RISK MANAGEMENT

E-commerce

‘ e-tail, e-trade, e-retail, online buying selling, e-commerce, online shopping what ever term it take, its there; and growing from luxurious to FMCGs and from raw material of companies to grocery, vegetables, from autos to books.

E-commerce

‘e-commerce definition

The use of electronic transmission to engage in the exchange, including buying and selling, of products and services requiring transportation, either physically or digitally, from location to location.

when parts are shipped, supplier electronically transmits invoice to manufacturer.

because it reduces data entry, mailing costs and time to complete transactions.

E-commerce opportunities

powerful tool in the economic growth of developing countries

E-commerce promises better business for SMEs

sustainable economic development

Requires strong political will and good governance

Requires responsible and supportive private sector

Risk

This paper discusses what types of risks are present in e-commerce and presents a methodology that can be used to control e-commerce risks.

e-commerce-based risks are similar to those encountered in other business environments and that many of the requisite controls are extensions of controls for managing information systems risks.

Ecommerce categories

Business-to-business (B2B) e-commerce: Companies buying from and selling to each other

online. EDI was the early form for undertaking B2B e-commerce.

Business-to-consumer (B2C) e-commerce: Any business or organisation that sells its products

or services to consumers over the Internet

B2B: audit client is transacting with small group of other businesses (identity known, authorisation).

B2C: audit client is transacting with the world at large (identity unknown).

E-commerce risks include:

Risks arising from the nature of relationships with e-commerce trading partners;

Risks related to the recording and processing of e-commerce transactions;

Pervasive e-commerce security risks, including privacy issues;

Fraud risks; and

Risks of systems failures or ‘crashes’.

Risk in revenue recognition

Risk in revenue recognition

E-commerce companies are often based on revenue multiples, revenue is the area susceptible of misuse and fraud so subject to constant scrutiny i.e. continuous Audit

Revenues Are Often More Complicated in e-Commerce

Accounting issue is timing of revenue recognition and presentation (gross vs net)

Timing of revenue When orders received When goods dispatched When received by customer When accepted by customer When goods return option elapsed

Risk in revenue recognition

Most of companies accept payment via credit/ debit card or cash on delivery and delivery primary responsibility of company so important to consider risk and rewards transferred to customer at time of revenue recognition

revenue presentation (gross vs net)

At value customers billed including all costs of carriage, discount, insurance, agency commission and return costs

Risk in revenue at gross

Typical e-Commerce firm had negative earnings and P/E multiples

Companies that report at gross may inflate market share proportions

Examples of Reporting at Gross Priceline.com brokered airline tickets online and included

the full price of the ticket as Priceline.com revenues. This greatly inflated revenues relative to traditional ticket brokers and travel agents who only included commissions as revenue.

eBay.com included the entire price of auctioned items into its revenue even though it had no ownership or credit risk for items auctioned online.

Land's End issued discount coupons (e.g., 20% off the price), recorded sales at the full price, and then charged the price discount to marketing expense.

Risk in revenue recognition

Goods delivered to customer have option of return so revenue may be recognised when return option elapsed

Credit risk

Price discretion and discrimination

Direct taxation; legal issues related to taxes on revenues considered mainly responsibility of source country and company using that source, these issues not yet settled resolved case to case basis

A note must be given in financial statement regarding revenue recognition criteria

Risk in revenue recognition Management

Recognise revenue when each performance criteria satisfied Point of time vs over the period

when control passes

Disclosure of revenue recognition criteria

Continuous process auditing auditors review transactions at frequent intervals or as

they occur

intelligent control agents: heuristics(artificial intelligence) that search electronic transactions for anomalies

Ecommerce operational RiskWe have categorized risks in three primary areas:

Information risks stem from information published and containedin web sites and associated with the conduct of e-commerce. risksassociated with misuse of information, such as violation of laws ofhost country and other countries.

Technology risks include risks involving hardware, software,telecommunications and databases. These risks include theconsequences resulting from the misuse of technology or the useof inappropriate technologies required to address business needs.

Business risks concern customer and supplier relationships, andrisks associated with products and services marketed anddistributed over the Internet. They also include risks associatedwith managerial aspects of the contractual relations.

Information Risk

Information Risk Content on web page exposing web publisher to libel,

defamation of character, slander

Copyright infringement and invasion of privacy suits stemming from posted textual content ,digital scanning and morphing

Copyright, patent, or trade secret infringement violations by material used by web site developers

After unauthorized access to a web site, online information about employees or customers is stolen, damaged or released without authorization

Credit card information intercepted in transit is disclosed or used for fraudulent purposes

Information that has been changed or inserted in transmission is processed leading to erroneous results

Flight of intellectual property due to employees moving to competitors

Technology Risk Negligent errors or omissions in software design

Unauthorized access to a web site,

Infecting a web site with computer viruses

Internet service provider (ISP) server crashes

Software error and omission risks causing unauthorized access

Software content risk that violates a copyright

Insufficient bandwidth to handle traffic

Technology Risk

Insufficient bandwidth to handle traffic Obsolete hardware or hardware lacking the capacity

to process required traffic Risk due to excessive ISP outages or poor

performance ISP or home-company servers being down Scant technical infrastructure to manage cycle time to

develop, present, and process web-based products Inability of customer or supplier computers to handle

graphical downloads

Business Risk Risks related to payment to web site developers and disputes

between developers and clients

Lack of maintenance on existing web pages

Changes in supplier relationships re: data access, data ownership, distribution strategy, and marketing tactics

Changes in customer relationships re: data access, data ownership, distribution strategy, and marketing tactics

Products out-of-stock due to poor communication with operations

High shipping costs required for distribution

Inconvenient return policies -- lack of coordination with physical system

Excessive dependence on ISP to support firm's business strategy

Inability to manage cycle time for developing, presenting, and processing web-based products

Risk due to unprotected domain names which are usued by other organizations

Insufficient integration of e-commerce with supply chain channels

E-Commerce controls Security infrastructure controls (firewalls,

encryption and other security controls);

Systems controls (controls over systems development, systems monitoring); and

Programmed controls (e.g. to ensure customer is authentic – payment authorised with approved credit card, order is reasonable, method of payment or credit-worthiness have been established).