An audit approach of the information systems auditor in an electronic commerce environment with emphasis on internet payment security

Bezuidenhout, Pieter Stefan

22 August 2005

Electronic Commerce (EC) is a growing business option and due to the “openness” of the underlying technologies used for EC, introduces new risks and new technologies that require sophisticated and sometimes very technical controls to be implemented. The role of the IS auditors is to ensure that they are technically competent to understand the impact of new technologies on the control environment and at the same time IS auditors need to be able to communicate the audit results to non-technical management. In this study the following framework, supported by detailed information and procedures for each step, is provided to assist the IS auditor to formulate an appropriate audit approach for an EC payment security audit: <ul> <li>-- Gathering of background information related to EC payment security.</li> <li>-- Highlighting the risks in this environment.</li> <li>-- Identifying possible controls that will minimise the risks.</li> <li>-- Attending to various audit considerations that should be addressed by the IS auditor (these considerations are based on the underlying technologies, general controls, and ED-specific issues e.g., PKI, digital certificates, etc.</li> </ul> The study highlighted the fact that the IS auditors should understand that they can not be experts in all the different technologies related to EC payment security. They should, however, equip themselves with the knowledge to understand the risks involved with new technologies and they should have a sufficiently in depth background exposure to technology to understand the controls required to address the risks. Results of previous audit procedures also play a significant role in shaping the IS auditor’s approach when auditing in an EC payment security environment. This thesis provides the IS auditor with a holistic approach to an EC payment security audit. After considering and implementing the elements of the framework developed in this study in an EC payment security audit, the IS auditor has to perform the actual audit tests, evaluate the results, and report the finding. Detailed audit considerations have also been provided to assist the IS auditor in collecting information and in developing an audit program. Copyright 2002, University of Pretoria. All rights reserved. The copyright in this work vests in the University of Pretoria. No part of this work may be reproduced or transmitted in any form or by any means, without the prior written permission of the University of Pretoria. Please cite as follows: Bezuidenhout, PS 2002, An audit approach of the information systems auditor in an electronic commerce environment with emphasis on internet payment security, MCom dissertation, University of Pretoria, Pretoria, viewed yymmdd < http://upetd.up.ac.za/thesis/available/etd-08222005-120314/ > / Dissertation (MCom (Computer Auditing))--University of Pretoria, 2006. / Auditing / unrestricted

Electronic commerce security measures

Electronic commerce auditing

UCTD

Validity and accuracy issues in electronic commerce with specific reference to VPN's

13 August 2012

M.Comm. / Business have traditionally relied on private leased lines to link remote office together so that distant workers could share information over a Wide Area Network (WAN). However, while providing a high degree of privacy, leased lines are expensive to set up and maintain. The Internet is fast becoming a requirement for supporting business operations in the global economy. The major concern in using a public network, like the Internet, for data exchange is the lack of security. The Internet was designed to be an "open" network, accessible to anyone with low or none security consideration. Virtual Private Networks (VPN) using Point-to-Point Tunneling Protocol (PPTP) has emerged as a relatively inexpensive way to solve this problem. The primary objective of this dissertation is to evaluate validity and accuracy issues in electronic commerce using VPN as a secure medium for data communication and transport over the Internet. The inherent control features of PPTP were mapped to data communication control objectives and the control models show how these address validity, completeness and accuracy. After analysing and evaluating the inherent control features of PPTP, the overall result is that: PPTP enables a valid communication link to be established with restricted access (validity); the PPTP communication link remains private for the full time of the connection (validity); data can be sent accurately and completely over the PPTP connection and remains accurate during transmission (accuracy); and all data sent is completely received by the receiver (accuracy). By deploying a Point-to-Point Tunneling Protocol for virtual private networking, management can mitigate the risk of transmitting private company and business data over the Internet. The PPTP analysis and evaluation models developed intend to give the auditor a control framework to apply in practice. If the auditor needs to perform a data communication review and finds that a virtual private network has been established using PPTP, the control models can assist in providing knowledge and audit evidence regarding validity and accuracy issues. The auditor should however, not review PPTP in isolation. Validity and accuracy control features inherent to TCP/IP and PPP should also be considered as well as controls on higher levels, e.g. built-in application controls.

Electronic commerce-Security measures.

Extranets (Computer networks)

Electronic commerce-Auditing.

Virtual Private Networks

Point-to-Point Tunneling Protocol