IS Auditing Guidelines G1 Using the Work of Other Experts
APPENDIX COBIT Reference
5. AUDIT CONSIDERATIONS
5.1 Judicial Validity of an Electronic Transaction
5.1.1 To be considered valid, a contract involving selling goods or services should be signed. For electronic contracts, this can be achieved with a digital signature.
5.1.2 The digital signature can achieve the objective of juridical relevance as follows:
Authentication—There is evidence of data provenance.
Nonrepudiation or paternity—Each key user has the legal responsibility to protect his/her key. Therefore, he/she cannot repudiate or unilaterally modify the content of the signed document. A valid system used to protect the private key might store it in a secure personal device, such as a smart card. Can someone deny his/her own digital signature? Even if such a denial were considered admissible, it has no value. The other party should only have to demonstrate that the signature was valid when the contract was signed. This means that the owner must prove that his/her private key was stolen or subjected to unauthorised use before the time the contract was signed. A digital signature authenticated by a notary cannot be denied.
Confidentiality—To add confidentiality to a signed document, it is only necessary to encrypt it using the addressee’s public key.
5.2 Identification of Parties and Transaction Content
5.2.1 Only people of legal age (ordinarily 18 years old or more in most jurisdictions) have the capacity to conclude a contract.
5.2.2 Merchants can use any means to satisfy themselves that the other party is legally authorised to make a transaction. They can request any kind of proof and store the buyer’s data in their archives. In case of error or misuse, the vendor is ultimately responsible for the proper execution of the contract. When a digital signature system is used, the responsibility resides with the authority that issued the digital signature. This authority is called a certification authority (CA). If contested, the digital certificate owner must demonstrate that the private key was stolen or misused.
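The three properties listed in 5.1.2 and the point in 5.2.2 that a digital signature system shifts the burden of proof onto the key holder can be exercised directly. The Go program below is an added example written for this edition; it is not part of the guideline or of any ISACA material. The contract text, party names and key sizes are constructed, and Ed25519 signatures with RSA-OAEP encryption stand in for whatever algorithms a given certification authority prescribes.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample contract; the text is not taken from the guideline.
const contractText = "Seller delivers 100 units to Buyer for EUR 5,000 by 2024-06-30."

// SignContract binds the signer to the document: only the holder of the private
// key can produce a signature that the matching public key accepts (nonrepudiation).
func SignContract(signerPriv ed25519.PrivateKey, doc []byte) []byte {
	return ed25519.Sign(signerPriv, doc)
}

// VerifyContract gives the counterparty authentication (who signed) and integrity
// (nothing changed since signing) from the signer's public key alone.
func VerifyContract(signerPub ed25519.PublicKey, doc, sig []byte) bool {
	return ed25519.Verify(signerPub, doc, sig)
}

// SealForAddressee adds confidentiality by encrypting the signed document with the
// addressee's public key. RSA-OAEP is applied directly because the payload is short;
// for documents of arbitrary size a symmetric key is wrapped instead (hybrid encryption).
func SealForAddressee(addresseePub *rsa.PublicKey, signedDoc []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, addresseePub, signedDoc, nil)
}

// OpenSealed is the addressee's side: only the matching private key can decrypt.
func OpenSealed(addresseePriv *rsa.PrivateKey, sealed []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, addresseePriv, sealed, nil)
}

// Outcome records what each party can establish in the scenario below.
type Outcome struct {
	GenuineVerifies  bool // the seller's signature over the original text is accepted
	TamperedRejected bool // changing one digit of the date invalidates the signature
	ForgedRejected   bool // a signature made with another private key is not accepted
	AddresseeOpens   bool // the buyer recovers the exact signed document
	StrangerFails    bool // a third party's private key cannot decrypt the sealed document
}

// RunScenario walks through 5.1.2: the seller signs, the buyer verifies, the seller
// seals the signed document for the buyer, and the buyer opens it.
func RunScenario() (Outcome, error) {
	var out Outcome
	sellerPub, sellerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	_, impostorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return out, err
	}
	buyerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}
	strangerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return out, err
	}

	doc := []byte(contractText)
	sig := SignContract(sellerPriv, doc)
	out.GenuineVerifies = VerifyContract(sellerPub, doc, sig)

	tampered := []byte(contractText)
	tampered[len(tampered)-3] = '1' // constructed alteration: "...06-30." becomes "...06-10."
	out.TamperedRejected = !VerifyContract(sellerPub, tampered, sig)

	out.ForgedRejected = !VerifyContract(sellerPub, doc, SignContract(impostorPriv, doc))

	signedDoc := append(append([]byte{}, doc...), sig...) // document followed by its signature
	sealed, err := SealForAddressee(&buyerKey.PublicKey, signedDoc)
	if err != nil {
		return out, err
	}
	opened, err := OpenSealed(buyerKey, sealed)
	out.AddresseeOpens = err == nil && bytes.Equal(opened, signedDoc)
	_, err = OpenSealed(strangerKey, sealed)
	out.StrangerFails = err != nil
	return out, nil
}

func main() {
	out, err := RunScenario()
	fmt.Printf("%+v %v\n", out, err)
}
```

Run with `go run`; every field of the printed Outcome should be true. The two rejections are what matter to an auditor: a verifier needs only the signer's public key to detect an altered document or a signature made with a different key, which is why the burden in 5.2.2 falls on the key holder rather than on the merchant.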
5.2.3 The same considerations apply to the content of the transaction (integrity), which is preserved when using the digital signature system. Otherwise the merchant is responsible for false, incomplete, ambiguous and erroneous data.
5.2.4 The merchant is always responsible for credit card fraud and privacy violations.
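Both 5.1.2 and 5.2.2 turn on when the signature was made: the signer's certificate must have been valid at that moment, and a claimed theft of the private key only bears on the signature if it precedes that moment. The Go program below, added here and not taken from the guideline, models this timeline with a self-signed test CA, a seller certificate that CA issues, and a hypothetical "reported stolen" date; all names and dates are constructed. A real review would also consult the CA's revocation data and a trusted timestamp on the signature, neither of which this example models.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed timeline for the scenario; none of these dates come from the guideline.
var (
	certIssued  = time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	certExpires = time.Date(2025, 1, 1, 0, 0, 0, 0, time.UTC)
	signedAt    = time.Date(2024, 6, 15, 12, 0, 0, 0, time.UTC)
)

// issue has caPriv sign a certificate for pub (tmpl == parent gives a self-signed CA).
func issue(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caPriv ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caPriv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewPKI builds a test CA and the seller's certificate, valid from certIssued to certExpires.
func NewPKI() (*x509.Certificate, *x509.Certificate, ed25519.PrivateKey, error) {
	caPub, caPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: certIssued, NotAfter: certExpires.AddDate(5, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca, err := issue(caTmpl, caTmpl, caPub, caPriv)
	if err != nil {
		return nil, nil, nil, err
	}
	sPub, sPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	sTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Seller Ltd"},
		NotBefore: certIssued, NotAfter: certExpires, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	signer, err := issue(sTmpl, ca, sPub, caPriv)
	return ca, signer, sPriv, err
}

// CheckSignedContract is the counterparty's test: the signature verifies under the
// certified key, the certificate chains to the CA and is within its validity period at
// signingTime, and no key theft was reported for a time before signingTime (nil = no report).
func CheckSignedContract(ca, signer *x509.Certificate, doc, sig []byte, signingTime time.Time, reportedStolen *time.Time) error {
	pub, ok := signer.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, doc, sig) {
		return errors.New("signature does not verify under the certified key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signingTime, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("certificate not valid at signing time: %w", err)
	}
	if reportedStolen != nil && reportedStolen.Before(signingTime) {
		return errors.New("private key reported compromised before the signing time")
	}
	return nil
}

// RunTimeline signs one constructed contract at signedAt and evaluates the four situations.
func RunTimeline() (map[string]bool, error) {
	ca, signer, priv, err := NewPKI()
	if err != nil {
		return nil, err
	}
	doc := []byte("Seller delivers 100 units to Buyer for EUR 5,000.") // constructed contract text
	sig := ed25519.Sign(priv, doc)
	stolenBefore := signedAt.AddDate(0, -1, 0) // report: key stolen one month before signing
	stolenAfter := signedAt.AddDate(0, 3, 0)   // report: key stolen three months after signing
	return map[string]bool{
		"accepted within validity":          CheckSignedContract(ca, signer, doc, sig, signedAt, nil) == nil,
		"rejected after certificate expiry": CheckSignedContract(ca, signer, doc, sig, certExpires.AddDate(0, 2, 0), nil) != nil,
		"rejected, stolen before signing":   CheckSignedContract(ca, signer, doc, sig, signedAt, &stolenBefore) != nil,
		"accepted, stolen after signing":    CheckSignedContract(ca, signer, doc, sig, signedAt, &stolenAfter) == nil,
	}, nil
}

func main() {
	fmt.Println(RunTimeline())
}
```

All four map entries should print as true. The last two encode the rule in 5.1.2: a theft reported for a date after the signing time leaves the signature standing, while one reported for an earlier date is what the key holder would have to prove in order to deny it.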
5.3 Location Where the Contract Is Concluded
5.3.1 The greatest problem regarding electronic commerce is determining the exact location where the contract is concluded, which determines the legal jurisdiction and the applicable laws and regulations.
5.3.2 In the absence of a specific law applicable to a contract, the only alternative is to refer it to international jurisdiction. Modern technology allows anyone to connect to his/her service provider from virtually anywhere in the world, which makes it impossible to define the exact location where the contract is concluded.
5.3.3 The solution is the proper application of international law and the consequent application of international agreements.2
5.3.4 The most accepted approach states that:
If the parties have chosen a specific legislation, this is the only legislation that is applicable
If the parties have not chosen any legislation scheme, the one with the closest relationship to the contract (i.e., residence of the service provider) or, in the case of product sales, the law of the consumer’s country is applicable
5.3.5 In any case, it is imperative that every kind of prudence is exercised, as it is extremely difficult to determine (and prove) the location of the merchant.
5.4 Category Distinction
5.4.1 An intrinsic characteristic of informatics, regardless of how the contract is concluded, is to qualify the acquirer as a consumer, because legislation protects the consumer in every country. For this reason, a distinction is made between business-to-business and business-to-consumer electronic commerce.
5.5 Fraud Prevention
5.5.1 The economic system is founded, on the one hand, on identification and nonrepudiation of proposals/acceptances and, on the other hand, on establishing reasonably secure fund transfers, both when a subject buys (which implies he/she wants to receive services or goods) and when a subject sells (which implies he/she wants to receive payment). The digital signature system appears today as the only statutory form of payment online.
5.6 Use of Credit Cards Over the Internet
5.6.1 Today, the credit card is the most widely used payment instrument for transactions over the Internet. Unfortunately, there are many possibilities for abuse of credit card data (such as the reproduction of these data online). For example, the transaction receipt could be read by someone unauthorised to do so.
5.6.2 For online transactions, it is not necessary to have a credit card, but only its data. Credit card crimes are committed simply using card data in an unauthorised manner. There are three types of credit card crime:
Abuse of card data
Falsification and possession of false credit card
Selling or buying an illegal card
5.6.3 The illegal use of a credit card over the Internet includes any action aimed at fraudulently obtaining money, goods or services using card data. A crime is committed even when the owner uses the card after its expiration.
2 The Rome Convention, 1980 European law, www.rome-convention.org/instruments/i_conv_cons_it.htm and the Vienna Convention, an
6. KEY ELEMENTS OF COMPUTER FORENSICS FOR AUDIT PLANNING