CICA and CMA Canada joined together January 1, 2013 to create CPA Canada as the national organization to support unification of the Canadian accounting profession under the CPA banner.

Trust Services

IMPORTANT NOTICE

RE: SysTrust for Service Organization Controls Seal Program Cessation

The AICPA and CPA Canada have jointly decided to discontinue the SysTrust and SOC 3 SysTrust for Service Organizations seal programs. Both organizations recognize the growth in the market for attestation/assurance services in the area of systems reliability and service organization controls and will continue to maintain the underlying Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy to ensure the effectiveness of these services over time. This announcement affects only the issuance of SysTrust and SOC 3 SysTrust for Service Organization seals and the related licensing of practitioners.

Effective immediately, the AICPA and CPA Canada will no longer issue new licenses to practitioners to use, or the right of practitioners to permit their clients to use, the SysTrust or SOC 3 SysTrust for Service Organizations seals. Existing licenses will remain in effect until the end of their term, at which point they will not be renewed.

SysTrust and SOC 3 SysTrust for Service Organization seals that have been issued under existing licenses will remain active through to their expiration date. For SysTrust and SOC 3 engagements currently in progress, including renewals of existing SysTrust and SOC 3 SysTrust for Service Organization seals, we will continue to issue seals through to December 31, 2014. After this date, practitioners who wish to continue their use of any SysTrust related marks should disclose to their clients that the seal program is no longer active and is not supported by or associated with the AICPA and CPA Canada.

While the WebTrust for Certification Authorities seal program continues, CPA Canada is reviewing the program to determine if the benefits justify the resources necessary to continue the program. AICPA and CPA Canada will continue to maintain the Trust Services Principles and Criteria for Certification Authorities that support the WebTrust for Certification Authorities seal program.

A copy of this letter has been attached for your records.

Should you have any questions regarding the discontinuance of the SysTrust and SOC 3 SysTrust for Service Organization seal programs, please feel free to contact CPA Canada or the AICPA via email at the following addresses:

CPA Canada: webtrust@cpacanada.ca
AICPA: smacey@aicpa.org

Brian Loney
Director, Publishing
Member Services
CPA Canada

Amy Pawlicki
Director, Business Reporting, Assurance and Advisory Services
AICPA

 

TRUST SERVICES PRINCIPLES AND CRITERIA, and ILLUSTRATIONS

NOTICE: Revised Trust Services Principles and Criteria Issued

The 2014 revision to the Trust Services Principles and Criteria has been issued. It is effective for periods ending on or after December 15, 2014, with early implementation permitted. It is available as part of the subscription service of the AICPA Technical Practice Aids or as a standalone e-book, Trust Services Principles, Criteria and Illustrations.

 

New and Revised WebTrust℠/™ for Certification Authorities Principles and Criteria

The WebTrust℠/™ for Certification Authorities Task Force has released the final versions of the following Principles and Criteria documents after reviewing comments received on the exposure drafts of these three documents. To reduce confusion, these documents are now referred to as “WebTrust” documents rather than “Trust Services” documents. There have not been any other significant changes made as a result of comments received on the exposure draft. The documents are:

  • WebTrust℠/™ Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2.0
    Effective for audit periods starting on or after July 1, 2014, Version 2.0 incorporates the CA/Browser Forum requirements for the Issuance and Management of Publicly-Trusted Certificates and Network and Certificate System Security Requirements. (See Appendix A, B and C in the Principles and Criteria document for more information.) The essential change from Version 1.1 is the incorporation of criteria related to network security into the document.
  • WebTrust℠/™ Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5
    Effective upon release on April 3, 2014, Version 1.4.5 of the WebTrust℠/™ Principles and Criteria for Extended Validation SSL incorporates changes to criteria to reflect updates made by the CA/B Forum. In 2011, the Forum released its Baseline Requirements for the Issuance and Management of Publicly-Trusted Certificates (“Baseline Requirements”). Subsequently, the CA/B Forum approved several updates, with the latest edition being Version 1.1.6. The Forum’s EV SSL Guidelines and these EV SSL Criteria at times make reference to the Baseline Requirements, and many guidelines that were previously detailed in the Forum’s EV SSL Guidelines are now incorporated by reference to the Baseline Requirements. To facilitate the EV SSL audit, however, these requirements continue to be detailed in the WebTrust EV SSL Criteria.
  • WebTrust℠/™ Principles and Criteria for Certification Authorities – Extended Validation Code Signing
    Effective for audits starting on or after July 1, 2014, the WebTrust℠/™ Principles and Criteria for Certification Authorities – Extended Validation Code Signing (“EV Code Signing Criteria”) document establishes criteria to be used by auditors as a basis for an EV Code Signing audit. These Principles and Criteria are based on the CA/B Forum’s “Guidelines for the Issuance and Management of Extended Validation Code Signing Certificates”.

WebTrust℠/™ Principles and Criteria for Certification Authorities

Framework for third party assurance providers to assess the adequacy and effectiveness of the controls employed by Certification Authorities (CAs)

  1. Principles and Criteria for Certification Authorities 2.0

Framework for third party assurance providers for Extended Validation Certificates

  1. Principles and Criteria for Certification Authorities – Extended Validation Audit Criteria 1.4 (amended) (Superseded)
  2. WebTrust Principles and Criteria for Certification Authorities – Extended Validation SSL – Version 1.4.5

Framework for third party assurance providers relating to SSL Certificates

  1. Principles and Criteria - SSL Baseline Requirements Version 1.1. (Amended) (Superseded)
  2. WebTrust Principles and Criteria for Certification Authorities – SSL Baseline with Network Security – Version 2

Framework for third party assurance providers relating to code signing

  1. Principles and Criteria for Certification Authorities – Extended Validation Code Signing