Internet, Intranet: Will Open Systems Architecture Transform Auditing?

Lynford E. Graham, Alexander Kogan and Miklos A. Vasarhelyi

Rutgers University

Proposition: While "techies" emphasize their Websites and browsers, auditors can be secure that their understanding of conventional systems and networks will suffice for now in dealing with the intricacies of client systems.

Not so fast! Quite unexpectedly to all but the most visionary of seers, the technology supporting the Internet is today a growing element in many companies' plans for evolving their internal systems to meet tomorrow's challenges. The day is already past when auditors can put off learning the skills required to understand and evaluate the strengths and weaknesses of Internet-type systems. We're not just talking about setting up a home page here, but also about the fact that companies such as Ford Motor, 3M, AT&T and Eli Lilly have implemented Intranets to meet new system and corporate communication needs. Intranets are private networks, connecting different types of computers in various segments of a company through the use of TCP/IP ("open architecture") standards. One estimate is that over half of the large companies in the US are evaluating this technology for near-term internal use. The prime mover in this revolution is the universally well understood motivator--cost.

The advantages of the technology are compelling:

The "no free lunch" principle dictates that there are some disadvantages too. For example, your systems may be better "understood" by unfriendly insiders and outsiders, so vigilant security and constant monitoring are essential. To avoid system penetration, some companies now prohibit the direct connection of their networks to external networks, and others have implemented sophisticated "firewalls" to deter thieves and pranksters.

Auditor Responses

The client's dedication to establishing and enforcing computing policies and good practices will increase in importance in preventing problems due to error and fraud. Any sort of distributed system today is more vulnerable than the mainframes of yesteryear, since the "chains" of today's systems have so many more links and the chain is only as strong as its weakest link. The network can be a powerful conspirator in manufacturing evidence or covering a thief's tracks. Consequently, access control and other security measures must be strictly enforced, and every user has an increased responsibility to guard against system security breaches. To control access, security specialists are resorting to hardware and hardwired security measures, as well as distributing software on CD-ROM to minimize copying and modification risks. System watchdogs may use the new "Cookies" technology, supported by some browsers, to keep track of selected activity on the local Intranet. Systems analysis tools such as SATAN may be used to analyze certain known weaknesses of some UNIX-based networks. SATAN is free to requesters, but it is also freeware to potential system troublemakers.

Auditors will need to monitor developments in security issues on a constant basis, most conveniently through the resources and reporting mechanisms on the Web itself. Recently, security flaws in the Apache and NCSA Web servers were identified, and within days patches to address these issues became available through the Internet. The large number of people identifying problems and seeking solutions is actually regarded as a strength of this "open architecture" technology. This point is contrary to traditional systems thinking.

Commerce in Cyberspace

To date, mainstream commercial use of the Internet has been limited, but current developments will likely change all that. In February 1996, the major credit card companies Visa and Mastercard released draft SET (Secure Electronic Transmission) specifications, and implementation is expected by the end of the year. Under these standards, the merchant will be shielded from the sensitive credit card data, and will only have access to the important information necessary to process the order. These specifications can be downloaded at the Visa and Mastercard Web sites. Skeptical auditors do not believe that totally "bullet-proof" protocols can be developed, and the legal responsibilities and risks for merchants and consumers have yet to be fully defined. However, the pressure for retailing businesses to enter the cyberspace marketplace is overwhelming.

A simple extension of this consumer marketing trend is the logical expansion of EDI, where shared protocols and mutually agreed security software will protect the parties to the point where the Internet may become a "virtual private network." Auditors will accordingly need to assess any resultant new business risks, and evaluate the validity of more paperless assets than ever before.

Of course, challenges within the Internet itself are present too. The "permissive" environment of the Internet may be in for some stricter parenting, as demand presses the limiting envelopes of hardware and existing protocol standards. To ensure the continued success of the Internet, investments will need to be made, and some additional hardware and software standards can be helpful in minimizing the growth pains. For example, Netscape and Microsoft have introduced their own extensions of the HTML (hypertext) standards, since the business world's needs have outpaced standards in this area. This trend can threaten the "open architecture" environment if not addressed by the IETF (Internet Engineering Task Force). Alternatively, the most popular versions of these extensions may become the de facto standard going forward.

Implications for Education

Some technologists suggest that the new trends indicate that the time has never been better for making educational investments in a technology that may have a long payback period for students and educators. Computer pioneers sometimes lament their fate as "repositories for obsolete computer languages." However, investments in understanding the fundamentals of today's technology are likely to be useful to all future users and auditors of systems. These technologies include browsers and the hypertext environment, the high-level fundamentals of open-architecture design and implementation, the use of rapid application development tools (e.g., PowerBuilder or Visual Basic), and developing the skills to use E-mail and file transfer to the point where these tasks become second nature. For the future computer auditor, some programming experience with a modern language (C or C++) will be a useful tool for expanding understanding of the underlying processes. It is not often that a relevant training ground for an expanding business tool is so readily available, with tools and training materials available at our bookstores and fingertips. The Rutgers Website (http://www.rutgers.edu/accounting) will keep you posted on these and related issues, and you may wish to view there a course syllabus for a popular Rutgers Accounting and Information Systems course, "Wired for the Technological Future," designed to increase awareness of current technology trends, review developments in electronic commerce and develop Internet skills.


Return to The Auditor's Report, Summer, 1996