
Chapter 12 HALL ELECTRONIC COMMERCE SYSTEM

E-Commerce
Electronic processing and transmission of business data

INTERNET TECHNOLOGIES
Packet Switching
messages are divided into small packets
each packet of the message may take a different route to the destination

Virtual private network (VPN)
private network within a public network
Secured access; sends and receives data across a public network as if connected to a private network

Intranet
System of computers that connects the internal users of an organization, who may be distributed over a wide geographic area

Extranets
a password-controlled network for private users

World Wide Web
an Internet facility that links users locally and globally
• Web Page → fundamental format for the web; a text document

Internet Addresses
- e-mail address (for each user)
- URL address (for each web page)
- IP address (for each computer)

Protocol
a standard set of rules that allows devices to communicate with each other; governs the design of hardware and software
Functions:
- Physical connection of devices
- Synchronize transfer of data → defines the rules for initiating a message
- Basis for checking network performance → compares measured results against expectations
- Compatibility of network devices → conforming to a mutually acceptable mode of operation
- Promote flexible network designs → users are free to change and enhance their systems

TYPES OF PROTOCOLS
Transfer Control Protocol/Internet Protocol (TCP/IP)
Basic protocol that controls how individual packets of data are formatted, transmitted, and received
Permits communication between internet sites; reliable because delivery is guaranteed

Hypertext Transfer Protocol (HTTP)
controls web browsers

File Transfer Protocol (FTP)
used to transfer files across the internet

Simple Network Mail Protocol (SNMP)
E-mail

Secure Sockets Layer (SSL)
encryption schemes used to secure transactions over the web

Secure Electronic Transmission (SET)
encryption schemes used to secure credit card transactions

Open System Interface (OSI)
A layered set of standards created by the International Standards Organization
Allows equipment from different manufacturers to interface with each other in a seamless interconnection at the user level
- Layers 1-4 = about data communication
- Layers 5-7 = about data manipulation

Hypertext Markup Language (HTML)
FORMAT/DISPLAY for web pages, like the font, page layout, etc.
Used to lay out information for display
● links to other docs in the WWW, allowing the user to jump to another site

XML AND XBRL

eXtensible Markup Language (XML)
is a meta-language for describing markup languages
- ANY markup language can be created using XML.
- Can be used to model the data structure of an organization's internal database
- Stores data in a form that can be retrieved and shared even by incompatible applications → like a universal language, readable by and convertible to any programming language

HTML vs XML
- HTML cannot be processed further, because it is limited to the format/display of the web page
- XML can be processed into any other language

XBRL: eXtensible Business Reporting Language
XML-based language for standardizing methods of preparing, publishing, and exchanging financial information, e.g., financial statements.
• XBRL Instance Document → mapping of the organization's internal data to XBRL taxonomy elements
• XBRL Taxonomies → classification schemes that are compliant with XBRL specifications and accomplish a specific information exchange or reporting objective (e.g., filing with the SEC); specifies the data to be included in a report

XBRL IMPLICATIONS ON AUDIT
- Taxonomy creation: an incorrect taxonomy results in invalid mapping that may cause material misrepresentation of financial data
- Validation of instance documents: ensure that the appropriate taxonomy and tags have been applied
- Audit scope and timeframe: impact on auditor responsibility as a consequence of real-time distribution of financial statements
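An added example, not code from the notes or from any XBRL tool, of what "validation of instance documents" means in practice: a parser that checks a constructed, simplified instance document against a constructed mini taxonomy (element names, declared contexts, numeric values, and one calculation rule). The namespaces, element names and figures are all assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed mini taxonomy (element -> data type) and one calculation rule;
# a real XBRL taxonomy is far larger, but the checks below are the same in kind.
TAXONOMY = {"Assets": "monetary", "Liabilities": "monetary",
            "StockholdersEquity": "monetary", "Revenues": "monetary"}
CALCULATIONS = {"Assets": ["Liabilities", "StockholdersEquity"]}   # Assets = Liabilities + Equity

NS = {"x": "http://example.invalid/instance", "fin": "http://example.invalid/taxonomy"}

# Constructed instance document with deliberate defects: an element the taxonomy
# does not define, a fact pointing at an undeclared context, a value that is not
# a plain number, and a total that does not add up.
INSTANCE = """<?xml version="1.0"?>
<x:xbrl xmlns:x="http://example.invalid/instance" xmlns:fin="http://example.invalid/taxonomy">
  <x:context id="FY2023"><x:period><x:instant>2023-12-31</x:instant></x:period></x:context>
  <fin:Assets contextRef="FY2023" unitRef="USD" decimals="0">500000</fin:Assets>
  <fin:Liabilities contextRef="FY2023" unitRef="USD" decimals="0">300000</fin:Liabilities>
  <fin:StockholdersEquity contextRef="FY2023" unitRef="USD" decimals="0">150000</fin:StockholdersEquity>
  <fin:NetIncomeLoss contextRef="FY2023" unitRef="USD" decimals="0">25000</fin:NetIncomeLoss>
  <fin:Revenues contextRef="FY2022" unitRef="USD" decimals="0">1,200,000</fin:Revenues>
</x:xbrl>
"""

def validate_instance(xml_text: str):
    """Return (facts, findings): the parsed numeric facts and a list of validation problems."""
    root = ET.fromstring(xml_text)
    contexts = {c.get("id") for c in root.findall("x:context", NS)}
    tax_prefix = "{%s}" % NS["fin"]          # ElementTree names tags as {namespace}local
    facts, findings = {}, []
    for el in root:
        if not el.tag.startswith(tax_prefix):
            continue                          # contexts, units etc. are not facts
        name = el.tag[len(tax_prefix):]
        if name not in TAXONOMY:              # tag the taxonomy does not define
            findings.append(f"{name}: element not in taxonomy")
            continue
        if el.get("contextRef") not in contexts:   # fact refers to an undeclared period
            findings.append(f"{name}: undefined contextRef {el.get('contextRef')!r}")
        try:
            facts[name] = int((el.text or "").strip())
        except ValueError:
            findings.append(f"{name}: value {el.text!r} is not a plain number")
    for total, parts in CALCULATIONS.items():      # arithmetic consistency between facts
        if total in facts and all(p in facts for p in parts):
            expected = sum(facts[p] for p in parts)
            if facts[total] != expected:
                findings.append(f"{total}: {facts[total]} does not equal {' + '.join(parts)} = {expected}")
    return facts, findings

if __name__ == "__main__":
    parsed, problems = validate_instance(INSTANCE)
    print(parsed)
    for problem in problems:
        print("-", problem)
```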

INTERNET BUSINESS MODELS

Internet business models: 3 levels
1. Information: display the information of a company or business
2. Transaction: accept/place orders online
3. Distribution: sell digital products online

E-commerce's greatest benefit: the ability to forge dynamic business alliances with other organizations to fill a unique market niche; more business partnerships; forming a DYNAMIC VIRTUAL ORGANIZATION

Areas of Concern
● Data Security: data protected?
● Business Policies: policies publicly stated and followed?
● Privacy: confidential?
● Business Process Integrity: accurate, complete, and consistent info?

RISKS ASSOCIATED WITH ELECTRONIC COMMERCE

Intranet Risks
● Intercepting network messages: SNIFFING → unauthorized interception of information by a node on the network, or unauthorized access (exposure is greater if the intranet is connected to the internet)
● Accessing corporate databases: connecting the intranet to a central corporate database increases the risk that data will be accessed by employees
● Privileged employees: override privileges may allow unauthorized access
● Reluctance to prosecute: organizations don't want to prosecute computer crime for fear of negative publicity (might show that the business does not have proper security)

Internet Risks to Consumers
• Theft of Credit Card Numbers
• Theft of Passwords
• Consumer Privacy
o Cookies → files containing user information, created by the web server of the site being visited; contain URLs of visited sites
o Privacy issue: what information is being captured and how it is used (e.g., for targeted advertising?)

Internet Risks to Business
• IP Spoofing: making a message seem as though it comes from a trusted source when it does not → impersonating an IP address or masquerading one's true identity
• DOS / Denial of Service Attack: disables the business's ability to transact and process; an attack meant to prevent a system from servicing its users
3 types of DOS attacks
o SYN FLOOD: exploits the 3-way handshake; the server needs the final acknowledgement from the client, but the attacker never sends it, so the website keeps waiting and becomes unavailable; consumes all resources
o SMURF: attack that overwhelms a server with numerous test messages until it is inoperable because of the traffic; uses ping signals
▪ Ping → used to test the state of the network and determine whether a host computer is connected to it
▪ Countered by disabling the IP broadcast address
o DDOS: multiple compromised or "zombie" computers attack a single targeted system. May take the form of a SYN flood or smurf attack
• Other malicious programs: viruses, worms, logic bombs, and Trojan horses
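As an added, defender-side example (not from the notes), a check over a constructed connection log that applies the two descriptions above: it counts handshakes per server that never received the final ACK, and echo replies a host receives without having sent an echo request. The log format, addresses and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed one-event-per-line format: "<time> <proto> <src> -> <dst> <flag>"
LINE_RE = re.compile(r"^(\S+) (TCP|ICMP) (\S+) -> (\S+) (\S+)$")

def build_sample_log():
    """Constructed sample traffic: one completed handshake, 25 half-open SYNs, 40 stray echo replies."""
    lines = [
        "10:00:00 TCP 198.51.100.7:51001 -> 203.0.113.10:443 SYN",
        "10:00:00 TCP 203.0.113.10:443 -> 198.51.100.7:51001 SYN-ACK",
        "10:00:00 TCP 198.51.100.7:51001 -> 203.0.113.10:443 ACK",
    ]
    for i in range(25):   # clients that answer the SYN-ACK with silence
        lines.append(f"10:00:01 TCP 198.51.100.{100 + i}:40000 -> 203.0.113.10:443 SYN")
        lines.append(f"10:00:01 TCP 203.0.113.10:443 -> 198.51.100.{100 + i}:40000 SYN-ACK")
    for i in range(40):   # replies from many hosts although 203.0.113.10 sent no request
        lines.append(f"10:00:02 ICMP 192.0.2.{i + 1} -> 203.0.113.10 echo-reply")
    return lines

def analyse(lines, syn_threshold=20, reply_threshold=30):
    """Return alert strings for servers with too many half-open handshakes (SYN flood
    indicator) and hosts receiving too many unsolicited echo replies (smurf indicator)."""
    pending = {}                       # (client, server) -> handshake not yet completed
    echo_requests = set()              # (src, dst) pairs that legitimately sent a request
    echo_replies = defaultdict(set)    # dst -> sources of replies nobody asked for
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                   # ignore lines that do not fit the format
        _ts, proto, src, dst, flag = m.groups()
        if proto == "TCP":
            if flag == "SYN":
                pending[(src, dst)] = True
            elif flag == "ACK":
                pending.pop((src, dst), None)   # third step seen: handshake complete
        elif flag == "echo-request":
            echo_requests.add((src, dst))
        elif flag == "echo-reply" and (dst, src) not in echo_requests:
            echo_replies[dst].add(src)
    half_open = defaultdict(int)
    for (_client, server) in pending:
        half_open[server] += 1
    alerts = []
    for server, n in half_open.items():
        if n >= syn_threshold:
            alerts.append(f"possible SYN flood against {server}: {n} half-open connections")
    for host, sources in echo_replies.items():
        if len(sources) >= reply_threshold:
            alerts.append(f"possible smurf against {host}: {len(sources)} unsolicited echo replies")
    return alerts

if __name__ == "__main__":
    for alert in analyse(build_sample_log()):
        print(alert)
```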
E-COMMERCE SECURITY, ASSURANCE AND TRUST
Encryption
Transforms a clear message into a coded form, also called the ciphertext
Multiple people may hold the public key used to encode a message
Sender uses an encryption algorithm to convert the original message (cleartext) into a coded form (ciphertext)

Decoding
Only one or a few people have the private key needed to decode.

Digital Authentication
proves or confirms the information or message sent. NOT the same as authorization
● Digital Signature: proves that the original sender's message has not been tampered with
● Digital Certificate: identifies and verifies that the user sending a message is who he or she claims to be, and provides the receiver with the means to encode a reply; used in conjunction with public key encryption
○ trusted third parties known as certification authorities (CAs) issue digital certificates
○ a public key infrastructure (PKI) contains the policies and procedures for digital certification
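An added toy illustration, not code from the notes or from Hall, of the public-key encoding, digital signature and CA-issued certificate described above, using textbook RSA with deliberately tiny hard-coded primes. The key pairs, the subject name and the message are all constructed assumptions.

```python
import hashlib

E = 65537  # common public exponent

def make_key(p, q):
    """Return ((e, n), (d, n)) for primes p and q; d is the inverse of e mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse (Python 3.8+)
    return (E, n), (d, n)

# Constructed toy keys from Mersenne primes: far too small for real use, chosen only
# so the arithmetic runs instantly and the sign/verify logic stays visible.
SENDER_PUB, SENDER_PRIV = make_key(2**31 - 1, 2**61 - 1)
CA_PUB, CA_PRIV = make_key(2**89 - 1, 2**107 - 1)

def digest(message: bytes, n: int) -> int:
    """Hash the message and reduce it below the modulus so it is a valid RSA input."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def encrypt(message: bytes, public_key) -> int:
    """Anyone holding the public key can encode; the message must fit below the modulus."""
    e, n = public_key
    m = int.from_bytes(message, "big")
    assert m < n, "message too long for this toy modulus"
    return pow(m, e, n)

def decrypt(ciphertext: int, private_key) -> bytes:
    """Only the private key holder can decode."""
    d, n = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def sign(message: bytes, private_key) -> int:
    """Signature = hash of the message raised to the private exponent."""
    d, n = private_key
    return pow(digest(message, n), d, n)

def verify(message: bytes, signature: int, public_key) -> bool:
    """Recover the hash with the public exponent and compare it with a fresh hash."""
    e, n = public_key
    return pow(signature, e, n) == digest(message, n)

def issue_certificate(subject: str, subject_pub, ca_private) -> dict:
    """The CA binds an identity to a public key by signing the pair."""
    e, n = subject_pub
    body = f"{subject}|{e}|{n}".encode()
    return {"subject": subject, "public_key": subject_pub, "ca_signature": sign(body, ca_private)}

def certificate_is_valid(cert: dict, ca_pub) -> bool:
    e, n = cert["public_key"]
    body = f"{cert['subject']}|{e}|{n}".encode()
    return verify(body, cert["ca_signature"], ca_pub)

def receive(message: bytes, signature: int, cert: dict, ca_pub) -> str:
    """Receiver's checks: trust the key via the CA's certificate, then the message via that key."""
    if not certificate_is_valid(cert, ca_pub):
        return "rejected: certificate not issued by a trusted CA"
    if not verify(message, signature, cert["public_key"]):
        return "rejected: message altered or not signed by the certified key"
    return "authentic"

if __name__ == "__main__":
    cert = issue_certificate("buyer.example", SENDER_PUB, CA_PRIV)
    order = b"PO 1001: 50 units at 12.00"
    sig = sign(order, SENDER_PRIV)
    print(receive(order, sig, cert, CA_PUB))                          # authentic
    print(receive(b"PO 1001: 500 units at 12.00", sig, cert, CA_PUB))  # rejected: message altered ...
```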

Firewalls:
System used to insulate an organization's intranet from the internet
Can be used to authenticate an outside user of the network, verify his/her level of access authority, and direct the user to the program, data, or service requested.
SOFTWARE and HARDWARE network security or control gateway that channels all incoming and outgoing connections based on predetermined security rules.
• Network Level Firewall → provides basic screening of low-security messages and routes them to their destination
• Application Level Firewall → high level of network security

Network level firewalls
low cost/low security access control
- uses a screening router to direct messages to their destination
- can be penetrated using an IP spoofing technique (it examines only the IP address)
- does not explicitly authenticate outside users (only determines whether a message should be allowed or denied, but cannot actually grant access)

Application level firewalls
high level/high cost, customizable network security
- Allows routine services and e-mail to pass through (grants access)
- performs sophisticated functions such as logging or user authentication for specific tasks (authenticates the user's credentials before allowing access to the network)
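An added illustration, not code from the notes, of the difference between the two levels: a screening function that decides on header fields alone, beside a gateway that authenticates credentials, checks authority for the requested service, and logs each decision. The rule table, user table, ports and addresses are constructed.

```python
import hashlib
import hmac
import ipaddress

# --- Network-level firewall (screening router): looks only at header fields ---
# Constructed rule table, first match wins; dst_port None means "any port".
SCREENING_RULES = [
    {"src": "10.0.0.0/8", "dst_port": 25,   "action": "allow"},   # internal hosts may reach mail
    {"src": "0.0.0.0/0",  "dst_port": 443,  "action": "allow"},   # anyone may reach the web server
    {"src": "0.0.0.0/0",  "dst_port": None, "action": "deny"},    # default deny
]

def screen_packet(packet: dict) -> str:
    """Allow or deny from the claimed source address and destination port alone.
    The router cannot tell a genuine internal address from a forged one."""
    src = ipaddress.ip_address(packet["src"])
    for rule in SCREENING_RULES:
        if src in ipaddress.ip_network(rule["src"]) and rule["dst_port"] in (None, packet["dst_port"]):
            return rule["action"]
    return "deny"

# --- Application-level firewall (gateway): authenticates, authorizes, logs ---
SALT = b"constructed-salt"   # per-user salts in practice; one constant keeps the example short

def password_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed user table: name -> (password hash, services the user may reach)
USERS = {"alice": (password_hash("correct horse battery"), {"mail", "web"})}
SERVICE_BY_PORT = {25: "mail", 443: "web", 1433: "database"}
AUDIT_LOG = []

def check_credentials(user, password: str) -> bool:
    record = USERS.get(user)
    if record is None:
        return False
    return hmac.compare_digest(password_hash(password), record[0])  # constant-time compare

def gateway(request: dict) -> str:
    """Decide on identity and authority, not on the source address, and record the decision."""
    service = SERVICE_BY_PORT.get(request["dst_port"], "unknown")
    user = request.get("user")
    if not check_credentials(user, request.get("password", "")):
        decision = "deny: authentication failed"
    elif service not in USERS[user][1]:
        decision = f"deny: {user} is not authorized for {service}"
    else:
        decision = f"allow: {user} -> {service}"
    AUDIT_LOG.append(f"src={request['src']} user={user} service={service} {decision}")
    return decision

if __name__ == "__main__":
    # A packet whose header merely claims an internal address passes the screening router ...
    claimed_internal = {"src": "10.1.2.3", "dst_port": 25}
    print(screen_packet(claimed_internal))   # allow
    # ... but the application gateway still demands valid credentials.
    print(gateway(claimed_internal))         # deny: authentication failed
    print(gateway({"src": "203.0.113.9", "dst_port": 25,
                   "user": "alice", "password": "correct horse battery"}))  # allow: alice -> mail
```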

Seals of Assurance
Show that a business website is trusted; provided by third parties
Examples: BBB, TRUSTe, VeriSign, Inc., ICSA, AICPA/CICA WebTrust, and AICPA/CICA SysTrust

1995 Safe Harbor Agreement:
Standards regarding information transmission between the US and Europe; the two sides are able to do business with each other as long as there is an adequate established level of privacy protection
APPENDIX – NETWORK TOPOLOGIES
LAN
Computers located close together are linked
Physical connection is achieved through a NIC, network interface card.

Network Interface Cards (NIC)
Establish the physical connection of workstations to the LAN

Server
Stores the application programs and operating system

WAN
Covers a greater geographic area than a LAN.
Is essentially multiple LANs combined together, therefore:
● Bridges connect LANs of the same type
● Gateways connect LANs of different types
***WANs may use carrier facilities like telephone lines or a Value Added Network (VAN)

Value Added Network
service offered by a 3rd party that acts as an intermediary between business partners for sharing data via shared business processes → internal control!

STAR TOPOLOGY:
The large central computer is known as the HOST, and the other smaller connected computers are nodes
Controlled by the host computer or server
• Often used for a WAN; the central computer is a mainframe
• popular for mainframe computing
• All communications have to go through the host, except for local computing
• Primary communication is between the central site and a node

HIERARCHICAL TOPOLOGY
Host computer connected to several levels of subordinate computers.
- Master-slave relationship: only one master (host).
- Local level (slave) → regional level (slave) → corporate level (master)

RING TOPOLOGY:
all nodes are equal, so there is no central computer.
- responsibility is equally distributed
- central site is eliminated
- may be used for LAN and WAN
- peer-to-peer arrangement (all nodes equal)
- Common resources shared by nodes can be managed by a file server that is itself a node

BUS TOPOLOGY:
All the nodes are connected to a COMMON CABLE (think of the body of the bus, with the computers as wheels).
The server is the front of the bus (the one with the engine)
• MOST POPULAR for LANs
• Simple, reliable and generally less costly to install than the ring topology

CLIENT SERVER TOPOLOGY
Looks like a bus topology, but can be used with bus, star, or ring topology
distributes the processing between the client/user computer and the central file server.
- ***each computer is assigned the functions that it performs best.
- reduces data communications traffic, thus reducing queues and improving response time.

NETWORK CONTROL
Data Collision
When two or more signals are transmitted simultaneously, both messages are destroyed.

Techniques to control data collisions:

Polling
most popular technique for establishing a communication session in WANs
- if one slave computer is transmitting data to the master computer,
- the master computer must LOCK the other slaves, in order to avoid disruption of the data transmission
Think of LOCKOUT PROCEDURES, similar
Advantages: noncontentious (two nodes can never access the network at the same time), and priorities can be set for data communications across the network

Token Passing
Involves transmitting a special signal (token) around the network from node to node in a specific sequence
Each node receives the token, regenerates it, and passes it to the next node
Only the node possessing the token is allowed to transmit data
• Can be used in ring or bus topologies

Carrier Sensing
random access technique that detects collisions when they occur; found on Ethernet
- Collision: when a node thinks there is no transmission in progress and proceeds to transmit simultaneously with others
- Though collisions can still occur
- Used with bus topology

Electronic Data Interchange (EDI)
Intercompany exchange of computer-processible business information in a standard format
Exchange of business transaction information between companies, via computerized systems and in a standard format (ANSI or EDIFACT)
- In pure EDI systems, no human intervention is needed to approve transactions
Advantages of EDI: reduction in paper, data entry, errors, inventories

Businesses have 2 options:
• Obtain an internal EDI system/software OR
• Obtain a VAN service without investing in software
CHAPTER 13 HALL: SYSTEMS DEVELOPMENT LIFE CYCLE, SDLC

Systems Strategy
First step is to develop a systems strategy
Understand business needs by analyzing the vision and mission and performing an analysis of the market

Project Initiation
Process where system proposals are assessed for consistency with the plan, and evaluated in terms of feasibility and cost-benefit

In-House Development
For unique information needs that can only be met through internal development of a system

Commercial Packages
When the nature of the project and the needs of the user permit, most organizations prefer a commercial package

Maintenance and Support
Maintenance is acquiring and implementing the latest software versions of commercial packages AND making in-house modifications to existing systems

Participants in SDLC:
● Systems Professionals: gather facts, analyze problems in current systems and formulate solutions
○ systems analysts, systems designers, programmers
○ product: a new system
● End Users: primary users of the system, addressing their needs is critical to success; for whom the system is built
● Stakeholders: individuals who have an interest in the system but are not end users eg employees, suppliers

Systems Strategy
Objective: link individual system projects to the strategic objectives of the firm
Establish a systems steering committee
Systems Steering Committee
involves the CEO, CFO, CIO, internal auditors, and senior management from user areas and computer services
Typical responsibilities:
- provide guidance
- resolve conflicts
- review projects and assign priorities
- budget and allocate funds
- review the status of projects
- determine whether projects should be continued
In summary: they review, resolve, and budget

OVERVIEW OF PHASE 1: SYSTEMS STRATEGY (planning, analysis, forming proposals)
A. understand the strategic needs of the organization
B. examine the organization's mission statement
C. analyze competitive pressures on the firm
D. examine current and anticipated market conditions
E. consider the information systems' implications pertaining to legacy systems
F. consider concerns registered through user feedback
G. produce a strategic plan for meeting these various and complex needs
H. produce a timetable for implementation

Strategic Systems Planning
involves the allocation of resources at the macro level
When we think strategic → long term → usually covers 3-5 years

Key inputs in developing systems strategy:
1. strategic business needs of the organization
2. situations involving legacy systems
3. end user feedback

Strategic Business Needs
Vision and mission: shape the organization's business strategy
Industry and competency analysis
● Industry analysis: (macro level) forces that affect the industry and business performance, e.g., important trends, significant risks, and potential opportunities; without a clear mission, employees may settle on unaligned missions
● Competency analysis: (business level) complete picture of effectiveness as seen via four strategic filters: resources, infrastructure, products/services, and customers (CRIS/P)

Legacy Systems
existing applications, databases and processes are considered legacy systems, which should be altered to fit current business processes
Architecture Description → formal description of an IS, organized in a way that identifies the properties and components of the IS.

End User Feedback
Identifying user needs is fundamental to everything else and critical to systems success, because end users are the primary users
End user feedback is relevant in multiple phases of the SDLC
In Phase 1: end user feedback pertains to substantial perceived problems rather than minor needed improvements
1. recognize problems
2. define problems
3. specify systems objectives
4. determine feasibility and contributions of projects
5. may entail prioritizing individual projects
6. prepare a formal project proposal

Recognizing the Problem
The need for a new or improved system is manifested through various symptoms.
- Symptoms may seem vague and innocuous or go unrecognized initially.

The point at which the problem is recognized is often a reflection or function of management's philosophy.
● reactive management - responds to problems only when they reach a crisis (solution)
● proactive management - alert to subtle signs of problems and aggressively looks for ways to improve (prevention)

Defining the Problem
- should avoid settling on a single definition of a problem
- so that resources are not wasted on a non-existent problem
- keep an open mind and gather facts before deciding
- learn to intelligently interact with systems professionals; necessary to arrive at an accurate problem definition.

The next three stages of the end user feedback process involve this interactive process.

Specify systems objectives
strategic objectives of the firm and the operational objectives of the systems must be compatible.
At this point, the objectives only need to be defined in general terms.

Preliminary Project Feasibility (TELOS)
● Technical - is the necessary technology available?
● Economic - are the funds available and appropriate for the system?
● Legal - does the system fall within legal boundaries? ability of a system to protect individual privacy and confidentiality
● Operational - can procedural changes be made to make the system work? compatibility of the existing system with the new system; considers the transition
● Schedule - can the project be completed within an acceptable time period? can users be trained within an acceptable time period?

Preparing a Formal Project Proposal
Systems Project Proposal: provides management with a basis for deciding whether or not to proceed with the project.
- Summarizes findings and provides a general recommendation.
- links the objectives of the system and the business objectives of the firm.

Develop Strategic Systems Plan
steering committee and systems professionals evaluate the pros and cons of each proposal.
- Assess each proposal's benefits, costs, strategic impact
- Proceed with the proposals with the greatest potential for supporting the organization's business objectives at the lowest cost.

Create an Action Plan: time to translate strategy into action
Balanced Scorecard, aka the BSC, has four perspectives: (FLIC)
- Financial: how do we look to our shareholders?
- Learning and Growth: can we continue to improve?
- Internal Business Process: what must we excel at?
- Customer: how do we look to our customers?
Purpose: provide feedback from internal and external sources for continuous improvement
***BSC primary objective: information on the dimensions important to every organization
***BSC secondary objective: avoid too much information; concentrate only on critical success factors

● Auditors should routinely review the organization's systems strategy.
● Careful systems planning is a cost-effective way to reduce the risk of creating unneeded, unwanted, inefficient, and ineffective systems.
● Both internal and external auditors have vested interests in this outcome.

OVERVIEW OF PHASE 2: PROJECT INITIATION (deciding on the proposals and method of implementation based on feasibility and cost-benefit)
A. assess systems proposals for consistency with the strategic systems plan
B. evaluate feasibility and cost-benefit characteristics of proposals
C. consider alternative conceptual designs
D. select a design to enter the construct phase of the SDLC
E. examine whether the proposal will require in-house development, a commercial package, or both

Systems Analysis
A business problem must be fully understood before a solution can be formulated.
A defective analysis will lead to a defective solution.
Systems analysis is a two-step process: survey of the current system & analysis of users' needs

Survey of CURRENT/EXISTING SYSTEM
Involves determining what elements of the current system should be preserved as part of the new system
PROS
- Identifies aspects of the old system that should be continued
- aids in planning the implementation of the new system
- possibly determines the cause of reported problem symptoms
CONS
- the current physical tar pit → tendency on the part of the analyst to be sucked in and then bogged down by the task of surveying the current system
- can prevent new ideas if analysts focus too much on the current system
Result: more like an improved old system rather than a new one

The Survey Step
Fact-gathering techniques include observing, participating, interviewing, and reviewing documents. (RIPO)
Facts must be gathered regarding:
- data sources and data stores
- users
- processes
- data flows
- controls, especially audit trails
- transaction volumes
- error rates
- resource costs
- bottlenecks and redundant operations

Fact Gathering Techniques
• Observation
• Task Participation
• Personal Interviews
• Reviewing Key Documents

The Analysis Step
intellectual process that is commingled with fact gathering.
The analyst is simultaneously analyzing as he/she gathers the facts
A formal systems analysis report, prepared and presented to the steering committee, contains:
- reasons for the systems analysis
- scope of the study
- problems identified with the current system
- statement of user requirements
- resource implications
- recommendations

The Conceptualization Phase of Alternative Designs
Produce alternative conceptual solutions that satisfy the requirements identified during systems analysis
Requires just enough detail to highlight the differences between critical features of competing systems rather than their similarities
Alternative options: EDI system or batch system

Accountant's role in Conceptual Design
● Accountants should be responsible for the conceptual system, and the systems professionals for the physical system.
● If important accounting considerations are not conceptualized at this point, they may be overlooked, exposing the organization to potential financial loss.
● The auditability of a system depends in part on its design characteristics.

Systems Evaluation and Selection
A critical juncture in the SDLC
- a formal mechanism for selecting the one system from the set of alternative conceptual designs that will go forward for construction
- an optimization process that seeks to identify the best system
- a structured decision-making process that reduces uncertainty and risk
Selection process involves two steps: (1) detailed feasibility study and (2) cost-benefit analysis
The formal product output: systems selection report

The Role of Accountants in Systems Selection
Accountants ensure that the following are considered during evaluation and selection:
● only escapable costs are used in calculations of cost savings benefits
● reasonable interest rates are used in measuring present values of cash flows
● one-time and recurring costs are completely and accurately reported
● realistic useful lives are used in comparing competing projects
● intangible benefits are assigned reasonable financial values

Detailed Feasibility Study
Similar to the preliminary project feasibility analysis (TELOS), but now more detailed and oriented to deciding on a specific system design.
- ****Cost-benefit analysis is the ECONOMIC feasibility study
- Cost-Benefit Analysis → whether the new system's benefits will outweigh the costs

Identify Costs:
Either one-time or recurring
ONE-TIME COSTS
• Hardware acquisition
• Site preparation
• Software acquisition
• Systems design
• Programming and testing
• Data conversion
• Training

RECURRING COSTS
• Hardware maintenance
• Software maintenance
• Insurance
• Supplies
• Personnel

Identify Benefits
TANGIBLE BENEFITS: reduced costs and increased revenues; can be measured and expressed in financial terms
INTANGIBLE BENEFITS: increased customer/employee satisfaction, improved decision making, operational flexibility, increased efficiency

Comparing Costs and Benefits
Two methods commonly used for evaluating the costs and benefits:
● Net Present Value Method: deduct the present value of costs from the present value of benefits over the life of the project. The optimal choice is the project with the greatest net present value.
● Payback Method: do a break-even analysis of total costs (one-time costs plus present value of recurring costs) and total benefits (present value of benefits). After the break-even point, the system earns future profits. The optimal choice is the project with the greatest future profits.
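An added worked example (not from the notes) of the two methods above on two constructed candidate systems, each with a one-time cost, recurring costs and benefits over a 5-year life at an assumed 8% discount rate; it also reports each project's break-even year, and the two methods do not have to point at the same project.

```python
def present_value(amount: float, rate: float, year: int) -> float:
    """Discount a cash flow received at the end of `year` back to today."""
    return amount / (1 + rate) ** year

def net_present_value(one_time_cost, recurring_costs, benefits, rate):
    """PV(benefits) - PV(costs). The one-time cost falls at year 0 and is not discounted;
    recurring_costs[i] and benefits[i] fall at the end of year i+1."""
    pv_costs = one_time_cost + sum(present_value(c, rate, y) for y, c in enumerate(recurring_costs, 1))
    pv_benefits = sum(present_value(b, rate, y) for y, b in enumerate(benefits, 1))
    return pv_benefits - pv_costs

def break_even_year(one_time_cost, recurring_costs, benefits, rate):
    """First year in which cumulative PV of benefits covers the one-time cost plus
    cumulative PV of recurring costs; None if that never happens within the life."""
    cum_costs, cum_benefits = float(one_time_cost), 0.0
    for y, (c, b) in enumerate(zip(recurring_costs, benefits), 1):
        cum_costs += present_value(c, rate, y)
        cum_benefits += present_value(b, rate, y)
        if cum_benefits >= cum_costs:
            return y
    return None

# Constructed candidate systems (5-year life); not figures from the notes.
RATE = 0.08
PROJECTS = {
    "A": {"one_time": 100_000, "recurring": [10_000] * 5, "benefits": [40_000] * 5},
    "B": {"one_time": 30_000,  "recurring": [28_000] * 5, "benefits": [40_000] * 5},
}

def compare(projects=PROJECTS, rate=RATE) -> dict:
    """NPV and break-even year for every candidate, plus the best under each view."""
    npv = {name: net_present_value(p["one_time"], p["recurring"], p["benefits"], rate)
           for name, p in projects.items()}
    break_even = {name: break_even_year(p["one_time"], p["recurring"], p["benefits"], rate)
                  for name, p in projects.items()}
    reached = [name for name in break_even if break_even[name] is not None]
    return {
        "npv": npv,
        "break_even": break_even,
        "best_by_npv": max(npv, key=npv.get),
        "earliest_break_even": min(reached, key=break_even.get) if reached else None,
    }

if __name__ == "__main__":
    result = compare()
    for name in PROJECTS:
        print(f"{name}: NPV = {result['npv'][name]:,.2f}, break-even year = {result['break_even'][name]}")
    print("best by NPV:", result["best_by_npv"], "| earliest break-even:", result["earliest_break_even"])
```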

How to acquire the system decided on:
● in-house: best for systems that need to meet unique and proprietary business needs → tailor-made from scratch
● purchase commercial software: best for systems that are expected to support "best industry practices" → already existing
● a mix of the first two approaches: make in-house modifications to a commercial system to meet the organization's unique needs

Announcing the New System Project can be the most delicate aspect of the SDLC.
**End user support is critical to success.
All end users need to understand the objectives of the new system.
End users and managers who view the new system as a potential benefit to their jobs, rather than a threat, are more likely to cooperate with the project.

WHY are Accountants Involved with the SDLC?
An information system consumes significant financial resources.
The quality of accounting information systems and their output rests directly on the SDLC activities that produce them.

HOW are Accountants Involved with the SDLC?
As end users who must provide a clear picture of their problems and needs
As members of the development team
As auditors who must ensure that the system is designed with appropriate internal controls and computer audit techniques.
