Auditing Electronic Data Interchange

Auditing Electronic
Data Interchange
Electronic Data Interchange
It is the intercompany exchange of computer
processible business information in standard
In a pure EDI environment, there are no human
intermediaries to approve or authorize
transactions. Authorizations, mutual obligations,
and business practices that apply to transactions
are all specified in advance under the trading
partner agreement.
Benefits of EDI
Data keying. EDI reduces or even eliminates the
need for data entry.
Error reduction. Firms using EDI see reductions
in data keying errors, human interpretation and
classification errors, and filing (lost document)
Reduction of paper. The use of electronic
envelopes and documents drastically reduces
the paper forms in the system.
Postage. Mailed documents are replaced with
much cheaper data transmissions.
Automated procedures. EDI automates manual
activities associated with purchasing, sales order
processing, cash disbursements, and cash
Inventory reduction. By ordering directly as
needed from vendors, EDI reduces the lag time
that promotes inventory accumulation.
Financial EDI
It is the process of using EDI for fund transfers,
cash receipts, cash disbursements and other
purchasing and selling activities.
EDI Controls
Transaction Authorization and Validation
• Both the customer and the supplier must
establish that the transaction being processed
is to (or from) a valid trading partner and is
authorized. This can be accomplished at three
points in the process.
1. Some VANs (Value Added Networks) have the
capability of validating passwords and user ID codes for
the vendor by matching these against a valid customer
file. The VAN rejects any unauthorized trading partner
transactions before they reach the vendor’s system.
2. Before being converted, the translation software can
validate the trading partner’s ID and password against a
validation file in the firm’s database.
3. Before processing, the trading partner’s application
software references the valid customer and vendor files
to validate the transaction.
Access Control
• To function smoothly, EDI trading partners
must permit a degree of access to private data
files that would be forbidden in a traditional
environment. The trading partner agreement
will determine the degree of access control in
EDI Audit Trail
The absence of source documents in EDI
transactions eliminates the traditional audit trail
and restricts the ability of accountants to verify
the validity, completeness, timing, and accuracy
of transactions. One technique for restoring the
audit trail is to maintain a control log, which
records the transaction’s flow through each
phase of the EDI system.
Audit Objectives Relating to EDI
• The auditor’s objectives are to determine that
(1) all EDI transactions are authorized,
validated, and in compliance with the trading
partner agreement; (2) no unauthorized
organizations gain access to database records;
(3) authorized trading partners have access
only to approved data; and (4) adequate
controls are in place to ensure a complete
audit trail of all EDI transactions.
Audit Procedures Relating to EDI
• Tests of Authorization and Validation Controls.
The auditor should establish that trading partner
identification codes are verified before
transactions are processed. To accomplish this,
the auditor should (1) review agreements with
the VAN facility to validate transactions and
ensure that information regarding valid trading
partners is complete and correct, and (2) examine
the organization’s valid trading partner file for
accuracy and completeness.
Tests of Access Controls. Security over the valid trading
partner file and databases is central to the EDI control
framework. The auditor can verify control adequacy in
the following ways:
1. The auditor should determine that access to the valid
vendor or customer file is limited to authorized
employees only. The auditor should verify that passwords
and authority tables control access to this file and that
the data are encrypted.
2. The trading agreement will determine the degree of
access a trading partner should have to the firm’s
database records (such as inventory levels and price lists).
The auditor should reconcile the terms of the trading
agreement against the trading partner’s access privileges
stated in the database authority table.
3. The auditor should simulate access by a sample of
trading partners and attempt to violate access privileges.
Tests of Audit Trail Controls. The auditor should
verify that the EDI system produces a
transaction log that tracks transactions through
all stages of processing. By selecting a sample of
transactions and tracing these through the
process, the auditor can verify that key data
values were recorded correctly at each point.
Auditing PC-Based
Accounting Systems
The software market offers hundreds of PCbased accounting systems. In contrast to
mainframe and client-server systems that are
frequently custom-designed to meet specific
user requirements, PC applications tend to be
general-purpose systems that serve a wide
range of needs.
PC System Risk and Controls
Operating System Weaknesses
• In contrast to mainframe systems, PCs provide
only minimal security for data files and
programs contained within them. This control
weakness is inherent in the philosophy behind
the design of PC operating systems. Intended
primarily as single-user systems, they are
designed to make computer use easy and to
facilitate access, not restrict it.
Weak Access Control
• Security software that provides logon procedures
is available for PCs. Most of these programs,
however, become active only when the computer
is booted from the hard drive. A computer
criminal attempting to circumvent the logon
procedure may do so by forcing the computer to
boot from a CD-ROM, whereby an uncontrolled
operating system can be loaded into the
computer’s memory.
Inadequate Segregation of Duties
• Employees in PC environments, particularly
those of small companies, may have access to
multiple applications that constitute
incompatible tasks. For example, a single
individual may be responsible for entering all
transaction data, including sales orders, cash
receipts, invoices, and disbursements.
Multilevel Password Control
• Multilevel password control is used to restrict
employees who are sharing the same
computers to specific directories, programs,
and data files. Under this approach, different
passwords are used to access different
Risk of Theft
• Because of their size, PCs are objects of theft
and the portability of laptops places them at
the highest risk. Formal policies should be in
place to restrict financial and other sensitive
data to desktop PCs only. In addition, the
organization should provide employee training
about appropriate computer usage.
Weak Backup Procedures
• Computer failure, usually disk failure, is the
primary cause of data loss in PC environments.
If the hard drive of a PC fails, recovering the
data stored on it may be impossible. To
preserve the integrity of mission-critical data
and programs, organizations need formal
backup procedures.
Risk of Virus Infection
• Virus infection is one of most common threats
to PC integrity and system availability. Strict
adherence to organizational policies and
procedures that guard against virus infection
is critical to effective virus control.
Audit Objectives Associated with PC
• Verify that controls are in place to protect data, programs,
and computers from unauthorized access, manipulation,
destruction, and theft.
• Verify that adequate supervision and operating procedures
exist to compensate for lack of segregation between the
duties of users, programmers, and operators.
• Verify that backup procedures are in place to prevent data
and program loss due to system failures, errors, and so on.
• Verify that systems selection and acquisition procedures
produce applications that are high quality, and protected
from unauthorized changes.
• Verify that the system is free from viruses and adequately
protected to minimize the risk of becoming infected with a
virus or similar object.
Audit Procedures Associated with PC
• The auditor should observe that PCs are physically anchored to reduce the
opportunity of theft.
• The auditor should verify from organizational charts, job descriptions, and
observation that programmers of accounting systems do not also operate
those systems. In smaller organizational units where functional
segregation is impractical, the auditor should verify that there is adequate
supervision over these tasks.
• The auditor should confirm that reports of processed transactions, listings
of updated accounts, and control totals are prepared, distributed, and
reconciled by appropriate management at regular and timely intervals.
• Where appropriate, the auditor should determine that multilevel
password control is used to limit access to data and applications and that
the access authority granted is consistent with the employees’ job
• If removable or external hard drives are used, the
auditor should verify that the drives are removed and
stored in a secure location when not in use.
• By selecting a sample of backup files, the auditor can
verify that backup procedures are being followed. By
comparing data values and dates on the backup disks
to production files, the auditor can assess the
frequency and adequacy of backup procedures. If an
online backup service is used, the auditor should verify
that the contract is current and adequate to meet the
organizations needs.
• By selecting a sample of PCs, the auditor should verify
that their commercial software packages were
purchased from reputable vendors and are legal
copies. The auditor should review the selection and
acquisition procedures to ensure that enduser needs
were fully considered and that the purchased software
satisfies those needs.
The auditor should review the organization’s policy for using antiviral
software. This policy may include the following points:
1. Antiviral software should be installed on all microcomputers and
invoked as part of the startup procedure when the computers are
turned on. This will ensure that all key sectors of the hard disk are
examined before any data are transferred through the network.
2. All upgrades to vendor software should be checked for viruses
before they are implemented.
3. All public-domain software should be examined for virus infection
before it is used.
4. Current versions of antiviral software should be available to all
users. Verify that the most current virus data files are being
downloaded regularly, and that the antivirus program is indeed
running in the PC’s background continuously, and thus able to scan all
incoming documents. Corporate versions generally include a “push”
update where the software automatically checks the home Web site of
the antivirus vendor for new updates each time it is connected to the
Internet and the PC is booted.

similar documents