Risks of CPA Assurance of WebTrust^SM Electronic Seals

and of DataTrust Privacy of Cookie Jars

Deborah Coulter is keenly aware that what worries her superiors the most are the inventive ways in which hackers and crackers are able to break into the most secure computer and networking systems on earth, including the most secure systems in the Pentagon. See Footnote 1.  Whereas hackers invade systems as a challenge without evil intentions, crackers break into systems intending to steal from or otherwise injure the system. Stealing can be parasitic over time or a single-incident theft. Smart crackers are patient and resist stealing or otherwise letting intentions be known for long periods of time. Sometimes there is only information theft from the host (e.g. stealing cookies) that is later used to steal from or otherwise harm innocent third parties. In the early part of 1998 when the Pentagon was moving war planes into the Persian Gulf, mysterious hackers were invading and leaving trap doors (for exiting and re-entry) in classified databases. On June 1, 1998 Newsweek reported the following on Page 60:

The hackers turned out to be a couple of teenagers in Cloverdale, Calif., coached by a third teenager living in Israel; they were just having some fun. But to America's national-security establishment, the threat of information (IW) is deadly serious.

If Pentagon systems can be cracked by whiz kids, what is the risk of A&K assurance services to DARE? Also, what is the risk that a disgruntled employee will leave the cookie jar open or sell passwords or other confidential information to criminals?

In a PBS television broadcast of Life on the Internet in the early part of 1997, Carmen Cassidy discovered how art galleries and bookstores around the world are closing down in order to become virtual businesses on the Internet. Many such businesses are much more successful online than they were in fixed locations. The lead was initially taken by online bookstores attempting to build virtual communities among parties interested in each book. See Footnote 2.  Subsequently, galleries and other businesses discovered that virtual communities are both sources of inspiration for authors and artists and sources of renewed interest of customers in products.

Ms Cassidy invested heavily in her online Disabled Artist Resource Emporium (DARE) headquartered in Dallas, Texas. DARE’s mission is to both help artists with disabilities produce works of art and to help sell their finished products. Products include traditional paintings and computer art as well as sculptures, music recordings, books, poems, and handicraft items. Carmen Cassidy herself was an artist until she became quadriplegic following an automobile accident.

Ms Cassidy eventually closed her six DARE outlet stores in major cities across the nation and moved the entire DARE operation into cyberspace via the Internet. One of the key motivations was to focus on the formation of "virtual communities" around the leading artists under her sponsorship. She now provides web space for anyone who wants to evaluate any artist’s work and/or comment on that work or the artist in general. She also provides web chat rooms where an artist can communicate at scheduled times in spontaneous dialog with admirers, critics, customers, students, and fellow artists.

There are actually two virtual communities that form around each DARE artist. The "output" community centers on the past, present, and future works of art of a given artist. That is the community described above. The second virtual community is called the "input" community. The latter community attempts to bring the artist into communication with anyone that can help an artist improve upon his or her craft. For example, persons keen on tracking disabilities technologies can communicate with artists about leading edge and emerging products for such disabilities as sight impairment, hearing impairment, motor control impairment, and other types of impairments that make it difficult but not impossible to generate high quality pieces of art and music.

DARE profits both from purchases of hardware/software to assist artists, and from sales of works from artists. DARE has brokerage contracts with various vendors of products for disabled persons and brokerage contracts with the artists attempting to sell their crafts. DARE has been successful because of trust and professionalism on all sides of transactions. DARE tests vendor products and, on occasion, hires independent testing firms to evaluate newer types of inventions. DARE has a staff of two professional art critics and also hires independent consultants to appraise the works of art displayed in various galleries at the DARE web site. DARE also holds several patents on devices intended to aid artists with certain types of disabilities. In addition, DARE conducts both on site and online training courses for artists.

Carmen Cassidy received a disturbing message on March 9, 1998. A customer who had purchased several items in February revealed that, by using a web search engine, he had stumbled onto two domain names with identical DARE opening pages. Ms Cassidy discovered that an unscrupulous scoundrel had downloaded all of the DARE documents and images in order to create a phony DARE web site.

The customer complained that a telephone solicitation had been received announcing a changed DARE phone number and offering a discount based upon the amount of the February purchase. The customer started to place another order but became suspicious after being informed that "DARE" would no longer accept credit cards. Only cash and money orders were to be transmitted. The fact that "DARE" encouraged sending cash though the mails is what made the customer suspicious enough to conduct a web search for DARE sites.

Ms Cassidy expressed deep gratitude to the customer for discovering the phony DARE site. The customer, however, remained irate about privacy issues. What made the customer especially upset with Carmen Cassidy is that the phony "DARE" con artist somehow had DARE’s cookie data regarding the customer’s name, address, phone number, email address, and details regarding the February purchase from the legitimate DARE web site. Somehow unauthorized hands were in the DARE cookie jar. The systems engineers that designed and installed the DARE web site made it possible to send out cookies to customer and artist computers.  See Footnote 3.

Even though authorities in New Jersey shut down the phony DARE web operation in a matter of days, Carmen Cassidy grew exceedingly distraught. She had closed all of the DARE outlet stores around the nation and plunged heavily into the virtual DARE web site. Not until March 9 did she discover how truly vulnerable her virtual DARE was to fraud and corruption. When the word spread, her long-established goodwill with artists and the public might take a plunge from which she could not recover without abandoning her web business and reopening outlet stores at considerable trouble and expense.

As chance would have it on March 9, Sam Burke was in her office working on both her corporate and personal tax returns. Sam worked out of the Dallas office of the A&K LLP public accounting firm. Sam informed Ms Cassidy that his firm had an assurance service team that could help save her online DARE.

. Deborah Coulter received a call from her colleague Sam Burke on March 9. Sam put his client, Carmen Cassidy, on the line. Ms Coulter informed the distressed Carmen Cassidy that, by using the AICPA’s WebTrust^SM Electronic Seal, A&K will authenticate that designated web site is the official DARE site. The service for logo authentication is termed LogoTrust by A&K. The accounting firm also offers its DataTrust assurances to users that DARE cookie information on customers and artists would remain confidential. DataTrust is the term used by A&K for assurances that privacy rights to information are protected. DataTrust is the third principle under the AICPA’s WebTrust^SM Electronic Seal. Furthermore, DARE could purchase other assurance services that would provide the world with greater confidence when dealing with DARE over the Internet. Among these services are TransTrust from A&K. TransTrust is the term used by A&K to depict the second principle of the WebTrust^SM Electronic Seal.

On March 11, Deborah Coulter organized a team of professionals to meet with both employees of DARE and the systems engineers who designed the online DARE operations. Getting the engagement would only be half the battle for Ms Coulter. The other half of the battle in this new line of business was in convincing A&K partners that the initial and annual fees eventually agreed upon for the DARE assurance services outweighed the risks to A&K in providing such services. This new line of business was still looked upon with skepticism by most audit and tax partners.

On the up side, there is a driving force of change in public accounting practices around the nation. Consulting revenues of large international accounting firms like A&K are growing at much faster rates than traditional audit and tax services. In addition, consulting profit margins are enormous compared to thinning margins from audit and tax engagements.

On the downside, A&K partners feel more in control of the lawsuit and reputation risks in auditing and tax services. Some newer assurance services do not pose a serious threat in the eyes of A&K partners. For example, elder care assurance services do not appear to be especially risky since A&K can schedule random visits to care centers and pay whistle blowing rewards to employees of care centers.

Deborah Coulter is keenly aware that what worries her superiors the most are the inventive ways in which hackers and crackers are able to break into the most secure computer and networking systems on earth, including the most secure systems in the Pentagon. See Footnote 4.  Whereas hackers invade systems as a challenge without evil intentions, crackers break into systems intending to steal from or otherwise injure the system. Stealing can be parasitic over time or a single-incident theft. Smart crackers are patient and resist stealing or otherwise letting intentions be known for long periods of time. Sometimes there is only information theft from the host (e.g. stealing cookies) that is later used to steal from or otherwise harm innocent third parties. If Pentagon systems can be cracked by whiz kids, what is the risk of A&K assurance services to DARE? Also what is the risk that a disgruntled employee will leave the cookie jar open or sell passwords or other confidential information to criminals?