SysTrust® is an assurance service provided by CPAs regarding the reliability of systems; it was developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA). Providing a benchmark for what makes a system reliable, SysTrust® generally defines a reliable system as one that is capable of operating without material error, fault, or failure during a specified period in a specific environment. According to SysTrust®, the following four Trust Services principles are used to evaluate whether a system is reliable.
1. Availability—The system and its stored information are available for operation and use at times set forth in agreements. Availability requires that users of the system be able to input and update system information when needed and that decision makers who use the system's information be able to access the information when needed.
2. Security—The system is protected against unauthorized access to its physical and logical components. System security includes protection of the system's resources and prevents misuse of system software, among other things.
3. Processing Integrity—The system's processing is complete, accurate, timely, and authorized. Processing integrity requires that the system is free to perform its functions as intended, that is, free from manipulation. Note that processing integrity is not the same as data integrity: it does not necessarily mean that the information stored in the system is complete and accurate, because errors introduced previously may still remain in the system.
4. Confidentiality—The entity has established policies and procedures designed to prevent unauthorized access to information that has been designated as confidential while it is transmitted to or stored in its system. Unlike personal information, there are no defined rights of access to confidential information to ensure its accuracy and completeness. Therefore, what counts as confidential information can vary significantly from business to business and is often defined by contractual arrangements.
These principles alone do not provide a reliable system. Rather, criteria supporting and related to each principle are the foundation of the SysTrust® definition of system reliability.
Trust Services Criteria Underlying Its Principles
In general, Trust Services criteria represent control objectives related to reliable systems.
For each of the four Trust Services principles that are to be evaluated for system reliability, criteria have been established against which a system can be evaluated. The criteria address the following features that contribute to system reliability: the definition and documentation of policies, the procedures in place, and system-monitoring activities. The Trust Services criteria are designed to be complete, relevant, objective, and measurable, addressing all of the system components and the relationships between them.
You can perform SysTrust® engagements for your clients to independently test and evaluate a system's reliability as measured against the criteria underlying the four principles just described. The criteria are organized into the following categories:
· Policies—Criteria that address whether the entity has defined and documented its system reliability objectives and the methods it uses to achieve them.
· Communications—Criteria that address whether the entity has communicated its defined policies to authorized users.
· Procedures—Criteria that address the effectiveness of the procedures the entity uses to achieve system reliability.
· Monitoring—Criteria that address the entity's monitoring of its system to maintain compliance with its defined policies and to detect potential impairment to system reliability.
The criteria are designed to be complete, relevant, objective, and measurable. An entity can achieve the criteria by implementing effective system reliability controls. A system is deemed reliable if all the Trust Services criteria for all four principles have been met. For engagements addressing only certain Trust Services principles, all criteria related to those principles must be met.