
Trust Services Appendix H Assurance Services

Date post: 03-Feb-2022

Appendix H: Trust Services Assurance Services

Trust services assurance services, jointly developed by the CICA and AICPA, are a set of professional assurance services based on a framework designed to address the risks and opportunities of information technology enabled systems, including electronic commerce systems. There are five principles:

• security
• availability
• processing integrity
• online privacy
• confidentiality

Each principle is subdivided into the four areas of policies, communications, procedures, and monitoring. Within each of the four areas are a series of criteria against which to assess the client’s operations and illustrative controls that would ensure achievement of the criteria. The CICA and AICPA have jointly developed WebTrust℠ and SysTrust℠, assurance services based on the Trust Services Principles and Criteria. Brief examples of each follow.[1]

CA WebTrust℠

Electronic commerce involves individuals and organizations conducting business transactions, without paper documents, using computer and telecommunications networks. This includes transactions under electronic data interchange (EDI), where formal contracts exist between the parties, and business over the Internet (World Wide Web), where the parties do not have a preexisting contractual relationship. In recent years electronic commerce over the Internet has grown tremendously. However, this growth has been inhibited by consumer concern over the confidentiality of customer information (such as credit card numbers). The CICA and the AICPA provide the WebTrust℠ seal of assurance, which is intended to symbolize to potential customers that a CA has evaluated the website’s business practices and controls to determine whether they conform to the principles and criteria for business-to-consumer electronic commerce.

[1] The entire set of principles, criteria and illustrative controls is available at: www.cica.ca/multimedia/Download_Library/Standards/Webtrust/English/e_TSPCriteria.pdf.


2 Part VIII Accounting Services, Attest Engagements, and Assurance Services

Exhibit H–1 presents EarthWear’s management’s assertions about its website. The report of management’s assertions is signed by the president and CEO and the chief financial officer. Exhibit H–2 contains Willis and Adams’s unqualified report concerning the second and third assertions relating to online order-taking and fulfillment. The first paragraph of Willis and Adams’s report sets out the responsibilities of management and the responsibilities of the auditor. The third paragraph describes the scope of the examination, and is similar to the scope paragraph of an audit. The fourth paragraph provides an unqualified opinion on the relevant assertions of EarthWear’s management.

EXHIBIT H–1

Management’s Assertions for EarthWear’s Website

EarthWear Clothiers, on its website for electronic commerce (at www.mcgrawhill.ca/olc/messier/earthwear), asserts the following:

• We have disclosed our business practices for electronic commerce and executed transactions in accordance with these disclosed business practices;

• We have maintained effective controls to provide reasonable assurance that customers’ orders placed using electronic commerce were completed and billed as agreed; and

• We have maintained effective controls to provide reasonable assurance that private customer information obtained as a result of electronic commerce was protected from uses not related to our business

during the period from January 1, 2007, through March 31, 2007, in conformity with the CICA WebTrust℠ Principles and Criteria.

Calvin J. Rogers, President & CEO
James C. Watts, Chief Financial Officer

EXHIBIT H–2

Auditor’s WebTrust℠ Unqualified Report on Consumer Protection

To the Management of EarthWear Clothiers Ltd.:

We have audited EarthWear Clothiers Ltd.’s compliance with the CICA/AICPA Trust Services Criteria for consumer protection, and the effectiveness, in accordance with these criteria, of controls over the online privacy and processing integrity of its Order-Taking and Order-Fulfilling System during the period June 1, 2007 through August 31, 2007. The compliance with these criteria and the effectiveness of these controls are the responsibility of EarthWear Clothiers Ltd.’s management. Our responsibility is to express an opinion based on our examination.

Within the context of CICA/AICPA Trust Services, Consumer Protection addresses the controls over personally identifiable information and the processing of electronic commerce transactions. The CICA/AICPA Trust Services Online Privacy and Processing Integrity Criteria are used to evaluate whether EarthWear Clothiers Ltd.’s controls over consumer protection of its Order-Taking and Order-Fulfillment System are effective. Consumer protection does not address the quality of EarthWear Clothiers Ltd.’s goods nor their suitability for any customer’s intended purpose.

Our audit was conducted in accordance with standards for assurance engagements established by the Canadian Institute of Chartered Accountants (CICA). Those standards require that we plan and perform our audit to obtain reasonable assurance as a basis for our opinion. Our audit included (1) obtaining an understanding of EarthWear’s relevant online privacy and processing integrity controls; (2) testing and evaluating the operating effectiveness of those controls; (3) testing compliance with the Online Privacy and Processing Integrity Criteria; and (4) performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

In our opinion, EarthWear Clothiers Ltd., in all material respects:

• complied with the CICA/AICPA Trust Services Criteria for consumer protection with respect to the Order-Taking and Order-Fulfillment System; and

• maintained, in accordance with these criteria, effective controls over the Order-Taking and Order-Fulfillment System to provide reasonable assurance that:

a. personal information obtained as a result of electronic commerce was collected, used, disclosed and retained, as committed or agreed and

b. system processing was complete, accurate, timely, and authorized

during the period June 1, 2007 through August 31, 2007.

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or a deterioration in the degree of effectiveness of the controls.

The WebTrust℠ seal on EarthWear Clothiers Ltd.’s website constitutes a symbolic representation of the contents of this report and is not intended, nor should it be construed, to update this report or provide any additional assurance.

This report does not include any representation as to the quality of EarthWear Clothiers Ltd.’s goods nor their suitability for any customer’s intended purpose.

[Willis and Adams], Chartered Accountants
[Calgary, Alberta], [October 15, 2007]

CA SysTrust℠

In response to the fact that the new systems created by developments in information technology are running businesses, providing products and services, and communicating with business partners and customers, the CICA and AICPA have jointly developed the SysTrust℠ service to provide assurance to management, customers, and business partners regarding the systems that support a business or a particular activity. Clients may choose to have a SysTrust℠ service in order to differentiate themselves from their competitors as better attuned to the risks posed by their environment, better equipped with the necessary controls to address those risks, and able to provide assurance to users regarding those controls. A SysTrust℠ examination is performed under the assurance standards described in Table 19–1 of the text. The objective of a SysTrust℠ engagement is to enable the practitioner to issue a report on whether management maintained effective controls over the reliability of an identified system. The practitioner determines whether the controls over the system exist and performs tests to determine whether those controls were operating effectively throughout the period covered by the report.

Exhibit H–3 shows an example of an auditor’s SysTrust℠ report on management’s assertions about the effectiveness of controls over the order-taking and order-fulfillment system at EarthWear.

EXHIBIT H–3

Auditor’s WebTrust℠ Unqualified Report on Consumer Protection

To the Management of EarthWear Clothiers Ltd.

We have audited the effectiveness of EarthWear Clothiers Ltd.’s controls over the reliability of its Order-Taking and Order-Fulfilling System during the period June 1, 2007 through August 31, 2007 in accordance with CICA/AICPA Trust Services Criteria for systems reliability. The effectiveness of these controls is the responsibility of EarthWear Clothiers Ltd.’s management. Our responsibility is to express an opinion based on our audit.

A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment. The CICA/AICPA Trust Services Availability, Security, and Processing Integrity Criteria are used to evaluate whether EarthWear Clothiers Ltd.’s controls over the reliability of its Order-Taking and Order-Fulfilling System are effective.

Our audit was conducted in accordance with standards for assurance engagements established by the Canadian Institute of Chartered Accountants (CICA). Those standards require that we plan and perform our audit to obtain reasonable assurance as a basis for our opinion. Our audit included (1) obtaining an understanding of EarthWear’s relevant system availability, security, and processing integrity controls; (2) testing and evaluating the operating effectiveness of the controls; and (3) performing such other procedures as we considered necessary in the circumstances. We believe that our audit provides a reasonable basis for our opinion.

In our opinion, EarthWear Clothiers Ltd. maintained, in all material respects, effective controls over the reliability of the Order-Taking and Order-Fulfilling System to provide reasonable assurance that:

• the system was available for operation and use, as committed or agreed

• the Order-Taking and Order-Fulfilling System was protected against unauthorized access (both physical and logical)

• the System processing was complete, accurate, timely, and authorized

during the period June 1, 2007 through August 31, 2007, in accordance with CICA/AICPA Trust Services Criteria for systems reliability.

Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity of such conclusions may be altered because of changes made to the system or controls, the failure to make needed changes to the system or controls, or deterioration in the degree of effectiveness of the controls.

The SysTrust℠ seal on EarthWear Clothiers Ltd.’s website constitutes a symbolic representation of the contents of this report and is not intended, nor should it be construed, to update this report or provide any additional assurance.

[Willis and Adams], Chartered Accountants
[Calgary, Alberta], [October 15, 2007]

Prime Plus

The population in Canada and the United States is aging, and many of these people have accumulated significant wealth. Additionally, individuals are living to ages where they require some form of assisted living. In the past these individuals relied on family members to provide some level of care. However, changing demographics show a more mobile younger generation. Many of these younger families have both spouses working outside the home, and they do not have time to care for elderly relatives. The CA can bring another level of assurance or comfort to the elderly person and his or her family members. ElderCare services, jointly developed by the CICA and AICPA, build on the CA’s reputation for independence, objectivity, and integrity to provide a service that is in the public interest. More specifically, ElderCare service is designed to assure family members that proper care is provided to elderly family members who are no longer totally independent. The role of the practitioner is one of oversight. The practitioner acts in the place of the absent family members and relies on qualified specialists, employed by the client or the responsible family member, to provide the services outside the scope of the practitioner’s expertise. The practitioner’s role is to observe and report on how those service providers are meeting the needs of the client and the criteria for care established by the family members. It is likely that this service will be combined with traditional financial services, and the practitioner will establish strategic alliances with other professionals (such as elder law attorneys, geriatric care managers, and social workers or medical personnel). Based on research conducted by the CICA and the AICPA, it appears that there is a demand for this type of service.[2]

Types of ElderCare Services

Practitioners can offer three types of ElderCare services: (1) consulting/facilitating services, (2) direct services, and (3) assurance services.

Consulting/Facilitating Services

This type of service includes the practitioner consulting with the client or third party (the responsible individual) to establish the standards of care expected. This might include giving the third party a list of services that are available in the community. Consulting services might also include assisting the client or third party in selecting the care provider and level of care for each type of care required.

Direct Services

Direct services include practitioner services such as receiving, depositing, and accounting for the individual’s income; paying bills and conducting routine financial transactions for the client; and supervising investments and accounting for the estate. These services might also include arranging for proper care, paying for it, and periodically ensuring that the care is being received at the appropriate level; arranging for transportation for the client; and supervising household items such as home maintenance and repairs.

[2] You should examine the market research conducted by Hill & Knowlton and Yankelovich Partners, Inc., in the United States, and Hazelton Group in Canada, at the AICPA’s home page (www.aicpa.org). See also Canadian Institute of Chartered Accountants, Eldercare—Practice Management and Practice Development Issues (Toronto: CICA, 1999). See also S. Fraser, “Senior Priorities,” CA Magazine (May 1998), p. 41; and P. Pethick, K. Duggan, and A. E. Sammon, “Assisting the Elderly,” CA Magazine (December 1999), pp. 34–36.


Assurance Services

In this type of service the practitioner issues periodic reports about the quality of care provided to the elderly person. This type of assurance service may involve the practitioner visiting the elderly person and inspecting documentation such as logs, diaries, or other evidence to support that the contracted services have been provided at the appropriate level of care.

ElderCare engagement reporting will depend on the level of service provided. For direct services, such as depositing income and paying bills, the practitioner may perform a compilation service. For assurance services, the practitioner will likely prepare a report on the results of applying specified procedures. The engagement may require that the practitioner periodically report to family members less formally.
