E-BUSINESS SYSTEMS AND THE RELATED RISKS AND CONTROLS (STUDY OBJECTIVE 6)

Today, there are two popular types of Internet sales, commonly referred to as business to consumer (B2C), and business to business (B2B). B2C sales are those that most people are familiar with, whereby a retail or service firm sells directly to consumers using a website. This is also called e-commerce. B2B sales, on the other hand, involve companies using websites to sell products and services to each other. These types of sales transactions are known as e-business. A more detailed description of e-commerce and e-business is presented in Chapter 14.

There are numerous B2C examples, including Amazon.com, CDUniverse.com, Lands' End, J. Crew, and Delta Air Lines. In a B2C sale, the company's website and underlying network and software systems capture sales data, authorize credit card payments, and acknowledge the order via e-mail. The details such as customer, shipping address, items ordered, and credit card number are captured on the website and uploaded into the company's accounting and logistics software systems. The website must interface with the company's data on inventory, customer accounts, prices, and shipping charges.

B2B is not as well known by those in the general public. Like B2C, it involves the use of websites and the Internet to conduct business. The difference is that the transactions are between companies, rather than between a company and a consumer. This difference is significant in several ways. First, a B2B sale is between known and trusted parties. The buyer and seller have a preestablished business relationship and may have even negotiated prices and delivery expectations. In a B2C sale, the seller may not have any established relationship with the customer.

THE REAL WORLD

Many large corporations sell to other companies. Staples® is an example of a company selling to other companies via websites. Regarding sales of office supplies to other large corporations, management at Staples realizes that it must support orders in the manner the customer prefers. Jay Baitler, the senior vice president of the Staples Contract Division, said, “Offering Internet-based transactions is now critical.”2 Internet-based sales accounted for 70 percent of the revenue in the contract division.

In both B2B and B2C sales, the advantages of e-commerce include the following:

  1. Reduced cost through lower marketing, employee, and paperwork costs
  2. Shorter sales cycles due to reduced time to place an order, deliver the order, and collect payment
  3. Increased accuracy and reliability of sales data
  4. Increased potential market for products and services

However, the Internet-connected nature of e-commerce sales includes several risks that a company must manage. As described in Chapter 4, the network and Internet connections required to conduct e-commerce are risk exposure areas, or “entry points.” The risks involve security, availability, processing integrity, and confidentiality, among others. The risks related to Internet sales are as follows:

Security and Confidentiality

  1. Unauthorized access
  2. Hackers or other network break-ins
  3. Repudiation of sales transactions

Processing Integrity

  4. Invalid data entered by customers
  5. Incomplete audit trail
  6. Errors when integrating data into back-end systems such as accounting, payment processing, and order fulfillment software systems

Availability

  7. Hardware and software system failures that block customers from access to the website
  8. Virus and worm attacks
  9. Denial-of-service attacks by hackers

In addition, there are many online privacy risks to customers. Customer data must be safeguarded by internal controls. The specifics of online privacy risks and controls appear in a later chapter on e-commerce.

Controls should be in place to reduce the security, availability, processing integrity, and confidentiality risks. The controls that can lessen these risks are described in the next several sections.

SECURITY AND CONFIDENTIALITY RISKS

To protect the security of the IT system and the confidentiality of the data, it is important to ensure that those accessing the website and conducting sales transactions are valid and authorized users. User authentication is an important control for Internet sales when it is possible to use it. In the case of retail sales to end-user consumers, user authentication may not be appropriate. B2C companies that engage in retail sales do not always ask users to create user IDs and passwords before buying on the website. Customers can perceive this requirement as burdensome or an invasion of privacy. The need to sell to a wide range of unknown customers may prevent online retailers from using authentication controls. The cost of user authentication in terms of lost sales would outweigh any benefit of the controls. In other cases, such as B2B Internet sales, authentication through user IDs and passwords is more important.

To lessen the chance of fraudulent sales, sales without payment, and repudiation of sales, a company must institute controls to assure the authenticity of the customer and the sale. A real danger in Internet sales is that a customer will use false or fictitious payment information in placing an order. A second danger is that a customer will repudiate a sale. “Repudiate” means that the customer claims to not have conducted the transaction. In both situations, it is important that a company have controls in place to ensure that the transaction is with a valid customer with valid payment authorization and that an audit trail is maintained. Customer authentication through user ID and password should also be used. Credit card authorization procedures must be correctly processed. Digital signatures or digital certificates can be used much like a paper signature is used to authenticate and validate the customer. Finally, transactions should be logged and data trails maintained to avoid repudiation.

PROCESSING INTEGRITY RISKS

As customers enter data on a website to place an order, they may make data entry errors. Controls should be used to minimize these errors. The programming within the website should include steps to check the completeness, accuracy, and validity of the data. You have probably noticed the effect of these controls when ordering items on a website. As two examples, consider what happens if you enter an incorrect state abbreviation or do not complete all necessary fields. Usually, the website provides feedback to you that the state abbreviation is not valid or all necessary fields have not been completed. These are programmed data input checks that should be built into any Web-based sale systems. The programmed checks should include many of those described in Chapter 4, such as field checks, validity checks, limit checks, range checks, reasonableness checks, and sign checks.
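The programmed input checks named above, worked through on a single order line as an added example (this code is not from the textbook). The reference data, the business rules behind the range and limit thresholds, and the 10 percent price tolerance are all constructed for the illustration; a real site would read states, catalog prices and limits from its own databases.

```python
import re
from decimal import Decimal, InvalidOperation

# Constructed reference data for the example; a real site would read these from its databases.
VALID_STATES = {"AL", "AK", "AZ", "CA", "CO", "FL", "GA", "IL", "NY", "TX", "WA"}
CATALOG = {"ABC-1234": Decimal("249.99"), "XYZ-0001": Decimal("19.50")}
REQUIRED_FIELDS = ("customer_name", "street", "city", "state", "zip",
                   "sku", "quantity", "unit_price")
QUANTITY_RANGE = (1, 50)                 # assumed business rule for the range check
MAX_LINE_TOTAL = Decimal("10000.00")     # assumed business rule for the limit check
PRICE_TOLERANCE = Decimal("0.10")        # assumed 10% band for the reasonableness check


def validate_order(order: dict) -> list:
    """Apply the programmed input checks to one order line and return a list of
    error messages; an empty list means the order passed every check."""
    errors = []

    # Completeness check: every required field must be present and non-blank.
    for field in REQUIRED_FIELDS:
        if not str(order.get(field, "")).strip():
            errors.append(f"{field}: required field is missing")
    if errors:
        return errors  # the remaining checks need the fields to exist

    # Field checks: the characters in each field must match its expected format.
    if not re.fullmatch(r"\d{5}(-\d{4})?", str(order["zip"])):
        errors.append("zip: must be 5 digits or ZIP+4")
    if not re.fullmatch(r"[A-Z]{3}-\d{4}", str(order["sku"])):
        errors.append("sku: must have the form ABC-1234")
    try:
        quantity = int(str(order["quantity"]))
    except ValueError:
        errors.append("quantity: must be a whole number")
        quantity = None
    try:
        unit_price = Decimal(str(order["unit_price"]))
    except InvalidOperation:
        errors.append("unit_price: must be a number")
        unit_price = None

    # Validity checks: the value must exist in the reference data.
    if str(order["state"]).upper() not in VALID_STATES:
        errors.append(f"state: '{order['state']}' is not a valid state abbreviation")
    catalog_price = CATALOG.get(str(order["sku"]))
    if catalog_price is None:
        errors.append(f"sku: '{order['sku']}' is not in the catalog")

    if quantity is not None:
        if quantity < 0:
            # Sign check: a quantity can never be negative.
            errors.append("quantity: must not be negative")
        elif not QUANTITY_RANGE[0] <= quantity <= QUANTITY_RANGE[1]:
            # Range check: the quantity must fall inside the permitted band.
            errors.append(f"quantity: must be between {QUANTITY_RANGE[0]} and {QUANTITY_RANGE[1]}")

    if unit_price is not None:
        if unit_price <= 0:
            # Sign check on the price.
            errors.append("unit_price: must be positive")
        elif catalog_price is not None:
            # Reasonableness check: the submitted price should be close to the catalog
            # price (the back end should still price from the catalog, never from the form).
            if abs(unit_price - catalog_price) > catalog_price * PRICE_TOLERANCE:
                errors.append(f"unit_price: {unit_price} is not reasonable for {order['sku']}")
        if quantity is not None and quantity > 0:
            # Limit check: one order line may not exceed the ceiling.
            if unit_price * quantity > MAX_LINE_TOTAL:
                errors.append(f"line total exceeds limit of {MAX_LINE_TOTAL}")
    return errors
```

The checks are ordered so that a missing field stops processing early, a malformed value is reported once rather than tripping every later check, and the reasonableness and limit checks only run on values that already passed the field and sign checks. The same function can be reused on the server side, where the checks actually matter, since anything validated only in the browser can be bypassed.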

In a Web-based sale system, there probably is no trail of paper documents to serve as an audit trail. Therefore, the company must capture all relevant data and maintain those data in a form that constitutes an audit trail. Logging transactions can help establish an audit trail in an electronic environment.
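One way to give an electronic sale the audit trail that the two preceding sections call for (transaction logging to counter repudiation, and a durable record in place of paper documents), as an added example rather than code from the textbook. Each logged transaction carries the card processor's authorization code and is chained to the previous entry with a keyed SHA-256 digest, so an altered, inserted or deleted record is detected on verification. The key, customer ids, order ids and timestamps are constructed placeholders. This gives a tamper-evident trail under the company's control; it does not replace a digital signature or certificate presented by the customer, which is what binds the customer to the transaction.

```python
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Hypothetical placeholder: in production this key lives in a secrets store, not in source.
LOG_KEY = b"example-log-key-not-for-production"
GENESIS_HASH = "0" * 64


def _entry_digest(prev_hash: str, entry: dict) -> str:
    """Keyed digest over the previous entry's hash plus a canonical (sorted-key) JSON
    rendering of this entry, so every record is bound to the one before it."""
    body = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(LOG_KEY, prev_hash.encode() + body, hashlib.sha256).hexdigest()


def append_transaction(log: list, customer_id: str, order_id: str, amount: float,
                       auth_code: str, timestamp: str) -> dict:
    """Record one completed sale in the audit trail, linked to the prior entry."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {
        "seq": len(log) + 1,
        "timestamp": timestamp,          # supplied by the caller (ISO 8601, UTC)
        "customer_id": customer_id,      # the authenticated customer account
        "order_id": order_id,
        "amount": round(amount, 2),
        "card_auth_code": auth_code,     # authorization returned by the card processor
        "prev_hash": prev_hash,
    }
    entry["hash"] = _entry_digest(prev_hash, entry)   # computed before "hash" is added
    log.append(entry)
    return entry


def verify_log(log: list) -> Tuple[bool, Optional[int]]:
    """Recompute the chain from the start. Returns (True, None) when every entry is
    intact, otherwise (False, seq) naming the first entry that fails."""
    prev_hash = GENESIS_HASH
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != prev_hash:
            return False, entry["seq"]            # a record was removed or inserted before this one
        if not hmac.compare_digest(_entry_digest(prev_hash, body), entry["hash"]):
            return False, entry["seq"]            # this record's contents were altered
        prev_hash = entry["hash"]
    return True, None


def demo() -> dict:
    """Build a two-entry trail with constructed sales, then alter one amount after the fact."""
    log = []
    append_transaction(log, "C1001", "ORD-5001", 249.99, "AUTH-1", "2024-01-05T10:00:00Z")
    append_transaction(log, "C1002", "ORD-5002", 19.50, "AUTH-2", "2024-01-05T10:05:00Z")
    intact, _ = verify_log(log)
    log[0]["amount"] = 24.99                    # simulated after-the-fact change
    still_intact, bad_seq = verify_log(log)
    return {"intact_before": intact, "intact_after": still_intact, "first_bad_seq": bad_seq}


if __name__ == "__main__":
    print(demo())
```

Two points matter for the control's value. The key means that someone who can write to the log file but does not hold the key cannot recompute the chain after editing a record; and because only the chain is checked, removal of the most recent entries is invisible unless the latest hash is also recorded somewhere outside the log (for example, in the daily close or sent to a separate system).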

Dynamically programmed websites that capture sales data can be considered the front end of the sales process. A company must develop a method to integrate the captured data into the back-end processes and applications. An example of a back-end process is one that actually pulls items from warehouses and ships them to customers. The data from the website must be either manually entered or integrated into these back-end processes. Controls must exist to ensure the accuracy of data as they are integrated across back-end processes. Such controls include reconciliations and verifications. Data can be totaled as they come from the website and retotaled after they are integrated into the back-end system. These two totals can be reconciled to make sure they agree.
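The reconciliation just described, as an added example that is not from the textbook: control totals are computed over the batch as the website captured it and again after integration, and any total that disagrees is reported. It goes slightly beyond the single financial total in the text by also keeping a record count and a hash total (a sum of customer ids that is meaningless as a figure but changes whenever a record is dropped, duplicated or altered), which is the usual set of batch controls. The two order batches are constructed; the back-end copy contains one transposed amount (120.00 keyed as 210.00) so the check has something to find.

```python
from decimal import Decimal

# Constructed sample batches. WEB_ORDERS is what the website captured; BACKEND_ORDERS is the
# same batch after integration, with one amount transposed (120.00 became 210.00).
WEB_ORDERS = [
    {"order_id": "ORD-5001", "customer_id": 1001, "amount": "249.99"},
    {"order_id": "ORD-5002", "customer_id": 1002, "amount": "120.00"},
    {"order_id": "ORD-5003", "customer_id": 1003, "amount": "19.50"},
]
BACKEND_ORDERS = [
    {"order_id": "ORD-5001", "customer_id": 1001, "amount": "249.99"},
    {"order_id": "ORD-5002", "customer_id": 1002, "amount": "210.00"},
    {"order_id": "ORD-5003", "customer_id": 1003, "amount": "19.50"},
]


def batch_totals(records: list) -> dict:
    """Compute the three classic batch control totals: a record count, a financial
    total of the amounts, and a hash total of the customer ids."""
    return {
        "record_count": len(records),
        "financial_total": sum((Decimal(r["amount"]) for r in records), Decimal("0")),
        "hash_total": sum(r["customer_id"] for r in records),
    }


def reconcile(front_end: dict, back_end: dict) -> dict:
    """Compare front-end and back-end control totals. Returns the totals that disagree,
    keyed by name and mapped to (front-end value, back-end value); empty when they agree."""
    return {name: (front_end[name], back_end[name])
            for name in front_end if front_end[name] != back_end[name]}


def find_mismatched_orders(web: list, backend: list) -> list:
    """Once the totals disagree, pinpoint the order ids that differ between the two
    batches (missing on one side, extra on the other, or altered in any field)."""
    web_by_id = {r["order_id"]: r for r in web}
    back_by_id = {r["order_id"]: r for r in backend}
    return sorted(oid for oid in set(web_by_id) | set(back_by_id)
                  if web_by_id.get(oid) != back_by_id.get(oid))


if __name__ == "__main__":
    diffs = reconcile(batch_totals(WEB_ORDERS), batch_totals(BACKEND_ORDERS))
    print("disagreeing totals:", diffs)
    print("orders to investigate:", find_mismatched_orders(WEB_ORDERS, BACKEND_ORDERS))
```

A transposition error changes only the financial total, so the record count and hash total still agree and point the investigation at the amount field; a dropped record changes all three. Amounts are kept as `Decimal` so that the totals reconcile exactly rather than drifting through floating-point rounding.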

AVAILABILITY RISKS

Any interruptions to the system can cause critical problems for companies that sell via e-commerce. Any time the website is unavailable to customers probably means lost sales. Therefore, the company should put controls in place to minimize service disruptions. These controls can include redundant systems, disaster recovery plans, testing of software changes, and capacity planning and testing. Redundancy is needed for servers, data, and networks.

A redundant server system requires maintaining one or more computers as extra, backup Web servers that can operate if the main server goes down. Data redundancy is usually accomplished by storing data in a RAID (redundant array of inexpensive disks). RAID storage maintains one or more disk drives that mirror each other. In this manner, one or more exact duplicates of the data are maintained. A backup network structure should be in place in case communication is lost through the regular network.

Disaster recovery plans must be in place to ensure uninterrupted customer access even through natural disasters such as fire, flood, or earthquake. The company must have plans to continue service when disasters occur.

As changes are made to the website or the underlying software to process sales, it is important that the changes be tested before they are implemented. If such changes are not tested, they may fail and disrupt operations.

Finally, managers must plan for sufficient capacity in the e-commerce system and servers to ensure that the system is not overwhelmed by the number of users accessing it. A slow or stalled website can result in lost sales. Managers should consistently monitor, test, and adjust the capacity of the system to meet its needs.
