WebTrust SysTrust

Find a Seal: Information on Trust Service Seals

Engagement/Seal Availability Matrix

The following table indicates the Trust Services seals available by type of engagement. For example, “SysTrust” in the matrix entry for a Security engagement under the “IT Systems” column indicates that a SysTrust Security Seal may be issued for a Trust Services Security attestation engagement performed on an IT system. Seals that are not available are indicated by “—.”

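| Type of Engagement            | IT Systems | e-commerce Systems |
|-------------------------------|------------|--------------------|
| Security                      | SysTrust   | WebTrust           |
| Privacy                       | —          | WebTrust           |
| Processing Integrity          | SysTrust   | WebTrust           |
| Availability                  | SysTrust   | WebTrust           |
| Confidentiality               | SysTrust   | WebTrust           |
| Certification Authorities     | —          | WebTrust           |
| Consumer Protection           | —          | WebTrust           |
| System Reliability            | SysTrust   | —                  |
| Other Engagement Combinations | SysTrust   | WebTrust           |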

SysTrust® and WebTrust® Seals

The Trust Services Program offers two different brands of assurance services: SysTrust and WebTrust. The practitioner’s firm should determine which assurance engagements it is qualified to perform and which of these services best meet the needs of its clients. A seal may be issued for use by the client for each brand of services. 

 

SysTrust: SysTrust assurance services are designed to evaluate a wide variety of IT-based systems. The SysTrust assurance service covers the following subject areas:

  1. SysTrust Security
  2. SysTrust Processing Integrity
  3. SysTrust Availability
  4. SysTrust Confidentiality
  5. SysTrust System Reliability: combines the SysTrust Security, Processing Integrity and Availability engagements
  6. Generic SysTrust Seal: spans one or more combinations of any SysTrust engagements listed above

 

WebTrust: WebTrust assurance services are designed for e-commerce-based systems. The WebTrust service covers the following subject areas:

  1. WebTrust Security
  2. WebTrust Privacy
  3. WebTrust Processing Integrity
  4. WebTrust Availability
  5. WebTrust Confidentiality
  6. WebTrust for Certification Authorities
  7. WebTrust Consumer Protection: combines the WebTrust Privacy and Processing Integrity engagements
  8. Generic WebTrust Seal: spans one or more combinations of any WebTrust engagements listed above

 

Trust Services Program seals may be used in two ways. They are either available for online display or they may be used with various types of other materials, subject to prior written approval from the AICPA/CICA and adherence to the guidelines set forth in this manual. It is important to note that the guidelines differ, depending on the user (i.e., the practitioner firm or the client) and the nature of the Trust Services Program (SysTrust® or WebTrust®). 

 


“Self-Service” Seal Delivery Process

Once practitioners have successfully completed a Trust Services engagement, they may access the AICPA/CICA Seal Management System to assemble, preview, and finalize a SysTrust or WebTrust Seal for display on a client web site. When displayed, the seal will be linked to a secure AICPA/CICA web site that is accessible by clicking on the seal. This enables a user of the client’s web site to verify the validity of the seal and read the audit report and management assertions.


Example Online Trust Services Page
Below is an example Trust Services Seal page. When a user clicks on the WebTrust Security Seal, a web page similar to the following will appear:

 


You have arrived here from a SysTrust® or WebTrust® certified site. The applicable SysTrust or WebTrust Seal of assurance symbolizes that this site has been examined by an independent accountant. Further, the Seal represents the practitioner's report (see below) on management’s assertion(s) that the entity's business is in conformity with the applicable Trust Services Principle(s) and Criteria.

The Trust Services Principles and Criteria is an international set of principles and criteria for systems and electronic commerce developed and managed jointly by the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants. By demonstrating compliance with Trust Services criteria through an examination by an independent practitioner, entities earn the right to display the Seal of assurance.

The entity has earned the right to display the Seal of assurance with respect to the Trust Service Principle(s) of:

 

Security

The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical. The criteria include requirements that the entity

  • has effective security policies,
  • discloses its key security practices,
  • uses procedures to achieve its documented system security objectives in accordance with its defined policies, and
  • has controls to ensure that these policies are followed.

Click here to view the Audit Report and Management's Assertions

Click here to download Adobe Acrobat

 

Links:

WebTrust Program
Security Principles / Criteria

 

 

Monitoring Seals

Once a Trust Services Seal is issued, the client may continue to display the seal on its web site provided the client obtains an updated, unqualified practitioner’s report on a regular basis. However, if the client is no longer in compliance, the client must remove the seal from its web site.
The interval between updates should never exceed twelve months. This interval may depend upon the complexity of the client’s operation; the frequency of significant changes to the client’s systems, policies and disclosures; and the practitioner’s professional judgment.

Seal Renewal
The seal will remain valid for one year, plus a ninety day grace period, unless it is revoked or suspended. The grace period is provided to allow sufficient time for completing the follow-up review.

Revoking or Suspending Seals
If the practitioner determines that the client’s systems, policies and disclosures fail to comply with the Trust Services Principles and Criteria at any time or if the client fails to renew the seal through a follow-up review at the end of one year, the practitioner will immediately notify the client and advise that the seal must be removed from the client’s web site and any printed or online materials. The practitioner will also suspend all the relevant links from the active Trust Services web site using the Seal Management System and notify the local institute of certified public accountants or equivalent.

Restoring Seals
A practitioner may restore a Trust Services Seal after it has been revoked or suspended if an unqualified report can be rendered. The practitioner may either reinstate the original report if it is once again accurate or issue a new report.

Suspending a Practitioner
The licensed institute will retain the right to revoke seals for a practitioner’s firm that is no longer a member in good standing. In this case, the licensed institute has the ability to revoke the seals that the practitioner’s firm is using and may also revoke those seals that the practitioner’s clients are using.