On July 1, 2002, the American Institute of CPAs (AICPA) and the Canadian Institute of Chartered Accountants (CICA) issued an exposure draft (ED) outlining proposed changes in the structure, order and wording of the principles and criteria for SysTrust and WebTrust services. The ED explains that, "There has been no substantive change in the scope of work necessary to perform WebTrust or SysTrust engagements."
According to the AICPA and CICA, the reasons for undertaking the project include: (1) many people, including clients and potential clients, are confused about the differences between the two services, and (2) there isn't any conceptual difference between the criteria and principles for the two services. Backgrounders on the services, taken from AICPA's Web site:
- WebTrust was the first service to be introduced. If a business meets the WebTrust principles and criteria, its site can display the WebTrust seal of approval. By clicking on the seal, customers can review the site's disclosures about its business practices, management's assertions, and the accountant's report. (See, for example, the seal by J.H. Cohn on AICPA's home page.) These services currently include the WebTrust programs on on-line privacy, business-to-consumer sites, and certification authorities. Services will soon be added for business-to-business sites.
- SysTrust is a broader concept that has in the past used a logo instead of a seal. The logo was meant to be used as a symbol for marketing purposes. Basically, the SysTrust service consists of evaluating a system against the SysTrust principles and criteria and determining whether controls over the system exist. Engagements can involve selected principles or other agreed-upon procedures. The accountant can also provide consulting services, e.g., to evaluate a client's readiness for a SysTrust engagement, apparently without risking accusations of a conflict of interest.
Key changes introduced in the ED include use of the SysTrust logo as an equivalent of a WebTrust seal when the accountant's report is presented electronically, provided the issuance of the logo follows the same procedures required to issue a WebTrust seal. The reasons for allowing dual symbols to achieve the same result are not intuitively clear, at least not to the casual reader, but the ED explains that seal management procedures will be provided in the Trust Services publication to be released after the exposure period.
The proposed changes are scheduled to become effective for examination periods beginning after August 31, 2002, for services other than WebTrust for certification authorities. Comments are due by August 15, 2002, and may include suggestions for changes not addressed in the ED. Comments can be sent by email to [email protected] or [email protected].