Secure e-Business: Overview of WebTrust™
Chartered Accountants of Canada / Comptables agréés du Canada

Presentation transcript:


Concerns About e-Business
- What are this site’s e-Commerce practices?
- I am worried about security
- I would like to maintain anonymity
- I do not like traceability
- What are they going to do with my information?
- Who am I really doing business with?
- I am afraid I will get scammed, will I get my stuff?
- What is the recourse if something goes wrong?

Barriers to Acceptance
People who have access to the Internet but who have not purchased a good or service through the Internet state that the following were factors in their decision:
- 52% Concern over privacy of personal information
- 56% Concern over unauthorized use of credit card information
- 36% Concern over not receiving product or service ordered
Source: Canadian Institute of Chartered Accountants Electronic Commerce Survey, August 1997

D&T & Retail Council of Canada’s Most Recent Study
Consumers are saying…
- The visual aspect of online shopping is key.
- There is a strong commitment to purchasing at Canadian sites.
- Online purchasing is considered to be convenient and saves time.
- Considerable concern still exists about the privacy of personal information related to online purchasing.
- A third party security endorsement can help build the trust of site visitors.
- Bookmarking of favorite sites has the potential to build loyalty.
- The power of “word of mouth” should not be underestimated.

The WebTrust™ Response: A Unique Seal of Assurance
WebTrust™:
- Provides assurance that a web site meets AICPA/CICA defined criteria for business practices and transaction integrity, security and privacy, and related disclosures.
- Is designed to build consumer confidence in electronic commerce.
- Is the only service combining privacy, security, and transactional integrity with up-front and ongoing independent third party verification.
- Will be able to demonstrate a web site’s compliance with the privacy laws of major industrial countries.
- Is a global seal that can be provided by qualified and licensed CPAs and CAs around the world.

WebTrust™ Global Availability

Global Offering of WebTrust™
Currently:
- Canada
- United States
- England and Wales
- Denmark
- France
- Germany
- Ireland
- Netherlands
- Spain
- Australia
- Hong Kong
Researching:
- Belgium
- Malaysia
- Japan
- Italy
- Argentina
Planning:
- New Zealand

WebTrust™ Sample Site

WebTrust™ Seal
- A Web consumer would see the seal on a Web page
- Would then click on it to access additional information

WebTrust™ Certification Process

WebTrust™ Certification Process
- Definition of scope
- Web sites & services included
- Geographical scope
- Self-assessment questionnaire
- Understand outsourced activities
- Initial period at least 60 days
- Unqualified audit report
- At least semi-annual updates
- Independence
- Appropriate team with required expertise

Overview of the WebTrust™ Process
Phase I – Understanding the Methodology and Process
- Perform a self-evaluation.
- Understand and document the electronic commerce business and systems processes, procedures and controls.
- Map existing processes and controls against WebTrust™ Principles and Criteria.
- Build a WebTrust™ Preview Site.

Overview of the WebTrust™ Process
Phase II – Testing of the Processes & Controls
- Test and evaluate the Business Practices Disclosures, Transaction Integrity, Security and Privacy Controls.

Overview of the WebTrust™ Process
Phase III – Reporting
- Complete the final report and certify the Web Site.

Overview of the WebTrust™ Process
Phase IV – Minimum Semi-Annual Updates (Version 3.0)
- Update our review and tests of the Business Practice Disclosure, Transaction Integrity and Information Protection on a semi-annual basis.
- Update for any major system changes and service offerings.

The New Version 3.0
WebTrust™ Version 3.0 includes any of the following WebTrust™ Seals:
- WebTrust™ Security Seal
- WebTrust™ Transactional Integrity Seal
- WebTrust™ Privacy Seal
- or WebTrust™ Consumer Protection Seal, including all three of the above
Additional principles for B2B & ISP/ASPs include:
- availability
- confidentiality
- non-repudiation
- customized disclosures

WebTrust™ 3.0 Principles: Security
The enterprise discloses key security policies, complies with such security policies, and maintains effective controls to provide reasonable assurance that access to electronic commerce system and data is restricted only to authorized individuals in conformity with its disclosed security policies.

WebTrust™ 3.0 Principles: Transaction Integrity
The enterprise discloses its business practices for electronic commerce, executes transactions in conformity with such practices, and maintains effective controls to provide reasonable assurance that e-Commerce transactions are processed completely, accurately and in conformity with its disclosed business practices.

WebTrust™ 3.0 Principles: Privacy
The enterprise discloses its privacy policies, complies with such privacy practices, and maintains effective controls to provide reasonable assurance that personally identifiable information obtained as a result of electronic commerce is protected in conformity with its disclosed privacy practices.

WebTrust™ 3.0 Principles: Availability
The enterprise discloses its practices for availability, complies with such availability disclosures, and maintains effective controls to provide reasonable assurance that e-commerce systems and data are available as disclosed.

WebTrust™ 3.0 Principles: Non-repudiation
The enterprise discloses its practices for non-repudiation, complies with such practices, and maintains effective controls and appropriate records to provide reasonable assurance that the authentication and integrity of transactions and messages received electronically are provable to third parties in conformity with its disclosed non-repudiation practices.

WebTrust™ 3.0 Principles: Confidentiality
The enterprise discloses its confidentiality practices, complies with such confidentiality practices and maintains effective controls to provide reasonable assurance that access to information obtained as a result of electronic commerce and designated as confidential is restricted to authorized individuals in conformity with its disclosed confidentiality practices.

WebTrust™ 3.0 Principles: Customized Disclosures
The enterprise’s specified disclosures are consistent with professional standards for suitable criteria and relevant to its electronic controls over the processes supporting such disclosures to provide reasonable assurance that such disclosures are reliable.

Frequently Asked Questions

What happens if a company does not meet the audit requirements? How long do we have to fix any inconsistencies?
The company needs to demonstrate that it has been in compliance with the WebTrust™ criteria for at least 60 days before it can receive the WebTrust™ seal. Then it needs to remain in compliance with the criteria to continue to display the seal. As part of their work, practitioners may identify weaknesses which need to be addressed. This may be included as part of the services based on the extent of the weaknesses identified. However, if the practitioner and the management determine that the weaknesses are extensive, then we will have to address those issues and help you improve the controls and practices separately. In such cases, the seal will be awarded 60 days after the implementation of the new controls, to ensure their effectiveness.

What does WebTrust™ membership provide other than quarterly (semi-annual) audits?
As is the case with a financial statement audit, there is no membership structure. The AICPA/CICA task force would be willing to consider such a program if there was sufficient interest among organizations with the WebTrust™ seal. However, as a certified WebTrust™ web-site, you will be listed at the WebTrust™ home page under a listing of all WebTrust™ certified companies. This provides customers a “Yellow Pages” of WebTrust™ web-sites. Additionally, the members will have access to “Best Practices” for Internet electronic commerce.

How is a WebTrust™ audit different from a regular accounting and/or system audit and what extra value does it provide?
The purpose of a WebTrust™ audit differs significantly from those of a financial statement audit. The focus of WebTrust™ is on the business practices disclosures for electronic commerce transactions and the related controls over transaction integrity and information protection. The WebTrust™ view is ensuring that business-to-consumer electronic commerce transactions are appropriately handled and that related concerns of typical consumers are addressed by the business. By contrast, the financial statement audit focuses on the reliability and fair presentation of financial statements and the related footnotes and disclosures. The audit work performed on accounting systems is an intermediate step in formulating the auditor's opinion on the financial statements.

By representing WebTrust™, does the CA or CPA issuing the WebTrust™ seal ensure security of the company’s processes and systems to customers?
The responsibility for ensuring security of a company’s processes and systems is that of the company’s management. The practitioner is providing an independent and objective assessment of how management is discharging that responsibility.

What are the key customer benefits?
Key customer benefits are increased trust and confidence in doing business electronically on the Internet. This should ultimately result in more efficient markets and lower cost benefits to both the company and its customers. Customers will have access to a “Yellow Pages” listing of your web-site as a WebTrust™ certified business. WebTrust™ is a recognized seal of assurance on the Internet. The true advantage will be for those companies who get the early edge through strategic marketing of their electronic commerce practices and their WebTrust™ certification.