The CPA Journal

SysTrust and WebTrust Technology Assurance Opportunities

By Anthony J. Pugliese and Ronald Halse

In Brief

Assuring E-commerce Practices and Information Technology Systems

The technology trust gap provides an opportunity for CPAs to deliver independent assurance about a company’s systems or verify key aspects of its e-commerce functions. CPA firms that familiarize themselves with the SysTrust and WebTrust programs might find a potential market for these services already exists within their client base.

SysTrust-licensed CPAs provide assurance services to businesses regarding the reliability and integrity of their information technology systems. In the WebTrust program, CPAs provide assurance services to e-commerce businesses regarding the reliability and integrity of their e-commerce practices in various areas, including transaction policies, privacy, and security.

The AICPA anticipates that numerous opportunities await CPAs that incorporate SysTrust or WebTrust services into their practices. Those that do will find technology assurance to be a dynamic and lucrative service area. SysTrust and WebTrust are two assurance services that address the increasingly important areas of information systems reliability and e-commerce integrity. Both services combine proven techniques for verifying the integrity of systems by employing a mix of current technology consulting skills and traditional auditing.

Systems Assurance: An Overview

Businesses of all sizes must consider two key factors:

Systems reliability. Companies depend on information technology for their daily functioning, maintaining their competitive position, and making key business decisions.

E-commerce security. Although e-commerce has become ubiquitous among both consumer retailers and business-to-business (B2B) merchants, customers’ acceptance of it is based on trust in the transaction and business practices of the other party.

The AICPA developed SysTrust and WebTrust to enable CPAs to build new practice niches. SysTrust applies to a wide variety of systems, while WebTrust focuses entirely on the Internet. SysTrust examines the reliability of the systems themselves and WebTrust attests to controls over Internet-based transactions.

The “Trust Gap”

Dependence on information technology is a fact of life for today’s businesses. Information systems are the engine behind key internal functions such as human resources, payroll, and accounting. To many outsiders whose only contact with a company may be electronic, the information systems may even be the company in the sense that the systems’ quality and accuracy differentiate the company in the marketplace—and damage the company’s reputation when they prove unreliable. Recognizing this fact, companies have invested in their information systems, making them into a key asset. Because systems assurance in the information technology marketplace will only expand in importance and size, systems assurance has the potential to develop as a profitable practice niche for CPAs.

Because companies and the public are aware of how expensive technology problems can be, problems with systems reliability, security, and confidentiality has created a “trust gap.” In a recent study by the Computer Security Institute (CSI), 90% of the respondents reported uncovering computer security breaches within the last 12 months, and 74% reported financial losses because of those breaches. Respondents detected a wide range of attacks and abuses:

25% found system penetration by outsiders

27% experienced denial-of-service attacks within their organizations

85% detected computer viruses.

Among the 273 respondents that were able to quantify their losses, the total came to more than $265 million. (The average annual total over the last three years was more than $120 million.) As in previous years, the most serious financial losses occurred through theft of proprietary information (66 respondents reported more than $66 million) and financial fraud (53 respondents reported over $55 million).

CSI concluded that “the threat from computer crime and other information security breaches continues unabated and the financial toll is mounting.”

Internet issues. Businesses’ Internet operations have grown in importance along with the rise in e-commerce. Retail spending online has surged during the last few years; a National Retail Federation/Forrester Online Retail Index recently found that online spending totaled $4.03 billion in a single month.

But the web remains a source of anxiety for many users and businesses. According to CSI, 59% of respondents cited their Internet connection as a frequent point of attack. Because of highly publicized Internet breaches, both consumers and businesses have become aware of Internet security and privacy issues. A recent IBM/Harris Poll found that 94% of U.S. citizens are concerned about possible misuse of personal information.

Role of the Accounting Profession

SysTrust and WebTrust were conceived under the auspices of the AICPA Special Committee on Assurance Services, which sought to identify new markets based on CPAs’ existing competencies. Although the most common type of assurance engagement is the audit, financial statement auditing is a mature industry with limited long-term growth potential. CPAs’ business and professional experience qualify them to perform more than just traditional services, including the examinations of systems at the heart of SysTrust and WebTrust engagements.

CPAs are in a position to leverage their existing skills to fulfill the needs of the systems assurance marketplace. With some additional training, practitioners can take advantage of the opportunities provided by SysTrust and WebTrust.

How SysTrust Works

SysTrust is designed to offer assurance to a broad audience—management, boards of directors, customers, and business partners—about the information systems that support a business or one of its segments. In a SysTrust engagement, a CPA performs an examination, similar to an audit, to evaluate the system’s reliability. A positive SysTrust report attests to the system’s reliability and ability to operate without material error, flaw, or failure during a stated period of time in a specified environment.

Clients would be interested in a systems assurance examination for some of the following reasons:

Internal and external users can lose access to essential services because of system failures and crashes.
Systems can be vulnerable to viruses and hackers because of unauthorized system access.
System failure can result in loss of access to system services or loss of data confidentiality or integrity.
Negative publicity in the wake of high-profile system failures can undermine customer and investor confidence.

SysTrust can benefit a business’s day-to-day operations in the following scenarios:

A company is trying to win a major contract as a supplier to a corporation that uses just-in-time (JIT) inventory management. A SysTrust report that demonstrates the reliability of the company’s systems and shows its capacity to be a dependable partner in the JIT environment enables the company to differentiate itself from its competitors.
A company decides to outsource its human resources, payroll, and other employee-related systems. To ensure smooth operations, it insists that any successful bidder maintain unqualified SysTrust reports on the outsourced systems.
A retailer qualifies for a discount on business interruption insurance because its SysTrust report attests to the reliability of its inventory management systems.
When technology problems at foreign subsidiaries cause trouble for an international company, its audit committee decides to adopt the SysTrust principles and criteria as a minimum standard for key subsidiaries.

In a SysTrust engagement, a system is divided into five elements:

Infrastructure, such as hardware and facilities
Software, including operating systems, utilities, and business applications software n People, who operate and use the system
Procedures, which can include information system backup and maintenance or input procedures.
Data, or the information that the system uses and supports.

Together, these elements form a system that provides the information that the business needs to function and supports management in long-term decision making.

Four essential principles comprise a SysTrust engagement:

Availability. Does the system operate in accordance with the business requirements? Is it accessible for routine processing and maintenance?
Security. Is the system protected against unauthorized access?
Integrity. Does the system process information completely, accurately, in a timely manner, and in accord with the required authorization?
Maintainability. Can the system be updated to provide continued availability, security, and integrity?

SysTrust standards also include 58 underlying criteria that establish the specific control objectives a system must meet to be considered reliable. Under the version 2.0 SysTrust Principles and Criteria for Systems Reliability exposure draft, practitioners can report on any of the SysTrust principles in an individual engagement, depending on the client’s needs. SysTrust version 2.0 also offers guidance on testing systems in the preimplementation stage. In addition, it covers agreed-upon procedures and consulting engagements.

SysTrust examination-level attestation engagements are performed in accordance with Statements on Standards for Attestation Engagements No. 1, Attestation Standards (an examination-level engagement must be performed to issue a SysTrust report), and are also covered by the AICPA Code of Professional Conduct.

At the conclusion of a SysTrust engagement, the CPA gives the client a reporting package that includes an attestation report, a system description, and an assertion about the effectiveness of controls over the reliability of the system.

AICPA Support Program

The AICPA Systems Reliability Task Force is building awareness and acceptance of the SysTrust concept within the profession and throughout the business community through articles, speeches, advertisements, and the AICPA website (www.aicpa.org).

Currently in the planning stages is a model in which a third-party website would offer businesses the opportunity to receive feedback and benchmarking data on their systems based upon their responses to specific questions. The site would then offer information on SysTrust practitioners that could help the company address its technology concerns.

The task force has also created training courses and other educational materials and related CPE courses. A competency model that will be available on the AICPA’s portal website (www.cpa2biz.com) will further enhance understanding of the skills needed to perform a SysTrust engagement. In addition, the AICPA’s continuous audit task force is working to transform the SysTrust engagement from a static model focused on a specific period into a continuous assurance model.

Getting started with SysTrust. Although existing CPA firm services establish an experience base for providing SysTrust services, there are none that inform users about the reliability of a system over a period of time. SysTrust provides this service.

CPAs providing SysTrust services are licensed by the AICPA, which requires that licensees purchase the AICPA SysTrust Principles and Criteria for Systems Reliability for $15. The firm must also adhere to licensing provisions, which include quality control requirements.

Once a firm offers SysTrust assurance engagements, it can also position itself as a key technology resource for clients by delivering related services such as security profiling and design, application controls consulting, and privacy consulting.

How WebTrust Works

Currently, WebTrust is the only comprehensive e-commerce seal that uses independent verification to prevent online fraud and privacy infringements. This third-party verification by specially licensed CPAs tells the customer that a website meets the high standards embodied in the WebTrust principles and criteria.

WebTrust is the only seal of assurance that complies with current European Union data-protection and privacy standards, the United Kingdom Data Protection Act, the requirements of the Global Business Dialogue Exchange (GBDE) and the Organisation for Economic Co-operation and Development (OECD), and Privacy Bill C-6 in Canada. The AICPA has signed agreements with the accountancy institutes of Argentina, Australia, Canada, Denmark, England and Wales, France, Germany, Hong Kong, Ireland, Italy, the Netherlands, New Zealand, Scotland, and Spain to offer WebTrust services in those countries. Websites hosted in other countries also carry the WebTrust seal, making the program a universal solution to the problems of e-commerce credibility, privacy, and security.

WebTrust Version 3.0

Under the recently released version 3.0 of the WebTrust Principles and Criteria, clients can select the WebTrust product best suited to their needs from a menu of seven principles:

Privacy. Focuses on how the sources of private information are being collected; how that information will be used, distributed, and corrected, when necessary; how cookies or other identification technologies are used; and how customers can opt out of transactions.

Transaction integrity. Provides assurance that services or products are provided to customers as requested; information on the condition of goods; a timeframe for transactions; payment and delivery terms; and a means of canceling orders or receiving customer support and service.

Security. Attests to the existence of a functioning disaster recovery plan, procedures to handle security breaches, the use of proper encryption technology, and the use of routine system backups.

Availability. Attests to the existence of access terms and conditions; availability policies that conform with legal, contractual, and other requirements; procedures that handle availability problems and security incidents; a functioning disaster recovery plan; and assurance that hardware and software have properly tested and documented availability objectives.

Nonrepudiation. Examines accessible records, procedures to authenticate authorized users, controls to record another party’s assent to an online transaction, and safeguards against unauthorized users, as well as establishing which party is liable for loss at different stages of the transaction process.

Confidentiality. Offers assurance that the security surrounding transmission, collection, and distribution of confidential information is adequate; that proper procedures exist for confidentiality breaches; that choices are provided to customers, including the choice to opt out of certain terms; that there are safeguards on transmission to unintended recipients and against unauthorized access; and that the storage of backup media is secure.

Customized disclosures. This unique principle must be covered in a report issued in conjunction with at least one other principle. The enterprise’s specified disclosures must comply with applicable professional standards and be relevant to its e-commerce business, and effective controls must ensure that the disclosures are reliable. Possible disclosures include the number of visits to a website on a specific date and assertions about the size of the business or the website’s popularity.

When reporting on each principle, the business must disclose applicable practices, comply with them, and maintain controls and procedures to ensure ongoing compliance. Instead of a one-size-fits-all engagement, clients can now ask the CPA to provide a report on the selected principles that are most relevant to their websites. Part of this redesigned “cafeteria” approach to WebTrust is a plan for the eventual addition of principles and criteria that serve the needs of the B2B marketplace.

WebTrust Target Market

A Boston Consulting Group study notes that total online business-to-consumer revenues across all categories grew by 120%, to $33.1 billion in 1999. In 2000, the online retail market is expected to grow by 85%, to $61 billion. In the B2B market, one-fourth of all domestic B2B purchasing will be done online by 2003, estimated at $2.8 trillion.

WebTrust is applicable across the Internet market to businesses of all sizes. There are WebTrust Principles and Criteria for Internet service providers (ISPs) and new WebTrust standards for certification authorities. Companies that have earned the WebTrust seal include Bell Canada and the online brokerage E*Trade, which mentions the seal in advertisements to differentiate itself in its highly competitive market.

“WebTrust allows us to provide the privacy and security that our customers want, giving them peace of mind that it is safe to buy at ShopCSC.com,” said Dan Schneeweiss, CEO of online computer retailer ShopCSC.com. “We’re confident that WebTrust will accelerate our already rapidly growing online business.”

AICPA Support Program

The AICPA’s marketing and public relations program targets businesses in existing and emerging e-commerce sectors, including retail, financial services, and hospitality. The WebTrust marketing campaign uses both traditional and electronic media, radio, public television, and in-flight advertising to establish the WebTrust brand. A major media relations campaign has extended exposure for the program in the general and business press. AICPA WebTrust team attendance at trade shows and conferences has introduced the program to important market segments and generated leads for specific engagements.

The team also recently redesigned the WebTrust seal for enhanced marketing opportunities and greater international appeal; the new seal has begun to be used this fall. The team has also created awareness of the program and its benefits among government officials in the United States and other countries. In response to licensee feedback, the Institute created training products and materials. Licensee support includes a regular newsletter describing WebTrust and industry developments and a client marketing sales newsletter. The support team also hosts conference calls among WebTrust practitioners and fosters licensee groups and alliances.

Getting Started. The WebTrust seal is licensed to CPA firms whose owners are members in good standing with the AICPA. Firms sign a licensing agreement that sets out certain requirements to maintain the seal’s quality and public confidence in it. For example, licensees must agree to abide by the program’s professional standards, take the requisite CPE to obtain and maintain licensing, and participate in a quality assurance program. WebTrust licensing fees range from $2,000 to $50,000 per firm for the first year, based on firm income. The fees decrease in the second and third years and level off in subsequent years. CPAs who now provide computer-related attest services already have much of the expertise needed to provide the WebTrust service.

Anthony J. Pugliese, CPA, is director of assurance services, and
Ronald Halse is marketing manager for assurance services, both at the AICPA.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

Visit the new cpajournal.com.