by John M. Covaleski
New York - The American Institute of CPAs is preparing to overhaul its WebTrust and SysTrust attestation services.
The institute will combine the separate principles for each service into one set of principles for a broadened Trust Services attest program that would apply to future WebTrust and SysTrust engagements. The merged services could also be applied to other attest and consulting work.
The new Trust Services program will have one licensing standard for practitioners versus the separate standards now required by WebTrust and SysTrust. Another change could be that electronic reports or seals, similar to ones awarded to Web Trust-certified Web sites, would be added to SysTrust, which now uses paper-based certification.
The two trust services, both jointly developed by the AICPA and the Canadian Institute of Chartered Accountants in the late 1990s, provide guidance that enables auditors to issue opinions on the key technologies employed by most businesses today. SysTrust attests to the reliability of client companies’ internal technology systems, while WebTrust attests to the reliability of Web sites and associated electronic commerce systems and business pract-ices.
The change appears to be an effort to jump start slow market accept-ance for the services. Web Trust’s Web site, WebTrust.org., lists just 26 Web sites that carry the WebTrust seal, and an AICPA spokesman said that the number of completed SysTrust engagements is in the "hundreds."
The AICPA is portraying the move as an effort to alleviate confusion about the programs and to increase CPAs’ potential to derive consulting engage-ments from them.
The institute will continue to support WebTrust and SysTrust, but there will be a separate marketing effort put to work for the Trust Services. The institute began re-positioning the two attest services last year when it replaced their separate task forces with the joint Trust Services Task Force. The decision to "harmonize" principles was an outcome of that combination, according to Karyn Waller, the AICPA’s senior manager of trust services.
Task force members recognized that both programs’ separate principles were very similar, she said.
Creation of Trust Services will most likely not occur until the third or fourth quarter of this year, and details of how services will be combined will not be known until then. Waller said that it is very likely that only one set of licensing standards will apply, but those standards are still unknown.
"There are engagements out there and money to be made in that," Chris Stormer, an AICPA Trust Services Task Force member said at the AICPA’s Tech 2002 technology conference. At that mid-May show, he also announced that his task force plans to release an exposure draft of the combined attest principles for the two services by the end of June.
That draft would, in essence, revise the three criteria that are shared by both services - availability, security and integrity - so that they can be applied to both services. Principles that apply only to Web Trust - ones related to protecting the privacy of Web site visitors - will remain applicable only to that service.
"We are putting the SysTrust criteria right next to the WebTrust criteria and are in the process of harmonizing the two to come up with a base of criteria useable in both types of engagements," Stormer said in an interview shortly after the Tech conference. "We are bringing these together because there is confusion in the marketplace about what is WebTrust, what is SysTrust and how are they used."
Having one set of principles for both services would alleviate that market confusion and could also make it easier for CPAs to provide either or both of the services, according to Stormer.
The institute also said that the reported number of completed engagements is misleading because practitioners have handled numerous SysTrust and WebTrust engagements in which they performed only the portion of the attest service that was requested by the client. Although the clients are not added to a completed engagement count for either service, in each case, CPAs have provided a value-added and billable service, Stormer noted.
WebTrust and SysTrust are each available in modules, meaning that client companies can request attestation of only the particular part of the service that applies to their business.
Stormer acknowledged that market acceptance is an issue. "It’s like we’ve got a killer mousetrap, but we have to get a mouse in it," he said.
Consultants agree that the planned merger would help pare down any confusion. "Combining WebTrust and SysTrust could make a strong statement, a less confusing statement, to a public that will discover it needs these services," said Tom Davis, a Valdosta, Ga.-based practice management consultant and specialist in technology. He blamed the limited market acceptance on the relative newness of the services.
Currently, CPAs or CICA members qualify to handle SysTrust upon paying $15 for the AICPA-CICA booklet, "SysTrust Principles and Criteria for Systems Reliability," which includes a "passive" license, according to Waller. The practitioners must also belong to firms that are peer-reviewed.
WebTrust requirements are much stiffer. Pract-itioners must attend formal training and their firms must pay fees ranging from $2,000 to $3,000 based on the firms’ revenue, said a WebTrust spokesman.
One of the distinctions between the programs is that SysTrust is considered to be more like standard attest services, which CPAs are already licensed to perform by virtue of being CPAs.
WebTrust is viewed differently because it applies to the still-evolving field of electronic commerce and uses an electronic seal versus the standard paper-based reports that are now used by SysTrust, Waller said.
