Assurance on e-Commerce and other systems ACC 651/646

Transcript of Assurance on e-Commerce and other systems ACC 651/646.

Page 1:

Assurance on e-Commerce and other systems

ACC 651/646

Page 2:

What are the Risks for Consumers?

Unknown entity

Ease of establishing and removing e-Commerce sites

Transactions not processed correctly

Security of information

Privacy of information

Page 3:

What are the Risks for Companies?

Denial of Service: system failures, crashes, capacity issues

Unauthorized Access: viruses, hackers, loss of confidentiality

Loss of Data Integrity: corrupted, incomplete, fictitious data

Maintenance problems: unintended impact of system changes

Page 4:

Recent Headlines

“Security rated top on-line fear”

“Computer woes halt TSE trading”

“eBay waives $3-5 million listing fees after service outage”

“Rail company’s unreliable system causes rail cars to stack up, shipping delays and shipments gone astray”

“Worm.Explore.Zip virus forces shutdown of companies’ systems”

“Computer errors decimate managed care company’s stock”

Page 5:

Reliability & the Market

[Chart: E*Trade Publicized Network Failures & Resulting Market Cap Decreases. Vertical axis: E*Trade Stock Price (EGRP), 0 to 70. Horizontal axis: 10/5/98, 10/19/98, 11/2/98, 11/16/98, 11/30/98, 12/14/98, 12/28/98, 1/11/99, 1/25/99, 2/8/99, 2/22/99, 3/8/99, 3/22/99. Annotated market cap decreases following publicized failures: $767m, $737m, $2.5b.]

Page 6:

Agenda

Concerns about system reliability

WebTrust

SysTrust

Future of IT Assurance

Page 7:

Dimensions of Unreliability

Denial of Service: system failures, crashes, capacity issues

Unauthorized Access: viruses, hackers, loss of confidentiality

Loss of Data Integrity: corrupted, incomplete, fictitious data

Maintenance problems: unintended impact of system changes

Failure to fulfill commitments

Page 8:

WebTrust & SysTrust

Two services designed to address new assurance needs

WebTrust deals with customer front end

SysTrust deals with systems

Both are CA/CPA assurance reports (US - SSAE #1; Canada - section 5025)

Page 9:

What is SysTrust?

[Diagram: SysTrust Criteria, System Description, Mgmt’s Assertions, Auditor’s Report]

SysTrust Process

Management makes representations about system reliability using framework of 4 principles and 58 criteria

CA/CPA collects evidence to support management’s assertions

CA/CPA issues assurance report on controls over system’s reliability

Page 10:

What is WebTrust?

The WebTrust Process

Management makes representations about e-commerce practices using framework of 3 principles and related criteria

CA/CPA collects evidence to support management’s assertions

CA/CPA issues seal

Page 11:

Professional Standards 1

Page 12:

Professional Standards 2

Assurance/Attestation: CICA - s. 5025; AICPA - SSAE #1; S5900 & SAS 70

Rules of Professional Conduct: Independence

Licensing: SysTrust/WebTrust

Page 13:

Value of Assurance Report

Increase Revenues:

attract customers, business partners

avoid reputation / market-share / other losses

differentiate against competitors

better selection of business partners

Page 14:

Value of Assurance Report

Reduce Costs:

avoid systems development rework

reduce cost of capital

common evaluation framework - efficient

Page 15:

Value of Assurance Report

Reduce Risks:

confidence in internal systems

appropriate controls

protect shareholder value

better decision making

regulators (taxation, privacy, etc...)

insurers

Page 16:

Who are Likely Buyers?

System Users & Influencers: “C-Suite” - CEO, COO, CFO, CIO, ...; Internal Auditors; Board of Directors; Customers

System Owners: Service Providers (outsourcing); System Vendors

System Builders: IT Operations; Consultants

Page 17:

A “SysTrust” Opinion...

“We have audited the assertion by mgmt that... ABC company maintained effective controls... to provide reasonable assurance that… XYZ system was reliable... based on SysTrust principles & criteria…”

“In our opinion mgmt’s assertion… is fairly stated in all material respects...”

Page 18:

Definitions

SYSTEM

RELIABILITY

CRITERIA

Page 19:

SYSTEM

...an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information...

[Diagram: SYSTEM, made up of Software, Procedures, Infrastructure, Data, People]

Page 20:

SYSTEM RELIABILITY

“A system that operates without material error, fault or failure in availability, security, integrity or maintainability during a specified time in a specified environment.”

Page 21:

[Diagram: RELIABILITY rests on the four principles AVAILABILITY, SECURITY, INTEGRITY and MAINTAINABILITY, each of which rests on its CRITERIA]

Page 22:

CRITERIA

Each Principle has a series of Criteria

58 mandatory Criteria in 3 categories:

policies exist and are appropriate

policies are implemented and operate effectively

adherence to policy is monitored

Attributes of Criteria: measurable, relevant, objective, complete

Page 23:

Structure of Criteria

Number of criteria by Principle (columns) and Criteria Category (rows):

Category      Availability  Security  Integrity  Maintainability  TOTALS
Policies                 5         5          5                5      20
Procedures               4        11          6                5      26
Monitoring               3         3          3                3      12
Totals                  12        19         14               13      58

Page 24:

Illustrative Controls 1

CICA’s ITCG comprehensive coverage: risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc.

Page 25:

Illustrative Controls 2

ISACF’s COBIT also comprehensive: planning & organization, acquisition & implementation, delivery & support, monitoring, etc.

Page 26:

WebTrust Principles

Business Practices Disclosure: The entity discloses its business practices for electronic commerce transactions and executes transactions in accordance with its disclosed business practices.

Transaction Integrity: The entity maintains effective controls to ensure that customers’ orders placed using electronic commerce are completed and billed as agreed.

Information Protection: The entity maintains effective controls to ensure that private customer information is protected from uses not related to the entity’s business.

Page 27:

Business Practices Disclosure 1

Terms & conditions by which it does business:

time frame for fulfillment

time for backorder notification

normal method of delivery & options

payment terms & options

electronic settlement practices

canceling recurring charges

return practices, if any

Page 28:

Business Practices Disclosure 2

Nature of the goods, information, or services

Where customers can obtain warranty and other service

Information to allow customers to file claims & complaints (including consumer dispute resolution - version 2.0)

Information privacy policies (version 2.0)

Page 29:

Transaction Integrity Controls

All information needed to process & bill the order accurately is recorded

Proper goods or services are provided

Billing & settlement is done properly

Documentation permits subsequent follow-up

Management has monitoring to ensure:

business practice disclosures remain current

transaction integrity controls and practices remain effective

non-compliance situations are promptly corrected

Page 30:

Information Protection Controls

Transmissions via public networks secure

Protection of private customer information

Protection against unauthorized access by the entity to customers’ computers or files

Management has monitoring to ensure:

information protection controls and practices remain effective

non-compliance situations are promptly corrected

Page 31:

Control Environment

Part of Transaction Integrity and Information Protection Criteria

Entity has a control environment that is generally conducive to:

Reliable business practice disclosures on its web site

Effective controls over electronic commerce transaction integrity

Effective controls over protection of private customer information

Page 32:

WebTrust Seal

Web consumer would see the seal on a web page

Would then click on it to access additional information

Display of firm name, logo is optional

[Seal mock-up: “Click to see report issued by: XY&Z, Chartered Accountants”, with the XY&Z logo]

Page 33:

What User Sees Clicking...

VeriSign certificate information

Accountant’s (XY&Z’s) report

Management’s assertions

Business practices disclosures

Link to AICPA/CICA WebTrust Principles & Criteria

Other relevant information

Page 36:

Key License Provisions

License: Firm & International Affiliates

Ownership: AICPA/CICA

WebTrust Training: Required for licensing; Required for each engagement

Protecting the Value of the Seal: Quality assurance; Annual renewal & representations; Record retention & availability

Page 37:

WebTrust License Fees

Annual fee: US$1,400 per seal award per year

Fees to be used for promoting *.Trust

Page 38:

WebTrust Annual License Fees

Tier  Firm Size       Year 1    Year 2    Year 3
1     >$1.4 billion   $72,500   $37,000   $25,000
2     >$70 million    43,500    22,000    14,500
3     >$28 million    22,000    6,000     3,800
4     >$1.4 million   14,500    3,000     1,900
5     <$1.4 million   7,200     1,500     900

Page 39:

WebSite Seals & Rating Systems

Truste.com

BBBOnline.org

WebTrust

ADDSecure.net

ICSA.net

WABureau.com

WebWatchdog

MultiCheck

BizRate

Gomez

epinions.com

comparenet.com

Consumer Reports

Yahoo

Amazon

etc.

Page 40:

Comparison of Seals 1

[Table: columns WT, BBB, T-E, WW, BR, MC, ADD, ICS, WAB (WebTrust, BBBOnline, TRUSTe, WebWatchdog, BizRate, MultiCheck, ADDSecure, ICSA, WABureau); rows Business Practices, Security, Privacy, Integrity, Recourse, Insurance. The check marks showing which seal covers which row are not preserved in this transcript.]

Page 41:

Comparison of Seals 2

[Table: same columns WT, BBB, T-E, WW, BR, MC, ADD, ICS, WAB; rows High Standards, Quarterly Indep Audit, Quality Control, Internation’l. Check marks not preserved in this transcript.]

Page 43:

Positioning Services 1

[Diagram: Continuous Auditing, Periodic Assurance and Consulting Services positioned along a Design -> Implement -> Operate life cycle; *.Trust sits at the Operate end]

Page 44:

Positioning Services 2

[Diagram: a grid with Non-Financial / Financial on one axis and Internal Users / External Users on the other, positioning SAS 70, S 5900, WebTrust and SysTrust]

Page 45:

SysTrust vs S5900 & SAS70

S5900 & SAS70:

Report on controls of service organization

No pre-established principles or criteria

Primarily financial systems

Information sharing objective

Audience primarily other auditors

Details on controls

SysTrust:

Report on reliability of a system or subset

Established principles & criteria

Financial & non-financial systems

Objective is assurance on system

Management and third party users

No details on controls

Page 46:

Review of S 5900 1

Report on controls at service organization

Stated control objectives

Control procedures designed to achieve objectives

Existence / Suitable Design

Effectiveness

Point in time vs. period of time

Page 47:

Review of S 5900 2

Subject matter

Nature of examination

Standards

“Control procedures were suitably designed to provide reasonable, but not absolute, assurance that stated control objectives were achieved … and operated effectively throughout the stated period”

Page 48:

*.Trust Service Issues

Practicing Across Jurisdictional Boundaries

Client & Engagement Acceptance:

Client acceptance - nature of business, reputation, management

Engagement acceptance - control environment, nature of sites; are they likely to meet criteria?

Expertise Required:

Personal - Integrity, Objectivity, Due Care

Professional Competencies - Assurance, Subject Matter (IT), Marketing

Page 49:

Skill Sets Needed

Professional Standards

Systems Concepts

Business & Transactions Processing

Hardware

Software

Networks/Internet

Outside Experts

Page 50:

Engagement Management

Documentation: Working papers; Engagement summaries

Management Representation Letter

Auditor’s Report

Dealing with Change

Self Assessment / Readiness Assistance

System of Quality Control

Page 51:

Future Plans

Harmonized WebTrust/SysTrust Principles and Criteria to be issued in Spring 2002

Training Courses

Building Awareness / Acceptance

Competency Models

Practitioner Aids

Page 52:

Value of *.Trust to CAs

Large, leverageable engagements

Base for other advisory services: security profiling & architecture; application controls consulting; privacy

Reinforce CA/CPA’s position in market: build IT skills; at the table for e-Commerce

Progress towards continuous auditing

Page 53:

Vision

Today: Report on internal control

Tomorrow: Systems Reliability Assurance

Ultimately: Real-time assurance on on-line databases

Page 54:

Base for Continuous Audit

Reliable Systems (Subject Matter)

Reliable Communication Links

Auditor Proficiency

Automated Audit Procedures

Timely Audit Reports

Page 55:

Thank You

Questions?