A real-life example at a small business entity

Managing and Auditing Electronic Data Interchange

By Ingrid B. Splettstoesser

In Brief

Compensating for the Loss of a Paper Trail

The reduction in the paper trail caused by the increased use of EDI results in the need for new controls and audit techniques. EDI is no longer just used by large businesses, as this example of a vehicle parts repair company shows. The article, based upon real business practices, provides examples of controls and audit techniques that can be used when examining completeness, accuracy, and authorization, the assertions most affected by EDI. The new requirements of SAS No. 80--Amendment to Statement on Auditing Standards No. 31, Evidential Matter, and the resources of the joint American and Canadian audit technique study Audit Implications of EDI are highlighted, illustrating the valuable resource the latter can provide to management and external accountants alike.

Electronic Data Interchange (EDI) works by converting documents, including purchase orders, shipping notices, or invoices, into standard electronic formats. The converted document is sent from one entity's computer to another using a data communications network. Frequently, this is done using a value added network (VAN) that performs "store and forward" functions for the parties involved: receiving, storing, and sending information to participants. EDI has been used for close to 30 years by many types of businesses, with significant growth in the current decade. Advantages include elimination of paper, reduction of postage costs, reduction in data entry costs, improvements in data accuracy, and a resulting potential for faster, more efficient customer service.

Such paperless methods of processing information result in the need for different controls, as well as audit techniques that no longer rely on paper-based approaches. A recent joint American and Canadian technique study, Audit Implications of EDI (1996), discusses business issues, providing examples of both EDI controls and audit techniques, as well as appendices that describe the history of EDI, a comparison of EDI standards, and a general audit program that could be tailored to specific client situations. For external auditors, the technique study is particularly timely since SAS No. 80, Amendment to Statement on Auditing Standards No. 31, Evidential Matter, points out that auditors should consider both written and electronic information when considering evidential matter.

How EDI Is Used at Repair Company

Repair Company repairs dashboards (called "clusters" by the vehicle industry) for a single vehicle manufacturer. It is an owner-operated business that has been in existence for about 20 years, providing stable employment for approximately 70 people and reasonable profit margins. The clusters are sent from various sources: the manufacturer (for rebuilding or correction of defects), authorized vehicle dealers, or independent body shops/mechanics. Most dealers are hooked up to the dealer network by means of the manufacturer, functioning as a VAN, allowing dealers to send electronic mail or EDI transactions to each other and to Repair Co. The dealers and Repair Co. pay for this service based on the number of transactions sent. Others send their transactions in paper form.

Flow of Transactions. A typical dealer repair involves the following electronic documentation (EDI transactions) and business processes:

* The dealer sends an electronic shipment notice identifying the cluster serial number, vehicle model, vehicle mileage, year, production date, and other pertinent information.

* Upon receiving the notice, if the cluster is still under warranty, and a replacement is in stock, a replacement is immediately shipped to the dealer, along with a no-charge invoice.

* If not under warranty, upon receiving the cluster and determining the repair required, Repair Co. sends a formal electronic quote to the dealer, retaining the information included in the shipment notice, adding its own quote number, a description of the work required, and the cost.

* The dealer sends to Repair Co. either an electronic purchase order, authorizing the repair to proceed, or an electronic return notice, authorizing the part to be returned to the dealer at their cost.

* After completing the repair, an electronic invoice is submitted, which also serves as a delivery notice.

Dealers use either the electronic mail service, telephone, or facsimile to inquire about the status of a repair. Repair Co. similarly uses any of these methods to correspond with its dealer customers. Independents normally send documentation with a cluster or provide it by facsimile. Many independents use electronic mail--Repair Co. then prints the electronic message and retains the paper as its documentation.

Warranty Repairs. To enable effective operation of the business and a smooth flow of transactions, many custom written software applications are in use at Repair Co. (refer to Figure 1). The repair is first transferred or entered into the order entry module of the accounting system. A warranty module is used to determine whether this particular model for the specified mileage or year is still under warranty. If so, as indicated above, the customer is simply issued a no-charge replacement if the item is in stock. If not in stock, the repair proceeds as a high priority repair. To manage the repair, the cluster is transferred to the work order software by the order entry staff where it is automatically allocated to the next available production employee. A printed work order accompanies the cluster through the repair process.

Warranty repairs are transmitted on a daily basis to the manufacturer. If there is an error in the warranty bill (such as part number, model, year number, or defective code mismatches), the claim is rejected by the manufacturer and must be revised for subsequent retransmissions. The manufacturer has the right to periodically inspect defective parts or records held by Repair Co., in either electronic or paper form, to help ensure they are billed for only warranty repairs actually completed.

Nonwarranty Repairs. For nonwarranty repairs, upon receipt of the purchase order, its number is entered into the order entry/work order system by the accounting department, and the cluster is released for production with a printed work order identifying the required repair. Upon completion, the invoice is prepared by the order desk, which serves as both invoice and shipping document. Any deviations from the original work order must be approved by one of the four production supervisors using their unique password before the work can be added to the work order or billed to the customer.

Translation. All transactions submitted through EDI require "translation" (reformatting the transaction from the form produced by Repair Co. software to the standard format used by the EDI system) and electronic envelope preparation (see Figure 2). Repair Co. has programs unique to its own system that link its systems to the EDI systems. The envelopes are passed to the communications software, which adds a header and footer for each transmission before they are sent to the manufacturer/VAN, where transactions are sorted and placed into electronic dealer mailboxes. Repair Co. accounting employees retrieve messages from the company's electronic mailbox several times a day. The reverse process is then followed: The EDI systems reformat these transactions into a form that can be interpreted by Repair Co.'s systems.

Repair Co. Controls

The owner has several major concerns in this system. He doesn't really understand how all of the software works, but he wants to ensure repair work is completed on a timely basis, all repair work is billed, billings reflect the actual work done, and warranty work is accurately processed (if work is incorrectly charged as warranty and rejected by the manufacturer, it can be difficult to collect from independents). These concerns are fundamental to the operation of his business--maintaining good profit margins and high levels of profitability.

The supervisors use the production management system to help ensure work is completed on a timely basis, with nonwarranty work or warranty work for nonstock clusters completed as a priority. All EDI transactions are automatically date and time stamped. For manual transactions, the date is entered into the computer. Thus, the owner is able to run exception reports for unreasonable delays (requests for quotes not answered, purchase orders not satisfied) by looking for those not matched with invoices. Requests for quotes are to be answered the same day. Nonstock warranty work or nonwarranty repairs are to be completed within two business days unless the customer has been notified prior to the expiration of the three-day limit. Supervisors must answer to the owner for exceptions and are encouraged to compete for the best customer service levels.

To help ensure only authorized repairs are completed and billed, the owner has separated control over parts from control over purchase orders and invoicing. Parts needed for repairs will only be issued based on work orders that have been scheduled into the systems by order desk personnel. On a spot basis, production supervisors check work required for the quotes to ensure they have been done properly. Accounting staff are responsible for running daily reports from the systems and ensuring warranty and nonwarranty repairs are billed.

Looking at the controls the owner has put in place, it seems the only people that could do unauthorized repairs are the supervisors, since they have the ability to add repairs to a work order, or potentially to do repairs without paperwork. Perhaps the owner could instigate random rotation of supervisors, so that they could review each other's work.

Audit Concerns

Repair Co. requires an audit primarily for its bank loan (working capital needs are high due to the extended payment terms for warranty work, and the need for cluster and repair parts inventories).

SAS No. 80, Amendment to Statement on Auditing Standards No. 31, Evidential Matter, considers, among other things, how the absence of paper based documents could affect an audit engagement. Some of these difficulties can be illustrated using facts from Repair Co. For example, paragraph 12 indicates that information technology (perhaps in the form of computer assisted audit tests) may be needed where records are kept in electronic form. Dealer sales invoices are kept only in electronic form at Repair Co., although a sales journal is printed. Thus, computer tests could be used to ensure that electronic records sum to the totals in the sales journal, or to test the continuity of numeric sequences in sales invoices, looking for gaps. This would help examine the completeness assertion with respect to sales.

Paragraph 14 indicates the auditor should perform tests of controls where it is not possible or practical to reduce detection risk using substantive tests, while paragraph 17 indicates that evidential matter includes both written and electronic information. Paragraph 18 cautions that electronic information may not be available for extended periods of time, so the auditor should consider the availability of this information during the design of tests.

Audit Implications of EDI states that financial statement assertions most affected by EDI are completeness, accuracy, and authorization. For example, questions asked with respect to controls could include: How do we know that all goods shipped are billed (completeness)? Was the customer billed the correct amount (accuracy), and were all price exceptions approved (authorization)?

Let us look at the completeness assertion for sales. For Repair Co., methods of ensuring that all goods shipped are billed start with the shipment notice and move to the quoting cycle for nonwarranty sales. All EDI transactions are sequentially numbered, with header and trailer records used to handle control totals for each individual transmission. Once mailboxes are opened, the sender is sent an acknowledgement to confirm that transactions have been sent. All goods received for repair should have a shipping notice. Nonwarranty repairs would have a quote. All quotes should result in a purchase order or reject notice from the customer. All purchase orders should result in an invoice. Part of a substantive test to ensure completeness of sales could be a computer-based test that matched customer shipping notices to invoices (warranty or nonwarranty) or to a customer reject notice, producing an exception report of unmatched shipping notices. However, since Repair Co. purges electronic reject notices older than two months, the auditor would need to obtain a file of reject notices every month, or request the client to take additional backup copies of purchase orders to run this test. (All other files are retained in archive files and are readily available for the entire year.) Instead, the auditors could rely on the controls exerted by management--reports are printed of incomplete quotes and of unmatched purchase orders, which are followed up by the production supervisors and the owner.
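The computer-based completeness tests described above and under SAS No. 80, paragraph 12, sketched in Python as an added example that is not from the article or from Repair Co.'s systems. The record layouts, sample values, and retention cutoff are constructed assumptions; the purge of older reject notices is handled by reporting affected notices as inconclusive rather than as exceptions.

```python
from datetime import date
from decimal import Decimal

# Constructed extracts; record layouts and values are assumptions.
SHIPPING_NOTICES = [            # (notice number, date received)
    ("SN-1001", date(1997, 9, 15)),
    ("SN-1002", date(1997, 9, 22)),
    ("SN-1003", date(1997, 12, 3)),
    ("SN-1004", date(1997, 12, 9)),
    ("SN-1005", date(1997, 12, 11)),
    ("SN-1006", date(1997, 12, 15)),
]
INVOICES = [                    # (invoice number, notice number, amount)
    (5001, "SN-1001", Decimal("0.00")),     # no-charge warranty invoice
    (5002, "SN-1003", Decimal("184.50")),
    (5004, "SN-1005", Decimal("92.25")),    # 5003 is absent from the file
]
REJECT_NOTICES = ["SN-1004"]                # only unpurged notices survive
REJECTS_RETAINED_FROM = date(1997, 11, 1)   # older reject notices were purged
SALES_JOURNAL_TOTAL = Decimal("461.25")     # total on the printed journal


def sequence_gaps(numbers):
    """Invoice numbers missing between the lowest and highest number seen."""
    seen = set(numbers)
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]


def journal_difference(invoices, journal_total):
    """Printed journal total minus the sum of the electronic invoice records."""
    return journal_total - sum((amt for _, _, amt in invoices), Decimal("0"))


def unmatched_notices(notices, invoices, rejects, retained_from):
    """Shipping notices with neither an invoice nor a reject notice.

    Returns (exceptions, inconclusive). A notice received before the reject
    file's retention cutoff may have been rejected and the evidence purged,
    so it cannot be called unbilled on this data alone.
    """
    billed = {notice for _, notice, _ in invoices}
    rejected = set(rejects)
    exceptions, inconclusive = [], []
    for number, received in notices:
        if number in billed or number in rejected:
            continue
        if received < retained_from:
            inconclusive.append(number)
        else:
            exceptions.append(number)
    return exceptions, inconclusive


if __name__ == "__main__":
    print("Missing invoice numbers:", sequence_gaps(n for n, _, _ in INVOICES))
    print("Journal minus electronic records:",
          journal_difference(INVOICES, SALES_JOURNAL_TOTAL))
    exc, unk = unmatched_notices(SHIPPING_NOTICES, INVOICES,
                                 REJECT_NOTICES, REJECTS_RETAINED_FROM)
    print("Unmatched shipping notices:", exc)
    print("Inconclusive (reject file purged):", unk)
```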

These management controls are interdependent or combined controls: They require both a computer program (the one that prints the report) and a person (the supervisor or owner) for the control to be effective. Thus, the auditor needs to ensure that the program is functioning correctly during the period under audit and that unauthorized changes could not be made to the program. Since the programs were written by an independent software house, and Repair Co. staff test all programs prior to production, but are incapable of changing the programs themselves (since they are only available in object/machine code), the risk of unauthorized program changes is low. As long as evidence of supervisor and owner review of exception reports exists, it is likely this combined control would provide high levels of assurance that material errors with respect to sales completeness would be detected.

Billings are based on dollar amounts entered into the order/entry work order software and those provided on quotes. Warranty amounts are based on standard costs that have been approved by the vehicle manufacturer and entered into the accounting system by accounting staff. Access to standard costs is controlled by a password system that restricts access to only two accounting staff. Not only are passwords used, but the menu is hidden--the person must enter a menu number that does not appear as a valid option on the general menus, which then displays the standard cost master file change subsystem.

The password system is maintained by the accounting manager, the senior accounting person. A customer is normally charged more than the standard costs, since standard costs have been developed by the manufacturer as the "optimum" time required to repair a cluster, with parts paid for as cost plus a markup percentage (normally 30%) with associated labor rates depending upon the complexity of the repair. Dealers and independents are charged hourly rates and parts prices approved by the owner, with any modifications verbally approved by the owner, and entered by the supervisors. To rely upon these accuracy and authorization controls, the auditor would need to determine the effectiveness of the password system (for example, are passwords difficult to guess, changed periodically, removed when employees leave?), spot check the accuracy of the standard costs, determine that the costing programs are functioning as described, and determine what controls are in place to ensure supervisors enter only those price changes approved by the owner.

Audit Planning Implications

The above scenario provides only a small slice of the kinds of issues that would be addressed in an audit where the client makes extensive use of EDI, since it is a simplified example. Chapter 4 of Audit Implications of EDI describes the many audit planning issues that need to be considered when auditing such clients. Walking through the phases of the audit, the auditor needs to determine early on, when gathering knowledge of the business, how EDI affects the business. If the client is using stand-alone EDI (where transactions are received, printed, and then manually entered into the production or accounting cycle), EDI might have limited or no effects on internal controls or business processes. Where the client uses integrated EDI, such as Repair Co., the paperless transactions affect business processes, resulting in the need for different controls and different audit techniques. Since transactions flow from one party to another without a paper trail, the electronic data needs to be examined. Information flows outside the organization, often on public communications channels; so controls to physically protect the information need to be considered. Authorization, completeness, and accuracy of transactions may be dealt with using a combination of manual and automated procedures.

If an auditor wants to place some reliance on internal control during the audit, he or she should assess control risk at below the maximum. This involves identifying specific controls relevant to specific assertions that are likely to prevent or detect material misstatements in those assertions, and performing tests of controls to evaluate the effectiveness of such controls. This means the auditor needs to determine how EDI transactions flow within the business, the controls over those transactions, and alternative methods for testing the transactions. For example, at Repair Co., the auditor might need to look at controls that ensure the company has received all transmission envelopes, and these envelopes have not been tampered with. This helps ensure completeness of transactions sent, as well as authorization and accuracy of data within the transactions.
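An envelope-level check of the kind suggested above, as an added example that is not from the article: it walks the nesting shown in Figure 2 and compares each footer's count and control number with what actually arrived. The X12-style segment tags and the sample interchange are assumptions, since the article does not name the EDI standard Repair Co. uses; count checks of this kind catch lost or truncated data, not a value altered in place.

```python
# Constructed interchange. X12-style tags (ISA/GS/ST/SE/GE/IEA) are an
# assumption; the article does not name the EDI standard in use.
HEADER = (
    "ISA*00* *00* *ZZ*DEALER01*ZZ*REPAIRCO*980105*0930*U*00401*000000101*0*P*>~"
    "GS*PO*DEALER01*REPAIRCO*19980105*0930*1*X*004010~"
)
SET_1 = "ST*850*0001~BEG*00*SA*PO-4471**19980105~PO1*1*1*EA*184.50**VP*CL-77412~SE*4*0001~"
SET_2 = "ST*850*0002~BEG*00*SA*PO-4472**19980105~PO1*1*1*EA*92.25**VP*CL-77415~SE*4*0002~"
TRAILER = "GE*2*1~IEA*1*000000101~"
SAMPLE = HEADER + SET_1 + SET_2 + TRAILER


def _int(text):
    """Footer counts are numeric; anything else is treated as a mismatch."""
    return int(text) if text.isdigit() else -1


def check_envelope(raw):
    """Compare every footer's count and control number with what was received.

    Returns a list of findings; an empty list means the envelope is consistent.
    """
    findings = []
    isa = gs = st = None            # control numbers of the open envelopes
    groups = sets = segs = 0        # running counts at each level
    for seg in (s.strip().split("*") for s in raw.split("~") if s.strip()):
        seg += [""] * 14            # pad so short segments index safely
        tag = seg[0]
        if tag == "ISA":            # interchange control header
            isa, groups = seg[13], 0
        elif tag == "GS":           # functional group header
            gs, sets = seg[6], 0
            groups += 1
        elif tag == "ST":           # transaction set header
            if st is not None:
                findings.append(f"set {st}: no footer received")
            st, segs = seg[2], 1
            sets += 1
        elif tag == "SE":           # transaction set footer
            segs += 1               # the count includes ST and SE themselves
            if (_int(seg[1]), seg[2]) != (segs, st):
                findings.append(f"set {st}: footer says {seg[1]} segments "
                                f"for {seg[2]}, received {segs}")
            st = None
        elif tag == "GE":           # functional group footer
            if st is not None:
                findings.append(f"set {st}: no footer received")
                st = None
            if (_int(seg[1]), seg[2]) != (sets, gs):
                findings.append(f"group {gs}: footer says {seg[1]} sets "
                                f"for {seg[2]}, received {sets}")
            gs = None
        elif tag == "IEA":          # interchange control footer
            if (_int(seg[1]), seg[2]) != (groups, isa):
                findings.append(f"interchange {isa}: footer says {seg[1]} "
                                f"groups for {seg[2]}, received {groups}")
            isa = None
        elif st is not None:
            segs += 1               # detail data segment inside a set
        else:
            findings.append(f"segment {tag} outside a transaction set")
    if any(ctl is not None for ctl in (isa, gs, st)):
        findings.append("transmission ended before all envelopes were closed")
    return findings


if __name__ == "__main__":
    print(check_envelope(SAMPLE))                    # consistent envelope
    print(check_envelope(HEADER + SET_1 + TRAILER))  # one set lost in transit
```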

One consequence of electronic systems may be that some forms of paper are no longer sent, such as monthly customer statements. Auditors frequently rely on such external documents to help determine the reliability of year-end balances. At Repair Co., accounts receivable statements are no longer sent to dealers. The accounts receivable clerk is responsible for reviewing accounts receivable to ensure that transactions are paid on a timely basis. This results in a high concentration of responsibilities. This may require the auditor to do additional computer assisted tests with accounts receivable balances at the year-end. The auditor might also recommend to the owner that he or she periodically review the accounts receivable trial balance and personally approve all write-offs of accounts receivable. These are traditional manual controls that should not be forgotten when dealing with new technologies.

Electronic rather than paper audit trails are used to track and monitor transactions in EDI systems. Such audit controls should include activity logs (tracking both processed and failed transactions); network, sender, and recipient acknowledgements; and details of time sequences of processing. Processes need to exist to authenticate transactions and provide resistance to tampering by encrypting traffic that is sent along readily accessible communications lines. The company also needs to have good general information technology controls. These include the following:

* Security (e.g., user identification and authentication by means of passwords) so that unauthorized individuals cannot tamper with data or programs. For example, each employee should have a unique identification code that enables that person to deal with functions specific to his or her job.

* Program change controls so that reports or control features within programs can be relied upon during the period of the audit. Particularly with custom written programs, such programs should be carefully authorized, tested, and the movement to the production system monitored so that ongoing operations are not jeopardized by inadvertent errors in programs.

* Retention, backup, and disaster recovery procedures to enable the company to continue to function in the event of data processing problems, virus contaminations, or physical disasters. Retention refers to retaining data in electronic form for a sufficient time period for ongoing operations, and for other purposes such as regulatory agencies who may require access to the records. Backup should be frequent, regular, stored offsite, and tied in to procedures for recovery in the event of minor problems (e.g., media failures) through to larger problems (fires or physical damage). This includes alternatives for software, hardware, and communications methods.

Future Considerations

As client profiles and processing methods change, the auditor needs to be fluent in those changes so that he or she can efficiently audit client systems. To retain positive relationships with the client and add to the declining audit revenue base, this fluency means the auditor can help the client move on to the next step in managing the business.

For example, Repair Co. has decided it wants to provide a paperless option by means of the Internet for its independent customers that are not automobile dealers. It wants to engage its programming consultants to write a series of programs that would allow customers to use the Internet to enter requests for quote information, purchase orders, and return requests and allow Repair Co. to convert their transactions into a format readily accessible by word processors and spreadsheet software. Thus, the transactions now handled by EDI would then be sent back and forth using the Internet system. The owner wants to know what controls his programmer should put in place. Could you answer his questions? If you were familiar with controls required for EDI systems and understood the mechanics of Internet communication, the answer would be a resounding YES.

In addition to the audit technique study, there are many other resources available for auditing computer based systems. One such resource is the Information Systems Audit and Control Association (see http://www.isaca.org). The author has also accumulated a reading list of computer audit materials, available at http://www.atkinson.yorku.ca/~adms4552/resource.html.

By using your existing audit skills and standard computer assisted audit tests (such as generalized audit software or test data), together with new resources such as those provided by Audit Implications of EDI, you too can continue to provide top notch services to your clients.

Ingrid B. Splettstoesser, PhD, CA, CISA, is an assistant professor and area coordinator, audit and information systems, at York University.

Figure 1

Software Used by Repair Co.

Figure 2

Typical EDI Transaction Envelope Contents

Interchange control header
    Functional group header, e.g., Purchase orders
        Transaction set header
            Detail data segments
        Transaction set footer
        Transaction set header
            More detail data segments
        Transaction set footer
    Functional group footer
    Functional group header, e.g., Shipment notices
        Transaction set header
            Detail data segments
        Transaction set footer
    Functional group footer
Interchange control footer

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.