RICHARD J. KORETO is a Journal news editor. Mr. Koreto is an employee of the American Institute of CPAs and his views, as expressed in this article, do not necessarily reflect the views of the AICPA. Official positions are determined through certain specific committee procedures, due process and deliberation.
For the past seven years, Westek Presentation Systems has sold high-technology multimedia presentation systems through offices in California, Arizona and Washington. Two years ago, it created a Web site (http://www.westek.com) for marketing and customer service. But potential buyers were afraid to purchase expensive equipment through a Web site; some did so only after laboriously checking out the company through phone calls. "We needed a sort of Good Housekeeping seal to tell customers we were legitimate—something that would give them confidence," said Westek President Wade Harb. In fall 1997, Christopher Leach, Westek's CPA, approached Harb with a new service—CPA-provided assurance on his site. He told Harb that if they worked together, Westek could have what it wanted by becoming one of the first companies to earn the brand-new "CPA WebTrust" seal.
This article describes what WebTrust plans to accomplish, what you need to know to perform WebTrust engagements and where to get that information. Read about a colleague already performing Web assurance engagements.
A NEW SERVICE FOR A NEW ENVIRONMENT
CPA WebTrust had its origins in the American Institute of CPAs special committee on assurance services. Studies commissioned by the Institute showed that although consumers were worried about making purchases on the Web, nearly half of online users said a CPA seal would make them more likely to make online purchases. As a result, the AICPA electronic commerce assurance services task force, chaired by Everett C. Johnson, developed a Web assurance service dependent on both traditional CPA assurance skills the public has long relied on and sophisticated new technologies.
WebTrust, like the Internet, is an international program. It's a joint effort between the AICPA and the Canadian Institute of Chartered Accountants. Also, Johnson said, "We expect other professional institutes around the world to sign up for the WebTrust program." In addition, multinational accounting firms can perform the engagements on Web sites owned by foreign companies that hope to attract U.S. customers online.
Not just a seal. On the surface, the CPA WebTrust program consists of a seal, added under the authority of a qualified CPA, announcing that the site has been "audited." But adding just a graphic to a Web site is easy; stealing the CPA WebTrust seal from a legitimate site and adding it to an "unaudited" page is a 10-minute job. However, the CPA WebTrust program offers more than just a graphic. The Institute's partner in the program is VeriSign, a privately held two-year-old company dedicated to providing secure electronic commerce solutions. Customers wanting to make sure a site has earned its seal can click on the seal itself and go directly to a VeriSign Web page to confirm the company's status as a proper recipient of the seal. (This link and the VeriSign page are virtually impossible to forge.) The CPA performing the engagement will pay a fee to the AICPA, which in turn will pay a certain amount to VeriSign—described as in the "hundreds of dollars range" by Johnson—for each site VeriSign handles. These license fees will be used to advertise and promote the CPA WebTrust seal.
Companies also have to disclose their online business practices and post the online auditor's report. The AICPA has set up a site (see the Web assurance link box, page 63) for the make-believe Trail Boss Cookin' company (TBC), so CPAs and the general public can see what an approved site looks like and how it works.
Of course, Web pages can change daily—even hourly—so to ensure a company continues to meet the criteria, the CPA will need to reexamine the Web site every 90 days, although this period can vary based on the complexity of the site. If a company no longer meets WebTrust criteria, the CPA can tell VeriSign to cancel the connection, removing the seal from the company's pages.
Everything You Wanted to Know
The AICPA has posted a wealth of details about the program on its Web site. Interested members can download the 35-page document WebTrust Principles and Criteria for Business-to-Consumer Commerce, which the AICPA will be updating as necessary. Included are detailed lists of all the criteria CPAs have to check during an engagement, a description of the seal process, examples of practitioners' reports and a self-assessment questionnaire. Check out the sample Web pages for the make-believe Trail Boss Cookin' company that show the WebTrust seal in action. Go to http://www.aicpa.org/WebTrust/index.htm. And for questions the Web pages don't answer, the Institute has added an e-mail link: WebTrust@aicpa.org.
What CPA WebTrust Does — and Does Not — Do. Basically, the CPA has to examine the company and its Web pages in three broad areas:
1. Business practices disclosure, such as noting how long it takes to fulfill an order.
2. Transaction integrity, such as sending the customer a confirming e-mail message after the order is placed.
3. Information protection, such as making sure the company's servers use appropriate technology to encrypt private customer information.
For more details, see the box below.
Assuming the site has passed inspection, the CPA writes an "independent accountant's report" for the WebTrust program that is not radically different from the report that accompanies more traditional CPA engagements. In fact, WebTrust engagements fall under the well-established AICPA statements on standards for attestation engagements. In the example for TBC, the report says, "TBC's management is responsible for its assertion. Our responsibility is to express an opinion on management's assertion based on our examination. Because of inherent limitations in controls, errors or fraud may occur and not be detected." Neither TBC nor its CPA can give an iron-clad guarantee every online order will be perfect, but the site lists, for example, its shipping, returns and problem-resolution policies. VeriSign project manager Ben Golub used an analogy to describe the level of assurance: "If you wanted to buy a Rolex watch, you'd go to a reputable jewelry shop, not to some guy claiming to sell Rolexes out of the trunk of his car." CPA WebTrust helps create the Internet equivalent of going to an established store, which has a business license and a framed document attesting to its integrity, security and business practices.
IS IT RIGHT FOR YOUR PRACTICE?
"I think many CPAs have the technology skills to get into this area," said task force chairman Johnson. "They may be pleasantly surprised to find out how much they already know." The only formal requirement to become licensed to perform WebTrust engagements is a one-day seminar. The Institute gave a number of courses throughout the country in the fall of 1997 and is in the process of selling the course to state CPA societies. Interested members can check the remaining dates and cities for AICPA courses on the Web site or call their state societies for 1998 dates.
However, Christopher Leach told the Journal that WebTrust engagements, like any other engagement, require a certain body of knowledge. "Transaction integrity and disclosure are issues CPAs have been addressing for years. But a lot of CPAs have no background in Internet security and privacy. You can't just pick this up from a one-day seminar." To become WebTrust certified, a CPA must be competent in areas such as hardware security devices, server technology, firewalls and communication protocols. Leach advised CPAs who are familiar with attestation engagements generally, but not with the Internet, to work with others more familiar or consider hiring someone with the right experience.
For such a new service, CPAs may be unsure how much to charge a client. Johnson said prices are expected to be at a comfortable level for small businesses. Of course, Web sites, like companies and CPA firms, vary greatly in size and complexity and prices will range accordingly. "There's no reason why a qualified sole practitioner could not perform WebTrust engagements," said Johnson. He is a partner of Deloitte & Touche, which also plans to perform WebTrust engagements.
Another issue for the CPA ready to perform an engagement is liability, according to Leach. "We spoke with our carrier and others and explained this new service was covered under the SSAEs, so we are comfortable for now. But this is still untested, so we're watching it closely." He advised CPAs to look at their exposure. "On the one hand, if someone buys a $12.95 book from a site and is really unhappy, it's only a $12.95 loss. But if lots of people are unhappy and you multiply $12.95 times the number of customers, you could have a problem." Leach pointed out that along with every WebTrust seal is a $100,000 insurance policy on the site. "For now, that seemed to reassure our carrier."
THE FIRST WEBTRUST ENGAGEMENT
Leach, a member of the electronic commerce assurance services task force, said, "I began discussing the CPA WebTrust program with Wade Harb at Westek because I knew it was a high-tech company on the cutting edge always looking for new and exciting ways of doing things." Harb was interested right away: "Westek didn't set up shop in a garage yesterday, only to go broke leaving our customers with no support. I wanted to tell them we were here to stay."
At the first meeting to discuss WebTrust, Leach ran into what he expects will be a common problem: The president came with the webmaster and marketing manager, but not the chief financial officer. "The mind-set is that anything Web related is a marketing issue. But with WebTrust, things have changed. WebTrust is a financial function, involving financial controls." Westek's CFO has attended meetings since then.
At the meeting, Leach gave the company a 16-page self-assessment questionnaire, which forces the company to examine its entire online system. What is its control environment? How does it ensure that all information needed to process and bill an order is recorded accurately? Once it's filled out, Leach will assess it and send a staff member to Westek to start the onsite work.
"A key issue is how cooperative the Internet service provider will be." Larger companies tend to store, or "host," their sites on their own servers. Westek, like most small and medium-size companies, rents space from an ISP. "We have to examine the ISP when assessing security, integrity and privacy. Fortunately, my client's ISP is working with us."
Harb and his staff are spending time and money preparing to receive the seal. Westek arranged for a secure server—to help ensure that private information cannot be stolen—and installed an online ordering system that can safely accept credit card numbers. Westek's marketing manager is planning to send online press releases announcing the seal's installation. Harb believes it's worth all the time and the effort. Once customers are confident doing online business with Westek, the site will free up his people. "Customers won't have to call us if they know what they want. They can pick a product, fill out the order form online and send it. It will save our time and theirs." Although Westek is a technologically sophisticated company, Harb said he believes the seal will help any company selling on the Web. "You don't have to know a lot about the Internet to understand the benefits of appearing credible to the public." He said there could be dozens of competitors on the Web and customers would be more likely to do business on the site with some type of assurance seal.
At Journal press time Leach and Harb hoped to have a seal on the site by mid-November. And the AICPA, which sells a wide variety of products on AICPA Online, is also seeking the seal through its auditors. "I have a bet with Barry Melancon that Westek will beat the Institute in posting the seal," said Leach.