CPAs in business and industry can also use the Trust Services Principles & Criteria as a framework for internal control self-assessments, benchmarking, implementation and monitoring programs. They cannot, however, provide independent verification that the Principles and Criteria have been met.

SysTrust is designed to meet a number of different needs for businesses. As a result, businesses can either choose to use the Security, Availability, Confidentiality, and Processing Integrity principles and criteria individually or in some combination. There is one branded SysTrust service called SysTrust for System Reliability, which uses the security, availability and processing integrity principles.

Developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), SysTrust is currently being offered by licensed CPAs in the United States, and their international equivalents in several other countries around the world.

How Do You Know That a Web site Meets the SysTrust Standards?

A Web site that has met the Trust Services principles and criteria is eligible to display the SysTrust seal for that subject matter area on its site. Clicking on the seal allows customers to link to the CPA's examination report, the site's business practices and policies, and the Trust Services Principles and Criteria used to examine the business. The customer can also review the date on which the seal was granted, its expiration date and links to other e-commerce sites with active SysTrust seals.

Back to top

What Does a SysTrust Seal Signify?

A SysTrust seal demonstrates that a system has been examined by a qualified, independent CPA who has verified that the system's controls are operating effectively for the period reported on.

Back to top

Is There a Trust Services Seal Usage Guide?

The AICPA and CICA have developed a seal usage guide which highlights the standards for the use and display of the SysTrust and WebTrust seals (the "Marks").  It sets out the parameters for the display of the seal on practitioners' sites in support of the program and by clients that have successfully undergone a SysTrust or WebTrust audit.  It also covers the use of the various Marks by licensees and their clients in promotional materials. 

Back to top

Why Should I Offer SysTrust?

SysTrust is a strategic opportunity for CPAs to extend their core competencies and skills to existing and potential new clients. SysTrust positions a CPA firm for emerging opportunities in technology as well as affords them some protection from the erosion of other more traditional service lines.

SysTrust also provides CPAs with additional tools to protect the public interest as well as to help businesses enhance their corporate governance tools.

Back to top

I Work in Industry, How Can I Use SysTrust?

AICPA members in industry can benefit from SysTrust in several ways. Use the principles and criteria:

• As a guideline to setting up appropriate controls and systems that will instill confidence and trust.
  
  
• As a method of evaluating a system to determine whether it meets certain principles and criteria and employs best practices.
  
  
• As an internal method of assurance and self-assessment that management, the Board, and others can rely upon.

Back to top

How Do I Begin Offering SysTrust?

CPA firms whose owners are each members in good standing of the AICPA are eligible to be licensed as providers of Trust Services. To maintain the SysTrust program's quality and goal of building public confidence in systems, CPA firms are asked to sign a licensing agreement that prescribes some readily attainable requirements necessary for the program's success. These include: agreeing to follow the program's professional standards and participating in a quality assurance program.

Back to top

What Competencies Are Required to Offer SysTrust?

Most of the SysTrust service is based on expertise that CPAs who provide attest services in computerized environments already possess. At a minimum, additional skills, which can be readily attained if the CPA does not already possess them, include the following:

1. a working knowledge of Internet technologies, protocols and security techniques; and
   
2. specific controls and best practices a company should implement.

Final determination of a CPA's competency must be made by that CPA and based on requirements within professional standards.

Back to top

Are There Any Costs Incurred by a CPA Firm in Order to Offer SysTrust Services?

When a firm chooses to offer assurance services in the SysTrust program, there will be some costs incurred, including:

• Licensing fee.This fee will be used to provide on going promotion for the program.
  
  
• Per-seal charges. A seal management and maintenance fee is charged for access to the Internet-based seal issuance system.

Back to top

What Are the Professional Liability and Risk Management Considerations Related to SysTrust?

Each practitioner needs to evaluate this service opportunity in accordance with the firm's own professional liability and risk management policies.

Back to top

Does My CPA Firm's System Need to Earn a SysTrust Seal?

Not necessarily. If your firm's System is related to e-commerce, the firm can certainly benefit by earning and displaying the SysTrust seal. In addition, even if a seal is not needed on a website, the assurance received from a SysTrust attest service may be exactly what is needed by your management and board of directors. Of course, an independent third party must perform the SysTrust examination.

Back to top

How Often Must I Examine the Client's System to Ensure That the System Controls Are Operating Effectively?

As with all engagements, professional judgment must exercised. Considerations include: terms of the engagement, type of system, report content, changes which may affect the control environment, and other matters which may come to the practitioner's attention. However, at a minimum, the report must be refreshed every year.

Back to top

Yes, if a CPA firm fails to substantially comply with the SysTrust program's requirements, their license to issue SysTrust seals may be revoked. The primary goal of SysTrust is to protect the public interest and instill confidence in systems. This requires all CPAs to be in full compliance with the license agreement.

Back to top

How Do I Control The Client's Use of the Systrust Seal?

Under the SysTrust program, CPA firms are required to revoke the SysTrust seal for systems that fall out of compliance with the Trust Services principles and criteria. Using the seal management process, the practitioner can revoke the seal, disabling the functionality of the reporting process. You can also provide a copy of the Trust Services Seal Usage Guide to your client.

Back to top

Why Are CPAs Most Qualified to Offer Assurance Services Like SysTrust?

CPAs are recognized as independent parties that provide assurance as to the accuracy and fairness of many types of financial and non-financial information. CPAs must meet strict ethical, educational, and other professional requirements. They bring their independence, objectivity, and in-depth knowledge of business and technical expertise to the Internet with SysTrust.

Back to top