Electronic Commerce and Auditing in Cyberspace

Douglas W. Barbin


What used to encompass just financial statement auditing has expanded to reports on internal control, information risk assessment, regulatory compliance auditing, and most recently, ethics and privacy auditing. As a result, accountants are no longer the only parties involved. Audits of today’s complex business environment require specially trained persons in fields ranging from computer technology to law enforcement to management science and philosophy. In the sixteenth century, “Auditing . . . was designed to verify the honesty of persons charged with fiscal responsibilities.” It is important to note that while the scope and methodology of the audit have changed, its principle and role in society have not.

Electronic commerce poses especially interesting and critical challenges for auditing. Such challenges include the issue of security and privacy within electronic commerce, public trust of security and privacy, assurance of security and privacy, and the interrelationships among the three. What can auditors do to provide integrity to the dynamic and uncertain environment of electronic commerce in the global marketplace? How can they tackle issues ranging from encryption to mandatory privacy standards for commerce, such as those established in the European Union?

The primary obstacle hindering electronic commerce is consumers, and specifically their confidence. The public is very much aware of the risks associated with electronic commerce and is extremely skeptical. Consumers need reasonable assurance of the integrity of the systems. They are constantly exposed to stories in the media of hackers, cyber-terrorists, and violations of their privacy. The assurances of a company-provider are not good enough. An independent review by persons or a company with a trusted reputation, using their cumulative knowledge of the industry and relevant privacy standards, can provide reasonable assurance of the integrity of the system as a whole. The auditor (be it an accountant, a security specialist, a computer programmer, or an expert in privacy issues) must recognize the fluid environment in which the Internet exists. The auditor must be careful in establishing standards and benchmarks, for they could be outdated months later. An effective audit would involve continuous review of a company’s information systems and policies with respect to privacy and security, as well as compliance with any established codes. For instance, with the European Union’s privacy standards, it would be necessary to understand the rules of compliance while at the same time recognizing changes in legal interpretations and technological advances. It is important to view the audit less as a test and more as a race: a race to beat the very people and events threatening the business of electronic commerce.

Regardless of changes in scope and methodology, the objective of an audit comes down to providing integrity in a world of uncertainty. The use of an independent auditor in the field of electronic commerce can provide that integrity and boost consumer confidence within the global “Cyber”-market.

Note: Possible case studies could include the emergence of Information Systems Risk Management, Amazon.com, “Cyber”-Malls, and examples of multi-domestic and global companies expanding through cyber-space.