Overview of WebTrust™
AICPA
Chartered Accountants of Canada / Comptables agréés du Canada
Secure e-Business
Concerns About e-Business
What are this site’s e-Commerce practices?
I am worried about security
I would like to maintain anonymity
I do not like traceability
What are they going to do with my information?
Who am I really doing business with?
I am afraid I will get scammed, will I get my stuff?
What is the recourse if something goes wrong?
Barriers to Acceptance
People who have access to the Internet but have not purchased a good or
service through it state that the following were factors in their decision:
56%: Concern over unauthorized use of credit card information
52%: Concern over privacy of personal information
36%: Concern over not receiving product or service ordered
Source: Canadian Institute of Chartered Accountants, Electronic Commerce Survey, August 1997
D&T & Retail Council of Canada’s Most Recent Study
Consumers are saying…
The visual aspect of online shopping is key.
There is a strong commitment to purchasing at Canadian sites.
Online purchasing is considered to be convenient and saves time.
Considerable concern still exists about the privacy of personal information related to online purchasing.
A third-party security endorsement can help build the trust of site visitors.
Bookmarking of favorite sites has the potential to build loyalty.
The power of “word of mouth” should not be underestimated.
The WebTrust™ Response: A Unique Seal of Assurance
WebTrust™
Provides assurance that a web site meets AICPA/CICA defined criteria for business practices and transaction integrity, security and privacy, and related disclosures.
Is designed to build consumer confidence in electronic commerce.
Is the only service combining privacy, security, and transactional integrity with up-front and ongoing independent third party verification.
Will be able to demonstrate a web site’s compliance with the privacy laws of major industrial countries.
Is a global seal that can be provided by qualified and licensed CPAs and CAs around the world.
WebTrust™ Global Availability
Global Offering of WebTrust™
Currently: Canada, United States, England and Wales, Denmark, France, Germany, Ireland, Netherlands, Spain, Australia, Hong Kong
Planning: New Zealand
Researching: Belgium, Malaysia, Japan, Italy, Argentina
WebTrust™ Sample Site
WebTrust™ Seal
A Web consumer would see the seal on a Web page and would then click on it to access additional information.
WebTrust™ Certification Process
Definition of scope
Web sites & services included
Geographical scope
Self-assessment questionnaire
Understand outsourced activities
Initial period at least 60 days
Unqualified audit report
At least semi-annual updates
Independence
Appropriate team with required expertise
Overview of the WebTrust™ Process
Phase I – Understanding the Methodology and Process
• Perform a self-evaluation.
• Understand and document the electronic commerce business and systems processes, procedures and controls.
• Map existing processes and controls against WebTrust™ Principles and Criteria.
• Build a WebTrust™ Preview Site.
Overview of the WebTrust™ Process
Phase II – Testing of the Processes & Controls
Test and evaluate the Business Practices Disclosures, Transaction Integrity, Security and Privacy Controls.
Overview of the WebTrust™ Process
Phase III – Reporting
Complete the final report and certify the Web Site.
Overview of the WebTrust™ Process
Phase IV – Minimum Semi-Annual Updates (Version 3.0)
• Update our review and tests of the Business Practice Disclosure, Transaction Integrity and Information Protection on a semi-annual basis.
• Update for any major system changes and service offerings.
The New Version 3.0 WebTrust™
Version 3.0 includes any of the following WebTrust™ Seals:
WebTrust™ Security Seal
WebTrust™ Transactional Integrity Seal
WebTrust™ Privacy Seal
or WebTrust™ Consumer Protection Seal, including all three of the above
Additional principles for B2B & ISP/ASPs include:
• availability
• confidentiality
• non-repudiation
• customized disclosures
WebTrust™ 3.0 Principles: Security
Security
The enterprise discloses key security policies, complies with such
security policies, and maintains effective controls to provide
reasonable assurance that access to the electronic commerce system
and data is restricted only to authorized individuals in conformity
with its disclosed security policies.
WebTrust™ 3.0 Principles: Transaction Integrity
Transaction Integrity
The enterprise discloses its business practices for electronic
commerce, executes transactions in conformity with such practices,
and maintains effective controls to provide reasonable assurance
that e-Commerce transactions are processed completely, accurately
and in conformity with its disclosed business practices.
WebTrust™ 3.0 Principles: Privacy
Privacy
The enterprise discloses its privacy policies, complies with such
privacy practices, and maintains effective controls to provide
reasonable assurance that personally identifiable information
obtained as a result of electronic commerce is protected in
conformity with its disclosed privacy practices.
WebTrust™ 3.0 Principles: Availability
Availability
The enterprise discloses its practices for availability, complies with
such availability disclosures, and maintains effective controls to
provide reasonable assurance that e-commerce systems and data
are available as disclosed.
WebTrust™ 3.0 Principles: Non-repudiation
Non-repudiation
The enterprise discloses its practices for non-repudiation, complies
with such practices, and maintains effective controls and appropriate
records to provide reasonable assurance that the authentication and
integrity of transactions and messages received electronically are
provable to third parties in conformity with its disclosed non-repudiation practices.
WebTrust™ 3.0 Principles: Confidentiality
Confidentiality
The enterprise discloses its confidentiality practices, complies with
such confidentiality practices and maintains effective controls to
provide reasonable assurance that access to information obtained as
a result of electronic commerce and designated as confidential is
restricted to authorized individuals in conformity with its disclosed
confidentiality practices.
WebTrust™ 3.0 Principles: Customized Disclosures
Customized Disclosures
The enterprise’s specified disclosures are consistent with
professional standards for suitable criteria and relevant to its
electronic controls over the processes supporting such disclosures
to provide reasonable assurance that such disclosures are reliable.
Frequently Asked Questions
What happens if a company does not meet the audit
requirements? How long do we have to fix any
inconsistencies?
The company needs to demonstrate that it has been in compliance with the
WebTrust™ criteria for at least 60 days before it can receive the WebTrust™
seal. Then it needs to remain in compliance with the criteria to continue to
display the seal.
As part of their work, practitioners may identify weaknesses which need to be
addressed. This may be included as part of the services based on the extent
of the weaknesses identified. However, if the practitioner and the
management determine that the weaknesses are extensive, then we will have
to address those issues and help you improve the controls and practices
separately. In such cases, the seal will be awarded 60 days after the
implementation of the new controls, to ensure their effectiveness.
What does WebTrust™ membership provide
other than quarterly (semi-annual) audits?
As is the case with a financial statement audit, there is no membership structure.
The AICPA/CICA task force would be willing to consider such a program if there was
sufficient interest among organizations with the WebTrust™ seal.
However, as a certified WebTrust™ web-site, you will be listed at the WebTrust™
home page under a listing of all WebTrust™ certified companies. This provides
customers a “Yellow Pages” of WebTrust™ web-sites. Additionally, the members
will have access to “Best Practices” for Internet electronic commerce.
How is a WebTrust™ audit different from a regular
accounting and/or system audit and what extra value
does it provide?
The purpose of a WebTrust™ audit differs significantly from that of a financial
statement audit. The focus of WebTrust™ is on the business practices disclosures
for electronic commerce transactions and the related controls over transaction
integrity and information protection. The WebTrust™ view is ensuring that
business-to-consumer electronic commerce transactions are appropriately handled
and that related concerns of typical consumers are addressed by the business.
By contrast, the financial statement audit focuses on the reliability and fair
presentation of financial statements and the related footnotes and disclosures. The
audit work performed on accounting systems is an intermediate step in formulating
the auditor's opinion on the financial statements.
By representing WebTrust™, does the CA or CPA issuing
the WebTrust seal ensure security of the company’s
processes and systems to customers?
The responsibility for ensuring security of a company’s processes and systems is
that of the company’s management. The practitioner is providing an independent
and objective assessment of how management is discharging that responsibility.
What are the key customer benefits?
Key customer benefits are increased trust and confidence in doing business
electronically on the Internet. This should ultimately result in more efficient
markets and lower cost benefits to both the company and its customers.
Customers will have access to a “Yellow Pages” listing of your web-site as a
WebTrust™ certified business.
WebTrust™ is a recognized seal of assurance on the Internet. The true
advantage will be for those companies who get the early edge through strategic
marketing of their electronic commerce practices and their WebTrust™
certification.