The SysTrust service is an assurance service that was jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). It is designed to increase the comfort of management, customers, and business partners with systems that support a business or particular activity. In a SysTrust engagement, the practitioner evaluates and tests whether or not a specific system is reliable when measured against three essential principles: availability, security, and integrity. SysTrust is based on the common framework of the Trust Services Principles and Criteria. Here is a summary of the three Trust Service principles that comprise a SysTrust engagement:

  • Availability. The system is available for operation and use at times set forth in service-level statements or agreements.
  • Security. The system is protected against unauthorized physical and logical access.
  • Integrity. System processing is complete, accurate, timely, and authorized.

Detailed criteria exist for each of the above principles. A fourth principle for Maintainability used to exist in a prior version of the SysTrust service. The criteria and illustrative controls related to the former Maintainability principle have now been folded into the above three principles for Availability, Security, and Integrity. The Trust Services criteria are posted on both the AICPA and CICA web sites. There is also a separate page on this site devoted to Trust Services.

At the completion of a SysTrust engagement, the practitioner renders an opinion on management's assertion (or the actual subject matter) that effective controls were maintained to provide reasonable assurance that the SysTrust principles were achieved. The practitioner can report on all four SysTrust principles or each principle separately. Because the SysTrust principles and criteria are established and available to any user, the practitioner's report does not have to be restricted to specific parties.

A SAS 70 audit engagement is designed to provide information and assurance to user organizations and their auditors regarding the service organization's controls. The service auditor renders an opinion on whether the controls were suitably designed, placed in operation, and operating effectively. The SAS 70 service auditor's report includes the independent auditor's opinion, a description of the service organization's controls, and the results of the service auditor's procedures (in the case of a Type II audit).

The following table highlights some of the specific differences between a SAS 70 audit engagement and a SysTrust engagement:

| | SAS 70 audit engagement | SysTrust engagement |
|---|---|---|
| Nature of the engagement | Provides a report on a service organization's controls related to financial statement assertions of user organizations. | Provides a report on system reliability using standard principles and criteria for all engagements. |
| Are there pre-established control objectives or criteria? | No. | Yes. |
| Objective of the engagement | Information sharing and assurance. Provides detailed information on the design of the system and controls, an opinion on the system description and controls, and the results of the auditor's procedures. | Assurance on a system. No detail on the underlying control procedures is provided. |
| Types of systems addressed by the engagement | Systems that process transactions or data for the user organization. | Any system. |
| Distribution of report | Generally restricted to the service organization, user organizations, and prospective user organizations. | No restrictions. |
| Audience for the report | Service organizations, user organizations (i.e. customers), and auditors of the user organizations. | Stakeholders of the system - for example, management, customers, and business partners. |

Information in the above table taken from version 2.0 of the "AICPA/CICA SysTrust Principles and Criteria for Systems Reliability".

If you are interested in obtaining SysTrust assurance, please send an e-mail to: systrust@sas70.com.

If you need further information, contact us.



Richard commented on 23-Aug-2010 10:56 PM
I would like to know who can perform the SysTrust audit in Taiwan.
Teresa commented on 07-Sep-2011 08:06 AM
I would like to know how to obtain a copy of the SysTrust for a vendor we are currently proposing to do business with.
Patsy commented on 13-Oct-2011 07:16 AM
I would like to know if SysTrust incorporates HR in the audit, like tracking hours etc, combined with amount of transactions processed?