Trust Services Assurance

Trust Services are defined as a set of professional assurance services based on a common framework, which comprises a core set of principles and criteria. The framework has been designed to address the risks and opportunities associated with information technology. SysTrust and WebTrust are two specific services jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) that use the following Trust Services Principles and Criteria:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Online Privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.

Earlier versions of WebTrust and SysTrust used principles and criteria that were very similar in nature and scope. The Trust Services Principles and Criteria is essentially the merging and harmonization of the previous WebTrust and SysTrust Principles and Criteria. CPA firms can still perform a WebTrust or a SysTrust engagement using the Trust Services Principles and Criteria.

Public accounting firms and practitioners who obtain a WebTrust business license from the AICPA or CICA can provide assurance services to evaluate and test whether a particular eCommerce service meets the selected Trust Services principles and criteria. The WebTrust seal of assurance is placed on the organization's web site following the engagement and signifies the practitioner's unqualified opinion.

A SysTrust engagement allows public accounting firms and practitioners to provide assurance on the reliability of a system using any of the Trust Services Principles and Criteria with the exception of the Online Privacy Principle and Criteria. The Online Privacy Principle and Criteria can only be used for a WebTrust engagement.

The specific evaluation criteria and examples of illustrative controls for each principle can be found on the AICPA web site. You can also read more at the AICPA's web page on Service Organization Control reporting.

If you need further information, feel free to send an e-mail to: info@sas70.com.