
GROUP ASSIGNMENT:

Auditing Case of
Harley-Davidson, Inc. (Case 6.1)

By Group Accounting Class - Auditing:


Amellia Samantha / 008201500036
Jersey Purba / 008201500057
Samuel Alexander / 008201500028
Stephanie Angelica / 008201500095
Batch 2015
Auditing Seminar Subject
Lecturer: Gatot Imam Nugroho

President University
Jalan Ki Hajar Dewantara, Cikarang,
West Java - Indonesia
(021) 89109762

May 2018
Case 6.1 Harley-Davidson, Inc.
Identifying eBusiness Risks and
Related Assurance Services for the eBusiness Marketplace

I. Summary
Harley-Davidson Motor Company began over 100 years ago.
Today the company has net sales over $4 billion and 55% of U.S. market share.
In the mid-1990s the company began work on a vertically and technologically integrated supply-chain
system. By forming strategic alliances with all of its top suppliers, bringing them into the design and
planning process, and integrating with them through the internet, Harley-Davidson was able to
dramatically reduce the cost of producing its famous “hogs.” The company shaved $40 million off its
materials costs over a five-year period. Product-development time fell by 30%. Defect levels on bike
parts plummeted from an average of 10,000 to 48 parts per million for over 75% of its suppliers.

II. Learning Objectives


1. Identify business risks associated with eBusiness models used in today’s supply-chain
management systems.
• Information overload
• Software/network failure or malfunctioning
• Exposure to internal threats (e.g., possible sabotage by employee, theft of
  information, information manipulation) in the system
• Exposure to external threats (e.g., theft of information by external parties
  in the system, virus/malware) in the system
• Over-dependency on the system

Specifically, the environmental and process risks of eBusiness are as follows:

1|Harley-Davidson, Inc
2. Describe assurance services CPAs can provide to clients involved in eBusiness
partnerships.
In 1997 the AICPA created the "CPA WebTrust" seal. Under this program,
independent accountants or auditors examine three areas related to a website every 90
days: information protection, business practices disclosures and transaction integrity.
The WebTrust approach should enhance the feeling of security with online
purchasing. In addition, the auditors are able to stay better informed on the
organization's eBusiness controls.

In the meantime, the CPA WebTrust program has been enhanced in view of
new technological changes. People want to know how a site will handle confidential
information. Without assurance from independent third parties that confidential
information will be protected, some individuals or organizations will never buy
online. eBusiness companies must explain how they collect and handle information
and post easy-to-read confidentiality statements.

Ultimately, trust and assurance for eBusiness companies are provided through
the execution of the continuous audit process. In a continuous audit, the auditor
does not necessarily operate in discrete (annual) time intervals as in the
traditional audit. Instead, the auditor uses software and/or integrated
application controls on the client's application and data systems to stay
updated online, in real time, on any exceptions or "red flags" occurring in the client
databases. A continuous audit usually requires that the auditor be involved in the
original design and implementation of the eBusiness system controls. Needless to say,
such online, real-time auditing will have an enormous impact on the audit
profession and its professionals.

The major accounting and audit firms either have or are in the process of
redesigning their audit approach to change with the evolution to an eBusiness model.
In redesigning the audit, the auditors place a much heavier emphasis on business
processes and internal controls. Moreover, all auditors realize that, besides financial
and technological skills, other competencies such as tax, legal, corporate finance,
strategy, deep industry knowledge and specific eBusiness technological skills are vital
to performing a solid eBusiness audit and issuing an opinion.

3. Recommend effective internal controls to address risks associated with eBusiness
supply-chain systems.
For effective internal controls, eBusiness companies must use the most
reliable security controls and tools and communicate that they are doing so to their
audience in easy-to-understand language. This includes using the latest encryption
technology, digital signatures and certificates, secure server technology and
authentication to ensure that all information exchanged is secure. This implies an
independent verification to ensure that all security controls adequately protect the
organization, its suppliers, partners and customers from the risk of (main) security
breaches.

III. Required

1. Identify the most significant new business risks facing Harley-Davidson (HD) as a
result of integrating eBusiness into its supply chain management system and by
allowing suppliers to have access to the company’s intranet. If your instructor does not
specify the number of risks for you to identify, list at least three.
Harley-Davidson inevitably faces a variety of risks as the company relies on an
Internet-based supply chain network, such as:
• Suppliers may violate confidentiality agreements and leak information to competitors.
• Suppliers may not effectively interpret the information being provided to properly
  schedule the delivery of parts.
• The Internet-based system may be periodically down, resulting in suppliers being
  unable to access electronic information. In such circumstances, suppliers will lose
  productive time until the system is repaired.
• Other suppliers NOT chosen may not be ready to do future business if a current
  supplier drops out of the network (less diversification among suppliers).
• An employee of one of the suppliers may have conflicting job responsibilities that
  create an incentive to commit fraud.
• There exists the possibility of a natural disaster occurring in which the system may go
  down and information may be lost.
• Suppliers may manipulate the system and take advantage of their increased access to
  HD’s purchasing schedules, including increased possibility of fraudulent actions by
  suppliers.
• Suppliers may not be up to par in terms of being compatible with HD’s Internet-based
  system (they may lack the necessary hardware and software tools). In addition,
  suppliers may not have the know-how to operate the system. Finally, a supplier’s
  system may lack integrity and quality, and may provide inaccurate information to
  HD’s system.
• HD may experience technology difficulties relating to traffic problems in which too
  many external partners are on the system at once. Also, technology difficulties may
  occur if all the “bugs” are not worked out of the system or if HD experiences
  hardware/software problems internally.
• The risk of fraudulent transactions may increase as a result of switching from a
  paper-based supply-chain management system to an electronic system. Hiding such
  transactions may become easier since there is no paper-based audit trail of
  transactions to be reviewed by internal or external auditors.
• HD and/or external business partners may lack the resources necessary to integrate
  new technologies effectively and efficiently.

2. For each risk you identified in question number one above, identify the control
Harley-Davidson might have implemented to mitigate that risk.
The following are some of the internal controls that HD has likely implemented to
mitigate the risks identified above:

• The creation of an internal IT department with a systems administrator who oversees
  the transfer of confidential information between HD and suppliers and plays the role
  of watchdog.
• The implementation of a certification process in which periodic training meetings are
  held, including educating all HD employees and suppliers on the operation of the new
  supply-chain management system and testing their knowledge of how to use the new
  system. This assures that everyone is on the same page.
• Periodically sending HD personnel out to visit suppliers to verify that suppliers are
  using the system correctly and understanding the information.
• The use of a dynamic password system and other types of security programs that limit
  access to the system.
• The negotiation of a contract with Manugistics Group, Inc. that requires the company
  to always have personnel available to repair the system whenever it fails. HD’s IT
  department could also receive training on how to maintain and fix the system so as
  not to be completely dependent on Manugistics. Also, such a contract should be
  negotiated with hardware/software manufacturers.
• Requiring that the system be backed up on a periodic basis and constructing a cold,
  warm, or hot site in the case of disaster.
• Ensuring that adequate separation of duties exists for HD and supplier employees.
• The performance of random audits by an outside company to monitor the use of
  confidential information by suppliers.
• The implementation of a procedure to discard information after it has been used or to
  store it securely.
• Requiring suppliers to stay up to date on current technology by purchasing and
  maintaining hardware and software that is compatible with the new supply-chain
  management system.
• The implementation of a pilot program to convert over to the new Internet-based
  system from the old system. Instead of converting everything over at one time,
  changing one department at a time will allow HD and its suppliers to continue on the
  old system until most of the bugs are worked out and the new system is operating
  efficiently.
• The implementation of a system where every transaction is stored electronically, with
  backups, in a secure area. By saving to a secure long-term storage location,
  transactions are available for later review or audit.
• The performance of a financial analysis to discover if the benefits outweigh the costs
  of implementing the new system.
• Requiring each supplier’s system to be independently audited and approved (e.g., the
  SysTrust service may be applicable).
• The creation of an accurate flowchart that illustrates the flow of information
  accompanied by a narration that sufficiently describes the processes and procedures of
  the system.
• The use of firewalls and such security measures to protect from those attempting to
  corrupt the integrity of the system.

3. Given the technology linkages between business partners in eBusiness systems, how
might an eBusiness system like Harley-Davidson’s increase business risks for its
business partners?
The following list illustrates ways in which an eBusiness system like the one used by
Harley-Davidson might increase business risks for its business partners:
• Costs to be a partner may make doing business with HD less profitable.
• Information from HD may not provide reliable forecasts for suppliers to manage their
  inventories effectively.
• HD may take advantage of its dominance in the negotiation position and the Internet
  arrangement may increase competitive pressures on suppliers.
• Business relationships that the partners have with other customers may suffer as
  partners use time, energy, and resources to satisfy HD; they may lose business
  because of lack of capacity to be anything more than an HD supplier.
• Huge dependence on HD as a key customer and a less diversified customer base. Suppliers
  are also likely to lose some autonomy and freedom as HD may exercise more
  influence over their business decisions.
• Specializing in HD parts may create the need for business partners to depart from
  business plans and strategies that were once successful. Partners may find that they
  need to specialize and drop some lines of business in order to produce the quantity of
  specific parts needed by HD.
• Pressure may increase for suppliers’ employees in meeting HD’s demands on a
  real-time, on-line basis.

4. Research the SysTrust and WebTrust services from the information on the following
web page (or search the Internet or within the AICPA’s Information Technology Center
Web site for “Trust Services”): http://www.webtrust.org. Describe how WebTrust
services differ from SysTrust services. Describe how they are related.
WebTrust and SysTrust are two specific services developed by the AICPA and
Canadian Institute of Chartered Accountants (CICA) based on the Trust Services Principles
and Criteria. Both services are based on the common framework (i.e., a core set of principles
and criteria) established in the Trust Services Principles and Criteria. The WebTrust service
evaluates an eBusiness client’s privacy, security, availability, confidentiality, consumer
redress for complaints, and business practices. The SysTrust service examines a particular
client’s information system to assure the availability, security, integrity, and maintainability
of that system.
WebTrust and SysTrust services differ from each other in a variety of ways.
WebTrust Services are focused more specifically on e-commerce and building confidence
with individual and business consumers who are purchasing a product(s) or service(s) online.
The WebTrust services highlight matters such as security, privacy, availability,
confidentiality, and processing integrity. Once an online business has received a WebTrust
examination and demonstrated compliance with the principles and criteria, the website of that
company can display the authentic WebTrust seal of approval.

In order to maintain the seal of approval, the online business must be re-evaluated
once every 12 months to assure that the company continues to be in compliance with the
Trust Services Principles and Criteria for their eBusiness application. On the other hand,
SysTrust services are focused on providing assurance that a company has an effectively
controlled information system. Relevant Trust Services Principles and Criteria for the
SysTrust services address five areas: security, availability, processing integrity,
confidentiality, and privacy. In a SysTrust engagement, not only does the CPA evaluate if the
company is in harmony with the principles and criteria, but also determines if the system is
effectively controlled. The performed tests are to determine whether those controls were
operating effectively during a specified period. If the system meets the SysTrust criteria, an
unqualified attestation report is issued relative to management’s written assertion that the
controls over the system have been effectively maintained over that period of time in
accordance with SysTrust principles.

5. What Trust Services principles are examined in a SysTrust engagement? Describe the
role of the criteria when evaluating these principles in a SysTrust engagement.
As stated on its website, SysTrust uses the following five Trust Services Principles to
evaluate whether a system is reliable:
• Availability: Determines whether the system is available for operation and use as
  committed or agreed.
• Security: Determines whether the system is protected against unauthorized access
  (physical and logical).
• Processing Integrity: Determines whether the system processing is complete,
  accurate, timely, and authorized.
• Confidentiality: Determines whether information designated as confidential is
  protected as committed or agreed.
• Privacy: Personal information is collected, used, retained, and disclosed in
  conformity with the commitments in the entity’s privacy notice and with the criteria
  set forth in generally accepted privacy principles issued by the AICPA/CICA.
For each principle, the Trust Services framework contains criteria, which demonstrate the
attributes that the entity must meet to be able to demonstrate that it has achieved the
principle. The criteria are to be used as benchmarks to measure and present the subject matter
and against which the practitioner evaluates the subject matter. In order to receive an
unqualified opinion, all criteria for a principle must be met unless the criterion is clearly not
applicable. The principles and criteria are organized along four broad categories: policies,
communications, procedures, and monitoring. With a SysTrust engagement a CPA issues an
attestation report to signify that management of a company has maintained effective controls
to enable its system to function reliably in accordance with SysTrust criteria, and that those
controls operate effectively within a specified period of time. If one or more of the principles
and criteria are not fulfilled, a CPA can issue a qualified or adverse report - directly on the
subject matter rather than on management’s assertion. A SysTrust report can be issued on any
one or more of the five principles.

6. According to the CICA Web site indicated in question number four, what
professional standards must a CPA follow when providing assurance services that result
in the expression of a WebTrust or SysTrust opinion?
When providing assurance from SysTrust or WebTrust engagements, practitioners
must follow the performance and reporting standards contained in Statement on Standards for
Attestation Engagements (SSAE) No. 10, Attestation Standard: Revision and Recognition
(AICPA, Professional Standards, vol. 1, AT sec. 101), as amended. In the provision of
advisory services, such as strategic, diagnostic, implementation and sustaining/managing
services, using Trust Services principles and criteria, practitioners should follow Statement
on Standards for Consulting Services (AICPA, Professional Standards, vol. 2, CS sec. 100).

7. Assume Harley-Davidson asks your CPA firm about the WebTrust and SysTrust
services that it provides. Write a brief memo to Gerry Berryman, Vice president of
Materials Management, detailing the potential benefits of WebTrust and SysTrust for
Harley-Davidson. Include in the memo a recommendation regarding which of these
assurance services would be most appropriate for Harley-Davidson’s supply chain
management system. Be sure to explain to Mr. Berryman the nature of the two different
services and why you are recommending the one you chose.
Memo
To: Gerry Berryman
From:
Date:
RE: WebTrust and SysTrust Services
I am writing in response to the information you requested on WebTrust and
SysTrust services. The purpose of this memo is to briefly describe each service and to
give you my recommendation as to which service is best for Harley-Davidson.
Both WebTrust and SysTrust services enable a CPA to provide assurance that a
system is, in fact, reliable. Both of these services work to minimize risk to outside parties
who depend on a company’s Internet-based system to make decisions. The SysTrust service
would likely be the more appropriate of the two services in relation to
Harley-Davidson’s new supply-chain management system. SysTrust services will focus on providing
assurance that Harley-Davidson has effective system controls and safeguards implemented in
the new supply-chain management system in accordance with applicable Trust Services
principles and criteria. Such an increased level of assurance is vital considering the fact that
many suppliers and business partners outside of the company will be using the new
system to make decisions that will influence the financial success of their businesses. In
order for the Internet-based system to thrive, outside parties must be confident in the
reliability and integrity of Harley-Davidson’s information system.

WebTrust services are focused more specifically on e-commerce by helping build
confidence with consumers purchasing a company’s product over the Internet.
Harley-Davidson has an e-commerce site that focuses on advertising motorcycles and selling
merchandise. I would suggest that Harley-Davidson consider using the WebTrust
services to increase the confidence of customers making purchases over the Internet.
Having the website stamped with the WebTrust seal may increase customers’ confidence in
using the site.
The most important issue at this time appears to be increasing the confidence
of suppliers and business partners in the supply-chain management system. Thus, while
both services would be appropriate, I recommend that Harley-Davidson first seriously
consider obtaining SysTrust services.
