Assurance on e-Commerce and other systems
ACC 651/646
What are the Risks for Consumers?
• Unknown entity
• Ease of establishing and removing e-Commerce sites
• Transactions not processed correctly
• Security of information
• Privacy of information
What are the Risks for Companies?
• Denial of Service
  • system failures, crashes, capacity issues
• Unauthorized Access
  • viruses, hackers, loss of confidentiality
• Loss of Data Integrity
  • corrupted, incomplete, fictitious data
• Maintenance problems
  • unintended impact of system changes
Recent Headlines
• “Rail company’s unreliable system causes rail cars to stack up, shipping delays and shipments gone astray”
• “Security rated top on-line fear”
• “eBay waives $3-5 million listing fees after service outage”
• “Worm.Explore.Zip virus forces shutdown of companies’ systems”
• “Computer errors decimate managed care company’s stock”
• “Computer woes halt TSE trading”
Reliability & the Market
[Chart: E*Trade Publicized Network Failures & Resulting Market Cap Decreases; series: E*Trade Stock Price (EGRP); values shown: $2.5b, $737m, $767m]
Agenda
• Concerns about system reliability
• WebTrust
• SysTrust
• Future of IT Assurance
Dimensions of Unreliability
• Denial of Service
  • system failures, crashes, capacity issues
• Unauthorized Access
  • viruses, hackers, loss of confidentiality
• Loss of Data Integrity
  • corrupted, incomplete, fictitious data
• Maintenance problems
  • unintended impact of system changes
• Failure to fulfill commitments
WebTrust & SysTrust
• Two services designed to address new assurance needs
• WebTrust deals with customer front end
• SysTrust deals with systems
• Both are CA/CPA assurance reports
  • US - SSAE #1
  • Canada - section 5025
What is SysTrust?
[Diagram: SysTrust Criteria, System Description, Mgmt’s Assertions, Auditor’s Report]
• SysTrust Process
  • Management makes representations about system reliability
    • using framework of 4 principles and 58 criteria
  • CA/CPA collects evidence to support management’s assertions
  • CA/CPA issues assurance report on controls over system’s reliability
What is WebTrust?
• The WebTrust Process
  • Management makes representations about e-commerce practices
    • using framework of 3 principles and related criteria
  • CA/CPA collects evidence to support management’s assertions
  • CA/CPA issues seal
Professional Standards 2
• Assurance/Attestation
  • CICA - s. 5025
  • AICPA - SSAE #1
  • S5900 & SAS 70
• Rules of Professional Conduct
  • Independence
• Licensing SysTrust/WebTrust
Value of Assurance Report
• Increase Revenues:
  • attract customers, business partners
  • avoid reputation / market-share / other losses
  • differentiate against competitors
  • better selection of business partners
Value of Assurance Report
• Reduce Costs:
  • avoid systems development rework
  • reduce cost of capital
  • common evaluation framework - efficient
Value of Assurance Report
• Reduce Risks:
  • confidence in internal systems
  • appropriate controls
  • protect shareholder value
  • better decision making
  • regulators (taxation, privacy, etc.)
  • insurers
Who are Likely Buyers?
• System Users & Influencers
  • “C-Suite” - CEO, COO, CFO, CIO, ...
  • Internal Auditors
  • Board of Directors
  • Customers
• System Owners
  • Service Providers (outsourcing)
  • System Vendors
• System Builders
  • IT Operations
  • Consultants
A “SysTrust” Opinion...
“We have audited the assertion by mgmt that... ABC company maintained effective controls... to provide reasonable assurance that… XYZ system was reliable... based on SysTrust principles & criteria…”
“In our opinion mgmt’s assertion… is fairly stated in all material respects...”
Definitions
• SYSTEM
• RELIABILITY
• CRITERIA
SYSTEM
“...an organized collection of software, infrastructure, people, procedures and data that, together within a business context, produces information...”
[Diagram: Software, Infrastructure, Data, People, Procedures]
SYSTEM RELIABILITY
“A system that operates without material error, fault or failure in availability, security, integrity or maintainability during a specified time in a specified environment.”
[Diagram: RELIABILITY comprises four principles, AVAILABILITY, SECURITY, INTEGRITY and MAINTAINABILITY, each with its own CRITERIA]
CRITERIA
• Each Principle has a series of Criteria
• 58 mandatory Criteria in 3 categories:
  • policies exist and are appropriate
  • policies are implemented and operate effectively
  • adherence to policy is monitored
• Attributes of Criteria:
  • measurable
  • relevant
  • objective
  • complete
Illustrative Controls 1
• CICA’s ITCG
  • comprehensive coverage: risk management & control, IT planning, IS acquisition, development & maintenance, operations & support, security, business continuity & recovery, etc.
Illustrative Controls 2
• ISACF’s COBIT
  • also comprehensive: planning & organization, acquisition & implementation, delivery & support, monitoring, etc.
WebTrust Principles
• Business Practices Disclosure
  The entity discloses its business practices for electronic commerce transactions and executes transactions in accordance with its disclosed business practices.
• Transaction Integrity
  The entity maintains effective controls to ensure that customers’ orders placed using electronic commerce are completed and billed as agreed.
• Information Protection
  The entity maintains effective controls to ensure that private customer information is protected from uses not related to the entity’s business.
Business Practices Disclosure 1
• Terms & conditions by which it does business
  • time frame for fulfillment
  • time for backorder notification
  • normal method of delivery & options
  • payment terms & options
  • electronic settlement practices
  • canceling recurring charges
  • return practices, if any
Business Practices Disclosure 2
• Nature of the goods, information, or services
• Where customers can obtain warranty and other service
• Information to allow customers to file claims & complaints (including consumer dispute resolution - version 2.0)
• Information privacy policies (version 2.0)
Transaction Integrity Controls
• All information needed to process & bill the order accurately is recorded
• Proper goods or services are provided
• Billing & settlement is done properly
• Documentation permits subsequent follow-up
• Management has monitoring to ensure:
  • business practice disclosures remain current
  • transaction integrity controls and practices remain effective
  • non-compliance situations are promptly corrected
Information Protection Controls
• Transmissions via public networks secure
• Protection of private customer information
• Protection against its unauthorized access to customer’s computers or files
• Management has monitoring to ensure:
  • information protection controls and practices remain effective
  • non-compliance situations are promptly corrected
Control Environment
• Part of Transaction Integrity and Information Protection Criteria
• Entity has a control environment that is generally conducive to:
  • Reliable business practice disclosures on its web site
  • Effective controls over electronic commerce transaction integrity
  • Effective controls over protection of private customer information
WebTrust Seal
• Web consumer would see the seal on a web page
• Would then click on it to access additional information
• Display of firm name, logo is optional
[Seal illustration: “Click to see report issued by: XY&Z, Chartered Accountants”]
What User Sees Clicking...
• VeriSign certificate information
• Accountant’s (XY&Z’s) report
• Management’s assertions
• Business practices disclosures
• Link to AICPA/CICA WebTrust Principles & Criteria
• Other relevant information
Key License Provisions
• License: Firm & International Affiliates
• Ownership: AICPA/CICA
• WebTrust Training
  • Required for licensing
  • Required for each engagement
• Protecting the Value of the Seal
  • Quality assurance
  • Annual renewal & representations
  • Record retention & availability
WebTrust License Fees
• Annual fee
  • US$1,400 per seal award per year
• Fees to be used for promoting *.Trust
WebSite Seals & Rating Systems
• Truste.com
• BBBOnline.org
• WebTrust
• ADDSecure.net
• ICSA.net
• WABureau.com
• WebWatchdog
• MultiCheck
• BizRate
• Gomez
• epinions.com
• comparenet.com
• Consumer Reports
• Yahoo
• Amazon
• etc.
Positioning Services 1
[Diagram: system life cycle (Design, Implement, Operate) against which Consulting Services, Periodic Assurance, Continuous Auditing and *.Trust are positioned]
Positioning Services 2
[Diagram: WebTrust, SysTrust, S 5900 and SAS 70 positioned on two axes: Non-Financial vs. Financial, Internal Users vs. External Users]
SysTrust vs S5900 & SAS70
• S5900 & SAS70
  • Report on controls of service organization
  • No pre-established principles or criteria
  • Primarily financial systems
  • Information sharing objective
  • Audience primarily other auditors
  • Details on controls
• SysTrust
  • Report on reliability of a system or subset
  • Established principles & criteria
  • Financial & non-financial systems
  • Objective is assurance on system
  • Management and third party users
  • No details on controls
Review of S 5900 1
• Report on controls at service organization
• Stated control objectives
• Control procedures designed to achieve objectives
• Existence / Suitable Design
• Effectiveness
• Point in time vs. period of time
Review of S 5900 2
• Subject matter
• Nature of examination
• Standards
“Control procedures were suitably designed to provide reasonable, but not absolute, assurance that stated control objectives were achieved … and operated effectively throughout the stated period”
*.Trust Service Issues
• Practicing Across Jurisdictional Boundaries
• Client & Engagement Acceptance
  • Client acceptance
    • Nature of business, reputation, management
  • Engagement acceptance
    • Control environment, nature of sites
    • Are they likely to meet criteria?
• Expertise Required
  • Personal: Integrity, Objectivity, Due Care
  • Professional Competencies: Assurance, Subject Matter (IT)
• Marketing
Skill Sets Needed
• Professional Standards
• Systems Concepts
• Business & Transactions Processing
• Hardware
• Software
• Networks/Internet
• Outside Experts
Engagement Management
• Documentation
  • Working papers
  • Engagement summaries
  • Management Representation Letter
  • Auditor’s Report
• Dealing with Change
• Self Assessment / Readiness Assistance
• System of Quality Control