Assurance on e-Commerce and other systems
ACC 651/646
What are the Risks for Consumers?
Unknown entity
Ease of establishing and removing e-Commerce sites
Transactions not processed correctly
Security of information
Privacy of information
What are the Risks for Companies?
Denial of Service: system failures, crashes, capacity issues
Unauthorized Access: viruses, hackers, loss of confidentiality
Loss of Data Integrity: corrupted, incomplete, fictitious data
Maintenance problems: unintended impact of system changes
Recent Headlines
“Security rated top on-line fear”
“Computer woes halt TSE trading”
“eBay waives $3-5 million listing fees after service outage”
“Rail company’s unreliable system causes rail cars to stack up, shipping delays and shipments gone astray”
“Worm.Explore.Zip virus forces shutdown of companies’ systems”
“Computer errors decimate managed care company’s stock”
Reliability & the Market
(Chart: E*Trade Publicized Network Failures & Resulting Market Cap Decreases. X-axis: dates from 10/5/98 to 3/22/99; Y-axis: E*Trade stock price (EGRP), 0 to 70. Annotated market cap decreases: $767m, $737m, $2.5b.)
Agenda
Concerns about system reliability
WebTrust
SysTrust
Future of IT Assurance
Dimensions of Unreliability
Denial of Service: system failures, crashes, capacity issues
Unauthorized Access: viruses, hackers, loss of confidentiality
Loss of Data Integrity: corrupted, incomplete, fictitious data
Maintenance problems: unintended impact of system changes
Failure to fulfill commitments
WebTrust & SysTrust
Two services designed to address new assurance needs
WebTrust deals with customer front end
SysTrust deals with systems
Both are CA/CPA assurance reports: US - SSAE #1; Canada - section 5025
What is SysTrust?
(Diagram: SysTrust Criteria, System Description, Mgmt’s Assertions, Auditor’s Report)
SysTrust Process
Management makes representations about system reliability using framework of 4 principles and 58 criteria
CA/CPA collects evidence to support management’s assertions
CA/CPA issues assurance report on controls over system’s reliability
What is WebTrust?
The WebTrust Process
Management makes representations about e-commerce practices using framework of 3 principles and related criteria
CA/CPA collects evidence to support management’s assertions
CA/CPA issues seal
Professional Standards
Assurance/Attestation: CICA - s. 5025; AICPA - SSAE #1; S5900 & SAS 70
Rules of Professional Conduct: Independence
Licensing: SysTrust/WebTrust
Value of Assurance Report
Increase Revenues: attract customers, business partners; avoid reputation / market-share / other losses; differentiate against competitors; better selection of business partners
Reduce Costs: avoid systems development rework; reduce cost of capital; common evaluation framework - efficient
Reduce Risks: confidence in internal systems; appropriate controls; protect shareholder value; better decision making; regulators (taxation, privacy, etc.); insurers
Who are Likely Buyers?
System Users & Influencers: “C-Suite” - CEO, COO, CFO, CIO, ...; Internal Auditors; Board of Directors; Customers
System Owners: Service Providers (outsourcing); System Vendors
System Builders: IT Operations; Consultants
A “SysTrust” Opinion...
“We have audited the assertion by mgmt that... ABC company maintained effective controls... to provide reasonable assurance that… XYZ system was reliable... based on SysTrust principles & criteria…”
“In our opinion mgmt’s assertion… is fairly stated in all material respects...”
Definitions: System, Reliability, Criteria
SYSTEM
...an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information...
(Diagram: System = Software, Procedures, Infrastructure, Data, People)
SYSTEM RELIABILITY
“A system that operates without material error, fault or failure in availability, security, integrity or maintainability during a specified time in a specified environment.”
(Diagram: the four principles Availability, Security, Integrity and Maintainability, each with its own Criteria, together support Reliability)
CRITERIA
Each Principle has a series of Criteria
58 mandatory Criteria in 3 categories: policies exist and are appropriate; policies are implemented and operate effectively; adherence to policy is monitored
Attributes of Criteria: measurable, relevant, objective, complete
Structure of Criteria
(Criteria Categories by Principles)
Category      Availability   Security   Integrity   Maintainability   Totals
Policies            5             5          5             5            20
Procedures          4            11          6             5            26
Monitoring          3             3          3             3            12
Totals             12            19         14            13            58
Illustrative Controls 1
CICA’s ITCG comprehensive coverage: risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc.
Illustrative Controls 2
ISACF’s COBIT also comprehensive: planning & organization, acquisition & implementation, delivery & support, monitoring, etc.
WebTrust Principles
Business Practices Disclosure: The entity discloses its business practices for electronic commerce transactions and executes transactions in accordance with its disclosed business practices.
Transaction Integrity: The entity maintains effective controls to ensure that customers’ orders placed using electronic commerce are completed and billed as agreed.
Information Protection: The entity maintains effective controls to ensure that private customer information is protected from uses not related to the entity’s business.
Business Practices Disclosure 1
Terms & conditions by which it does business: time frame for fulfillment; time for backorder notification; normal method of delivery & options; payment terms & options; electronic settlement practices; canceling recurring charges; return practices, if any
Business Practices Disclosure 2
Nature of the goods, information, or services
Where customers can obtain warranty and other service
Information to allow customers to file claims & complaints (including consumer dispute resolution - version 2.0)
Information privacy policies (version 2.0)
Transaction Integrity Controls
All information needed to process & bill the order accurately is recorded
Proper goods or services are provided
Billing & settlement is done properly
Documentation permits subsequent follow-up
Management has monitoring to ensure: business practice disclosures remain current; transaction integrity controls and practices remain effective; non-compliance situations are promptly corrected
Information Protection Controls
Transmissions via public networks secure
Protection of private customer information
Protection against its (the entity’s) unauthorized access to customers’ computers or files
Management has monitoring to ensure: information protection controls and practices remain effective; non-compliance situations are promptly corrected
Control Environment
Part of Transaction Integrity and Information Protection Criteria
Entity has a control environment that is generally conducive to: reliable business practice disclosures on its web site; effective controls over electronic commerce transaction integrity; effective controls over protection of private customer information
WebTrust Seal
Web consumer would see the seal on a web page
Would then click on it to access additional information
Display of firm name, logo is optional
(Seal image: “Click to see report issued by: XY&Z, Chartered Accountants”)
What User Sees Clicking...
VeriSign certificate information
Accountant’s (XY&Z’s) report
Management’s assertions
Business practices disclosures
Link to AICPA/CICA WebTrust Principles & Criteria
Other relevant information
Key License Provisions
License: Firm & International Affiliates
Ownership: AICPA/CICA
WebTrust Training: required for licensing; required for each engagement
Protecting the Value of the Seal: quality assurance; annual renewal & representations; record retention & availability
WebTrust License Fees
Annual fee
US$1,400 per seal award per year
Fees to be used for promoting *.Trust
WebTrust Annual License Fees
Tier   Firm Size        Year 1     Year 2     Year 3
1      >$1.4 billion    $72,500    $37,000    $25,000
2      >$70 million      43,500     22,000     14,500
3      >$28 million      22,000      6,000      3,800
4      >$1.4 million     14,500      3,000      1,900
5      <$1.4 million      7,200      1,500        900
WebSite Seals & Rating Systems
Truste.com
BBBOnline.org
WebTrust
ADDSecure.net
ICSA.net
WABureau.com
WebWatchdog
MultiCheck
BizRate
Gomez
epinions.com
comparenet.com
Consumer Reports
Yahoo
Amazon
etc.
Comparison of Seals 1
(Matrix: columns WT, BBB, T-E, WW, BR, MC, ADD, ICS, WAB; rows Business Practices, Security, Privacy, Integrity, Recourse, Insurance)
Comparison of Seals 2
(Matrix: columns WT, BBB, T-E, WW, BR, MC, ADD, ICS, WAB; rows High Standards, Quarterly Indep Audit, Quality Control, International)
Positioning Services 1
(Diagram: Continuous Auditing, Periodic Assurance and Consulting Services positioned along the Design - Implement - Operate lifecycle; *.Trust)
Positioning Services 2
(Diagram: SAS 70, S 5900, WebTrust and SysTrust positioned on two axes: Non-Financial vs. Financial, and Internal Users vs. External Users)
SysTrust vs S5900 & SAS70
S5900 & SAS70:
Report on controls of service organization
No pre-established principles or criteria
Primarily financial systems
Information sharing objective
Audience primarily other auditors
Details on controls
SysTrust:
Report on reliability of a system or subset
Established principles & criteria
Financial & non-financial systems
Objective is assurance on system
Management and third party users
No details on controls
Review of S 5900 1
Report on controls at service organization
Stated control objectives
Control procedures designed to achieve objectives
Existence / Suitable Design
Effectiveness
Point in time vs. period of time
Review of S 5900 2
Subject matter
Nature of examination
Standards
“Control procedures were suitably designed to provide reasonable, but not absolute, assurance that stated control objectives were achieved … and operated effectively throughout the stated period”
*.Trust Service Issues
Practicing Across Jurisdictional Boundaries
Client & Engagement Acceptance
Client acceptance: nature of business, reputation, management
Engagement acceptance: control environment, nature of sites; are they likely to meet criteria?
Expertise Required
Personal: Integrity, Objectivity, Due Care
Professional Competencies: Assurance, Subject Matter (IT), Marketing
Skill Sets Needed
Professional Standards
Systems Concepts
Business & Transactions Processing
Hardware
Software
Networks/Internet
Outside Experts
Engagement Management
Documentation: working papers, engagement summaries
Management Representation Letter
Auditor’s Report
Dealing with Change
Self Assessment /Readiness Assistance
System of Quality Control
Future Plans
Harmonized WebTrust/SysTrust Principles and Criteria to be issued in Spring 2002
Training Courses
Building Awareness / Acceptance
Competency Models
Practitioner Aids
Value of *.Trust to CAs
Large, leverable engagements
Base for other advisory services: security profiling & architecture; application controls consulting; privacy
Reinforce CA/CPA’s position in market: build IT skills; at the table for e-Commerce
Progress towards continuous auditing
Vision
Today: Report on internal control
Tomorrow: Systems Reliability Assurance
Ultimately: Real-time assurance on on-line databases
Base for Continuous Audit
Reliable Communication Links
Auditor Proficiency
Automated Audit Procedures
Timely Audit Reports
Reliable Systems (Subject Matter)
Thank You
Questions?