Title: Overview of WebTrust™
1 Overview of WebTrust™
2 Concerns About e-Business
- What are this site's e-Commerce practices?
- I am worried about security
- I would like to maintain anonymity
- I do not like traceability
- What are they going to do with my information?
- Who am I really doing business with?
- I am afraid I will get scammed, will I get my stuff?
- What is the recourse if something goes wrong?
3 Barriers to Acceptance
People who have access to the Internet but who
have not purchased a good or service through the
Internet state that the following were factors
in their decision
Source: Canadian Institute of Chartered
Accountants, Electronic Commerce Survey, August
1997
4 DT Retail Council of Canada's Most Recent Study
Consumers are saying:
- The visual aspect of online shopping is key.
- There is a strong commitment to purchasing at Canadian sites.
- Online purchasing is considered to be convenient and saves time.
- Considerable concern still exists about the privacy of personal information related to online purchasing.
- A third-party security endorsement can help build the trust of site visitors.
- Bookmarking of favorite sites has the potential to build loyalty.
- The power of word of mouth should not be underestimated.
5 The WebTrust™ Response: A Unique Seal of Assurance
WebTrust™
- Provides assurance that a web site meets AICPA/CICA defined criteria for business practices and transaction integrity, security and privacy, and related disclosures.
- Is designed to build consumer confidence in electronic commerce.
- Is the only service combining privacy, security, and transactional integrity with up-front and ongoing independent third-party verification.
- Will be able to demonstrate a web site's compliance with the privacy laws of major industrial countries.
- Is a global seal that can be provided by qualified and licensed CPAs and CAs around the world.
6 WebTrust™ Global Availability
7 Global Offering of WebTrust™
- Planning
  - New Zealand
- Researching
  - Belgium
  - Malaysia
  - Japan
  - Italy
  - Argentina
- Currently
  - Canada
  - United States
  - England and Wales
  - Denmark
  - France
  - Germany
  - Ireland
  - Netherlands
  - Spain
  - Australia
  - Hong Kong
8 WebTrust™ Sample Site
10 WebTrust™ Seal
A Web consumer would see the seal on a Web page
and would then click on it to access
additional information.
11 WebTrust™ Certification Process
12 WebTrust™ Certification Process
- Definition of scope
- Web site's services included
- Geographical scope
- Self-assessment questionnaire
- Understand outsourced activities
- Initial period at least 60 days
- Unqualified audit report
- At least semi-annual updates
- Independence
- Appropriate team with required expertise
13 Overview of the WebTrust™ Process
Phase I: Understanding the Methodology and Process
- Perform a self-evaluation.
- Understand and document the electronic commerce business and systems processes, procedures and controls.
- Map existing processes and controls against WebTrust Principles and Criteria.
- Build a WebTrust Preview Site.
14 Overview of the WebTrust™ Process
Phase II: Testing of the Processes and Controls
- Test and evaluate the Business Practices
Disclosures, Transaction Integrity, Security and
Privacy Controls.
15 Overview of the WebTrust™ Process
Phase III: Reporting
- Complete the final report and certify the Web
site.
16 Overview of the WebTrust™ Process
Phase IV: Minimum Semi-Annual Updates (Version 3.0)
- Update our review and tests of the Business Practice Disclosure, Transaction Integrity and Information Protection on a semi-annual basis.
- Update for any major system changes and service offerings.
17 The New Version 3.0 WebTrust™
Version 3.0 includes any of the following
WebTrust™ Seals:
- WebTrust Security Seal
- WebTrust Transactional Integrity Seal
- WebTrust Privacy Seal
- or WebTrust Consumer Protection Seal including all three of the above
- Additional principles for B2B ISP/ASPs include
  - availability
  - confidentiality
  - non-repudiation
  - customized disclosures
18 WebTrust™ 3.0 Principles: Security
Security
- The enterprise discloses key security policies,
complies with such security policies, and
maintains effective controls to provide
reasonable assurance that access to electronic
commerce system and data is restricted only to
authorized individuals in conformity with its
disclosed security policies.
19 WebTrust™ 3.0 Principles: Transaction Integrity
Transaction Integrity
- The enterprise discloses its business practices
for electronic commerce, executes transactions in
conformity with such practices, and maintains
effective controls to provide reasonable
assurance that e-Commerce transactions are
processed completely, accurately and in conformity
with its disclosed business practices.
20 WebTrust™ 3.0 Principles: Privacy
Privacy
The enterprise discloses its privacy policies,
complies with such privacy practices, and
maintains effective controls to provide
reasonable assurance that personally identifiable
information obtained as a result of electronic
commerce is protected in conformity with its
disclosed privacy practices.
21 WebTrust™ 3.0 Principles: Availability
Availability
The enterprise discloses its practices for
availability, complies with such availability
disclosures, and maintains effective controls to
provide reasonable assurance that e-commerce
systems and data are available as disclosed.
22 WebTrust™ 3.0 Principles: Non-repudiation
Non-repudiation
The enterprise discloses its practices for
non-repudiation, complies with such practices,
and maintains effective controls and appropriate
records to provide reasonable assurance that the
authentication and integrity of transactions and
messages received electronically are provable to
third parties in conformity with its disclosed
non-repudiation practices.
23 WebTrust™ 3.0 Principles: Confidentiality
Confidentiality
The enterprise discloses its confidentiality
practices, complies with such confidentiality
practices and maintains effective controls to
provide reasonable assurance that access to
information obtained as a result of electronic
commerce and designated as confidential is
restricted to authorized individuals in
conformity with its disclosed confidentiality
practices.
24 WebTrust™ 3.0 Principles: Customized Disclosures
Customized Disclosures
The enterprise's specified disclosures are
consistent with professional standards for
suitable criteria and relevant to its electronic
controls over the processes supporting such
disclosures to provide reasonable assurance that
such disclosures are reliable.
25 Frequently Asked Questions
26 What happens if a company does not meet the audit
requirements? How long do we have to fix any
inconsistencies?
- The company needs to demonstrate that it has been in compliance with the WebTrust criteria for at least 60 days before it can receive the WebTrust seal. Then it needs to remain in compliance with the criteria to continue to display the seal.
- As part of their work, practitioners may identify weaknesses which need to be addressed. This may be included as part of the services based on the extent of the weaknesses identified. However, if the practitioner and the management determine that the weaknesses are extensive, then we will have to address those issues and help you improve the controls and practices separately. In such cases, the seal will be awarded 60 days after the implementation of the new controls, to ensure their effectiveness.
27 What does WebTrust membership provide other
than quarterly (semi-annual) audits?
- As is the case with a financial statement audit, there is no membership structure. The AICPA/CICA task force would be willing to consider such a program if there was sufficient interest among organizations with the WebTrust seal.
- However, as a certified WebTrust web-site, you will be listed at the WebTrust home page under a listing of all WebTrust certified companies. This provides customers a Yellow Pages of WebTrust web-sites. Additionally, the members will have access to Best Practices for Internet electronic commerce.
28 How is a WebTrust audit different from a regular
accounting and/or system audit and what extra
value does it provide?
- The purpose of a WebTrust audit differs significantly from those of a financial statement audit. The focus of WebTrust is on the business practices disclosures for electronic commerce transactions and the related controls over transaction integrity and information protection. The WebTrust view is ensuring that business-to-consumer electronic commerce transactions are appropriately handled and that related concerns of typical consumers are addressed by the business.
- By contrast, the financial statement audit focuses on the reliability and fair presentation of financial statements and the related footnotes and disclosures. The audit work performed on accounting systems is an intermediate step in formulating the auditor's opinion on the financial statements.
29 By representing WebTrust, does the CA or CPA
issuing the WebTrust seal ensure security of the
company's processes and systems to customers?
- The responsibility for ensuring security of a
company's processes and systems is that of the
company's management. The practitioner is
providing an independent and objective assessment
of how management is discharging that
responsibility.
30 What are the key customer benefits?
- Key customer benefits are increased trust and confidence in doing business electronically on the Internet. This should ultimately result in more efficient markets and lower cost benefits to both the company and its customers.
- Customers will have access to a Yellow Pages listing of your web-site as a WebTrust certified business.
- WebTrust is a recognized seal of assurance on the Internet. The true advantage will be for those companies who get the early edge through strategic marketing of their electronic commerce practices and their WebTrust certification.