Page 217 - Accounting Information Systems
188 PART II Transaction Cycles and Business Processes
REENGINEERING USING THE INTERNET
Doing Business on the Internet
Thousands of organizations worldwide are establishing home pages on the Internet to promote their products
and solicit sales. By entering the seller’s home page address into the Internet communication program
from a PC, a potential customer can access the seller’s product list, scan the product line, and place
an order. Typically, Internet sales are credit card transactions. The customer’s order and credit card
information are attached to the seller’s e-mail file.
An employee reviews the order, verifies credit, and enters the transaction into the seller’s system for
processing in the normal way. Because of the need to review the e-mail file before processing, the
turnaround time for processing Internet sales is sometimes longer than for telephone orders. Research is
currently under way to develop intelligent agents (software programs) that review and validate Internet
orders automatically as they are received.
Unlike EDI, which is an exclusive business arrangement between trading partners, the Internet connects
an organization to the thousands of potential business partners with whom it has no formal agreement.
In addition to unprecedented business opportunities, risks for both the seller and the buyer
accompany this technology. Connecting to the Internet exposes the organization to threats from computer
hackers, viruses, and transaction fraud. Many organizations take these threats seriously and implement
controls including password techniques, message encryption, and firewalls to minimize their risk. The
technology of networks is discussed in the appendix to Chapter 12. In Chapter 16, we examine techniques
for controlling these technologies.
CONTROL CONSIDERATIONS FOR COMPUTER-BASED SYSTEMS
The remainder of this section looks at the relationship between internal controls under alternative
processing technologies. The purpose of this discussion is to identify the nature of new exposures and gain some
insight into their ramifications. Solutions to many of these problems are beyond the scope of discussion
at this point. Chapters 15, 16, and 17 present these general control issues as well as management and
auditor responsibilities under Sarbanes-Oxley legislation.
Authorization
Transaction authorization in real-time processing systems is an automated task. Management and
accountants should be concerned about the correctness of the computer-programmed decision rules and
the quality of the data used in this decision.
In POS systems, the authorization process involves validating credit card charges and establishing that
the customer is the valid user of the card. After receiving online approval from the credit card company,
the clerk should match the customer’s signature on the sales voucher with the one on the credit card.
Segregation of Duties
Tasks that would need to be segregated in manual systems are often consolidated within computer programs.
For example, a computer application may perform such seemingly incompatible tasks as inventory control,
AR updating, billing, and general ledger posting. In such situations, management and auditor concerns are
focused on the integrity of the computer programs that perform these tasks. They should seek answers to such
questions as: Is the logic of the computer program correct? Has anyone tampered with the application since it
was last tested? Have changes been made to the program that could have caused an undisclosed error?
Answers to the questions lie, in part, in the quality of the general controls over segregation of duties
related to the design, maintenance, and operation of computer programs. Programmers who write the
original computer programs should not also be responsible for making program changes. Both of these
functions should also be separate from the daily task of operating the system.
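The two checks this section asks for can be run as a routine detective control. The sketch below is an added example, not taken from the textbook: it compares deployed programs against hashes recorded at the last test and flags any person holding more than one of the author, maintainer, and operator roles for the same program. The program names, people, file contents, and the use of SHA-256 are assumptions made for illustration.

```python
import hashlib
from itertools import combinations

def digest(code: bytes) -> str:
    """SHA-256 fingerprint of a program file's contents."""
    return hashlib.sha256(code).hexdigest()

def changed_since_test(baseline: dict, deployed: dict) -> dict:
    """Compare deployed programs with the hashes recorded at the last test."""
    findings = {}
    for name in sorted(baseline.keys() | deployed.keys()):
        if name not in deployed:
            findings[name] = "missing"      # tested program no longer present
        elif name not in baseline:
            findings[name] = "untested"     # running without a test record
        elif digest(deployed[name]) != baseline[name]:
            findings[name] = "modified"     # changed after it was tested
    return findings

def sod_conflicts(roles: dict) -> list:
    """List (program, person, role_a, role_b) where one person holds two roles."""
    conflicts = []
    for program, assigned in sorted(roles.items()):
        pairs = combinations(sorted(assigned.items()), 2)
        for (role_a, who_a), (role_b, who_b) in pairs:
            if who_a == who_b:
                conflicts.append((program, who_a, role_a, role_b))
    return conflicts

# Constructed sample data: program names, people and contents are invented.
TESTED = {"billing": b"post_invoice(v1)", "ar_update": b"update_ar(v1)"}
BASELINE = {name: digest(code) for name, code in TESTED.items()}
DEPLOYED = {
    "billing": b"post_invoice(v1)",
    "ar_update": b"update_ar(v1) # hotfix",  # changed after testing
    "gl_posting": b"post_gl(v1)",            # never went through testing
}
ROLES = {
    "billing": {"author": "ana", "maintainer": "raj", "operator": "lee"},
    "ar_update": {"author": "ana", "maintainer": "ana", "operator": "lee"},
    "gl_posting": {"author": "raj", "maintainer": "kim", "operator": "kim"},
}

if __name__ == "__main__":
    for name, status in changed_since_test(BASELINE, DEPLOYED).items():
        print(f"{name}: {status}")
    for program, person, a, b in sod_conflicts(ROLES):
        print(f"{program}: {person} is both {a} and {b}")
```

The baseline of hashes is only useful evidence if it is stored where neither programmers nor operators can rewrite it.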
Supervision
In an earlier discussion, we examined the importance of supervision over cash-handling procedures in the
mail room. The individual who opens the mail has access both to cash (the asset) and to the remittance
advice (the record of the transaction). A dishonest employee has an opportunity to steal the check and