Trust Services and Information Integrity
The ASEC Trust Information Integrity Task Force is responsible for the technical accuracy of the Trust Services Criteria (TSC), including expanding its scope for entity-wide engagements and developing related services leveraging the TSC.
The TSC are control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity. The TSC are classified into the following categories:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.
The TSC can be found in the publication Trust Services Criteria.
The Task Force has developed the Guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
Learn more about System and Organization Control (SOC) reporting.
In conjunction with the Canadian Institute of Chartered Accountants, the task force recently issued a white paper on Information Integrity. The purpose of the paper is to define what information integrity means and provide context for it for users and preparers of information and providers of assurance on such information. The white paper focuses on what it means for information to have integrity and how information integrity can be achieved and maintained.
Trust Services Criteria Mapping
The task force has developed mappings of the Trust Services Criteria to various frameworks to assist practitioners utilizing the SOC 2® reporting framework to report on additional subject matter.
The AICPA has developed an illustrative report to assist CPAs in reporting on an examination of a pharmacy management application (PMA) or an electronic prescription application (EPA) for electronically prescribing controlled substances. The examination is performed under AT-C section 105, Concepts Common to All Attestation Engagements (AICPA, Professional Standards), and AT-C section 205, Examination Engagements (AICPA, Professional Standards), to meet the requirements in Part 1311.300 of the rule requiring that the application provider of an EPA or PMA undergo “a third-party audit of the application” to determine whether it meets specified requirements contained in the rule.