Fraud in E-Commerce Applications by using eSCARF as Continuous Assurance


The growth of electronic commerce (‘e-commerce’)
in the world has been dramatic over the past few years, with forecasts
suggesting that this explosive trend will continue (Pastore 2002). The birth of
the dot-coms who have capitalised on the advantages e-commerce provides, such
as lower barriers to market entry, as well as the extensive integration of
e-commerce systems into incumbent organisations is testament to this. This growth
has arisen as the benefits of e-commerce have been realised by businesses and
consumers alike. In the ‘digital economy’, e-commerce has facilitated efficient
information exchange, enabled cost reductions, provided new revenue
opportunities and increased process efficiencies. Customers also reap these
benefits through the reception of better customer service and the greater
convenience of paperless online transactions (Turban 2000). E-commerce is ever
more becoming intertwined with how organisations do business and are

However, this tight integration with e-commerce has
increased the exposure of businesses to a broader range of risks such as
security, privacy and reliability concerns (Daigle and Lampe 2000). Actual and
perceived security concerns, in particular, are large barriers preventing a
more rapid uptake and growth of e-commerce (Elliot and Fowell 2000). Managing
these risks becomes of great importance to companies partaking in any
e-commerce operation – both in protecting company e-commerce revenue flows from
security-related mishaps (such as fraud, theft and systems failure), and in
assuring hesitant customers of the safety of engaging in e-commerce. 

One of the chief security risks is fraud (Anandarajah
and Lek 2000; Cerpa and Jamieson 2001). In any transaction, participants want
to ensure proper receipt of payment in exchange for goods or services. Failure
by one party to receive what they expect may indicate the occurrence of fraud.
As a consequence of the advent of e-commerce, new methods of carrying out
financial transactions mean that new methods by which fraud is perpetrated also
arise (such as shill bidding in online auctions (Wang, Hidvégi and Whinston
2001b)). The presence of fraud, or even the threat of it, is a deterrent to businesses
and customers alike, who may choose to resort
to more traditional means of performing transactions
(Elliot and Fowell 2000). Currently, a variety of tools using a myriad of
approaches to detect fraud do exist, but their use is limited and fragmented, and
their effectiveness is untested (section 3.2.4). The fraud detection solutions
that do exist for businesses engaging in e-commerce tend to be proprietary in
nature and how they work is unpublicised. The electronic environment therefore
has need for effective controls, built around a generalised, tested framework,
that will mitigate the risk of fraud that e-commerce poses. It is clear that
businesses stand to benefit from the ability to reduce fraud, but the
development of these controls is also important for auditors. An essential
responsibility of auditors is to plan and conduct audits for irregularities
induced by fraud, other illegal acts and errors, that impact upon the financial
reports of an entity (AUS210 2002; Baer 2002; AICPA 2002). Therefore, enabling
better detection of fraud would facilitate an auditor’s job. 

Fraud prevention is difficult in the faceless world of
the Internet, and any measure designed to respond to it must be able to do so
in a timely manner. Continuous assurance (CICA) offers a timely method of
assurance where, by monitoring transactions (flows of information, especially
payment and order details) in real-time, irregularities that point to illicit
behaviour may be promptly detected and dealt with. Continuous assurance systems
capitalise on the infrastructure and real-time nature of e-commerce systems. In
fact, continuous assurance systems rely on the system being assured to be a
quick and reliable source of relevant data, because the assurance system must,
in turn, provide its own service of delivering timely assurance and reporting
information (Vasarhelyi, Kogan and Sudit 2000). Such a system will be able to
detect fraudulent activity in an e-commerce system in an unobtrusive manner.
There is a need to develop an assurance system that can be easily integrated
into existing systems, be flexible to adapt to different organisations and
organisational change, and provide control over the assurance process
(Vasarhelyi, Kogan and Sudit 2000). 
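
The real-time monitoring described above can be pictured as an audit routine embedded in the order flow that writes exceptions to a review file, which is the SCARF idea this thesis goes on to adopt. The sketch below is an added example, not code from the thesis or from eSCARF; the three rules, their thresholds, the field names and the sample transactions are all assumptions constructed for illustration.

```python
import json
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class AuditMonitor:
    """Audit routine embedded in the order flow; exceptions go to a review file."""
    max_amount: float = 1000.0   # assumed rule: unusually large order
    velocity_limit: int = 3      # assumed rule: orders per card per window
    window_seconds: int = 600
    review_file: list = field(default_factory=list)  # stands in for the audit file
    recent: dict = field(default_factory=lambda: defaultdict(deque))

    def inspect(self, txn: dict) -> list:
        """Check one transaction as it is processed; return the rules it tripped."""
        reasons = []
        if txn["amount"] > self.max_amount:
            reasons.append("amount_over_threshold")
        if txn["ship_country"] != txn["bill_country"]:
            reasons.append("ship_bill_country_mismatch")
        # Stateful rule: keep only this card's orders inside the sliding window.
        seen = self.recent[txn["card_token"]]
        while seen and txn["ts"] - seen[0] > self.window_seconds:
            seen.popleft()
        seen.append(txn["ts"])
        if len(seen) > self.velocity_limit:
            reasons.append("card_velocity")
        if reasons:
            # The store keeps processing; the auditor reads this record later.
            self.review_file.append(json.dumps(
                {"order": txn["order"], "ts": txn["ts"], "reasons": reasons}))
        return reasons


def make_txn(order, ts, card_token, amount, ship="AU"):
    """Build one constructed sample transaction (billing country fixed to AU)."""
    return {"order": order, "ts": ts, "card_token": card_token,
            "amount": amount, "bill_country": "AU", "ship_country": ship}


# Constructed sample data: ts is seconds since the start of the session.
SAMPLE = [
    make_txn("A1", 0, "tok_1", 40.0),
    make_txn("A2", 60, "tok_2", 2500.0),
    make_txn("A3", 120, "tok_1", 35.0),
    make_txn("A4", 180, "tok_1", 20.0),
    make_txn("A5", 240, "tok_1", 15.0, ship="NZ"),
    make_txn("A6", 2000, "tok_1", 15.0),
]


def run_sample():
    """Feed the sample through the monitor and return the review-file records."""
    monitor = AuditMonitor()
    for txn in SAMPLE:
        monitor.inspect(txn)
    return [json.loads(line) for line in monitor.review_file]
```

Only orders A2 and A5 reach the review file; A6 uses the same card as A5 but falls outside the ten-minute window, so the velocity rule no longer fires.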

This thesis has a variety of aims, focusing primarily
on improving our understanding of detecting and preventing fraud in e-commerce
systems by the use of continuous assurance systems. A conceptual model relating
the aspects and concepts associated with the real-time monitoring of e-commerce
transactions for fraud will be developed.

Explored along the way will be the various continuous
assurance methods for e-commerce fraud detection, before we finally settle on
using the SCARF (Systems Control Audit Review File) technique to implement an
assurance system that will provide assurance for financial transactions for a
business-to-consumer e-commerce store. This system, called eSCARF (electronic
SCARF), will be adapted for the IBM WebSphere Commerce (interchangeably
referred to as WebSphere) environment from a prototype eSCARF system developed
by Ng and Wong (1999). Following the implementation of eSCARF, a user
evaluation of the system will be acquired from professionals with experience in
auditing. The evaluation will be obtained by performing an evaluation survey,
assessing attributes of the system from an auditor’s perspective, looking at
its design quality and perceived usefulness. This will aid the future and
ongoing development of eSCARF by providing valuable user input, as well as
shedding further insight into auditors’ requirements for continuous assurance


This thesis is concerned with improving our
understanding of detecting and preventing fraud in electronic commerce
(e-commerce) transactions by using continuous assurance systems. It also seeks
to evaluate the usefulness of eSCARF, a continuous assurance system for fraud
detection, which is developed in this thesis. The area of electronic fraud was
targeted as it is one of the major risks for businesses engaging in the rapidly
growing practice of e-commerce today. The ability to mitigate this risk is
valuable to businesses and auditors, and continuous assurance systems, which
may provide assurance services in real-time, offer such an ability. A
conceptual model was constructed to produce a generalised overview of the fraud
auditing environment, and the objects and forces influencing the process. This
allows us to better understand and visualise the relationships between all
these issues. 

The second part of this thesis developed a continuous
assurance system that may be used to combat electronic fraud. This system is
called eSCARF (electronic System Control Audit Review File), designed for the
IBM WebSphere Commerce 5.4 e-commerce system. The development of eSCARF is
documented and provides insight into the architecture of a continuous assurance

The third part of this thesis involves a user
evaluation of eSCARF by 15 auditors via an evaluation survey. The evaluation
survey assessed the quality and perceived usefulness of the system. The survey
discovered that the participants regarded eSCARF as a highly usable system with
clear indications of its usefulness in effectively detecting e-commerce fraud.
Further input gathered from auditors provided ways eSCARF could be enhanced.
With this information and the verification of eSCARF’s feasibility and
applicability for fraud detection, future avenues for eSCARF’s continued
development are mapped out.  


Literature review:


Electronic commerce relates to the usage of electronic
communication networks to conduct business transactions (Turban 2000). The
emergence of e-commerce in society has profoundly impacted upon how people
manage and conduct business. It has changed how companies operate internally,
whilst also giving them the opportunity to expand into new, previously
untappable, markets. The ubiquitous nature of e-commerce has also accelerated
globalisation as instantaneous information exchange is possible anywhere on the
planet. The smallest of firms employing e-commerce potentially have access to a
global market. The largest of firms have redefined or remodelled themselves in
response to the advent of e-commerce. Indeed, e-commerce not only affects the
way business is conducted, but its nascent influence reverberates through to
changing the world economy (Nezu 2000). 

Nonetheless, this new dimension of business has
problems, barriers and disadvantages that inhibit its expansion. It is a
phenomenon undergoing continual, rapid change and maturity. Increasing levels
of integration of e-commerce systems into business has led to an increasing
level of reliance on these systems. Interorganisational systems and globally
distributed data mean that ensuring the availability, integrity and
confidentiality of the information these systems process is of paramount
importance. Unfortunately, it is the pace of e-commerce system development that
amplifies the huge challenge of ensuring those same systems are secure. This thesis
examines specifically the threat of fraud, which is the largest security risk
that has direct implications upon the revenue flows and costs of a business.

It is for this reason that e-commerce security should
receive collaborative attention from research institutions and commercial organizations,
such that security may be able to keep in step with the latest advancements in
e-commerce (Anandarajah and Lek 2000). Current approaches tend to be fragmented
in nature, due to the wide variety of systems in the marketplace, and the trend
of interorganizational systems integration means that unless a more unified
approach to shoring up security is taken, the rise in the number of exploitable
points in a large e-commerce system will be increasingly detrimental. A system
vulnerable to different types of fraud stands to be a large liability over more
traditional means of business and undermines the attractiveness of e-commerce.
Moreover, customers that perceive that their e-commerce transactions are
susceptible to fraud are not encouraged to engage in such business (Elliot and
Fowell 2000).
Only when security systems are developed that can, with a reasonable degree of
effectiveness, detect fraud, will this barrier to e-commerce uptake be

3.1.1 The Impact of E-Commerce

There can be no denial
that e-commerce has made a definite and significant impact upon the global
economy. Its integration into society has affected the ways people manage and
conduct business. The spread of e-commerce will continue as organizations use
it to increase productivity and as another avenue for sales and service. In
fact, Clarke (1993) predicts that business-to-business (B2B) and
business-to-consumer (B2C) e-commerce will become so popular that most
businesses will be forced to enter the digital economy in order to retain
competitive advantage.

In a study encompassing the first half of 2000, the
Internet Economy was, in the United States, found to support more than 3
million workers (CREC 2001). Online businesses numbered 550,000 by mid-2000
(Cerpa and Jamieson 2002), up 30 percent from the previous year. The United
States Department of Commerce estimated that retail e-commerce sales for the
fourth quarter of 2001 totaled $10 billion (Pastore 2002), up from $5.3 billion
in the same period in 1999 (Armstrong 2000). In contrast, total retail sales
were $821.2 billion and $860.8 billion in the fourth quarter of 1999 and 2001
respectively. Although e-commerce only accounts for a minuscule portion of all
retail sales, e-commerce sales have doubled in proportion to total retail sales
in the two year period, reflecting an increasing amount of e-commerce usage.
That e-commerce sales only compose about one percent of total retail sales
demonstrates there is plenty of room for e-commerce to continue expanding

From a worldwide perspective, IDC found that e-commerce
spending grew 68 percent between 2000 and 2001 to reach $600 billion. IDC
estimates that this will continue increasing to a massive $1 trillion in 2002
(Pastore 2002). The numbers above are primarily in reference to B2C
transactions. It is postulated that B2B transactions outstrip B2C ones with the
Gartner Group predicting 2004 worldwide B2B revenues at $7.3 trillion. It is
this profit potential that has lured venture capitalists into investing in
‘dot com’ companies which are trying to ‘ride the wave’ and establish
themselves as profitable businesses. 

There are many other statistics that may be cited.
However, one thing is clear – that e-commerce’s prominence in business is
increasing. In the next few years, this growth is forecasted to continue

From an organizational and management perspective, the
changes e-commerce has wrought have been just as dramatic. Most notable is the
restructuring of the ‘Big Five’ multinational accounting firms to separate
their e-commerce consulting arms from their auditing arms. The impetus for this
is to ensure that their audit work is not compromised, as a conflict of interest
exists if a firm both consults and audits the same client (Kane 2002).
Accenture’s separation from Andersen, as a result, also gave it independence
such that when Andersen was shaken by the collapse of Enron and consequential
legal proceedings, Accenture was relatively untouched. PricewaterhouseCoopers
has spun off its consulting arm which was acquired by IBM, Deloitte Touche
Tohmatsu spun off its consulting arm into Braxton, with KPMG likewise turning
theirs into BearingPoint. 

Apart from sales and marketing, e-commerce systems are
also employed for operational and supply purposes, including finance, logistics
and procurement. Incumbent firms especially have managed to take advantage of
these types of systems, enabling cost reduction and greater process
efficiencies (Turban 2000).



Kaiyoong Deng; Ruzhang; Hong Guo: “Analysis of study on detection of credit fraud in E-Commerce”, Future Computer Sciences of Application (ICFCSA), 2011, P (12-

Neubert M; Peleeira, A.M; Dolago, A.P: “Feature Extraction for fraud detection in electronic marketplaces”, Web Congress, 2009, Pg (182 – 192)

Chun-Hsiu Yeh; Tsui-Ping Chang; Wesi-Chang Sher: “Developing the continuous Assurance Embedded continuous audit web services”, Asia-Pacific Services Computing Conference, 2008, APSCC 08, Pg (1049 – 1054)

Alles, M. G., Kogan, A. and Vasarhelyi, M. A. (2002), Feasibility and economics of continuous assurance, Auditing: A Journal of Practice and Theory, vol. 21 (1), pg. 125-138

Anandarajah, Benjamin and Lek, Monkol (2000), “Using Data Mining to Detect E-Commerce Fraud”, Report No. 37 1998-99.

Baker, C. R. (1999) An Analysis of fraud on the Internet, Internet Research-Electronic Networking Applications & Policy, 9(5), 348-359.

Compton, P., Edwards, G., Kang, B., Malor, R., Menzies, T., and P. Preston (1991) Ripple down rules: possibilities and limitations, Proceedings of the 6th Knowledge Acquisition for Knowledge Based Systems Workshop, Banff, pp 2-5.

Elder IV, J. and D. Pregibon (1996) A Statistical Perspective on Knowledge Discovery in Databases, U.M. Fayyad, G. Piatetsky-Shapiro, P. Smyth, and R. Uthurusamy, eds., Advances in Knowledge Discovery and Data Mining, pp. 83-115, AAAI/MIT Press.

Fayyad, U., Piatetsky-Shapiro, G., Smyth, P., and R. Uthurusamy (1996) Advances in Knowledge Discovery and Data Mining, AAAI/MIT Press, 1996.

Groth, R. (2000) Data Mining- Building Competitive Advantage, Prentice Hall.

Holsheimer, M., and A. P. J. M. Siebes (1994) Data Mining, the search for knowledge in databases, Report CS-R9406, CWI, Amsterdam, The Netherlands, pp. 8-19, 41-49.

Lach, J. (1999) Data Mining Digs In, American Demographics, July, pp 38-40, 42-45.

Lunt, T. L. (1993) A Survey of Intrusion Detection Techniques, IPIP-TC11 Computers and Security, 12(4), pp 405-418.

Mitchell, T. M. (1997) Machine Learning. Singapore: McGraw-Hill.

Nath, R., Akmanligil, M., Hjelm, K., Sakaguchi, T., and M. Schultz (1998) Electronic Commerce and the Internet: Issues, Problems, and Perspectives, International Journal of Information Management, 18(2), pp 91-101.

Quinlan, J. R. (1993) C4.5: Programs for Machine Learning, Morgan Kaufmann.

Smith, R. (1999) Fraud: What Response?, Australian CPA, November, pp. 39.

Sweeney, P. (1999) Cyber-Crime’s Looming Threat, Banking Strategies, July/August, pp 54-56, 58-59.

Thrun, S. B., Bala, J., Bloedorn, E., Bratko, I., Cestnik, B., Cheng, J., De Jong, K., Dzeroski, S., Fahlman, S. E., Fisher, D., Hamann, R., Kaufman, K., Keller, S., Konomenko, I., Kreuziger, J., Michalski, R. S., Mitchell, T., Pachowicz, P., Reich, Y., Vafaie, H., Van de Welde, W., Wenzel, W., Wnek, J., and J. Zhang (1991) The Monk’s problems: A performance comparison of different learning algorithms, Technical Report CMU-CS-19-197, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA.

Wong, K., Ng, B., Cerpa, N., and R. Jamieson (2000) An Online Audit Review System for Electronic Commerce, Proceedings of the Thirteenth Bled Electronic Commerce Conference, Slovenia, pp 19-21