Internal Controls for E-Commerce
As e-commerce evolves, businesses must maintain internal controls that ensure the integrity of information and the security of assets. The basic rules still apply: the cost of controls should be evaluated against the benefits that accrue to the business. Electronic signatures, which often incorporate encryption technology, provide the basis for many controls viewed as necessary in an electronic environment. Techniques that use some form of public key encryption along with private key (symmetric) encryption appear to provide control of the risks of authentication, nonrepudiation, and security where risks are greatest. Other controls may be more appropriate for environments involving lesser risks.
The concepts of internal control are independent of any single technology, but the implementation of controls must embody changing technology. The Internet now allows business-critical information to be transmitted over an electronic medium. Often, documents require a signature that is reliable, verifiable, and binding on both parties. Many of the traditional risks of business are changing, and entities are expected to control those risks. Accountants and auditors recognize that the purposes of internal control are to
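The hybrid control described above, as an added example in Go (not code from the original article): the customer's public-key signature over an order record supplies authentication and nonrepudiation, and a symmetric session key keeps the signed record confidential in transit. The order format, the session key exchange, and the binding of public keys to customers (certificates) are assumed to be handled outside the snippet.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SignOrder: the customer signs with a private key only they hold, so a valid
// signature authenticates the approver and later proves who approved the order
// (nonrepudiation). A shared-key MAC cannot: either party could have made it.
func SignOrder(priv ed25519.PrivateKey, order []byte) []byte {
	return ed25519.Sign(priv, order)
}

// VerifyOrder: any holder of the public key can check the signature; any
// change to the order bytes makes it fail.
func VerifyOrder(pub ed25519.PublicKey, order, sig []byte) bool {
	return ed25519.Verify(pub, order, sig)
}

// Session is the symmetric (AES-GCM) side: it keeps the signed order
// confidential in transit under a shared session key of 16, 24 or 32 bytes.
type Session struct{ gcm cipher.AEAD }
func NewSession(key []byte) (*Session, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	return &Session{gcm}, err
}
// Seal encrypts; the random nonce is prefixed so Open can recover it.
func (s *Session) Seal(plaintext []byte) ([]byte, error) {
	nonce := make([]byte, s.gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return s.gcm.Seal(nonce, nonce, plaintext, nil), nil
}
// Open reverses Seal; a truncated or tampered message yields an error.
func (s *Session) Open(sealed []byte) ([]byte, error) {
	if n := s.gcm.NonceSize(); len(sealed) >= n {
		return s.gcm.Open(nil, sealed[:n], sealed[n:], nil)
	}
	return nil, errors.New("sealed message too short")
}
```

The merchant keeps the order bytes and the customer's signature together as its counterpart to the signed paper copy; the session key protects only the transmission and proves nothing about who approved the order.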
* provide cost-effective safeguards against unauthorized access to or use of assets,
* ensure that financial records and accounts are sufficiently reliable for reporting, and
* ascertain compliance with applicable laws and regulations.
The fundamental nature of internal control requires that controls are cost-effective, even though benefits can be difficult to quantify. Although matching the best control to the risk of loss is often difficult, cost/benefit imperatives remain important in designing and evaluating the control process.
Although e-commerce can encompass a wide range of electronic transactions, the expected growth in consumer online sales from $4.5 billion in 1998 to $35 billion in 2002 provides a benchmark (nearly 700%) of expected growth for the entire sector. As a sign of the government's position, on June 30, 2000, President Clinton signed the Electronic Signatures in Global and National Commerce Act, which provides that electronic records and related electronic signatures are not to be denied legal validity or enforceability merely because they are in electronic form.
Such explosive growth in electronic transactions will place a tremendous burden on control systems to assure the integrity of the transaction process. New risks have emerged, along with a demand for a reconsideration of available controls.
Conducting business in cyberspace entails the traditional risks of sales and contracting plus new risks unique to the electronic environment. Some risks result from the physical separation of customers from goods and services providers; other risks result from the lack of paper documentation. The following risks require closer consideration:
Authentication. Just as manual, handwritten signatures have traditionally proven authenticity, electronic signatures are used for the same purpose: to assure the approval of an authorized individual. Certain technologies used in electronic signatures can even offer higher levels of confidence than the handwritten signature; however, the further risks of nonrepudiation and security must also be addressed.
Nonrepudiation. It is imperative that neither party to a sale or contract can claim that the "agreement" is not what was agreed to. For example, the traditional contract law in the Statute of Frauds identifies situations in which a contract must be in writing to be enforceable. The common-law parol evidence rule provides that a written agreement dominates any preliminary, informal, or oral understanding. Although disputes can arise, the signed and dated copies of documents held by each party have traditionally provided evidence to judge the validity of conflicting claims. …