eCommerce SecurityPurpose of These Audit Programs and Internal Control QuestionnairesIntroductionAudit ObjectivesFunctional ObjectivesINTERNAL CONTROL QUESTIONNAIREThe Information Systems Audit andControl Association & Foundationwww.isaca.orgeCommerce SecuritySelection & Identification of Trading PartnersAUDIT PROGRAM&INTERNAL CONTROL QUESTIONNAIREThe Information Systems Audit and Control Association & Foundation With more than 22,000 members in more than 100 countries, the Information Systems Audit and Control Association® (ISACA™) isa recognized global leader in IT governance, control and assurance. Founded in 1969, ISACA sponsors international conferences,administers the globally respected CISA® (Certified Information Systems Auditor™) designation attained by more than 23,000professionals worldwide, and develops globally-applicable Information Systems (IS) Auditing and Control Standards. An affiliatedFoundation undertakes the leading-edge research in support of the profession. The IT Governance Institute, an offshoot of theAssociation, sponsors a new web site dedicated to the theory and practice of IT governance for the purpose of ensuring that ITactivities achieve business objectives.Purpose of These Audit Programs and Internal Control QuestionnairesOne of the goals of ISACA’s Education Board is to ensure that educational products developed by ISACA support member and industry information needs. Responding to member requests for useful audit programs, the Education Board has recently released audit programs and internal control questionnaires on outsourcing and various eBusiness topics for member use through the GIR. These products are intended to provide a basis for audit work. The eBusiness audit programs and internal control questionnaires were developed from material recently released in ISACA’s e-Commerce Security Technical Reference Series. These technical reference guides are being developed by Deloitte & Touche and are recommended for use with these audit programs and internal control questionnaires. Additional eBusiness security products will be produced through the end of 2001 as additional technical reference guides are produced. In addition, the Education Board will be producing products on other topics as well. The Education Board cautions users not to consider these audit programs and internal control questionnaires to be all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based on an organization’s constraints, policies, practices and operational environment.Control Objectives for Information and R elated TechnologyCOBIT® has been developed as a generally applicable and accepted standard for good Information Technology (IT) security and control practices that provides a reference framework for management, users, and IS audit, control and security practitioners.This program has been developed and reviewed using COBIT Third Edition as a model. Audit objectives and steps are included.DisclaimerThe topics developed for these Audit Programs and Internal Control Questionnaires have been prepared for the professionaldevelopment of ISACA members and others in the IS Audit and Control community. Although we trust that they will be useful forthat purpose, ISACA cannot warrant that the use of this material would be adequate to discharge the legal or p rofessional liability ofmembers in the conduct of their practices.October 2000eCommerce Security Selection & Identification of Trading Partners Page ____ of ____AUDIT PROGRAMIntroductionThis audit program and ICQ are recommended to be used as tools and as a supplements to the eCommerce Technical Reference Guide –Trading Partner identification, Registration and Enrollment : Security, Audit, Control and features . Foremore details on th is publication for an understanding of th is topic, please refer to: http://www.isaca.org/bk_ints.htm#trs-1 In all types of business, it is important to know with whom you are doing business. With all the changes overthe last 100 years from doing business face-to-face in a small community based on a handshake, to worldwideelectronic transactions from business-to business, business-to consumer, and consumer–to–business, all aspectsof business transactions have changed. However, the same need to know whom we do business with remains.The selection, and identification of trading partners is the first step of doing business in this evolving world ofelectronic transactions and very important process to be controlled. This program is intended to assist in thoseendeavors.The Education Board cautions users not to consider these audit programs and internal control questionnaires tobe all-inclusive or applicable to all organizations. They should be used as a starting point to build upon based onan organization’s constraints, policies, practices and operational environment.This program has been developed and reviewed with regards tousing COBIT Third Edition as a model. v 2 andaAudit objectives and steps are included. For more information on COBIT Third Edition, including freedownloads, please visit ISACA’s web site at http://www.isaca.org/cobit.htmAudit ObjectivesReferenced C OBI T * Control ObjectivesPO1 – Define a Strategic IT planPO2 – Define the Information ArchitecturePO3 – Determine Technological DirectionPO6 – Communicateing Management’s Aims and DirectionsPO9 –- Assess RisksDS2 – Manage Third –Party ServicesDS11 –- Manage DataM1 – Monitor the ProcessesM2 – Assess Internal Control AdequacyFunctional Objectives1. eCommerce strategies are consistent with organizational business objectives and communicated properly2. A consistent process exists by which trading partners are selected and identified.* http://www.isaca.org/cobit.htmeCommerce Security Selection & Identification of Trading Partners Page ____ of ____3. Once selected, clear requirements of all parties involved in eCommerce transactions are definedcontractually.4. Either planned, or existing, infrastructure enables the eCommerce capabilities defined by the businessobjectives to be adequately implemented and