CICA and CMA Canada joined together January 1, 2013 to create CPA Canada as the national organization to support unification of the Canadian accounting profession under the CPA banner.

Overview of Trust Services

Trust Services are defined as:

A set of professional assurance and advisory services based on a common framework (i.e., a core set of principles and criteria) to address the risks and opportunities of IT.

In the development of Trust Services, the objective was to establish a core set of principles and related criteria for key areas related to IT, e-commerce, e-business, and systems. These form the measurement basis for the delivery of the related service(s).

The Trust Services principles and criteria are organized into four broad areas:

PoliciesThe entity has defined and documented its policies1 relevant to the particular principle.
CommunicationsThe entity has communicated its defined policies to authorized users.
ProceduresThe entity uses procedures to achieve its objectives in accordance with its defined policies.
MonitoringThe entity monitors the system and takes action to maintain compliance with its defined policies.

 

The following principles and criteria have been developed by the AICPA/CICA for use by practitioners in the performance of Trust Services engagements, including SysTrust and WebTrust

 

SecurityThe system is protected against unauthorized access (both physical and logical).
AvailabilityThe system is available for operation and use as committed or agreed.
Processing IntegritySystem processing is complete, accurate, timely, and authorized.
ConfidentialityInformation designated as confidential is protected as committed or agreed.
PrivacyPersonal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.

 

Trust Services helps differentiate entities from their competitors by demonstrating to stakeholders that the entities are attuned to the risks posed by their environment and equipped with the controls that address those risks. Therefore, the potential beneficiaries of Trust Services assurance reports are consumers, business partners, creditors, bankers and other creditors, regulators, outsourcers and those using outsourced services, and any other stakeholders who in some way rely on electronic commerce (e-commerce) and IT systems.

Tremendous amounts of information are now readily available. This information has evolved into much more than just basic recordkeeping data. Information and the systems that produce it have become critical components in an entity’s day-to-day operations, the production of products or services, customer and partner relations, and so on. Given this dependence, corporate management and their boards of directors, among others, are concerned about whether the systems on which they rely provide timely, reliable information.

Despite the importance of IT in business today, lack of reliability remains problematic. Many information systems today are technically complex, with large databases that are breeding grounds for errors and other compromises to data and data-related functions. In addition, as a result of the great speed of operations of many of today’s systems, errors can travel very far “downstream” before being noticed. Because many systems are interconnected, errors in one system often have a domino effect on other systems as well—even beyond the entity’s boundaries, where the errors reach suppliers, customers, business associates, and investors. Thus, even the best-designed information systems on which many stakeholders now rely may be fallible.

Additional Security and Other Risks

Security and privacy concerns have become more prominent:

  • Security breaches have become more frequent and are more often reported. For instance, denial of service attacks affect many prominent e-commerce sites. E-mail viruses and worms have taken advantage of system weaknesses to cause significant disruptions to businesses.
  • Consumer attitudes toward privacy have shifted. Consumers’ concerns over privacy are taking a massive toll by preventing Internet commerce to reach its full potential.
  • Entities have found themselves unprepared for the failures of systems of all types.
  • Sanctions have been levied against entities that have failed to properly respect privacy standards.

Need for Trust

A variety of factors have combined to make trust an issue. Factors such as globalization, the anonymity of e-commerce, and an increasing reliance on complex and powerful IT systems have caused concerns among business customers and partners leading to a decline in trust. These issues are addressed with the services provided by practitioners using the Trust Services framework.

WebTrust

The WebTrust service is actually comprised of a “family” of assurance services designed for e-commerce-based systems and, upon attainment of an unqualified assurance report, would entitle the entity to display a WebTrust Seal and accompanying practitioner’s report on its Web site. The WebTrust family of branded assurance services includes the following, applied in the context of an e-commerce system:

  • WebTrust Online Privacy. The scope of the assurance engagement includes the relevant online Privacy principle and criteria.
  • WebTrust Consumer Protection. The scope of the assurance engagement includes both the Processing Integrity and relevant online Privacy Principles and Criteria.
  • WebTrust. The scope of the assurance engagement includes one or more combinations of the Principles and Criteria not anticipated above.
  • WebTrust for Certification Authorities. The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities.

SysTrust

The SysTrust service is also comprised of a "family" of assurance services designed for a wide variety of IT-based systems as may be defined by the entity and, upon attainment of an unqualified assurance report, would entitle the entity to display a SysTrust Seal and accompanying auditor's report. The SysTrust family of branded assurance services includes the following, applied in the context of an entity's defined system:

  • SysTrust-Systems Reliability. The scope of the assurance engagement includes the Security, Availability, Processing Integrity or Confidentiality Principles and Criteria.
  • SOC 3 SysTrust for Service Organizations. The scope of the assurance engagement includes one or more combinations of the Security, Availability, Processing Integrity, Confidentiality or Privacy Principles and Criteria unique to service organizations.

An important aspect of both the SysTrust and WebTrust brands is that they are designed to be sufficiently flexible to meet the needs of those entities wanting to be examined. Both brands were initially developed with the idea that they would result in attest (audit) level assurance. In practice, however, the Trust Services Principles and Criteria can be used as a basis for providing both advisory and assurance services.


1The term policies refers to written statements that communicate management's intent, objectives, requirements, responsibilities, and/or standards for a particular subject. Such communications may be explicitly designated as policies while others may be implicit (such as, communications with users not otherwise documented as policies, written procedures, etc.). Policies may take many forms but should be in writing.