
Auditing of e-Commerce and e-Business

RKM 4 PSI
Kevin Mannuel / 397033

We frequently use the terms “e-business” and “e-commerce” interchangeably, but
they don’t really mean the same thing. E-commerce means using IT to buy and sell goods
and services electronically. E-business is a broader term, covering not just exchanges of goods
and services, but also all forms of business conducted using electronic transmission of
data and information. For example, e-business includes using the internet or intranets for
employee training or customer support. E-business began when customers and suppliers
recognized the advantages of exchanging documents such as purchase orders and invoices
electronically, rather than through the postal service. This electronic data interchange (EDI)
could speed ordering and fulfillment dramatically. The advent of the internet allowed
businesses, organizations, and individuals to publish World Wide Web pages and
communicate with broader audiences.
The internet is the world’s biggest network, connecting thousands of other
networked computer systems. Doing business over the internet requires a variety of
specialized protocols, software, browsers and servers. In addition, e-business requires
specialized software languages. One of the most widely used of all protocols is the
Transmission Control Protocol/Internet Protocol (TCP/IP). The internet is an international network of local
area networks (LANs) and computers with no single controlling site. TCP/IP allows
communication among Internet nodes, and each computer or network connected to the
internet must support it. Each message transmission over the Internet requires an IP
address for both the sender and the receiver. The IP address is the numerical translation of the
text address. The IP address includes both source and destination information. Each address
is unique and consists of a network and a host address. An example of an IP address would be
251.36.220.5. The first group of numbers identifies a geographic region, the next group is
for a specific organizational entity, the third set is the group of computers or network
identification, and the last number references a specific computer. Finally, IP addresses may
be static or dynamic. Static addresses are assigned and stay the same from one computing session to
another. With a dynamic approach, a computer receives a new IP address for each
computing session. The main hardware component in e-commerce is the Web server, which
hosts an organization’s Web pages and the program that receives network requests and sends
back HTML files in response. These pages are in hypertext markup language (HTML) format.
The Web server sends and receives messages from users in HTTP message format.
HTML is a formatting language that specifies the presentation of information over
the World Wide Web. There is no question that HTML has been fundamental to the
development of the internet. However, e-business needs another language to enable the
transmission and manipulation of information across the internet. This language is
extensible markup language (XML). XML uses tags to describe data elements; unlike HTML
tags, XML tags describe the data itself rather than just how the data should be presented.
Another way that XML differs from HTML is that it is extensible, another word for
expandable. There is a fixed set of markup tags for HTML, but users and software designers
can create new tags for XML. As a result, user groups are working to create specialized sets
of industry tags, which, in a sense, represent that industry’s proprietary language. The
accounting and finance industry is developing extensible business reporting language
(XBRL), which is to be used for business reporting over the internet. An advantage of XBRL
will be that business entities can store the data once in XBRL format and extract it as
needed for a variety of reporting purposes.
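To make the HTML/XML distinction concrete, here is an added example (not part of the original essay, and not an XBRL or any real industry schema) that parses a small purchase order written with application-defined tags. The tag names, the document itself and the validation rules are all constructed for illustration; the point is that the tags name the data (buyer, line item, quantity, price) rather than its presentation, so the same document can be read once and reused for different purposes, such as computing an order total.

```python
import xml.etree.ElementTree as ET
from decimal import Decimal

# Constructed purchase order using made-up, application-defined tags.
# The tags describe WHAT the data is, not how a browser should draw it.
PURCHASE_ORDER_XML = """<?xml version="1.0"?>
<purchaseOrder number="PO-1001" currency="USD">
  <buyer>Example Retail Ltd</buyer>
  <lineItem sku="A-17"><qty>3</qty><unitPrice>19.95</unitPrice></lineItem>
  <lineItem sku="B-02"><qty>1</qty><unitPrice>250.00</unitPrice></lineItem>
</purchaseOrder>
"""


def parse_purchase_order(xml_text):
    """Parse the order into plain Python data, rejecting structurally invalid input."""
    root = ET.fromstring(xml_text)
    if root.tag != "purchaseOrder":
        raise ValueError(f"unexpected root element {root.tag!r}")
    items = []
    for li in root.findall("lineItem"):
        qty = int(li.findtext("qty"))
        price = Decimal(li.findtext("unitPrice"))   # Decimal avoids float rounding on money
        if qty <= 0 or price < 0:
            raise ValueError(f"invalid line item {li.get('sku')!r}")
        items.append({"sku": li.get("sku"), "qty": qty, "unit_price": price})
    return {
        "number": root.get("number"),
        "currency": root.get("currency"),
        "buyer": root.findtext("buyer"),
        "items": items,
    }


def order_total(order):
    """One of many uses of the same stored data: the order value."""
    return sum(item["qty"] * item["unit_price"] for item in order["items"])


if __name__ == "__main__":
    order = parse_purchase_order(PURCHASE_ORDER_XML)
    print(order["number"], order["buyer"], order_total(order), order["currency"])
```

When the XML comes from a business partner rather than from your own systems, treat it as untrusted input: validate it against the agreed schema and parse it with entity expansion disabled or limited, since XML parsers accept more than the schema allows.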
E-business requires allowing access to some part of an organization’s information
system, so at any stage there is a threat of unauthorized access. The use of dedicated Web
servers should restrict that access, although hackers can often find their way into even
highly secure networks. Privacy concerns the protection afforded to proprietary
information, including personal information and information related to an exchange or
transaction. The protection may be against unauthorized access, or it may be policies
ensuring that users who access information do not use it for any purpose other than what is
allowed by the information provider. Confidentiality is similar to privacy, except that it
focuses on information that is specifically designed to be confidential or secret. Privacy and
confidentiality are extremely important in e-business for many reasons. For example,
e-business provides an opportunity to collect more data about buyers and sellers than is
possible in a brick-and-mortar world. For individuals, the privacy risks faced by engaging in
e-commerce range from simple embarrassment to identity theft. For business entities, privacy
risks may take the form of litigation for unauthorized disclosure of confidential information
or loss of competitive proprietary information.
Most entities engaged in e-business have privacy policies. The policies serve two
main purposes. First, they protect the entity because they clearly spell out how it will
treat proprietary information. Second, they provide assurance to business partners about
how their information will be used. IT auditors are frequently involved either in crafting
such a policy or in evaluating one. There are several elements of a sound privacy policy,
including a general statement, a description of the information collected at the site, and the
use of the collected information.
Businesses and software applications may use internet tracking tools to monitor
behavior over the internet. Two of these devices are logs and cookies. Web servers make a
record each time a user’s Web browser views an Internet page. These records, called log
files, are key to the fact that “someone is always watching” when a user is on the internet.
Most of the time, no one really cares and the log files have no value. Sometimes, however,
the information may be useful for a variety of purposes. For example, log files are legal
documents, and they may be used against an individual in court. The data in a log file
typically includes the name and IP address of the user’s computer, the time of the request,
the address requested, and the uniform resource locator (URL) of the previous page visited.
The URL of the current or launch page provides a referrer link. Advertisers are very interested
in these links because they indicate behavior patterns of Web users.
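The following is an added example, not from the original essay, showing how the fields just listed are actually read out of a Web server log. It assumes the common Apache/NCSA “combined” format (client address, timestamp, request line, status, size, referrer, user agent); the four log lines are constructed for this example and do not come from any real server. The code turns each line into a record, tallies which referrer led to which page (the behavior-pattern data advertisers value), and rebuilds the per-client audit trail an auditor would look at.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in the "combined" log format (made-up entries).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2003:13:55:36 -0700] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Oct/2003:13:56:01 -0700] "GET /catalog.html HTTP/1.1" 200 5120 "http://shop.example/index.html" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2003:13:57:12 -0700] "GET /catalog.html HTTP/1.1" 200 5120 "http://ads.example/banner" "Mozilla/4.0"
198.51.100.23 - - [10/Oct/2003:13:58:40 -0700] "POST /cart.cgi HTTP/1.1" 302 0 "http://shop.example/catalog.html" "Mozilla/4.0"
"""

# host - - [time] "method path proto" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)


def parse_log(text):
    """Return one dict per well-formed line: host, time, method, path, status, referer."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole run
        rec = m.groupdict()
        rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        rec["referer"] = None if rec["referer"] == "-" else rec["referer"]
        records.append(rec)
    return records


def referer_counts(records):
    """How often each referring URL sent a visitor to each page."""
    counts = Counter()
    for r in records:
        if r["referer"]:
            counts[(r["referer"], r["path"])] += 1
    return counts


def sessions_by_host(records):
    """Audit trail per client address: the ordered list of (time, path) requests."""
    trail = defaultdict(list)
    for r in sorted(records, key=lambda r: r["time"]):
        trail[r["host"]].append((r["time"].isoformat(), r["path"]))
    return dict(trail)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (ref, page), n in referer_counts(recs).items():
        print(f"{n} visit(s) to {page} came from {ref}")
    for host, steps in sessions_by_host(recs).items():
        print(host, "->", " > ".join(path for _, path in steps))
```

Because the referrer is supplied by the client’s browser, it is evidence of behavior but not proof: it can be absent, stripped, or set to anything, so an audit should treat it as a claim made by the client, not as a server-verified fact.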
Another internet tracking tool is a cookie. Cookies are pieces of data placed in a
browser’s memory. The text contains both the identity of the server leaving the cookie and
the identity of the user’s computer. While cookies have been the subject of much
controversy because of their privacy infringement, they do serve many useful purposes. For
example, internet shoppers may be greeted by name at some sites, and as they move from
page to page the information on previous pages can be accumulated, perhaps into a
shopping cart. Web tracking tools are controls in that they provide audit trails of activity.
At the same time, they infringe on privacy. Online users have some power over this monitoring, at least with
respect to cookies. A user or user group may choose to disable cookies on a personal
computer. Spyware is another type of internet tracking tool that may be used for marketing
purposes or by hackers to obtain confidential or private information.
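Since the essay frames cookies as something an IT auditor must weigh (a useful control versus a privacy exposure), here is an added example of the kind of check an auditor can run over a site’s Set-Cookie headers. It is not from the original essay; the three headers are constructed for illustration, and the thresholds (what counts as a long-lived tracking cookie) are assumptions. It uses Python’s standard http.cookies parser and flags cookies that would travel over plain HTTP, that page scripts can read, that are shared with every subdomain, or that persist for years.

```python
from http.cookies import SimpleCookie

# Constructed Set-Cookie headers, as a merchant site might send them
# (made up for this example; not captured from any real site).
SET_COOKIE_HEADERS = [
    "sessionid=9f3c2a1b; Path=/; Secure; HttpOnly; SameSite=Lax",
    "visitor=4471-ab; Path=/; Domain=.example; Max-Age=63072000",
    "cart=item42; Path=/checkout; Secure",
]

ONE_YEAR = 365 * 24 * 3600   # assumed threshold for a "long-lived" cookie


def audit_cookie(header):
    """Parse one Set-Cookie header and return a list of audit findings (empty = clean)."""
    jar = SimpleCookie()
    jar.load(header)
    findings = []
    for name, morsel in jar.items():
        if not morsel["secure"]:
            findings.append(f"{name}: missing Secure (also sent over plain HTTP)")
        if not morsel["httponly"]:
            findings.append(f"{name}: missing HttpOnly (readable by page scripts)")
        if not morsel["samesite"]:
            findings.append(f"{name}: no SameSite attribute (sent on cross-site requests)")
        if morsel["domain"].startswith("."):
            findings.append(f"{name}: Domain={morsel['domain']} is shared with all subdomains")
        max_age = morsel["max-age"]
        if max_age and int(max_age) > ONE_YEAR:
            days = int(max_age) // 86400
            findings.append(f"{name}: persists {days} days (long-lived tracking cookie)")
    return findings


def audit_all(headers):
    """Map cookie name -> findings for every header in the list."""
    return {h.split("=", 1)[0]: audit_cookie(h) for h in headers}


if __name__ == "__main__":
    for name, findings in audit_all(SET_COOKIE_HEADERS).items():
        print(name, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

The session cookie passes; the persistent “visitor” cookie is the one that matches the essay’s description of a tracking device, and the findings give the auditor concrete items to raise against the privacy policy rather than a general objection to cookies.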
Since the internet is a network, all the general network and telecommunications
systems risks and controls apply to it. E-business, however, poses security risks beyond
those of other networks for several reasons. The first is that the network is publicly
accessible to any user with a Web browser and an Internet Service Provider (ISP) and
therefore cannot be protected in the same ways a private network might be. A second
reason is that e-commerce by definition involves the exchange of monetary and other liquid
assets, in addition to information assets such as credit card numbers, over a public network,
which creates additional vulnerabilities. Another increased risk for the internet versus other
networks is its sheer size and its increasing importance to the functioning of the economy.
Encryption, a part of any network security system, is particularly important in e-business.
The information transmitted during an exchange of goods or services is frequently
confidential or sensitive. Offering customers a secure way to purchase goods over the
internet is critical to the success of online retailers. The internet basically uses
public/private key encryption. Parties conducting business over the internet are concerned
about establishing a secure connection. Secure Sockets Layer (SSL) technology, an
encryption protocol developed by Netscape, provides for this. With SSL, a customer’s
browser locates the merchant’s public key, which is stored at the retail web site. The
customer’s browser uses the public key to encrypt the message so that only the merchant
can read it. SSL is used when a browser and server communicate. Other encryption
protocols applicable to specific Open Systems Interconnect (OSI) layers are Secure Socket
Shell (SSH), Secure Electronic Transmission (SET), Secure-HTTP (S-HTTP), and IP security.
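The public/private key idea the essay attributes to SSL is easier to see with numbers. The block below is an added illustration, not from the original essay and not how SSL/TLS actually encrypts traffic: it is textbook RSA with tiny primes (61 and 53, an assumed choice) and no padding, used only to show the asymmetry the text describes. The customer side holds nothing but the merchant’s public key and can still produce a message that only the holder of the private key can reverse.

```python
from math import gcd

# Toy textbook RSA with tiny primes, for illustration only. Real SSL/TLS uses
# keys of 2048 bits or more, randomized padding, and negotiates a symmetric
# session key instead of encrypting application data with RSA directly.


def make_keypair(p, q, e=17):
    """Return (public_key, private_key) as (n, e) and (n, d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # private exponent: modular inverse of e
    return (n, e), (n, d)


def encrypt(public_key, message):
    """Customer side: encrypt each byte with the merchant's PUBLIC key."""
    n, e = public_key
    data = message.encode()
    if any(b >= n for b in data):
        raise ValueError("message byte too large for this toy modulus")
    return [pow(b, e, n) for b in data]


def decrypt(key, ciphertext):
    """Reverse the operation with whatever exponent the key holds.

    Only the PRIVATE exponent d undoes encryption; using the public
    exponent e here just produces garbage, which is the whole point.
    """
    n, exp = key
    return [pow(c, exp, n) for c in ciphertext]


def to_text(numbers):
    return bytes(numbers).decode()


def demo():
    """Walk through the exchange the essay describes and return what the merchant reads."""
    merchant_public, merchant_private = make_keypair(61, 53)   # n = 3233 (toy size)
    # 1. The browser fetches the merchant's public key from the site.
    # 2. It encrypts the order details with that key.
    ciphertext = encrypt(merchant_public, "card 4111")
    # 3. Only the merchant, holding d, can recover the plaintext.
    return to_text(decrypt(merchant_private, ciphertext))


if __name__ == "__main__":
    print(demo())
```

Note what the example does not give you: the browser has no way here to know that the public key it fetched really belongs to the merchant. In SSL/TLS that gap is closed by the server certificate, which is why certificate validation, not the encryption arithmetic, is where most deployment mistakes show up.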

Most parties in business-to-consumer e-business transactions pay for goods and
services with credit cards. Businesses engaged in e-commerce use either credit cards or the
same types of accounts payable invoicing and payment systems used for offline transactions.
Individuals and businesses are increasingly paying bills online. This is done through an
electronic bill presentment and payment (EBPP) system. Users can do this by making
arrangements either directly with each creditor or through a banking service. Consumers
will find that the ability to pay bills electronically and view their account status online
provides them convenience and time savings. Businesses should also save, as the transaction
costs for setting up individual customer accounts and processing payments decrease.
The purposes of securing the Web server are to ensure privacy and confidentiality,
prevent downloads of programmed threats, and resist attacks from intruders both outside
and inside the organization. While many users may be authorized to interact with the Web
server, the server security should ensure that only a limited set of authorized users can
actually shut down the server, maintain it, log onto it, and control the job accounting data
associated with it.
Business-to-consumer e-commerce is big, but international business-to-business
e-commerce is bigger and could reach $8 trillion annually by 2004. As the dollar amount of
transactions over the internet increases, so does concern about the availability and
reliability of online business processes. Ensuring availability and reliability of online services
requires maintaining all of the security precautions. It is difficult, if not impossible, to
protect servers from DoS attacks, which increases the importance of backup and recovery
plans and procedures.
