
Article information

  • Title: Web assurance seals--are they all alike? A look at WebTrust and other web assurance seals.
  • Authors: Joseph, Gilbert W. ; Bostick, Lisa N. ; Slaughter, Lanford T., Jr.
  • Journal: Journal of the International Academy for Case Studies
  • Print ISSN: 1078-4950
  • Publication year: 2005
  • Issue: July
  • Language: English
  • Publisher: The DreamCatchers Group, LLC
  • Abstract: The primary subject matter of this case concerns the CPA's requirements and responsibilities for performing a WebTrust attestation service engagement. Additionally, this case provides a framework for discussion on the control issues with information systems. This case has a difficulty level of three, appropriate for junior-level courses. This case is designed to be taught in one class hour and is expected to require ten hours of outside preparation by students.
  • Keywords: Accountants; Accounting; Accounting standards; Certified public accountants; E-commerce; Electronic commerce

Web assurance seals--are they all alike? A look at WebTrust and other web assurance seals.


Joseph, Gilbert W. ; Bostick, Lisa N. ; Slaughter, Lanford T., Jr. et al.


CASE DESCRIPTION

The primary subject matter of this case concerns the CPA's requirements and responsibilities for performing a WebTrust attestation service engagement. Additionally, this case provides a framework for discussion on the control issues with information systems. This case has a difficulty level of three, appropriate for junior-level courses. This case is designed to be taught in one class hour and is expected to require ten hours of outside preparation by students.

CASE SYNOPSIS

Patricia Greene, CPA, is approached by Bill Miller, president of E-commerce.com, who is inquiring about web assurance seals. Mr. Miller wants to know what web seal programs are available and what requirements his company has to meet to display a seal on its website. Ms. Greene, CPA, has the task of identifying and comparing the various web seal programs. Additionally, she needs to investigate the requirements and responsibilities for performing a WebTrust engagement. Finally, she needs to communicate her findings to Mr. Miller.

INSTRUCTORS' NOTES

Timeframe and Sequencing of the Case

The case can be assigned to individual students or to teams of students. We recommend that teams should not be comprised of more than four students. The case should be broken into four steps. Each step should be worth 1/4 of the total grade and be assigned for completion over a specified period of time, as follows.

** Step 1: (25 points) Website Policies and Web Assurance Seals. This is a relatively easy assignment. Students should complete this step and be prepared to present their results in one week.

** Step 2: (25 points) Seal Program Assurances and Merchant Requirements. This is a more involved assignment, but because it was limited to only four web seal programs, students should complete this step and be prepared to present their results in one week.

** Step 3: (25 points) Investigating Professional Guidance. This is a much more involved assignment, and students should be cautioned about this. Students will have to investigate eight different professional standards. Many will be eliminated quickly if the students read the first few pages of each standard carefully. However, AT101 and AT201 will require an investigation of much greater depth. The questionnaires are designed to focus their investigations, but there is much material in these two standards. We recommend that students be given two weeks to complete this step.

** Step 4: (25 points) Communicating Your Findings to the Client. This step is inextricably tied to Step 3 and it is better if students prepare the correspondence immediately after completing Step 3 while the information is fresh in their minds. We recommend that Steps 3 and 4 be completed simultaneously.

One class period of 50 minutes will be needed to introduce the case and the professional standards. Figure 1--Different CPA Practitioner Services, appearing in the student's case study, provided an overview of the various practitioner services and the applicable professional standards. It is particularly important that students understand that Trust Services are attestation engagements and that both WebTrust and SysTrust are this type of engagement. It is important for students to understand that a practitioner may report on a written assertion or may report directly on the subject matter (AU Section 101.09). With respect to a WebTrust engagement the practitioner will be reporting on the subject matter. We also recommend that one class period of 50 minutes be used to review the students' findings and to correct any misconceptions they may have.

Step 1: Website Policies and Web Assurance Seals

There are no standard solutions to this step or for the contents of Exhibit 1. Students could visit any variety of websites and find as many different web assurance seals. Equally, they will discover a wide variety of customer policies. Have the students discuss their findings in class. Our experience has been that many students have made purchases over the Internet. However, for many students, this will be the first time that they seriously looked at the firms' policy statements. It is often an eye-opening experience for them--many answers will be "No" or "Doesn't Say" for specific websites.

Step 2: Seal Program Assurances and Merchant Requirements

We selected only four web assurance seals for students to investigate. This made the material manageable for them, given the time frame allowed for the exercise. There was another motivation for selecting these specific four seal programs. This is a dynamic environment. Web seal programs have come and gone. For example, several highly specialized web seal programs have evolved for pharmaceuticals and other specialized industries. Within the general retail sector, however, many different seal programs appeared and just as many have disappeared. To name only a couple, we could no longer find an Internet reference to the AOL Certified Merchant program criteria and Gomez Certified no longer produces a web assurance seal. The four seal programs assigned to the students at least still exist. These are voluntary programs and many seal programs that were rigorous to comply with or costly for merchants apparently have not survived. The solutions for BBBOnLine, TRUSTe, WebTrust, and ePublicEye appear in Exhibits 4, 5, 6, and 7.

* BBBOnLine: The questionnaire's answers can be obtained by accessing several web pages. Starting from http://www.bbbonline.org, we accessed web pages with the titles "Reliability Program Requirements", "Frequently Asked Questions", "Dispute Resolution", "Apply for the Reliability Seal", and the "Code of Online Business Practices".

* TRUSTe: Answers to the questions were obtained from several web pages accessible from http://www.truste.org with the titles "For Consumers--The TRUSTe Program: How It Protects Your Privacy", "Seal Programs--Trustee Program Principles", "Seal Programs--How to Join the Privacy Seal Program", "Seal Programs--TRUSTe Oversight", "Seal Programs--Resolution Process", and the actual self assessment application document titled "TRUSTe License Agreement--8.0 Self-Assessment". TRUSTe is marked "Yes" in the final question about whether a CPA practitioner is needed to attest to the merchant meeting all web seal criteria, but this is true in only one situation--when the merchant has had prior serious violations of policy and the merchant is attempting to renew the seal.

* WebTrust: Starting from http://www.aicpa.org, a keyword search for "WebTrust" yielded a web page titled "Frequently Asked Questions About WebTrust". Also the AICPA main page contained connections to the WebTrust program via "New Innovative Services for CPAs", which yielded a different web page titled "WebTrust--Frequently Asked Questions About WebTrust" (this web page revealed the competencies expected of CPAs who provide WebTrust services) and a very useful 93-page document titled "Suitable Trust Service Criteria and Illustrations". Other useful WebTrust web pages were identified as "Consumers" and "Online Business--Overview of the WebTrust Program".

* ePublicEye: Starting from http://www.epubliceye.com, we accessed a variety of web pages with the titles "Your Guide to Companies With Nothing to Hide", "Compare Programs", "Providing the Intelligence to Build Trust", "Disclaimer", "Frequently Asked Questions", "Does Your Web Site Pass the Trust Test?", "Terms of Membership", and the actual online merchant application titled "Now We Need to Get to Know You" accessed via a connection labeled "Apply Here!". Students can be misled by the ePublicEye web site and will have to further confirm all claims made by the seal program. For example, on the "Compare Programs" web page, in several places it indicates that the merchants are continuously "monitored". In fact, the only monitoring that is done is via consumer complaints and ratings, with ePublicEye monitoring the complaints. The "Compare Programs" web page also asserts that a complaint resolution mechanism exists. In fact, on subsequent web pages, it turns out that ePublicEye does not mediate complaints and dispute resolution is voluntary (based on the merchant's desire not to develop a bad reputation).

In the solution exhibits, we do not provide a recommended answer for the question about how thoroughly the website seal program addresses e-commerce assurance objectives (i.e., "Very Good" through "Very Poor"). Students will arrive at their own impressions about this question. Obviously, the more thorough the assurance coverage by the web seal program, the higher the answer should be.

Discuss with students why a seal program might or might not continue in existence. Have different student teams present their findings for specific web seal programs. Students are often surprised at how many of the e-commerce assurance concerns are not addressed by the individual web seal programs. Even more surprising is the number of answers they give under the "Doesn't Say" column, which means that the web seal programs often don't address the issues. Most students will surmise that many web seal programs are worth very little in terms of giving consumers a real sense of security and confidentiality. WebTrust will stand out as the notable exception with regard to its thoroughness and it is the only program that requires a CPA practitioner to attest to the merchant's compliance with the seal program requirements.

Step 3: Investigating Professional Guidance

Students were asked to investigate eight different professional standards. They should quickly eliminate six standards as inappropriate for a practitioner to evaluate a web assurance seal program. Rationale follows:

* AT301--Financial Forecasts and Projections. This standard applies to attestations related to prospective financial statements or partial prospective financial statements. Prospective financial statements are financial forecasts or financial projections built on actions, plans, or assumptions made by the responsible party. A web assurance seal program is unrelated to prospective financial statements. This standard cannot be used for an attestation engagement related to a web assurance seal program. After checking "No" in the two boxes in Section B of the questionnaire, the remainder of the questionnaire will be blank. We do not provide an exhibit for this questionnaire.

* AT401--Reporting on Pro Forma Financial Information. This standard applies to attestations related to pro forma financial information, that is, financial information designed to show what the significant effects on historical financial information might have been had a transaction or event occurred at an earlier date. A web assurance seal program is unrelated to pro forma financial information. This standard cannot be used for an attestation engagement related to a web assurance seal program. After checking "No" in the two boxes in Section B of the questionnaire, the remainder of the questionnaire will be blank. We do not provide an exhibit for this questionnaire.

* AT501--Reporting on an Entity's Internal Control Over Financial Reporting. This standard applies to attestation engagements where a CPA practitioner is engaged to provide an examination report on the effectiveness of an entity's internal control system over financial reporting; that is, internal controls that pertain to an entity's ability to initiate, record, process, and report financial data consistent with the assertions embodied in either annual financial statements or interim financial statements, or both. Such an engagement would apply only tangentially to B2B or B2C e-commerce transactions or to a web seal assurance program. This standard cannot be used for an attestation engagement related to a web assurance seal program. After checking "No" in the two boxes in Section B of the questionnaire, the remainder of the questionnaire will be blank. We do not provide an exhibit for this questionnaire.

* AT601--Compliance Attestation. This standard applies to attestation engagements related to either the entity's compliance with requirements of specific laws, regulations, rules, contracts, or grants, or how effectively it complies with the same. In another source it states that Trust Services engagements do not require the CPA practitioner to provide assurances of an entity's compliance with laws, regulations, agreements, or contracts [Suitable Trust Services Criteria and Illustrations, p.3]. The AT601 standard cannot be used for an attestation engagement related to a web assurance seal program. After checking "No" in the two boxes in Section B of the questionnaire, the remainder of the questionnaire will be blank. We do not provide an exhibit for this questionnaire.

* AT701--Management's Discussion and Analysis. This standard applies to attestation engagements where a CPA practitioner performs an examination or a review of the MD&A prepared pursuant to the rules and regulations of the SEC, which are presented in annual reports to shareholders and in other documents. This standard cannot be used for an attestation engagement related to a web assurance seal program. After checking "No" in the two boxes in Section B of the questionnaire, the remainder of the questionnaire will be blank. We do not provide an exhibit for this questionnaire.

* CS100--Consulting Services: Definitions and Standards. This standard applies to consulting services engagements which are undertaken for the specific benefit of the client. Such engagements do not result in attestation opinions or reports to outsiders. This standard cannot be used for an attestation engagement related to a web assurance seal program or any attestation engagement. After checking "No" in the two boxes in Section B of the questionnaire, the remainder of the questionnaire will be blank. We do not provide an exhibit for this questionnaire. It is interesting to note that due to the great flexibility offered under consulting standards, some students may lose sight of the need for an opinion and suggest that consulting standards can be used for this purpose. You will need to emphasize that consulting standards do not apply where the CPA practitioner will render an opinion upon which third parties will rely.

This leaves only two standards that are potential candidates for an attestation engagement for a web assurance seal program--AT101 and AT201. We provide the solutions for these two standards in Exhibits 8 and 9.

* AT101--Attest Engagements. This standard provides an overview of attest engagements and specific guidance for examination and review engagements. Key points of the students' investigation are shown in Exhibit 8. After AT101 introduces agreed-upon procedures engagements, it relegates further discussion on this topic to AT201. The instructor should guide the discussion of this standard to ensure that the following key points are brought out.

[check] The Responsible Party. The client provides the subject matter, which in the case of trust services is the specific controls or evidence that demonstrates that the client has satisfied the specific criteria in a trust services principle. Therefore, the "responsible party" is the management of the client. AT101 specifically prohibits the CPA practitioner from being the responsible party in an attest engagement [AT101.13]. The CPA practitioner will not develop the performance standards used in the engagement. The CPA practitioner will perform the engagement using the criteria dictated by the web seal program.

[check] The Criteria. The criteria are the standards which the practitioner evaluates to determine whether the client has satisfied the trust services principles [AT101.24]. While AT101 allows criteria to come from many different sources, in this case, the criteria are defined by the web seal program [AT101.25 through .26].

[check] Type of Investigation. AT101 permits three types of investigations: (1) an examination; (2) a review; and (3) agreed-upon procedures. The professional standard expands upon the first two engagements and delays further discussion of agreed-upon procedures to AT201 [AT101.15].

[check] Report Type. Students should observe that an examination is the engagement that provides the highest level of assurance with the conclusion expressed in the form of an opinion (e.g., a positive opinion about how effectively the web site met the standards of performance). A review provides only a moderate level of assurance with the conclusion expressed only in the form of a negative assurance (e.g., nothing was observed that led the practitioner to think that the standards were not being met) [AT101.68]. At this time students should not be able to identify the type of report for agreed-upon procedures, as this material is discussed in AT201, thus their response should be "Don't Know" at this time. Also, information about consulting services is irrelevant to AT101. The important point here is that if Ms. Greene is to express an opinion about how well the client met the web seal program's performance demands, it would require an examination. A review engagement would be insufficient.

[check] Report Distribution. The answers are the same for both examination and review engagements. The report is a "general use" report [AT101.68] unless specific restrictions exist [AT101.78]. In this case, one could argue that the criteria used are appropriate only for a limited number of parties, or that Ms. Greene is reporting on only subject matter, or that written assertions have not been provided by the responsible party, and thus the report should be restricted to the client and the web seal program. However, as part of the WebTrust Program, clicking on the WebTrust Seal links the consumer to the CPA's report among other things. Therefore, it must be a "general use" report.

[check] General Standards (Independence). The only mention of independence relates to maintaining independence in "mental attitude". This is described as being intellectually honest, impartial, and unbiased. The professional standard goes on to say that "the possession of intrinsic independence is a matter of personal quality rather than of rules that formulate certain objective tests." No mention is made of other services that the CPA practitioner can or cannot perform [AT101.35 through .38]. The last item on this topic in the questionnaire (about avoiding conflicts of interest) does not appear in AT101. Rather, it is stated specifically in the consulting services standard [CS100.07] with a cross reference to the integrity and objectivity standard [ET102.03]. While this always sounds like a reasonable thing to do, it is not stated expressly in AT101.

[check] General Standards (Special Training). AT101 does require the CPA practitioner to have adequate technical training and proficiency [AT101.19] and have adequate knowledge of the subject matter that could be acquired through formal or continuing education, including self-study, or through practical experience [AT101.22]. Ms. Greene has already admitted that she lacks the practical experience in this engagement area, thus some form of education would be required. Students were advised also to check the WebTrust internet site. They should have discovered that additional skills are required to perform a WebTrust engagement. These skills included (1) a working knowledge of internet technologies, protocols and security techniques, (2) specific controls and best practices a company should implement, and (3) other skills to be outlined soon in the WebTrust competency model. At this time the competency model has not yet been released; you will need to update this material subsequent to the release of this model. The last item on this topic in the questionnaire (about possessing professional competence) is paraphrased from the consulting services standard [CS100.06], and does not appear in AT101. While it sounds like something that one might expect for all engagements, students were supposed to look for specific wording and AT101 does not state this.

* AT201--Agreed-Upon Procedures Engagements. This standard expands the guidance specifically for agreed-upon procedure engagements beyond the introduction given them in AT101. Students might argue that an engagement for a web assurance seal could be organized as an agreed-upon procedures engagement. However, in the document entitled "Suitable Trust Services Criteria", agreed-upon procedures engagements are specifically stated as not appropriate for the issuance of a seal. However, the CPA practitioner can perform an agreed-upon procedures engagement related to the Trust Services principles and criteria. In this case, the CPA practitioner could not express an opinion, but only report the tests performed and the specific findings. This is a less likely agenda and inconsistent with the case as stated. Key points of the students' investigation are shown in Exhibit 9.

The need for a responsible party is identical to AT101 because it was discussed in AT101 before it terminated further discussion of agreed-upon procedures engagements [AT101.11]. The general, fieldwork, and reporting standards are identical to AT101 as stated in AT201.05. Therefore, the independence and special training requirements are the same. Two differences stand out, as discussed below.

[check] Report Type. Students should observe that an agreed-upon procedures engagement is only allowed to report the specific tests performed and the specific findings. No opinion or negative assurances may be given [AT201.24 and .31]. This is inconsistent with the case as written and would negate the use of an agreed-upon procedures engagement for the purpose of obtaining a web assurance seal. The instructor should emphasize the point that AT201 does not allow the CPA practitioner to express an opinion or to give negative assurances.

[check] Report Distribution. The report is not a "general use" report. The report must be restricted for use by the specified parties who agreed to the procedures that would be applied [AT201.31].

Step 4: Communicating Your Findings to the Client

Students will vary in the wording of this step of the assignment. This component of the case should be evaluated for technical correctness, completeness, clarity, syntax, spelling, sentence structure, and other aspects of proper writing skills. The following key points should be made in a technically correct solution.

* Addressee. The correspondence should be addressed to Mr. Bill Miller of the firm E-commerce.com.

* Paragraph One. Students should briefly outline the three step process employed: (1) investigating website policies and different web assurance seals observed; (2) investigating the specific web seal programs and the requirements of merchants to obtain and renew the seals; and (3) investigating the AICPA professional guidance appropriate to such an engagement.

* Paragraph Two. Students should identify two web assurance seal programs, one of which should be the WebTrust program. Students should then recommend the WebTrust program as the single best seal that provides the most comprehensive e-commerce assurances. They should indicate that a CPA practitioner would be required to investigate and determine if the business meets all assurance criteria established by the WebTrust program.

* Paragraph Three. Students should indicate all of the following.

[check] The engagement would be governed by the standard AT101, Attest Engagements.

[check] An examination engagement would be needed in order for the CPA practitioner to express the needed opinion.

[check] Ms. Greene's firm will conduct the engagement and issue a report expressing an opinion about whether the firm has complied with all web seal requirements in all material respects over the period investigated. The criteria come from the WebTrust program.

[check] The report will not be restricted for distribution. It is a "general use" report.

[check] The management of the client is the "responsible party". They have provided the subject matter which in this case are the controls or evidence that demonstrates that they have satisfied the specific criteria of the WebTrust principles.

[check] Before undertaking the engagement, Ms. Greene's technical staff would have to attend special training in order to be technically competent to conduct the engagement. Specifically, they need to obtain the following additional skills: (1) a working knowledge of internet technologies, protocols and security techniques; (2) specific controls and best practices a company should implement; and (3) other skills to be outlined soon in the WebTrust competency model. At this time the competency model has not yet been released; you will need to update this material subsequent to the release of this model.

[check] The only independence requirements for the CPA practitioner are those of independence in mental attitude regarding the specific attestation engagement. There should be no reason that Ms. Greene's firm could not perform other accounting, auditing, or consulting services for Mr. Miller, if he desired them.

* Signatory. The correspondence should be signed by Ms. Greene representing her CPA firm.

EXHIBIT 4. QUESTIONNAIRE FOR BBBOnLine IN STEP 2

Web Seal Program Name: BBBOnLine

Section A. e-commerce assurance
concerns of the web assurance seal Doesn't
program. Yes No Say

Data Security: Does the seal program
require the merchant to provide data
security that does the following?

* Merchant must provide security for X
 data transmitted from the consumer
 to the web site (i.e., have a
 secure server transaction system).

* Merchant must provide security for X
 data that appears on the web site
 that will be used by the consumer
 to make transaction decision.

Business Policies: Does the seal
program require the merchant to have
business policies that provide the Doesn't
following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website
 (e.g., billing, payments,
 returns, sales tax)

* Merchant must adopt business X
 policies previously established by
 the seal program rather than
 develop his / her own policies.

* Merchant is allowed to write his / X
 her own business policies if the
 policies comply with principles
 approved by an acceptable body.

* Merchant is required to maintain a X
 history of adhering to its own
 policies.

* Merchant must demonstrate a X
 history of not changing these
 policies frequently.

Transaction Integrity: Does the seal
program require the merchant to
provide transaction processing Doesn't
integrity? Yes No Say

* Merchant must properly process all X
 transactions only after gaining
 the consumer's agreement.

* Merchant must respond to consumer X
 inquiries / complaints in a timely
 manner.

* Merchant must use agreed-to X
 shipping and pricing data.

* Merchant must resolve all customer X
 problems in a prompt manner.

* Merchant must provide a means for X
 consumers to communicate with the
 merchant regarding inquiries,
 follow-up, or complaints.

Data Privacy: Does the seal program
require the merchant to provide data Doesn't
privacy that does the following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website (e.g.,
 consumer data privacy
 principles).

* Merchant must keep transaction and X
 personal information about the
 consumer confidential.

* Merchant must adopt privacy X
 policies previously established by
 the seal program rather than
 develop his / her own policies.

* Merchant is allowed to write his/ X
 her own privacy policies if the
 policies comply with principles
 approved by an acceptable body.

* Merchant must allow the consumer X
 to verify or correct his / her
 personal data that is maintained
 on the merchant's computer.

* Merchant must release or use data X
 only as agreed to by the consumer,
 except as needed to complete the
 transaction.

* Merchant must protect the X
 consumer's computer from viruses
 or "cookies", except as needed to
 complete the transaction.

Seal Program Activities: Does the
seal program perform activities on
behalf of consumers in the following Doesn't
areas? Yes No Say

* Merchant must allow consumers to X
 voluntarily document their
 experiences via the seal program
 website.

* Merchant must let the seal program X
 summarize or rank consumer
 experiences with the merchant's
 history of honoring its policies.

* Merchant must agree to X
 arbitration, let the web seal
 program intervene on the
 customer's behalf, or have a
 similar resolution process.

Section B. Specific requirements of
the firm to be able to display the Doesn't
seal. Yes No Say

Self-Reporting Activities: Does the
seal program require merchants to
self-report the following items?

* Proof of having conducted business X
 for a specified period of time.

* Agree to abide by the seal X
 program's requirements.

* Pay a license fee. X

* Install the seal or consumer links X
 to the seal program website.

* Purchase or install security X
 software or hardware provided by
 the seal program.

* Profess that the merchant has full X
 online ordering capability.

Independent Evaluations: Does the
seal program require merchants to
have an initial evaluation as Doesn't
follows? Yes No Say

* Let a third party confirm the X
 existence of the merchant.

* Let seal program representatives X
 confirm the merchant's existence
 via an on-site visit.

* Let seal program representatives X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Let seal program representatives X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

* Engage an independent auditor to X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Engage an independent auditor to X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

Renewal Requirements: Are specific
actions by merchants required to
renew their ability to display the Doesn't
seal? Yes No Say

* Pay a renewal license fee. X

* Not have significant consumer X
 complaints about failure to follow
 its own stated policies or to
 quickly resolve consumer problems.

* Let seal program representatives X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Let seal program representatives X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

* Engage an independent auditor to X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Engage an independent auditor to X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria only if severe violations
 were noted in previous merchant
 performance

* Engage an independent auditor to X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

How thoroughly do you feel that the Very Very
website seal program addresses Good Good Fair Poor Poor
e-commerce assurance objectives?
(Check one answer for each of the
assurance concerns)

* Data Security

* Business Policies

* Transaction Integrity

* Data Privacy

* Seal Program Activities

Would this web seal program require a Yes No
CPA practitioner to make statements
that the merchant met all the web X
seal program's criteria in order to
obtain, display, or renew the web
assurance seal? (Check one answer)

EXHIBIT 5. QUESTIONNAIRE FOR TRUSTE IN STEP 2

Web Seal Program Name: TRUSTe

Section A. e-commerce assurance Doesn't
concerns of the web assurance seal Yes No Say
program.

Data Security: Does the seal
program require the merchant to
provide data security that does the
following?

* Merchant must provide security X
 for data transmitted from the
 consumer to the web site (i.e.,
 have a secure server transaction
 system).

* Merchant must provide security X
 for data that appears on the web
 site that will be used by the
 consumer to make a transaction
 decision.

Business Policies: Does the seal
program require the merchant to
have business policies that provide Doesn't
the following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website (e.g.,
 shipping, billing, payments,
 returns, sales tax).

* Merchant must adopt business X
 policies previously established
 by the seal program rather than
 develop his / her own policies.

* Merchant is allowed to write his X
 / her own business policies if
 the policies comply with
 principles approved by an
 acceptable body.

* Merchant is required to maintain X
 a history of adhering to its own
 policies.

* Merchant must demonstrate a X
 history of not changing these
 policies frequently.

Transaction Integrity: Does the
seal program require the merchant
to provide transaction processing Doesn't
integrity? Yes No Say

* Merchant must properly process X
 all transactions only after
 gaining the consumer's agreement.

* Merchant must respond to X
 consumer inquiries/complaints
 in a timely manner

* Merchant must use agreed-to X
 shipping and pricing data.

* Merchant must resolve all X
 customer problems in a prompt
 manner.

* Merchant must provide a means X
 for consumers to communicate
 with the merchant regarding
 inquiries, follow-up, or
 complaints.

Data Privacy: Does the seal program
require the merchant to provide
data privacy that does the Doesn't
following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website (e.g.,
 consumer data privacy
 principles).

* Merchant must keep transaction X
 and personal information about
 the consumer confidential.

* Merchant must adopt privacy X
 policies previously established
 by the seal program rather than
 develop his / her own policies.

* Merchant is allowed to write X
 his/her own privacy policies if
 the policies comply with
 principles approved by an
 acceptable body.

* Merchant must allow the consumer X
 to verify or correct his / her
 personal data that is maintained
 on the merchant's computer.

* Merchant must release or use X
 data only as agreed to by the
 consumer, except as needed to
 complete the transaction.

* Merchant must protect the X
 consumer's computer from viruses
 or "cookies", except as needed
 to complete the transaction.

Seal Program Activities: Does the
seal program perform activities on
behalf of consumers in the Doesn't
following areas? Yes No Say

* Merchant must allow consumers to X
 voluntarily document their
 experiences via the seal program
 website.

* Merchant must let the seal X
 program summarize or rank
 consumer experiences with the
 merchant's history of honoring
 its policies.

* Merchant must agree to X
 arbitration, let the web seal
 program intervene on the
 customer's behalf, or have a
 similar resolution process.

Section B. Specific requirements of
the firm to be able to display the
seal.

Self-Reporting Activities: Does the
seal program require merchants to Doesn't
self-report the following items? Yes No Say

* Proof of having conducted X
 business for a specified period
 of time.

* Agree to abide by the seal X
 program's requirements.

* Pay a license fee. X

* Install the seal or consumer X
 links to the seal program
 website.

* Purchase or install security X
 software or hardware provided by
 the seal program.

* Profess that the merchant has X
 full online ordering capability.

Independent Evaluations: Does the
seal program require merchants to
have an initial evaluation as Doesn't
follows? Yes No Say

* Let a third party confirm the X
 existence of the merchant.

* Let seal program representatives X
 confirm the merchant's existence
 via an on-site visit.
 [ONLY FOR UNLAUNCHED WEBSITES]

* Let seal program representatives X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Let seal program representatives X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

* Engage an independent auditor to X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Engage an independent auditor to X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

Renewal Requirements: Are specific
actions by merchants required to
renew their ability to display the Doesn't
seal? Yes No Say

* Pay a renewal license fee. X

* Not have significant consumer X
 complaints about failure to
 follow its own stated policies
 or to quickly resolve consumer
 problems.

* Let seal program representatives X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Let seal program representatives X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

* Engage an independent auditor to X
 determine if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Engage an independent auditor to X(*)
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria only if severe
 violations were noted in previous
 merchant performance

* Engage an independent auditor to X
 conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

How thoroughly do you feel that the
website seal program addresses
e-commerce assurance objectives?
(Check one answer for each of the Very Very
assurance concerns) Good Good Fair Poor Poor

* Data Security

* Business Policies

* Transaction Integrity

* Data Privacy

* Seal Program Activities

Would this web seal program require Yes(*) No
a CPA practitioner to make
statements that the merchant met X X
all the web seal program's criteria
in order to obtain, display, or
renew the web assurance seal?
(Check one answer)

(*) links together the responses for renewal requirements with the
web seal program

EXHIBIT 6. QUESTIONNAIRE FOR WEBTRUST IN STEP 2

Web Seal Program Name: WebTrust

Section A. e-commerce assurance
concerns of the web assurance
seal program.

Data Security: Does the seal
program require the merchant
to provide data security that Doesn't
does the following? Yes No Say

* Merchant must provide security X
 for data transmitted from the
 consumer to the web site
 (i.e., have a secure server
 transaction system).

* Merchant must provide X
 security for data that
 appears on the web site that
 will be used by the consumer
 to make a transaction decision.

Business Policies: Does the
seal program require the
merchant to have business
policies that provide the Doesn't
following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website
 (e.g., shipping, billing,
 payments, returns, sales tax).

* Merchant must adopt business X
 policies previously
 established by the seal
 program rather than develop
 his / her own policies.

* Merchant is allowed to write X
 his / her own business
 policies if the policies
 comply with principles
 approved by an acceptable
 body.

* Merchant is required to X
 maintain a history of adhering
 to its own policies.

* Merchant must demonstrate a X
 history of not changing these
 policies frequently.

Transaction Integrity: Does
the seal program require the
merchant to provide transaction Doesn't
processing integrity? Yes No Say

* Merchant must properly X
 process all transactions
 only after gaining the
 consumer's agreement.

* Merchant must respond to X
 consumer inquiries /
 complaints in a timely
 manner.

* Merchant must use agreed-to X
 shipping and pricing data.

* Merchant must resolve all X
 customer problems in a
 prompt manner.

* Merchant must provide a X
 means for consumers to
 communicate with the merchant
 regarding inquiries,
 follow-up, or complaints.

Data Privacy: Does the seal
program require the merchant
to provide data privacy that Doesn't
does the following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website
 (e.g., consumer data privacy
 principles).

* Merchant must keep X
 transaction and personal
 information about the
 consumer confidential.

* Merchant must adopt privacy X
 policies previously
 established by the seal
 program rather than develop
 his / her own policies.

* Merchant is allowed to write X
 his/her own privacy policies
 if the policies comply with
 principles approved by an
 acceptable body.

* Merchant must allow the X
 consumer to verify or correct
 his / her personal data that
 is maintained on the
 merchant's computer.

* Merchant must release or use X
 data only as agreed to by the
 consumer, except as needed to
 complete the transaction.

* Merchant must protect the X
 consumer's computer from
 viruses or "cookies", except
 as needed to complete the
 transaction.

Seal Program Activities: Does
the seal program perform
activities on behalf of
consumers in the following Doesn't
areas? Yes No Say

* Merchant must allow consumers X
 to voluntarily document their
 experiences via the seal
 program website.

* Merchant must let the seal X
 program summarize or rank
 consumer experiences with the
 merchant's history of honoring
 its policies.

* Merchant must agree to X
 arbitration, let the web
 seal program intervene on the
 customer's behalf, or have a
 similar resolution process.

Section B. Specific requirements
of the firm to be able to display
the seal.

Self-Reporting Activities: Does
the seal program require
merchants to self-report the Doesn't
following items? Yes No Say

* Proof of having conducted X
 business for a specified
 period of time.

* Agree to abide by the seal X
 program's requirements.

* Pay a license fee. X
 [ENGAGEMENT CHARGES OF CPA
 PRACTITIONER]

* Install the seal or consumer X
 links to the seal program
 website.

* Purchase or install security X
 software or hardware provided
 by the seal program.

* Profess that the merchant has
 full online ordering
 capability.

Independent Evaluations: Does
the seal program require
merchants to have an initial Doesn't
evaluation as follows? Yes No Say

* Let a third party confirm X
 the existence of the merchant.
 [CPA PRACTITIONER]

* Let seal program X
 representatives confirm the
 merchant's existence via an
 on-site visit.

* Let seal program X
 representatives determine if
 the merchant fully discloses
 policies, without testing
 actual merchant performance.

* Let seal program X
 representatives conduct tests
 to see if the merchant adheres
 to stated policies and meets
 performance criteria.

* Engage an independent auditor
 to determine if the merchant X
 fully discloses policies,
 without testing actual
 merchant performance.

* Engage an independent auditor X
 to conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

Renewal Requirements: Are
specific actions by merchants
required to renew their ability Doesn't
to display the seal? Yes No Say

* Pay a renewal license fee. X
 [ENGAGEMENT CHARGES OF CPA
 PRACTITIONER]

* Not have significant consumer X
 complaints about failure to
 follow its own stated policies
 or to quickly resolve consumer
 problems.

* Let seal program X
 representatives determine if
 the merchant fully discloses
 policies, without testing
 actual merchant performance.

* Let seal program X
 representatives conduct tests
 to see if the merchant adheres
 to stated policies and meets
 performance criteria.

* Engage an independent auditor X
 to determine if the merchant
 fully discloses policies,
 without testing actual
 merchant performance.

* Engage an independent auditor X
 to conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria only if severe
 violations were noted in
 previous merchant performance

* Engage an independent auditor X
 to conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

How thoroughly do you feel
that the website seal program
addresses e-commerce assurance
objectives? (Check one answer
for each of the assurance Very Very
concerns) Good Good Fair Poor Poor

* Data Security

* Business Policies

* Transaction Integrity

* Data Privacy

* Seal Program Activities

Would this web seal program Yes No
require a CPA practitioner to
make statements that the X
merchant met all the web seal
program's criteria in order to
obtain, display, or renew the
web assurance seal?
(Check one answer)

EXHIBIT 7. QUESTIONNAIRE FOR ePUBLICEYE IN STEP 2

Web Seal Program Name: ePublicEye

Section A. e-commerce assurance
concerns of the web assurance
seal program.

Data Security: Does the seal
program require the merchant
to provide data security that Doesn't
does the following? Yes No Say

* Merchant must provide security X
 for data transmitted from the
 consumer to the web site
 (i.e., have a secure server
 transaction system).

* Merchant must provide security X
 for data that appears on the
 web site that will be used by
 the consumer to make
 a transaction decision.

Business Policies: Does the
seal program require the
merchant to have business
policies that provide the Doesn't
following? Yes No Say

* Merchant must display X
 understandable and consistent
 policies on the website
 (e.g., shipping, billing,
 payments, returns, sales tax).

* Merchant must adopt business X
 policies previously
 established by the seal
 program rather than develop
 his / her own policies.

* Merchant is allowed to write X
 his / her own business
 policies if the policies
 comply with principles
 approved by an acceptable
 body.

* Merchant is required to X
 maintain a history of adhering
 to its own policies.

* Merchant must demonstrate a X
 history of not changing these
 policies frequently.

Transaction Integrity: Does
the seal program require the
merchant to provide transaction Doesn't
processing integrity? Yes No Say

* Merchant must properly process X
 all transactions only after
 gaining the consumer's
 agreement.

* Merchant must respond to X
 consumer inquiries /
 complaints in a timely manner.

* Merchant must use agreed-to X
 shipping and pricing data.

* Merchant must resolve all X
 customer problems in a prompt
 manner.

* Merchant must provide a means X
 for consumers to communicate
 with the merchant regarding
 inquiries, follow-up, or
 complaints.

Data Privacy: Does the seal Doesn't
program require the merchant to Yes No Say
provide data privacy that does
the following?

* Merchant must display X
 understandable and consistent
 policies on the website (e.g.,
 consumer data privacy
 principles).

* Merchant must keep transaction X
 and personal information about
 the consumer confidential.

* Merchant must adopt privacy X
 policies previously
 established by the seal
 program rather than develop
 his / her own policies.

* Merchant is allowed to write X
 his / her own privacy policies
 if the policies comply with
 principles approved by an
 acceptable body.

* Merchant must allow the X
 consumer to verify or correct
 his / her personal data that
 is maintained on the
 merchant's computer.

* Merchant must release or use X
 data only as agreed to by the
 consumer, except as needed to
 complete the transaction.

* Merchant must protect the X
 consumer's computer from
 viruses or "cookies", except
 as needed to complete the
 transaction.

Seal Program Activities: Does
the seal program perform
activities on behalf of
consumers in the following Doesn't
areas? Yes No Say

* Merchant must allow consumers X
 to voluntarily document their
 experiences via the seal
 program website.

* Merchant must let the seal X
 program summarize or rank
 consumer experiences with the
 merchant's history of honoring
 its policies.

* Merchant must agree to X
 arbitration, let the web seal
 program intervene on the
 customer's behalf, or have a
 similar resolution process.

Section B. Specific requirements
of the firm to be able to display
the seal.

Self-Reporting Activities: Does
the seal program require
merchants to self-report the Doesn't
following items? Yes No Say

* Proof of having conducted X
 business for a specified
 period of time.

* Agree to abide by the seal X
 program's requirements.

* Pay a license fee. X

* Install the seal or consumer X
 links to the seal program
 website.

* Purchase or install security X
 software or hardware provided
 by the seal program.

* Profess that the merchant has X
 full online ordering
 capability.

Independent Evaluations: Does
the seal program require
merchants to have an initial Doesn't
evaluation as follows? Yes No Say

* Let a third party confirm the X
 existence of the merchant.

* Let seal program X
 representatives confirm the
 merchant's existence via an
 on-site visit.

* Let seal program X
 representatives determine
 if the merchant fully
 discloses policies, without
 testing actual merchant
 performance.

* Let seal program X
 representatives conduct tests
 to see if the merchant adheres
 to stated policies and meets
 performance criteria.

* Engage an independent auditor X
 to determine if the merchant
 fully discloses policies,
 without testing actual
 merchant performance.

* Engage an independent auditor X
 to conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

Renewal Requirements: Are
specific actions by merchants
required to renew their ability Doesn't
to display the seal? Yes No Say

* Pay a renewal license fee. X

* Not have significant consumer X
 complaints about failure to
 follow its own stated policies
 or to quickly resolve consumer
 problems.

* Let seal program X
 representatives determine if
 the merchant fully discloses
 policies, without testing
 actual merchant performance.

* Let seal program X
 representatives conduct tests
 to see if the merchant adheres
 to stated policies and meets
 performance criteria.

* Engage an independent auditor X
 to determine if the merchant
 fully discloses policies,
 without testing actual
 merchant performance.

* Engage an independent auditor X
 to conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria only if severe
 violations were noted in
 previous merchant performance

* Engage an independent auditor X
 to conduct tests to see if the
 merchant adheres to stated
 policies and meets performance
 criteria.

How thoroughly do you feel
that the website seal program
addresses e-commerce assurance
objectives? (Check one answer
for each of the assurance Very Very
concerns) Good Good Fair Poor Poor

* Data Security

* Business Policies

* Transaction Integrity

* Data Privacy

* Seal Program Activities

Would this web seal program Yes No
require a CPA practitioner to
make statements that the X
merchant met all the web seal
program's criteria in order to
obtain, display, or renew the
web assurance seal?
(Check one answer)

EXHIBIT 8. QUESTIONNAIRE FOR AT101 IN STEP 3

Section A. Identify the professional standard you are reviewing.

Identify the Standard by number (e.g., AT101, AT201, CS100, etc.)
and write the exact title.

 AT101--Attest Engagements

Briefly summarize the stated purpose of the standard (e.g., when it
is appropriate to use this specific standard).

 Used when a CPA practitioner is engaged to issue an examination,
 a review, or an agreed-upon procedures report on assertions or
 subject matter that is the responsibility of another party.

Section B. With regard to this specific
professional standard, can this standard be
used by a CPA practitioner to support an
engagement designed to accomplish the Don't
following purpose? Yes No Know

To perform an attest level engagement for X
the purpose of obtaining a web assurance seal
to display on the client's website.

To perform an attest level engagement on X
certain procedures related to the Trust
Services principles.

If you answered "No" to BOTH of the questions above,
SKIP THE REMAINING SECTIONS of this questionnaire.

If you answered "Yes" to ONE OR BOTH questions above,
complete the remaining sections of this questionnaire.

Section C. Identify the characteristics Don't
required of the investigation. Yes No Know

Does the professional standard require X
that a "responsible party" be identified who
will provide the assertions or who is
responsible for the subject matter being
investigated?

For a web assurance engagement, who would be the "responsible
party" if one is needed?

* The management of the X
 client who engages the CPA
 practitioner to evaluate
 the web site

* The organization that X
 administers the web seal
 program

* The CPA practitioner who X
 was hired to conduct the
 investigation

Where could the criteria come from that will be used to evaluate
the assertions or the subject matter being evaluated?

* The client or party X
 responsible for the subject
 matter being investigated

* A body designated by the X
 AICPA governing council

* Groups composed of experts X
 who follow due process
 procedures

* Industry associations X

* Other groups who do not X
 follow due process
 procedures

What type(s) of investigation(s) can be performed under this
standard? (Use your answer here to guide your answers to
Sections D, E & F below.)

* Examination X

* Review X

* Agreed-Upon Procedures X

* Consulting Services X
 Engagement

Section D. Report Type: For only each type Don't
of investigation checked in Section C above, Yes No Know
indicate the type of report that can be
issued.

You checked an EXAMINATION investigation in Section C above.

* The AICPA places NO X
 restrictions on the
 content of the report.

* Report must express a X
 positive opinion about the
 assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it X
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the X
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

You checked a REVIEW investigation in Section C above.

* The AICPA places NO X
 restrictions on the content
 of the report.

* Report must express a X
 positive opinion about the
 assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it X
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the X
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

You checked an AGREED-UPON PROCEDURES investigation in Section C
above.

* The AICPA places NO X
 restrictions on the content
 of the report.

* Report must express a X
 positive opinion about the
 assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it X
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the X
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

You checked a CONSULTING SERVICES engagement in Section C above.

* The AICPA places NO
 restrictions on the content
 of the report.

* Report must express a
 positive opinion about
 the assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

Section E. Report Distribution: For only Don't
each type of investigation checked in Yes No Know
Section C above, indicate how the report
can be distributed

You checked an EXAMINATION investigation in Section C above.

* The AICPA places NO X
 restrictions on the
 distribution of the report.

* The report can be generally X
 distributed unless the
 criteria used are
 appropriate or available
 to only a limited number
 of parties, or when
 reporting on subject
 matter and written
 assertions were not
 provided by the responsible
 party.

* The report must be X
 restricted to specified
 readers who agree to
 accept the specific
 tests performed.

You checked a REVIEW investigation in Section C above.

* The AICPA places NO X
 restrictions on the
 distribution of the report.

* The report can be generally X
 distributed unless the
 criteria used are
 appropriate or available
 to only a limited number
 of parties, or when
 reporting on subject
 matter and written
 assertions were not
 provided by the
 responsible party.

* The report must be X
 restricted to specified
 readers who agree to
 accept the specific tests
 performed.

You checked an AGREED-UPON PROCEDURES investigation in Section C
above.

* The AICPA places NO X
 restrictions on the
 distribution of the report.

* The report can be generally X
 distributed unless the
 criteria used are
 appropriate or available to
 only a limited number of
 parties, or when reporting
 on subject matter and
 written assertions were not
 provided by the responsible
 party.

* The report must be X
 restricted to specified
 readers who agree to accept
 the specific tests
 performed.

You checked a CONSULTING SERVICES engagement in Section C above.

* The AICPA places NO
 restrictions on the
 distribution of the report.

* The report can be generally
 distributed unless the
 criteria used are
 appropriate or available to
 only a limited number of
 parties, or when reporting
 on subject matter and
 written assertions were
 not provided by the
 responsible party.

* The report must be
 restricted to specified
 readers who agree to
 accept the specific tests
 performed.

Section F. General Standards: Within this
specific professional standard, indicate
if the standard requires CPA practitioner Don't
independence or special training Yes No Know

Is independence needed for this engagement?

* The AICPA imposes no X
 independence restrictions
 on the CPA practitioner
 for this engagement

* The CPA practitioner must X
 not do any other accounting
 or auditing services during
 this engagement

* The CPA practitioner must X
 not do any other consulting
 services for the client
 during the engagement

* The CPA practitioner must X
 maintain independence in
 mental attitude (be honest,
 impartial, unbiased)

* The CPA practitioner must X
 avoid conflicts of interest
 that would impair the
 practitioner's objectivity

Is special training needed for this engagement? *

* There are no requirements X
 stated about competence,
 technical training,
 proficiency, or special
 knowledge

* The CPA practitioner must X
 possess additional skills
 to perform a web assurance
 engagement.

* The CPA practitioner must X
 possess professional
 competence in the
 engagement being undertaken

* HINT: In addition to this specific professional standard look at the
WebTrust internet site identified earlier.

EXHIBIT 9. QUESTIONNAIRE FOR AT201 IN STEP 3

Section A. Identify the professional standard you are reviewing.

Identify the Standard by number (e.g., AT101, AT201, CS100, etc.)
and write the exact title.

 AT201--Agreed-Upon Procedures Engagements

Briefly summarize the stated purpose of the standard (e.g., when it
is appropriate to use this specific standard).

 Used when a CPA practitioner performs and reports on all
 agreed-upon procedures engagements. That is, an engagement in
 which the CPA practitioner is engaged to issue a report of
 findings based upon specific procedures performed on a subject
 matter.

Section B. With regard to this specific
professional standard, can this standard be
used by a CPA practitioner to support an
engagement designed to accomplish the Don't
following purpose? Yes No Know

To perform an attest level engagement for X
the purpose of obtaining a web assurance seal
to display on the client's website.

To perform an attest level engagement on
certain procedures related to the Trust X
Services principles.

If you answered "No" to BOTH of the questions above,
SKIP THE REMAINING SECTIONS of this questionnaire.

If you answered "Yes" to ONE OR BOTH questions above,
complete the remaining sections of this questionnaire.

Section C. Identify the characteristics Don't
required of the investigation. Yes No Know

Does the professional standard require that X
a "responsible party" be identified who will
provide the assertions or who is responsible
for the subject matter being investigated?

For a web assurance engagement, who would be the responsible
party if one is needed?

* The management of the
 client who engages the CPA
 practitioner to evaluate
 the web site

* The organization that
 administers the web seal
 program

* The CPA practitioner who
 was hired to conduct the
 investigation

Where could the criteria come from that will be used to evaluate
the assertions or the subject matter being evaluated?

* The client or party X
 responsible for the subject
 matter being investigated

* A body designated by the X
 AICPA governing council

* Groups composed of experts X
 who follow due process
 procedures

* Industry associations X

* Other groups who do not X
 follow due process
 procedures

What type(s) of investigation(s) can be performed under this
standard? (Use your answer here to guide your answers to
Sections D, E & F below.)

* Examination X

* Review X

* Agreed-Upon Procedures X

* Consulting Services X
 Engagement

Section D. Report Type: For only each type Don't
of investigation checked in Section C above, Yes No Know
indicate the type of report that can be
issued.

You checked an EXAMINATION investigation in Section C above.

* The AICPA places NO
 restrictions on the
 content of the report.

* Report must express a
 positive opinion about the
 assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

You checked a REVIEW investigation in Section C above.

* The AICPA places NO
 restrictions on the
 content of the report.

* Report must express a
 positive opinion about the
 assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

You checked an AGREED-UPON PROCEDURES investigation in Section C
above.

* The AICPA places NO X
 restrictions on the content
 of the report.

* Report must express a
 positive opinion about the X
 assertions or subject
 matter conforming to the
 evaluation criteria
 (unqualified, qualified,
 adverse, or disclaimer).

* Report must state that it X
 was a lesser investigation,
 express no opinion, and
 express only negative
 assurances.

* Report must identify the X
 test(s) performed and the
 specific findings (express
 no opinion or negative
 assurances).

You checked a CONSULTING SERVICES engagement in Section C above.

 The AICPA places NO restrictions on the content of the report.
 Report must express a positive opinion about the assertions or subject matter conforming to the evaluation criteria (unqualified, qualified, adverse, or disclaimer).
 Report must state that it was a lesser investigation, express no opinion, and express only negative assurances.
 Report must identify the test(s) performed and the specific findings (express no opinion or negative assurances).

Section E. Report Distribution: For only each type of investigation checked in Section C above, indicate how the report can be distributed. (Answer columns: Yes / No / Don't Know)

You checked an EXAMINATION investigation in Section C above.

 The AICPA places NO restrictions on the distribution of the report.
 The report can be generally distributed unless the criteria used are appropriate or available to only a limited number of parties, or when reporting on subject matter and written assertions were not provided by the responsible party.
 The report must be restricted to specified readers who agree to accept the specific tests performed.

You checked a REVIEW investigation in Section C above.

 The AICPA places NO restrictions on the distribution of the report.
 The report can be generally distributed unless the criteria used are appropriate or available to only a limited number of parties, or when reporting on subject matter and written assertions were not provided by the responsible party.
 The report must be restricted to specified readers who agree to accept the specific tests performed.

You checked an AGREED-UPON PROCEDURES investigation in Section C above.

 The AICPA places NO restrictions on the distribution of the report.   X
 The report can be generally distributed unless the criteria used are appropriate or available to only a limited number of parties, or when reporting on subject matter and written assertions were not provided by the responsible party.   X
 The report must be restricted to specified readers who agree to accept the specific tests performed.   X

You checked a CONSULTING SERVICES engagement in Section C above.

 The AICPA places NO restrictions on the distribution of the report.
 The report can be generally distributed unless the criteria used are appropriate or available to only a limited number of parties, or when reporting on subject matter and written assertions were not provided by the responsible party.
 The report must be restricted to specified readers who agree to accept the specific tests performed.

Section F. General Standards: Within this specific professional standard, indicate if the standard requires CPA practitioner independence or special training. (Answer columns: Yes / No / Don't Know)

Is independence needed for this engagement?

 The AICPA imposes no independence restrictions on the CPA practitioner for this engagement   X
 The CPA practitioner must not do any other accounting or auditing services during this engagement   X
 The CPA practitioner must not do any other consulting services for the client during the engagement   X
 The CPA practitioner must maintain independence in mental attitude (be honest, impartial, unbiased)   X
 The CPA practitioner must avoid conflicts of interest that would impair the practitioner's objectivity   X

Is special training needed for this engagement? *

 There are no requirements stated about competence, technical training, proficiency, or special knowledge   X
 The CPA practitioner must possess adequate technical training, proficiency, and knowledge of the subject   X
 The CPA practitioner must possess professional competence in the engagement being undertaken   X

* HINT: In addition to this specific professional standard look at
the WebTrust internet site identified earlier.


Gilbert W. Joseph, The University of Tampa
Lisa N. Bostick, The University of Tampa
Lanford T. Slaughter, Jr., Accounting & Technology Assurance LLC