
Trust Services Principles and Criteria—An Overview
Source: Trust Services Principles, Criteria and Illustrations for Security, Availability, Processing Integrity, Confidentiality, and Privacy (Including WebTrust® and SysTrust®)

Trust Services (including WebTrust® and SysTrust®) are defined as a set of professional assurance and advisory services based on a common framework (that is, a core set of principles and criteria) to address the risks and opportunities of IT. Trust Services principles and criteria are issued by the Assurance Services Executive Committee of the AICPA. Illustrative controls have been provided for each criterion that supports the Trust Services principles.

 

The document, Trust Services Principles, Criteria and Illustrations provides guidance when providing assurance services, advisory services, or both on information technology (IT)-enabled systems including electronic commerce (e-commerce) systems. It is particularly relevant when providing services with respect to security, availability, processing integrity, online privacy, and confidentiality.

 

The increased use of technology, the increased use of third-party service providers for significant components of information processing systems, and the advent of new technologies have created more complex systems and new business processes to increase productivity and efficiency. With the more complex systems and new processes, issues of trustworthiness, such as reliability, privacy, and security, have become paramount. With these changes, there are increased business opportunities and risks.

 

Trust Services helps differentiate entities from their competitors by demonstrating to stakeholders that the entities are attuned to the risks posed by their environment and equipped with the controls that address those risks. The potential beneficiaries of Trust Services assurance reports are therefore consumers, business partners, bankers and other creditors, regulators, outsourcers and those using outsourced services, and any other stakeholders who in some way rely on electronic commerce (e-commerce) and IT systems.

Trust Services—Offerings of SysTrust and WebTrust

 

SysTrust and WebTrust are two specific services developed by the AICPA that are based on the Trust Services Principles, Criteria, and Illustrations. SysTrust engagements are designed for the provision of advisory services or assurance on the reliability of a system. WebTrust engagements relate to assurance or advisory services on an organization's e-commerce system. The Trust Services Principles, Criteria, and Illustrations may, however, be used to offer services other than SysTrust and WebTrust.

 

When a practitioner intends to provide assurance from SysTrust or WebTrust engagements, he or she needs to also follow the performance and reporting standards set forth in Chapter 1, “Attest Engagements,” of Statement on Standards for Attestation Engagements (SSAE) No. 10, Attestation Standards: Revision and Recodification (AICPA, Professional Standards, vol. 1, AT sec. 101), as amended.

 

Only certified public accountants (CPAs) may provide the assurance services of Trust Services that result in the expression of a Trust Services, WebTrust, or SysTrust opinion, and in order to issue SysTrust or WebTrust reports, CPA firms must be licensed by the AICPA.

 

In the context of Trust Services, advisory services include strategic, diagnostic, implementation, and sustaining/managing services that use the Trust Services principles and criteria. They would include, for example, advising clients on system weaknesses, assessing risk, and recommending a course of action, using the Trust Services principles and criteria as a benchmark. Practitioners providing such services follow Statement on Standards for Consulting Services (AICPA, Professional Standards, vol. 2, CS sec. 100). The practitioner does not express an opinion in these engagements.

 

The following principles and related criteria have been developed by the AICPA/CICA for use by practitioners in the performance of Trust Services engagements such as SysTrust and WebTrust.

· Security. The system is protected against unauthorized access (both physical and logical).

· Availability. The system is available for operation and use as committed or agreed.

· Processing integrity. System processing is complete, accurate, timely, and authorized.

· Confidentiality. Information designated as confidential is protected as committed or agreed.

· Privacy. Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.

 

The criteria for each of these principles are organized and presented in four broad areas:

 

· Policies. The entity has defined and documented its policies relevant to the particular principle.

· Communications. The entity has communicated its defined policies to authorized users.

· Procedures. The entity uses procedures to achieve its objectives in accordance with its defined policies.

· Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.


Copyright © 2006 by the American Institute of Certified Public Accountants, Inc., New York, New York.