Title: E-Business
1. E-Business

2. E-Commerce
- A method of buying and selling products and services electronically; or, e-commerce is the automation of the business process between buyers and sellers.
- The main methods of e-commerce remain the Internet and the World Wide Web, but email, fax and telephone orders are also prevalent.
- Commerce itself is, quite simply, the exchange of goods and services, usually for money.

3. Elements of e-commerce
- A product
- A place to sell the product; in the e-commerce case a web site displays the products in some way and acts as the place
- A way to get people to come to your web site
- A way to accept orders, normally an on-line form of some sort
- A way to accept money, normally a merchant account handling credit card payments. This piece requires a secure ordering page and a connection to a bank. Alternatively, you may use more traditional billing techniques, either on-line or through the mail.
- A fulfillment facility to ship products to customers (often outsourceable). In the case of software and information, however, fulfillment can occur over the Web through a file download mechanism.
- A way to accept returns
- A way to handle warranty claims if necessary
- A way to provide customer service (often through email, on-line forms, on-line knowledge bases, FAQs, etc.)

4. The disadvantages of e-commerce
- Getting traffic to come to your web site
- Getting traffic to return to your web site a second time
- Differentiating yourself from the competition
- Getting people to buy something from your web site. Having people look at your site is one thing; getting them to actually type in their credit card numbers is another.
- Integrating an e-commerce web site with existing business data (if applicable)
- Confidentiality of data
- Integrity of data
- Availability of the Internet connection (an outage takes the shop offline)
- Power shift to customers

5. E-commerce Audit and Control Issues (Best Practices)
- When reviewing the adequacy of contracts in e-commerce applications, audit and control professionals should assess the applicable use of the following items:
- A set of security mechanisms and procedures that, taken together, constitute a security architecture for e-commerce (e.g. Internet firewalls, PKI, encryption, certificates and password management)
- A process whereby participants in an e-commerce transaction can be identified uniquely and positively (e.g., a process using some combination of public and private key encryption and certified key pairs)
- Digital signatures, so that the initiator of an e-commerce transaction can be uniquely associated with it
- The procedures in place to control changes to an e-commerce presence
- Logs of e-commerce applications, which should be monitored by responsible personnel
- The methods and procedures to recognize security breaches when they occur (network- and host-based intrusion detection systems)
- The protections in place to ensure that data collected about individuals are not disclosed without their consent nor used for purposes other than those for which they were collected

6. E-commerce Audit and Control Issues (Best Practices)
- The mechanisms to protect e-commerce presences and their supporting private networks from computer viruses, and to prevent them from propagating viruses to customers and vendors
- The features within the e-commerce architecture to keep all components from failing and to allow them to repair themselves if they should fail (no single point of failure, built-in resilience)
- A plan and procedure to continue e-commerce activities in the event of an extended outage of the resources required for normal processing
- A commonly understood set of practices and procedures to define management's intentions for the security of e-commerce
- A shared responsibility within the organization for e-commerce security
- Communications from vendors to customers about the level of security in an e-commerce architecture
- A regular program of audit and assessment of the security of e-commerce environments and applications, to provide assurance that controls are present and effective

7. Payment Mechanisms in e-Commerce
- Credit Cards
  - Credit is money made available to you by a bank or other financial institution, like a loan.
- Debit Card/Stored Value Card/Digital Cash/Cheque Card/Prepaid Card
  - A credit card is a way to pay later; a debit card is a way to pay now. When you use a debit card, your money is quickly deducted from your checking or savings account.
- Electronic Fund Transfers (EFT)
  - Using electronic fund transfers (EFT), people can pay for goods and services by having funds transferred between accounts electronically, using computer technology. One of the most visible demonstrations of EFT is the ATM, the automated teller machine that people use to obtain cash quickly.

8. Security in an EFT environment
- All of the equipment and communication linkages are tested to transmit and receive data effectively and reliably
- Each party uses security procedures that are reasonably sufficient for effecting the authorized transmission of data and for protecting business records and data from improper access
- Guidelines are set for the receipt of data, ensuring that the recorded receipt date and time for transmitted data are the date and time at which the data were actually received
- Upon receipt of data, the receiving party immediately transmits an acknowledgment or notification to tell the sender that a successful transmission occurred
- Data encryption standards are set
- Standards for handling unintelligible (garbled or undecipherable) transmissions are set
- Regulatory requirements for the enforceability of electronic data transmitted and received are explicitly stated

9. Automated Teller Machine (ATM)
- An ATM is a specialized form of the POS terminal that is designed for unattended use by a customer of a financial institution. ATMs customarily allow a range of banking and debit operations, especially deposits and cash withdrawals. ATMs are usually located in uncontrolled areas to facilitate easy access for customers after hours.

10. Internal control guidelines for ATMs
- Written policies and procedures covering personnel, security controls, operations, disaster recovery, credit and cheque authorization, override, settlement, and balancing
- Reconciliation of all general ledger accounts related to retail EFTs, and review of exception items and suspense accounts
- Procedures for PIN issuance and protection during storage
- Procedures for the security of PINs during delivery, and the restriction of access to a customer's account after a small number of unsuccessful attempts
- Systems should be designed, tested and controlled to prevent retrieval of stored PINs in any non-encrypted form. Application programs and other software containing the formulas, algorithms and data used to calculate PINs must be subject to the highest level of access control.
- Controls over plastic card procurement should be adequate, with a written agreement between the card manufacturer and the bank that details control procedures and the methods of resolution to be followed if problems occur.
- Controls and audit trails of the transactions that have been made at the ATM
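The two PIN controls above (never hold a PIN in a recoverable form; block the account after a small number of failed attempts) as an added example in Go. This is not code from the slides or from any bank's ATM system. It assumes that a keyed HMAC-SHA256 "PIN verification value" stands in for the PVV/offset schemes banks actually use, that the verification key (a constructed placeholder here) would live inside an HSM in practice, a three-attempt lockout policy, and a constructed PAN and PIN.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"errors"
	"fmt"
)

// pinVerificationKey stands in for the PIN verification key that a real bank
// keeps inside a hardware security module; the value is a constructed
// placeholder for this example and must never be used in production.
var pinVerificationKey = []byte("example-pin-verification-key")

// maxPINAttempts is the "small number of unsuccessful attempts" after which
// the account is blocked until a customer-service reset (assumed policy).
const maxPINAttempts = 3

var (
	ErrWrongPIN      = errors.New("incorrect PIN")
	ErrAccountLocked = errors.New("account locked after too many failed PIN attempts")
)

// pinVerificationValue derives the value the bank stores instead of the PIN:
// an HMAC-SHA256 over PAN and PIN under the verification key. Without the key
// the PIN cannot be recovered from it, so nothing in the database holds the
// PIN in clear or in a reversible form.
func pinVerificationValue(pan, pin string) []byte {
	mac := hmac.New(sha256.New, pinVerificationKey)
	mac.Write([]byte(pan + "|" + pin))
	return mac.Sum(nil)
}

// Account is the issuer-side record consulted when a card is used at an ATM.
type Account struct {
	PAN            string // primary account number embossed on the card
	PVV            []byte // stored PIN verification value, never the PIN itself
	FailedAttempts int    // consecutive wrong PINs since the last success
	Locked         bool
}

func NewAccount(pan, pin string) *Account {
	return &Account{PAN: pan, PVV: pinVerificationValue(pan, pin)}
}

// VerifyPIN checks a PIN keyed in at an ATM. A locked account rejects even the
// correct PIN; a correct PIN resets the failure counter; the third consecutive
// failure locks the account.
func (a *Account) VerifyPIN(enteredPIN string) error {
	if a.Locked {
		return ErrAccountLocked
	}
	candidate := pinVerificationValue(a.PAN, enteredPIN)
	// Constant-time compare so response timing does not leak how many bytes matched.
	if subtle.ConstantTimeCompare(candidate, a.PVV) == 1 {
		a.FailedAttempts = 0
		return nil
	}
	a.FailedAttempts++
	if a.FailedAttempts >= maxPINAttempts {
		a.Locked = true
		return ErrAccountLocked
	}
	return ErrWrongPIN
}

func main() {
	// Constructed sample card: PAN and PIN are made up for the demonstration.
	acct := NewAccount("4000001234567899", "4821")
	fmt.Println("stored PVV:", hex.EncodeToString(acct.PVV))
	for _, pin := range []string{"1111", "2222", "3333", "4821"} {
		err := acct.VerifyPIN(pin)
		fmt.Printf("PIN %s -> err=%v failed=%d locked=%v\n", pin, err, acct.FailedAttempts, acct.Locked)
	}
}
```

The audit point is in what the record holds: an auditor reading the `Account` table sees only the PVV, and the code that derives it (and the key it needs) is the "highest level of access" item from the list above. The lockout also applies to the correct PIN once tripped, which is what stops an attacker from simply continuing to guess.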

11. Audit of ATMs
- To perform an audit of ATMs, the IS auditor should:
- Review measures to establish proper customer identification and maintenance of their confidentiality
- Review the file maintenance and retention system used to trace transactions
- Review exception reports, which provide an audit trail
- Review the daily reconciliation of ATM transactions, including segregation of duties in the opening of the ATM and the recount of deposits
- Review the procedures for retained (captured) cards
- Review encryption key change management procedures

12. E-cheques
- A user writes an electronic cheque, which is a digitally signed instruction to pay. This is transferred (in the course of making a purchase) to another user, who then deposits it with the issuer. The issuer verifies the payer's signature on the payment and transfers the funds from the payer's account to the payee's account.
- Some advantages of electronic cheque systems are:
  - Easy to understand and implement
  - The availability of electronic receipts, allowing users to resolve disputes without involving the issuer
  - No need for the payer to be online to create a payment
  - These systems are usually fully traceable, which is an advantage for certain law enforcement, tax collection and marketing purposes, but a disadvantage for those concerned about privacy.
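The write-then-deposit flow on this slide, and the digital-signature and nonrepudiation items on the e-commerce audit (slide 5) and e-banking control (slide 17) lists, as an added example in Go. This is not code from the slides or from any bank's or payment system's code base. It assumes Ed25519 signatures over a canonical JSON encoding of the cheque, a payer-assigned unique cheque ID, an in-memory issuer, and constructed account names and balances. It goes one step beyond the slide's description: the issuer also records which cheque IDs it has already honoured, so the same signed cheque cannot be deposited twice, and it verifies the signature before trusting any field of the cheque.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// Cheque is the payer's instruction to pay. ChequeID is a unique serial the
// payer assigns (an assumption of this example) so the issuer can refuse a
// second deposit of the same cheque.
type Cheque struct {
	ChequeID    string `json:"cheque_id"`
	Payer       string `json:"payer"`
	Payee       string `json:"payee"`
	AmountCents int64  `json:"amount_cents"`
	Currency    string `json:"currency"`
}

// SignedCheque carries the payer's Ed25519 signature over the canonical
// encoding; changing any field afterwards invalidates the signature.
type SignedCheque struct {
	Cheque    Cheque
	Signature []byte
}

// canonical is the exact byte string that is signed and verified. Struct
// field order is fixed, so encoding/json produces the same bytes every time.
func (c Cheque) canonical() []byte {
	b, err := json.Marshal(c)
	if err != nil {
		panic(err)
	}
	return b
}

// NewKeyPair creates a customer's signing keys; signing needs no issuer contact.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// WriteCheque is the offline step: the payer signs without being online.
func WriteCheque(priv ed25519.PrivateKey, c Cheque) SignedCheque {
	return SignedCheque{Cheque: c, Signature: ed25519.Sign(priv, c.canonical())}
}

var (
	ErrUnknownPayer  = errors.New("payer has no registered public key")
	ErrBadSignature  = errors.New("payer signature does not verify")
	ErrPayeeMismatch = errors.New("depositor is not the named payee")
	ErrBadAmount     = errors.New("amount must be positive")
	ErrAlreadyPaid   = errors.New("cheque already deposited")
	ErrInsufficient  = errors.New("insufficient funds")
)

// Issuer is the bank that registered each payer's public key and holds balances.
type Issuer struct {
	keys      map[string]ed25519.PublicKey
	balances  map[string]int64
	deposited map[string]bool // cheque IDs already honoured (replay protection)
}

func NewIssuer() *Issuer {
	return &Issuer{keys: map[string]ed25519.PublicKey{}, balances: map[string]int64{}, deposited: map[string]bool{}}
}

// OpenAccount registers a customer; pub may be nil for one who only receives.
func (iss *Issuer) OpenAccount(name string, pub ed25519.PublicKey, balanceCents int64) {
	if pub != nil {
		iss.keys[name] = pub
	}
	iss.balances[name] = balanceCents
}

func (iss *Issuer) Balance(name string) int64 { return iss.balances[name] }

// Deposit is the issuer's side: verify the signature before trusting any field,
// then apply the payee, replay and funds checks, then move the money.
func (iss *Issuer) Deposit(depositor string, sc SignedCheque) error {
	pub, ok := iss.keys[sc.Cheque.Payer]
	if !ok || len(pub) != ed25519.PublicKeySize {
		return ErrUnknownPayer
	}
	if !ed25519.Verify(pub, sc.Cheque.canonical(), sc.Signature) {
		return ErrBadSignature
	}
	if sc.Cheque.Payee != depositor {
		return ErrPayeeMismatch
	}
	if sc.Cheque.AmountCents <= 0 {
		return ErrBadAmount
	}
	if iss.deposited[sc.Cheque.ChequeID] {
		return ErrAlreadyPaid
	}
	if iss.balances[sc.Cheque.Payer] < sc.Cheque.AmountCents {
		return ErrInsufficient
	}
	iss.deposited[sc.Cheque.ChequeID] = true
	iss.balances[sc.Cheque.Payer] -= sc.Cheque.AmountCents
	iss.balances[sc.Cheque.Payee] += sc.Cheque.AmountCents
	return nil
}

func main() {
	// Constructed scenario: alice pays bob 25.00 out of a 100.00 balance.
	pub, priv := NewKeyPair()
	iss := NewIssuer()
	iss.OpenAccount("alice", pub, 10000)
	iss.OpenAccount("bob", nil, 0)
	sc := WriteCheque(priv, Cheque{ChequeID: "chq-0001", Payer: "alice", Payee: "bob", AmountCents: 2500, Currency: "USD"})
	fmt.Println("first deposit:", iss.Deposit("bob", sc))
	fmt.Println("replay:", iss.Deposit("bob", sc))
	tampered := sc
	tampered.Cheque.AmountCents = 9000
	fmt.Println("tampered:", iss.Deposit("bob", tampered))
	fmt.Println("balances:", iss.Balance("alice"), iss.Balance("bob"))
}
```

The signed cheque is also the "electronic receipt" the slide mentions: the payee can show a third party a document that only the holder of the payer's private key could have produced, which is the nonrepudiation property the audit lists ask for. The ordering of checks matters: the payee and amount are read only after the signature has been verified, because until then they are attacker-controlled bytes.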

13. Electronic Banking
- Banking organizations have been delivering electronic services to consumers and businesses remotely for years. Electronic funds transfer (EFT), including small payments and corporate cash management systems, and publicly accessible automated machines for currency withdrawal and retail account management are global fixtures.
- Continuing technological innovation and competition among existing banking organizations and new market entrants have allowed for a much wider array of electronic banking products and services for retail and wholesale banking customers. However, the increased worldwide acceptance of the Internet as a delivery channel for banking products and services provides new business opportunities as well as new risks.

14. Common Features
- Transactional (e.g., performing a financial transaction such as an account-to-account transfer, paying a bill, applying for a loan or a new account, etc.):
  - Electronic bill payment
  - Funds transfer between a customer's own checking and savings accounts, or to another customer's account
  - Investment purchase or sale
  - Loan applications and transactions, such as repayments
- Non-transactional (e.g., online statements, cheque links, co-browsing, chat):
  - Bank statements
- Financial institution administration:
  - Support for multiple users having varying levels of authority
  - Transaction approval process
- Features commonly unique to Internet banking include personal financial management support, such as importing data into personal accounting software. Some online banking platforms support account aggregation, allowing customers to monitor all of their accounts in one place, whether they are with their main bank or with other institutions.

15. Risk Management Challenges in E-banking
- Risk management is the responsibility of the board of directors and senior management. They need to possess the knowledge and skills to manage the bank's use of electronic banking and all related risks.
- The speed of change relating to technological and service innovation in e-banking is unprecedented. Currently, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.
- Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated, as much as possible, with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces the opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound system design and architecture, as well as on system interoperability and operational scalability.

16. Risk Management Challenges in E-banking
- E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend toward more partnerships, alliances and outsourcing arrangements with third parties such as ISPs, telecommunication companies and other technology firms.
- The Internet is everywhere and global by nature. It is an open network accessible from anywhere in the world by unknown parties. Messages are routed through unknown locations and via fast-evolving wireless devices. Therefore, the Internet significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures and customer privacy standards.

17. Risk Management Controls for E-banking
- Board and Management Oversight
  - Effective management oversight of e-banking activities
  - Establishment of a comprehensive security control process
  - Comprehensive due diligence and management oversight process for outsourcing relationships and other third-party dependencies
- Security Controls
  - Authentication of e-banking customers
  - Nonrepudiation and accountability for e-banking transactions
  - Appropriate measures to ensure segregation of duties
  - Proper authorization controls within e-banking systems, databases and applications
  - Data integrity of e-banking transactions, records and information
  - Establishment of clear audit trails for e-banking transactions
  - Confidentiality of key bank information
- Legal and Reputational Risk Management
  - Appropriate disclosures for e-banking services
  - Privacy of customer information
  - Capacity, business continuity and contingency planning to ensure availability of e-banking systems and services
  - Incident response planning

18. Electronic Business
- The term electronic commerce is restricting, however, and does not fully cover the true nature of the many types of information exchange occurring via telecommunication devices. The term electronic business also includes the exchange of information not directly related to the actual buying and selling of goods. Increasingly, businesses are using electronic mechanisms to distribute information and provide customer support. These activities are not commerce activities; they are business activities. Thus, the term electronic business is broader and may eventually replace the term electronic commerce.

19. E-Business Building Process
- The challenge for an organization is to turn the vision and the market opportunity into a viable business. Developing the marketing strategy and plans, and designing and deploying the business solution, is key. Those who successfully architect, develop and deploy e-business solutions will need to formulate and adopt a comprehensive business plan. Because of the critical role of Internet technologies and integration requirements, organizations need a comprehensive planning framework, an actual e-business model. This structured planning approach enables the organization to assess, plan for and implement the multiple aspects of an e-business, which requires:
  - Solid strategies
  - Knowledge management techniques applied to a company's information and intellectual assets
  - Effective e-business processes, typically grouped in the customer relationship management (CRM), supply chain management (SCM) and core business operations domains

20. Electronic Business Models
- Classification by Provider and Consumer
- Business-to-Business (B2B)
- Business-to-Consumer (B2C)
- Business-to-Employee (B2E)
- Business-to-Government (B2G)
- Government-to-Business (G2B)
- Government-to-Government (G2G)
- Government-to-Citizen (G2C)
- Consumer-to-Consumer (C2C)
- Consumer-to-Business (C2B)

21. Electronic Business Models
- When organizations go online, they have to decide which e-business models best suit their goals. A business model is defined as the organization of product, service and information flows, and the source of revenues and benefits for suppliers and customers. The concept of an e-business model is the same, but applied to the online presence.
- E-shops (online shopping)
- E-commerce
- E-procurement (replacing the traditional manual cycle of demand, approval, quotation, purchase order (PO) and goods received note (GRN))
- Collaboration platforms (software services that enable individuals to find each other and the information they need, and to communicate and work together to achieve common business goals) (Orkut.com, youtube.com)
- Third-party marketplaces (Amazon.com)
- Information brokerage (a person or business that researches information for clients)
- Telecommunication (the use of electronic devices such as the telephone, television, radio or computer)