Trust Services are defined as a set of professional assurance services based on a common framework, which comprises a core set of principles and criteria. The framework has been designed to address the risks and opportunities associated with information technology. The Trust Services Principles and Criteria were jointly developed by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA), and they are used for Service Organization Control (SOC) 2 and SOC 3 reports. Each principle has an objective as outlined below:
- Security
  - The system is protected against unauthorized access (both physical and logical).
- Availability
  - The system is available for operation and use as committed or agreed.
- Processing Integrity
  - System processing is complete, accurate, timely, and authorized.
- Online Privacy
  - Personal information obtained as a result of e-commerce is collected, used, disclosed, and retained as committed or agreed.
- Confidentiality
  - Information designated as confidential is protected as committed or agreed.
WebTrust and SysTrust were the original assurance services that used principles and criteria that were very similar in nature and scope. WebTrust was originally used to allow business-to-consumer web sites to have an independent CPA firm verify that they had adequate controls and processes to meet the criteria for each principle. The WebTrust seal of assurance was placed on the organization's web site following the issuance of the CPA firm's unqualified opinion. SysTrust was a similar service that focused on determining whether or not an organization's system was reliable.
In 2003, the AICPA and CICA harmonized or merged the previous versions of the WebTrust and SysTrust Principles and Criteria to form the Trust Services Principles and Criteria.
Today, CPA firms can be engaged to issue a SOC 2 or SOC 3 report using any combination of the Trust Services Principles and Criteria. The service organization's management prepares a system description and makes an assertion that it has controls in place to meet the stated criteria for each of the applicable principles.
The specific evaluation criteria and examples of illustrative controls for each principle can be found on the AICPA web site.