Auditing E-business

By Bruce H. Nearon

In Brief

Seeking Guidance in a Changing Environment

More and more entities are becoming involved in the world of e-business, whether they are pure-play Internet companies, dot-com subsidiaries, or the Internet operations of traditional businesses. Auditing the financial statements of e-businesses according to generally accepted auditing standards (GAAS) presents new and significant challenges for CPAs. Current GAAS contains numerous standards relevant to e-business, but they are not currently compiled into a single authoritative document. The author has brought those standards together in one place, compiling a guide for CPAs engaged in the proper application of GAAS to audits of e-businesses.

The Internet was born in 1970 when four university computers and research centers were connected together in a shared network. The Internet functioned almost exclusively for noncommercial purposes until the introduction of the Mosaic browser (1993) and the Netscape browser (1994) provided user-friendly graphic interfaces (GUI) that made the Internet more accessible to consumers and businesses. After the advent of these web browsers, use of the Internet for financial transactions began to increase at an exponential rate. Initially, most of the growth was in consumer transactions (i.e., e-commerce), but recently this growth has slowed. On the other hand, growth in Internet business transactions (i.e., e-business) continues at exponential rates. The anticipated growth in e-business presents CPAs and their clients with an unprecedented opportunity. Those poised to take advantage of this growth will prosper.

Both the mass media and the business press have reported extensively on the phenomenal growth of e-business. CPAs know the Internet is important; now they want to learn more about how, specifically, it affects their clients, practice, and financial statement auditing. In Blown to Bits, authors Philip Evans and Thomas Wurster discuss deconstruction, a process involving competition from dot-com companies that could cause devastating changes to companies and industries. The threat of deconstruction has motivated many accountants and their clients to react quickly to the opportunities and threats posed by the Internet.

E-business transactions are expected to grow from approximately $100 billion in 1999 to $7.3 trillion by 2004, according to a recent estimate in the New York Times. Gross domestic product (GDP) for 2004 is estimated at $11 trillion, which would make e-business represent 66% of the economy within the next four years. Simply put, companies engaged in e-business or actively planning for it can expect rapidly increasing sales and technological expansion. CPAs prepared to audit e-businesses will reap the benefits.

Because computers have been used in accounting for more than 40 years, many CPAs already have the skills and experience necessary to audit digital records. The use of machines for processing accounting information dates back to the 1930s, when IBM’s punch card tabulators were used by the largest businesses and government agencies. Middle-market companies began processing transactions electronically as costs dropped. In the 1980s, low-cost PCs brought computing to the smallest of businesses.

Many accountants have chosen to audit around the computer by treating it as a “black box.” Currently, the great e-business opportunity for CPAs is the simultaneous reduction in audit costs and improvement in audit quality that can be generated by auditing “through the computer” instead of around it. CPAs with IT knowledge will have a distinct advantage in the future market for financial statement audits.

Many CPA firms already provide the following nonattest services to e-businesses:

According to current professional standards, CPA firms that design, implement, or integrate e-business systems may under certain conditions retain their independence but hosting a client’s website will cause outsiders to doubt the auditor’s independence. Independence rules that prevent CPAs from hosting audit client websites strengthen the profession’s credibility and provide state regulators and the SEC with a strong rationale for continuing the profession’s audit franchise.

In order to exercise due professional care, CPAs must gain a competent understanding of internal controls and the nature of electronic evidence. Due to the nature of e-business processing, auditors with a detailed understanding of controls will be able to determine whether evidence obtained in substantive tests is sufficient for their audit conclusions. The 1994 Internal Control-Integrated Framework (COSO Report) identified circumstances that increase e-business risks. In April 2000 the stock market suffered a significant correction, and during the ensuing two months many e-businesses lost 50–90% of their market value. Before the correction, investors ignored low sales, mounting losses, and continual cash infusions into the Internet sector. Auditors considered whether their dot-com clients satisfied the going concern assumption and determined it was valid because of the commitment by investors to continuously refinance. In the current environment, however, the auditors of an e-business with no profits on the horizon and low cash reserves should consider qualifying their audit report because of substantial doubts about the entity continuing as a going concern.

Planning and Audit Evidence

AU section 150.02, Standards of Fieldwork, requires the audit to be adequately planned. According to AU section 326.18, Evidential Matter:

Certain electronic evidence may exist at a certain point in time. However, such evidence may not be retrievable after a specified period of time if files are changed and if backup files do not exist. Therefore, the auditor should consider the time during which information exists or is available in determining the nature, timing, and extent of substantive tests, and, if applicable, tests of controls.

Adequate planning of e-business audit procedures is critical because most of the audit evidence is in electronic form. In some cases, there may not be any physical evidence, for example the online sale, purchase, and delivery of music, books, documents, and information. Evidence of subsequent settlement may also exist only in electronic form. In such situations, auditors should begin audit procedures during the fiscal year in order to ensure that sufficient evidence is available.

By 2005, the entire supply chain will be automated and, over the next five years, will witness enormous pressure on all companies to conduct business electronically. 7 Because e-business transactions will affect all entities, practitioners should begin ascertaining their audit clients’ involvement in e-business as soon as possible. A logical starting place is to include considerations about the nature of actual and planned Internet operations in engagement acceptance procedures. Many boards of directors are keenly aware of the opportunities and threats the Internet poses and their minutes often reveal the client’s e-business strategy. Budget reports also provide indications of Internet activity, but projected e-business revenues and expenses may be lumped in with other sales and expenses, or combined in the technology or marketing budget. Unusual projected increases in these areas may indicate the client’s planned involvement in the Internet. An obvious place to find evidence of the client’s e-business activ ity is the web itself. The client’s website should be carefully examined and an Internet search for indications of the client’s e-business activity conducted.

Adequate Technical Training

According to AU section 210, Training and Proficiency:

The audit is to be performed by a person or persons having adequate technical training and proficiency as an auditor.

It should be recognized that the training of a professional person includes a continual awareness of developments taking place in business and [the] profession.

One possible concern is that college accounting programs trail other business disciplines in adopting formal e-business curriculums. Although most of the top business schools offer e-business courses, few accounting schools do. If accounting schools placed greater emphasis on technical competence, clients and regulators would feel more confident that CPAs have the requisite skills to audit e-business. And as e-business expands to encompass the majority of financial transactions, the accounting profession’s audit franchise can be strengthened by the perception that CPAs are the most qualified professionals to serve the e-business audit market.


According to AU section 220, Independence, the second general standard is:

In all matters relating to the assignment, an independence in mental attitude is to be maintained by the auditor or auditors.

The auditor is required to perform the engagement without bias and should avoid situations that might lead outsiders to doubt the auditor’s independence. With respect to e-business, an audit firm could be providing nonattest services to a client that would cast doubt on an outsider’s perception of the firm’s independence. Some CPA firms design, implement, or host client websites. Hosting a website could mean that the audit firm has physical control of the client’s web servers, serves as network administrator or webmaster, or maintains the e-business software and databases. Some CPA firms that host websites for nonpublic companies do not think this service impairs independence, likening it to providing bookkeeping services. According to ET section 101, Independence, an audit firm’s independence would be impaired if the firm—

  • supervised client personnel in the daily operation of a client’s information system or
  • managed a client’s local area network.

    Although hosting or managing a website is not specifically addressed in the ET standards, the extension of the logic and intent is obvious. An outsider might reasonably doubt the independence of a firm that hosts a client’s website.

    Even if you make the analogy that a website is like a bookkeeping service, according to ET section 101.05, independence would be impaired if the auditor—

  • determines or changes journal entries or account classifications for transactions or other accounting records without obtaining client approval,
  • prepares source documents or originates data, or
  • makes changes to source documents without client approval.

    Because a website that conducts e-business transactions could be performing all of the above functions under the control of the server host, webmaster, or network administrator, an outsider might believe auditor independence has been impaired.

    For auditors of public companies, the case against hosting an audit client’s website is even stronger. According to CCH’s SEC Handbook, section 600, “Matters Relating to Independent Accountants, Bookkeeping, and Related Professional Services”:

    It is the Commission’s position that an accounting firm cannot be deemed independent with regard to auditing financial statements of a client if it has participated closely, either manually or through its computer services, in maintenance of the basic accounting records. … In this situation the accountant, by preparing the basic accounting records, has placed himself in a position where he would be reviewing his own record keeping and could therefore appear to a reasonable third party to lack the objectivity and impartiality with respect to that client which an independent audit requires.

    Neither case specifically addresses Internet hosting, but the intent of the SEC is clear. A client’s website hosted by its auditor records transactions and performs both bookkeeping and computer processing. According to the SEC, both of these activities, separately or taken together, impair independence.

    Internal Control and Evidential Matter

    According to AU section 150, Generally Accepted Auditing Standards:

    A sufficient understanding of internal control is to be obtained to plan the audit and determine the nature, timing, and extent of tests to be performed. Sufficient competent evidential matter is to be obtained through inspection, observation, inquiries, and confirmations to afford a reasonable basis for an opinion regarding the financial statements under audit.

    Proper application of these standards is critical for audits of e-businesses because the inherent nature of electronic evidence requires internal control for electronic transactions.

    According to Auditing Procedure Study, The Information Technology Age: Evidential Matter in the Electronic Environment, the basic accounting issues in an electronic environment are the validity, completeness, and integrity of the accounting records. The relevant auditing and internal control concepts are segregation of duties, information security, and techniques for error correction. In an e-business environment:

    The intended purpose of electronic evidence does not differ from traditional forms of evidence, but it is distinguished by the need for controls to ensure validity. The competence of the electronic evidence usually depends on the effectiveness of internal controls over its validity and completeness.

    According to AU section 326, Evidential Matter:

    If control risk is assessed at a maximum, an auditor who performs only substantive tests of electronic evidence may not be able to obtain sufficient competent evidential matter. Electronic evidence adds new dimensions for the auditor’s consideration, such as the reliability of the system producing and controlling evidence.

    Frequently, e-business applications run on operating systems with security weaknesses that render them unreliable. Often, e-business software is custom written and lacks controls. Even some commercially available packages are developed and implemented without consideration of internal controls.

    Competent evidence should have prima facie credibility:

    Without testing the internal controls surrounding the electronic evidence (for example, controls over generation, storage, manipulation, and transmission), a lack of credibility may not be recognized by the auditor.

    In order to audit e-business transactions, the auditor will have to perform special procedures:

    The auditor may be required to use report writers, specialized audit software, data extraction tools, or other system-based techniques in order to use the information in electronic form.

    To audit e-business transactions, the auditor must have access to the underlying system and data, but the client’s IT department may be reluctant to grant the auditor access. For some clients, accounting records may be processed and stored by third-party Internet service providers (ISP). In the past, an auditor could sometimes obtain an SAS 70 report from a computer service bureau’s auditor on the policies and procedures placed in operation and possibly on tests of operating effectiveness. In today’s environment, an auditor generally cannot obtain an SAS 70 letter from an ISP that hosts a client’s e-business. If the volume of a client’s e-business transactions processed by an ISP are material to the financial statements, lacking an SAS 70 letter or access to the ISP could cause a scope limitation when the auditor is unable to obtain a sufficient understanding of internal control.

    COSO Risk Assessment

    AU section 319, Consideration of Internal Control in a Financial Statement Audit, requires the auditor to obtain a sufficient understanding of internal control. A major source of the definitions and descriptions of internal control used in AU section 319 is the COSO Report. According to COSO, one of the essential components of internal control is the assessment of risk relevant to the preparation of the financial statements. The COSO Report identifies the following circumstances that demand special attention when assessing control risk for e-businesses:

  • Changed economic operating environment
  • New personnel
  • New or revamped information system
  • Rapid growth
  • New technologies
  • New lines, products, and activities.

    Changed economic operating environment. Use of the Internet for commercial and business purposes has dramatically changed the economic operating environment. One threat facing established companies is that new e-business competitors may be better financed. Many dot-coms are partially owned by large corporations or have partners and investors with deep pockets. Many of the new players have either managers with a better understanding of e-business or well-connected former managers of large organizations. These factors put enormous pressure on established companies struggling to maintain traditional market share.

    New personnel. In many cases, managers of E-business operations are young, new, and performance-focused and possess less understanding or appreciation of the need for internal controls. E-businesses also experience high employee turnover because of the scarcity of personnel with e-business technology skills. Within Internet operations of established companies, new managers may not understand the overall business mission or may be less willing to abide by established policy.

    New and revamped information systems. E-business operating and application systems are new, yet their expected useful life is only about two years. Even established e-businesses continually upgrade their systems and make significant modifications. Existing companies that add Internet operations face the complex task of integrating e-business technology with legacy systems. Often, the new and old systems have radically different architectures. The pressure of fast track development and implementation creates an atmosphere in which the existing controls in legacy systems may fail when they are merged with or replaced by new systems. Implementers of new Internet systems want to “go live” as soon as possible, and controls are often an afterthought.

    Rapid growth. Once new Internet operations get their site up and running, many become the victim of their own success if maximum capacity is reached sooner than expected. If this occurs, controls over other functions such as fulfillment, customer service, and support may break down under unanticipated demand. Existing supervisors might not be able to maintain control of hastily added additional support systems. In addition, excess demand on unreliable operating systems may cause frequent server crashes, resulting in lost accounting records.

    New lines, products, and activities. When new technologies are incorporated into existing systems, previously reliable internal controls may no longer be effective. As companies add new e-business lines and activities, managers may be unfamiliar with the control features of the new systems. For new systems, as well as those merged with legacy systems, this unfamiliarity could result in a serious underestimation of risk.

    The cumulative effect of the special circumstances identified by the COSO Report in today’s Internet environment means that control risk increases by a significant degree.

    Going Concern

    In March 2000, Arthur Andersen qualified its audit report on CDNow, an Internet high-flyer, for going concern issues. This qualification confirmed what many had long feared: Thin operating margins do not compensate for excessive marketing costs, and increasing sales volumes do not generate profits when every sale loses money. CDNow’s business model required continual new cash infusions in order to succeed. Auditors of e-businesses need to take a hard look at their clients’ short-term expected cash needs and cash generating abilities. The conjunction of low sales, a high ratio of marketing costs to total expenses, low (less than 12 months) cash reserves, and dependence on funding continued operations with new cash infusions from investors should raise doubts in the auditor’s mind about the entity’s ability to continue as a going concern.

    Many Internet companies that counted on continued funding by investors have shut their doors or gone bankrupt, and Silicon Valley lawyers are expecting many more such failures. Most dot-coms are not expected to survive, and in such an environment auditors should carefully consider the provisions of AU section 341, The Auditor’s Consideration of an Entity’s Ability to Continue as a Going Concern. Indications of substantial doubt about the entity’s ability to continue as a going concern include negative financial trends and the need to seek new sources or methods of financing:

    Ordinarily, information that significantly contradicts the going concern assumption relates to the entity’s inability to continue to meet its obligations as they become due.

    If the auditor believes there is substantial doubt about the entity’s ability to continue as a going concern for a reasonable period of time, he should 1) obtain management’s plan to mitigate the conditions and 2) assess the effectiveness of the plan.

    If the auditor concludes there is substantial doubt, he should 1) consider the adequacy of the disclosure about the entity’s inability to continue as a going concern and 2) include an explanatory paragraph in his audit report to reflect his conclusion.


    E-business transactions are expected to continue their exponential growth in the near future, and it is likely that CPAs’ current clients are either conducting e-business transactions or planning their debut. CPAs must be qualified to audit e-business transactions when their value is material to the financial statements. Many firms are retraining their staff to audit e-businesses in an effort to improve technical competence; accounting programs are revamping their curricula with the same goal in mind. Moving quickly to acquire the technical skills necessary to audit e-business while maintaining strong independence rules enhances the profession’s credibility with clients and regulators. As e-business transaction volume grows, auditors are considering the circumstances identified in the COSO Report that demand special attention.

    And as the Internet sector cools down and the inevitable shakeout of weaker companies takes place, the going concern assumption for all e-businesses must be carefully scrutinized by auditors. By carefully applying audit standards and increasing their IT knowledge, CPAs can improve the quality of audited financial statements of e-businesses. Higher-quality financial information about Internet companies allows investors to make better decisions, which reduces stock market volatility and increases the efficiency of economy-wide asset allocations.

    Bruce H. Nearon, CPA, of J.H. Cohn LLP in Roseland, N.J., serves on the NYSSCPA Auditing Standards and Procedures Committee and Emerging Technologies Committee.

    Home | Contact | Subscribe | Advertise | Archives | NYSSCPA | About The CPA Journal

    The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

    ©2009 The New York State Society of CPAs. Legal Notices

    Visit the new