Business Readings

"Hey, Jimmy, there’s a guy at the loading dock says he’s got two truck loads of what we ordered. Why did you order this much stuff? We’re just a middle market grocery store. Why would they ship us 10 times our normal order? Is there a problem with that new EDI purchasing project our MIS department set up? How are we going to pay for all this stuff?"

Source: Reprinted from "Doing Business in the Future with EDI," by Scott E. Whitsitt, Insight, February/March, pp. 29–31. Reprinted by permission of Insight.

Scott E. Whitsitt

This is an actual example of what can happen if you don’t properly plan your company’s implementation of EDI or electronic data interchange. The technology has been around more than 20 years and will soon, if it hasn’t already, be impacting your business.

EDI is a buzzword often misused to describe various approaches to automation. TEDIS Programme (a group formed by the Commission of the European Communities) defines EDI as "the interchange of standard formatted data between the computer application systems of trading partners with minimal manual intervention."

This definition contains several key words. "Standard formatted data" is critical to the success of EDI for one reason: all trading partners must speak the same electronic language if they are going to do business together. "Between computer application systems" means no manual intervention between your computer system (e.g., purchasing application) and that of your supplier (e.g., order processing application). "Trading partners" is a term that suggests a partnership with your customers and suppliers.

EDI provides some obvious benefits, such as quicker response to your customers and elimination of waste, but it also adds an element of risk. Before you set up an EDI system, you must identify these risks.

The Risks

The lack of paper documents or human intervention inherent with EDI creates some new risks to your organization that can be easily overlooked. The framers of the U.S. Constitution formed our current judicial system before anyone could even contemplate electronic transactions. The courts are still wrestling with the idea of contracts (e.g., purchase orders, invoices) maintained in an electronic format without manual signatures. Many aspects that make a manual document good evidence in a court of law, such as company letterhead and manual signatures, are not as apparent in an electronic transaction.

EDI cuts across all departments within an organization. Your company will, therefore, be even more dependent on computer processing than in the past. This means business continuity planning will be critical to your organization’s survival. How long can your business survive without the ability to accept or process orders? If you are dealing with a major EDI user like Kmart or Ford, manually processing their orders may not be an option.

The storage and security of these electronic transactions will be critical to the continued existence of your organization. If the system (or system user) somehow manages to lose, damage, or alter the transactions you won’t have any manual document to refer to for verification.

EDI also forces a company to become more reliant on its trading partners. Replacing your suppliers and customers will not be as simple as in the past. New suppliers and customers must be brought into your "EDI network" only after sufficient testing and trading partner agreements have been set up.

The Solutions

The EDI Risk Analysis Working Party, a subcommittee of the Institute of Chartered Accountants in England and Wales, identifies six ramifications of poorly implemented EDI systems: potential loss of transaction trail; increased exposure to ransom, blackmail or fraud; disruption to cash flows; loss of profitability; damage to reputation; and financial collapse. But these risks can be minimized with proper planning and implementation.
Two of the more critical control points, although not the only ones, are trading partner agreements and controls over computer systems. Many legal issues can be addressed by a properly drafted trading partner agreement and good controls over a company’s computer system. A well controlled computer system adds credibility to its electronic documents, and terms of sale details can be documented in advance in the trading partner agreement.

The Internal Revenue Service recently addressed this issue of EDI transactions in its Revenue Procedure 91-59. Effective for years beginning after Dec. 31, 1991, the IRS does not require hard copy records if the EDI electronic document and the trading partner agreement capture all the details of the transaction.

The importance of trading partner agreements is evident in the grocer example: The parties did not agree upon the specifics of order acknowledgement. The grocer’s computer placed an order for 250 pounds of brown sugar and was expecting an order acknowledgement. The supplier’s computer received the order but, because of a programming error, did not send an acknowledgement. After an hour of waiting for the supplier to respond, the grocer’s computer assumed the supplier did not receive the order and requested another 250 pounds, and another and another. Although enormous for the middle market grocer, the supplier accepted the orders because they fell within a range of acceptable orders that includes middle market and superstores.

All the details that make up a business relationship, from the specifics of information technology to terms of sale, should be considered in these agreements. Traditionally, trading partners have relied upon statements made on manual documents (e.g., purchase order and invoices) to specify the terms and conditions of sale. If disputes arise, the trading partner agreement will be critical to resolving them.
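
The grocer incident described above is a resend loop in which every resend counted as a new order. The following Python replay is an added example, not part of the reprinted article: it runs that loop and then two application controls, reusing the same purchase order number on resend and a per-partner quantity ceiling on the supplier side. The class and function names, the PO numbers, the 500 lb ceiling and the ten waits are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Supplier:
    partner_limit: dict = field(default_factory=dict)  # partner -> agreed max lb
    ack_bug: bool = True   # the programming error: acknowledgements never leave
    accepted: dict = field(default_factory=dict)       # (partner, po_number) -> lb
    held: list = field(default_factory=list)           # orders parked for a person

    def shipped(self, partner):
        return sum(q for (p, _), q in self.accepted.items() if p == partner)

    def receive(self, partner, po_number, qty):
        """Process one inbound purchase order; return the reply the buyer sees."""
        key = (partner, po_number)
        limit = self.partner_limit.get(partner, float("inf"))
        if key in self.accepted:
            status = "DUPLICATE"          # resend of an order already on file
        elif self.shipped(partner) + qty > limit:
            self.held.append(key)         # above the agreed ceiling: manual review
            status = "HELD"
        else:
            self.accepted[key] = qty
            status = "ACCEPTED"
        return None if self.ack_bug else status

def buyer_order(supplier, qty=250, waits=10, same_po_number=True, max_resends=None):
    """Place one order and resend after each unanswered wait.
    Returns the supplier's reply, or 'ESCALATE' when a person must step in."""
    for n in range(waits):
        if max_resends is not None and n > max_resends:
            break
        # The incident behaviour issues a fresh PO number on every resend.
        po_number = "PO-1001" if same_po_number else f"PO-{1001 + n}"
        reply = supplier.receive("GROCER", po_number, qty)
        if reply is not None:
            return reply
    return "ESCALATE"

def replay():
    """Pounds accepted in the incident, with PO reuse, and with a ceiling."""
    incident, reuse = Supplier(), Supplier()
    ceiling = Supplier(partner_limit={"GROCER": 500})
    buyer_order(incident, same_po_number=False)
    buyer_order(reuse, same_po_number=True, max_resends=3)
    buyer_order(ceiling, same_po_number=False)
    return tuple(s.shipped("GROCER") for s in (incident, reuse, ceiling))

if __name__ == "__main__":
    print(replay())
```

Either control bounds the damage without the acknowledgement channel working, which is why both the resend rule and the ceiling belong in the trading partner agreement.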
The American Bar Association has an example trading partner agreement that could be a good starting point for many organizations.

One benefit of creating a trading partner agreement is the relationship developed with your supplier or customer. Invest the time needed to develop your agreements face-to-face with these people and ensure the appropriate levels of management are involved. EDI can be an excellent opportunity to broaden your contacts within their organization.

Computer security is often the most difficult aspect of EDI for smaller organizations to control. These companies generally do not have adequate resources to segregate incompatible duties in their information systems department, and haven’t fully addressed end user access issues.

Controls over computer systems can be classified as general controls or application controls. General controls address the total computer environment (e.g., access to computer programs and data files) while application controls apply to a specific system (e.g., order processing, purchasing, etc.).

Application controls are probably already built somewhat into your existing systems, whether manual or computerized. For example, a common manual control over cash disbursements is to match a purchase order and receiving report with the supplier’s invoice before payment. In an EDI system these documents are electronic and invoices generally are not used. The purchase order and receiver contain all the required information. Payment is made by electronic funds transfer on delivery of the goods. The only efficient way to control this process will be through properly designed and tested computer application systems. Then, any changes or modifications to these systems must be tightly controlled with good general computer controls (access control software and good systems development life cycle techniques).

The control objectives for organizations that implement EDI are no different from those who do not. The only difference is the increased importance and opportunity of using information technology to achieve those objectives. However, EDI can provide one benefit in the future that will outweigh all the costs and risks: without it you cannot do business.

There are many technical issues relating to EDI this article can’t even begin to address. If you want further information on EDI, the EDP Auditor Journal Volume I, 1990 has several articles on this subject. This publication is available from the EDPAA, P.O. Box 88180, Carol Stream, IL. 60188-0180, or call 708/682-1200.

Discussion Questions