1 / 55

Assurance on e-Commerce and other systems

Assurance on e-Commerce and other systems. ACC 651/646. What are the Risks for Consumers?. Unknown entity Ease of establishing and removing e-Commerce sites Transactions not processed correctly Security of information Privacy of information. 3-2. What are the Risks for Companies?.

rollin
Download Presentation

Assurance on e-Commerce and other systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Assurance one-Commerce and other systems ACC 651/646

  2. What are the Risksfor Consumers? • Unknown entity • Ease of establishing and removing e-Commerce sites • Transactions not processed correctly • Security of information • Privacy of information 3-2

  3. What are the Risksfor Companies? • Denial of Service • system failures, crashes, capacity issues • Unauthorized Access • Viruses, hackers, loss of confidentiality • Loss of Data Integrity • corrupted, incomplete, fictitious data • Maintenance problems • unintended impact of system changes

  4. Recent Headlines “Rail company’s unreliable system causes rail cars to stack up, shipping delays and shipments gone astray” “Security rated top on-line fear” “eBay waives $3-5 million listing fees after service outage” “Worm.Explore.Zip virus forces shutdown of companies’ systems” “Computer errors decimate managed care company’s stock” “Computer woes halt TSE trading”

  5. Reliability & the Market E*Trade Publicized Network Failures & Resulting Market Cap Decreases $ 2.5b $737m E*Trade Stock Price(EGRP) $767m

  6. Agenda • Concerns about system reliability • WebTrust • SysTrust • Future of IT Assurance

  7. Dimensions of Unreliability • Denial of Service • system failures, crashes, capacity issues • Unauthorized Access • viruses, hackers, loss of confidentiality • Loss of Data Integrity • corrupted, incomplete, fictitious data • Maintenance problems • unintended impact of system changes • Failure to fulfill commitments

  8. WebTrust & SysTrust • Two services designed to address new assurance needs • WebTrust deals with customer front end • SysTrust deals with systems • Both are CA/CPA assurance reports • US - SSAE #1 • Canada - section 5025

  9. SysTrust Criteria System Description Mgmt’s Assertions Auditor’s Report What is SysTrust? • SysTrust Process • Management makes representations about system reliability • using framework of 4 principles and58 criteria • CA/CPA collects evidence to support management’sassertions • CA/CPA issues assurance report on controls over system’s reliability

  10. What is WebTrust? • The WebTrust Process • Management makes representations about e-commerce practices • using framework of 3 principles and related criteria • CA/CPA collects evidence to support management’s assertions • CA/CPA issues seal click here

  11. Professional Standards 1

  12. Professional Standards 2 • Assurance/Attestation • CICA - s. 5025 • AICPA - SSAE #1 • S5900 & SAS 70 • Rules of Professional Conduct • Independence • Licensing SysTrust/WebTrust

  13. Value of Assurance Report • Increase Revenues: • attract customers, business partners • avoid reputation / market-share / other losses • differentiate against competitors • better selection of business partners

  14. Value of Assurance Report • Reduce Costs: • avoid systems development rework • reduce cost of capital • common evaluation framework - efficient

  15. Value of Assurance Report • Reduce Risks: • confidence in internal systems • appropriate controls • protect shareholder value • better decision making • regulators (taxation, privacy, etc...) • insurers

  16. Who are Likely Buyers? • System Users & Influencers • “C-Suite” - CEO, COO, CFO, CIO,... • Internal Auditors • Board of Directors • Customers • System Owners • Service Providers (outsourcing) • System Vendors • System Builders • IT Operations • Consultants

  17. A “SysTrust” Opinion... “ We have audited the assertion by mgmt that... ABC company maintained effective controls...to provide reasonable assurance that…XYZ system was reliable...based on SysTrust principles & criteria…” “ In our opinion mgmt’s assertion…is fairly stated in all material respects...”

  18. Definitions • SYSTEM • RELIABILITY • CRITERIA

  19. Software Infrastructure Data People Procedures SYSTEM ...an organized collection of software, infrastructure, people, procedures and data that, together within a business context, producesinformation... SYSTEM

  20. SYSTEM RELIABILITY “A system that operates without materialerror, fault or failure in availability, security, integrity or maintainability during a specified time in a specified environment.”

  21. RELIABILITY AVAILABILITY MAINTAINABILITY SECURITY INTEGRITY CRITERIA CRITERIA CRITERIA CRITERIA RELIABILITY

  22. CRITERIA • Each Principle has a series of Criteria • 58 mandatory Criteria in 3 categories: • policies exist and are appropriate • policies are implemented and operate effectively • adherence to policy is monitored • Attributes of Criteria:- measurable - relevant - objective - complete

  23. Structure of Criteria

  24. CICA’s ITCG comprehensive coverage risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc. Illustrative Controls 1

  25. ISACF’s COBIT also comprehensive planning & organization, acquisition & implementation, delivery & support, monitoring, etc. Illustrative Controls 2

  26. WebTrust Principles • Business Practices Disclosure The entity discloses its business practices for electronic commerce transactions and executes transactions in accordance with its disclosed business practices. • Transaction Integrity The entity maintains effective controls to ensure that customers’ orders placed using electronic commerce are completed and billed as agreed. • Information Protection The entity maintains effective controls to ensure that private customer information is protected from uses not related to the entity’s business.

  27. Terms & conditions by which it does business time frame for fulfillment time for backorder notification normal method of delivery & options payment terms & options electronic settlement practices canceling recurring charges return practices, if any Business Practices Disclosure 1

  28. Business Practices Disclosure 2 • Nature of the goods, information, or services • Where customers can obtain warranty and other service • Information to allow customers to file claims & complaints (including consumer dispute resolution - version 2.0) • Information privacy policies (version 2.0)

  29. Transaction Integrity Controls • All information needed to process & bill the order accurately is recorded • Proper goods or services are provided • Billing & settlement is done properly • Documentation permits subsequent follow-up • Management has monitoring to ensure: • business practice disclosures remain current • transaction integrity controls and practices remain effective • non-compliance situations are promptly corrected

  30. Information Protection Controls • Transmissions via public networks secure • Protection of private customer information • Protection against its unauthorized access to customer’s computers or files • Management has monitoring to ensure: • information protection controls and practices remain effective • non-compliance situations are promptly corrected

  31. Control Environment • Part of Transaction Integrity and Information Protection Criteria • Entity has a control environment that is generally conducive to: • Reliable business practice disclosures on its web site • Effective controls over electronic commerce transaction integrity • Effective controls over protection of private customer information

  32. WebTrust Seal • Web consumer would see the seal on a web page • Would then click on it to access additional information • Display of firm name, logo is optional click here Click to see report issued by: XY&Z, Chartered Accountants XY &Z

  33. What User Sees Clicking... • VeriSign certificate information • Accountant’s (XY&Z’s) report • Management’s assertions • Business practices disclosures • Link to AICPA/CICA WebTrust Principles & Criteria • Other relevant information

  34. License Firm & International Affiliates Ownership AICPA/CICA WebTrust Training Required for licensing Required for each engagement Protecting the Value of the Seal Quality assurance Annual renewal & representations Record retention & availability Key License Provisions

  35. WebTrust License Fees • Annual fee • US$1,400 per seal award per year • Fees to be used for promoting *.Trust

  36. WebTrust Annual License Fees 8-2

  37. Truste.com BBBOnline.org WebTrust ADDSecure.net ICSA.net WABureau.com WebWatchdog MultiCheck BizRate Gomez epinions.com comparenet.com Consumer Reports Yahoo Amazon etc WebSite Seals & Rating Systems

  38. Comparison of Seals 1

  39. Comparison of Seals 2

  40. Continuous Auditing PeriodicAssurance Consulting Services Design ----Implement ---------------Operate Positioning Services 1 *.Trust

  41. WebTrust SysTrust S 5900 SAS 70 Positioning Services 2 Non-Financial Financial InternalUsers ExternalUsers

  42. SysTrust vs S5900 & SAS70 • S5900 & SAS70 • Report on controls of service organization • No pre-established principles or criteria • Primarily financial systems • Information sharing objective • Audience primarily other auditors • Details on controls • SysTrust . • Report on reliability of a system or subset • Established principles & criteria • Financial & non-financial systems • Objective is assurance on system • Management and third party users • No details on controls

  43. Review of S 5900 1 • Report on controls at service organization • Stated control objectives • Control procedures designed to achieve objectives • Existence / Suitable Design • Effectiveness • Point in time vs. period of time

  44. Subject matter Nature of examination Standards “Control procedures were suitably designedto provide reasonable,but not absolute, assurance that stated control objectives were achieved … and operated effectively throughout the stated period” Review of S 5900 2

  45. *.Trust Service Issues • Practicing Across Jurisdictional Boundaries • Client & Engagement Acceptance • Client acceptance • Nature of business, reputation, management • Engagement acceptance • Control environment, nature of sites • Are they likely to meet criteria? • Expertise Required • Personal: Integrity, Objectivity, Due Care • Professional Competencies: Assurance, Subject Matter (IT) • Marketing

  46. Skill Sets Needed • Professional Standards • Systems Concepts • Business & Transactions Processing • Hardware • Software • Networks/Internet • Outside Experts

  47. Engagement Management • Documentation • Working papers • Engagement summaries • Management Representation Letter • Auditor’s Report • Dealing with Change • Self Assessment /Readiness Assistance • System of Quality Control

More Related