Impact of e-business
By Gerald Trites Illustration: Gary Taxali
Auditing standards have been affected by technology changes, and a review shows that more may be needed
Auditing standards have been in the CICA Handbook for more than 30 years. Most were developed well before the e-business revolution and some before the use of technology became prevalent in business. To determine whether they have been affected by technology-driven change related to e-business, the Information Technology Committee (ITAC) of the CICA conducted a review in 2000. Since then, there have been changes, but more still needs to be done.
While the term "e-business" has been overworked, it's widely used, although definitions vary considerably. As ITAC noted, there is a distinction between e-commerce and e-business: "E-commerce is the process of carrying out business transactions by electronic means, without using paper and utilizing a communications infrastructure, increasingly the Internet. E-business is any business that uses e-commerce and related technologies and processes to develop, expand or enhance its business activities. Accordingly, e-business is broader than e-commerce."
E-business has technological, managerial and operational components. Technologies are usually categorized between buy-side and sell-side, front-end and back-office tools. Organizational components include such areas as webmasters and Internet service providers. Managerial components include outsourcing, business process change and strategic planning. The term "e-business" encompasses technology usage, but adds a distinct supply-chain/Internet focus to the discussion and results in the identification of issues directed to that focus.
Auditing Guideline No. 32 (Electronic commerce, effect on the audit of financial statements) was issued in March 2003. This document, which represented the adoption of International Auditing Practice Statement (IAPS) 1013, covered several matters related to e-business, although it did not represent any change in Handbook recommendations.
The main areas covered by AuG-32 are materiality and audit risk, knowledge of the business, misstatements, internal control and audit evidence. These sections of the Handbook are also soon to be revised as a result of a separate, large project on audit risk, for which the International AASB has recently issued standards and to which the Canadian board is planning to conform.
Guideline 32 does contain guidance on e-business risk and includes a section on the legal implications of e-business. It also includes a large section on Knowledge of the Business, focusing on e-commerce industries, strategy, extent of e-commerce and outsourcing. ITAC is also recommending that AASB add a paragraph in Section 5140 to indicate the knowledge required in respect of e-business for a particular client includes a sufficient knowledge of the technology being used, as well as the strategy and techniques used in executing transactions on the Internet.
The guideline also generally recognizes the internal control issues around e-business, such as the environmental controls of websites, e-business strategic planning, supporting infrastructure, and the applications controls for Internet and Internet-enabled applications.
Although AuG-32 includes a section on internal control, it does not cover reporting on weaknesses in internal control, which is the subject of Handbook Section 5220. In e-business, the issue arises regarding who is responsible for reporting weaknesses in a system that is shared among several companies with different auditors. There should be a requirement to report weaknesses in systems being used by the company regardless of who owns them. In addition, material is needed in the Handbook to define the reporting responsibilities of the various auditors involved in shared systems.
The guideline contains some material on audit evidence, which calls for recognition that paper evidence may not be available and that this may require additional procedures to check the integrity of the electronic evidence. The recent CICA research report on Electronic Audit Evidence provides some excellent ideas on this subject and should be reviewed and reflected in the Handbook.
Finally, the increased role of technology in e-business has raised the importance of the issues covered in Section 5360, Using the Work of a Specialist. There are several areas in e-business where using the work of a specialist might be required. ITAC recommended the section be expanded by adding examples of e-business situations together with issuance of a guideline dealing with the use of specialists related to e-business. The guideline would acknowledge the importance of specialists in an e-business context.
Since the use of the Internet is central to e-business, there are issues related to the use of websites not covered in AuG-32 that need to be reflected in auditing and assurance standards. The association material in Section 5020 was written before the advent of websites, leaving a question as to when public accountants are associated with websites. At present, public accountants' names appear regularly in sites in various capacities and it is important that the issue of association with websites be dealt with. There is also a question of boundaries. Because of links on the site, users may not know where they are in the site or even if they are in another site. (See CICA research study — The Impact of Technology on Financial and Business Reporting.) The Toronto Stock Exchange has issued a policy statement which addresses the boundary issue.
Section 5050, Using the Work of Internal Audit, is another important area affected by the use of the Internet. Although the basic principles are unlikely to require change, the possible extent of usage of internal audit related to technology matters is so wide-ranging that it warrants special consideration.
Consideration should be given to amending Section 5135, Auditor's Responsibility to Consider Fraud and Error, to recognize the advent of websites. The auditor has the same degree of responsibility with regard to the detection of misstatements arising from fraud and error that exists in other safer environments. Therefore, this area should be examined from the viewpoint of revisiting the responsibilities or defining the prudent steps that must be taken in e-business audits to meet these responsibilities.
While documentation of audit files is increasingly being computerized, at present certain documents must be developed and retained in paper form. Some documents, however, such as bank confirmations, account confirmations, letters of representation and legal letters are obtained in digital format. This raises the need to revisit the procedures required to retain the essential principles of confirmations, such as control over the process by the auditor, indicating a need for a revision to Section 5145, Documentation.
Audit Reports on Financial Information Other than Financial Statements is covered in Section 5805. The increased use of the Internet for business and for reporting purposes is giving rise to the need for more performance reporting. The issue of reporting on the specific performance measures is a growing one that should be covered in the Handbook. Similarly, as the use of XBRL grows, as evidenced by its recent adoption by TSX Group for its own accounts, the need for assurance on individual tagged data elements will grow, leading to a need for data-level assurance. This area urgently requires study and offers an opportunity for the profession to offer this new service.
Section 6560, Communications with Law Firms Regarding Claims and Possible Claims, needs to be reviewed for the changes in the law regarding e-business. This has become something of a specialty area among lawyers, which means that communications about e-business matters may need to draw on this special expertise. There may be a need for a joint study on this topic with the bar association. Also, e-business involves complex jurisdictional issues that could require some consideration in making queries and assessing replies.
Prospectuses are sometimes placed on websites and no doubt this trend will grow. Section 7100 deals with the auditor's involvement with prospectuses and other offering documents. In March 2003 Section 7100 was amended to address this area. Also amended was Section 7500, The Auditor's Involvement with Annual Reports, which calls for an auditor to review annual reports to determine that their content is not contradictory with the financial statements.
Section 9200, Compilation Engagements, also may require change. Where public accountants become associated with websites, and changes are made in the information on those sites, or in the underlying data, the issue arises as to whether and when a compilation report should be issued.
ITAC's 2000 review resulted in suggestions for several new research projects:
- Ethical hacking: ethical hacking, or penetration testing, is a type of assignment in which a professional attempts to break through the security layers of a client's system and then reports to the client. These services employ skills traditionally used in IT security reviews but extend them with specialized IT skills. Somewhat related are vulnerability tests, which are assignments in which a security professional conducts a review to determine whether the client's system is vulnerable to unauthorized entry. Such a review normally focuses on the identification of specific vulnerabilities of the system to unauthorized entry. ITAC recently issued a white paper on this. (It is available from www.cica.ca/itac.)
- Audit of virtual enterprises: virtual enterprises include communities of interest and trading exchanges, which include trading partners working within linked systems, such as ERP, CRM and e-procurement systems. Audit issues relating to virtual enterprises, for example, asset valuations, lack of physical assets and shared systems, all need to be studied. Technology is driving and enabling the creation of these enterprises.
- Cross-certification of systems: many systems involved with electronic commerce are inter-organizational, where some organizations in a group use systems managed by the other organizations in the group. This means auditors of individual organizations must rely on the systems of other organizations. Therefore, there may be a need for cross-certification of those systems for various auditors in the group.
- Audit implications of virtual private networks: virtual private networks are logical rather than physical networks. In other words, they are set up by using software to create "tunnels" on the Internet. They are often used to create secure private linkages to send sensitive data. Accordingly, they are considered to be secure and reliable. And they form an important part of a company's overall IT system, and any audit must be concerned with their implications for the overall system.
There is a good deal to be done in recognizing the important impact of e-business and technology adoption on auditing and assurance standards. Hopefully, there will be further discussion of these matters by the AASB and the initiation of new projects to incorporate the implications of e-business into the Handbook and to the development of new studies and other guidance for practitioners.
Gerald D. Trites, FCA, CA·CISA, is professor of accounting and information systems at St. Francis Xavier University, in Antigonish, NS. He is a member of and technical consultant for the CICA's Information Technology Advisory Committee.
Technical editor: Robert Rutherford, vice-president, CICA Standards