AUDITING

April 2000

CASE STUDY ON AUDITING IN AN ELECTRONIC ENVIRONMENT

By Glenn L. Helms and Fred L. Lilly

Jean's Cookie Company is a one-location bakery whose focus is specialty cookies with unique flavorings and ingredients for holidays and special occasions. The bakery only ships cookies that have been baked within the last 24 hours.

In 1998, approximately 75% of the market for Jean's Cookie Company's product was local and 25% national. The owner, Jean, noted that local market demand was relatively stable, and she expected demand from the national market to increase exponentially. Her goal for 1999 was to increase national market share.

The Ordering System

The company's order-entry system consists of national and local customers placing orders using the bakery's toll-free or local number and providing credit card, address, and other relevant order information. To ensure accuracy, the operator repeats the order to the customer, who has the option of receiving a fax confirmation. Orders are sequentially numbered and entered into personal computers by 12 data-entry operators. The personal computers are connected to a local area network (LAN).

After an order is entered, the computer system generates a production request for the 15 bakers working in three shifts and a mailing label. Four packers per shift pick and package the appropriate cookies and place mailing labels on decorative boxes, which are shipped by carriers that guarantee a maximum two-day delivery. The company accepts orders 24 hours a day, seven days a week.

Each mailing label contains a bar code that is scanned to update the outstanding orders file. Information on filled orders is automatically deleted from the system. For quality control, an inspector periodically compares the packed goods with the order.

Entering the World of E-commerce

In 1998, Jean consulted with her CPA, Mike, and developed an electronic storefront on the Internet. The website provides a catalog of available cookie shapes, flavors, and styles and allows customers to place orders online as well as by telephone.

The online customer completes an order form and provides the same information requested in a telephone order. The company sends the customer an e-mail confirmation when the order is filled that provides information on the expected delivery date. Orders received at the electronic storefront are captured on a file that is used as input to the existing order-entry system. The owner hired John, a local college student majoring in information technology, to help develop the website.

By the end of 1998, national sales had increased beyond expectations and approximately 80% of all sales (national and local) were received via the Internet. The business experienced overall cost efficiencies, with no increase in the number of order-takers. John was working four hours each weekday and was responsible for maintaining the LAN and all of the programming for processing customer orders, preparing production requests, printing mailing labels, and transmitting credit card charges to the company's bank. John also served as the weekend computer operator for nightly updating of files, printing reports and preparing backup. Alison, the LAN supervisor, performed these duties during the week. Each weekend, John would take the backup disk home with him so the company always had a current copy of its files off-site.

After some customer complaints about not receiving shipments, the packers started recording the number of shipments made during each shift on a summary sheet. The bookkeeper was responsible for comparing the number of shipments with the weekly sales summary report and investigating any differences. However, John found that the bookkeeper frequently forgot to make the comparison, so he did it himself.

When John graduated in June 1999, Jean hired him full-time to write programs for an inventory control system and a system to automatically reconcile the credit card settlement report from the bank with the company's sales records. After these projects were done, the owner had him develop programs to order supplies automatically by sending electronic data interchange records to the three baking ingredients suppliers and the decorative box supplier.

Audit and Internal Control Implications

Jean believed that, due to the implementation of the electronic storefront and the increasing international exposure provided by the company's website, sales would increase significantly in the ensuing years. She wanted to construct new and larger production facilities to accommodate the expected demand.

Jean contacted a local community bank that agreed to fund the expansion if the company could provide audited financial statements. She engaged Mike's firm, which had been performing compilation and tax services for the company for several years, to conduct an audit. Mike told Jean that he needed information on the sales system's controls in order to plan and perform his audit.

Mike noted that Jean's Cookie Company's sales system had evolved into one in which the preponderance of significant information is transmitted, processed, maintained, and accessed electronically. In this situation, the auditor might turn to SAS No. 80, Evidential Matter, an amendment to SAS No. 31 on audit evidence. SAS No. 80 states that for a system that predominantly consists of electronic evidence, it might not be practical or possible to reduce detection risk to an acceptable level by performing only substantive tests for one or more financial statement assertions.

SAS No. 80 further notes that the auditor may find it difficult or impossible to access certain information for inspection, inquiry, or confirmation without using information technology. The auditor might use generalized audit software (GAS) or other computer-assisted audit techniques to test system controls or access information. Electronic evidence may not be retrievable after a specified period of time if files are changed and backup files do not exist.

For a business such as Jean's Cookie Company, the auditor should ascertain whether backup files are being made before information about filled orders is deleted. If information on filled orders is retained until audit work is completed or backup files of deleted information are made and retained, then the auditor may be able to use GAS to perform tests such as accounting for the numerical sequence of orders or reconciling orders with shipments. If information about filled orders is deleted from the system and backup files are not made, then the auditor might consider employing continuous auditing techniques.

One continuous auditing technique would be to include an embedded audit module in the client's shipping software. For example, all deleted transactions that exceed a certain dollar amount can be written to an audit file (known as a SCARF, systems control audit and review file) for subsequent review. Additional guidance on electronic evidence is provided in an AICPA auditing procedures study, The Information Technology Age: Evidential Matter in the Electronic Environment.
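The two GAS tests named above (accounting for the numerical sequence of orders, and reconciling orders with shipments) and a SCARF-style embedded audit module can be sketched in a few dozen lines. The following is an added example, not code from the article or from the company in the case; the order file layout (order_no, amount, shipped), the packer summary sheet format, and the $500 SCARF threshold are assumptions, and all records are constructed.

```python
"""
Added example (not part of the article): GAS-style sequence and
reconciliation tests over an outstanding-orders file, plus a SCARF
embedded audit module that records large deletions before filled orders
are purged. Field names and all data below are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Order:
    order_no: int      # sequential number assigned at order entry
    amount: float      # order total in dollars
    shipped: bool      # bar-code scan on the mailing label sets this


# Constructed outstanding-orders file; 1004 and 1007 are missing.
ORDERS = [
    Order(1001, 45.00, True),
    Order(1002, 120.50, True),
    Order(1003, 60.00, False),
    Order(1005, 750.00, True),
    Order(1006, 32.25, True),
    Order(1008, 510.00, False),
]

# Constructed packer summary sheet: order numbers the packers recorded as
# shipped this shift. 1006 was never written down; 1009 is not on file.
SHIPMENT_LOG = [1001, 1002, 1005, 1009]


def sequence_gaps(orders):
    """Account for the numerical sequence: return order numbers that are
    absent between the lowest and highest number on file."""
    nums = sorted(o.order_no for o in orders)
    present = set(nums)
    return [n for n in range(nums[0], nums[-1] + 1) if n not in present]


def reconcile_shipments(orders, shipment_log):
    """Reconcile the order file with the packers' sheet in both directions.
    Orders marked shipped but never logged are the ones behind the
    'did not receive shipment' complaints described in the case."""
    on_file = {o.order_no for o in orders}
    shipped = {o.order_no for o in orders if o.shipped}
    logged = set(shipment_log)
    return {
        "shipped_not_logged": sorted(shipped - logged),
        "logged_not_on_file": sorted(logged - on_file),
        "unshipped": sorted(on_file - shipped),
    }


class Scarf:
    """Embedded audit module: before a filled order is deleted from the
    system, any deletion above the dollar threshold is copied to an audit
    file for later review, so the evidence survives the purge."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.audit_file = []   # (order_no, amount) tuples

    def purge_filled(self, orders):
        """Delete shipped orders, returning the remaining open orders."""
        remaining = []
        for o in orders:
            if not o.shipped:
                remaining.append(o)
            elif o.amount > self.threshold:
                self.audit_file.append((o.order_no, o.amount))
        return remaining


if __name__ == "__main__":
    print("gaps:", sequence_gaps(ORDERS))
    print("reconciliation:", reconcile_shipments(ORDERS, SHIPMENT_LOG))
    scarf = Scarf(500.00)
    open_orders = scarf.purge_filled(ORDERS)
    print("still open:", [o.order_no for o in open_orders])
    print("SCARF entries:", scarf.audit_file)
```

The point of the SCARF class is ordering: the audit record is written inside the same routine that deletes the order, so there is no window in which a filled order can disappear without leaving a trace, and the audit file can be retained until the auditor's work is complete even though the production file is purged nightly.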

SAS No. 55, Consideration of Internal Control in a Financial Statement Audit, as amended by SAS No. 78, explains the importance of assigning to different people the responsibilities of authorizing transactions, recording transactions, preparing independent reconciliations, and maintaining custody of assets. For instance, although he does not enter transactions, John is the sole author of the application software that performs journalizing, posting, and other bookkeeping functions. If no one reviews his work and no controls prevent him from changing the programs, in many respects John functions as though he is recording transactions. He reconciles the weekly sales summary report, maintains custody of assets, and is responsible for preparing backup copies of the data files. A stronger internal control would require a different employee to reconcile shipments with the weekly sales summary report and another to create the backup file and transport it to an off-site location.

SAS No. 55 also notes the importance of general and application controls to provide assurance as to the accuracy, completeness, and authorization of transactions. General controls include controls over data center operations, systems software acquisition and maintenance, access security, and application system development and maintenance. In this case, the auditor should consider the impact of the lack of separation of duties between programming and systems development, operations, access, control group, and librarian functions on this type of audit because John performs all of these functions. Application controls, such as reconciliation of the number of shipments with orders, might be ineffective due to this lack of separation of duties. Again, many of these duties could be assigned to different employees as part-time tasks and would most likely strengthen internal control.

Even if the above duties are reassigned, the auditor should consider the impact of systems development and maintenance controls on the audit. John has had sole responsibility for developing and implementing the application software. Application programs should be developed in accordance with a systems development methodology that requires programming standards, documentation, testing, and approval by users and management before becoming operational. For example, supervisory personnel, such as Alison, should closely monitor the development process to ensure that John generates documentation, that test data appear to be adequate, and that procedures are followed to provide reasonable assurance that only approved applications are placed into operation.

SAS No. 55 states that application controls apply to the processing of individual applications. In traditional order-entry systems, orders are received and entered into the system by a company employee. At Jean's Cookie Company, while phone and fax orders are still processed in this manner, transactions received through the Internet are created by the customer (an unknown third party) and input directly into the company's sales system. Input edits built into the company's programs are the primary control over this kind of input: tests for sign (a negative quantity ordered), completeness (rejecting a transaction without a credit card number, expiration date, etc.), and limits (listing all orders greater than $500 for review before baking begins) can reject or flag bad data before it reaches production. Because the customer's browser cannot be trusted, these edits must run on the company's side, and values such as unit prices should come from the company's own catalog rather than from the submitted form.

Additionally, the company could place a firewall between the Internet and its LAN, restricting which network traffic may reach the company's systems and which may leave them. A firewall filters connections; it does not examine whether the contents of an order make sense, so it complements the input edits rather than replacing them. The auditor may wish to design tests that ensure the input edits work as described, and the firewall rule set can be tested as well.

The website transactions for Jean's Cookie Company flow through an internet service provider (ISP). If the ISP has controls, these would also be of interest. The auditor should consider obtaining a service auditor's report on the ISP containing a description of ISP controls that might impact the auditor's risk assessment. For more guidance, see SAS No. 70, Reports on the Processing of Transactions by Service Organizations.

In addition, the CPA can advise the client to obtain a WebTrust seal of assurance as a possible way to increase sales. This seal provides assurance to potential and existing customers that a CPA or CA has evaluated the website's business practices and controls to determine whether they conform with the WebTrust principles and criteria for business-to-consumer e-commerce.

These criteria and principles address three broad areas of business risk: business practices, transaction integrity, and information protection. The consumer could be provided assurance that a certain percentage of orders are shipped within the promised delivery date, that charge card numbers are secure while being transmitted over the Internet due to encryption, and that personal data remain private. For additional information on WebTrust, see the AICPA website (http://www.aicpa.org). *


Glenn L. Helms, PhD, CISA, CIA, CPA, is an associate professor at the University of North Carolina, Greensboro, and
Fred L. Lilly, CISA, CPA, is a practitioner from Cleveland, Ohio.


Editors:
Neal B. Hitzig, PhD, CPA
Saint Peter's College

Jerry M. Klein, CPA
M.R. Weiser & Co. LLP






