Monash Manufacturing Limited (MML) is a large, Melbourne-based manufacturer and retailer of pipes and pipe fittings. For some time it has had electronic-data-interchange (EDI) links with all its major suppliers and a good number of its smaller suppliers. The EDI system has been used in a fairly straightforward way-for example, to exchange orders, invoices, bills of lading, and credit notes.

You are an information systems auditor in a firm of chartered accountants that has just taken over the audit of MML. The partner in charge of the audit has asked you to review controls over the EDI system and report to him on their likely reliability. In this light, you are currently documenting internal controls within the system.

You decide to start your review by examining procedures that MML uses to authenticate trading partners within its EDI system. In this light, you interview MML's chief accountant. She informs you that the following procedures are in place:

a. Trading-partner information is maintained in a secure file. When an EDI transaction (e.g., an invoice) is received from a trading partner, the trading-partner identifier in the transaction is checked against the file of authorized trading partners. If a match is not obtained, the transaction is rejected and written to an error file. An exception report is printed and given each morning to the chief accountant so that she can scrutinize the nature of rejected transactions and, if need be, undertake follow-up actions.

b. The trading-partner identifier (plus other sensitive information) is encrypted before transmission within the EDI system. MML and its trading partners use a private-key cryptosystem. At the end of each month, MML distributes a cryptographic key to each of its trading partners. The same key is used by all trading partners (although the trading partners are not aware of this fact). The key is distributed by downloading the new key to all trading partners encrypted under the old key. The new key is decrypted and then installed automatically in each trading partner's system.

c. Before new trading partners are approved, they are screened extensively. MML is concerned about the honesty of their management, their financial viability, their reliability in terms of the provision of goods and services, and so on. The chief accountant undertakes this screening, although she sometimes relies on an outside firm that specializes in screening activities.

d. Only the chief accountant and a trading-partners clerk are authorized to establish new trading partners on the trading partners file. Only they have the action privileges assigned to enable them to add, delete, or modify data on the trading-partners file.

e. All accesses to the trading-partners file are recorded in an audit trail. A summary report is prepared each month on the basis of the audit trail, and a copy of this report is given to both the chief accountant and the controller (to whom the chief accountant reports).
Required: On the basis of the information you have obtained so far, what are your conclusions about the likely reliability of controls over authenticating trading partners within the system? What further evidence would you now collect? Depending on your findings, what advice are you likely to give the partner in charge of the audit as to how the remainder of the audit should proceed?