System controls for electronic data interchange. (The Practitioner & the Computer) by Tsay, Bor-Yi
System Controls for Electronic Data Interchange
The success of the banking industry in utilizing electronic funds transfer systems (EFTS) led the way for electronic data interchange (EDI) to gain popularity as a means of data communication between vendors and customers in some industries. Generally, in an EDI environment, an on-line communication network links the computer systems of a given vendor and its customers. A customer can place an order through the EDI network to a vendor's system, thus avoiding some clerical paperwork and saving the time required for postal delivery. After receiving the order through the network, the vendor can acknowledge the order, issue a delivery notice, and dispatch an invoice through the same network. In some cases, by mutual agreement, a manufacturer can access his or her customer's inventory status file through an EDI network and replenish the customer's inventory automatically. Conventional paper documents are substantially reduced under these circumstances.
Manufacturers with EDI network communication can now obtain information concerning market demand and supply faster than before, allowing them to respond to market conditions on a timely basis. Experience in the automotive, textile, and apparel industries indicates that both production lead time and stock inventory have been substantially decreased. Accordingly, the cost of production can be reduced. Retailers, in turn, can avoid stock-outs and capture more sales because suppliers can respond swiftly to unexpected surges in demand for popular items. For example, Seminole Manufacturing Co. reportedly has cut its delivery time of men's polyester slacks to Wal-Mart to 22 days, a reduction of 50%. Also, Wal-Mart's pants sales are up 31% over a 9-month period. In another example, Navistar International Corp. has cut its truck inventory by a third, or $167 million, which is a reduction from a 33-day supply to a 6-day supply. Quick response to market conditions and reduction of production costs provide EDI network participants a competitive edge over nonparticipants.
The EFTS in the banking industry has generally limited its network communication to banks only. The new development in EDI technology, however, enables the industry to expand the boundary of its network. Some banks are trying to connect their customers' systems with the banks' systems so that a transfer of funds electronically from a merchant's account to a supplier's account would become possible. With the banking industry included in the EDI network, a purchaser, after inspecting delivered orders, could pay the bill electronically by transferring funds from his bank account to the vendor's account. The swift transfer of funds might affect traders' float cost--payees' float cost would decrease while payors' would increase. However, since most firms are involved in transactions related to both collections and payments, it is likely that gains and losses on float costs caused by swift transfer of funds would offset each other to some extent. Consequently, the net effect would probably be insignificant. On the other hand, however, fast inventory turnover and funds transfer would significantly decrease the amount of required working capital for members of an EDI network.
The use of EDI network communication brings the just-in-time (JIT) management concept one step closer to reality. Vendors can use an electronic transfer system where the initial purchase order (or delivery schedule) automatically sets up electronic data transfers at the delivery date and electronic funds transfers at the payment date.
The business world faces a communication revolution. EDI technology has been proven to be an effective means to save time, reduce costs, and increase revenues. Those who resist the new technology will soon lose out in intense competition. In short, EDI network communication will prevail in the near future.
The development of EDI technology provides management accountants with an excellent opportunity to improve their firms' external communication capability. High-ranking management accountants, like controllers, may be in charge of, or participate in, the development of an information system designed to join an EDI network. In the meantime, public accountants providing management advisory services will get involved in EDI systems more frequently than ever before. Therefore, they should be aware of potential problems related to EDI communications. For instance, paper documents of transactions are disappearing and so is the conventional audit trail. Some of the conventional control devices may be obsolete. New controls must be in place to assure the integrity of financial data, the safeguarding of assets, and the reliability of financial reports.
Generally, there are two types of EDI network structures. The first type of structure has a central station to direct the flow of communications; the second type does not. The decentralized structure can accommodate only a limited number of participating firms. The centralized structure has the capacity to contain many members in the network and, therefore, it allows member firms to reach more trading partners than the decentralized structure.
Necessary controls for an EDI system to accomplish its goals include: 1) network controls (inter-firm controls); and 2) member's internal controls (intra-firm controls).
To communicate effectively and efficiently, network participants must be able to send and receive valid business documents on which both parties to a transaction agree. To achieve this goal, participants must be assured that fraudulent acts utilizing EDI technology can be contained at a tolerable level. On the other hand, participants utilizing the JIT management concept may reduce the time and labor force for inspecting goods delivered by vendors. The level of trust between trade counterparts who adopt an EDI network to execute the JIT management concept must therefore be high. Further, an EDI network's controls should provide an environment that satisfies the above conditions.
Listed below are some network controls that members of a centrally controlled EDI system should consider. Eventually, members should reach an agreement on the types of controls that must be in place.
Establishing Network Administration. It is necessary to delegate the network administration to an institution so that policies and control measures of the network can be executed. If the number of network members is low and a dominating member exists, the dominating member may be selected as the administrator. In some situations, general members may not like to give the dominating member the power of central coordination. Hence, one alternative arrangement is to assign the administrative job to a third party specialist.
Setting Policies and Rules of the Network. Policies and operational rules of the network must be established and agreed upon by members so that the network can function in an orderly manner and achieve its objectives. Without a set of clear policies and rules, the network could break down because of collisions among unguided actions.
Selective Admission to Network Membership. Close screening on both financial and non-financial credit worthiness of applicants is a necessary part of the policies. Those without a satisfactory credit background should be rejected to keep irregularities of the network communication low. In turn, the trust among members can be maintained at a high level.
Creating and Enforcing Ethical Rules. Network members' databases are connected through the network. It is possible that some members could try to access their competitors' data files. Despite various control devices that may be in place at the network and individual-firm levels, some successful penetrations of confidential files may be committed by unauthorized members. Those responsible, if successfully traced through system controls or other means, should be expelled from the network.
Other ethical rules should also be considered. For example, those who intentionally and frequently violate contracts communicated through the network could destroy the trust among members. Under such circumstances, members may be forced to request conventional paper documents as hard evidence of valid contracts in case they need to take legal action later. Otherwise, they may take additional precautionary measures to reduce risks. Such movements would clearly increase the cost and decrease the efficiency of EDI communication.
Member Identification and Access Controls. The network administration should assign a proper identification code to each member and to the member's computer (or terminal). In addition, the administration should devise certain access controls, including the assignment of passwords to members. For a member to submit a message through the network to another member, the member would be required to enter his ID code and password. The combination of a proper ID code and a proper password would be recognized by the network system for admission. The system should temporarily disconnect a line after a designated number of unsuccessful attempts to enter the network system has been made on it. This technique prevents a would-be intruder from continuously trying different possible access codes.
Another access control option is to require the network system to disconnect the communication line once the proper identification code and password have been recognized. A proper combination of identification code and password identifies the logical address of a particular network member, and the network system can then immediately reconnect the communication line to the physical address of that member's computer system. This technique would prevent intruders and other members of the network from using a member's identification code and password to commit fraudulent transactions from elsewhere. The combination of member identification, password, and programmed access controls provides the network system with some assurance that the true identity of the message sender will be recognized. In addition, passwords must be changed often.
Establishing Audit Trails. The network system should keep several control logs to record all the messages transmitted through the network. The content of control logs should include the time and date, initiating party and receiving party, and the message. The data stored in control logs can corroborate the transmission of messages through the network. This is of particular importance should argument or legal action occur with regard to the existence and content of electronic communications. The data stored in the network logs are confidential and should not be available to everyone. Members should develop guidelines about how control-log data may be disclosed.
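The three network controls just described (ID code plus password admission, disconnecting a line after a designated number of failed attempts, reconnecting to the member's recorded physical address, and a control log of every message) can be modelled in a few dozen lines. The following is an added illustration written for this article, not code from the author or from any EDI product; the member codes, addresses and the limit of three attempts are constructed values.

```python
"""Toy model of a centrally administered EDI network's admission and logging controls."""
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

MAX_FAILED_ATTEMPTS = 3  # the "designated number" of failures before a line is dropped (assumed)


def hash_password(password: str, salt: bytes) -> bytes:
    # The administration stores only a salted hash, never the member's password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class EDINetwork:
    def __init__(self):
        self.members = {}        # ID code -> (salt, password hash, physical address on record)
        self.failed = {}         # incoming line -> consecutive unsuccessful attempts
        self.disconnected = set()  # lines dropped after too many failures
        self.control_log = []    # time/date, initiating party, receiving party, message

    def enroll(self, id_code, password, physical_address):
        salt = secrets.token_bytes(16)
        self.members[id_code] = (salt, hash_password(password, salt), physical_address)

    def admit(self, line, id_code, password):
        """Verify ID code + password; return the address to reconnect to, or None if refused."""
        if line in self.disconnected:
            return None
        record = self.members.get(id_code)
        ok = record is not None and hmac.compare_digest(record[1], hash_password(password, record[0]))
        if not ok:
            self.failed[line] = self.failed.get(line, 0) + 1
            if self.failed[line] >= MAX_FAILED_ATTEMPTS:
                self.disconnected.add(line)   # stop repeated guessing on this line
            return None
        self.failed[line] = 0
        # The network drops the incoming line and reconnects to the member's recorded address,
        # so a stolen ID code and password cannot be used from an arbitrary location.
        return record[2]

    def submit(self, sender, receiver, message):
        """Record a message between two enrolled members in the control log; return the entry count."""
        if sender not in self.members or receiver not in self.members:
            raise PermissionError("both parties must be enrolled members")
        self.control_log.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "sender": sender,
            "receiver": receiver,
            "message": message,
        })
        return len(self.control_log)
```

Access to `control_log` itself is the part the article says members must agree guidelines for; this model simply keeps the entries in memory.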
Member's Internal Controls
In an EDI environment, network members issue and receive business documents electronically; and the use of authorized signatures on paper documents to prove authenticity is no longer applicable. A vendor must establish certain control procedures to reduce risks related to fraudulent orders. The physical control over unused paper documents to avoid unauthorized issuance of documents is also obsolete. Without substituting control measures, an entity runs a risk of losing money because its employees may fraudulently commit the entity to unauthorized transactions. Misplacement of funds and other assets would be possible under the circumstances. On the other hand, a member receiving electronic documents from other members through the EDI network does not have paper-copy documents directly from its trade partners. Manual document logging controls to ensure that every incoming document is processed are no longer available and other controls must be created to accomplish the same goal.
Some basic controls that individual members of an EDI network can consider adopting include the following.
Establishing Written Policies and Rules. Written policies and rules for all employees would provide guidance on operations related to EDI communication which will be the basis of authority delegation and responsibility assignment.
Separation of Duties. Separation of duties among the functions of authorization, execution, and data processing of transactions constitutes a good control. It reduces the risk of sending unauthorized documents to other members of the EDI network. Employees with data processing duties must receive written authorization from proper management to create and transmit electronic documents to other firms. Employees executing the jobs called for by the electronic documents may need to access electronic files for quick action, and proper access controls are necessary to allow executing personnel to retrieve data from electronic files and, in the meantime, keep them out of document preparation and external transmission. Another example of separation of duties is to allow employees to access and process only data related to their duties.
Access Controls. To prevent unauthorized personnel from accessing the entity's data or activating unauthorized transactions through the EDI network, certain access controls are necessary. Access controls can be classified into two categories: physical controls and programmed controls. Physical controls include security measures such as placing computers and terminals in designated areas only, locking computer rooms, and employing security guards. Only authorized personnel should be allowed to enter computer rooms. For additional security, some terminals should be designed to retrieve data only. Personnel needing data but not authorized to enter data could utilize those terminals.
Programmed controls include assignments of passwords and employee identification codes with various data processing capabilities. For example, personnel of the receiving department could be assigned passwords that enable them to access the purchase order file and the vendors' delivery notice files. They would be able to issue receiving reports internally, as well. However, the system would not allow them to issue purchase orders to vendors. The individual member firm's password to enter the EDI network should be kept secret, and employee passwords should be changed often. Only a limited number of employees should have the authorization to know the member firm's secret codes.
Returning the Received Messages to Sender for Confirmation. When a member firm receives electronic documents from another firm, it is important that the validity of the documents be confirmed and illegitimate documents be rejected through regular procedures. One way to achieve this objective is to send the same documents back to the sender for confirmation. In this situation, the management of the originating firm has the opportunity to stop unauthorized transactions before any damage is done.
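The receiving-department example under Programmed Controls and the echo-back confirmation described above fit together as follows. This is an added example written for this article, not the author's or any vendor's code; the role names, document fields and firm codes are constructed, and documents are compared by a hash of their canonical serialization (an assumption, since the article does not say how the echoed copy is matched).

```python
"""Toy model of a member firm's role-based programmed controls plus echo-back confirmation."""
import hashlib
import json

# Permitted (action, file) pairs per role, following the article's receiving-department example.
ROLE_PERMISSIONS = {
    "receiving": {("read", "purchase_orders"), ("read", "delivery_notices"),
                  ("create", "receiving_reports")},
    "purchasing": {("read", "purchase_orders"), ("create", "purchase_orders"),
                   ("transmit", "purchase_orders")},
}


def is_permitted(role, action, resource):
    return (action, resource) in ROLE_PERMISSIONS.get(role, set())


def document_digest(doc):
    # Canonical JSON so that sender and receiver compute the same digest for the same content.
    return hashlib.sha256(json.dumps(doc, sort_keys=True).encode()).hexdigest()


class MemberFirm:
    def __init__(self, name):
        self.name = name
        self.outgoing = {}      # digest -> document management authorized for transmission
        self.incoming = []      # file log of received documents awaiting sender confirmation
        self.processed = []     # documents the sender confirmed, released for processing
        self.activity_log = []  # (operator, action, detail): the historical activity log

    def authorize_and_send(self, operator, role, doc):
        """Only a role permitted to transmit this document type may originate it."""
        if not is_permitted(role, "transmit", doc["type"]):
            self.activity_log.append((operator, "denied transmit", doc["type"]))
            raise PermissionError(f"{role} may not transmit {doc['type']}")
        digest = document_digest(doc)
        self.outgoing[digest] = doc
        self.activity_log.append((operator, "sent", digest))
        return digest

    def receive(self, doc):
        """Log an incoming document and return the copy to echo back to the sender."""
        self.incoming.append(doc)
        return document_digest(doc)

    def confirm(self, echoed_doc):
        """Originating firm confirms only documents its management actually authorized."""
        return document_digest(echoed_doc) in self.outgoing

    def release(self, doc, sender_confirmed):
        """Process a received document only after the sender confirmed it; reject otherwise."""
        self.incoming.remove(doc)
        target = self.processed if sender_confirmed else None
        self.activity_log.append(("system", "processed" if sender_confirmed else "rejected",
                                  document_digest(doc)))
        if target is not None:
            target.append(doc)
        return sender_confirmed
```

A document that appears at the vendor without a matching entry in the customer's `outgoing` register (for example one injected by someone holding the customer's codes) is rejected before any goods are shipped.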
Maintenance of Audit Trails. To ensure that every confirmed document received through the EDI network will be duly processed, electronic file logs for incoming documents should be kept. Historical activity logs that record the time, content, and operator of actions taken through the computer system should be maintained. Periodically, summarized reports of document processing should be generated to provide management with a basis for evaluating the operating procedures. Sufficient audit trails thus enable management to identify sources of errors and irregularities.
Internal Audit. To ensure that internal control procedures are properly followed and that the controls have effectively achieved their objectives, internal audits are necessary. The audits should be performed periodically and sometimes by surprise. Sufficient audit trails coupled with successful internal audits can provide management with information about strengths and weaknesses of the current system. Successful audits also deter attempts at fraudulent actions.
Implications for Management
Stiff competition in the global market has forced U.S. firms to find new ways to face the challenge. The JIT management concept has been imported from Japan to improve the operating efficiency of a number of U.S. firms, requiring that attention be given to the development of techniques to provide management with sufficient information to properly schedule operations just in time. On the other hand, firms that have not adopted the JIT management style must also try to get ahead of their competitors in response to changing market demands. Swift and precise communication between retailers and manufacturers is a key component to meeting this challenge. An EDI network is a functional and efficient system to facilitate the goals of better communications.
While EDI technology makes timely actions possible, it may also bring disaster if proper controls are not in place. Sufficient internal controls are necessary for accountants to ensure the reliability of financial data and reports. When an EDI network is involved, however, internal controls alone are not enough. Certain cooperative controls among the network members must also be developed to achieve the EDI's objectives.
The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.
©2009 The New York State Society of CPAs. Legal Notices