Because e-commerce is so new, much of what the experts say about it is really in theory: Consumers will buy many different products online because of the convenience, in theory. Once consumers are assured of a reasonable level of security, they won't hesitate to send credit card numbers over the Internet, in theory.
A company that says it can provide more security than its competitors, and prove that claim, will prosper, in theory. Resource Marketing, a small company in Fort Thomas, Kentucky, that provides banner advertising and other e-commerce services to the Web community, recently became the first commercial site to receive a CPA WebTrust seal and thus got a chance to prove, or disprove, these theories.
Before earning the seal, Resource Marketing had to examine its marketing strategy and consider ways to encourage customers to do business online. After beginning work with its CPA firm to gets the seal, Resource Marketing had to overhaul its business practices and finally submit to an audit. Only now, with the seal in place for half a year, can the company decide if the time, effort and cost were worth it. Were the theories right?
THE WHYS AND WHEREFORES
Christopher Swainhart, Resource Marketing's president, heard about WebTrust from Fleming, Brockschmidt & Durkin PLL, the Cincinnati firm that was performing tax and general accounting work for the company. (FB&D does perform traditional financial statement audits but had never done any attest work for Resource Marketing.) FB&D Partner Robert Findley called me one day and said, "You do a lot of online work; are you interested in this?" Swainhart was. As the e-commerce field became more crowded, I needed a way to distinguish my company from its competitors, Swainhart said, and I wanted to encourage customers to feel comfortable working with us online as much as possible. Resource Marketing is just six people; every transaction a customer can perform online is one less phone call we have to deal with. Swainhart looked at various assurance options, such as the Better Business Bureaus BBB OnLine program, but ultimately chose CPA WebTrust. (For more on WebTrust's competitors, see "The Electronic Frontier", JofA, May98.) Having a CPA behind a logo gave it a level of integrity and credibility a self-regulated program did not have.
IN THE THICK OF IT
As the WebTrust engagement began, we had to make changes, but it wasn't a disruptive process, said Swainhart. Resource Marketing already had a secure server but had to change some of its IT policies to become WebTrust compatible. I thought we had a pretty good interface already; that this part would be a piece of cake. But we had to make more changes than we expected. Over a two- to three-week period, CPA Findley examined Resource Marketing's practices and made suggestions; Resource Marketing followed with changes to the code used to program the Web site.
For example, Findley said when he first took a look at Resource Marketing for the WebTrust engagement, he found the company had little trouble with transaction integrity and privacy. However, he did have a problem with the company's business disclosures; there weren't any. Findley started Swainhart writing them, and client and CPA engaged in back-and-forth e-mails as Swainhart created WebTrust-compliant disclosures, such as how long the company would take to fulfill an order. Although the WebTrust engagement requires some onsite work, Findley was able to do a lot of it from his desktop computer with the help of e-mail.
The pitfalls. Findley found that the audit was the easy part. The real work was getting Resource Marketing ready for it. In fact, he recognized problems that, although they did not occur with Resource Marketing, are likely to occur in a future WebTrust engagement. It's important to spend a lot of time on the preassessment, before even beginning the engagement: Next time I'll ask right up front, Do you have a secure server? No? Are you prepared to spend the money to get one? Who at your organization is going to be responsible for making changes to the site to become WebTrust-compliant? He also emphasized the need to ask the client to involve a wide range of staff in the process: Web sites involve marketing, IT and finance, so the staff involved in those areas should be involved in the engagements as well. Finally, no firm should underestimate the learning curve in its first WebTrust engagement. I'd compare it to doing your first financial statement audit, and having no one in your firm or any colleagues who have done one either.
But did the seal actually do anything? Swainhart says it did. We've seen a 50% increase in the number of online transactions processed since the seal went up. But that doesn't tell the whole story. Resource Marketing's banner advertising program places clients' online ads on thousands of sites all over the Net. That portion of its business grew even faster. It's almost impossible for our clients to make sure we are posting their ads as we promised. Even a WebTrust seal doesn't make that guarantee. But the seal does say a CPA has verified our procedures. Frankly, it provides a level of assurance our competitors don't have.
Additionally, Resource Marketing's busy staff is spending less time reassuring customers about the safety of doing business online and explaining procedures. Customers read about what WebTrust provides and note that we promise product delivery in 48 hours. There's no need to call or e-mail us with those questions or ask us for reassurance. Resource Marketing is creating an online form that asks customers what they think about WebTrust and how it affected their decisions to do business with Resource Marketing. Swainhart and his colleagues also will be calling selected customers to talk with them about it.
The WebTrust engagement also opened up additional opportunities for FB&D. Resource Marketing has engaged the firm to issue a report under SAS no. 70, Reports on the Processing of Transactions by Service Organizations . CPAs performing WebTrust engagements on sites hosted by Resource Marketing will be able to rely on that report, mitigating the need to review and verify many of the technical controls WebTrust requires.
Concluded Findley, Selling WebTrust is a matter of convincing people it's a value-added product well worth the cost. In the long term or the short term, there will be a payback. For Resource Marketing, it was short term.
Help Is on the Way