|Trust Services Principles and Criteria Overview
Trust Services are defined as a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. Trust Services Principles and Criteria are issued by the Assurance Services Executive Committee of the AICPA.
The document, Trust Services Principles, Criteria, and Illustrations provides guidance when providing assurance services, advisory services, or both on information technology (IT)-enabled systems including electronic commerce (e-commerce) systems. It is particularly relevant when providing services with respect to security, availability, processing integrity, online privacy, and confidentiality.
The increased use of technology, the increased use of third-party service providers for significant components of information processing systems, and the advent of new technologies have created more complex systems and new business processes to increase productivity and efficiency. With the more complex systems and new processes, issues of trustworthiness, such as reliability, privacy, and security, have become paramount. With these changes, there are increased business opportunities and risks.
Trust Services helps differentiate entities from their competitors by demonstrating to stakeholders that the entities are attuned to the risks posed by their environment and equipped with the controls that address those risks. Therefore, the potential beneficiaries of Trust Services assurance reports are consumers, business partners, creditors, bankers and other creditors, regulators, outsourcers and those using outsourced services, and any other stakeholders who in some way rely on electronic commerce (e-commerce) and IT systems.
In the context of trust services, advisory services include strategic, diagnostic, implementation, sustaining, and managing services using trust services principles and criteria. Practitioners providing such services follow CS section 100, Consulting Services: Definitions and Standards (AICPA, Professional Standards, vol. 2). The practitioner does not express an opinion in these engagements.
The following principles and related criteria have been developed by the AICPA and the Canadian Institute of Chartered Accountants (CICA) for use by practitioners in the performance of trust services engagements:
- Security. The system is protected against unauthorized access (both physical and logical).
- Availability. The system is available for operation and use as committed or agreed.
- Processing integrity. System processing is complete, accurate, timely, and authorized.
- Confidentiality. Information designated as confidential is protected as committed or agreed.
- Privacy. Personal information is collected, used, retained, disclosed, and destroyed in conformity with the commitments in the entity’s privacy notice and with criteria set forth in generally accepted privacy principles issued by the AICPA and CICA.
The trust services principles and criteria of security, availability, processing integrity, and confidentiality are organized in four broad areas:
- Policies. The entity has defined and documented its policies relevant to the particular principle.
- Communications. The entity has communicated its defined policies to responsible parties and authorized users of the system.
- Procedures. The entity placed in operation procedures to achieve its objectives in accordance with its defined policies.
- Monitoring. The entity monitors the system and takes action to maintain compliance with its defined policies.
Download Trust Services Principles and Criteria. For more details and to access the full illustration, purchase the Technical Practice Aid.
The Trust Services Principles and Criteria are effective as of September 15, 2009.
SysTrust and WebTrust are two specific assurance services offerings developed by the AICPA and CICA that are based on the Trust Services Principles and Criteria. Practitioners must be licensed by the CICA to use these registered service marks. For more information on licensure, visit the WebTrust website.