By Liu Jianhui
Deputy Auditor General-CNAO
The paper addresses the critical issue of an auditor being sensitive to
security issues while auditing in a network environment and makes
comments and practical suggestions in this regard.
As a combination of network technology and audit, audit under a network
environment enjoys the advantage of open system interconnection, which
enables auditing information to be shared and to flow freely. As a
result, real-time audit can be carried out dynamically through the
network, so as to examine and monitor the transactions of enterprises
at every stage and to make timely disclosures.
However, the network also makes it possible for information users to
take malicious actions to control, intercept, alter and even destroy
the information and resource data, which will undoubtedly put audit
work at risk. Therefore, the security of the network becomes a key
factor when undertaking network-based audit.
1. Security requirements for network-based audit
In a network environment, security requirements include the reliability
and confidentiality of the information used for audit, the safety of the
auditing system and the definitiveness of audit conclusions.
1.1 Reliability and confidentiality of the information used for audit
Material used in network-based audit generally exists in electronic
form, which can be altered and forged without a trace; this reduces the
reliability of these materials. Besides, during transmission over the
network, audit evidence is also subject to interception and
replacement, and this undoubtedly puts the truthfulness of audit
evidence under threat.
Furthermore, since most of the information provided by the auditees
concerns business secrets, the interests of the auditees will be
severely undermined if the secrets are intercepted or duplicated during
transmission over the network. Security, therefore, becomes an
essential requirement for audit in the network environment.
1.2 The safety of the auditing system
A large amount of data concerning the auditees’ business, such as
background materials and financial information, can be found in the
audit information database of the audit institution. Immeasurable losses
may occur if this data is altered, intercepted or misappropriated. For
this reason, auditors should make sure that this data is not
intercepted during transmission and that the audit data processing
system is free from unauthorized access.
1.3 The definitiveness of the audit conclusions
Audit conclusions are the basis of many economic activities, and their
veracity will not only directly affect the interests of auditees,
investors and customers but also the operation of banks, tax
authorities, and industrial and commercial administration agencies. The
network is an open and public resource, through which the audit
conclusions drawn by audit institutions can be altered. Therefore,
maintaining the definitiveness of the audit conclusions is an
indispensable aspect of security.
2. Methods to guarantee the security of network-based audit
One major technical feature of network-based audit is the
transmission and processing of audit information. The security of audit
in a network environment comprises two aspects: the security of the
computer network and that of the audit data processing system.
The security of a computer network embraces network equipment security,
network system security, database security, network protocol security,
network management security and so on. Implementing a network security
reinforcement plan is therefore important for achieving the security
objectives of the network.
The audit data processing system security refers to the reliability of
the audit database and audit conclusions. The open and public nature of
the network demands a high level of security. To guarantee security, the
audit data processing system should possess the following functions: to
prevent the audit information from being intercepted during
transmission, to prevent the audit database from being accessed
illegally, to guarantee that accounting information cannot be forged
and, finally, to ensure that the audit reports and conclusions are free
from alteration.
2.1 To Establish a Certificate Authority System
As an indispensable condition for network-based audit, the system of
Certificate Authority is established to guarantee that only authorized
auditors can access relevant information in the auditee’s database and
use that information in their data processing system. The CA system
ensures that investors and customers can obtain correct and reliable
audit conclusions. For this purpose, an open and fair third-party
authentication authority is needed to issue all kinds of digital
certificates and to provide confirmation services.
2.2 Adopting data encryption techniques
Most of the data collected in a network-based audit has a limited
period of validity and is transmitted via the network, so it should be
enciphered from plain text to cipher text. The encryption process
ensures that, even if the information were intercepted during
transmission, the relevant secrets would not be leaked.
2.3 Building a firewall for the audit data processing system
As the sole controlled passage, a firewall examines all the information
entering and leaving the system, which means users of the audit data
processing system can control the security decision-making process in
an integrated way. According to the different needs of customers for
various types of network, a firewall can enforce a comprehensive and
sophisticated set of security policies. Furthermore, a firewall can
also detect, record and trace users’ activities and support further
analysis so as to protect network security.
2.4 Intrusion-detecting technology
Intrusion detection is a common network monitoring technique and
also a very important approach to protecting network security. First
introduced in 1985, the intrusion detection system is based on
statistical models and can actively prevent hackers from intruding into
the network and avoid incidents of denial of service for legitimate
users.
2.5 Protect audit trail
Audit trail refers to the information collected by analyzing codes,
balance sheets and original transaction data generated during economic
activities in the accounting system. It is the auditee’s responsibility
to provide an intact audit trail. In an ‘audit under network
environment’, it is necessary not only to retain the audit evidence in
the accounting management system but also to keep the audit trail of
transactions carried out via the network. To protect an audit trail
that exists in electronic format, Certificate Authority techniques such
as ‘digital signature’ and ‘digital time seal’ could be adopted.
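An added example (not from the paper or CNAO) of what a signed, time-sealed electronic audit trail can look like: each transaction record is sealed with a time, chained to the previous record's signature, and signed with a CA-issued key, so that a verifier can tell whether any record was altered, reordered, or removed from the middle of the trail. The record layout, the Ed25519 key type, and the use of a local clock in place of a timestamp authority are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"encoding/json"
	"time"
)

// AuditRecord is one electronic audit-trail entry (constructed layout, not a CNAO format).
type AuditRecord struct {
	Seq      int    `json:"seq"`       // position in the trail; exposes deletion and reordering
	Prev     string `json:"prev"`      // signature of the previous record: a chain over the history
	SealedAt string `json:"sealed_at"` // time seal; a local clock stands in for a timestamp authority
	Account  string `json:"account"`
	Amount   int64  `json:"amount"` // in cents
}
// SignedRecord binds an entry to the auditee's CA-issued signing key (Ed25519 assumed here).
type SignedRecord struct {
	Record AuditRecord
	Sig    string // hex Ed25519 signature over canonical(Record)
}
// canonical is the byte string that is signed; json.Marshal of a struct is deterministic.
func canonical(r AuditRecord) []byte { b, _ := json.Marshal(r); return b }

// AppendRecord seals and signs one transaction onto the trail.
func AppendRecord(trail []SignedRecord, priv ed25519.PrivateKey, now time.Time,
	account string, amount int64) []SignedRecord {
	prev := ""
	if n := len(trail); n > 0 {
		prev = trail[n-1].Sig
	}
	rec := AuditRecord{Seq: len(trail), Prev: prev, Account: account, Amount: amount,
		SealedAt: now.UTC().Format(time.RFC3339)}
	sig := ed25519.Sign(priv, canonical(rec))
	return append(trail, SignedRecord{Record: rec, Sig: hex.EncodeToString(sig)})
}

// VerifyTrail returns the index of the first record that is altered, out of order,
// or whose predecessor was removed; -1 means the whole trail is intact.
func VerifyTrail(trail []SignedRecord, pub ed25519.PublicKey) int {
	prev := ""
	for i, sr := range trail {
		sig, err := hex.DecodeString(sr.Sig)
		if err != nil || sr.Record.Seq != i || sr.Record.Prev != prev ||
			!ed25519.Verify(pub, canonical(sr.Record), sig) {
			return i
		}
		prev = sr.Sig
	}
	return -1
}
```

Truncating records from the end of the trail is not caught by this check alone; that is what an externally anchored time seal or a published latest signature is for.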
A mix of manual and semi-manual audit methodology is still prevalent in
China, and the collection of audit evidence mainly depends on field
work. After being processed by computers, this evidence can be used in
the audit report. With the development of the network economy and
electronic business, network management will be improved greatly, which
will serve as an impetus to the development of audit in the network
environment.