Audit Implications of EDI
Reimel, J. Christopher. Infotech Update. New York: Fall 1992. Vol. 2, Iss. 1; pg. 1

Abstract (Summary)
The avoidance of paper and the lack of human intervention are 2 of the most attractive advantages of electronic data interchange (EDI) for many organizations. Another advantage is that there is no need to rekey data for order entry and subsequent processing. Perhaps the most compelling reason to implement EDI is that large customers are requiring their vendors to implement it or risk losing them as customers. All of these factors are powerful incentives for audit clients to adopt EDI. When an auditor first encounters a client who has changed to EDI for all or part of its customer base, there are many issues that have a bearing on the consideration of the internal control structure. These issues are: 1. lack of a paper trail, 2. lack of document review, 3. large sales to few customers, 4. uncontrolled program changes, and 5. fraud more difficult to detect. The auditor should also be aware of the differences between EDI audit and an audit of a traditional computerized client.

Electronic data interchange (EDI) is the electronic transmission of business documents in a standard format. Data or information is transmitted electronically over telephone lines or using microwave signals from the sender's computer to the receiver's computer without human intervention.

The most common form of business transaction using EDI is the purchase and sale of a product. At the beginning of the business year, the buyer and seller enter into a written agreement that specifies the general terms of the sales contract. Price may be specified but volume generally is not. An order is initiated when information is transmitted from the buyer's computer to the seller's computer. The order is completed without a paper document being generated and involves no further human intervention.

The avoidance of paper and the lack of human intervention are two of the most attractive advantages of EDI for many organizations. Another advantage is that there is no need to rekey data for order entry and subsequent processing, thus eliminating the costs of labor as well as error detection and correction. According to one source, 70 percent of all computer-generated paper is rekeyed into another computer system. Perhaps the most compelling reason to implement EDI is that large customers are requiring their vendors to implement it or risk losing them as customers. All of these factors are powerful incentives for audit clients to adopt EDI. Thus, the auditor should gain an understanding of EDI and its audit implications.

AUDIT IMPLICATIONS

When an auditor first encounters a client who has changed to EDI for all or part of its customer base, there are many issues that have a bearing on his or her consideration of the internal control structure and the nature, timing, and extent of substantive testing. The following are some of the potential issues:

1. lack of a paper trail or at least a diminished paper trail

2. lack of document review by clerical and management personnel

3. a large number of sales potentially concentrated among a small number of customers

4. uncontrolled program changes being made to the system

5. fraud being more difficult to detect.

LACK OF PAPER TRAIL

Auditors are familiar with paper documents and plan their audits after obtaining an understanding of the internal control structure. The EDI audit information that the auditor needs will be contained in the client's computer files and not in paper reports. Some clients will print special reports at the auditor's request. Other clients will resist these requests for special reports because of time constraints, other projects, or lean staffing throughout the organization.

Some audit clients will use a value-added network (VAN) to transmit their data. The function of the VAN is to accumulate and store the transmissions. The auditor may wish to inquire about the controls that exist to ensure that the data that has been transmitted has been correctly received. VANs store information about the transmissions in transmission logs and error files. However, this information is only stored in the error files for a short period of time, until the erroneous transmission problem has been resolved and the data has been retransmitted. It is the client's responsibility to ensure that the proper controls are established, whether these controls are in their own application systems, in the VAN, or in a combination of both. The client's system must detect and correct any erroneous transmissions before the VAN deletes the data. The auditor may wish to review and test the controls to determine that this is indeed taking place. The client should retain data files and reports that prove that the data transmissions are correct.

The auditor may need to obtain the necessary audit information directly from the client's computer files. Computer programming languages, such as Easytrieve Plus, SAS, and Focus, are examples of tools that will solve this problem. The auditor must be proficient with these tools or contract with persons who are skilled in this area.

LACK OF DOCUMENT REVIEW

Internal controls are management's responsibility. Reviewing documents has been a control that management has used to determine that a system is functioning as intended. EDI systems have the ability to substitute automated controls for manual controls. Automated controls can prevent errors from occurring. While all automated systems have the ability to run automated controls, it is management's responsibility to design, implement, and test these controls. Controls do not implement themselves. They must be implemented by management. The auditor must remember that the controls are implemented in the application systems that are using EDI and not in EDI itself.

Microcomputer flowcharting packages, such as Easyflow and Flowcharting 3, are examples of tools that will aid the auditor with the documenting of the EDI system and the controls associated with the systems using EDI.

LARGE SALES TO FEW CUSTOMERS

One of the major advantages of EDI for the seller is that buyers select one or two vendors for a product or line of related products. Thus, sellers can achieve efficiencies by selling and shipping large quantities of goods to a small number of buyers. As a result, a large amount of receivables may be concentrated within a relatively small number of customers. If electronic funds transfer (EFT) is used for daily payments to the seller, the amount of receivables may be small, possibly only one or two days' worth of receivables.

If a large amount of sales is concentrated among a small number of customers, it may be cost-effective to confirm 100 percent of the receivable balance. A 100 percent confirmation of receivables may still be a small number of confirmations, possibly less than 50.

If one of the major customers ceases to do business with the audit client, the auditor may conclude that substantial doubt exists about the entity's ability to continue as a going concern.

UNCONTROLLED PROGRAM CHANGES

Uncontrolled changes can cause many major problems to any computer system. Uncontrolled changes can be disastrous to systems using EDI because of the lack of a paper trail and the lack of document review by management. The same features that make EDI attractive because of increased efficiencies make EDI an audit concern if management has not instituted effective controls over the entire EDI application system. Auditors may want to determine that changes have been authorized by management and that a paper trail of these changes exists and has been examined by management. If there is evidence that uncontrolled changes have occurred, the auditor may wish to note that fact in the management letter and remind management that uncontrolled changes cause uncontrolled data, which results in incorrect financial information.

The audit plans of clients with EDI will most likely show a distinct shift from substantive testing to testing of controls. This testing could be as simple as footing an EDI file or as complex as performing calculations on every attribute in the EDI file.

FRAUD

As sales orders are received electronically, errors in classification, transposition, and coding are reduced or eliminated. The EDI system performs much of the work that clerical personnel had previously performed and had sometimes performed erroneously. However, unauthorized and fraudulent changes can be made so that goods are shipped to a location other than the authorized one. Prices can be changed and the excess funds diverted to unauthorized bank accounts. These changes can be quickly reversed after only one day's shipments or after only one shipment has been diverted. The detection of these acts can be difficult for an auditor. Therefore, access to the EDI system by employees should be strictly controlled and monitored by management. It is likely that the auditor will want to perform tests of such controls.
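The two exposures named above (a ship-to location that is not the customer's authorized one, and a unit price that departs from the contract) are exactly the attributes an auditor can test across every record of the EDI order file once the data has been extracted. The following is an added example, not code from the article or from any product it names; the field layout, the reference data and the 0.5 percent price tolerance are all assumptions constructed for the illustration. It flags each exception and summarizes them by the user id that approved the transaction, which is the identifying information the article later recommends every EDI transaction carry.

```python
from collections import Counter
from decimal import Decimal

# Constructed reference data the auditor would obtain from the client (hypothetical values):
# authorised ship-to locations per customer and the contract unit price per item.
AUTHORISED_SHIP_TO = {
    "C100": {"WH-NJ-01", "WH-NJ-02"},
    "C200": {"WH-PA-07"},
}
CONTRACT_PRICE = {
    "ITEM-A": Decimal("12.00"),
    "ITEM-B": Decimal("17.50"),
}
PRICE_TOLERANCE = Decimal("0.005")   # assumed 0.5% rounding tolerance before a price is flagged

# Constructed extract of sales-order transactions from the client's EDI order file (not real data).
ORDERS = [
    {"po": "PO7001", "customer": "C100", "item": "ITEM-A", "qty": 100,
     "unit_price": Decimal("12.00"), "ship_to": "WH-NJ-01", "approver": "U0042"},
    {"po": "PO7002", "customer": "C100", "item": "ITEM-B", "qty": 40,
     "unit_price": Decimal("17.50"), "ship_to": "WH-XX-99", "approver": "U0042"},  # location not on the list
    {"po": "PO7003", "customer": "C200", "item": "ITEM-A", "qty": 10,
     "unit_price": Decimal("21.00"), "ship_to": "WH-PA-07", "approver": "U0017"},  # price differs from contract
    {"po": "PO7004", "customer": "C200", "item": "ITEM-B", "qty": 5,
     "unit_price": Decimal("17.50"), "ship_to": "WH-PA-07", "approver": "U0017"},
]


def audit_orders(orders, authorised_ship_to, contract_price, tolerance=PRICE_TOLERANCE):
    """Run the two attribute tests over every order.
    Returns one finding per exception: (po, test name, offending value, approver)."""
    findings = []
    for o in orders:
        # Test 1: the ship-to location must be one the customer has authorised.
        allowed = authorised_ship_to.get(o["customer"], set())
        if o["ship_to"] not in allowed:
            findings.append((o["po"], "ship_to_not_authorised", o["ship_to"], o["approver"]))
        # Test 2: the unit price must agree with the contract price within tolerance.
        contract = contract_price.get(o["item"])
        if contract is None:
            findings.append((o["po"], "item_not_on_contract", o["item"], o["approver"]))
        elif abs(o["unit_price"] - contract) > contract * tolerance:
            findings.append((o["po"], "price_off_contract", o["unit_price"], o["approver"]))
    return findings


def exceptions_by_approver(findings):
    """Count exceptions per approving user id, so the auditor can see whether they
    cluster around one person's access rather than being spread across many users."""
    return Counter(f[3] for f in findings)


if __name__ == "__main__":
    found = audit_orders(ORDERS, AUTHORISED_SHIP_TO, CONTRACT_PRICE)
    for po, test, value, approver in found:
        print(f"{po}: {test} ({value}) approved by {approver}")
    print("exceptions by approver:", dict(exceptions_by_approver(found)))
```

Because a fraudulent change may be reversed after a single shipment, the test is run over the full transaction history rather than a point-in-time master file; the one-off location in PO7002 would not appear in today's order file at all.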

We have read about the increase in the number of fraudulent tax returns filed electronically. As EDI becomes more prevalent, we can expect the number of frauds committed using EDI to increase. This will be especially true where organizations have adopted both EDI and downsizing or lean staffing.

BUYER AND SELLER CONTROLS

Controls must be established in both the buyer and seller's computer system to ensure that all of the data that has been transmitted has been received. Hash totals, record counts, dollar totals, and bit totals can be used to ensure integrity of data. An EDI transaction should have the same identifying information that a paper document has: for example, the vendor number, the purchase order number, the time, the date, the computer identification number of the person approving the transaction, and any other identifying characteristics used by management that uniquely identify the transaction.
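The control totals listed above (record counts, dollar totals, hash totals) work because sender and receiver compute the same figures independently over the batch each of them holds and then compare. The following is an added example, not code from the article; the pipe-delimited record layout and the sample batch are constructed for the illustration, and the SHA-256 digest is a modern supplement that the 1992 text does not mention. The classic hash total here is the sum of the numeric part of the PO numbers, a figure that means nothing in itself but changes if any identifier is altered or a record is lost.

```python
import hashlib
from dataclasses import dataclass
from decimal import Decimal

# Constructed sample batch of EDI purchase-order records (not real data).
# Assumed field layout: vendor number | PO number | date | approver's user id | quantity | extended amount
SENT_BATCH = [
    "VN1001|PO500123|19920915|U0042|120|1440.00",
    "VN1001|PO500124|19920915|U0042|35|612.50",
    "VN1001|PO500125|19920916|U0017|8|199.92",
    "VN1001|PO500126|19920916|U0042|500|7500.00",
]


@dataclass(frozen=True)
class ControlTotals:
    record_count: int       # number of records in the batch
    dollar_total: Decimal   # sum of the extended-amount field
    hash_total: int         # sum of the numeric part of the PO numbers; meaningless value, used only for comparison
    digest: str             # SHA-256 over the canonical batch bytes (modern supplement to the classic totals)


def compute_control_totals(records):
    """Sender and receiver both run this over the batch they hold."""
    count = 0
    dollars = Decimal("0")
    hash_total = 0
    h = hashlib.sha256()
    for rec in records:
        _vendor, po, _date, _approver, _qty, amount = rec.split("|")
        if not po.startswith("PO") or not po[2:].isdigit():
            raise ValueError(f"malformed PO number: {po!r}")
        count += 1
        dollars += Decimal(amount)          # Decimal avoids binary rounding in money totals
        hash_total += int(po[2:])
        h.update(rec.encode("utf-8") + b"\n")
    return ControlTotals(count, dollars, hash_total, h.hexdigest())


def verify_batch(sent_totals, received_records):
    """Receiver-side check: recompute the totals and list every control that disagrees.
    Returns a list of (control name, sent value, received value); empty means the batch reconciles."""
    got = compute_control_totals(received_records)
    exceptions = []
    for name in ("record_count", "dollar_total", "hash_total", "digest"):
        sent_value, got_value = getattr(sent_totals, name), getattr(got, name)
        if sent_value != got_value:
            exceptions.append((name, sent_value, got_value))
    return exceptions


if __name__ == "__main__":
    totals = compute_control_totals(SENT_BATCH)        # transmitted alongside the batch
    print("clean batch:", verify_batch(totals, SENT_BATCH))
    dropped = SENT_BATCH[:-1]                           # one record lost in transmission
    print("dropped record:", [e[0] for e in verify_batch(totals, dropped)])
    altered = list(SENT_BATCH)                          # amount transposed 1440.00 -> 1404.00
    altered[0] = altered[0].replace("1440.00", "1404.00")
    print("altered amount:", [e[0] for e in verify_batch(totals, altered)])
```

Each control catches a different failure: a dropped record moves all four totals, a transposed amount moves only the dollar total (and the digest), and a mangled PO number moves only the hash total (and the digest). Batches whose totals disagree are the ones the client must hold in its own error file until they are resolved, independently of how long the VAN keeps them.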

Organizations that use EDI also may use EFT to complete the purchasing cycle. The buyer may electronically transfer the funds to the seller's bank account. Therefore, there may be a relatively small number of fund transfer transactions involving large dollar amounts (monthly payments) or a large number of fund transfer transactions involving small dollar amounts (daily payments). Although not required by GAAS, the auditor may want to consider reviewing all electronic cash transfers rather than a statistical sample, if monthly payments are made.

DIFFERENCES BETWEEN EDI CLIENTS AND TRADITIONAL AUTOMATION CLIENTS

The auditor should be aware of the differences between an EDI audit and an audit of a traditional computerized client. The following are some of the differences:

a. EDI works in a seamless environment while the traditional audit environment has boundaries between the audit client and other parties to the transactions. As a result of these boundaries, documents are produced as evidence of the transaction. These documents include purchase orders, receiving reports, payments, and deposit slips. In an EDI environment, transactions flow from one party to another with little or no evidence that the transaction has occurred.

b. In an EDI environment, data security and controls encompass protection of data that has physically left the organization and is en route to the other parties to the transaction. The data that is being sent must be secured, protected, and controlled against technical mishaps and deliberate sabotage and theft. EDI information is extremely valuable to a client's competitors. Some audit clients will be relying on an EDI practice known as "DIAL, DUMP, AND PRAY." This means that the client initiates the transaction (DIAL), sends the data (DUMP), and has little or no controls in place that assure them that the data has been received accurately (PRAY).

c. To evaluate EDI audit evidence that is in an electronic format only will require the auditor to use programming languages and data extraction tools that were not necessary in a traditional computerized audit environment. The practice of auditing around the computer may no longer be applicable in many EDI environments.

d. In an EDI environment, electronic completeness and electronic approvals may not be as self-evident as in the traditional computerized audit environment. This approval and completeness may be indecipherable, undistinguishable, or nonexistent.

EDI may not be an option for clients that want to continue in business. Their customers may deliver an ultimatum: become an EDI vendor or lose our business. Likewise, audit clients that have implemented EDI may deliver an ultimatum to their auditor: acquire the skills to audit EDI systems or lose our business.

BUILDING RESPECT FOR TECHNOLOGY ISSUES

Auditors need to be aware of the risks that technology implementation can create, while simultaneously seeing the potential for client service opportunities. Michael Harnish, partner at Crowe, Chizek & Company in Oak Brook, Illinois, and chairman of the AICPA's Information Technology Executive Committee relates a technology-based story about a client that charged forward based on a misunderstanding of how a new system worked, and how an audit team was able to help them to see their error.

The client, newly using EDI, interacted with a public warehouse through a third-party VAN that facilitated EDI communication. The client was relying on what they thought was a confirmation indication on the screen of their newly installed EDI system to be assured that the EDI orders were correct, properly placed, accepted, and processed. Unfortunately, it was found that some orders were either being missed or not being processed in a timely way. Further investigation revealed that the "confirmation" they were relying on only meant that the third party (VAN) had received the order. It was not a warehouse confirmation. In reality, the public warehouse did not interact with the EDI system on the prescribed basis. Orders were routinely being missed and therefore shipments not being made.

As it turned out, there was a simple solution. The use of several reports available on the EDI system--showing third party drop-out transactions--and an EDI acknowledgment transaction from the warehouse are now used by the client to confirm receipt and follow up on problems. The client has gained a newfound respect for the need to have in-house knowledge of the EDI technology that is becoming increasingly important to their business. The audit team was able to help the client sharpen their EDI understanding, and more effectively manage their new technology implementation. "The solution to the problem was not particularly complicated," adds Mike, "but the implications due to the lack of complete understanding of EDI were certainly damaging and would have gotten worse over time."
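The fix in this story, and the cure for the "DIAL, DUMP, AND PRAY" practice described under the differences between EDI and traditional clients, is the same reconciliation: match every transmitted order against the VAN's receipt and against the trading partner's own acknowledgment, and treat anything that stops short of the partner's acceptance as an open item. The following is an added example of that reconciliation, not code from the article or from the client's EDI system; the three log extracts, the PO numbers, the status values and the 24-hour acknowledgment deadline are all constructed assumptions.

```python
from datetime import datetime, timedelta

TIME_FMT = "%Y-%m-%d %H:%M"
ACK_DEADLINE = timedelta(hours=24)   # assumed partner agreement: acknowledge within one day

# Constructed extracts (hypothetical data, not from any real system).
SENT = {                                  # client's outbound log: PO number -> transmission time
    "PO8001": "1992-09-15 09:02",
    "PO8002": "1992-09-15 09:03",
    "PO8003": "1992-09-15 09:04",
    "PO8004": "1992-09-15 09:05",
    "PO8005": "1992-09-16 08:30",
}
VAN_RECEIPTS = {"PO8001", "PO8002", "PO8003", "PO8004", "PO8005"}   # the VAN's "received" indication only
WAREHOUSE_ACKS = {                        # trading partner's acknowledgment transactions with status
    "PO8001": "ACCEPTED",
    "PO8002": "REJECTED",                 # failed the partner's edits; needs correction and retransmission
    "PO8004": "ACCEPTED",                 # PO8003 never acknowledged; PO8005 only just sent
    "PO8099": "ACCEPTED",                 # acknowledgment for a PO the client never sent
}


def reconcile(sent, van_receipts, partner_acks, now, deadline=ACK_DEADLINE):
    """Classify every transmitted PO by how far it is known to have travelled.
    `now` is a timestamp string in TIME_FMT; the report buckets are lists of PO numbers."""
    now_time = datetime.strptime(now, TIME_FMT)
    report = {"complete": [], "rejected": [], "pending": [], "dropped": [],
              "van_missing": [], "unsolicited": []}
    for po, sent_at in sorted(sent.items()):
        if po not in van_receipts:
            report["van_missing"].append(po)          # never reached the network at all
            continue
        status = partner_acks.get(po)
        if status == "ACCEPTED":
            report["complete"].append(po)             # the only state that means the order will ship
        elif status is None:
            age = now_time - datetime.strptime(sent_at, TIME_FMT)
            # Received by the VAN but never acknowledged by the partner: the "drop-out" case.
            report["dropped" if age > deadline else "pending"].append(po)
        else:
            report["rejected"].append(po)             # partner saw it and refused it
    # Acknowledgments with no matching transmission deserve follow-up too.
    report["unsolicited"] = sorted(set(partner_acks) - set(sent))
    return report


if __name__ == "__main__":
    for bucket, pos in reconcile(SENT, VAN_RECEIPTS, WAREHOUSE_ACKS, "1992-09-16 10:00").items():
        print(f"{bucket:12s} {pos}")
```

Run daily, the "dropped" and "rejected" buckets are the follow-up list the client in the story now works from; the VAN receipt alone would have shown every one of these orders as confirmed.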

J. Christopher Reimel is chief of Information Systems Audit with the New Jersey Department of Labor. He is also a member of the Information Technology Research Subcommittee. In this article, Reimel discusses how to audit clients that are using EDI. This is the second in a series of articles on EDI. The first article, "So Your Client Is Going To EDI," appeared in the spring issue of InfoTech Update.
