Auditing Electronic Data Interchange

Electronic Data Interchange
EDI is the intercompany exchange of computer-processable business information in standard format. In a pure EDI environment, there are no human intermediaries to approve or authorize transactions. Authorizations, mutual obligations, and business practices that apply to transactions are all specified in advance under the trading partner agreement.

Benefits of EDI
• Data keying. EDI reduces or even eliminates the need for data entry.
• Error reduction. Firms using EDI see reductions in data keying errors, human interpretation and classification errors, and filing (lost document) errors.
• Reduction of paper. The use of electronic envelopes and documents drastically reduces the paper forms in the system.
• Postage. Mailed documents are replaced with much cheaper data transmissions.
• Automated procedures. EDI automates manual activities associated with purchasing, sales order processing, cash disbursements, and cash receipts.
• Inventory reduction. By ordering directly as needed from vendors, EDI reduces the lag time that promotes inventory accumulation.

Financial EDI
Financial EDI is the process of using EDI for fund transfers, cash receipts, cash disbursements, and other purchasing and selling activities.

EDI Controls

Transaction Authorization and Validation
Both the customer and the supplier must establish that the transaction being processed is to (or from) a valid trading partner and is authorized. This can be accomplished at three points in the process:
1. Some VANs (Value Added Networks) have the capability of validating passwords and user ID codes for the vendor by matching these against a valid customer file. The VAN rejects any unauthorized trading partner transactions before they reach the vendor’s system.
2. Before the transaction is converted, the translation software can validate the trading partner’s ID and password against a validation file in the firm’s database.
3. Before processing, the trading partner’s application software references the valid customer and vendor files to validate the transaction.

Access Control
To function smoothly, EDI trading partners must permit a degree of access to private data files that would be forbidden in a traditional environment. The trading partner agreement will determine the degree of access control in place.

EDI Audit Trail
The absence of source documents in EDI transactions eliminates the traditional audit trail and restricts the ability of accountants to verify the validity, completeness, timing, and accuracy of transactions. One technique for restoring the audit trail is to maintain a control log, which records the transaction’s flow through each phase of the EDI system.

Audit Objectives Relating to EDI
The auditor’s objectives are to determine that (1) all EDI transactions are authorized, validated, and in compliance with the trading partner agreement; (2) no unauthorized organizations gain access to database records; (3) authorized trading partners have access only to approved data; and (4) adequate controls are in place to ensure a complete audit trail of all EDI transactions.

Audit Procedures Relating to EDI
• Tests of Authorization and Validation Controls. The auditor should establish that trading partner identification codes are verified before transactions are processed. To accomplish this, the auditor should (1) review agreements with the VAN facility to validate transactions and ensure that information regarding valid trading partners is complete and correct, and (2) examine the organization’s valid trading partner file for accuracy and completeness.
• Tests of Access Controls. Security over the valid trading partner file and databases is central to the EDI control framework. The auditor can verify control adequacy in the following ways:
  1. The auditor should determine that access to the valid vendor or customer file is limited to authorized employees only. The auditor should verify that passwords and authority tables control access to this file and that the data are encrypted.
  2. The trading agreement will determine the degree of access a trading partner should have to the firm’s database records (such as inventory levels and price lists). The auditor should reconcile the terms of the trading agreement against the trading partner’s access privileges stated in the database authority table.
  3. The auditor should simulate access by a sample of trading partners and attempt to violate access privileges.
• Tests of Audit Trail Controls. The auditor should verify that the EDI system produces a transaction log that tracks transactions through all stages of processing. By selecting a sample of transactions and tracing these through the process, the auditor can verify that key data values were recorded correctly at each point.

Auditing PC-Based Accounting Systems

Overview
The software market offers hundreds of PC-based accounting systems. In contrast to mainframe and client-server systems, which are frequently custom-designed to meet specific user requirements, PC applications tend to be general-purpose systems that serve a wide range of needs.

PC System Risk and Controls

Operating System Weaknesses
In contrast to mainframe systems, PCs provide only minimal security for the data files and programs contained within them. This control weakness is inherent in the philosophy behind the design of PC operating systems. Intended primarily as single-user systems, they are designed to make computer use easy and to facilitate access, not restrict it.

Weak Access Control
Security software that provides logon procedures is available for PCs. Most of these programs, however, become active only when the computer is booted from the hard drive. A computer criminal attempting to circumvent the logon procedure may do so by forcing the computer to boot from a CD-ROM, whereby an uncontrolled operating system can be loaded into the computer’s memory.
Inadequate Segregation of Duties
Employees in PC environments, particularly those of small companies, may have access to multiple applications that constitute incompatible tasks. For example, a single individual may be responsible for entering all transaction data, including sales orders, cash receipts, invoices, and disbursements.

Multilevel Password Control
Multilevel password control is used to restrict employees who share the same computers to specific directories, programs, and data files. Under this approach, different passwords are used to access different functions.

Risk of Theft
Because of their size, PCs are objects of theft, and the portability of laptops places them at the highest risk. Formal policies should be in place to restrict financial and other sensitive data to desktop PCs only. In addition, the organization should provide employee training about appropriate computer usage.

Weak Backup Procedures
Computer failure, usually disk failure, is the primary cause of data loss in PC environments. If the hard drive of a PC fails, recovering the data stored on it may be impossible. To preserve the integrity of mission-critical data and programs, organizations need formal backup procedures.

Risk of Virus Infection
Virus infection is one of the most common threats to PC integrity and system availability. Strict adherence to organizational policies and procedures that guard against virus infection is critical to effective virus control.

Audit Objectives Associated with PC Security
• Verify that controls are in place to protect data, programs, and computers from unauthorized access, manipulation, destruction, and theft.
• Verify that adequate supervision and operating procedures exist to compensate for the lack of segregation between the duties of users, programmers, and operators.
• Verify that backup procedures are in place to prevent data and program loss due to system failures, errors, and so on.
• Verify that systems selection and acquisition procedures produce applications that are of high quality and protected from unauthorized changes.
• Verify that the system is free from viruses and adequately protected to minimize the risk of becoming infected with a virus or similar object.

Audit Procedures Associated with PC Security
• The auditor should observe that PCs are physically anchored to reduce the opportunity for theft.
• The auditor should verify from organizational charts, job descriptions, and observation that programmers of accounting systems do not also operate those systems. In smaller organizational units where functional segregation is impractical, the auditor should verify that there is adequate supervision over these tasks.
• The auditor should confirm that reports of processed transactions, listings of updated accounts, and control totals are prepared, distributed, and reconciled by appropriate management at regular and timely intervals.
• Where appropriate, the auditor should determine that multilevel password control is used to limit access to data and applications and that the access authority granted is consistent with the employees’ job descriptions.
• If removable or external hard drives are used, the auditor should verify that the drives are removed and stored in a secure location when not in use.
• By selecting a sample of backup files, the auditor can verify that backup procedures are being followed. By comparing data values and dates on the backup disks to production files, the auditor can assess the frequency and adequacy of backup procedures. If an online backup service is used, the auditor should verify that the contract is current and adequate to meet the organization’s needs.
• By selecting a sample of PCs, the auditor should verify that their commercial software packages were purchased from reputable vendors and are legal copies.
• The auditor should review the selection and acquisition procedures to ensure that end-user needs were fully considered and that the purchased software satisfies those needs.
• The auditor should review the organization’s policy for using antiviral software. This policy may include the following points:
  1. Antiviral software should be installed on all microcomputers and invoked as part of the startup procedure when the computers are turned on. This will ensure that all key sectors of the hard disk are examined before any data are transferred through the network.
  2. All upgrades to vendor software should be checked for viruses before they are implemented.
  3. All public-domain software should be examined for virus infection before it is used.
  4. Current versions of antiviral software should be available to all users.
• Verify that the most current virus data files are being downloaded regularly, and that the antivirus program is indeed running continuously in the PC’s background and is thus able to scan all incoming documents. Corporate versions generally include a “push” update, whereby the software automatically checks the home Web site of the antivirus vendor for new updates each time it is connected to the Internet and the PC is booted.
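The following added example (not part of these notes) scripts two of the EDI audit procedures above: reconciling the trading partner agreement against the database authority table, and tracing a sample of transactions through the control log to confirm key data values were recorded at every phase. The same reconciliation logic applies to the PC procedure that compares granted access authority with job descriptions. Partner names, record names, phase names and log rows are constructed sample data.

```python
# Added example, not from the original notes: two EDI audit tests as scripts.
# Partner names, record names, phase names and log rows are constructed.

# Trading partner agreement: records each partner is permitted to reach.
AGREEMENT = {
    "PARTNER-A": {"inventory_levels", "price_list"},
    "PARTNER-B": {"price_list"},
}
# Database authority table: records each partner has actually been granted.
AUTHORITY_TABLE = {
    "PARTNER-A": {"inventory_levels", "price_list"},
    "PARTNER-B": {"price_list", "customer_master"},  # wider than agreed
    "PARTNER-X": {"price_list"},                     # no agreement on file
}

def reconcile_access(agreement, authority):
    """Test of access controls: return {partner: excess privileges} for
    every partner whose granted access exceeds the trading agreement.
    The same check reconciles employee access authority against job
    descriptions in a PC environment."""
    exceptions = {}
    for partner, granted in authority.items():
        excess = granted - agreement.get(partner, set())
        if excess:
            exceptions[partner] = excess
    return exceptions

# Control log: (txn_id, phase, partner, amount) recorded at each phase.
PHASES = ["van_received", "translated", "validated", "app_processed"]
CONTROL_LOG = [
    ("T100", "van_received", "PARTNER-A", 1500), ("T100", "translated", "PARTNER-A", 1500),
    ("T100", "validated", "PARTNER-A", 1500), ("T100", "app_processed", "PARTNER-A", 1500),
    ("T101", "van_received", "PARTNER-B", 300), ("T101", "translated", "PARTNER-B", 300),
    ("T101", "app_processed", "PARTNER-B", 300),       # never logged as validated
    ("T102", "van_received", "PARTNER-A", 900), ("T102", "translated", "PARTNER-A", 900),
    ("T102", "validated", "PARTNER-A", 900), ("T102", "app_processed", "PARTNER-A", 9000),
]  # T102's amount changes after validation

def trace_transaction(log, txn_id):
    """Test of audit trail controls: trace one sampled transaction through
    every phase. Returns (phases with no log entry, phases whose partner or
    amount differ from the values recorded when the VAN received it)."""
    entries = {phase: (partner, amount)
               for tid, phase, partner, amount in log if tid == txn_id}
    missing = [p for p in PHASES if p not in entries]
    received = entries.get(PHASES[0])
    changed = [p for p in PHASES if p in entries and entries[p] != received]
    return missing, changed
```

Running `reconcile_access(AGREEMENT, AUTHORITY_TABLE)` reports PARTNER-B's extra record and PARTNER-X's unagreed access, and `trace_transaction(CONTROL_LOG, "T101")` flags the missing validation phase while `"T102"` flags the altered amount at application processing.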