Audit Trails in an E-commerce Environment

To compete, companies must make it easier for their employees, customer and providers to share vital business in real time and to access services, products and information in the highly competitive global business environment. That said, e-commerce was created to solve the problem. E-commerce is the use of technology to interact with partners or customers in the Internet world. For example, a bank calls this integration e-banking. To compete, companies must show to all the participants in the e-commerce environment integrity, confidentiality, efficiency, effectiveness and availability. For that reason, audit trails that are used in a manner that does not promote company objectives, utilize their benefits effectively, ensure availability, or show integrity, could have a material effect on the goals of the organization. Whether in an office, factory, school, home or retail shop, an organization can benefit from e-commerce--anytime, anywhere. Some believe that the audit trails in e-commerce are generated at the end of the total process, with customer and product information. This is incorrect. Audit trails are used in a variety of systems and equipment. For example, every customer or partner who enters the organization's network with a user ID and password is logged, and these type of transactions must be recorded for later control.

Definitions
Log: Log in or log on, to gain access to a secured computer system or online service by keying in personal identification information. Log off or log out, to terminate a session on such a system or service. Journal: Double-entry bookkeeping. A book into which all transactions are entered before being posted into the ledger. Audit trail 1: A set of transactions from initial customer contact through completion of the sale and delivery of the product or service, including complaints and inquiries. Audit trail 2: A set of transactions that reflects all changes made to a database (customers, products, prices, etc.), a network parameter, a network traffic, a security table(s), an operating system(s), undesired events and alarms.

Audit Trail
Transactions that are sent/received using the external and/or internal networks have integrity and confidentiality categorized as "high." A log must be kept and special attention should be given to these kind of messages because they usually are the core of the business. An organization should log the customer's transaction from its initiation through collection of the receipt and delivery of the product. Additionally, the organization should keep the security administrator's log because he has the option to assign processing functions, assessed as highly confidential, integrity or availability to the employees. Furthermore, these tasks should be logged beyond the compensating controls implemented (e.g., dual control). Without a good audit trail, the organization may have difficulty dealing with customer inquiries, questions about the delivery of service, audit investigations, etc., particularly for older transactions. It would be disappointing to a customer if, following the delivery of the purchased goods or service, the organization could not answer a question or complaint because its system would not provide enough useful information.

Functions of an Audit Trail

(source FFIEC, pages 12-29) An audit trail should be kept to:

Allow an auditor to follow the history of a transaction Permit recovery when it is found that a user has incorrectly updated or deleted a record Investigate the causes when a record is found to be erroneous Assist recovery from massive file destruction Assist in correcting the file where data damage is program caused Correct false information that has been sent to system users Monitor procedural violations to highlight possible breaches of security Assist in correct recovery from a system failure Monitor the way the system is being used (as an aid to design) Recover from the loss of a file-action journal

See Figure 1.

Audit Trail in an E-commerce Environment

The aim of table 1 is to illustate potential audit trails. Please refer to the graph numbers of the first column with figure 2.

Audit Process
Many logs and/or journals need to be reviewed in an IT audit of ecommerce. Therefore, the following is a possible audit process to set the audit strategy:

Interview appropriate management and staff to gain an understanding of business, organization, roles, policies, laws and management reporting, and to define audit scope. Identify information requirements relevant for the business process. Identify inherent IT risks and the overall level of control. A commonly accepted approach for risk analysis in IT is COBIT 3rd Edition. Select processes and platforms to audit. Set the audit strategy.

The risk assessment performed should indicate where and what monitoring needs to be done by the people involved in the security area. Examples may include:

Failed access attempts Incorrect value assigned to data Attempts to change restricted data Excessive use of certain data Invalid entries in event logs

The use of computer assisted audit techniques (CAATs) to assess the safeguarding, integrity, effectiveness and efficiency objectives of audit trails also is recommended (definitions/explanation of these objectives are shown in COBIT 3rd Edition, page 14). Auditors who have used CAATs have found the application of these tools to be widespread, flexible and comprehensive. The use of CAATs allows for the complete analysis of audit trails, focusing testing on subsets that appear with errors or irregularities and presenting them to managers and/or clients in a new format (file or paper). In addition, the following are additional recommendations to add to an audit program of audit trails in an e-commerce audit:

Analyze the security ACL (access control list) assigned to the resources (operating systems generally) where the logs are stored (online, offline, onsite, offsite). Check for existence of policies and procedures about audit trails in applications and products. Review the audit trails towards recreating activity or error analysis as needed. Review the parameters installed in the equipment/software regarding activation/deactivation or deletion. Obtain and assess the risk assessment document for each audit trail generated. Check for the existence of controls over the audit trails considered as high relative to confidentiality and integrity (e.g., EFT systems and their equipment, network, procedures, etc.). Monitor routines to analyze audit trail availability. Review the access control audit trails on the security software or key management reports.

Basel Committee on E-banking

The following principle was issued by the Basel Committee on Banking Supervision in the document entitled "Risk Management Principles for Electronic Banking." Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions.

Delivery of financial services over the Internet can make it more difficult for banks to apply and enforce internal controls and maintain clear audit trails if these measures are not adapted to an e-banking environment. Banks are challenged to ensure not only that effective internal control can be provided in highly automated environments, but also that the controls can be independently audited, particularly for all critical e-banking events and applications. A bank's internal control environment may be weakened if it is unable to maintain clear audit trails for its e-banking activities. This is because much, if not all, of its records and evidence supporting e-banking transactions are in an electronic format. To determine where clear audit trails should be maintained, the following types of e-banking transactions should be considered:

The opening, modification or closing of a customer's account Any transaction with financial consequences Any authorization granted to a customer to exceed a limit Any granting, modification or revocations of systems access rights or privileges

Sound Practices for E-banking Systems

The following are several sound practices to help ensure that a clear audit trail exists for e-banking transactions:

Sufficient logs should be maintained for all e-banking transactions to help establish a clear audit trail and assist in dispute resolution. E-banking systems should be designed and installed to capture and maintain forensic evidence in a manner that maintains control over the evidence and prevents tampering with and the collection of false evidence. In instances where processing systems and related audit trails are the responsibility of a third-party service provider: o The bank should ensure that it has access to relevant audit trails maintained by the service provider. o Audit trails maintained by the service provider must meet the bank's standards.

Conclusion
In today's business environment, organizations are using their network to interact with other networks. The aim is to integrate their businesses with the electronic commerce world. While it is easy to identify an organization's technology, it must know how to use, as well as audit, the technology. The problem is that IT audit or IT risk management has to learn about the risks involved in these new technology infrastructures and how to assess, evaluate and present them. IT auditors can audit (technical or not) all the logs in an e-commerce environment, but they first need to know in what businesses the organization is involved.

References
Chapman and Zwicky, Building Internet Firewalls, O'Reilly & Associates, Inc. COBIT 3rd Edition, IT Governance Institute, www.isaca.org//templateredirect.cfm?section=cobit6 Federal Financial Institutions Examination Council, IS Examination Handbook, volume 1, 1996, www.ffiec.gov Risk Management Principles for Electronic Banking, Basel Committee on Banking Supervision, May 2001, www.bis.org National Institute of Standard and Technology, Guideline on Firewalls and Firewall Policy, January 2002, www.nist.gov Database Security in Oracle8i, An Oracle Technical White Paper, November 1999, www.oracle.com Group Policy Reference (Windows 2000), Systems and Network Attack (NSA) Center, Report number: C4-053R-00, unclassified,W2Kguides@nsa.gov Luis A. Blanco, CISA is an IT auditor in the IT Audit--GRM (Group Risk Management) department at Lloyds TSB Bank plc, Argentina, and has more than seven years of experience in IT audits for financial institutions in Argentina. He is working toward a master's in management information systems at the University of El Salvador in Buenos Aires, Argentina, and currently is doing research in the information technology risk management and wireless LAN network fields. He can be contacted at lablanco@yahoo.com.