Part Four: Integrating E-Commerce with the Rest of the

Assurance on e-Commerce and other systems (ACC 651/646)
What are the Risks for Consumers?
Unknown entity
Ease of establishing and removing e-Commerce sites
Transactions not processed correctly
Security of information
Privacy of information
What are the Risks for Companies?
Denial of Service: system failures, crashes, capacity issues
Unauthorized Access: viruses, hackers, loss of confidentiality
Loss of Data Integrity: corrupted, incomplete, fictitious data
Maintenance problems: unintended impact of system changes
Recent Headlines
Reliability & the Market
[Chart: E*Trade stock price (EGRP), 8/98 to 3/99, annotated with E*Trade publicized network failures and the resulting market cap decreases of $767m, $737m and $2.5b]
Agenda
Concerns about system reliability
WebTrust
SysTrust
Future of IT Assurance
Dimensions of Unreliability
Denial of Service: system failures, crashes, capacity issues
Unauthorized Access: viruses, hackers, loss of confidentiality
Loss of Data Integrity: corrupted, incomplete, fictitious data
Maintenance problems: unintended impact of system changes
Failure to fulfill commitments
WebTrust & SysTrust
Two services designed to address new assurance needs
WebTrust deals with the customer front end
SysTrust deals with systems
Both are CA/CPA assurance reports (US: SSAE #1; Canada: CICA section 5025)
What is SysTrust?
SysTrust Process
- System Description: management makes representations (Mgmt's Assertions) about system reliability
- SysTrust Criteria: using a framework of 4 principles and 58 criteria
- CA/CPA collects evidence to support management's assertions
- Auditor's Report: CA/CPA issues an assurance report on controls over the system's reliability
What is WebTrust?
The WebTrust Process
- Management makes representations about e-commerce practices
- using a framework of 3 principles and related criteria
- CA/CPA collects evidence to support management's assertions
- CA/CPA issues seal (displayed on the site; clicking it leads to the report)
Professional Standards
Assurance/Attestation:
- CICA - s. 5025
- AICPA - SSAE #1
- S5900 & SAS 70
Rules of Professional Conduct:
- Independence
Licensing SysTrust/WebTrust
Value of Assurance Report
Increase Revenues:
- attract customers, business partners
- avoid reputation / market-share / other losses
- differentiate against competitors
- better selection of business partners
Reduce Costs:
- avoid systems development rework
- reduce cost of capital
- common evaluation framework - efficient
Reduce Risks:
- confidence in internal systems
- appropriate controls
- protect shareholder value
- better decision making
- regulators (taxation, privacy, etc...)
- insurers
Who are Likely Buyers?
System Users & Influencers:
- "C-Suite" - CEO, COO, CFO, CIO,...
- Internal Auditors
- Board of Directors
- Customers
System Owners:
- Service Providers (outsourcing)
- System Vendors
System Builders:
- IT Operations
- Consultants
A "SysTrust" Opinion...
"We have audited the assertion by mgmt that... ABC company maintained effective controls... to provide reasonable assurance that... XYZ system was reliable... based on SysTrust principles & criteria..."
"In our opinion mgmt's assertion... is fairly stated in all material respects..."
Definitions: System, Reliability, Criteria
SYSTEM: "...an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information..." (components: software, infrastructure, data, people, procedures)
SYSTEM RELIABILITY: "A system that operates without material error, fault or failure in availability, security, integrity or maintainability during a specified time in a specified environment."
RELIABILITY CRITERIA: criteria are grouped under the four principles of Availability, Security, Integrity and Maintainability
Each Principle has a series of Criteria
58 mandatory Criteria in 3 categories:
- policies exist and are appropriate
- policies are implemented and operate effectively
- adherence to policy is monitored
Attributes of Criteria:
- measurable
- objective
- relevant
- complete
Structure of Criteria
Number of criteria per principle, by category:

Category      Availability  Security  Integrity  Maintainability  Totals
Policies            5           5         5            5            20
Procedures          4          11         6            5            26
Monitoring          3           3         3            3            12
Totals             12          19        14           13            58
Illustrative Controls
CICA's ITCG: comprehensive coverage of risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc.
ISACF's COBIT: also comprehensive; planning & organization, acquisition & implementation, delivery & support, monitoring, etc.
WebTrust Principles
Business Practices Disclosure: The entity discloses its business practices for electronic commerce transactions and executes transactions in accordance with its disclosed business practices.
Transaction Integrity: The entity maintains effective controls to ensure that customers' orders placed using electronic commerce are completed and billed as agreed.
Information Protection: The entity maintains effective controls to ensure that private customer information is protected from uses not related to the entity's business.
Business Practices Disclosure
Terms & conditions by which it does business:
- time frame for fulfillment
- time for backorder notification
- normal method of delivery & options
- payment terms & options
- electronic settlement practices
- canceling recurring charges
- return practices, if any
Nature of the goods, information, or services
Where customers can obtain warranty and other service
Information to allow customers to file claims & complaints (including consumer dispute resolution - version 2.0)
Information privacy policies (version 2.0)
Transaction Integrity Controls
All information needed to process & bill the order accurately is recorded
Proper goods or services are provided
Billing & settlement is done properly
Documentation permits subsequent follow-up
Management has monitoring to ensure:
- business practice disclosures remain current
- transaction integrity controls and practices remain effective
- non-compliance situations are promptly corrected
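The four control objectives above are the kind an auditor can test mechanically over the transaction records themselves, which is also what the continuous-auditing direction discussed later in the deck depends on. The following Python is an added example, not code from the slides or from the AICPA/CICA WebTrust materials: it reconciles constructed order, billing and shipment records against each other, raises one exception record per control failure (incomplete order, billing that does not match the agreed order, goods not shipped as ordered, bills or shipments for orders that do not exist), and appends every exception to a hash-chained trail so that later follow-up can detect edits to the documentation. The required-field list, record shapes and sample data are assumptions made for the example.

```python
"""Illustrative test of transaction-integrity controls over e-commerce orders.

Added example, not part of the original slides. Field names, record shapes
and the sample records below are assumptions constructed for this example.
"""
from decimal import Decimal
import hashlib
import json

# Assumed policy: an order may not be billed or shipped until these are recorded.
REQUIRED_ORDER_FIELDS = ("order_id", "customer_id", "items", "ship_to", "payment_method")


def missing_fields(order):
    """Control 1: all information needed to process and bill the order is recorded."""
    return [f for f in REQUIRED_ORDER_FIELDS if not order.get(f)]


def order_total(order):
    """Recompute the agreed amount from the line items rather than trusting a stored total."""
    return sum((Decimal(i["unit_price"]) * i["qty"] for i in order["items"]), Decimal("0"))


def reconcile(orders, bills, shipments):
    """Controls 2 and 3: the proper goods are shipped and the bill matches the order.

    Returns one exception record per control failure, with enough detail for
    an auditor to follow up. Control 4 (documentation) is the AuditTrail below.
    """
    exceptions = []
    bills_by_order = {b["order_id"]: b for b in bills}
    shipped = {}  # order_id -> {sku: total quantity shipped across all shipments}
    for s in shipments:
        acc = shipped.setdefault(s["order_id"], {})
        for sku, qty in s["items"].items():
            acc[sku] = acc.get(sku, 0) + qty

    known_orders = set()
    for o in orders:
        oid = o.get("order_id", "<missing>")
        known_orders.add(oid)
        missing = missing_fields(o)
        if missing:
            exceptions.append({"order_id": oid, "control": "completeness", "detail": missing})
            continue  # an incomplete order cannot be billed or shipped correctly
        ordered = {i["sku"]: i["qty"] for i in o["items"]}
        bill = bills_by_order.get(oid)
        if bill is None:
            exceptions.append({"order_id": oid, "control": "billing", "detail": "order not billed"})
        elif Decimal(bill["amount"]) != order_total(o):
            exceptions.append({"order_id": oid, "control": "billing",
                               "detail": f"billed {bill['amount']}, order total {order_total(o)}"})
        if shipped.get(oid, {}) != ordered:
            exceptions.append({"order_id": oid, "control": "fulfilment",
                               "detail": {"ordered": ordered, "shipped": shipped.get(oid, {})}})
    # Bills or shipments with no matching order are fictitious data.
    for oid in set(bills_by_order) - known_orders:
        exceptions.append({"order_id": oid, "control": "billing", "detail": "bill without order"})
    for oid in set(shipped) - known_orders:
        exceptions.append({"order_id": oid, "control": "fulfilment", "detail": "shipment without order"})
    return exceptions


class AuditTrail:
    """Control 4: append-only, hash-chained record of control results.

    Each entry's hash covers the previous hash and its own body, so changing or
    removing any earlier entry after the fact is detected by verify().
    """

    def __init__(self):
        self.entries = []

    def append(self, record):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = json.dumps(record, sort_keys=True, default=str)
        digest = hashlib.sha256((prev + body).encode()).hexdigest()
        self.entries.append({"prev": prev, "body": body, "hash": digest})
        return digest

    def verify(self):
        prev = "0" * 64
        for e in self.entries:
            if e["prev"] != prev or hashlib.sha256((prev + e["body"]).encode()).hexdigest() != e["hash"]:
                return False
            prev = e["hash"]
        return True


# Constructed sample records (assumptions, not real transactions).
SAMPLE_ORDERS = [
    {"order_id": "A100", "customer_id": "C1", "ship_to": "1 Main St", "payment_method": "card",
     "items": [{"sku": "BOOK-1", "qty": 2, "unit_price": "12.50"}]},
    {"order_id": "A101", "customer_id": "C2", "ship_to": "2 Oak Ave", "payment_method": "card",
     "items": [{"sku": "PEN-9", "qty": 1, "unit_price": "3.00"}]},
    {"order_id": "A102", "customer_id": "C3", "ship_to": "", "payment_method": "card",  # no address
     "items": [{"sku": "MUG-4", "qty": 1, "unit_price": "8.00"}]},
]
SAMPLE_BILLS = [
    {"order_id": "A100", "amount": "25.00"},  # matches 2 x 12.50
    {"order_id": "A101", "amount": "30.00"},  # overbilled: order total is 3.00
    {"order_id": "Z999", "amount": "99.00"},  # bill for an order that does not exist
]
SAMPLE_SHIPMENTS = [
    {"order_id": "A100", "items": {"BOOK-1": 2}},
    {"order_id": "A101", "items": {"PEN-9": 1}},
]


def run_control_test(orders=SAMPLE_ORDERS, bills=SAMPLE_BILLS, shipments=SAMPLE_SHIPMENTS):
    """Run the reconciliation and record every exception in a tamper-evident trail."""
    trail = AuditTrail()
    exceptions = reconcile(orders, bills, shipments)
    for e in exceptions:
        trail.append(e)
    return exceptions, trail


if __name__ == "__main__":
    found, trail = run_control_test()
    for e in found:
        print(e["order_id"], e["control"], e["detail"])
    print("trail intact:", trail.verify())
```

Over the sample data the run reports three exceptions (A101 overbilled, A102 incomplete, Z999 billed without an order) and a verifiable trail; the count of open exceptions per period is the metric management's monitoring would track, and the trail is what lets "non-compliance situations" be followed up rather than silently edited away.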
Information Protection Controls
Transmissions via public networks are secure
Protection of private customer information
Protection against unauthorized access by the entity to customers' computers or files
Management has monitoring to ensure:
- information protection controls and practices remain effective
- non-compliance situations are promptly corrected
Control Environment
Part of the Transaction Integrity and Information Protection Criteria
Entity has a control environment that is generally conducive to:
- Reliable business practice disclosures on its web site
- Effective controls over electronic commerce transaction integrity
- Effective controls over protection of private customer information
WebTrust Seal
Web consumer would see the seal on a web page, and would then click on it to access additional information
Display of firm name and logo is optional (e.g., "Click to see report issued by: XY&Z, Chartered Accountants")
What User Sees Clicking...
VeriSign certificate information
Accountant's (XY&Z's) report
Management's assertions
Business practices disclosures
Link to AICPA/CICA WebTrust Principles & Criteria
Other relevant information
Key License Provisions
License Firm & International Affiliates
Ownership: AICPA/CICA
WebTrust Training:
- Required for licensing
- Required for each engagement
Protecting the Value of the Seal:
- Quality assurance
- Annual renewal & representations
- Record retention & availability
WebTrust License Fees
Annual fee: US$1,400 per seal award per year
Fees to be used for promoting *.Trust
WebTrust Annual License Fees (US$)

Tier  Firm Size       Year 1    Year 2    Year 3
1     >$1.4 billion   72,500    37,000    25,000
2     >$70 million    43,500    22,000    14,500
3     >$28 million    22,000     6,000     3,800
4     >$1.4 million   14,500     3,000     1,900
5     <$1.4 million    7,200     1,500       900
WebSite Seals &
Rating Systems
Truste.com
BBBOnline.org
WebTrust
ADDSecure.net
ICSA.net
WABureau.com
WebWatchdog
MultiCheck
BizRate
Gomez
epinions.com
comparenet.com
Consumer Reports
Yahoo
Amazon
etc
Comparison of Seals 1
Seals compared: WT (WebTrust), BBB (BBBOnline), T-E (Truste), WW (WebWatchdog), BR (BizRate), MC (MultiCheck), ADD (ADDSecure), ICS (ICSA), WAB (WABureau)
Attributes compared: Business Practices, Security, Privacy, Integrity, Recourse, Insurance
[Table: the per-seal marks for each attribute did not survive extraction]
Comparison of Seals 2
Same seals compared on: High Standards, Quarterly Independent Audit, Quality Control, International
[Table: the per-seal marks for each attribute did not survive extraction]
Positioning Services 1
Services positioned along the system life cycle (Design ---- Implement ---------- Operate): Consulting Services, *.Trust, Periodic Assurance, Continuous Auditing
Positioning Services 2
Services positioned by subject matter (Non-financial vs. Financial) and by audience (Internal Users vs. External Users): SysTrust, S 5900, WebTrust, SAS 70
SysTrust vs S5900 & SAS70
S5900 & SAS70:
- Report on controls of service organization
- No pre-established principles or criteria
- Primarily financial systems
- Information sharing objective
- Audience primarily other auditors
- Details on controls
SysTrust:
- Report on reliability of a system or subset
- Established principles & criteria
- Financial & nonfinancial systems
- Objective is assurance on system
- Management and third party users
- No details on controls
Review of S 5900
Report on controls at service organization:
- Stated control objectives
- Control procedures designed to achieve objectives
Existence / Suitable Design
Effectiveness
Point in time vs. period of time
Subject matter
Nature of examination
Standards
"Control procedures were suitably designed to provide reasonable, but not absolute, assurance that stated control objectives were achieved ... and operated effectively throughout the stated period"
*.Trust Service Issues
Practicing Across Jurisdictional Boundaries
Client & Engagement Acceptance
- Client acceptance: nature of business, reputation, management
- Engagement acceptance: control environment, nature of sites; are they likely to meet criteria?
Expertise Required
- Personal: Integrity, Objectivity, Due Care
- Professional Competencies: Assurance, Subject Matter (IT)
Marketing
Skill Sets Needed
Professional Standards
Systems Concepts
Business & Transactions Processing
Hardware
Software
Networks/Internet
Outside Experts
Engagement Management
Documentation:
- Working papers
- Engagement summaries
Management Representation Letter
Auditor's Report
Dealing with Change
Self Assessment / Readiness Assistance
System of Quality Control
Future Plans
Harmonized WebTrust/SysTrust Principles and Criteria to be issued in Spring 2002
Training Courses
Building Awareness / Acceptance
Competency Models
Practitioner Aids
Value of *.Trust to CAs
Large, leverable engagements
Base for other advisory services:
- security profiling & architecture
- application controls consulting
- privacy
Reinforce CA/CPA's position in market:
- build IT skills
- at the table for e-Commerce
Progress towards continuous auditing
Vision
Today: Report on internal control
Tomorrow: Systems Reliability Assurance
Ultimately: Real-time assurance on on-line databases
Base for Continuous Audit
- Reliable Systems
- Automated Audit Procedures
- Auditor Proficiency
- Reliable Communication Links
- Subject Matter
- Timely Audit Reports
Thank You
Questions?