Electronic Data Interchange
Essay by review • February 16, 2011 • Research Paper • 1,165 Words (5 Pages)
Definition
Electronic Data Interchange (EDI) can be formally defined as 'The transfer of structured data, by agreed message standards, from one computer system to another without human intervention' (Wikipedia, 2007). It represents the application of computer and communications technology to traditional paper-based business processes, supporting innovative changes in those processes. It involves the exchange and transmittal of business documents, such as invoices, purchase orders and shipping notices, in a standard, machine-processable format (CISA, 2008).
EDI is not a new technology. It was first used in the transportation and shipping industries in the 1970s. However, EDI use has grown significantly in many business sectors in the past decade. It is not limited to simply sending and receiving various messages but has allowed trading partners to access each other's internal records, such as sales and inventory information. EDI has come into prominence because it can provide the following benefits:
• Less paperwork, reduced cost
• Fewer errors during the exchange of information
• Increased speed in information exchange and processing
• Improved trading partner relationships
• Improved intracompany flow of information
Threats
On the other hand, although EDI has created a number of changes in the way commerce is conducted and has offered significant opportunities, it also has attracted new threats and potential exposures and increased the seriousness of some existing problems. Some examples of these are described below.
• Absence of Human Intervention: this is often seen as an advantage, since computers can perform repetitive tasks more quickly and consistently than humans. From a security viewpoint, however, the removal of humans from the process also removes a degree of protection, since the computers are incapable of applying curiosity or common sense to instructions (Ian Walden, 1993).
• Paperless Trading: the absence of paper from the electronic trading process carries its own collection of advantages, and corresponding security problems. The absence of hard copy evidence in support of these business transactions has serious implications both from a legal standpoint and from an auditor’s perspective. Audit procedures will have to be established to verify specific transactions contained in electronic media.
• Increased Exposure to Fraud: EDI reduces the segregation of duties and limits the number of personnel involved with individual transactions. Control of internal systems and procedures may be limited to a few people. This increases the risk of unauthorized transactions (Stanley Weiner, 1995).
• Loss of Confidentiality of Sensitive Information: Proprietary information, such as customer lists, price lists, manufacturing schedules, etc., could fall into a competitor's possession (Stanley Weiner, 1995).
• Software Failure: Should any part of the system fail, management would have to confront problems related to transactions that have to be completed by set due dates. Types of transactions that could impact the organization include cash payments, payroll, just-in-time inventory, and production schedules (Stanley Weiner, 1995).
These potential weaknesses have been exploited on a number of occasions, resulting in fraudulent purchase orders, delays in message delivery, denial of receipt of messages and so on. Due to the unique nature of EDI, message contents must be kept confidential, the integrity of each message must be ensured, and the availability of messages and of the associated transfer and processing systems must be maintained in an EDI environment.
Controls
Proper controls need to be put in place to protect EDI transmissions. Transaction authorization is a major concern in an EDI environment. The accountant should attempt to ensure that all transactions are properly authorized and that they are complete, accurate and valid. Controls should apply to both inbound and outbound transactions.
Effective access control will prevent most attacks, and the auditor will expect to see access restricted to those who are properly authorized and have a genuine need to see or use the data. Traditionally, paper documents and signatures have been used to authenticate the data that constitute commercial transactions. Authentication of EDI transmissions requires different methods: a combination of passwords, tokens and even biometric techniques will typically be used. Specific countermeasures such as encryption can be applied to reduce confidentiality vulnerabilities, and availability vulnerabilities can be reduced by introducing redundancy into the system.
An audit trail is another important countermeasure in an EDI environment. It is probably the only way of determining that a breach of the other countermeasures has occurred, and it is also crucial in the case of a business dispute over a transaction. In addition, physical security measures, such as storing backup files offsite and keeping equipment behind locked doors, need to be addressed. Inadequate security is troublesome in entities that rely heavily on EDI for business transactions. Some of the common threats and the corresponding controls are listed below.
Threat                          Control
Illegal use of network          User authentication
Espionage, breach of privacy    Encryption
Message modification            Message authentication
Message replay                  Application
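The controls paragraph and the table above name message authentication, replay protection and an audit trail as the EDI-level countermeasures; the following is an added example, written for this page and not code from the essay or from any EDI product, that shows how the three fit together on the receiving side. The segment layout (EDIFACT-style `BGM`/`MOA` lines), the shared key, the control numbers and the timestamps are all constructed for illustration, and `build_envelope`, `EdiReceiver` and the freshness constants are names introduced here.

```python
"""Added example: HMAC message authentication, replay rejection and an
append-only audit trail over a constructed, simplified EDI envelope."""
import hashlib
import hmac

# Constructed shared secret; real trading partners agree keys out of band and rotate them.
PARTNER_KEY = b"constructed-demo-key-not-for-real-use"
FRESHNESS_WINDOW = 24 * 3600   # seconds a message may be in transit and still be accepted
CLOCK_SKEW = 300               # seconds of tolerated clock drift between the partners


def canonical_body(control_number: str, sent_at: int, segments: list) -> bytes:
    """Deterministic byte layout covered by the MAC: header fields first, then one
    segment per line. The MAC covers the control number and timestamp so that the
    replay and freshness checks below operate only on authenticated values."""
    return "\n".join([control_number, str(sent_at), *segments]).encode("utf-8")


def build_envelope(control_number: str, segments: list, sent_at: int,
                   key: bytes = PARTNER_KEY) -> dict:
    """Sender side: wrap the segments with a control number, a timestamp and an HMAC-SHA256."""
    mac = hmac.new(key, canonical_body(control_number, sent_at, segments), hashlib.sha256).hexdigest()
    return {"control_number": control_number, "sent_at": sent_at,
            "segments": list(segments), "mac": mac}


class EdiReceiver:
    """Receiver side: verifies, de-duplicates and records every inbound envelope."""

    def __init__(self, key: bytes = PARTNER_KEY):
        self.key = key
        self.seen = {}        # control_number -> sent_at, pruned to the freshness window
        self.audit_log = []   # append-only record of every accept/reject decision

    def _record(self, envelope: dict, outcome: str, reason: str = "") -> str:
        """Write the decision to the audit trail and return it as 'accepted' or 'rejected:<reason>'."""
        self.audit_log.append({"control_number": envelope.get("control_number"),
                               "mac": envelope.get("mac"),
                               "outcome": outcome, "reason": reason})
        return f"{outcome}:{reason}" if reason else outcome

    def receive(self, envelope: dict, now: int) -> str:
        control = envelope["control_number"]
        sent_at = envelope["sent_at"]
        # 1. Message authentication first: an unauthenticated message must not touch replay state.
        expected = hmac.new(self.key, canonical_body(control, sent_at, envelope["segments"]),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, envelope["mac"]):
            return self._record(envelope, "rejected", "bad_mac")
        # 2. Freshness: bounds how long a captured message remains replayable at all.
        if sent_at > now + CLOCK_SKEW or now - sent_at > FRESHNESS_WINDOW:
            return self._record(envelope, "rejected", "stale")
        # 3. Replay: each control number is accepted once within the freshness window.
        self.seen = {c: t for c, t in self.seen.items() if now - t <= FRESHNESS_WINDOW}
        if control in self.seen:
            return self._record(envelope, "rejected", "replay")
        self.seen[control] = sent_at
        return self._record(envelope, "accepted")


if __name__ == "__main__":
    rx = EdiReceiver()
    invoice = build_envelope("000001", ["BGM+380+INV-1001", "MOA+86:1250.00"], sent_at=1_700_000_000)
    print(rx.receive(invoice, now=1_700_000_100))     # accepted
    print(rx.receive(invoice, now=1_700_000_200))     # rejected:replay
    altered = dict(invoice, segments=["BGM+380+INV-1001", "MOA+86:9250.00"])
    print(rx.receive(altered, now=1_700_000_300))     # rejected:bad_mac
    for entry in rx.audit_log:
        print(entry)
```

Two design points worth noting. The checks run in the order authentication, freshness, replay, so that nothing about the receiver's state is influenced by a message that has not already passed the MAC check. And a shared-key HMAC gives the two partners integrity and origin authentication, but not the non-repudiation that the essay's paperless-trading point calls for in a dispute: either partner could have produced the MAC, so where a transaction must be provable to a third party, a digital signature over the same canonical body (each partner signing with its own private key) is the control to add, with the audit trail retaining the signed envelope as evidence.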
...
...