
GROUP ASSIGNMENT:

Audit Case of
Jacksonville Jaguars (Case 6.2)

By Group Accounting Class - Auditing:


Amellia Samantha / 008201500036
Jersey Purba / 008201500057
Samuel Alexander / 008201500028
Stephanie Angelica / 008201500095
Batch 2015
Auditing Seminar Subject
Lecturer: Gatot Imam Nugroho

President University
Jalan Ki Hajar Dewantara, Cikarang,
West Java - Indonesia
(021) 89109762

July 2018
Case 3.3 Jacksonville Jaguars

Evaluating IT Benefits and Risks and Identifying Trust Services Opportunities

I. Summary

The Jacksonville Jaguars National Football League (NFL) team is taking advantage of
electronic payments technologies in the sale of stadium snacks and souvenirs. At Alltel
Stadium where the Jaguars play their home games, football fans can use Spot Cards to
purchase soft drinks, beer, popcorn, and Jaguar souvenirs rather than fumble for cash and
change when making their purchases.

The Spot Card offers both benefits and costs to fans in the stadium. The use of
electronic payment technologies offers advantages for snack and souvenir vendors by
providing better information for monitoring their businesses. Although electronic payment
technologies offer improvements for the fans and vendors, those who rely on the Spot Card to
process sales need assurance that the technology and related information produced is accurate
and reliable.

Some of the key facts of the case are as follows:

• The stadium where the Jacksonville Jaguars NFL team plays football began taking
advantage of electronic commerce in the sale of stadium souvenirs and snacks in
1995.

• When the system was implemented, fans began to use electronic Spot Cards
in lieu of cash to purchase snacks and souvenirs from vendors roaming the stands
and from vendors at permanent locations inside the stadium. The Spot Card is swiped
through point-of-sale (POS) machines, which calculate the sales amounts for
approval by the customer before the amount owed is deducted from the balance in
the chip on the Spot Card.

• Fans purchase Spot Cards using ATM-like machines that allow them to transfer funds
from their bank or credit card account onto an electronic chip embedded in the Spot
Card.

• The battery-operated POS machines capture information about each transaction,
including the customer’s card number, the location where the merchandise was sold,
and the date and time of the transaction.

• After the game, vendors download data contained in their POS machines to a
computer located in the stadium counting room.

• Once all data is downloaded to the stadium computer, the data is transmitted to a host
computer at First Union Bank (now part of Wachovia Corporation) in
Jacksonville. The host computer uses the data to settle that day’s sales with
each vendor in the stadium and generates reports containing detailed
information about sales volumes for specific products sold in specific sections of
the stadium.

• First Union Bank receives a fee from every transaction, and the bank collects
the remaining balance on unused Spot Cards at the end of two years.

• The AICPA’s Trust Services Principles and Criteria provide a framework for
CPAs to provide assurance about IT system reliability for systems like the Spot Card
system at Alltel Stadium.

• Reliance on the Spot Card technology at the Jacksonville stadium presents
stadium vendors, customers, and First Union Bank numerous risks that must be
considered. The presence of those risks provides CPAs opportunities to provide
assurance about the reliability of the Spot Card technology.

II. Learning Objectives

1. Identify benefits to businesses from implementing information technology.

IT has many benefits for and other business people. It helps people connect
virtually from a computer, smartphone, or any other type of device that has Internet
access. Business people can talk to foreign partners using video conferencing,
messenger, email, and a shared network. Businesses can promote diversity by hiring
people from all over the world. This allows employees to become more aware of other
cultures and backgrounds.

Next, IT opens doors for businesses to work mostly virtually. Experienced
workers can educate others from other parts of the world. They can work together to
tackle any project. Employees are empowered to make choices. This gives them more
freedom to express their ideas and make the needed fixes when a problem arises.
Employees also learn to collaborate with one another and build long-lasting
partnerships and strong work relationships. This type of atmosphere creates a
boundary-less organization. Additionally, IT helps businesses work together, or
network. Software programs and hardware devices make it possible to connect to
many different companies without driving or flying to their actual locations.
Furthermore, many businesses rely on IT for storage programs and security programs.
For instance, a company could use a storage program to keep its financial
information. It could have a security system to keep all customer information
protected.

In the case of the Jacksonville Jaguars, IT helps in the business transaction
process by allowing them to receive payment through the Spot Card, which minimizes the
risk of money theft.

2. Recognize risks that are associated with the use of information technology.

There are some risks that can be faced from the use of information technology:

• IT structures that fail to support operations or projects.

• Failure to control IT assets such as loss of mobile devices.

• Downtime of IT services.

• IT programs, projects or operations teams that go over budget.

• A failure to control change to complex systems including practices such as
change management and configuration management.

• Loss of data that cannot be restored.

• An inability to secure resources such as skilled employees.

• Security vulnerabilities such as weak passwords and poorly designed software.

• Security threats such as malware and hackers.

3. Understand the Trust Services® Principles and Criteria framework of assurance
services.

The TSC are control criteria for use in attestation or consulting engagements
to evaluate and report on controls over information and systems (a) across an entire
entity; (b) at a subsidiary, division, or operating unit level; (c) within a function
relevant to the entity's operational, reporting, or compliance objectives; or (d) for a
particular type of information used by the entity. The TSC are classified into the
following categories:

• Security. Information and systems are protected against unauthorized access,
unauthorized disclosure of information, and damage to systems that could
compromise the availability, integrity, confidentiality, and privacy of
information or systems and affect the entity’s ability to meet its objectives.

• Availability. Information and systems are available for operation and use to
meet the entity’s objectives.

• Processing integrity. System processing is complete, valid, accurate, timely,
and authorized to meet the entity’s objectives.

• Confidentiality. Information designated as confidential is protected to meet the
entity’s objectives.

• Privacy. Personal information is collected, used, retained, disclosed, and
disposed to meet the entity’s objectives.

4. Distinguish between SysTrust® and WebTrust® services.

WebTrust and SysTrust are two specific services developed by the AICPA and
Canadian Institute of Chartered Accountants (CICA) based on the Trust Services
Principles and Criteria. Both services are based on the common framework (i.e., a
core set of principles and criteria) established in the Trust Services Principles and
Criteria. The WebTrust service evaluates an eBusiness client’s privacy, security,
availability, confidentiality, consumer redress for complaints, and business practices.
The SysTrust service examines a particular client’s information system to assure the
availability, security, integrity, and maintainability of that system.

WebTrust and SysTrust services differ from each other in a variety of ways.
WebTrust Services are focused more specifically on e-commerce and building
confidence with individual and business consumers who are purchasing a product(s)
or service(s) online. The WebTrust services highlight matters such as security,
privacy, availability, confidentiality, and processing integrity. Once an online
business has received a WebTrust examination and demonstrated compliance with the
principles and criteria, the website of that company can display the authentic
WebTrust seal of approval.

In order to maintain the seal of approval, the online business must be re-evaluated
once every 12 months to assure that the company continues to be in
compliance with the Trust Services Principles and Criteria for their eBusiness
application. On the other hand, SysTrust services are focused on providing assurance
that a company has an effectively controlled information system. Relevant Trust
Services Principles and Criteria for the SysTrust services address five areas: security,
availability, processing integrity, confidentiality, and privacy. In a SysTrust
engagement, not only does the CPA evaluate if the company is in harmony with the
principles and criteria, but also determines if the system is effectively controlled. The
performed tests are to determine whether those controls were operating effectively
during a specified period. If the system meets the SysTrust criteria, an unqualified
attestation report is issued relative to management’s written assertion that the controls
over the system have been effectively maintained over that period of time in
accordance with SysTrust principles.

5. Determine how CPAs can provide assurance about processes designed to reduce
risks created when new information technology systems are introduced.

Under the Trust Services framework, CPAs can be engaged to perform an
AICPA SysTrust data. In doing so, CPAs might test the integrity of an information
system by analysing sample IT provide users with assurance that an IT system has
been properly designed and determine whether systems are secure and whether
adequate contingency plans are in place in service to provide assurance regarding the
reliability of IT systems. In these engagements, CPAs can reliable output for
accuracy. Assurance providers can also provide valuable services to help
organizations the event of system failure or disaster.

III. Required

1. To become more familiar with these assurance services opportunities, obtain a copy
of the Trust Services Principles and Criteria, which can be located on the
Internet. Use your internet browser to locate a copy of the framework by
conducting a search for “Trust Services Principles and Criteria.” Most likely you
will find a link to the framework posted on the AICPA’s “Information
Technology Center” Web page (http://infotech.aicpa.org). Use the framework to
complete the following exercises:

a) Summarize in your own words the objective of a Trust Services engagement.

The AICPA defines Trust Services as professional assurance and advisory services
based on a common framework to address the risks and opportunities associated
with information technology (IT). The advent of new technologies has created
more complex systems and business processes to increase productivity and
efficiency. With these new technologies, issues of trustworthiness, reliability, security,
and availability arise. Trust Services provide a framework for CPAs to provide
assurance to third parties about these issues.

b) What are the five Trust Services Principles? Provide a brief description
of each Principle.

The Trust Services framework consists of these five principles:

• Availability: Determines whether the system is available for operation and
use as committed or agreed.

• Security: Determines whether the system is protected against unauthorized access
(physical and logical).

• Processing Integrity: Determines whether the system processing is complete,
accurate, timely, and authorized.

• Online Privacy: Determines whether personal information that is obtained as
a result of e-commerce is collected, used, disclosed, and retained as committed
or agreed.

• Confidentiality: Determines whether information designated as confidential is
protected as committed or agreed.

c) For each of the five Trust Services Principles, describe why management at Alltel
Stadium or fans in the stadium might want assurance about how the Spot Card
technology complies with each of the five Trust Services Principles. For
example, why might management be interested in obtaining assurance about the
Spot Card’s system’s compliance with the “Security” principle?

Management and the fans at Alltel Stadium may want assurances about each of the
five Trust Services Principles as noted briefly below:

• Availability: Both management and fans want a system that is available at
all times the stadium is in use. If the system suffers from periodic
downtimes, confidence and reliance on the system would seriously erode.

• Security: The various stadium vendors want to ensure that the transactions they
enter and all related information related to pricing, sales, and inventory are secure.
Similarly, fans want to know that any information about their cash balances, both
on the Spot Card and at the bank, are secure.

• Processing Integrity: Both management and fans want to be assured that
transactions via the Spot Card are processed at agreed upon terms. If system
errors are introduced, use of the Spot Card will decline.

• Online Privacy: To the extent the Internet is used by management to transmit data
from the stadium to the bank, there is a concern that vendor information may not
be secure. And, to the extent fans can use the Internet to pre-load Spot Cards with
cash balances, there would be significant fan concerns that their personal
information is protected.

• Confidentiality: Vendors would want assurances that vendor-specific
information captured and stored is confidentially maintained. Similarly, the
confidentiality of any records of fan purchasing activities would be important to
the fans.

d) What are the purposes of “Principles” and “Criteria”? How do they relate and how
do they differ?

The five Trust Services Principles reflect broad statements of objectives that
should be achieved. For each principle, the Trust Services framework contains
Criteria, which demonstrate the attributes that the entity must meet to be able to
demonstrate that it has achieved the principle. The Criteria are to be used as
benchmarks to measure and present the subject matter and against which the practitioner
evaluates the subject matter.

e) What is the relationship between a SysTrust engagement and the Trust Services
Principles and Criteria? You may need to conduct an Internet-based search to locate
more information about SysTrust services.

SysTrust services use the following four Trust Services Principles to evaluate whether
a system is reliable:

• Availability: Determines whether the system is available for operation and use as
committed or agreed.

• Security: Determines whether the system is protected against unauthorized access
(physical and logical).

• Processing Integrity: Determines whether the system processing is complete,
accurate, timely, and authorized.

• Confidentiality: Determines whether information designated as confidential is
protected as committed or agreed.

For each principle, the Trust Services framework contains criteria, which
demonstrate the attributes that the entity must meet to be able to demonstrate that
it has achieved the principle. A practitioner may provide a SysTrust service related
to a single criterion (e.g., Availability) or all criteria in combination. The criteria
are to be used as benchmarks to measure and present the subject matter and
against which the practitioner evaluates the subject matter. In order to receive an
unqualified opinion, all criteria for a principle must be met unless the criterion is clearly
not applicable. The principles and criteria are organized along four broad categories:
policies, communications, procedures, and monitoring.

With a SysTrust engagement a CPA issues an attestation report to signify that
management of a company has maintained effective controls to enable its system to
function reliably in accordance with SysTrust criteria, and that those controls
operate effectively within a specified period of time.

If one or more of the principles and criteria are not fulfilled, a CPA can issue
a qualified or adverse report - directly on the subject matter rather than on
management’s assertion. A SysTrust report can be issued on any one or more of the four
principles.

f) What is the difference between a SysTrust engagement and a WebTrust engagement?
You may need to conduct an Internet-based search to locate more information about
these services.

WebTrust and SysTrust are two specific services developed by the AICPA based on
the Trust Services Principles and Criteria. Both services are based on the common
framework (i.e., a core set of principles and criteria) established in the Trust
Services Principles and Criteria. The WebTrust service evaluates an eBusiness client’s
privacy, security, availability, confidentiality, consumer redress for complaints, and
business practices. The SysTrust service examines a particular client’s information
system to assure the availability, security, integrity, and maintainability of that
system.

WebTrust and SysTrust services differ from each other in a variety of ways. WebTrust
services are focused more specifically on e-commerce and building
confidence with individual and business consumers who are purchasing a
product(s) or service(s) online. The WebTrust services highlight matters such as
security, privacy, availability, confidentiality, and processing integrity. Once an online
business has received a WebTrust examination and demonstrated compliance with the
Principles and Criteria, the website of that company can display the authentic WebTrust
seal of approval. In order to maintain the seal of approval, the online business must be
reevaluated once every 12 months to assure that the company continues to be in
compliance with the Trust Services Principles and Criteria for their e-business
application.

On the other hand, SysTrust services are focused on providing assurance that a
company has an effectively controlled information system. Relevant Trust Services
Principles and Criteria for the SysTrust services address four areas: security,
availability, processing integrity, and confidentiality. In a SysTrust engagement, not
only does the CPA evaluate if the company is in harmony with the Principles and
Criteria, but also determines if the system is effectively controlled. CPAs perform
tests to determine whether those controls were operating effectively during a specified
period. If the system meets the SysTrust criteria, an unqualified attestation report is
issued relative to management’s written assertion that the controls over the system
have been effectively maintained over that period of time in accordance with
SysTrust principles.

2. The use of IT offers tremendous advantages. At the time of implementation, what
benefits did the use of Spot Cards offer to the following groups:

a. Jaguar Snack and souvenir vendors:

The main benefit of this technology is that salespeople no longer need to
handle cash. Spot Card technology reduces cash handling, which reduces
the risk of loss of cash through misappropriation or any other error.
The technology can also increase the efficiency of salespeople by decreasing the
processing time consumed in sales. With the introduction of POS machines, the
dependency of vendors on salespeople for processing the sales amount correctly is also
reduced. Thus, there is less risk of human error in calculating the sales amount.

b. Fans in the Stadium:

The main benefit of the technology to the fans would be convenience. Fans
can now easily purchase goods by using their Spot Card without any need to
keep cash with them. The card helps deliver products to fans quickly so that
they can pay more attention to the game. Fans also benefit by relying on
POS machines to determine the sales amount correctly.

c. First Union Bank:

The main benefit of Spot Card technology for First Union Bank will be the
income generated from fees related to the sale as well as the installation of the
Spot Card system. Fees from the sale of signature Spot Cards, from additions made to
the balance of Spot Cards, and interest on the outstanding balance of Spot Cards will also
accrue to Union Bank. Finally, assuming that the Jacksonville Spot Card system
works effectively, First Union benefits from the marketing exposure and
publicity associated with the use of the Spot Card technology. Perhaps a Spot
Card user is a business owner that may later engage First Union to implement a
similar technology in another business.

3. While the Spot Card offered several benefits, the use of the related information
technology to process snack and souvenir transactions did create new risks. Identify
risks for the following groups:

a. Snack and souvenir vendors:

Any equipment failure, such as a POS machine failure, can result in lost sales for vendors.
Any error in the design of POS machines for the input of data can also result in
systematic errors in all sales transactions. Errors may occur while the POS machine
accumulates the data of different sales transactions. Loss of data may happen
when downloading the data from the POS machine to the computer in the stadium.
Similarly, loss of data may also happen when data are transferred to the computer of
First Union.

b. Fans in the Stadium:

First, customers rely on the accuracy of the ATM-like machines that are used
to increase the balance maintained on the Spot Card chip. The ATM machines could
incorrectly update the chip balance and/or incorrectly update the fan’s bank balance or
credit card balance. Second, the customers rely on the accuracy of the POS
machines to process each purchase they make with a Spot Card, so that the updating of the
balance remaining on the Spot Card is correctly processed. Third, the
customers run the risk of Spot Card failure whereby the chip is damaged and cannot
be used to process any transaction. Fourth, like vendors, the customer relies on the
POS machine to accurately process the sale. The customer relies on the POS
machine’s ability to process the correct price times quantity for each sales transaction.
Fifth, the customer bears the risk of physical loss or theft of the Spot Card. Finally,
the customer loses cash when the balance is unused after two years.

c. First Union Bank:

The reputation of the bank may be at risk if the whole system fails. There is
also a risk when money is transferred from the bank account to Spot Card balances,
which can also increase the risk of the bank. The bank can also suffer from the risk of
counterfeit Spot Cards. Moreover, First Union was ultimately responsible for
ensuring that the bank’s computer is operational once data is downloaded from the
stadium computer. The bank assumed some risks that the computer correctly
processes transactions for each vendor. The accuracy and completeness of
information processed by the First Union computer was dependent on the bank’s
controls surrounding that system.

4. What processes or controls might the stadium and First Union have implemented to
help reduce these risks?

Stadium: Management of the stadium should have implemented a procedure to make
sure the POS machines are tested on a regular basis. POS machines must have a strong
battery backup so that they can run continuously even if the original power is not there.
The frequency of downloading the data from POS machines to the computers located in the
stadium, which was just once a day, could be increased. Backup copies of data files
could be created with the help of the stadium computers before downloading the data from
the stadium computers to the First Union computer. This would help stadium employees
verify the information against the reports of First Union. The software program
used to process the various transactions on the POS machines could have
included enough checks so that the accuracy of transactions could be maintained.
Management of the stadium also had to make sure that all operators of POS machines are
trained in their operation.

First Union Bank: Besides backup controls and other contingencies as mentioned
above, First Union must have had effective contingency plans for the computers at its
premises. The bank should also have properly invested in the development of backup plans
for safeguarding itself against any natural disaster. The bank would also need to make sure
that no data are lost during the transmission from the stadium to the bank. Encryption
techniques and the use of batch control would help in reducing the chances of errors during
the transmission of data.
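
The batch control described above, as an added example that is not part of the original case material: the stadium computer attaches a record count, an amount total and a hash total to each POS download, and the bank host recomputes them on receipt. The record layout, the function names, the sample sales and the shared-key HMAC tag (which covers integrity in transit only, not confidentiality) are assumptions made for illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Sale:
    card_number: int    # Spot Card number captured by the POS machine
    location: str       # where the merchandise was sold
    timestamp: str      # date and time of the transaction
    amount_cents: int   # amount deducted from the card balance


def control_totals(sales):
    """Batch controls: record count, amount total and hash total."""
    return {
        "record_count": len(sales),
        "amount_total_cents": sum(s.amount_cents for s in sales),
        # Hash total: a sum with no business meaning, kept only to catch a
        # record replaced by a different one carrying the same amount.
        "card_hash_total": sum(s.card_number for s in sales),
    }


def _tag(header, sales, key):
    """Keyed digest over the header and the records in canonical form."""
    rows = [[s.card_number, s.location, s.timestamp, s.amount_cents] for s in sales]
    data = json.dumps(header, sort_keys=True) + json.dumps(rows, separators=(",", ":"))
    return hmac.new(key, data.encode(), hashlib.sha256).hexdigest()


def build_batch(pos_id, sales, key):
    """Stadium side: attach control totals and a tag before transmission."""
    header = {"pos_id": pos_id, **control_totals(sales)}
    return {"header": header, "sales": list(sales), "tag": _tag(header, sales, key)}


def reconcile(batch, key):
    """Bank side: list every discrepancy; an empty list means accept."""
    header, sales = batch["header"], batch["sales"]
    problems = []
    if not hmac.compare_digest(_tag(header, sales, key), batch["tag"]):
        problems.append("tag mismatch")
    for field, received in control_totals(sales).items():
        if header.get(field) != received:
            problems.append(f"{field}: header={header.get(field)} received={received}")
    return problems


# Constructed sample data (not from the case): one POS machine's download.
DEMO_KEY = b"demo-key-shared-by-stadium-and-bank"
SAMPLE_SALES = [
    Sale(100231, "Section 112", "2018-07-01T13:05", 450),
    Sale(100877, "Section 112", "2018-07-01T13:20", 1200),
    Sale(101455, "Gate 3 stand", "2018-07-01T13:42", 375),
]

if __name__ == "__main__":
    batch = build_batch("POS-17", SAMPLE_SALES, DEMO_KEY)
    print("clean batch:", reconcile(batch, DEMO_KEY))
    batch["sales"] = batch["sales"][:-1]  # simulate a record lost in transit
    print("after losing one record:", reconcile(batch, DEMO_KEY))
```

A stadium employee holding the backup copy of the download can rerun `control_totals` on it and compare the figures with the bank's settlement report.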

5. What kind of information could the CPA examine and evaluate in order to assure
stadium vendors that they can reasonably rely on the Spot Card System to conduct
business?

A CPA may structure a SysTrust-based assurance service. There is a strong possibility
that stadium vendors would only value the assurance which is related to the
appropriateness of processes and procedures developed by First Union and stadium
management. For instance, the CPA firm can conduct an examination of policies as well as
procedures that were designed to make sure that all POS machines are properly
maintained. The CPA firm may also conduct tests of sales transactions to make sure that
POS machines are able to identify unit prices correctly and determine totals of sales
transactions accurately. Also, the CPA firm can review the download procedure
conducted at night to make sure that all POS machines are part of the download. Other
evidence about system security and backup and contingency planning would also likely
be obtained.

6. Using Trust Services Principles and Criteria for the “Online Privacy Principle”,
develop an online privacy policy for Alltel that could be posted on the stadium’s
website for customers to review before using the Spot Card Technology.

The Trust Services Principles for Online Privacy:

The principle has its main focus on the protection of personal information of
customers which an organization collects through e-commerce systems. Here, privacy can
be defined as “all rights and obligations of individuals as well as organizations related to
collection, usage, retention, and disclosure of personal information.” Examples of
personal information include the customer’s name, address, phone number, insurance,
social security number, credit card number, employer, family information, and
employment history. Since customers should have enough confidence in an organization
that their information is protected, many companies disclose their privacy
policies on their website.

An online privacy policy for Alltel Stadium can be developed on the basis of the
following nine privacy practices, developed by the AICPA, that are important for the
management of confidential and private information of customers:

1) Notice: An entity should inform customers about its privacy policies and practices
at or before the time information is collected or as soon as practicable thereafter.
The notice should describe the purpose for which personal information is
collected and how it will be used.
2) Choice and Consent: An organization should make all possible choices available
to its customers and should obtain their consent for collecting, disclosing, and
retaining of personal information.
3) Collection: An organization should only collect the information which is required
as per the objective mentioned in the notice.
4) Use and Retention: An organization should only use the personal information for
the objective mentioned in the notice.
5) Access: Customers should be able to access their personal information for different
purposes like correction, deletion, and updating.
6) Onward transfer and disclosure: An organization should disclose personal
information of customers to the third parties as per the purpose defined in the
notice.
7) Security: An organization should take enough care to protect the personal
information of customers from loss, destruction, misuse and unauthorized access.
8) Integrity: An organization should take enough care for whatever information it
collects from the customer because it should be relevant as per the objective.
9) Management and enforcement: The entity should provide procedures for
assurance of compliance with its own privacy policies and independent recourse
procedures to address any unresolved complaints and disputes. The entity
should designate one or more individuals who are accountable for the entity’s
compliance with its privacy policies.
