Frequently asked questions

Client

Can I make use of the Trust Services Principles and Criteria to health check my e-operations systems?

As web culture has developed over the years and become part of our daily lives, HKICPA has decided to open up the best practice standards for free public access with a view to wide adoption by the business community. E-business operators are encouraged to benchmark their e-operations against these standards as internal requirements for best practices. Whether a business needs an independent certification resulting in a "Seal of Approval" issued by the auditor and placed on its website is a business decision.

What does the WebTrust Seal do for me and why do I want to pay for it?

Broad public concern over the privacy and security of Web sites is one of the primary obstacles impeding the ability of most businesses to succeed with Internet commerce. Potential customers are also concerned with the legitimacy of many business entities, especially small businesses that offer products and services over the Internet.

CPAs, whom the public widely views as independent and trustworthy, perform WebTrust services. The WebTrust Seal provides the assurance that Web sites containing the Seal meet high standards of security, privacy, and legitimacy. The Seal is evidence that your site has working controls and security in place that are as important to your company's own protection as they are to your customers.

Sites that have earned the WebTrust seal have reported that visits and sales at their respective sites have increased due to the presence of the seal. A few clients have placed "exit questions" at their site to question their customers regarding the WebTrust program. In each case, customers are expressing support and increased confidence because an independent, third party has evaluated the site.

How can I get the WebTrust seal?

The Seal can be obtained by engaging a CPA who offers the WebTrust service. Your CPA is offering the service now or is likely to be doing so in the near future. If this is not the case, a listing of CPAs who offer the service can be found on the Web site of the HKICPA (www.hkicpa.org.hk/professionaltechnical/webtrust/ts_praclist.php).

How does my Web site qualify for the WebTrust Seal?

To earn the seal, Web sites must be in compliance with the WebTrust Principles issued by the HKICPA for a minimum of two months.

What if my Web site does not qualify?

Your CPA can provide the guidance necessary to bring your Web site into compliance with the required Principles. As these Principles address proper and broadly accepted internal controls and practices for operating your Web site, it makes good business sense to operate your site in accordance with these business principles.

Does my Web site need any special hardware or software to be compliant?

The extent of your investment in hardware and software depends on the size, complexity and type of your Web site. If your site is hosted by a third party Internet Service Provider (ISP), most of the software and hardware issues will likely rest with the ISP. However, if your company maintains its own Web hardware and software, your Web site will require software that maintains transactional integrity as well as firewall, encryption, and other hardware and software elements required for information protection. These elements are important for the protection of your company as well as for your customers. It is very risky to be engaged in Internet commerce without having transactional and security controls in place.

It is important to keep in mind that WebTrust is not so much about specific hardware and software as it is about business practices, controls and procedures.

How much does WebTrust cost?

The cost of WebTrust is likely to be comparable with other consulting services performed for your company by your current accounting firm. Since no two businesses are alike, no two WebTrust engagements will be similar. The cost of a WebTrust examination will be based on the complexity of the Internet site, hardware and software in use, and other factors in use at the commerce site.

My site uses "cookies" to facilitate users at our site - does this disqualify my site from earning the WebTrust seal?

As long as a site discloses its use of cookies in a manner similar to that used for disclosing other business practices, and the information contained within the cookie is protected in the manner in which the site protects other customer information, the use of cookies would not prohibit the issuance of a WebTrust seal.

How long is the WebTrust Seal valid?

The Seal is valid as long as the Web site continues to receive CPA assurance that it is compliant with WebTrust principles. Under these guidelines, the site must be tested for compliance at least every three months. Depending on the nature and complexity of the Web site and your business, more frequent testing may be required.

Under what circumstances can the WebTrust Seal be revoked?

CPAs are required to revoke the Seals of Web sites that fall out of compliance with the principles as currently published by the HKICPA (CICA/AICPA). In addition, the Seal will automatically expire from sites if not refreshed by a qualified CPA at least every twelve months.

My company is ISO 9000 compliant and my financial statements are audited by a CPA. Why do I need WebTrust?

The WebTrust Seal was developed to be widely recognized and accepted by the public and by the business community as the premier form of assurance of privacy, security, and legitimacy for Internet Web sites. ISO 9000 compliance is far broader and less specific than WebTrust - and less understood by the public. The standards pertaining to the audits of financial statements are different than WebTrust Principles and do not cover assurances pertaining to electronic commerce over the Web.

My company enjoys a solid reputation and our Web site maintains strong transactional control, uses passwords, anti-virus and firewalls. Why do I need the WebTrust Seal?

The primary purpose of WebTrust is to overcome a major obstacle to the success of most companies' Internet sales efforts: the broad public concern over the privacy and security of Web sites and the legitimacy of many businesses. Even if a company's Web site is in compliance with the WebTrust Principles, there is no way a potential customer can be assured of this unless the WebTrust Seal is affixed to the site.

In some cases an independent evaluation of a commerce site may reveal weaknesses in the system that have been overlooked. Since the Internet moves at such a rapid pace, it is a small investment in your future success to have a CPA look at the controls and practices at a web site. The seal communicates to your customers that you are concerned about providing the best possible site for their Internet shopping experience.

Am I restricted in how I can use the WebTrust seal on my Web site?

Yes. CPAs who offer this service license use of the WebTrust Seal exclusively to your Web site. It cannot be copied, duplicated, or re-engineered in any way. Your CPA can provide you additional guidelines regarding advertising and printed materials displaying the WebTrust mark.