WEBTRUST ENGAGEMENTS
What is a WEBTRUST ENGAGEMENT?

WebTrust is an assurance service jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). WebTrust relies on a series of principles and criteria designed to promote confidence and trust between consumers and companies conducting business on the Internet. Public accounting firms and practitioners who obtain a WebTrust business license from the AICPA or CICA can provide assurance services to evaluate and test whether a particular web site meets any one of the Trust Services principles and criteria. The WebTrust seal of assurance is placed on the organization's web site following the engagement and signifies the practitioner's unqualified opinion.
PRINCIPLES & CRITERIA - TRUST SERVICES

• Security
The system is protected against unauthorized access (both physical and logical).
• Availability
The system is available for operation and use as committed or agreed.
• Processing Integrity
System processing is complete, accurate, timely, and authorized.
• Online Privacy
Personal information obtained as a result of e-commerce is collected, used, disclosed, and
retained as committed or agreed.
• Confidentiality
Information designated as confidential is protected as committed or agreed.
SYSTRUST ENGAGEMENTS
What is a SYSTRUST ENGAGEMENT?

SysTrust is an assurance service that was jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is designed to increase the comfort of management, customers, and business partners with systems that support a business or a particular activity. In a SysTrust engagement, the practitioner evaluates and tests whether or not a specific system is reliable when measured against three essential principles: availability, security, and integrity. SysTrust is based on the common framework of the Trust Services Principles and Criteria.
PRINCIPLES & CRITERIA - TRUST SERVICES

• Availability
The system is available for operation and use at times set forth in service-level statements or
agreements.
• Security
The system is protected against unauthorized physical and logical access.
• Integrity
System processing is complete, accurate, timely, and authorized.
FINANCIAL PROJECTIONS
FINANCIAL PROJECTIONS include financial statement forecasts and pro forma financial information. This analysis is often performed in conjunction with seeking loans or issuing stock. IT auditors are less involved with this type of attest service. They are usually only involved to the extent the auditor needs to use special software to perform projections.
COMPLIANCE REVIEWS
Compliance reviews usually involve verifying a company's compliance with business regulations. Compliance reviews might use IT auditors, but usually only to the extent that they are intended to assess the technology used by the client company. For example, IT auditors may be involved in a PIN (PERSONAL IDENTIFICATION NUMBER) encryption security review. A PIN encryption review is a special type of AUP whereby the auditor tests the integrity of the client's encryption process for
FINDINGS AND RECOMMENDATIONS
A findings and recommendations report covers most reviews that would be considered consulting or advisory services. Examples of engagements that fall under this category include system implementations, such as enterprise resource planning (ERP) implementations like an SAP, Oracle or PeopleSoft implementation engagement; security reviews; database application reviews; IT infrastructure and improvements-needed engagements; project management; and IT internal audit services.
A findings and recommendations report does not produce an opinion. Rather, it is a summary of the work
SAS 70 AUDIT
Statement on Auditing Standards
Statement on Auditing Standards (SAS) No. 70, Service Organizations, was a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 (also commonly referred to as a "SAS 70 Audit") represents that a service organization has been through an in-depth examination of its control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal
SAS No. 70 provides guidance to enable an independent auditor (the "service auditor") to issue an opinion on a service organization's description of controls through a Service Auditor's Report. SAS 70 does not specify a pre-determined set of control objectives or control activities that service organizations must achieve. Service auditors are required to follow the AICPA's standards for fieldwork, quality control, and reporting. A SAS 70 Audit is not a "checklist" audit.

SAS No. 70 is generally applicable when an independent auditor (the "user auditor") is planning the financial statement audit of an entity (the "user organization") that obtains services from another organization (the "service organization"). Service organizations that impact a user organization's system of internal controls could be application service providers, bank trust departments, claims processing centers, data centers, third-party administrators, or other data processing service bureaus.
BENEFITS TO SERVICE ORGANIZATIONS

Service organizations receive significant benefits and value from having a SAS 70 audit performed. A Service Auditor's Report with an unqualified opinion that is issued by an independent accounting firm differentiates the service organization from its peers by demonstrating the establishment of effectively designed control objectives and control activities. A Service Auditor's Report also helps a service organization build trust with its user organizations.
Without a current Service Auditor's Report in hand, a service organization may have to entertain multiple audit requests from its customers and their respective auditors. Multiple visits from user auditors can place a strain on the service organization's resources. A Service Auditor's Report ensures that all user organizations and their auditors have access to the same information, and in many cases this will satisfy the user auditor's requirements. A Type II service auditor's report will also allow the user organizations and the user auditors to possibly place reliance on the controls at the service organization. This can be a significant component of the user auditor's control evaluations and the user organization's own assessments of internal control over financial reporting.
CASE STUDY

TSI Inc., a division of Verizon telephone services, notes that it would have 130 auditors on site from 130 customers if it had to accommodate its customers' external auditors individually. Instead, TSI has a SAS 70 audit performed annually and the results are made available to all of its customers' external auditors.
One of the most effective ways a service organization can communicate information about its controls is through a Service Auditor's Report. There are two types of Service Auditor's Reports: Type I and Type II.
A Type I report presents the service organization's description of controls at a specific point in time (e.g. June 30, 2010). A Type II report not only includes the service organization's description of controls, but also includes detailed testing of the service organization's controls over a minimum six-month period (e.g. January 1, 2010 to June 30, 2010).
In a Type I report, the service auditor will express an opinion on whether the service organization's description of its controls presents fairly, in all material respects, the relevant aspects of the service organization's controls that had been placed in operation as of a specific date, and whether the controls were suitably designed to achieve specified control objectives.
In a Type II report, the service auditor will express an opinion on the same items noted above for a Type I report, and on whether the controls that were tested were operating with sufficient effectiveness to provide reasonable, but not absolute, assurance that the control objectives were achieved during the period specified.