The Electronic Frontier

Boldly going where no CPA has gone before? Take a map.

  • CPAs THINKING ABOUT GETTING INTO WebTrust should be well informed about the problems of e-commerce and WebTrust competitors.

  • TRUST IS THE KEY ISSUE. Customers wonder whether they can trust a company and whether sensitive information will be kept private.

  • A NEW SERVICE FROM THE AICPA, CPA WebTrust is not the only logo service available. Other logo services include BBB Online, TRUSTe, and ICSA.

  • WEBTRUST IS UNIQUE BECAUSE it includes broader criteria, requires testing before the seal is added, requires frequent re-examination and is tied in with traditional attestation services.

  • A COMPANY'S NEED FOR online assurance will vary, based on how well it is known in the marketplace and who its customers are.

Glen L. Gray, CPA, PhD, is a professor of accounting and MIS at the College of Business Administration and Economics, California State University, Northridge. He, with Karl Nagel, CPA, is currently writing the Guide to Electronic Commerce Assurance Services for Harcourt Brace Professional Publishing. Roger Debreceny, FCPA, is professor of accounting in the Nanyang Business School at Nanyang Technological University, Singapore.

Before jumping into WebTrust, CPAs should understand not only the problems with consumer online commerce that give rise to programs such as WebTrust, but also the Web logo services from non-CPA competitors. Although electronic commerce offers CPAs a chance to build on their experience, reputation and training, they need to understand some background before they proceed. No one article, or even one book, can explain everything CPAs need to know about online commerce, but this article explores several key areas in the current e-commerce landscape.


Although the estimates vary widely from different research organizations, Forrester Research, Inc., a market research company that specializes in information technology and e-commerce, estimates that buyers and sellers exchanged $8 billion over the Internet in 1997 and will exchange well over $100 billion by the year 2000, a trend that poses ample opportunities for CPAs. According to the AICPA special committee on assurance services, the e-commerce assurance market for CPAs could grow to between $2 billion and $11 billion annually over the next few years.

Exhibit 1: BBB Online Criteria
  1. Become a member of the appropriate local Better Business Bureau.
  2. Provide the BBB with information regarding company ownership and management and the street address and telephone number at which the company does business, which will be verified by the BBB in a visit to the company's physical premises.
  3. Be in business a minimum of one year (with limited exceptions).
  4. Have a satisfactory complaint-handling record with the BBB.
  5. Agree to participate in the BBB's advertising self-regulation program, and correct or withdraw online advertising when challenged by the BBB and found not to be substantiated or not in compliance with our children's advertising guidelines.
  6. Respond promptly to all consumer complaints.
  7. Agree to binding arbitration, at the consumer's request, for unresolved disputes involving consumer products or services advertised or promoted online.

Although e-commerce is exploding, both buyers and sellers voice concerns about conducting business on the Internet. Many customers and business owners still distrust the process of e-commerce. They also may have a number of concerns about their potential trading partners—trading partners that they may never have dealt with previously or even communicated with other than by the Web or e-mail. Indeed, research published earlier this year by CommerceNet, a not-for-profit industry association that promotes e-commerce, confirms that a lack of trust is one of the top issues identified by market participants as preventing e-commerce from growing as fast as it otherwise could. While e-commerce is increasing, trust concerns, too, have actually risen over the last year, suggesting that this problem will not decline merely as people become more familiar with doing business on the Internet.

Customers are wary because many questions remain unanswered about online stores, such as the following:

  • Is this a real company? (The authentication problem.)
  • Is this a trustworthy company? (The reputation problem.)
  • If I send credit card or bank information, is it safe? (The payment problem.)
  • If I provide information to a company on its Web site, where will the information end up? (The privacy problem.)
  • If I place an order, will I receive what I asked for?
  • Will I receive delivery when promised?
  • Will any problems I have be resolved quickly?
  • Is the money-back guarantee honored?
  • How soon will I get credit for returned items?
  • How quickly will the company perform service on warranty items?
  • Will the company be able to send me necessary replacement parts quickly?

CPAs, by virtue of education and experience, are in an excellent position to provide assurance to consumers on these questions and thus remove some of the obstacles hindering further growth of Internet commerce.


WebTrust is not the first attempt at answering these questions. In the past few years, logo services or logo programs have been used to build trust between e-commerce trading partners. Essentially, if a seller fulfills a set of criteria specified by an assurance provider, it can place the provider's logo on its Web site. The logo offers reassurance to concerned buyers that the seller meets the standards established by a trusted third party. Typically, the logo itself is tamper-resistant and is linked to the assurance provider's site, where the user can go to find out more detailed information about the meaning and scope of the logo service. CPA WebTrust is one of several logo services.

Exhibit 2: TRUSTe Logos and Meanings
  1. Information Disclosure
    • The site must explain and summarize its general information gathering practices.
    • The site must explain up front what personally identifiable data are being gathered, what the information is used for and with whom the information is being shared.
    • The site must disclose whether users may opt out of having their information used by the site or third parties, whether they may delete or deactivate themselves from the site's database and whether they may update or change their information once it is disclosed.
  2. The site must display on its home page the trustmark that discloses the site's overall privacy policy.
  3. Communication Monitoring. The site may not monitor personal communications to third parties such as e-mail or instant messages, except to the extent required by law, or as necessary in the process of maintaining the site.
  4. The site must adhere to its stated privacy policies.
  5. The site must adhere to its stated privacy policies, even after the site discontinues the TRUSTe program unless consent is obtained directly from the user.
  6. The site agrees to cooperate with all TRUSTe reviews and audits.

Such services are becoming increasingly common. Some services address fairly narrow issues. For example, in response to widespread public concern about the security of credit card information on the Internet, MasterCard and Visa collaborated on a joint venture called Secure Electronic Transactions (SET). Electronic vendors that meet SET standards for sending credit card information over the Internet can display the logo shown at right.

In a similar vein, the network authentication and digital certificate company VeriSign Inc. introduced the VeriSign Authentic Site logo (above) to assure users that a Web site is capable of transmitting and receiving secure (encrypted) information and that the site and company are real. While the SET and VeriSign logo services address highly specific issues of trust-building, CPA WebTrust addresses a much wider set of issues. The WebTrust logo (see page 38) assures that the seller has met the established WebTrust criteria, which have three major sections: business practices, transaction integrity and information protection. (A one-day seminar for CPAs on WebTrust explains these criteria in detail. For more on CPA WebTrust, see the sidebar on page 38 and "In CPAs We Trust," JofA, Dec.97, page 62.) The CPA's goal is to determine whether a seller meets the WebTrust criteria and can use the WebTrust logo, thereby providing valuable information to buyers while helping sellers gain a competitive edge in an increasingly crowded marketplace.

Potential rivals to CPA WebTrust include

  • The Better Business Bureau's BBB OnLine program, which grants a logo to a seller that has satisfied seven criteria or standards (see exhibit 1, page 32). BBB OnLine addresses the authentication problem: Buyers click on the BBB OnLine logo to go to the BBB OnLine Web site, which verifies that the company's site is legitimately displaying the logo.
  • TRUSTe, which primarily addresses Internet privacy issues. Sellers can potentially extract information from buyers without their knowledge or permission and sell it to other companies. For example, a travel site may use information from so-called cookie files on a traveler's computer to build a profile of the traveler. Each time the user visits the travel site more information is added to the profile. Alternatively, businesses often share information from forms that buyers complete online. The TRUSTe logo (see exhibit 2, at right) essentially indicates that the seller has stated how the buyer's information will be used (for example, it will be used only for internal activities, it will be sold to third parties or some variation between these two policies) and the seller will abide by the stated policy. To subsequently test a seller's adherence to its pledge, the TRUSTe organization seeds the seller's database with a phony user name. If that name later appears in another seller's databases, TRUSTe knows the first seller has violated its pledge. The first seller could then lose its right to display the logo. Sellers also agree to a possible surprise audit by Coopers & Lybrand or KPMG Peat Marwick. By clicking on the TRUSTe logo, consumers can determine whether the logo is legitimate.
  • The International Computer Security Association (ICSA), formerly the National Computer Security Association (NCSA), is an independent organization that primarily concentrates on security issues. ICSA offers a Web Certification Program that, unlike BBB OnLine and TRUSTe, focuses on the technology side of e-commerce. The certification process includes a combination of self-reporting, on-site evaluation, remote testing and spot-checking. Those Web sites meeting the ICSA criteria can display the logo shown below.
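
The seeding test described in the TRUSTe item above, worked through as an added example (it is not TRUSTe's code and not part of the original article): each seller's database receives a unique phony customer, and a seed that turns up in a different seller's records attributes the leak to its source. The seller names, the demo key, the HMAC-derived identities and matching on e-mail address rather than on name alone are all assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed demo key (assumption); a real programme would keep it offline.
SEED_KEY = b"constructed-demo-key"
FIRST = ["Alex", "Dana", "Jordan", "Morgan", "Riley", "Casey"]
LAST = ["Hale", "Ibsen", "Marlow", "Quint", "Sorrel", "Voss"]


def normalize(email):
    """Compare addresses case-insensitively and ignore stray whitespace."""
    return email.strip().lower()


def seed_identity(seller, key=SEED_KEY):
    """Derive one plausible-looking phony customer that is unique to a seller."""
    digest = hmac.new(key, seller.encode("utf-8"), hashlib.sha256).digest()
    first = FIRST[digest[0] % len(FIRST)]
    last = LAST[digest[1] % len(LAST)]
    tag = digest[2:6].hex()  # 32-bit tag keeps seeds distinct across sellers
    email = normalize(f"{first}.{last}.{tag}@seed.example")
    return {"name": f"{first} {last}", "email": email}


def build_registry(sellers, key=SEED_KEY):
    """Map each seeded address back to the seller it was planted with."""
    registry = {}
    for seller in sellers:
        email = seed_identity(seller, key)["email"]
        if email in registry:
            raise ValueError(f"seed collision: {seller} / {registry[email]}")
        registry[email] = seller
    return registry


def find_violations(registry, databases):
    """Return (source_seller, holder) pairs where a seed escaped its seller."""
    violations = set()
    for holder, records in databases.items():
        for record in records:
            source = registry.get(normalize(record.get("email", "")))
            # A seed in its own seller's database is expected, not a breach.
            if source is not None and source != holder:
                violations.add((source, holder))
    return sorted(violations)


def demo():
    """Constructed data: shop-a's seed has ended up in shop-b's database."""
    sellers = ["shop-a.example", "shop-b.example", "shop-c.example"]
    registry = build_registry(sellers)
    seeds = {s: seed_identity(s) for s in sellers}
    leaked = dict(seeds["shop-a.example"])
    leaked["email"] = "  " + leaked["email"].upper()  # re-cased by the buyer
    real = {"name": "Real Customer", "email": "customer@mail.example"}
    databases = {
        "shop-a.example": [seeds["shop-a.example"], real],
        "shop-b.example": [seeds["shop-b.example"], leaked],
        "shop-c.example": [seeds["shop-c.example"], real],
    }
    return find_violations(registry, databases)


if __name__ == "__main__":
    for source, holder in demo():
        print(f"seed planted with {source} found in {holder}'s records")
```
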

WebTrust differs from these other logo services in important ways. First, the WebTrust criteria include a broad variety of e-commerce criteria, well beyond those addressed by BBB OnLine or TRUSTe. Although ICSA goes deeper into technology criteria, WebTrust addresses business practices and internal control criteria in addition to some technology criteria. For example, WebTrust requires numerous performance disclosures on the Web site such as delivery times, how returns are handled and a phone number for customer services. The WebTrust criteria include specific technology and internal control disclosures relating to processing orders and protecting customer information. In addition to its broad coverage, probably the most significant difference is that CPAs fully pretest—under well-established attestation standards—all the seller's assertions regarding the WebTrust criteria before issuing the logo. BBB OnLine and TRUSTe, in particular, primarily rely on self-reporting and some after-the-fact testing. Finally, recognizing the rapidly changing Internet and e-commerce environments, WebTrust requires that sellers be recertified at least every 90 days. Thus, although CPA WebTrust faces some competition as an assurance service, it has important advantages that should render it attractive to e-commerce participants.


Looking beyond the specifics of consumer e-commerce, where will the potential markets for logo assurance services come from? Exhibit 3, below, illustrates the different types of buyers and sellers involved in e-commerce. The combinations create different market segments with different needs and characteristics; knowing these characteristics can help a CPA determine the appropriate points to stress in marketing WebTrust to these different market segments.

The seller may be a new enterprise that exists only on the Web, such as ( ), or an established company opening an electronic store, such as Barnes & Noble. Buyers may be individuals or organizations. Individuals are generally more spontaneous. Business buyers are likely to be more analytical and systematic in their purchasing decisions. Business buyers usually work with signed contracts, purchase orders and a bidding process. They also have access to third-party sources of information, such as Dun & Bradstreet, that retail consumers generally don't consult.

Exhibit 3: Types of E-commerce Transactions

                      Types of E-commerce Sellers
  Types of Buyers     New, Web Specific     Traditional Established
  Consumers           Cell I                Cell III
  Businesses          Cell II               Cell IV

Perhaps the most obvious market for logo assurance services is in cell I. Unlike traditional businesses, new, Web-based sellers do not have established reputations. Retail consumers might be reluctant to enter into e-commerce transactions with sellers they're unfamiliar with. Individual consumers are generally less likely to locate formal third-party information. Consequently, a third-party assurance logo located on the Web site is a powerful marketing tool for e-commerce sellers, since it may be the only third-party assurance the consumer sees. It is no surprise, then, that WebTrust, BBB OnLine and TRUSTe all seem to be aimed at this market segment.

The other market segments, however, also provide significant opportunities for those offering logo assurance services. Traditional companies (cells III and IV) that are regional, or are established only in specific market niches and are now expanding nationally or even internationally via e-commerce, will benefit from WebTrust. The logo will help them get a jump-start in markets where they have not yet established reputations.

Even though retail e-commerce receives the most coverage in the popular press, the dollar value of business-to-business e-commerce transactions—manufacturing, wholesale trade and services—is significantly larger and the difference is growing. As with other estimates of e-commerce activities, the estimated sizes of these two market segments vary widely. However, Forrester Research estimated that the business-to-business market will grow to be eight times larger than that of retail e-commerce by the year 2000. While business buyers do have access to a broader range of third-party information, it can be expensive to search this information and apply it to particular potential sellers. Assurance logos provide an efficient and cost-effective way to screen potential sellers. Business buyers can then perform more detailed evaluations only on sellers that made it through the first logo-based screening process. This two-step approach will be more important as businesses make general "calls for bids" on the Web rather than the business-as-usual scenario of seeking bids from a small number of established suppliers. Just as some companies and government agencies now require their suppliers to be ISO 9000-compliant, they also may require that they display the WebTrust logo. (It should be noted that currently WebTrust is only a business-to-consumer logo service. The AICPA electronic commerce assurance services task force is developing a business-to-business version of WebTrust.)

CPAs should start recommending the WebTrust logo to clients and employers now and not wait for market pressures to force them to do so later. Businesses displaying the WebTrust logo will have a competitive advantage. WebTrust's ultimate success depends on how well the profession, and its clients, market the logo.


Entering the assurance arena does carry some risks. Retail consumers, unfamiliar with a CPA's attestation services, may not understand the limitations of WebTrust. For example, a consumer may believe a CPA firm that performed a WebTrust engagement endorses the seller's products. A disappointed customer may sue the firm. Business buyers generally have a better understanding of attestation engagements, but litigation risks exist with those customers, too. CPAs should carefully screen their prospective clients, particularly those in the retail e-commerce marketplace. ("Financial Reporting and Risk Management in the 21st Century," an article cowritten by AICPA General Counsel Richard Miller for the April 1997 issue of the Fordham Law Review, discusses some electronic risks for CPAs.)


WebTrust is not the only e-commerce service or assurance service that CPAs could provide. Based on our own experience plus discussions with practitioners, anecdotal evidence seems to indicate that most clients will not be ready for their first WebTrust examinations. For example, the appropriate internal controls may not be in place. Thus, CPAs may have significant opportunities in helping clients prepare for WebTrust examinations. The attestation standards do allow CPAs to provide advice to clients—even help prepare assertions—as long as management takes responsibility for the final decisions and assertions.

Case Study: Dollars, Marks and Beer
Money makes the world go around, as the song goes, and today the Internet makes money go around the world. Sonnet Financial has gone into the business of selling money over the Web, all over the world, quickly, cheaply and securely. If you have to purchase $100,000 in supplies in Paris tomorrow, Sonnet will convert the dollars to francs. All you need is a modem.

Sonnet, founded in 1992 to provide discount currency exchanges for companies, introduced a new product this year called FXWeb. No new software is necessary. Once you sign up with Sonnet, you can enter a password-protected page and set up one or more source accounts (such as your company's bank account in New York) and destination accounts (such as a parts supplier in Tokyo or your company's branch office in Oslo). You type in the amount and the type of currency and hit "OK." You're done. FXWeb follows up with an online confirmation and organizes all your transactions into a report you can download into a general ledger or spreadsheet program.

Sonnet is not a credit company (its clients must send the actual transaction funds the same day) and it does not speculate in the currency markets. Its business is organizing the transactions and it makes its money entirely from fees it charges its customers. "Think of us as the air traffic controllers of currency exchange," said Sonnet Senior Vice-President Daniel A. Carmel.

Hassle-free environment
The Internet gives Sonnet and its small to midsize business clients several advantages over banks. The first is cost: Sonnet's online system can easily gather all the dollar-to-yen transactions, for example, and combine them in one transaction. This gives smaller companies the same favorable transaction rates as the world's largest corporations. Companies don't have to worry if their banks can't handle certain international transactions or waste time shopping around for a better rate: Sonnet works with 25 U.S. banks to negotiate the best rate for a given transaction.

Customers don't have to keep banker's hours. "We have a client who buys beer wholesale in Germany for export to Canada," said Carmel. "At the end of the day, he plugs his laptop into a jack in his hotel room and posts all his transfers." Sonnet performs the transfers three times a day and charges fixed fees ranging from $40 to $150, depending on the size of the transaction.

Sonnet relies on a VeriSign digital certificate to ensure security of transactions. (VeriSign is the security arm of CPA WebTrust. See the sidebar on page 38 for details.) Currently, it uses 40-bit encryption technology, although it expects to go to the even more secure 128-bit technology in the near future. (Each bit doubles the encoding power.) Sonnet's site allows customers to set up a double log-in process so no one person in the company can make a transaction solely on his or her own authority. A CEO or CFO, for example, can have a high-level supervisory log-in password to administer other employees' authority. "If someone quits, or is fired, it takes just minutes to cancel that employee's log-in authority," said Carmel.

For the small business people who want their piece of the global market, the Internet is simplifying the business of doing business.

Richard J. Koreto

From a functional point of view, companies are justifiably concerned about the new and modified internal controls needed to support e-commerce. For example, the fact that outsiders now have access to their online systems is justifiably a matter of considerable concern. Traditional businesses often have to integrate their new e-commerce systems with their existing sales, inventory and accounting systems. WebTrust criteria do address internal controls but primarily from a narrow focus of protecting customer information and order entry accuracy. However, these are just a small part of the many internal control issues associated with e-commerce. Supplying more in-depth internal control assurance services could provide many new opportunities for CPAs.

Also, sellers may have concerns about buyers. Sellers want some form of nonrepudiation, meaning a buyer cannot deny sending an order request. Sellers may eventually require buyers—especially business buyers making very large purchases—to have some form of assured authentication controls in place, suggesting that another realm of opportunities for CPAs to sell assurance services may be forthcoming.


WebTrust and other assurance services described in this article build on existing CPA skills. Although CPAs do not need to be technological experts, they do need to understand e-commerce to help determine how to apply their existing skills to this new domain. (For profiles of practitioners performing WebTrust engagements, see "WebTrust Rolls On," JofA, Feb.98, page 98, and "WebTrust Isn't Just for Stores," JofA, Apr.98, page 81.) The following is a broad action plan to help CPAs move into e-commerce.

Obtain an overview. A number of books and articles provide information about e-commerce concepts, terminology and technology without becoming bogged down in technical details:

  • The CPA's Guide to Web Commerce, by John Graves and Jacqueline Justice (AICPA).
  • Frontiers of Electronic Commerce, by Ravi Kalakota and Andrew B. Whinston (Addison-Wesley).
  • Understanding Electronic Commerce, by David Kosiur (Microsoft Press).

Several magazines such as Electronic Commerce World and Internet Computing also are available. Key Web sites include CommerceNet, Emmerce and the Institute's dedicated WebTrust site.

Learn about logo services. Visit the BBB Online, TRUSTe and ICSA sites to learn more about them and understand how they differ from WebTrust. Visit the AICPA site to read and download detailed information about WebTrust.

Tailor CPA services. After a CPA talks to a prospective client, he or she should look at exhibit 3 to properly classify the entity. The CPA can then customize the assurance services.

A frontier is a wild and unpredictable place. The online business community will likely wrestle with a number of solutions to e-commerce problems before reaching satisfactory answers. But strip away the technology issues and e-commerce isn't really all that new: Consumers want assurance on online purchases the same way that they want assurance on traditional financial statements. CPAs who understand the online problems will find many solutions from their years of audit experience. The combination is hard to beat.

