Trust Services Assurance

SOC 2 and SOC 3 reports use the AICPA Trust Services Criteria to allow the auditor to conclude whether adequate controls have been designed and are operating effectively for a given system.

Trust Services are defined as a set of professional assurance services based on a common framework, which is comprised of a core set of principles and criteria. The framework has been designed to address the risks and opportunities associated with information technology. SysTrust and WebTrust were two specific services jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) that use the following Trust Services Principles and Criteria:

  • Security: The system is protected against unauthorized access (both physical and logical).
  • Availability: The system is available for operation and use as committed or agreed.
  • Processing Integrity: System processing is complete, accurate, timely, and authorized.
  • Online Privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
  • Confidentiality: Information designated as confidential is protected as committed or agreed.

Earlier versions of WebTrust and SysTrust used principles and criteria that were very similar in nature and scope. The Trust Services Principles and Criteria are essentially the merging and harmonization of the previous WebTrust and SysTrust Principles and Criteria. CPA firms can still perform a WebTrust or a SysTrust engagement using the Trust Services Principles and Criteria.

Public accounting firms and practitioners who obtain a WebTrust business license from the AICPA or CICA can provide assurance services to evaluate and test whether a system meets the selected Trust Services principles and criteria. The WebTrust seal of assurance is placed on the organization's web site following the engagement and signifies the practitioner's unqualified opinion.

A SysTrust engagement allows public accounting firms and practitioners to provide assurance on the reliability of a system using any of the Trust Services Principles and Criteria with the exception of the Online Privacy Principle and Criteria. The Online Privacy Principle and Criteria can only be used for a WebTrust engagement.

The specific evaluation criteria and examples of illustrative controls for each principle can be found on the AICPA web site. You can also read more at the AICPA's web page on System and Organization Controls reporting.

If you need further information, feel free to send an e-mail to: info@sas70.com.