Business Risk, Internal Control, and Audit Implications of EDI
Weiner, Stanley, The CPA Journal
[Editor's Note: An extensive discussion of certain aspects of electronic data interchange (EDI) is included in this month's feature article "The IRS Regulatory Implications of Electronic Record Keeping" by Joseph Danos and Ram S. Sriram. It is accompanied by a sidebar by Mr. Weiner, which explains some of the basics of EDI. It is suggested readers familiarize themselves with the EDI concepts in the feature and the sidebar before proceeding with this article.]
In the past, EDI was limited to simply sending and receiving various messages. However, within the past few years, trading partners have allowed each other access to internal records such as sales and inventory information. This allows the selling partner to monitor stock usage and provide just-in-time inventory techniques. The customer, in effect, is permitting the selling partner to ship goods based upon a predefined agreement. To protect both parties, it is important that any agreement be codified legally in what is known as a "trading partner agreement." A trading partner agreement normally includes the following major elements:
* Transaction standards. This defines business transactions that will be conducted between trading partners. This also includes any restrictions, such as a limitation on the dollar amount of a particular type of transaction.
* Message standards. This stipulates the form and content of messages. These will normally be ANSI ASC-X12 within the U.S.
* Security standards. Sensitive data is often transmitted. Consideration will have to be given as to how such information will be protected. Other issues, such as authentication and data integrity, will also have to be resolved.
* Data storage standards. Trading partners will also have to agree upon the storage of sensitive data and the method and time frame of data retention.
* Accountability--outlines the obligations of the trading partners.
* Standard of care--degree of diligence to be used by each trading partner.
* Force majeure--unexpected or unanticipated events.
* Message validation and error-check procedures.
* Security control--use of encryption, if required.
* Trade terms and conditions.
* Confidentiality--protection of proprietary information.
* Arbitration and dispute resolution.
* Governing law of the agreement.
EDI presents varied and challenging legal issues. Attorneys will have to have experience in data processing and will have to interact with both accountants and technical data processing personnel.
Accounting Issues Related to the Use of the Internet of
Many companies may evaluate the use of the Internet for the communication of transactions. At the present time, this should be avoided. The Internet is an unregulated environment and presents many dangers. The majority of computer crimes occur on the Internet. Furthermore, use of the Internet in many instances will eliminate the buffer that a value-added network provides. This means that unauthorized parties would have the opportunity to provide adequate audit trails and controls for the accountant to utilize. The Internet utilizes many networks. In certain instances, the efficiency and reliability of such networks are questionable.
Although EDI offers significant opportunities, it also has a number of business risks. Both financial managers and accountants should be aware of these risks to take appropriate action to minimize them during system planning and implementation. Some of the risks to be dealt with are the following:
Loss of Business Continuity. Corruption of EDI applications, whether done innocently or deliberately, could affect every EDI transaction undertaken by a company. This would have a negative impact on both customer and vendor relations. In an extreme situation, it could ultimately affect the ability of a company to stay in business. …