations rely on them. The control system varies with the extent of services provided. IT auditors, in evaluating controls over third-party services, need to first understand the relationship between the entity under review and the third party. This begins with organizational policies and procedures that should be in line with the service-level agreements and contracts. The IT auditors also need to review and document the third party's processes and controls as they relate to the client organization. IT auditors should confirm their understanding of the third party's processes and controls through surveys, conversations, and observation. They should also evaluate the risks of the relationship, test the controls, and develop conclusions regarding the effectiveness of the controls. Figure 7-8 describes several specific steps that would be incorporated in an audit plan for third-party services.

It is not unusual for a third party to produce an internal control report containing an evaluation by an independent evaluator. Businesses that provide such services for clients frequently obtain these reports and may use them to provide assurance to potential customers. An IT auditor who accepts such a report will need to consider the professional qualifications and independence of the party providing the report, the sufficiency of the report, and the period of time covered by the report.

Third-party service audits are sometimes referred to as SAS 70 reviews. Statement on Auditing Standards (SAS) 70, Reports on the Processing of Transactions by Service Organizations, was issued by the AICPA Auditing Standards Board in 1992. The purpose of the standard was to provide financial auditors with some guidance in auditing the financial statements of organizations that rely on third-party service organizations to process some of their transactions. The standard also offers guidance to auditors providing a SAS 70 review or report on the transaction processing of a service organization that will be used by other auditors. IT auditors have frequently found themselves engaged in these types of audits because it is generally an information system that generates the transactions.

FIGURE 7-8 Sample Audit Steps for Evaluating Third-Party Services
- Evaluate whether or not contracting for third-party services meets organizational objectives.
- Inspect service-level agreements and evaluate compliance with these agreements.
- Evaluate the scope of services being offered by the third party and determine whether it is in line with the service-level agreement.
- Inspect contracts and determine whether contract terms are being complied with by both parties.
- Ensure that contracts include provisions for contingencies, confidentiality, security, costs, term, and contract violation and dissolution terms.
- Ensure that all third-party services are performed by pre-approved vendors and that contracts are awarded competitively.
- Determine whether the contracts include performance metrics and the degree to which those are observed.

THIRD-PARTY ASSURANCE SERVICES

The objective of third-party assurance services is to address the privacy and security concerns of end consumers conducting business over the Internet. Third-party assurance providers, such as IT auditors, evaluate an online business's systems, security, privacy, and business policies. They then certify that the business has met the criteria, typically by displaying a seal on the business's Web site. Figure 7-9 shows sample assurance seals. The American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) offer one form of e-business assurance, and clients can obtain others from different providers. As online business grew in the 1990s, accountants and others saw opportunities to provide assurance services. CPAs viewed themselves as natural providers of these services because of their assurance expertise. The AICPA and CICA believed that consumers would feel more secure trading with a business that displayed a certificate of assurance conveyed by a CPA. As a result, they created two "trust services": WebTrust and SysTrust. WebTrust is directed primarily at e-commerce transactions and is a subset of SysTrust, which is for any information system.

WebTrust and SysTrust embody a set of principles and criteria. The principles are: security, availability, processing integrity, online privacy, and confidentiality.9 In a trust services engagement, the auditor evaluates any or all of these principles against a set of criteria. The four categories of criteria are policies, communications, procedures, and monitoring. Within each category are specific criteria that are common to each principle. For example, the three criteria for policies are policy creation and approval, policy requirements, and assignment of responsibility for policies and any changes to them.
Finally, each specific criterion may be accompanied by specific illustrative controls. The AICPA/CICA framework of trust principles and criteria provides very specific guidance for a WebTrust or SysTrust engagement. For instance, an auditor evaluating the processing integrity principle would be expected to examine the client organization's policies on authorized user access and its controls over system processing. Clicking on the seal reveals the client organization's policies for each principle on which assurance is provided.

FIGURE 7-9 Third-Party Assurance Seals

CPA firms have invested in online assurance and provide a stamp of approval. A CPA firm may also offer online assurance through its own program; PricewaterhouseCoopers' BetterWeb is an example. The BetterWeb seal is directed at consumers and provides assurance about sales terms, privacy, security, payments, cancellations and returns, and customer complaints. The privacy principle concerns the use of personal information collected at a Web site, and the security principle ensures that information and assets are protected. The customer complaint principle ensures that there is a contact for complaints and that the online business is able to resolve customer complaints within a short time. As with WebTrust, a Web site visitor can click on the seal to view a statement describing the standards and policies applied by the third-party assurance service.

The public probably knows the Better Business Bureau (BBB) best. The Council of BBBs has been providing assurance to consumers about business practices since 1912. The Internet created an opportunity for the BBB to expand its assurance to online, as well as brick and mortar, companies.
The e-business subsidiary of BBB, BBB Online, offers several kinds of certification, including a reliability seal program and a privacy seal. To obtain a reliability seal, a business must be a member of the local BBB and must meet the program eligibility criteria. These require a company to have been in business for a certain length of time, to have a satisfactory complaint-handling record, and to agree to comply with the BBB's Code of Online Business Practices. To obtain the BBB privacy seal, a business must adopt and post a privacy policy at its Web site and complete a compliance assessment questionnaire.

TRUSTe, like the BBB, is a nonprofit organization providing third-party e-business assurance services. Unlike BBB Online, however, TRUSTe offers assurance only over privacy. The TRUSTe certification requires approval of a company's privacy statement; TRUSTe offers a resource guide to help organizations create them. Both BBB Online and TRUSTe charge licensing fees for their certifications, based on company revenues.

Verisign, Inc. is another specialty assurance service provider. This company offers a variety of digital trust services, including a security seal. The security seal has quickly become one of the most recognized on the Internet. It provides assurance that the Web site is authentic and that data transmission uses SSL encryption.

SUMMARY

E-business uses the Internet, along with intranets and extranets, to let organizations work collaboratively with their business partners. The protocols, hardware, and software associated with e-business are similar to those of other networks. The specific protocols most closely tied to e-business are TCP/IP and HTTP. Various software languages are used, such as HTML and XML. Specialized forms of XML for e-business are likely to develop.

E-business creates new risks. Some of these are similar to those of other networks, as described in Chapter 6, while others are unique to e-business. They include the privacy and confidentiality concerns of individuals and businesses, security and system availability concerns, and transaction integrity and business policy issues. Privacy issues include creating a privacy policy and the contents and administration of that policy. Security and availability controls include Web site administration, firewalls, intrusion detection systems, electronic payment mechanisms, server protection, and system availability provisions that ensure successful e-business. Specialized e-business applications carry unique risks and controls; this chapter described three of these application areas—EDI, collaborative commerce, and e-mail—in more detail. E-business also creates opportunities for many third-party services. IT auditors may be called on to evaluate third-party services, and they may also find themselves providing assurances as third parties; this chapter discussed both of these options.

DISCUSSION QUESTIONS

1. What would be the differences in risks faced by a company that [illegible]?
2. What are the differences between the OSI model and the TCP/IP protocol described in this chapter?
3. XML is developing as a language to facilitate the extraction and manipulation of data on the Internet. Discuss some of the obstacles likely in the development of a common language for communicating and manipulating e-business data.
4. Privacy is considered to be one of the biggest concerns in conducting consumer-to-business e-commerce. Find the privacy policy for a popular online retailer and compare it with that of GE.
5. Explain the difference between privacy and confidentiality issues for businesses engaged in e-commerce.
6. Discuss the advantages and disadvantages of cookie files from an end consumer standpoint.
7. SSL is the most common encryption form used for e-business. Discuss its shortcomings and explain how it compares with SET.
8. Discuss the advantages to both an end consumer and to banks and billing companies of EBPP systems.
9. Why is the issue of repudiation so important in e-business? Explain how you would go about obtaining a digital signature. Also explain why a digital signature might carry less risk than a PGP signature.
10. Describe at least four implications of electronic versus paper evidence for IT auditors.
11. E-business conducted over the Internet has been slow to supplant traditional EDI systems. Why do businesses continue using EDI for exchange of business documents versus the Internet?
12. If you were an IT auditor who learned that the company for which you work plans to engage in collaborative commerce over the Internet, what would be your concerns regarding risk? Describe four specific risk categories.
13. Businesses have long been concerned with management of third-party providers. Why does the Internet make the services of third parties an increasingly important issue?
14. The AICPA introduced its WebTrust assurance service several years ago. Why do you think this service has not been more popular?
15. What should be included in an organization's e-mail policy?
