E-Commerce And CPA WebTrust
by:
Christopher J. Leach, CPA
Leach Consulting and Accounting
San Diego, CA
Marshall B. Romney, Ph.D, CPA, CFE
Professor of Accounting and Information Systems
Brigham Young University
Bradley Farmer
Masters of Accountancy Student
Brigham Young University
The world of e-commerce has tremendous benefits for consumers: shopping
24 hours a day, purchases delivered right to your door, lower prices,
and so far no sales tax as long as the consumer and the merchant reside
in different states. Despite these advantages, only one-fifth of on-line
adults (5% of North Americans) have made a purchase on-line.
Retailers and marketers are frantically creating websites competing for
consumer dollars, but consumers are not rushing to their computers to
shop. According to a recent study published by the American Institute
of Certified Public Accountants (AICPA), the main reason why they are
not is that many consumers are afraid of a lack of security and privacy
in Internet transactions. Clear business disclosures (awareness
of whom you are doing business with) and transaction integrity
also top the list, according to the same study.
The AICPA study, performed by Yankolovich Partners, found that 91 percent
of on-line users wouldn't provide information about their income
and 85 percent would not give their credit card information on-line. However,
since consumers often worry about the integrity of their information once
they provide it to an on-line business, the respondents liked the concept
of a seal of assurance awarded by an independent third party.
In traditional brick-and-mortar businesses, potential customers can judge
the solvency and quality of a store by looking at the outside. If you're
walking down the street and you see a new store, you can tell a whole
lot about it without even going inside: you know where it's located,
you can see what kinds of people are inside and you can look on the door
and see when they are open. Contrast that to the Web: when you visit
a site you don't usually know where they are located or how to
get in touch with a live human being if there is a problem. It is difficult
to judge the quality and practices of an on-line business.
Consumers need to know that their information will be protected and legitimate
on-line businesses need to be able to distinguish themselves from less-reputable
sites. CPA WebTrust was designed to meet the needs of both the on-line
consumer and the on-line retailer.
What Is CPA WebTrust?
As a result of consumer and business demand the AICPA and the Canadian
Institute of Chartered Accountants (CICA) developed CPA WebTrust. CPA
WebTrust is the seal of assurance that indicates a Web site meets specific
criteria for standard business practices, controls over transaction integrity,
and information protection.
CPA WebTrust is a new certification designed for on-line businesses by
a special committee of the AICPA. To qualify for WebTrust, a business
must follow three general principles:
They must disclose their business and information privacy practices and
follow the disclosed practices.
They must maintain effective controls to complete customer transactions
as agreed.
They must maintain effective controls to protect customer information.
The first principle requires disclosure. A company must tell the customer
on the site how it handles such things as sales returns, customer complaints,
and customer privacy. The WebTrust seal also shows that a CPA has verified
that an on-line business follows their published practices.
The second principle involves transaction integrity. It ensures that a
company has adequate controls to ensure that shipping, billing, and recording
are done correctly and in a timely manner. Simply stated, it means that
if you order five books you receive the five books you ordered and are
billed for the proper amount. Year 2000 issues and impacts are also considered
during this part of the site examination, however no assurance is given
regarding a site's Y2K readiness as this is beyond the scope of
the WebTrust Examination.
The third principle ensures the protection of a customer's private
information. This requires assessing the encryption or other methods to
protect private customer information during transmission. It also tests
the protection of this information once the merchant receives it as well
as the physical protection of the systems that contain customer data.
For example, the examination tests to make sure that unauthorized buyer
information is not passed on or sold to a third party not directly involved
in the e-commerce transaction.
When a consumer visits a site certified by WebTrust, he will see the CPA
WebTrust seal (shown below on the certificate). Clicking on the seal brings
up a certificate, which contains links to information and authentication.
The visitor to the web site can click on the links to verify the authenticity
of the seal, to find out information about management's assertions,
or to find out more about CPA WebTrust.
For an example of a WebTrust seal you can visit the AICPA web site.
You can also see the seal on the following business web sites:
E-Trade
Bell Canada
Zurich Financial Services Australia Limited
Altus Mortgage
For a listing of all sites that currently have earned the WebTrust seal
you can visit VeriSign's complete listing at http://www.verisign.com/webtrust/siteindex.html
How Does CPA WebTrust Work?
To receive the WebTrust seal a site must undergo an intense audit-like
process. The seal is then valid for a maximum of three months. The seal
will then need to be "refreshed" in order to remain on a web
site. The AICPA and CICA have partnered with VeriSign, the leading provider
of digital identification, to protect the authenticity of the seal and
maintain a listing of all sites that have current WebTrust seals.
The procedure for obtaining a WebTrust seal requires several steps:
The practitioner conducts tests to assure that the site uses the WebTrust
principles consistently.
If the site conforms to the principles, the practitioner obtains an Enrollment
Identification (EID) from the AICPA, CICA, or other appropriate licensed
association.
The EID number is given to the company requesting the seal and used for
registration at the seal manager site (VeriSign, for example).
Upon registration, the company will receive a special Class 3 Certificate
(the WebTrust digital certificate) from the seal manager.
The seal manager helps the company install the seal and a special WebTrust
digital certificate.
Digital certificates are renewed every year, but the seal is valid for
a maximum of three months. If a CPA decides that the seal and the corresponding
digital certificate should be removed from a company's web site
before it has expired she must notify the company. She would request that
the seal and the related practitioner's report be removed from
the Web site. The CPA would also tell the seal manager, VeriSign, that
the seal should be revoked. The seal manager would then electronically
revoke the digital certificate.
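To make the seal lifecycle described in the steps above concrete, here is an added example, not code from the AICPA, CICA or VeriSign and not how the seal manager was actually implemented: a hypothetical seal registry in Python that applies the two validity windows the article gives (seal refreshed at least every three months, certificate renewed yearly) and the revocation path the CPA can trigger through the seal manager. The site names, EID values and dates are constructed, and the 90-day and 365-day windows are assumptions standing in for "three months" and "every year".

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Validity windows taken from the article (assumed day counts): the seal must
# be refreshed at least every three months, the digital certificate yearly.
SEAL_VALIDITY = timedelta(days=90)
CERT_VALIDITY = timedelta(days=365)


@dataclass
class SealRecord:
    """One registered site as a seal manager would track it (hypothetical model)."""
    site: str
    eid: str               # Enrollment Identification the practitioner obtained
    cert_issued: date      # issue date of the WebTrust digital certificate
    seal_refreshed: date   # date of the most recent practitioner refresh
    revoked: bool = False


class SealManager:
    """Hypothetical registry of current seals, modelled on the page's description."""

    def __init__(self) -> None:
        self._records: dict[str, SealRecord] = {}

    def register(self, record: SealRecord) -> None:
        # Registration is keyed on the EID issued after a successful examination.
        if not record.eid:
            raise ValueError("registration requires an Enrollment Identification")
        self._records[record.site] = record

    def refresh(self, site: str, on: date) -> None:
        """Record a new practitioner refresh; a revoked seal cannot be refreshed."""
        rec = self._records[site]
        if rec.revoked:
            raise ValueError("revoked seal must be re-registered, not refreshed")
        rec.seal_refreshed = on

    def revoke(self, site: str) -> None:
        """Revoke the seal and its certificate at the CPA's request."""
        self._records[site].revoked = True

    def status(self, site: str, today: date) -> str:
        """Classify a site's seal as a visitor clicking through the seal would see it."""
        rec = self._records.get(site)
        if rec is None:
            return "unregistered"
        if rec.revoked:
            return "revoked"
        if today - rec.cert_issued > CERT_VALIDITY:
            return "certificate-expired"
        if today - rec.seal_refreshed > SEAL_VALIDITY:
            return "seal-stale"
        return "valid"


def demo() -> dict[str, str]:
    """Constructed sample registry; returns each site's status on a fixed date."""
    today = date(1999, 12, 1)
    mgr = SealManager()
    # Constructed records: each one exercises a different branch of status().
    mgr.register(SealRecord("shop-a.example", "EID-0001", date(1999, 10, 1), date(1999, 10, 1)))
    mgr.register(SealRecord("shop-b.example", "EID-0002", date(1999, 6, 1), date(1999, 6, 1)))
    mgr.register(SealRecord("shop-c.example", "EID-0003", date(1998, 9, 1), date(1999, 11, 15)))
    mgr.register(SealRecord("shop-d.example", "EID-0004", date(1999, 11, 1), date(1999, 11, 1)))
    mgr.revoke("shop-d.example")  # the CPA asked the seal manager to pull the seal
    sites = ["shop-a.example", "shop-b.example", "shop-c.example",
             "shop-d.example", "shop-e.example"]
    return {site: mgr.status(site, today) for site in sites}


if __name__ == "__main__":
    for site, state in demo().items():
        print(f"{site}: {state}")
```

The point the model makes is that a verifier cannot stop at the certificate: a certificate still inside its one-year term says nothing about whether the practitioner's report is current or whether the CPA has since asked for the seal to be pulled, so the revocation flag and the three-month refresh date are checked as well.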
Competition to CPA WebTrust
With consumer fears concerning the Internet growing and businesses wanting
to move customers to the web, other programs have developed that compete
with WebTrust. The most notable programs are TrustE and the Better Business
Program. As illustrated in the graphic below all other seal programs fall
short of the assurance that WebTrust provides. In a recent move by both
IBM and Microsoft, TrustE's seal was removed from both of these
sites because the program did not provide the assurance IBM and Microsoft
required.
How Can I Get Involved?
The first step towards becoming more involved is learning more about the
service. Two excellent resources for CPA WebTrust are the AICPA web site
www.AICPA.org and
the CPA WebTrust site www.CPAWebTrust.org.
To provide the WebTrust seal, a CPA must be licensed for the WebTrust
service. License requirements include taking a WebTrust CPE, agreeing
to abide by the WebTrust professional standards, and participating in
a quality-control program. Being a provider of WebTrust services requires
many of the same skills as other attest services; however, specific skills
in Internet technologies and controls are important. These skills and
requirements are outlined in the WebTrust practice manual issued by the
AICPA.
If you are interested in working for a firm that provides the CPA WebTrust
service, a list of WebTrust-certified CPAs is included at the CPA WebTrust
site (http://www.cpawebtrust.org/developer/index.html).
CPA WebTrust Is Constantly Evolving
Since e-commerce is rapidly changing with technology and consumer preferences,
CPA WebTrust must also adapt. The newest version of WebTrust establishes
an enhanced set of criteria for privacy and consumer protection. Under
version 2.0, privacy standards are outlined which meet current European
standards established by the European Union (EU) on October 25, 1998,
as well as guidelines established by the Online Privacy Alliance (OPA)
in the United States. To further build consumer confidence with the program,
a consumer arbitration program has been added to the WebTrust Program.
Under the program, a third-party arbitrator will handle any consumer complaint
not resolved by the website management. Strict rules for arbitration for
the WebTrust program were developed by the National Arbitration Forum
(www.arb-forum.com).
This new service will literally level the playing field for organizations
entering the arena of electronic commerce. The larger companies like Amazon
Book and Land's End which already have name recognition will be
compared with smaller companies using the same consistent principles and
criteria. A consumer will be able to make an informed choice and evaluate
a merchant using information verified by a Certified Public Accountant.
Microsoft recently stated: "CPA WebTrust is the seal of approval
that consumers need in order to overcome the security fears that are so
common with the Internet. With such fears defeated, small businesses now
have a unique opportunity to literally conduct business anywhere in the
world as they exploit the full potential of eCommerce and the Internet.
What better individual to facilitate this than the small business'
most trusted advisor, the CPA."
In addition to CPA WebTrust, which is focused on the business to consumer
(B2C) market place, the AICPA/CICA have issued two other programs under
the WebTrust Family Banner. The first is WebTrust-ISP.
WebTrust-ISP, as the name implies, provides assurance for the
Internet Service Provider marketplace. Similar to WebTrust B2C, the ISP
must undergo a rigorous audit-like examination. Four broad principles
are used to evaluate an ISP:
Business and Information Privacy Practices
The ISP discloses its business and information privacy practices for e-commerce
services and provides such services in accordance with its disclosed business
practices.
Availability
The ISP maintains effective controls to provide reasonable assurance that
the ISP's network access point and related e-commerce services
are available as disclosed by the ISP.
Security and Privacy
The ISP maintains effective controls against unauthorized physical and
electronic access to the ISP's e-commerce operating systems and
applications, and to private customer information obtained as a result
of e-commerce activities to provide reasonable assurance that access to
systems and customer accounts is restricted to authorized individuals
and that such private customer information is protected from uses not
related to the ISP's business.
Service Integrity
The ISP maintains effective controls to provide reasonable assurance that
customer messages and transactions, service requests, and responses are
processed accurately and completely.
The other newly developed program is Third Party Service Provider Reports
(TPSP) for WebTrust engagements. Like a SAS 70 letter which is auditor-to-auditor
communications for specific financial controls for an audit, the TPSP
provides guidance for accountant-to-accountant communications for a WebTrust
engagement.
Currently under development by the Electronic Commerce Assurance Task
Force are two other programs: WebTrust for Certification Authorities,
which will certify those entities issuing digital certificates, and
WebTrust-B2B or WebTrust for the Business-to-Business market. Both of
these new programs are anticipated to be released during the next calendar
year.
For additional information concerning the WebTrust program,
as well as access to the principles for CPA WebTrust, CPAWebTrust-ISP
and the TPSP guide, visit www.CPAWebTrust.org
or www.AICPA.org.