Secure e-Business

AICPA
Chartered Accountants of Canada / Comptables agréés du Canada

Overview of WebTrust™

Concerns About e-Business

What are this site’s e-Commerce practices?
I am worried about security
I would like to maintain anonymity
I do not like traceability
What are they going to do with my information?
Who am I really doing business with?
I am afraid I will get scammed, will I get my stuff?
What is the recourse if something goes wrong?

Barriers to Acceptance

People who have access to the Internet but who have not purchased a good or service through the Internet state that the following were factors in their decision:

52%: Concern over privacy of personal information
56%: Concern over unauthorized use of credit card information
36%: Concern over not receiving product or service ordered

Source: Canadian Institute of Chartered Accountants Electronic Commerce Survey, August 1997

D&T & Retail Council of Canada’s Most Recent Study

Consumers are saying…

The visual aspect of online shopping is key.
There is a strong commitment to purchasing at Canadian sites.
Online purchasing is considered to be convenient and saves time.
Considerable concern still exists about the privacy of personal information related to online purchasing.
A third party security endorsement can help build the trust of site visitors.
Bookmarking of favorite sites has the potential to build loyalty.
The power of “word of mouth” should not be underestimated.

The WebTrust™ Response: A Unique Seal of Assurance

WebTrust™:

Provides assurance that a web site meets AICPA/CICA defined criteria for business practices and transaction integrity, security and privacy, and related disclosures.
Is designed to build consumer confidence in electronic commerce.
Is the only service combining privacy, security, and transactional integrity with up-front and ongoing independent third party verification.
Will be able to demonstrate a web site’s compliance with the privacy laws of major industrial countries.
Is a global seal that can be provided by qualified and licensed CPAs and CAs around the world.

WebTrust™ Global Availability

Global Offering of WebTrust™

Currently: Canada, United States, England and Wales, Denmark, France, Germany, Ireland, Netherlands, Spain, Australia, Hong Kong
Planning: New Zealand
Researching: Belgium, Malaysia, Japan, Italy, Argentina

WebTrust™ Sample Site

WebTrust™ Seal

Web consumer would see the seal on a Web page
Would then click on it to access additional information

WebTrust™ Certification Process

Definition of scope
Web sites & services included
Geographical scope

Self-assessment questionnaire
Understand outsourced activities
Initial period at least 60 days
Unqualified audit report
At least semi-annual updates
Independence
Appropriate team with required expertise

Overview of the WebTrust™ Process

Phase I – Understanding the Methodology and Process

Perform a self-evaluation.
Understand and document the electronic commerce business and systems processes, procedures and controls.
Map existing processes and controls against WebTrust™ Principles and Criteria.
Build a WebTrust™ Preview Site.

Phase II – Testing of the Processes & Controls

Test and evaluate the Business Practices Disclosures, Transaction Integrity, Security and Privacy Controls.

Phase III – Reporting

Complete the final report and certify the Web Site.

Phase IV – Minimum Semi-Annual Updates (Version 3.0)

Update our review and tests of the Business Practice Disclosure, Transaction Integrity and Information Protection on a semi-annual basis.
Update for any major system changes and service offerings.

The New Version 3.0 WebTrust™

Version 3.0 includes any of the following WebTrust™ Seals:

WebTrust™ Security Seal
WebTrust™ Transactional Integrity Seal
WebTrust™ Privacy Seal
or WebTrust™ Consumer Protection Seal, including all three of the above

Additional principles for B2B & ISP/ASPs include:

availability
confidentiality
non-repudiation
customized disclosures

WebTrust™ 3.0 Principles: Security

The enterprise discloses key security policies, complies with such security policies, and maintains effective controls to provide reasonable assurance that access to electronic commerce system and data is restricted only to authorized individuals in conformity with its disclosed security policies.

WebTrust™ 3.0 Principles: Transaction Integrity

The enterprise discloses its business practices for electronic commerce, executes transactions in conformity with such practices, and maintains effective controls to provide reasonable assurance that e-Commerce transactions are processed completely, accurately and in conformity with its disclosed business practices.

WebTrust™ 3.0 Principles: Privacy

The enterprise discloses its privacy policies, complies with such privacy practices, and maintains effective controls to provide reasonable assurance that personally identifiable information obtained as a result of electronic commerce is protected in conformity with its disclosed privacy practices.

WebTrust™ 3.0 Principles: Availability

The enterprise discloses its practices for availability, complies with such availability disclosures, and maintains effective controls to provide reasonable assurance that e-commerce systems and data are available as disclosed.

WebTrust™ 3.0 Principles: Non-repudiation

The enterprise discloses its practices for non-repudiation, complies with such practices, and maintains effective controls and appropriate records to provide reasonable assurance that the authentication and integrity of transactions and messages received electronically are provable to third parties in conformity with its disclosed non-repudiation practices.

WebTrust™ 3.0 Principles: Confidentiality

The enterprise discloses its confidentiality practices, complies with such confidentiality practices and maintains effective controls to provide reasonable assurance that access to information obtained as a result of electronic commerce and designated as confidential is restricted to authorized individuals in conformity with its disclosed confidentiality practices.

WebTrust™ 3.0 Principles: Customized Disclosures

The enterprise’s specified disclosures are consistent with professional standards for suitable criteria and relevant to its electronic controls over the processes supporting such disclosures to provide reasonable assurance that such disclosures are reliable.

Frequently Asked Questions

What happens if a company does not meet the audit requirements? How long do we have to fix any inconsistencies?

The company needs to demonstrate that it has been in compliance with the WebTrust™ criteria for at least 60 days before it can receive the WebTrust™ seal. Then it needs to remain in compliance with the criteria to continue to display the seal.

As part of their work, practitioners may identify weaknesses which need to be addressed. This may be included as part of the services based on the extent of the weaknesses identified. However, if the practitioner and the management determine that the weaknesses are extensive, then we will have to address those issues and help you improve the controls and practices separately. In such cases, the seal will be awarded 60 days after the implementation of the new controls, to ensure their effectiveness.


What does WebTrust™ membership provide other than quarterly (semi-annual) audits?

As is the case with a financial statement audit, there is no membership structure. The AICPA/CICA task force would be willing to consider such a program if there was sufficient interest among organizations with the WebTrust™ seal.

However, as a certified WebTrust™ web-site, you will be listed at the WebTrust™ home page under a listing of all WebTrust™ certified companies. This provides customers a “Yellow Pages” of WebTrust™ web-sites. Additionally, the members will have access to “Best Practices” for Internet electronic commerce.

How is a WebTrust™ audit different from a regular accounting and/or system audit and what extra value does it provide?

The purpose of a WebTrust™ audit differs significantly from that of a financial statement audit. The focus of WebTrust™ is on the business practices disclosures for electronic commerce transactions and the related controls over transaction integrity and information protection. The WebTrust™ view is ensuring that business-to-consumer electronic commerce transactions are appropriately handled and that related concerns of typical consumers are addressed by the business.

By contrast, the financial statement audit focuses on the reliability and fair presentation of financial statements and the related footnotes and disclosures. The audit work performed on accounting systems is an intermediate step in formulating the auditor's opinion on the financial statements.

By representing WebTrust™, does the CA or CPA issuing the WebTrust™ seal ensure security of the company’s processes and systems to customers?

The responsibility for ensuring security of a company’s processes and systems is that of the company’s management. The practitioner is providing an independent and objective assessment of how management is discharging that responsibility.


What are the key customer benefits?

Key customer benefits are increased trust and confidence in doing business electronically on the Internet. This should ultimately result in more efficient markets and lower cost benefits to both the company and its customers.

Customers will have access to a “Yellow Pages” listing of your web-site as a WebTrust™ certified business.

WebTrust™ is a recognized seal of assurance on the Internet. The true advantage will be for those companies who get the early edge through strategic marketing of their electronic commerce practices and their WebTrust™ certification.