risk management ecommerce
RISK MANAGEMENT
E-commerce
E-tail, e-trade, e-retail, online buying and selling, e-commerce, online shopping: whatever term it takes, it is there, and growing from luxury goods to FMCGs, from companies' raw materials to groceries and vegetables, and from autos to books.
E-commerce
E-commerce definition
The use of electronic transmission to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location.
When parts are shipped, the supplier electronically transmits the invoice to the manufacturer.
because it reduces data entry, mailing costs and time to complete transactions.
E-commerce opportunities
Powerful tool in the economic growth of developing countries
E-commerce promises better business for SMEs
Sustainable economic development
Requires strong political will and good governance
Requires responsible and supportive private sector
Risk
This paper discusses what types of risks are present in e-commerce and presents a methodology that can be used to control e-commerce risks.
E-commerce-based risks are similar to those encountered in other business environments, and many of the requisite controls are extensions of controls for managing information systems risks.
Ecommerce categories
Business-to-business (B2B) e-commerce: Companies buying from and selling to each other online. EDI was the early form for undertaking B2B e-commerce.
Business-to-consumer (B2C) e-commerce: Any business or organisation that sells its products or services to consumers over the Internet
B2B: audit client is transacting with small group of other businesses (identity known, authorisation).
B2C: audit client is transacting with the world at large (identity unknown).
E-commerce risks include:
Risks arising from the nature of relationships with e-commerce trading partners;
Risks related to the recording and processing of e-commerce transactions;
Pervasive e-commerce security risks, including privacy issues;
Fraud risks; and
Risks of systems failures or ‘crashes’.
Risk in revenue recognition
E-commerce company valuations are often based on revenue multiples; revenue is the area susceptible to misuse and fraud, so it is subject to constant scrutiny, i.e. continuous audit
Revenues Are Often More Complicated in e-Commerce
Accounting issue is timing of revenue recognition and presentation (gross vs net)
Timing of revenue:
When orders received
When goods dispatched
When received by customer
When accepted by customer
When goods return option elapsed
Risk in revenue recognition
Most companies accept payment via credit/debit card or cash on delivery, and delivery is primarily the company's responsibility, so it is important to consider whether risks and rewards have transferred to the customer at the time of revenue recognition
Revenue presentation (gross vs net)
At the value billed to customers, including all costs of carriage, discount, insurance, agency commission and return costs
Risk in revenue at gross
Typical e-Commerce firm had negative earnings and P/E multiples
Companies that report at gross may inflate market share proportions
Examples of Reporting at Gross
Priceline.com brokered airline tickets online and included the full price of the ticket as Priceline.com revenues. This greatly inflated revenues relative to traditional ticket brokers and travel agents who only included commissions as revenue.
eBay.com included the entire price of auctioned items into its revenue even though it had no ownership or credit risk for items auctioned online.
Lands' End issued discount coupons (e.g., 20% off the price), recorded sales at the full price, and then charged the price discount to marketing expense.
Risk in revenue recognition
Goods delivered to the customer carry an option to return, so revenue may be recognised when the return option has elapsed
Credit risk
Price discretion and discrimination
Direct taxation: legal issues related to taxes on revenues are considered mainly the responsibility of the source country and the company using that source; these issues are not yet settled and are resolved on a case-by-case basis
A note must be given in the financial statements regarding revenue recognition criteria
Risk in revenue recognition Management
Recognise revenue when each performance criterion is satisfied
Point in time vs over the period
When control passes
Disclosure of revenue recognition criteria
Continuous process auditing: auditors review transactions at frequent intervals or as they occur
Intelligent control agents: heuristics (artificial intelligence) that search electronic transactions for anomalies
E-commerce operational risk
We have categorized risks in three primary areas:
Information risks stem from information published and contained in web sites and associated with the conduct of e-commerce. These include risks associated with misuse of information, such as violation of laws of the host country and other countries.
Technology risks include risks involving hardware, software, telecommunications and databases. These risks include the consequences resulting from the misuse of technology or the use of inappropriate technologies required to address business needs.
Business risks concern customer and supplier relationships, and risks associated with products and services marketed and distributed over the Internet. They also include risks associated with managerial aspects of the contractual relations.
Information Risk
Content on web page exposing web publisher to libel, defamation of character, slander
Copyright infringement and invasion of privacy suits stemming from posted textual content, digital scanning and morphing
Copyright, patent, or trade secret infringement violations by material used by web site developers
After unauthorized access to a web site, online information about employees or customers is stolen, damaged or released without authorization
Credit card information intercepted in transit is disclosed or used for fraudulent purposes
Information that has been changed or inserted in transmission is processed leading to erroneous results
Flight of intellectual property due to employees moving to competitors
Technology Risk
Negligent errors or omissions in software design
Unauthorized access to a web site
Infecting a web site with computer viruses
Internet service provider (ISP) server crashes
Software error and omission risks causing unauthorized access
Software content risk that violates a copyright
Insufficient bandwidth to handle traffic
Obsolete hardware or hardware lacking the capacity to process required traffic
Risk due to excessive ISP outages or poor performance
ISP or home-company servers being down
Scant technical infrastructure to manage cycle time to develop, present, and process web-based products
Inability of customer or supplier computers to handle graphical downloads
Business Risk
Risks related to payment to web site developers and disputes between developers and clients
Lack of maintenance on existing web pages
Changes in supplier relationships re: data access, data ownership, distribution strategy, and marketing tactics
Changes in customer relationships re: data access, data ownership, distribution strategy, and marketing tactics
Products out-of-stock due to poor communication with operations
High shipping costs required for distribution
Inconvenient return policies -- lack of coordination with physical system
Excessive dependence on ISP to support firm's business strategy
Inability to manage cycle time for developing, presenting, and processing web-based products
Risk due to unprotected domain names which are used by other organizations
Insufficient integration of e-commerce with supply chain channels
E-Commerce controls
Security infrastructure controls (firewalls, encryption and other security controls);
Systems controls (controls over systems development, systems monitoring); and
Programmed controls (e.g. to ensure customer is authentic – payment authorised with approved credit card, order is reasonable, method of payment or credit-worthiness have been established).
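The programmed controls listed above, run as a continuous-audit pass of the kind described under revenue recognition management, as an added example that is not part of the original slides. The record fields, the 10x reasonableness threshold, the Luhn check used as a card-format test and the sample orders are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Order:  # hypothetical order record; field names are assumptions
    order_id: str
    customer_authenticated: bool  # customer is authentic
    card_number: str
    payment_authorised: bool      # payment approved for this card
    amount: float
    customer_avg_amount: float    # this customer's historical average order
    credit_limit: float           # established credit-worthiness

def luhn_valid(card_number: str) -> bool:
    """Luhn checksum: rejects mistyped or malformed card numbers."""
    s = card_number.replace(" ", "")
    if not (s.isascii() and s.isdigit() and len(s) >= 12):
        return False
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def control_failures(o: Order, max_ratio: float = 10.0) -> list[str]:
    """Apply each programmed control; return the names of those that fail."""
    failed = []
    if not o.customer_authenticated:
        failed.append("customer_not_authentic")
    if not (luhn_valid(o.card_number) and o.payment_authorised):
        failed.append("payment_not_authorised")
    if o.amount <= 0 or o.amount > max_ratio * o.customer_avg_amount:
        failed.append("order_not_reasonable")
    if o.amount > o.credit_limit:
        failed.append("credit_limit_exceeded")
    return failed

def audit(orders: list[Order]) -> dict[str, list[str]]:
    """Continuous-audit pass: exceptions keyed by order id, for auditor review."""
    return {o.order_id: f for o in orders if (f := control_failures(o))}

# Constructed sample orders; 4111 1111 1111 1111 is a standard test card number.
SAMPLE = [
    Order("A1", True, "4111 1111 1111 1111", True, 120.0, 100.0, 500.0),
    Order("A2", True, "4111 1111 1111 1112", True, 80.0, 100.0, 500.0),
    Order("A3", False, "4111 1111 1111 1111", True, 5000.0, 100.0, 2000.0),
]
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Orders that pass every control are left out of the result, so an auditor reviewing at frequent intervals sees only the exceptions.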