Audit trails in an e-commerce environment

Upload: arfianty-reka

Post on 04-Jun-2018

8/13/2019 Audit Trails in an E-Commerce Environment 1/3

Audit Trails in an E-commerce Environment

To compete, companies must make it easier for their employees, customers and providers to share vital business information in real time and to access services, products and information in the highly competitive global business environment. That said, e-commerce was created to solve that problem.

E-commerce is the use of technology to interact with partners or customers in the Internet world. For example, a bank calls this integration e-banking.

To compete, companies must demonstrate integrity, confidentiality, efficiency, effectiveness and availability to all the participants in the e-commerce environment. For that reason, audit trails that are used in a manner that does not promote company objectives, utilize their benefits effectively, ensure availability or show integrity could have a material effect on the goals of the organization.

Whether in an office, factory, school, home or retail shop, an organization can benefit from e-commerce--anytime, anywhere.

Some believe that the audit trails in e-commerce are generated at the end of the total process, with customer and product information. This is incorrect. Audit trails are generated by a variety of systems and equipment. For example, every customer or partner who enters the organization's network with a user ID and password is logged, and these types of transactions must be recorded for later control.

Definitions

Log: Log in or log on, to gain access to a secured computer system or online service by keying in personal identification information. Log off or log out, to terminate a session on such a system or service.

Journal: Double-entry bookkeeping. A book into which all transactions are entered before being posted into the ledger.

Audit trail 1: A set of transactions from initial customer contact through completion of the sale and delivery of the product or service, including complaints and inquiries.

Audit trail 2: A set of transactions that reflects all changes made to a database (customers, products, prices, etc.), a network parameter, network traffic, security table(s), operating system(s), undesired events and alarms.

Audit Trail

Transactions that are sent or received over external and/or internal networks have integrity and confidentiality categorized as "high." A log must be kept and special attention should be given to these kinds of messages because they usually are the core of the business.

An organization should log the customer's transaction from its initiation through collection of the receipt and delivery of the product. Additionally, the organization should keep the security administrator's log, because the administrator has the option to assign processing functions assessed as highly confidential, high integrity or high availability to employees. Furthermore, these tasks should be logged in addition to the compensating controls implemented (e.g., dual control).

Without a good audit trail, the organization may have difficulty dealing with customer inquiries, questions about the delivery of service, audit investigations, etc., particularly for older transactions. It would be disappointing to a customer if, following the delivery of the purchased goods or service, the organization could not answer a question or complaint because its system could not provide enough useful information.

Functions of an Audit Trail (source: FFIEC, pages 12-29)

An audit trail should be kept to:

- Allow an auditor to follow the history of a transaction
- Permit recovery when it is found that a user has incorrectly updated or deleted a record
- Investigate the causes when a record is found to be erroneous
- Assist recovery from massive file destruction
- Assist in correcting the file where data damage is program-caused
- Correct false information that has been sent to system users
- Monitor procedural violations to highlight possible breaches of security
- Assist in correct recovery from a system failure
- Monitor the way the system is being used (as an aid to design)
- Recover from the loss of a file-action journal

See Figure 1.


Audit Trail in an E-commerce Environment

The aim of table 1 is to illustrate potential audit trails. Please refer to the graph numbers of the first column with figure 2.

Audit Process

Many logs and/or journals need to be reviewed in an IT audit of e-commerce. Therefore, the following is a possible audit process to set the audit strategy:

1. Interview appropriate management and staff to gain an understanding of business, organization, roles, policies, laws and management reporting, and to define audit scope.
2. Identify information requirements relevant for the business process.
3. Identify inherent IT risks and the overall level of control. A commonly accepted approach for risk analysis in IT is COBIT 3rd Edition.
4. Select processes and platforms to audit. Set the audit strategy.

The risk assessment performed should indicate where and what monitoring needs to be done by the people involved in the security area. Examples may include:

- Failed access attempts
- Incorrect value assigned to data
- Attempts to change restricted data
- Excessive use of certain data
- Invalid entries in event logs

The use of computer-assisted audit techniques (CAATs) to assess the safeguarding, integrity, effectiveness and efficiency objectives of audit trails is also recommended (definitions/explanation of these objectives are shown in COBIT 3rd Edition, page 14). Auditors who have used CAATs have found the application of these tools to be widespread, flexible and comprehensive. The use of CAATs allows for the complete analysis of audit trails, focusing testing on the subsets that show errors or irregularities and presenting them to managers and/or clients in a new format (file or paper).
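The five monitoring examples listed above and the CAAT approach of isolating the records that show errors or irregularities can be run as a script over a log extract. The Python below is an added example, not code from the article or from any of the cited sources: it parses a constructed sample audit trail, flags records in each of the five categories and returns the irregular subset an auditor would present to management. The record grammar, the thresholds, the restricted-table and authorised-user sets and the field validation rules are all assumptions made for this example; a real programme would take them from the risk assessment.

```python
import re
from collections import Counter, defaultdict

# Record grammar assumed for this example: ISO-8601 timestamp followed by key=value pairs.
RECORD_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<kv>\w+=\S+(?: \w+=\S+)*)$"
)

# Review policy; these values are assumptions standing in for the risk assessment's output.
FAILED_LOGIN_THRESHOLD = 3                      # failed logins per user before flagging
EXCESSIVE_READ_THRESHOLD = 5                    # reads of one table per user before flagging
RESTRICTED_TABLES = {"price_list", "security_table"}
AUTHORISED_FOR_RESTRICTED = {"secadmin"}
FIELD_RULES = {                                 # field -> predicate on the raw value string
    "qty": lambda v: v.isdigit(),                                             # non-negative integer
    "price": lambda v: re.fullmatch(r"\d+(?:\.\d+)?", v) is not None and float(v) > 0,
}

# Constructed sample trail for the example (not taken from the article); one record per line.
SAMPLE_TRAIL = """\
2002-03-04T09:00:01 user=alice event=login result=ok
2002-03-04T09:00:05 user=mallory event=login result=fail
2002-03-04T09:00:09 user=mallory event=login result=fail
2002-03-04T09:00:13 user=mallory event=login result=fail
2002-03-04T09:00:17 user=mallory event=login result=fail
2002-03-04T09:01:00 user=alice event=update table=orders field=qty value=3
2002-03-04T09:01:30 user=alice event=update table=orders field=qty value=-5
2002-03-04T09:02:00 user=bob event=update table=price_list field=price value=9.99
2002-03-04T09:02:05 user=secadmin event=update table=price_list field=price value=0
2002-03-04T09:03:00 user=bob event=read table=customers
2002-03-04T09:03:01 user=bob event=read table=customers
2002-03-04T09:03:02 user=bob event=read table=customers
2002-03-04T09:03:03 user=bob event=read table=customers
2002-03-04T09:03:04 user=bob event=read table=customers
2002-03-04T09:05:00 corrupted record ##%%
"""


def parse_record(line):
    """Return the record as a dict, or None when the line does not match the grammar."""
    match = RECORD_RE.match(line)
    if match is None:
        return None
    record = {"ts": match.group("ts")}
    for pair in match.group("kv").split(" "):
        key, _, value = pair.partition("=")
        record[key] = value
    return record


def review_trail(text):
    """Map each monitoring category to the 1-based line numbers it flags."""
    findings = defaultdict(list)
    failed_logins = Counter()
    reads = Counter()
    for number, line in enumerate(text.splitlines(), start=1):
        record = parse_record(line)
        if record is None:
            findings["invalid entries in event logs"].append(number)
            continue
        user, event = record.get("user"), record.get("event")
        if event == "login" and record.get("result") == "fail":
            failed_logins[user] += 1
            if failed_logins[user] == FAILED_LOGIN_THRESHOLD:      # flag once, at the threshold
                findings["failed access attempts"].append(number)
        elif event == "update":
            rule = FIELD_RULES.get(record.get("field"))
            if rule is not None and not rule(record.get("value", "")):
                findings["incorrect value assigned to data"].append(number)
            if record.get("table") in RESTRICTED_TABLES and user not in AUTHORISED_FOR_RESTRICTED:
                findings["attempts to change restricted data"].append(number)
        elif event == "read":
            key = (user, record.get("table"))
            reads[key] += 1
            if reads[key] == EXCESSIVE_READ_THRESHOLD:
                findings["excessive use of certain data"].append(number)
    return dict(findings)


def irregular_subset(text, findings):
    """The records a CAAT would pull out for management: only lines with at least one finding."""
    lines = text.splitlines()
    flagged = sorted({n for numbers in findings.values() for n in numbers})
    return [(n, lines[n - 1]) for n in flagged]


if __name__ == "__main__":
    result = review_trail(SAMPLE_TRAIL)
    for category, numbers in result.items():
        print(f"{category}: lines {numbers}")
    for number, line in irregular_subset(SAMPLE_TRAIL, result):
        print(number, line)
```

Lines that fail to parse are counted as findings rather than silently skipped, because a record the parser cannot read is exactly the "invalid entry in event logs" case; the threshold categories flag once, at the line where the threshold is crossed, so a single user's long burst of failures produces one item for review rather than one per attempt.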

In addition, the following are recommendations to add to an audit program of audit trails in an e-commerce audit:

- Analyze the security ACL (access control list) assigned to the resources (operating systems generally) where the logs are stored (online, offline, onsite, offsite).
- Check for the existence of policies and procedures about audit trails in applications and products.
- Review the audit trails towards recreating activity or error analysis as needed.
- Review the parameters installed in the equipment/software regarding activation/deactivation or deletion.
- Obtain and assess the risk assessment document for each audit trail generated.
- Check for the existence of controls over the audit trails considered as high relative to confidentiality and integrity (e.g., EFT systems and their equipment, network, procedures, etc.).
- Monitor routines to analyze audit trail availability.
- Review the access control audit trails on the security software or key management reports.

Basel Committee on E-banking

The following principle was issued by the Basel Committee on Banking Supervision in the document entitled "Risk Management Principles for Electronic Banking."

Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions.


Delivery of financial services over the Internet can make it more difficult for banks to apply and enforce internal controls and maintain clear audit trails if these measures are not adapted to an e-banking environment. Banks are challenged to ensure not only that effective internal control can be provided in highly automated environments, but also that the controls can be independently audited, particularly for all critical e-banking events and applications.

A bank's internal control environment may be weakened if it is unable to maintain clear audit trails for its e-banking activities. This is because much, if not all, of its records and evidence supporting e-banking transactions are in an electronic format. To determine where clear audit trails should be maintained, the following types of e-banking transactions should be considered:

- The opening, modification or closing of a customer's account
- Any transaction with financial consequences
- Any authorization granted to a customer to exceed a limit
- Any granting, modification or revocation of systems access rights or privileges

Sound Practices for E-banking Systems

The following are several sound practices to help ensure that a clear audit trail exists for e-banking transactions:

- Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution.
- E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence and prevents tampering with it and the collection of false evidence.
- In instances where processing systems and related audit trails are the responsibility of a third-party service provider:
  o The bank should ensure that it has access to relevant audit trails maintained by the service provider.
  o Audit trails maintained by the service provider must meet the bank's standards.
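One way to meet the practice of capturing evidence so that tampering is detectable, for the four transaction types the Basel list names, is an append-only log in which every entry commits to the hash of the entry before it. The Python below is an added example, not code from the article or from the Basel Committee's document; the event-type labels, the record fields, the sample transactions and the use of SHA-256 chaining are assumptions made for the example. Modifying, deleting or reordering an entry after it was written breaks verification at that position.

```python
import copy
import hashlib
import json

# Assumed labels for the transaction types the Basel text says need a clear audit trail.
LOGGED_EVENTS = {
    "account_open", "account_modify", "account_close",   # opening/modification/closing of an account
    "financial_txn",                                     # any transaction with financial consequences
    "limit_override",                                    # authorization to exceed a limit
    "access_rights_change",                              # granting/modification/revocation of access rights
}

GENESIS_HASH = "0" * 64   # previous-hash value for the very first entry


def canonical_bytes(entry):
    """Serialise every field except the entry's own hash in a fixed key order."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


class AuditTrail:
    """Append-only, hash-chained list of audit entries."""

    def __init__(self):
        self.entries = []

    def append(self, event, actor, details):
        if event not in LOGGED_EVENTS:
            raise ValueError(f"event type not covered by the audit trail: {event}")
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": len(self.entries), "event": event, "actor": actor,
                 "details": details, "prev": prev}
        entry["hash"] = hashlib.sha256(canonical_bytes(entry)).hexdigest()
        self.entries.append(entry)
        return entry["hash"]


def verify(entries):
    """Return the index of the first entry that breaks the chain, or None if it is intact."""
    prev = GENESIS_HASH
    for i, entry in enumerate(entries):
        if entry.get("seq") != i or entry.get("prev") != prev:
            return i                      # gap, reordering or deletion before this point
        if hashlib.sha256(canonical_bytes(entry)).hexdigest() != entry.get("hash"):
            return i                      # contents changed after the hash was computed
        prev = entry["hash"]
    return None


def build_sample_trail():
    """Constructed records for the example; not real transactions."""
    trail = AuditTrail()
    trail.append("account_open", "teller7", {"account": "ACC-0001"})
    trail.append("financial_txn", "customer42", {"account": "ACC-0001", "amount": "150.00"})
    trail.append("limit_override", "manager3", {"account": "ACC-0001", "new_limit": "5000.00"})
    trail.append("access_rights_change", "secadmin", {"grantee": "teller7", "role": "approver"})
    return trail


def demo_tampering():
    """Return (intact, modified_index, deleted_index) to show what verify() detects."""
    trail = build_sample_trail()
    intact = verify(trail.entries)

    modified = copy.deepcopy(trail.entries)
    modified[1]["details"]["amount"] = "15000.00"      # change a posted amount in place
    modified_index = verify(modified)

    deleted = copy.deepcopy(trail.entries)
    del deleted[2]                                      # drop the limit override entirely
    deleted_index = verify(deleted)

    return intact, modified_index, deleted_index


if __name__ == "__main__":
    print(demo_tampering())   # (None, 1, 2)
```

Verification only proves that the entries are consistent with one another; a party that controls the whole store can rebuild the chain from scratch. The latest hash therefore needs to be copied periodically to a place the log writer cannot alter, which is also what gives a bank a way to check trails that a third-party provider maintains on its behalf against its own standard.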

Conclusion

In today's business environment, organizations are using their networks to interact with other networks. The aim is to integrate their businesses with the electronic commerce world. While it is easy to identify an organization's technology, the organization must know how to use, as well as audit, that technology.

The problem is that IT audit or IT risk management has to learn about the risks involved in these new technology infrastructures and how to assess, evaluate and present them.

IT auditors can audit (technically or not) all the logs in an e-commerce environment, but they first need to know in what businesses the organization is involved.

References

Chapman and Zwicky, Building Internet Firewalls, O'Reilly & Associates, Inc.

COBIT 3rd Edition, IT Governance Institute, www.isaca.org//templateredirect.cfm?section=cobit6

Federal Financial Institutions Examination Council, IS Examination Handbook, volume 1, 1996, www.ffiec.gov

Risk Management Principles for Electronic Banking, Basel Committee on Banking Supervision, May 2001, www.bis.org

National Institute of Standards and Technology, Guideline on Firewalls and Firewall Policy, January 2002, www.nist.gov

Database Security in Oracle8i, An Oracle Technical White Paper, November 1999, www.oracle.com

Group Policy Reference (Windows 2000), Systems and Network Attack Center (NSA), Report number: C4-053R-00, unclassified, [email protected]

Luis A. Blanco, CISA, is an IT auditor in the IT Audit--GRM (Group Risk Management) department at Lloyds TSB Bank plc, Argentina, and has more than seven years of experience in IT audits for financial institutions in Argentina. He is working toward a master's in management information systems at the University of El Salvador in Buenos Aires, Argentina, and currently is doing research in the information technology risk management and wireless LAN network fields. He can be contacted at [email protected].
