Trust Services and Information Integrity
The ASEC Trust Information Integrity Task Force is responsible for the technical accuracy of the Trust Services Criteria (TSC), including expanding its scope for entity-wide engagements and developing related services leveraging the TSC.
The TSC are control criteria for use in attestation or consulting engagements to evaluate and report on controls over information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity's operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity. The TSC are classified into the following categories:
- Security. Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
- Availability. Information and systems are available for operation and use to meet the entity’s objectives.
- Processing integrity. System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
- Confidentiality. Information designated as confidential is protected to meet the entity’s objectives.
- Privacy. Personal information is collected, used, retained, disclosed, and disposed of to meet the entity’s objectives.
The TSC can be found in the publication Trust Services Criteria.
The Task Force has developed the Guide, SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy.
Learn more about System and Organization Control (SOC) reporting.
Trust Services Criteria Mapping
The task force has developed mappings of the Trust Services Criteria to various frameworks to assist practitioners who use the SOC 2® reporting framework in reporting on additional subject matter.
The AICPA has developed an illustrative report to assist CPAs in reporting on an examination of a pharmacy management application (PMA) or an electronic prescription application (EPA) for electronically prescribing controlled substances. The examination is performed under AT-C section 105, Concepts Common to All Attestation Engagements (AICPA, Professional Standards), and AT-C section 205, Examination Engagements (AICPA, Professional Standards), to meet the requirements in Part 1311.300 of the rule, which requires that the application provider of an EPA or PMA undergo “a third-party audit of the application” to determine whether it meets specified requirements contained in the rule.
Data and information integrity
In conjunction with the Canadian Institute of Chartered Accountants, the task force issued a white paper on information integrity. The purpose of the paper is to define what information integrity means and to provide context for users and preparers of information and for providers of assurance on such information. The white paper focuses on what it means for information to have integrity and on how information integrity can be achieved and maintained.
In addition, the task force recently developed Criteria for Describing a Set of Data and Evaluating Its Integrity, together with a background document of illustrative use cases for applying the criteria. The new criteria can be used to assist management, boards of directors, internal auditors, and other stakeholders in determining the relevance of the data to the users’ purpose and in making decisions based on that set of data. The new criteria can also be used by a CPA in an attestation engagement on the description or the set of data. In such an examination or review engagement, the CPA uses the criteria when evaluating the description, the set of data, or both. The criteria in this document may also be used when the CPA is engaged to provide other nonattest or advisory services to a client. The purpose of the background of illustrative use cases is to provide examples of how, and under what circumstances, the AICPA Criteria for Describing a Set of Data and Evaluating Its Integrity can be used by entities and CPAs.