- Identify at least three risks that auditors need to consider for companies that process web-based sales transactions, including credit card payments.
- For each risk identified, develop a risk mitigation strategy. Provide specific examples.
- Identify specific controls and tests of controls related to IT governance, including:
  - Organizing the IT function.
  - Controlling computer center operations.
  - Designing an adequate disaster recovery plan.
I would say that Occurrence, Completeness, and Posting are the most important assertions for auditors to verify when examining web-based transactions. I have previously run webstores, and in my experience the transactions are usually easy to identify and test for because they go through several stages of third-party verification before they appear as sales in the web site history.
Companies usually require third parties involved in the maintenance and design of their web platform, as well as third-party payment processors such as a merchant processor or PayPal, or both, which are involved in each transaction. The web store and the payment processors each produce their own statements of sales and payments, which can be referenced with bank statements to verify that sales and payments have occurred and are accounted for. Web sales also produce shipping and customer information that can be used to verify occurrence.
Completeness is often a difficult assertion to verify, but these same characteristics of web transactions make it difficult to hide sales from the system. The automated nature of web stores makes it nearly impossible to “hide” web sales because the shipping, customer, payment, and inventory systems would all have to be circumvented to avoid records of the sales occurring.