| Foreword | p. xiii |
| Preface | p. xv |
| Acknowledgments | p. xvii |
| The Frontier: An EDI Overview | p. 1 |
| Exactly What Is EDI? | p. 1 |
| Growth of EDI | p. 1 |
| EDI Market Acceptance | p. 2 |
| The Costs and Benefits of Implementing EDI | p. 5 |
| Who Should Use EDI? | p. 6 |
| EDI Operating Issues | p. 7 |
| EDI Risks | p. 8 |
| Management Control Concerns | p. 9 |
| General Controls in EDI Standards | p. 10 |
| ANSI | p. 11 |
| UN/EDIFACT | p. 12 |
| Acknowledgments | p. 12 |
| EDI Audit Implications | p. 12 |
| Summary | p. 13 |
| EDI Infrastructure and Standards | p. 15 |
| The Essential Components of EDI | p. 15 |
| Standards | p. 15 |
| Telecommunications Hardware and Software | p. 16 |
| Translation Software | p. 16 |
| Standards: Evolution of a Business Tool | p. 18 |
| The Development of North American Standards | p. 18 |
| The Development of International Standards | p. 21 |
| The Standards Controversy | p. 23 |
| ANSI ASC X12 Transaction Set Table, Segment Dictionary Format, and Data Element Definition | p. 25 |
| Networks and Telecommunications | p. 29 |
| Third-Party Networks | p. 29 |
| Benefits of Value-Added Networks | p. 30 |
| Interconnectability: VAN Versus Point-to-Point | p. 31 |
| Selecting a Third-Party Network | p. 33 |
| Internal Controls in Third-Party Networks | p. 34 |
| Access Control | p. 34 |
| Data Integrity | p. 35 |
| Transmission Security | p. 37 |
| Liability of Third-Party Network Vendors | p. 40 |
| Cross-Vulnerabilities in EDI Partnerships | p. 43 |
| What is Cross-Vulnerability in EDI? | p. 43 |
| Cross-Vulnerabilities Involving Security | p. 43 |
| Point-of-Sale and EDI Security | p. 44 |
| Limitations of Current Security Structures | p. 45 |
| Security Solutions | p. 47 |
| Cross-Vulnerabilities in Other Business Areas | p. 48 |
| Difficulties with Shared Standards | p. 49 |
| The Uncertain Legal Status of EDI Contracts | p. 50 |
| Conflicts in Partners' Competitive Profiles | p. 52 |
| More EDI-Related Exposures | p. 53 |
| Summary and Recommendations | p. 54 |
| Control Self-Assessment Worksheet and Summary | p. 57 |
| Managing Interenterprise Partnerships | p. 61 |
| Characteristics of Interenterprise Partnerships | p. 61 |
| Selecting Trading Partners | p. 61 |
| The Trading Partner Agreement | p. 62 |
| Other EDI Agreements | p. 64 |
| Third-Party Network Agreements | p. 65 |
| Application Software Agreements | p. 65 |
| Legal Issues, Lawyers, and Auditors | p. 66 |
| Fundamental Questions | p. 67 |
| Creating an Enforceable Contract | p. 69 |
| A Matter of Evidence | p. 69 |
| Managing Liability and Risk | p. 71 |
| Conventions, Guidelines, and Agreements | p. 72 |
| Summary | p. 72 |
| EDI Application Control Issues | p. 75 |
| Internal Controls in Information Systems | p. 75 |
| Application Controls | p. 75 |
| Security Controls | p. 78 |
| Environmental Controls | p. 78 |
| Project Controls | p. 78 |
| EDI Standard-Driven Controls | p. 78 |
| Other EDI-Specific Controls | p. 79 |
| Controls for Transaction Accuracy and Completeness | p. 80 |
| Inbound Transaction Control Considerations | p. 81 |
| Outbound Transaction Control Considerations | p. 81 |
| Transmission Control Considerations | p. 82 |
| Control Agreements Between Partners | p. 83 |
| EDI Management and Environmental Control | p. 85 |
| Environmental Controls: An Overview | p. 85 |
| Operations and Management | p. 85 |
| Computer Operations | p. 86 |
| Data and Program Security | p. 86 |
| Contingency Planning and Disaster Recovery | p. 87 |
| Project Management | p. 88 |
| Learn About EDI | p. 89 |
| Gain Executive Commitment and Management Buy-In | p. 89 |
| Establish Quality Project Plan | p. 89 |
| Review Business Processes and Internal Systems | p. 90 |
| Conduct Surveys | p. 90 |
| Review Standards and Documents to be Exchanged | p. 91 |
| Choose Translation Software | p. 91 |
| Choose a Network Provider | p. 91 |
| Design, Develop, and Test the System | p. 92 |
| Cut Over to and Implement the EDI System | p. 92 |
| Perform Postimplementation Review | p. 92 |
| Vendor-Supplied Translation Software | p. 92 |
| EDI and Records Retention | p. 95 |
| The Risks of Poor Records Retention | p. 95 |
| The Objectives of Good Records Retention | p. 96 |
| The Basic Principles of Records Retention | p. 96 |
| Paper Versus Electronic Copies | p. 97 |
| The Admissibility of Electronic Records | p. 98 |
| Key Considerations for an EDI Records Management Program | p. 99 |
| Storage Media | p. 100 |
| Auditability of Records | p. 101 |
| Records to Consider Keeping | p. 102 |
| Retention Requirements for EDI | p. 103 |
| The Control Dimensions of Financial EDI | p. 105 |
| What is Financial EDI? | p. 105 |
| ANSI ASC X12 Versus UN/EDIFACT Payment Formats | p. 106 |
| Financial EDI in Insurance | p. 109 |
| The Financial EDI Information Component | p. 109 |
| The Canadian Financial EDI Audit Trail | p. 112 |
| Uniform Commercial Code Article 4A: Funds Transfer | p. 114 |
| The Model Electronic Payments Agreement and Commentary | p. 115 |
| Canadian Inter-Financial Institution EDI Control and Audit Standards | p. 115 |
| Uniform Conduct for the Interchange of Trade Data by Teletransmission | p. 115 |
| Financial EDI Controls | p. 116 |
| The Payor's Perspective | p. 116 |
| The Payee's Perspective | p. 117 |
| The Financial Institution's Perspective | p. 119 |
| Evaluated Receipt Settlement and Financial EDI: An Application at the Macro Level | p. 119 |
| Summary | p. 121 |
| EDI Audit Considerations | p. 123 |
| The Auditor as Control Consultant | p. 123 |
| General Audit Implications for EDI | p. 123 |
| The External Auditor's Role | p. 125 |
| Knowledge of the Business | p. 125 |
| Assessment of Risk | p. 126 |
| Evaluation of General Controls | p. 127 |
| Evaluation of Processing Controls | p. 128 |
| Testing | p. 130 |
| Use of Computer-Assisted Audit Techniques | p. 130 |
| The Internal Auditor's Role | p. 131 |
| Final Thoughts on the Auditor's Changing Role | p. 135 |
| Epilogue | p. 139 |
| General Considerations for an EDI Audit | p. 143 |
| Management Control Concerns | p. 143 |
| Loss of the Paper Audit Trail | p. 143 |
| Business Continuity | p. 143 |
| Exposure of Data to Third Parties | p. 143 |
| Potential Legal Liability | p. 144 |
| Records Retention and Retrievability | p. 144 |
| Segregation of Duties | p. 144 |
| Managing Interenterprise Relationships | p. 144 |
| Implications for Information Systems Auditors | p. 144 |
| An EDI Implementation Audit Program | p. 147 |
| Audit Objective | p. 147 |
| Implementation Audit Program | p. 147 |
| A Financial EDI Audit Program | p. 151 |
| Overview | p. 151 |
| Audit Procedures for Generic Funds Transfer | p. 151 |
| Management and Administrative Controls | p. 152 |
| System Controls | p. 152 |
| User (Operational) Controls | p. 153 |
| Financial EDI-Specific Audit Procedures | p. 154 |
| Management Controls | p. 154 |
| Application Controls | p. 154 |
| Environmental Controls | p. 155 |
| Audit Considerations for Trading Partner Agreements | p. 157 |
| Review Model Trading Partner Agreements | p. 157 |
| Evaluate Controls to be Included in the Trading Partner Agreement | p. 158 |
| Evaluate Interorganizational Control Assurances | p. 158 |
| Audit Considerations for Third-Party Network Agreements | p. 159 |
| Complete Statement of Terms | p. 159 |
| Data Ownership | p. 160 |
| Confidentiality | p. 160 |
| Investigations and Audits | p. 161 |
| Liability for Errors | p. 161 |
| Amendments | p. 161 |
| Termination | p. 162 |
| Environmental Audit Considerations: Contingency Planning and Disaster Recovery | p. 163 |
| Telecommunications Services and Support | p. 163 |
| Additional Audit Considerations | p. 165 |
| Recommended Readings | p. 167 |
| General Readings | p. 167 |
| Management Topics | p. 170 |
| Standards | p. 172 |
| Audit and Control Issues | p. 173 |
| Security Issues | p. 175 |
| Legal Issues | p. 175 |
| Network and Telecommunications Issues | p. 177 |
| Software and Third-Party Network Vendors | p. 178 |
| Productivity Enhancements | p. 179 |
| Contingency Planning and Disaster Recovery | p. 179 |
| Association Addresses | p. 182 |
| Glossary | p. 183 |
| About the Authors | p. 205 |
| Index | p. 207 |
| Table of Contents provided by Syndetics. All Rights Reserved. |