Application 3 – Annotated Bibliography
Information Management & Computer Security Auditing in the e-commerce era Ning Zhao, David C. Yen, I‐Chiu Chang,
Article information: To cite this document: Ning Zhao, David C. Yen, I‐Chiu Chang, (2004) "Auditing in the e‐commerce era", Information Management & Computer Security, Vol. 12 Issue: 5, pp.389-400, https://doi.org/10.1108/09685220410563360 Permanent link to this document: https://doi.org/10.1108/09685220410563360
Downloaded on: 11 March 2018, At: 19:10 (PT) References: this document contains references to 21 other documents. To copy this document: permissions@emeraldinsight.com The fulltext of this document has been downloaded 4339 times since 2006*
*Related content and download information correct at time of download.
Downloaded by Walden University at 19:10, 11 March 2018 (PT)
Auditing in the e-commerce era
Ning Zhao and David C. Yen
Department of DSC and MIS, Miami University, Oxford, Ohio, USA, and
I-Chiu Chang
Department of Information Management, National Chung Cheng University, Chia Yi, Taiwan
Keywords Auditing, Electronic data interchange, Communication technologies, Artificial intelligence
Abstract Financial statements are not as important to investors as they once were, as technology has changed the way companies create value today. While these changes pose serious threats to the economic viability of auditing, they also create new opportunities for auditors to pursue. Both the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants (CICA) Task Force on Assurance Services have identified continuous auditing as a service that should be offered. Continuous auditing is significantly different from an annual financial statement audit. A recent research report produced by the CICA defines a continuous audit as: “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter.” However, continuous auditing would present significant technical hurdles. These technical hurdles could be overcome if certain conditions exist. Computer-assisted audit tools (CAATs) are one of the conditions that must exist in order to conduct continuous auditing. CAATs are defined as computer-assisted tools that permit auditors to increase their productivity, as well as that of the audit function. Therefore, with real-time accounting and electronic data interchange becoming widespread, CAATs are becoming even more necessary. The demand for timely and forward-looking information hints that the continuous audit will eventually replace the traditional audit report on year-end results.
Introduction
Public accountants have provided audits, a traditional attestation service, for more than 100 years. Auditing can create tremendous economic value for a company. By auditing companies’ financial statements, the cost of raising capital is reduced. That is, for debt, companies would be able to pay lower interest rates; for equity, they would be able to offer their shares at higher prices.
Despite the past and present value of auditing, we must be concerned about the role that audits will play in the future. The bottom line is that traditional audits are being threatened by the power of the information technology systems that are being developed today. Information technology provides users with alternate information sources, thereby reducing the need for the traditional financial statements. These developments are also dramatically changing all other aspects of preparing, auditing, and using financial statements. Such changes pose serious threats to the economic viability of auditing.
The increasingly pervasive use of information technology and its growing power threatens auditors in several ways. The relative importance of financial statements to investors is the first area that is being threatened. In the beginning of the century, financial statements represented the majority of the information available to an enterprise’s debt and equity investors. As accounting principles improved, the value of financial statements increased as well. However, at the same time, information technology made other sources of relevant information available. For example, investors can now get up-to-the-minute data about companies through public and proprietary databases, instead of having to wait for quarterly or annual reports.
A second threat to auditing posed by IT is the fact that annual printed financial statements are based on historical information. Information technology, on the other hand, can provide a user with statements that are based on current details and figures. In today’s fast-paced society, historical figures quickly become outdated. Therefore, once banks and investors have real-time access to an enterprise’s databases, they will have little interest in annual printed financial statements. Due to the fact that the audit franchise relies heavily on financial statements, there has been a recent decline in the CPAs’ market share for investor-relevant data.
The field of auditing is maturing. In many public accounting firms, the revenues of audit services have not grown for many years. Under this severe situation, both the American Institute of Certified Public Accountants (AICPA; www.aicap.com) and the Canadian Institute of Chartered Accountants (CICA; www.cic.com) Task Force on Assurance Services have identified continuous auditing as a service that should be offered to help reverse the effects of the decline. Also, in order to help the profession move in a more positive direction, a study is underway to provide a conceptual framework for external continuous audits. This paper will examine the threats to traditional auditing, a new concept of auditing known as continuous auditing, the technical conditions necessary to conduct the continuous audits, the computer-assisted audit tools (CAATs) required to achieve continuous auditing, and the reality and future of continuous auditing.
Threats and challenges to traditional auditing
As mentioned before, information technology presents serious threats to the audit function. Many economic events are now being captured, measured, recognized, and reported electronically, without any paper documentation. Along these lines, online, real-time accounting (RTA) is beginning to emerge. However, although information technology presents serious threats to the audit function, it also offers CPAs exciting opportunities to develop valuable new services. For example, artificial intelligence, a branch of computer science that concerns itself with computer “thinking”, is very useful in the accounting area. XBRL, an extensible business reporting language, will also expand professional opportunities for CPAs and other financial executives, as well as add value to financial information for all users.
RTA
The chief function of auditing is the attest function, which entails giving an opinion on the fairness of companies’ financial statements. This evaluation is conducted in the context of generally accepted accounting principles (GAAP) and requires the application of generalized auditing standards (GAS) (Rezaee et al., 2000). In the early years, financial statements represented a large part of the information available to an enterprise’s investors. Debtors and equity investors’ lending and investing decisions were largely based on companies’ financial statements. Due to this reliance on the financial statements, the role of the auditor was a vital one. The audits were necessary to ensure that the information the public received was as complete and accurate as possible. One reason that the information needed to be as accurate as possible was because the statements were published only on a periodic basis. The financial statements could be produced, audited, and published only a few times a year because the information needed to generate such reports was either too difficult or too costly to obtain under real-time management.
However, information technology has currently made real-time management economically feasible, while traditional paper-based accounting systems have increasingly become out of sync with current practices. Many economic events are now being captured, measured, recognized, and reported electronically, without any paper documentation. Rezaee et al. (2000) have named this new accounting process RTA. RTA can be defined as making accurate accounting information available as soon as possible to assist in providing faster and higher quality decision support to a wider range of users. It provides a single point-in-time information update. For example, when an approved vendor’s invoice is posted, the Accounts Payable vendor account is credited and the General Ledger expense and tax accounts are debited. Also, at the same time, inventory, activity costing, and project commitment balances are being updated.
According to research studies, in manufacturing industries, just-in-time (JIT) inventory management has generated real-time reporting of inventories and work-in-process items on companies’ balance sheets. Likewise, the increasingly refined practice of cash management is rapidly evolving toward real-time management of accounts payable and accounts receivable, along with financial investments of all kinds. Similar trends are also emerging in the retail sector. The process of accounting for the flow of business, from an individual consumer purchase to the company’s bottom line, is rapidly becoming an online process. Thus, in a modern retail store, individual consumer transactions directly affect online inventory management and the reordering of products from suppliers. The financial aspects of such retail transactions are also managed on a real-time basis via electronic cash registers. These registers are tied directly to credit card networks, check authorization companies, and other entities. The financial managers of retail companies are moving toward real-time tracking of cash flows from final sales, vendor payments, and accreted payroll expense items (Rezaee et al., 2000).
With changes occurring in the accounting process that remove a traditional source of information and require the creation of new auditing procedures to conduct financial audits, the procedures of auditing require a significant change. The paper-based audit procedures now followed by most accounting firms need to be replaced by a continuous, electronic audit procedure.
Electronic data interchange (EDI)
The audit is also threatened by the fact that the capacity to link capital investors to company databases has become a reality over the last few years through EDI. Initially, EDI was intended to save time and money by permitting companies to do business without paper documents. However, EDI also permits companies to streamline their supply chains. With the ability to electronically connect to suppliers, a company will not need to wait for paper documents in order to receive important data. EDI-linked companies, therefore, are far better able to anticipate physical flows of products and services. They are able to produce and ship “just in time inventory,” eliminating the need for “just in case inventory.”
Banks and investors can also be connected together through EDI by anticipating cash needs and evaluating their ability to pay the money back. Capital costs and liquidity risks can then be lowered. Some observers anticipate that within the next ten years, most companies will begin to allow investors to view the information in their databases as they begin to realize the cost savings.
Once capital suppliers have access to an enterprise’s databases, they will have little interest in historical annual financial statements and auditors’ opinions. What they will be interested in is assurance from the auditor that the information in the databases is reliable and that the system is likely to produce data that is reliable.
Artificial intelligence
Expert systems software is the artificial intelligence software that is most often used today for businesses’ accounting applications. Expert systems are software programs that use facts, knowledge, and reasoning techniques to solve problems that would normally require expert abilities from humans. Accounting is a perfect field for use of expert system applications, mainly because many problems that arise call for specialized expertise. Many expert systems used by auditors begin with an evaluation of the risk associated with a particular client engagement. Some examples of this include Deloitte & Touche’s Audit Planning Advisor, which helps auditors evaluate areas of concern and audit risk; Price Waterhouse’s Planet, which includes only audit procedures related to specific engagement risks; and Arthur Andersen’s WinProcess, used to categorize a client’s audit risk based on the complexity of the client computer processing environment. These systems have been proven to work very efficiently for these companies, and have helped their auditors immensely.
XBRL (extensible business reporting language)
XBRL will soon become the lingua franca for all business reporting, whether it’s issuing financial statements, allowing banks and shareholders to file 10-Ks with the SEC, or uploading business information onto a Web site (Cohen and Hannon, 2000). XBRL will completely change how business information will be reported, used, and calculated in future years. Once it gets added to most accounting and financial reporting software, it will automatically translate all the business information you choose. It will then identify each part of the data when it is viewed by a Web browser or sent to a spreadsheet for examination and calculation (Cohen and Hannon, 2000).
XBRL will make the financial manager’s work much easier and more effective because it will increase the access and usability of business data. It will not matter whether the information is from a business or an association, whether it is a large or small company, or whether the company is public, private or not-for-profit. Additionally, after the financial information has been created and formatted in XBRL for the first time, it never has to be created again, which will lower the cost of processing, calculating, and formatting the information. XBRL will expand professional opportunities for CPAs and other financial executives, as well as add value to the financial information for all users (Cohen and Hannon, 2000).
Continuous auditing: a new concept and practice
In order for internet-based, real-time financial information to have value, decision makers need real-time assurances from an independent third party that the information is secure, accurate, and reliable. The auditing profession, though, has been slow to adapt to the information needs of on-line users of financial data. A recent study, co-sponsored by the AICPA and the CICA, concluded that, while real-time auditing of financial data is technologically viable, real-time assurance will require significant rethinking of the auditor’s role in a real-time information system (Shields, 1998).
Both the AICPA’s Special Committee on Assurance Services and the CICA’s Task Force on Assurance Services have identified continuous auditing as a service that should be offered. Continuous auditing is significantly different from an annual financial statement audit. A recent research report produced by the CICA defines a continuous audit as “a methodology that enables independent auditors to provide written assurance on a subject matter using a series of auditors’ reports issued simultaneously with, or a short period of time after, the occurrence of events underlying the subject matter” (Shields, 1998). Greg Shields, a senior manager in the CICA’s auditing standards department, describes how, in a continuous audit, auditors’ reports are issued within short intervals or sometimes even made available immediately. In the latter case, the report could take the form of an “evergreen report” that is available whenever a user accesses a Web site. It contains the audited information, with the auditor’s report dated at the time of user access. Alternately, a “report on demand” could be issued. It is similar to the evergreen report, but available only if specifically requested by the user. Shields (1998) also mentions that, unlike the traditional financial statement audit, the continuous audit could focus on any type of information relevant to decision-making. Some areas that the audit would concentrate on would be the authenticity, integrity, and non-repudiation of electronic commerce transactions, the effective operation of controls over a publicly accessible database, or the various non-financial measures of an entity’s performance (Shields, 1998).
According to the AICPA’s Web guide for auditors, the auditors can conduct continuous auditing when most of the information exists only in electronic form. For example, auditors can use software to detect auditor-specified exception items from amongst all of the transactions processed. If an approved sale to a customer pushes the account’s line of credit beyond its limit, a computer log can capture that information for the auditor’s subsequent testing. The sales processing application could contain an embedded audit module with the auditor’s selection criteria. Such modules would allow for the continuous monitoring and analysis of transaction processing.
The auditor is generally involved in designing the systems to ensure that the application includes his or her criteria. To prevent unauthorized modification to the embedded audit module, the auditor also may implement controls, such as the use of passwords to restrict access to source codes or procedures to ensure the entity’s compliance with adequate application software maintenance procedures. Additionally, only approved employees should know the specified criteria for transaction selection (Shields, 1998).
Continuous auditing vs traditional auditing
Similarities
Both continuous auditing and traditional auditing are assurance services. Assurance services are independent professional services that improve the quality of information or its context for decision makers. Assurance services can be decomposed into attestation services and non-attestation services. Continuous auditing and traditional auditing are both under the attestation category. In an attestation engagement, auditors provide written reports on the degree of correspondence between written assertions and pre-established criteria.
Both continuous auditing and traditional auditing cover the basic financial statements such as the balance sheet, income statement, statement of stockholders’ equity, and a statement of cash flows. GAAPs serve as the criteria for both.
Differences
The traditional audit is conducted mostly in the traditional paper-based accounting information systems. In contrast, the continuous audit can only be conducted when most information exists only in electronic form.
The traditional audit is usually conducted once a year. The audit work is very time consuming, requiring much planning and assistance, and it is too difficult to produce more than once a year. In order to issue an opinion on the fairness of a company’s financial statements, auditors have to spend weeks doing fieldwork. For a continuous audit, however, auditors’ reports are issued at short intervals or made available immediately. The information is all kept in electronic form, so the reports are easier to produce more frequently.
Benefits of continuous auditing
Continuous auditing increases the value of real-time financial information, since decision makers need real-time assurances from an independent third party that the information is secure, accurate, and reliable.
Unlike the traditional audit, continuous auditing provides financial statement users with timely assurance reports, such as a report on demand.
Limitations of continuous auditing
Continuous auditing presents significant technical hurdles. In order to conduct continuous auditing, certain conditions must exist. In the next section, there will be a detailed discussion on this issue.
Conducting continuous auditing in accordance with generally accepted auditing standards (GAASs) presents new and significant challenges for CPAs. Currently, GAASs contain numerous standards relevant to e-business, but these are not compiled into a single authoritative document on continuous auditing.
A summary of these similarities and differences can be found in Table I.
Continuous auditing required supports
Continuous auditing would present significant technical hurdles (Verschoor, 1999). According to Shields, during an annual financial statement audit, evidence is often obtained well after the occurrence of underlying events. Such delays are not consistent with the concept of continuous auditing. In a continuous audit environment, little time would elapse between the occurrence of the events and transactions being audited and the process of obtaining audit evidence and reporting on related information. Further, in a continuous audit there would be much less time to investigate and deal with any incorrect statements detected. Frequent misstatements, and the time required for resolution, would delay reports and greatly diminish the usefulness of continuous auditing. However, Shields points out that these technical hurdles could be overcome if certain conditions exist.
Systems requirement
First, the information to be audited must be generated by reliable systems, such as computerized systems that can produce highly reliable information quickly. But how do we know whether the system is reliable or not? Are there any standards available to test computer systems’ reliability? In response to such concerns, the AICPA and the CICA jointly developed a new service – SysTrust – to provide assurance on them. In a SysTrust engagement, accountants report on the availability, security, integrity, and maintainability of a system. A SysTrust engagement includes a system description that delineates the boundaries of the system covered by the engagement, management’s assertion about the system’s underlying controls, and an attestation report by a CPA that evaluates the system against specific criteria. To earn an unqualified opinion, a system must meet all of the SysTrust principles and criteria.
A reliable system is one that operates without material error, fault, or failure during a specified time in a specified environment. The four essential principles underlying such systems are (the following information is from AICPA and CICA Exposure Draft: SysTrust™ principles and criteria for systems reliability, Version 2.0):
(1) Availability. The system is available for operation and use at times set forth in service agreements.
(2) Security. The system is protected against unauthorized physical and logical access. (Logical access is the ability to read or manipulate data through remote access.)
(3) Integrity. System processing is complete, accurate, timely and in accordance with the entity’s transaction approval and output distribution policy.
(4) Maintainability. The system can be updated in a manner that provides continuous availability, security and integrity.
| | Traditional auditing | Continuous auditing |
|---|---|---|
| Similarities | Independent professional attestation services | Independent professional attestation services |
| | Uses GAAP as criteria | Uses GAAP as criteria |
| Differences | Used in paper-based accounting information systems | Used in paper-less accounting information systems |
| | Once a year | Evergreen or report on demand |
| Limitations | Lack of technological adaptation | Significant technical hurdles |
| | Only periodic audit reports | Lack of standards and guidance |
| Benefits | History of techniques and standards used | Increase the value of real time financial information |
| | | Timely audit report |

Table I. Summary table
For each principle, the following criteria enable a practitioner to determine whether an entity’s system meets that principle. The criteria are organized into three categories:
(1) Communications. The entity has defined and communicated performance objectives, policies and standards for system availability, security, integrity and maintainability.
(2) Procedures. The entity uses procedures, people, software, data and infrastructure to achieve system availability, security, integrity and maintainability objectives in accordance with established policies and standards.
(3) Monitoring. The entity monitors the system and takes action to achieve compliance with system availability, security, integrity and maintainability objectives, policies and standards.
A system must satisfy all of the SysTrust criteria to be deemed reliable. To obtain evidence that criteria have been met, a practitioner examines the controls related to each criterion. The SysTrust guidance materials provide practitioners with several necessary illustrative controls.
Audit tool requirements
The second condition that must exist to conduct a continuous audit is to ensure that the continuous audit process is highly automated (Shields, 1998). Audit tools must be installed within an information system to achieve continuous auditing. Some tools include embedded audit modules or audit hooks, exception reporting, and transaction tagging. These tools allow auditing to occur even when the auditor is not present (Bodnar and Hopwood, 2001). With embedded audit modules, application subroutines capture data for audit purposes. This data is usually related to a high-risk area. For example, an application program for payroll would include code that causes transactions meeting pre-specified criteria to be written to a special log called a systems control audit review file. With exception reporting, if the information system includes mechanisms to reject certain transactions that fall outside pre-defined specifications, then the ongoing reporting of exception transactions allows the system to continually monitor itself. With transaction tagging, certain transactions are tagged with a special identifier so that they can be recorded as they pass through the information system. For example, a specific number of employees have tags attached to their transaction records so that an auditor can verify the processing logic in the payroll system. Tagging, in this instance, could also check to see that controls within the system are operating properly. Suppose that a control procedure requires the rejection of transactions if the number of hours worked during a pay period is unreasonable. Auditors can review tagged transactions to make sure that this control procedure works (Bodnar and Hopwood, 2001). From the above, one can see that auditors can use CAATs to help them in various continuous auditing tasks.
Since CAATs are a very popular area in continuous auditing, the following paragraphs will provide more detailed information regarding this subject matter.
CAATs are defined as computer-assisted tools that permit auditors to increase both their own productivity and that of the audit function. CAATs are a way in which the auditor uses the computer in an information system to gather, or assist in gathering, audit evidence. Before the advent of computers, all audit work was performed manually. Proving the completeness of an audited account would involve the manual totaling of many paper transactions. Consequently, identifying problems in an account could take many auditors a great deal of time. Such computer assisted audit tools allow the auditor to perform many of the previously manually intensive tasks both quickly and efficiently, allowing savings in time and cost. With RTA and EDI becoming widespread, computer assisted audit tools are becoming even more necessary (Brodie, 1990).
Different CAATs may be used for different purposes in continuous auditing. For example:
• An embedded audit module, as mentioned above, is a CAAT in which code prepared by the auditor is embedded in the client’s software. Embedded audit modules are programs written and compiled within an application to perform audit procedures while an application is in operation, and may be run only when activated or on a routine basis. They allow for the continuous monitoring and analysis of transactions, and may be embedded at various levels of the application. Such modules are ideal for high-volume, online, real-time systems where the timeliness, completeness, accuracy, and validity of transactions are essential. Embedded audit modules are typically used on applications that pose the highest risk to the organization.
Embedded audit modules enable an auditor to continuously monitor systems. Using these modules allows the auditor to select data samples at any time because the data is selected with the normal production process. The embedded modules also encourage auditor involvement during the designing of the system. Embedded audit modules may require high levels of time, effort, and resources to be built and maintained. Therefore, care must be taken that unauthorized personnel do not modify the embedded modules. Normally, they are built during the development of the system (Bodnar and Hopwood, 2001).
• Exception reporting is a very common CAAT. It involves the extraction of data from the audit file to another file using criteria specified by the auditor; for a financial audit, the auditor will need to identify records that fall within categories.
If the information system includes mechanisms to reject certain transactions that fall outside predefined specifications, then the ongoing reporting of exception transactions allows the system to continually monitor itself (Bodnar and Hopwood, 2001).
• Transaction-tagging is a trace which allows auditors to follow a transaction through the program step by step until the problem is identified. By doing so, certain transactions are tagged with a special identifier so that they can be recorded as they pass through the information system. For example, a specific number of employees have tags attached to their transaction records so that an auditor can verify the processing logic in the payroll system (Simkin et al., 1999).
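The three techniques in the list above can be seen working together in the following added example, which is not taken from the article or from any audit package. A hypothetical payroll routine calls an embedded audit module that copies records matching auditor-specified criteria to a separate exception file and snapshots tagged employees' records at each processing step. The field names, thresholds and the flat 20% deduction are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from decimal import Decimal

# Constructed sample payroll input (not data from the article).
SAMPLE = [
    {"employee_id": "E001", "hours": Decimal("40"), "rate": Decimal("25.00")},
    {"employee_id": "E002", "hours": Decimal("95"), "rate": Decimal("25.00")},
    {"employee_id": "E003", "hours": Decimal("38"), "rate": Decimal("0")},
]

@dataclass
class AuditModule:
    """Auditor-owned hooks that the application calls during normal processing."""
    criteria: dict      # criterion name -> predicate(txn), specified by the auditor
    tagged_ids: set     # employee ids whose records carry an audit tag
    exceptions: list = field(default_factory=list)  # the separate exception file
    trace: list = field(default_factory=list)       # step-by-step record of tagged txns

    def screen(self, txn):
        """Exception reporting: copy a record that meets any criterion."""
        hits = [name for name, test in self.criteria.items() if test(txn)]
        if hits:
            self.exceptions.append({"txn": dict(txn), "criteria": hits})
        return hits

    def snapshot(self, step, txn):
        """Transaction tagging: record a tagged transaction as it passes a step."""
        if txn["employee_id"] in self.tagged_ids:
            self.trace.append((txn["employee_id"], step, dict(txn)))

def run_payroll(transactions, audit):
    """Hypothetical production routine with the audit module embedded in it."""
    paid = []
    for txn in transactions:
        audit.snapshot("input", txn)
        audit.screen(txn)  # monitoring happens inside the production run
        txn = dict(txn, gross=txn["hours"] * txn["rate"])
        audit.snapshot("gross", txn)
        # Assumed flat 20% deduction, standing in for real payroll logic.
        txn["net"] = (txn["gross"] * Decimal("0.80")).quantize(Decimal("0.01"))
        audit.snapshot("net", txn)
        paid.append(txn)
    return paid

def demo():
    """Run the constructed sample with two criteria and one tagged employee."""
    audit = AuditModule(
        criteria={"hours_over_80": lambda t: t["hours"] > 80,
                  "zero_rate": lambda t: t["rate"] <= 0},
        tagged_ids={"E001"},
    )
    return audit, run_payroll(SAMPLE, audit)
```

The trace lets the auditor recompute each step for E001 independently of the payroll code, while the exception file collects E002 and E003 without interrupting the run.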
In order to enable auditors to review computer files without continually rewriting processing programs, many software vendors provide the above CAATs in software packages. Two popular software programs used by auditors are Audit Command Language (ACL) and Interactive Data Extraction and Analysis (IDEA):
(1) ACL is provided by ACL Services Ltd. ACL Services Ltd is a privately held company based in Vancouver, Canada, with offices in Brussels and Singapore, and representatives worldwide. Since 1987, they have provided an integrated solution for auditors, combining market-leading software with a full range of training and consulting services, a worldwide support network, and industry-focused publications. The software requires limited technical expertise for application development and maintenance and has detailed audit trails and on-line help. Using ACL for MVS, users are able to extract information from mainframe data files and then use the graphical orientation of ACL for Windows to do analysis and processing (www.acl.com).
(2) IDEA was developed and marketed by the CICA in 1986. IDEA is a powerful, yet easy-to-use productivity tool that allows auditors, analysts and other financial professionals to display, analyze, sample, or extract data generated by various computer systems on their desktop. IDEA benefits accountants and financial managers by helping them improve their decision-making capabilities. It also helps them to work more efficiently and effectively, in turn giving customers and clients more quality and value, while reducing business costs at the same time. On July 11, 2000, the CICA sold its interest in the IDEA audit automation software to CaseWare International, Inc.
Other requirements
A third condition essential to continuous auditing is the need for an effective link between the audit firm’s system and the audited entity’s system in order to enable fast, accurate, and secure communication of audit instructions and results (Shields, 1998). Connectivity is easier to achieve now than it was in earlier years. The audit firm can now be directly linked to the entity’s wide area network. The Internet could also be used to establish the required connection, provided firewalls, encryption, and other security features are used.
The fourth condition is for accurate and understandable auditors’ reports to be made available on a timely basis (Shields, 1998). Users could post the continuous information and related auditors’ report to a Web site so that they are readily accessible. The company would have to implement, and the auditors would have to test, controls over the automated process for updating the information and the auditors’ report.
The fifth condition necessary for a continuous audit is that auditors would have to have the ability to actually do the necessary work and also have the understanding of how the actual process operates. This would mean that the auditors would need to have knowledge of the various aspects of information technology, as well as the subject matter of the companies’ business and financial process being audited. According to a survey done by Bagranoff and Vendrzyk (2000), in the future, an information system auditor and a financial auditor will be combined into one, and the financial audit will be taken over by the information system audit within the next five years. In other words, future auditors must not only have expertise in the area of financial accounting, but also information technology. Today, public accountants’ certification does not necessarily imply a certified public accountant (CPA); many accounting practitioners indicate that the certified information system auditor (CISA) is becoming more and more valued (Bagranoff and Vendrzyk, 2000).
Future outlooks of continuous auditing
Mr Shiro, the CEO of PricewaterhouseCoopers, best described the need for the change in auditing practices. He claimed that the Internet, stakeholders’ demands for real-time financial information, new corporate value drivers, global stock trading, 24-hour business news, and security needs for electronically transmitted information are fundamentally changing the way we do business. The demand for information that is on time and accurate is forcing the accounting profession to rethink how their auditors audit their companies. Investors and other users of financial reports are beginning to demand more timely and forward-looking information, which will mean that continuous auditing will replace the traditional year-end report. This will not only allow the audit profession to provide a continuous audit; it will also facilitate continuous risk monitoring and sensors to detect taxable events and tax optimization opportunities as a whole new service.
Five years ago, the role of IS audit in the Big Five was largely to support the financial audit. However, as mentioned above, in time, the position of the IS auditor will gradually take over the role of the financial auditor. In the future, the services that Big Five auditors will offer will include real-time assurance, continuous auditing, security outsourcing, privacy and security assurance, and business continuity assurance.
Many new technologies are expected to influence the IS audit practice over the next five years, including data mining, security tools such as digital certificates, and ERP security tools. The next question we must ask is, who will be the ideal job candidate for an auditing firm in five years? According to a survey done by Bagranoff and Vendrzyk (2000), many auditors suggested that academic accounting and MIS departments must merge in order to be able to produce the job candidate they want to hire. Developing educational programs that will adjust to the changes that will be occurring in the field of auditing is very important. It is vital for students and faculty to understand the change in assurance services taking place within the Big Five.
In addition to the above, according to a recent AICPA presentation, AICPA is currently working on an R&D project to provide continuous SysTrust assurance. The profession wants to take the knowledge learned from the Continuous SysTrust and apply it to continuous assurance on financial reporting systems (XBRL systems).
Conclusions
Information technology is dramatically changing the way financial statements are prepared, audited, and used. While these changes pose serious threats to the economic viability of auditing, they also create new opportunities for the audit profession. As the traditional audit profession fights for survival, there is no doubt that the old model of annual financial statement audits is becoming less relevant. Auditing can, however, add more value to an entity if the service is timely enough to meet the needs of decision-makers. Continuous auditing seems to be the right path to take to come up with the answers that the investors and other users of financial statements desire. Auditors, however, must change their mindset to embrace a continuous reporting environment and then acquire the requisite technical skills and knowledge of subject matter to meet the demands of this environment.
References
Bagranoff, N. and Vendrzyk, V. (2000), “The changing role of IS audit among the big five accounting firms”, Information Systems Control Journal, Vol. 5, pp. 33-7.
Bodnar, G. and Hopwood, W. (2001), Accounting Information Systems, 8th ed., Prentice-Hall, Upper Saddle River, NJ.
Brodie, G. (1990), “CAATs scan”, CA Magazine, Vol. 123 No. 4, pp. 32-4.
Cohen, E. and Hannon, N. (2000), “How XBRL will change your practice”, CPA Journal, Vol. 70 No. 11, pp. 36-41.
Rezaee, Z., Ford, W. and Elam, R. (2000), “Real-time accounting systems”, Internal Auditor, Vol. 57 No. 2, pp. 62-7.
Shields, G. (1998), “Non-stop auditing”, CA Magazine, Vol. 131 No. 7, pp. 39-40.
Simkin, M., Moscove, S. and Bagranoff, N. (1999), Accounting Information Systems, 6th ed., John Wiley & Sons, Inc., New York, NY, pp. 311-12.
Verschoor, C.C. (1999), “Book and research reviews”, Internal Auditing, Vol. 14 No. 4, pp. 39-40.
Further reading
Bodnar, G.H. (2000), “CAATs at the millennium”, Internal Auditing, Vol. 15 No. 1, pp. 3-8.
Coderre, D. (1995), “Doing it differently”, Internal Auditor, February, pp. 16-17.
Coderre, D. (1996), “Data integrity and CAATTS”, Internal Auditor, February, pp. 18-20.
Fleenor, W.C. (1995), “Implications of computers in financial statement audits”, Journal of Accountancy, April, pp. 91-3.
Gascoyne, R.J.N. (1992), “CAATs it if you can”, CA Magazine, Vol. 125 No. 6, pp. 38-40.
Gascoyne, R.J.N. (1994), “Information technology: CAATs it if you can”, Singapore Accountant, Vol. 9 No. 6, p. 19.
Helms, G.L. and Mancino, J. (1998), “The electronic auditor”, Journal of Accountancy, Vol. 185 No. 4, pp. 45-8.
Helms, G.I. and Mancino, J.M. (1999), “Information technology issues for the attest, audit, and assurance services functions”, The CPA Journal, Vol. 69 No. 5, pp. 62-3.
Kepczyk, R.H. (1999), “AICPA top five emerging technology issues”, The CPA Journal, Vol. 69 No. 7, p. 72.
Lanza, R.B. (1998), “Take my manual audit, please”, Journal of Accountancy, June, pp. 33-6.
Paukowits, F. (1998), “Mainstreaming CAATs”, The Internal Auditor, Vol. 55 No. 1, pp. 19-21.
Paukowits, F. and Paukowits, V. (2000), “Bridging CAATs and risk”, Internal Auditor, Vol. 57 No. 2, pp. 27-9.
Plagman, B.K. (1992), “Image processing”, Internal Auditor, December, pp. 64-9.