WebTrust Services

Overview

Trust Services (comprising the SysTrust® and WebTrust® programs) are defined as a set of professional assurance and advisory services based on a common set of principles and criteria that address the risks and opportunities of information technology (IT). Trust Services principles and criteria are issued by the Assurance Services Executive Committee of the American Institute of Certified Public Accountants, and the services can only be delivered by a licensed Certified Public Accounting firm.

Trust Services differentiate companies from their competitors by demonstrating their awareness of the risks posed by their environment and providing third party verification by a CPA firm that they are equipped with the controls necessary to address those risks. Beneficiaries of Trust Services assurance reports are consumers, business partners, bankers and other creditors, regulators, outsourcers and those using outsourced services, and any other stakeholders who in some way rely on electronic commerce (e-commerce) and IT systems.

All Trust Services engagements utilize a combination of the following principles and criteria:

Security
The system is protected against unauthorized access (both physical and logical).
Availability
The system is available for operation and use as committed or agreed.
Processing Integrity
System processing is complete, accurate, timely, and authorized.
Confidentiality
Information designated as confidential is protected as committed or agreed.
Privacy
Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles (GAPP) issued by the AICPA and CICA.

WebTrust® Review Services

SAS 70 Solutions utilizes one or more of the Trust Services Principles and Criteria (shown above), as specified by the client, to determine whether the client’s e-commerce website is in compliance with the selected principles and criteria. The primary objective of the review is to provide website users with increased confidence that the website is appropriately controlled through independent third party verification of compliance with a standardized set of common controls. The various types of WebTrust® engagements include:

WebTrust®
The scope of the assurance engagement includes one or more combinations of the Trust Services Principles and Criteria not contemplated by the programs specified below.
WebTrust® Online Privacy
The scope of the assurance engagement includes the relevant online Privacy Principles and Criteria.
WebTrust® Consumer Protection
The scope of the assurance engagement includes both the Processing Integrity and relevant online Privacy Principles and Criteria.
WebTrust® for Certification Authorities
The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities.

Deliverables

The primary deliverables of our WebTrust® reviews include:

  • Detailed project plan for the audit
  • Comprehensive information request list allowing the organization’s personnel to gather documentation in advance of fieldwork
  • The independent auditor’s report delivered in two hardcopy formats
  • The independent auditor’s report delivered in secured PDF format

In addition, clients that are in compliance with the selected WebTrust® criteria receive a temporary license to display the WebTrust® seal on their website. The WebTrust® seal links to a copy of the independent auditor’s report and is valid for one year, after which the seal must be removed from the website unless re-certification is performed. WebTrust® seal licensing is managed jointly by the AICPA and CICA, and a licensing fee must be paid in order to utilize this seal.

Who Should Consider a WebTrust® Review?

The following are characteristics of the ideal candidate for WebTrust® review services:

  • The organization conducts business through the use of an online website or other e-commerce means.
  • The organization’s reputation largely depends on its ability to keep information accurate, secure, private or confidential.
  • The organization desires independent third party verification of its controls.
  • The organization prefers an independent review resulting in a third party certification “seal” that can be openly marketed to customers, as well as a third party report that can be shared with customers.
  • The organization has annual revenues greater than $2 million and the organization has ten or more employees.

WebTrust® is a registered Mark (branded service) of the Canadian Institute of Chartered Accountants.