API PUBL 3802-1992 Audit Control Guide《审计管理》.pdf

Uploader: lawfemale396  Document ID: 399760  Uploaded: 2018-10-21  Format: PDF  Pages: 47  Size: 1.77MB
Resource description

Electronic Data Interchange Audit Control Guide

Petroleum Industry Data Exchange
A Standards Committee of the American Petroleum Institute

American Petroleum Institute
1220 L Street, Northwest
Washington, DC 20005

February 1992

CONTENTS

Introduction ... v
I. EDI Administration ... 1
II. Trading Partner Agreements ... 7
III. Value Added Networks ... 13
IV. Data Transmission Integrity ... 19
V. Application Controls ... 24
VI. Backup and Recovery ... 28
VII. Conclusion ... 32
Glossary ... 33

INTRODUCTION

Electronic Data Interchange (EDI) is defined as the computer-to-computer exchange of business information between trading partners in a standardized format. Transactions can be processed much faster with EDI, which enables organizations to increase customer satisfaction, reduce costs, and improve their competitive positions. In an effort to capitalize on these benefits, the petroleum industry, through the API, has made a major commitment to expanded use of this technology. In conjunction with this effort, the API Internal Audit Committee established a task force to examine related control, legal, and audit issues.

SCOPE

This guide is intended as a reference document in the preparation of more definitive guidelines, programs, and procedures for specific users and business risks. Users of the guide should be alert and responsive to the individual needs of their organization. The guide was written primarily for audit professionals, but it may also benefit information systems, EDI, controller, and legal professionals across the industry. It represents the views and experiences of its authors. An effort has been made to be comprehensive; however, it is not possible to anticipate the control needs of every organization. Certain controls may not be enforceable or even useful in a particular environment. The basic principles of control, such as segregation of duties, documentation, timeliness, completeness, supervision, and review, are as necessary in EDI as in any other business environment.

This guide identifies key exposures and security issues which are unique to the implementation of the technology. It does not replace the traditional application audit program. Rather, it emphasizes the types of controls which apply more specifically to an EDI environment. This guide focuses on the exchange of data rather than funds. As such, controls specific to Electronic Funds Transfer (EFT) have not been included; however, many of the controls outlined herein could be extended to the EFT environment.

When EDI is implemented, business processes become increasingly dependent on the security and control of the communications network and application software. The following are just a few of the risks associated with EDI:

- Unauthorized access to transactions could facilitate industrial espionage or major fraud via transaction manipulation.
- Lost, unauthorized, or inaccurate transactions could cause financial losses.
- Misunderstandings between trading partners over the following issues can damage business relationships and cause lost revenue:
  - What transaction format to use
  - Whether or not to send acknowledgments
  - Responsibility for errors, omissions, or communications problems
  - Changes in third-party services or providers
- Lack of knowledge of laws and regulations governing EDI could create legal liability or unrecoverable losses.

GUIDELINES

I. EDI Administration - This section covers the overall management, including topics such as data security policy, organization, and planning. A coordination function is needed to administer the company's EDI program. The coordinator needs to offer leadership both inside and outside the company and is responsible for establishing guidelines, providing technical assistance, providing a review/advisory role for EDI projects, and communicating EDI issues throughout the company.

II. Trading Partner Agreements - This section describes the essential contents of trading partner agreements, which provide the basis for understanding the responsibilities and obligations of trading partners. A trading partner agreement addresses the standards and methods of data electronically sent and received between two or more parties. The level of detail and specific content found in a trading partner agreement depends on the importance of the underlying transaction. Decisions regarding whether to include or exclude certain provisions should be based on the significance of the associated business risks.

III. Value Added Networks (VANs) - A trading partner may elect to use a third-party service provider, such as a VAN, to obtain certain teleprocessing or other services. This section is similar to the trading partner agreement section but emphasizes the internal security procedures of third-party suppliers.

IV. Data Transmission Integrity - This section deals with procedures for internal business systems and telecommunications as they apply to EDI. Topics include transaction validation, data mapping, data integrity, error detection, and communication.

V. Application Controls - This section covers control issues that generally apply to any application which sends or receives information via an EDI transmission. Emphasis has been placed on processing controls for incoming transactions.

VI. Backup and Recovery - This section includes planning measures which ensure the continuity of business transactions and operations if a disruption of EDI services and/or operation occurs. It addresses the need for coordinated backup plans for applications, VANs, and trading partners, and includes requirements for data retention on media which substitute for paper documents.

A particular control may be applicable to more than one of the above sections. In this case, the control has been documented in multiple sections to promote clarity and readability of the guide.

SECTION I
EDI ADMINISTRATION

INTRODUCTION

An administrative function needs to exist within each company to address issues particular to EDI and to support and manage the implementation of EDI. The type and size of this organization will vary depending on the company's needs. The organization might consist of a coordinating committee (and possibly subcommittees), a project team, or a full-time coordinator. Regardless of an organization's type and size, a coordination function is needed to administer the company's EDI program. The coordinator is responsible for establishing guidelines, providing technical assistance, providing a review/advisory role for projects, and communicating EDI issues throughout the company.

Risks associated with inadequate EDI administration include the following:

- Lack of a company vision for EDI, which may result in misunderstanding and lack of management commitment to EDI opportunities.
- Redundant EDI administrative activities.
- Potential duplication of EDI applications and computing resources.
- Inconsistent EDI approaches.

These risks can result in missed business opportunities or additional cost to the organization.

GUIDELINES

A. Leadership

The coordinator should provide leadership for the company's EDI effort both inside and outside the company. Outside influence is particularly important since business groups typically set EDI standards.

1. The coordinator should promote EDI within the company as follows:
   a. Creates an EDI vision and strategy for the entire company.
   b. Acts as the focal point for all EDI activity within the company.
   c. Gains management's commitment to EDI concepts.
   d. Generates ideas for linking EDI with business strategies.
   e. Participates in the operating departments' technology planning.
   f. Promotes EDI solutions.
   g. Educates and raises consciousness about EDI through presentations.
   h. Conducts EDI seminars for company employees.

2. The coordinator should influence EDI's direction outside the company as follows:
   a. Actively participates in EDI focal groups and committees.
   b. Represents the company by participating in standards-setting organizations, groups, and/or committees.
   c. Holds EDI seminars for suppliers and partners.

B. EDI Guidelines

The coordinator should set internal guidelines for the entire company. Guidelines specific to EDI are needed because of the complexities brought to the organization by incorporating the technology into business practices. EDI guidelines may include the following:

1. Defining EDI and related terms.
2. Identifying opportunities to exploit EDI.
3. Giving advice on and examples of trading partner contracts.
4. Setting basic policies for the company's trading partner relationships.
5. Establishing rules for the conversion of data for use in applications.
6. Setting guidelines for data retention/backup procedures.
7. Establishing minimum requirements for disaster recovery.
8. Issuing data security policies and procedures for those applications impacted by EDI.

C. Business Assessments of New EDI Technologies

The coordinator should keep current on changing EDI technologies and provide guidance in technical areas. In this role, the oversight function might include the following:

1. Providing technical assessments of various EDI technologies.
2. Maintaining an awareness of trends in EDI communications technology.
3. Providing technical consultation to project support teams on communications technology capabilities and alternatives.
4. Providing advice and counsel to project support teams by performing evaluations of specific network vendor services.
5. Recommending translation processes available through standard software.
6. Providing technical assessment of proposed changes to all standards used by the company through industry, national, and international conventions.

D. Review/Advisory Role for EDI Projects

The coordinator should provide review/advisory services for projects and will require easy access to all resources important to EDI. In this capacity, the EDI group should perform the following:

1. Coordinate audit coverage of EDI systems before, during, and after implementation.
2. Communicate with trading partners and help establish appropriate ground rules.
3. Review EDI contracts and assist in contract negotiations with trading partners. Obtain appropriate legal counsel when required.
4. Advise the project team on changes required to operational procedures, management control procedures, and computer applications in order to implement the electronic delivery and/or receipt of business documents.
5. Monitor progress of all projects.
6. Assist with implementations to reduce the learning curve and to eliminate redundant applications.
7. Help prioritize projects.

E. Coordinate EDI Legal Issues

Electronic Data Interchange alters business procedures by eliminating the need for paper documents and associated handling procedures. Legal risks are especially troublesome because courts have yet to rule on some EDI issues. The technology raises new legal concerns which must be effectively addressed to ensure organizations comply with federal, state, and local laws, reduce potential legal liability, and avoid partner misunderstandings. When using EDI, strong internal control helps businesses avoid possible litigation. The coordinator should establish guidelines which assist in reducing legal risks. Currently, legal issues are primarily addressed in trading partner agreements, which serve as contracts between trading partners. (See Section II on this subject.) The coordinator should also maintain contact with appropriate legal counsel to keep current on EDI legal issues. Some areas of legal concern which require attention include the following:

1. Legal Proof

A business must be able to prove, after the fact, the details of transactions communicated between trading partners. Traditionally, evidence was made available by retaining paper documents such as purchase orders and invoices. EDI replaces ink and paper. There is currently no legal precedent for or against allowing EDI representations of legal instruments to be used as legal proof to settle a dispute in a court of law. The law only states that information used in court must be reliable. Therefore, strong internal controls need to be in place to ensure reliability in the EDI environment. In the absence of legal precedent it may be prudent to recommend retaining all three EDI mediums: the untranslated transmission, the translation software and its related translation standards, and the translated data.

2. Message Authenticity

Message authenticity in the world of paper documents includes letterheads or other printing on paper showing origin, handwritten signatures, a notary seal, etc. With EDI, controls which establish authenticity can be placed around electronic messages. Some of these controls may be the same as those for paper documents. Other controls specific to the electronic medium may include properly protected passwords, message authentication codes, or cryptographic schemes. If a party wishes to hold its trading partner legally accountable for EDI transactions, it should require that internal controls be in place to ensure authenticity, and that acknowledgements or confirmations are returned for each transmission.

3. Reliable Records

Data brought to court as legal proof is required to be reliable or trustworthy. Strong internal control is the basis for establishing trustworthiness. If electronic records are to be reliable, they must not be manipulated unless stringent audit trails are in effect, and the person who is entrusted with the records must not have conflicting responsibilities. Logs and data kept in original condition can also help establish the reliability of records.

4. Regulations

Various laws and regulations require businesses to keep records of their transactions and implement controls to ensure record integrity and to guard against fraudulent transactions. The Statute of Frauds, the Foreign Corrupt Practices Act, state corporation laws, and tax record keeping regulations are examples of laws or regulations which raise questions of compliance in the EDI environment. The coordinator should stay alert to activities in these areas and coordinate or direct appropriate responses to new developments.

SECTION II
TRADING PARTNER AGREEMENTS (TPAs)

INTRODUCTION

A Trading Partner Agreement is a c
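The "Message Authenticity" item above names message authentication codes and per-transmission acknowledgements as the electronic counterparts of signatures and seals. The following is an added illustration, not part of the API guide, of how those two controls fit together for one interchange: the receiver verifies a keyed MAC before the application processes anything, and returns an acknowledgement that is itself MAC-protected and names the control number and a hash of the payload received. The interchange, the shared key, and all function names are constructed for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample: a purchase-order interchange with a control number
# that the receiver's acknowledgement will reference.
SAMPLE_INTERCHANGE = (
    "ISA*SENDERCO*RECEIVERCO*920214*1030*CTRL000123~"
    "PO1*1*500*BBL*CRUDE*41.25~"
    "IEA*1*CTRL000123~"
)
SHARED_KEY = b"constructed-demo-key-exchanged-out-of-band"


@dataclass(frozen=True)
class Transmission:
    control_number: str  # referenced by the acknowledgement
    payload: str         # the untranslated transmission, retained as evidence
    mac: str             # hex HMAC-SHA256 over control_number and payload


def _mac(key: bytes, control_number: str, payload: str) -> str:
    # The control number is bound into the MAC so a valid MAC cannot be
    # re-attached to a different interchange.
    msg = control_number.encode() + b"\x1f" + payload.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def send(key: bytes, control_number: str, payload: str) -> Transmission:
    return Transmission(control_number, payload, _mac(key, control_number, payload))


def receive(key: bytes, t: Transmission) -> tuple[bool, str]:
    """Receiver control: verify authenticity before processing, then return
    a MAC-protected acknowledgement naming the control number and a hash of
    the payload, so the sender can prove what the partner received."""
    if not hmac.compare_digest(_mac(key, t.control_number, t.payload), t.mac):
        return False, ""  # reject and log; nothing reaches the application
    body = f"ACK*{t.control_number}*{hashlib.sha256(t.payload.encode()).hexdigest()}"
    return True, f"{body}*{_mac(key, t.control_number, body)}"


def sender_verifies_ack(key: bytes, sent: Transmission, ack: str) -> bool:
    """Sender control: the acknowledgement must be authentic and must
    describe exactly the interchange that was sent."""
    body, _, mac = ack.rpartition("*")
    if not hmac.compare_digest(_mac(key, sent.control_number, body), mac):
        return False
    expected = f"ACK*{sent.control_number}*{hashlib.sha256(sent.payload.encode()).hexdigest()}"
    return hmac.compare_digest(body, expected)


if __name__ == "__main__":
    t = send(SHARED_KEY, "CTRL000123", SAMPLE_INTERCHANGE)
    ok, ack = receive(SHARED_KEY, t)
    print("authentic:", ok, "ack verified:", sender_verifies_ack(SHARED_KEY, t, ack))
    altered = Transmission(t.control_number, t.payload.replace("*500*", "*5000*"), t.mac)
    print("altered accepted:", receive(SHARED_KEY, altered)[0])
```

Retaining the transmission, its MAC and the returned acknowledgement together gives the "after the fact" evidence the Legal Proof item asks for; a quantity changed in transit fails the MAC check and is never acknowledged.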
