Chapter 12 - Accounting and Information Systems Department

Chapter 12: Electronic Commerce Systems
COPYRIGHT © 2007 Thomson South-Western, a part of The Thomson Corporation. Thomson, the Star logo, and SouthWestern are trademarks used herein under license
Objectives for Chapter 12
- Topologies that are employed to achieve connectivity across the Internet
- Protocols, and the specific purposes served by several Internet protocols
- Business benefits associated with Internet commerce, and several Internet business models
- Risks associated with intranet and Internet electronic commerce
- Issues of security, assurance, and trust pertaining to electronic commerce
- Electronic commerce implications for the accounting profession
Internet Technologies
- Packet switching
  - messages are divided into small packets
  - each packet of a message may take a different route
- Virtual private network (VPN)
  - a private network within a public network
  - you may connect to UTEP via a VPN
- Extranets
  - password-controlled network for private users, often outside the company, including trading partners (vendors and customers)
- World Wide Web
  - an Internet facility that links users locally and globally
- Internet addresses
  - e-mail address
  - URL address
  - IP address
What is E-Commerce?
The electronic processing and transmission of business data:
- electronic buying and selling of goods and services
- on-line delivery of digital products
- electronic funds transfer (EFT)
- electronic trading of stocks
- direct consumer marketing
- electronic data interchange (EDI)
- the Internet revolution
Benefits of E-Commerce
- Access to a worldwide customer and/or supplier base
- Reductions in inventory investment and carrying costs
- Reductions in procurement costs
- Better customer service
- Rapid creation of business partnerships to fill emerging market niches
- Reductions in retail prices through lower marketing costs
Risks Associated with E-commerce
General Concerns
- Data Security: Are stored and transmitted data adequately protected?
- Business Policies: Are policies publicly stated and consistently followed?
- Privacy: How confidential are customer and trading partner data?
- Business Process Integrity: How accurately, completely, and consistently does the company process its transactions?
Intranet Risks
- Intercepting Network Messages
  - sniffing: interception of user IDs, passwords, confidential e-mails, and financial data files
- Accessing Corporate Databases
  - connections to central corporate databases increase the risk that data will be viewed, corrupted, changed, or copied by employees
- Uncontrolled Expansion
  - ill-conceived network decisions create serious threats
Internet Risks to Businesses
- IP Spoofing: masquerading to gain access to a Web server and/or to perpetrate an unlawful act without revealing one's identity
- Technology Failures: disruption caused by hardware failure causes an e-business to lose customer credibility and sales revenues
- Malicious Programs: viruses, worms, logic bombs, and Trojan horses pose threats to both Internet and intranet users
DOS Attack
[Figure: three-way handshake between Sender and Receiver. Step 1: SYN messages; Step 2: SYN/ACK; Step 3: ACK packet]
In a DOS attack, the sender sends hundreds of messages, receives the SYN/ACK packet, but does not respond with an ACK packet. This leaves the receiver with clogged transmission ports, and legitimate messages cannot be received.
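The half-open connections the slide describes are visible on the receiving host as sockets stuck waiting for the final ACK. The following is an added example, not part of the original slides: it parses a constructed connection-table snapshot (shaped like a simplified `netstat -n` listing: protocol, local address, remote address, state) and reports how many connections are half-open, which remote sources account for them, and whether the backlog looks flooded. The state name `SYN_RECV`, the sample addresses and the two thresholds are assumptions made for the illustration.

```python
"""Half-open connection check over a constructed connection-table snapshot.

Added example (not from the original slides). Input lines are constructed
to resemble a simplified `netstat -n` style listing: proto, local address,
remote address, state. Thresholds are assumptions for illustration.
"""
from collections import Counter

# Constructed sample: three half-open (SYN_RECV) entries from one source,
# one from another, plus established and listening sockets.
SAMPLE_SNAPSHOT = """\
tcp 10.0.0.5:443 198.51.100.7:40211 SYN_RECV
tcp 10.0.0.5:443 198.51.100.7:40212 SYN_RECV
tcp 10.0.0.5:443 198.51.100.7:40213 SYN_RECV
tcp 10.0.0.5:443 203.0.113.9:51000 SYN_RECV
tcp 10.0.0.5:443 192.0.2.44:60001 ESTABLISHED
tcp 10.0.0.5:80  192.0.2.45:60002 ESTABLISHED
tcp 0.0.0.0:443 0.0.0.0:* LISTEN
"""

HALF_OPEN_STATE = "SYN_RECV"   # assumed state label for "SYN/ACK sent, no ACK yet"


def parse_snapshot(text):
    """Yield (proto, local, remote, state) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        yield tuple(parts)


def half_open_by_source(text):
    """Count half-open TCP connections per remote IP (port stripped)."""
    counts = Counter()
    for proto, _local, remote, state in parse_snapshot(text):
        if proto == "tcp" and state == HALF_OPEN_STATE:
            src_ip = remote.rsplit(":", 1)[0]
            counts[src_ip] += 1
    return counts


def assess(text, per_source_limit=3, half_open_ratio_limit=0.5):
    """Return a report: half-open total, share of non-listening TCP sockets
    that are half-open, a flooded flag, and sources at/above the limit.
    Both limits are illustrative assumptions, not tuned values."""
    rows = list(parse_snapshot(text))
    tcp_rows = [r for r in rows if r[0] == "tcp" and r[3] != "LISTEN"]
    half_open = sum(1 for r in tcp_rows if r[3] == HALF_OPEN_STATE)
    ratio = half_open / len(tcp_rows) if tcp_rows else 0.0
    counts = half_open_by_source(text)
    suspicious = sorted(ip for ip, n in counts.items() if n >= per_source_limit)
    return {
        "half_open": half_open,
        "ratio": round(ratio, 3),
        "flooded": ratio >= half_open_ratio_limit,
        "suspicious_sources": suspicious,
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SNAPSHOT))
```

On the sample, four of six active TCP sockets are half-open and one source accounts for three of them, so the report flags both the backlog and that source. In practice the per-source view is only a hint, since a flood can spoof many source addresses; the usual host-side mitigation is SYN cookies or a larger backlog rather than source blocking alone.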
Controls
Network Control Objectives
- establish a communications session between sender and receiver
- manage the flow of data across the network
- detect errors in data caused by line failure or signal degeneration (static)
- detect and resolve data collisions between competing nodes
POLLING METHOD OF CONTROLLING DATA COLLISIONS
[Figure: a MASTER site connected over a WAN to several SLAVE sites; a polling signal goes to each slave in turn, and the other slaves are shown "Locked" while one slave's data transmission proceeds]
The "master" polls "slave" sites to determine if they have data to transmit.
If a slave responds in the affirmative, the master locks the network while the data are transmitted.
Allows priorities to be set for data communications across the network.
Token Ring
[Figure: a ring of nodes, each with local files, plus a central files server; a token circulates around the ring, shown either empty or containing data]
Carrier Sensing
- Random access technique that detects collisions when they occur (like stepping out into traffic)
- Widely used; found on Ethernets.
- A node wishing to transmit "listens" to the line to determine if it is in use. If the line is busy, it waits a pre-specified amount of time (seconds) before transmitting.
- Collisions occur when two nodes listen, hear no messages transmitting, and then simultaneously begin transmitting. The data collide and the two nodes are instructed to hang up and try again.
- Disadvantage: becomes a problem as network traffic increases. The line may not be used optimally when multiple nodes are trying to transmit simultaneously.
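The listen, collide, back off and retry cycle above is easy to see in a slot-based simulation. This is an added example, not from the original slides: every node starts with one frame, transmits when it senses the line idle, and after a collision waits a random number of slots chosen by binary exponential backoff (the Ethernet rule, which the slide summarizes as "hang up and try again"). The slot model, frame length and seed are assumptions; the returned counts let you watch collisions grow with the number of contending nodes, which is the disadvantage the slide names.

```python
"""Slot-based CSMA/CD simulation with binary exponential backoff.

Added example, not from the original slides. Time is divided into slots;
a frame occupies `frame_slots` slots; a collision wastes one slot (the jam).
"""
import random


def simulate_csma_cd(num_nodes, frame_slots=3, seed=1, max_slots=10_000):
    """Every node starts with one frame to send. Returns a dict with the
    slot at which the last frame finished, the number of collisions, the
    delivery order, and whether every node got through."""
    rng = random.Random(seed)
    backoff = {n: 0 for n in range(num_nodes)}   # slots a node must still wait
    attempts = {n: 0 for n in range(num_nodes)}  # collisions suffered per node
    delivered = []
    busy_until = 0      # first slot at which the line is sensed idle again
    collisions = 0
    slot = 0
    while len(delivered) < num_nodes and slot < max_slots:
        waiting = [n for n in range(num_nodes) if n not in delivered]
        if slot >= busy_until:
            # Line sensed idle: every node whose backoff has expired transmits.
            ready = [n for n in waiting if backoff[n] == 0]
            if len(ready) == 1:
                delivered.append(ready[0])
                busy_until = slot + frame_slots
            elif len(ready) > 1:
                # Two or more nodes heard silence and started together.
                collisions += 1
                busy_until = slot + 1          # jam signal occupies this slot
                for n in ready:
                    attempts[n] += 1
                    # Binary exponential backoff: 0 .. 2**k - 1 slots, k capped at 10.
                    backoff[n] = rng.randint(0, 2 ** min(attempts[n], 10) - 1)
        # Nodes counting down a backoff do so whether or not the line is busy.
        for n in waiting:
            if backoff[n] > 0:
                backoff[n] -= 1
        slot += 1
    return {
        "finish_slot": busy_until,
        "collisions": collisions,
        "delivered": delivered,
        "all_delivered": len(delivered) == num_nodes,
    }


if __name__ == "__main__":
    for nodes in (1, 2, 5, 20):
        r = simulate_csma_cd(nodes)
        print(nodes, "nodes:", r["collisions"], "collisions, done at slot", r["finish_slot"])
```

With one node there is never a collision and the frame ends at slot 3; with two or more nodes that all start at slot 0 the very first slot is a guaranteed collision, and the total grows as more nodes contend for the line.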
Encryption Techniques
In general:
- Private key (less secure)
- Public key (more secure)
Data Encryption: Private Key
[Figure: at Company A a cleartext message passes through an encryption program to produce ciphertext, which travels over the communication system; at Company B the encryption program turns the ciphertext back into the cleartext message]
Public Key Encryption
- Two keys
- Sender encodes the message with the Public key
- Recipient decrypts with the Private key
- After encryption, the Sender cannot decrypt
[Figure: exchange between Company A and Company B]
E-Commerce Security: Digital Authentication
- Digital signature: an electronic authentication technique that ensures that a transmitted message originated with the authorized sender and that it was not tampered with after the signature was applied
- Digital certificate: like an electronic identification card that is used in conjunction with a public key encryption system to verify the authenticity of the message sender
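The public-key slide and the digital-signature slide describe the same key pair used in two directions. The following added example (not from the original slides, and not any library's implementation) walks through both with textbook RSA: the sender encrypts with the recipient's public key and cannot reverse it with that key alone, and a signature computed with the private key verifies with the public key and fails once the message is altered. The two primes, the message value and the purchase-order text are constructed; the key is tiny and unpadded so that the mechanism is visible, which is exactly why real systems use 2048-bit or larger keys, OAEP/PSS padding and a vetted library.

```python
"""Toy RSA walk-through of two slide properties: a public-key encryption the
sender cannot undo, and a private-key signature that verifies with the
public key and breaks on tampering.

Added example, not from the original slides. Textbook RSA with two small
primes and no padding; it demonstrates the mechanism only.
"""
import hashlib
from math import gcd


def make_keypair(p, q, e=17):
    """Return (public, private) as (n, e) and (n, d). p and q assumed prime."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with (p-1)(q-1)")
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(m, public):
    """Sender side: needs only the recipient's public key."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(c, private):
    """Recipient side: needs the private exponent d."""
    n, d = private
    return pow(c, d, n)


def _digest(message, n):
    """Hash the message and reduce it into the RSA range (toy: no padding)."""
    h = hashlib.sha256(message).digest()
    return int.from_bytes(h, "big") % n


def sign(message, private):
    n, d = private
    return pow(_digest(message, n), d, n)


def verify(message, signature, public):
    n, e = public
    return pow(signature, e, n) == _digest(message, n)


# Constructed demo values: two known primes; 65 stands in for a message.
P, Q = 65537, 1000003


def demo():
    public, private = make_keypair(P, Q)
    c = encrypt(65, public)
    results = {
        "round_trip": decrypt(c, private) == 65,
        # The sender holds only the public key; re-applying it to the
        # ciphertext does not recover the message.
        "public_key_reverses": pow(c, public[1], public[0]) == 65,
    }
    order = b"PO-1001: 40 units @ 12.50"       # constructed purchase order
    sig = sign(order, private)
    results["signature_valid"] = verify(order, sig, public)
    tampered = b"PO-1001: 40 units @ 2.50"
    results["tamper_detected"] = not verify(tampered, sig, public)
    return results


if __name__ == "__main__":
    print(demo())
```

The digital certificate from the slide is what binds the public key used in `verify` to a named sender; without that binding a verifier has no way to know whose key it is checking.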
E-Commerce Security: Firewalls
Firewalls: software and hardware that provide a focal point for security by channeling all network connections through a controlled gateway.
- Network level firewalls: low cost/low security access control. Uses a screening router to pass traffic to its destination. This method does not explicitly authenticate outside users. Hackers may penetrate the system using an IP spoofing technique.
- Application level firewalls: high level/high cost customizable network security. Allows routine services and e-mail to pass through, but can perform sophisticated functions such as logging or user authentication for specific tasks.
Assurance
"Trusted" third-party organizations offer seals of assurance that businesses can display on their Web site home pages:
- BBB
- TRUSTe
- Veri-Sign, Inc
- ICSA
- AICPA/CICA WebTrust
- AICPA/CICA SysTrust
Implications for Accounting
Privacy violation
- major issues:
  - a stated privacy policy
  - consistent application of stated privacy policies
  - what information the company is capturing
  - sharing or selling of information
  - ability of individuals and businesses to verify and update information on them
- 1995 Safe Harbor Agreement
  - establishes standards for information transmittal between US and European companies
Implications for Accounting
Audit implications for XBRL
- taxonomy creation: an incorrect taxonomy results in invalid mapping that may cause material misrepresentation of financial data
- validation of instance documents: ensure that the appropriate taxonomy and tags have been applied
- audit scope and timeframe: impact on auditor responsibility as a consequence of real-time distribution of financial statements
Implications for Accounting
Continuous process auditing
- auditors review transactions at frequent intervals or as they occur
- intelligent control agents: heuristics that search electronic transactions for anomalies
Electronic audit trails
- electronic transactions generated without human intervention
- no paper audit trail
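An "intelligent control agent" of the kind the slide mentions is, in its simplest form, a set of heuristics run over each transaction as it arrives. The following is an added example, not from the original slides: it scans a constructed stream of electronically generated payments (no human approval step, as in a "pure" EDI system) and flags the ones an auditor would want to look at. The transaction fields, the approved-vendor list, the approval limit and the business-hours window are all assumptions made for the illustration.

```python
"""A small 'intelligent control agent': heuristics run over a constructed
stream of electronic transactions to flag anomalies for auditor follow-up.

Added example, not from the original slides. The transaction fields,
vendor list, thresholds and business hours are assumptions for illustration.
"""
from datetime import datetime

APPROVAL_LIMIT = 10_000.00        # assumed: payments at/above this need sign-off
BUSINESS_HOURS = range(8, 18)     # assumed: 08:00 to 17:59 local time
APPROVED_VENDORS = {"V100", "V200", "V300"}   # assumed vendor master list

# Constructed sample transactions.
SAMPLE_TXNS = [
    {"id": "T1", "vendor": "V100", "invoice": "INV-1", "amount": 4500.00,
     "posted": "2024-03-04T10:15:00"},
    {"id": "T2", "vendor": "V200", "invoice": "INV-7", "amount": 9999.00,
     "posted": "2024-03-04T11:02:00"},
    {"id": "T3", "vendor": "V200", "invoice": "INV-7", "amount": 9999.00,
     "posted": "2024-03-04T11:04:00"},
    {"id": "T4", "vendor": "V999", "invoice": "INV-2", "amount": 1200.00,
     "posted": "2024-03-04T23:40:00"},
    {"id": "T5", "vendor": "V300", "invoice": "INV-3", "amount": 15000.00,
     "posted": "2024-03-05T09:00:00"},
]


def _heuristics(txn, seen):
    """Yield one reason string per heuristic the transaction trips.
    `seen` maps (vendor, invoice) of earlier transactions to their id."""
    if txn["amount"] >= APPROVAL_LIMIT:
        yield "exceeds approval limit"
    elif txn["amount"] >= 0.95 * APPROVAL_LIMIT:
        # Amounts parked just under the limit are a classic way to dodge review.
        yield "just below approval limit"
    if txn["vendor"] not in APPROVED_VENDORS:
        yield "vendor not on approved list"
    if datetime.fromisoformat(txn["posted"]).hour not in BUSINESS_HOURS:
        yield "posted outside business hours"
    key = (txn["vendor"], txn["invoice"])
    if key in seen:
        yield f"duplicate of {seen[key]}"


def scan(txns):
    """Return {txn_id: [reasons]} for every transaction that trips a heuristic,
    processing transactions in arrival order so duplicates point at the first copy."""
    flagged = {}
    seen = {}
    for txn in txns:
        reasons = list(_heuristics(txn, seen))
        if reasons:
            flagged[txn["id"]] = reasons
        seen.setdefault((txn["vendor"], txn["invoice"]), txn["id"])
    return flagged


if __name__ == "__main__":
    for txn_id, reasons in scan(SAMPLE_TXNS).items():
        print(txn_id, "->", "; ".join(reasons))
```

Because the agent keeps its own record of what it saw (`seen`) and of why each item was flagged, its output doubles as the electronic audit trail the next slide says a paper-free system otherwise lacks.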
Implications for Accounting
Confidentiality of data
- open system designs allow mission-critical information to be at risk from intruders
Authentication
- in e-commerce systems, determining the identity of the customer is not a simple task
Nonrepudiation
- repudiation can lead to uncollected revenues or legal action
- use digital signatures and digital certificates
Implications for Accounting
Certification authority (CA) licensing
- a trusted third party vouches for identity
Data integrity
- determine whether data have been intercepted and altered
Access controls
- prevent unauthorized access to data
Changing legal environment
- provide the client with an estimate of legal exposure
Protocols
Protocol Functions
- Facilitate physical connection between network devices.
- Synchronize transfer of data between physical devices.
- Provide basis for error checking and measuring network performance.
- Promote compatibility among network devices.
- Promote network designs that are flexible, expandable, and cost-effective.
Internet Protocols
- Transfer Control Protocol/Internet Protocol (TCP/IP): controls how individual packets of data are formatted, transmitted, and received
- Hypertext Transfer Protocol (HTTP): controls web browsers; not the same as HTML
- File Transfer Protocol (FTP): used to transfer files across the Internet
- Simple Network Mail Protocol (SNMP): e-mail
- Secure Sockets Layer (SSL) and Secure Electronic Transmission (SET): encryption schemes
HTML: Hyper Text Markup Language
- Format used to produce Web pages
- Defines page layout, fonts, and graphic elements
  - used to lay out information for display in an appealing manner, like one sees in magazines and newspapers, using both text and graphics (including pictures)
  - appeals to users
- Hypertext links to other documents on the Web
  - Even more pertinent is HTML's support for hypertext links in text and graphics that enable the reader to 'jump' to another document located anywhere on the World Wide Web.
XML: eXtensible Markup Language
- XML is a meta-language for describing markup languages.
- Extensible means that any markup language can be created using XML.
  - Includes creation of markup languages capable of storing data in relational form, where tags (formatting commands) are mapped to data values
  - can be used to model the data structure of an organization's internal database
Comparing HTML and XML
XBRL: eXtensible Business Reporting Language
- XBRL is an XML-based language for standardizing methods for preparing, publishing, and exchanging financial information, e.g., financial statements.
- XBRL taxonomies are classification schemes.
- Advantages:
  - Businesses offer expanded financial information to all interested parties virtually instantaneously.
  - Companies that use XBRL database technology can further speed the process of reporting.
  - Consumers import XBRL documents into internal databases and analysis tools to greatly facilitate their decision-making processes.
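The audit-implications slide earlier asks for validation of instance documents, that is, checking that the tags in an XBRL instance really come from the agreed taxonomy and have been applied correctly. The following added example (not from the original slides, and not XBRL International's or any vendor's tooling) does a first-pass check of that kind on a constructed instance: every fact must use a concept defined in the mini taxonomy, must refer to a context that exists, must carry a numeric value if the concept is monetary, and the constructed calculation rule Assets = Liabilities + Equity must hold within a context. The taxonomy namespace, concept names, sample figures and the calculation rule are all assumptions; only the `http://www.xbrl.org/2003/instance` namespace is the real XBRL one.

```python
"""Check a constructed XBRL-style instance against a constructed mini
taxonomy: unknown tags, missing contexts, non-numeric monetary values
and a broken calculation relationship are each reported.

Added example, not from the original slides. The taxonomy namespace,
concept names and the calculation rule are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

NS = {
    "xbrli": "http://www.xbrl.org/2003/instance",     # real XBRL instance namespace
    "ex": "http://example.invalid/taxonomy",          # constructed taxonomy namespace
}

# Constructed taxonomy: concept name -> item type
TAXONOMY = {
    "Assets": "monetary",
    "Liabilities": "monetary",
    "Equity": "monetary",
    "EntityName": "string",
}
# Constructed calculation rule (stands in for a calculation linkbase):
# Assets = Liabilities + Equity
CALCULATIONS = [("Assets", ["Liabilities", "Equity"])]

# Constructed instance with four deliberate problems: an unknown concept,
# an undefined context, a non-numeric monetary value, and a sum that is off.
SAMPLE_INSTANCE = """<?xml version="1.0"?>
<xbrli:xbrl xmlns:xbrli="http://www.xbrl.org/2003/instance"
            xmlns:ex="http://example.invalid/taxonomy">
  <xbrli:context id="FY2023">
    <xbrli:entity><xbrli:identifier scheme="http://example.invalid">ACME</xbrli:identifier></xbrli:entity>
    <xbrli:period><xbrli:instant>2023-12-31</xbrli:instant></xbrli:period>
  </xbrli:context>
  <ex:EntityName contextRef="FY2023">ACME Corp</ex:EntityName>
  <ex:Assets contextRef="FY2023" unitRef="USD">1500</ex:Assets>
  <ex:Liabilities contextRef="FY2023" unitRef="USD">900</ex:Liabilities>
  <ex:Equity contextRef="FY2023" unitRef="USD">500</ex:Equity>
  <ex:Revenue contextRef="FY2023" unitRef="USD">2000</ex:Revenue>
  <ex:Assets contextRef="FY2022" unitRef="USD">n/a</ex:Assets>
</xbrli:xbrl>
"""


def validate_instance(xml_text):
    """Return a sorted list of human-readable problems (empty means clean)."""
    root = ET.fromstring(xml_text)
    problems = []
    contexts = {c.get("id") for c in root.findall("xbrli:context", NS)}
    facts = {}   # (concept, contextRef) -> numeric value, for calculation checks
    fact_prefix = "{" + NS["ex"] + "}"
    for el in root:
        if not el.tag.startswith(fact_prefix):
            continue                              # context/unit elements, not facts
        concept = el.tag[len(fact_prefix):]
        ctx = el.get("contextRef")
        if concept not in TAXONOMY:
            problems.append(f"unknown concept {concept}")
            continue
        if ctx not in contexts:
            problems.append(f"{concept}: contextRef {ctx!r} not defined")
        if TAXONOMY[concept] == "monetary":
            try:
                facts[(concept, ctx)] = float(el.text)
            except (TypeError, ValueError):
                problems.append(f"{concept}: non-numeric value {el.text!r}")
    # Calculation check: each total must equal the sum of its parts per context.
    for total, parts in CALCULATIONS:
        for (concept, ctx), value in facts.items():
            if concept != total:
                continue
            try:
                expected = sum(facts[(p, ctx)] for p in parts)
            except KeyError:
                continue          # parts missing for this context; nothing to compare
            if abs(expected - value) > 0.005:
                problems.append(f"{total}[{ctx}]={value:g} but parts sum to {expected:g}")
    return sorted(problems)


if __name__ == "__main__":
    for p in validate_instance(SAMPLE_INSTANCE):
        print("-", p)
```

A real XBRL validator also checks units, periods, the schema itself and the full calculation and presentation linkbases; the point here is that the "appropriate taxonomy and tags" test on the earlier slide is a mechanical check an auditor can automate rather than a manual read-through.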
Networks
Local Area Network (LAN)
- Computers located close together (in the same building/campus) linked together to share data/software/hardware
- Physical connection of workstations to the LAN is achieved through a network interface card (NIC)
- Server stores the network operating system, application programs, and data to be shared.
Topologies
Star Topology
- Network of workstations with a large central computer (host)
- Host computer has direct connections to workstations
- All communications must go through the host computer. Workstations can do local processing even if the host is down.
Star Network
[Figure: Kansas City holds the central data; Topeka, St. Louis, Tulsa, and Dallas each hold local data and connect directly to it]
Ring Topology
- Configuration eliminates the central site.
- All nodes are of equal status (peers).
- Responsibility for managing communications is distributed among nodes.
- Common resources shared by all nodes can be centralized/managed by a file server that is also a node.
Ring Topology
[Figure: a ring of nodes each holding local files, with a central files server as one of the nodes]
Bus Topology
- Nodes are all connected to a common cable, the bus.
- Communications and file transfers between workstations are controlled by the server.
- Generally less costly to install than a ring topology.
Bus Topology
[Figure: a print server, a file server holding the central files, and several nodes holding local files, all attached to a common bus]
Client-Server Topology
- This configuration distributes the processing between the user's (client's) computer and the central file server.
- Both types of computers are part of the network, but each is assigned the functions that it performs best.
- This approach reduces data communications traffic, thus reducing queues and improving response time.
Client-Server Topology
[Figure: several clients, each with data manipulation capabilities, connected to a server with record searching capabilities that holds the common files]
Wide Area Network (WAN)
- A WAN is a network dispersed over a wider geographic area than a LAN. Typically requires the use of:
  - gateways to connect different types of LANs
  - bridges to connect same-type LANs
- WANs may use common carrier facilities: telephone lines or a Value Added Network (VAN).
WAN
[Figure: several LANs joined across the WAN; same-type LANs connect through a bridge and different types through gateways]
Electronic Data Interchange (EDI)
- Exchange of business transaction information:
  - between companies
  - in standard format
  - via a computerized information system
- In "pure" EDI systems, human involvement is not necessary to approve transactions. (Very few pure EDI systems exist.)
EDI System
[Figure: Our Company's purchases system and Wal-Mart's sales order system each feed application software, EDI translation software, and communications software; a direct connection carries many transactions, while a VAN holding Wal-Mart's mailbox, Our Company's mailbox, and other mailboxes carries the few remaining transactions]
Advantages of EDI
- Reduction or elimination of data entry
- Reduction (not elimination) of:
  - errors
  - paper
  - paper processing and postage
  - inventories (via JIT systems)