Trust Services are defined as a set of professional assurance services based on a common framework, which comprises a core set of principles and criteria. The framework has been designed to address the risks and opportunities associated with information technology. The Trust Services Principles and Criteria were jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), and they are used for Service Organization Control (SOC) 2 and SOC 3 reports. Each principle has an objective as outlined below:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Online Privacy: Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
WebTrust and SysTrust were the original assurance services; they used principles and criteria that were very similar in nature and scope. WebTrust was originally used to allow business-to-consumer web sites to have an independent CPA firm verify that they had adequate controls and processes to meet the criteria for each principle. The WebTrust seal of assurance was placed on the organization’s web site following the issuance of the CPA firm’s unqualified opinion. SysTrust was a similar service that focused on determining whether or not an organization’s system was reliable.
In 2003, the AICPA and CICA harmonized or merged the previous versions of the WebTrust and SysTrust Principles and Criteria to form the Trust Services Principles and Criteria.
Today CPA firms can be engaged to issue a SOC 2 or SOC 3 report using any combination of the Trust Services Principles and Criteria. The service organization management prepares a system description and makes an assertion that it has controls in place to meet the stated criteria for each of the applicable principles.
The specific evaluation criteria and examples of illustrative controls for each principle can be found on the AICPA web site.
If you need further information, feel free to contact us.
More About SSAE 16
New AICPA SOC 1 Guide – Now Available
The AICPA has updated and issued the SOC 1 Guide, “Service Organizations – Reporting on Controls at a Service Organization Relevant to User Entities’ Internal Control Over Financial Reporting,” as of May 1, 2013. The book is available from the AICPA at www.cpa2biz.com (publication AAGASO13P).
SSAE No. 16 is now effective
The new service organization reporting standard, Statement on Standards for Attestation Engagements (SSAE) No. 16, is effective as of June 15, 2011. SSAE 16 supersedes Statement on Auditing Standards (SAS) No. 70 as the professional guidance on performing the service auditor’s examination.
New AICPA Web Page on Service Organization Control (SOC) Reporting
The AICPA has a new online resource dedicated to providing information on Service Organization Control (SOC) reporting including the new SSAE 16 standard. It can be viewed here.
Welcome to our new site. SSAE16.com is officially launched.