Position paper: cybercommerce: a risk perspective

Technology has become very advanced, and IT auditing has advanced with it. However, the fact remains that even with very advanced technology, risks and potential harm to the integrity and accuracy of data still exist, especially in cyber commerce. Cyber commerce has three categories: business-to-business (B2B), business-to-customer (B2C) and mobile commerce (m-commerce).

Today, the term “e-commerce” includes all commercial activities performed through information technology and communication engineering, such as the Internet, virtual private networks (VPNs), automated teller machines (ATMs), electronic funds transfers (EFTs), electronic data interchange (EDI), e-supply chain management (e-SCM) and e-customer relationship management. E-commerce is now a trend, and IT auditors must audit these systems to minimize the threats and risks that come with it.

IT auditors look into existing internal controls, which might not have been optimized for the best results. There are several reasons why internal control cannot provide absolute assurance that objectives will be achieved: cost-benefit realities, collusion among employees and external events beyond an organization’s control. To be able to provide ample assurance, the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) compel organizations to obtain and maintain the WebTrust seal, which guarantees the business practices and information privacy policy (disclosure of how orders are processed and how returns and warranties are handled), transaction integrity and information protection (privacy of sensitive information). Electronic data interchange (EDI), the predecessor of B2B e-commerce, saves time and effort over detailed paperwork, but it is an expensive system to install. In contrast, the electronic data transfers allowed by new forms of e-commerce are fluid and easy to use.

The World Wide Web (WWW) allows a free flow of information across an open, widely available network despite its risks related to integrity and reliability. Prior to the installation of, or shifting to, e-commerce, an organization should ascertain the level of risk exposure on two counts: the number of people involved (greater number, greater risk) and the value of the transaction or payment or contract (greater value, greater risk).

An organization’s IT auditors need to ensure that changes, whether they are new business models and processes or new systems, support the organization’s mission and objectives, and that adequate control procedures are an integral component from the beginning of the system’s development process. These internal controls are activities performed to eliminate risks or minimize them to an acceptable level. In most cases, it is cost-prohibitive to implement every type of control in an effort to eliminate all elements of risk.

Thus, IT auditors must be aware of an organization’s objectives and must weigh the costs of implementing a control against the potential benefits of that control. Accounting professionals refer to the rules, policies and procedures involved in managing an organization’s risks as the “system of internal controls.” The way accountants view internal controls changed in the early 1990s as a result of the landmark study “Internal Control - Integrated Framework” by the Committee of Sponsoring Organizations of the Treadway Commission (COSO). COSO defines internal control as a process.

In the COSO framework, internal controls are designed to assure the effectiveness and efficiency of operations, the reliability of financial reporting, and compliance with laws and regulations. They are composed of five interrelated components: control environment, risk assessment, control activities, information and communication, and ongoing monitoring. Fraud is a highly publicized risk in an e-commerce environment. E-commerce fraud can be perpetrated either internally (by an employee within the firewall) or by an external intruder.

All companies are vulnerable to sabotage and espionage from the inside and the outside, a risk heightened, but not created, by the Internet. Not all of it is malicious, and software companies in particular are prone to in-house hacking by employees. These negative aspects only drive an organization to reach an optimal decision regarding whether to protect, and how much to protect, a system from its own internal users or from anyone outside the firewall. Unfortunately, a company probably cannot easily prevent a disgruntled employee from damaging its business.

But companies can make it more difficult for an internal saboteur from a legal, physical and technical point of view. Systems at risk from an internal saboteur require a different kind of managerial decision making, which involves the social engineering and group dynamics prevailing in an organization. Possible fraudulent activities include misrepresenting company tenders, corrupting the electronic ordering or invoicing systems and duplicating payments, among others. Other risks include attacks, hacking, interception of data by an unauthorized person, unauthorized viewing or corruption of data, and data that are archived or disposed of improperly. Poor access protection of information can be another cause of risk, especially when dealing with the separation of private and public data. An IT auditor is expected to identify such information from its origin or center of creation.

II. SWOT ANALYSIS

Strengths:
- E-commerce saves time and effort over detailed paperwork.
- The electronic data transfers allowed by new forms of e-commerce are fluid and easy to use.
- E-commerce grants benefits such as improved decision-making, increased efficiency, less paperwork and greater empowerment.
- Reduced transaction costs.
- Greater productivity through service availability.
- Customers are empowered through the routes that companies can use to reach and interact with them.
- E-commerce can enhance control over the systems and reduce the costs of implementation.
- Improved, standardized internal business processes.
- Makes international trading easier.
- Reduced cost of business operations.
- Free flow of information across an open, widely available network.
- Supports and complements business reengineering and integration.

Weaknesses:
- E-commerce has the potential to harm the integrity and accuracy of data.
- Drawbacks in the reliability of data.
- Gets further complicated as technology continues to evolve (changes in communication technologies, databases and other related information technologies).
- Business practices and information privacy, transaction integrity and information protection are areas in need of great assurance.
- It is risk-based due to the technologies involved.
- Fraud is highly publicized in the e-commerce environment and can be perpetrated either internally or externally.
- There is repudiation.
- Business data and systems may be exposed to unknown outsiders.

Opportunities:
- In an e-commerce environment, the internal systems and processes of an entity are no longer operated in isolation. An organization exchanges information via transactions that link entities together in ways unanticipated in the traditional environment.
- Opportunities for fundamental reform in how organizations and their supply chains communicate and work with other businesses.
- Opportunities for local businesses to grow and compete in the global marketplace.

Threats:
- The number and location of parties that can attempt to access the systems create new challenges related to protecting critical applications and activities.
- The most suitable strategy and model should be chosen, or else e-commerce would be exposed to intrusion by intent or curiosity using hacking techniques, or by sheer chance.
- Any e-business is a sitting duck with regard to the illicit and illegal objectives of a malicious hacker or intruder who may wreak havoc on system resources and data.
- Streamlining approvals through electronic processes may remove existing internal controls and potentially increase risk a step further.

III. POSITION PROPER

A. Theories

The principles of e-commerce auditing deal with the general theories of auditing and IT auditing, such as those relating to business threats or managerial and operational assurances and controls, and with audit techniques, namely reviewing controls, analyzing a program and testing integrity.

These principles also deal with the content of audits by identifying several candidate targets: targets such as IT facility management, computing and networking operations, or application developers; system targets (such as key applications, enterprise systems and databases during pre- and/or post-implementation phases); and functional targets (such as system and network change management, public key infrastructure, or intrusion prevention, detection and management). These principles, in general, are applicable across the e-commerce categories and technologies. E-commerce auditors should be knowledgeable about IT security vulnerabilities. Such vulnerabilities may be internal or external to the organization, and/or logical or physical in nature.

Most organizations, in business and otherwise, are highly vulnerable to security lapses and breaches; therefore, security audit specialists should be on the audit engagement team of a B2B e-commerce entity. Management must appreciate the significance of having IT auditors participate. The major objectives of the e-commerce audit/assurance review are to:
- Provide management with an independent assessment of the effectiveness of the architecture and security of the e-commerce environment and its alignment with the enterprise’s IT security policies and architecture and with industry good practices.
- Provide management with an evaluation of the IT function’s preparedness in the event of an intrusion or major failure of the e-commerce system.
- Identify issues that may impact the security of the enterprise’s e-commerce stance.

The primary responsibility to detect fraud lies with the company. The auditor’s role is to design the audit with reasonable assurance of detecting fraud, but the purpose of an audit is not to detect fraud (unless, of course, it is a special fraud engagement) but to reduce it to an acceptable level. Fraud occurs because of the Fraud Triangle, which is composed of opportunity, pressure and rationalization. Forensic auditing helps detect fraud within the organization. Forensic auditors gather evidence, interview suspects, implement invigilation and use other indirect methods of proof. A sudden change in a certain employee’s lifestyle or actions can point to fraud.

Forensic auditors also review a company’s internal controls, conduct penetration testing, perform background checks on current or prospective employees and provide litigation support such as serving as expert witnesses in criminal or civil court proceedings.

B. Position

Personally, I acknowledge the fact that the need for an e-commerce site is becoming more and more obvious day by day. As you go online, you can find websites for almost all businesses; there are online sellers such as eBay and Lazada, and when you go to social network sites, online business is very rampant. Any business that doesn’t embrace this will be left behind by its competitors. And yes, this is a leap for humanity.

Technology brought us higher. However, it all comes with potential risk, as the article said, and I agree with this. In fact, in my opinion, the risk now that everything is electronic is a little higher compared to manual transactions because of the technologies involved and the expertise needed. When business was conducted manually, it was easy to pinpoint the risks the company faced, and should there be errors, it was easy to trace and correct them because we were still capable of comprehending the minds that made the mistake. On the other hand, now that operations have been computerized, the risks have become more difficult to identify and the problems too complex to solve.

Having said this, it is safe to conclude that e-commerce creates new dimensions for transactions which are beneficial, yes, but with them comes the need to reengineer the business process. As to those relating to business threats or managerial and operational assurances and controls, I agree that now that e-commerce is the trend, IT auditing must adjust to it. Personally, I think that there are three most important jobs that an auditor must be able to perform in auditing businesses in e-commerce, aside from minimizing fraud. First, they must be familiar with the organization’s objectives. Second, they must be able to ensure that the existing internal controls of the organization are effective.

This is important because internal controls are the very things that keep an organization on course towards its objectives and the achievement of its mission, and this promotes effective and efficient operations. Lastly, IT auditors must always weigh the costs of implementing a control against the potential benefit of that control. I agree that e-commerce is not simple, and it gets further complicated with the changes in communication technologies, databases and other related information technologies. I also agree that businesses should not shift to e-commerce simply to reduce their operating costs and increase their revenue. Businesses should think carefully before making a move like this. The benefits that e-commerce brings are countless: fluid and easy-to-use transactions, increased effectiveness and efficiency, less paperwork, greater empowerment, among others.

However, part of me thinks that although it has so many strengths, the few weaknesses it has make up for these strengths. From the point of view of management, it would be very important that they can be assured of the integrity and reliability of data and, most importantly, the privacy of sensitive information. Unfortunately, these can be drawbacks of relying too much on technology.

C. Recommendation

I recommend that businesses think thoroughly before deciding to go with the technological flow. Yes, it has a lot of advantages, but it doesn’t come cheap. Also, I recommend that every company that has a computerized system give importance to IT auditing.

They should always seek assurance that the risks they are exposed to are being successfully identified, addressed and reduced to an acceptable level. Also, auditors must understand that the solution is not a quick fix and will build over time with the awareness of all employees and the unfettered support of management. One should not forget that auditors provide assurance to various stakeholders, and client management is one significant stakeholder. However, management must not rely solely on their auditors because not everything is an auditor’s job; detecting fraud is management’s responsibility. I suggest that both auditors and management give hefty attention to an organization’s internal controls because these help an organization to achieve its objectives and keep it on course.

Their internal control must be solid and effective because the business relies on it day in and day out to ensure effective and efficient operations, reduce the risk of asset loss and help ensure the reliability of data. Having said this, it is safe to conclude that internal control in e-commerce is very important. Thus, I recommend that management do everything to make sure their internal controls can stand the tests. It is imperative that e-businesses have an information assurance framework (a solid plan of action with the required tools, trained personnel and tested procedures) that is capable of protecting valuable information regarding the privacy and financial aspects of prospective customers.