This site uses cookies to provide you with a more responsive and personalised service. By using this site you agree to our use of cookies. Please read our cookie notice (http://www2.deloitte.com/ca/en/legal/cookies.html) for more information on the cookies we use and how to delete or block them.
The full functionality of our site is not supported on your browser version, or you may have 'compatibility mode' selected. Please turn off compatibility mode, upgrade your browser to at least Internet Explorer 9, or try using another browser such as Google Chrome or Mozilla Firefox.

AICPA Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy [Completed]

Issued:

Included in the 2017 edition of the AICPA’s Trust Services Criteria Guide

Effective date:

Not applicable. There is no requirement to adopt this AICPA material in Canada

Last up­dated:

January 2017

Overview

On September 19, 2016, the AICPA issued an exposure draft, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. It outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or SOC 2 engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls

By way of background, TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria), presents criteria established by the Assurance Services Executive Committee (ASEC) of the AICPA for use by practitioners when providing attestation or consulting services to evaluate controls relevant to the security, availability, or processing integrity of one or more systems, or the confidentiality or privacy of information processed by one or more systems, used by an entity. Management of an entity also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of such controls.

To enable the trust services criteria to also be used in entity-wide engagements, ASEC is reorganizing and revising the extant trust services criteria to more closely align with the 17 principles in Internal Control—Integrated Framework, an internal control framework revised in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013 framework). The COSO 2013 framework is a leading framework for assessing the design and effectiveness of internal control. It is frequently used as criteria against which entities evaluate the effectiveness of their internal control over financial reporting (ICFR), and it has gained wide acceptance by users of ICFR reports. Although it is usually used to assess ICFR, the COSO 2013 framework is intended for use in assessing all reporting, operations, and compliance internal control objectives.

The proposed revisions to the trust services criteria set out in this exposure draft have been adapted from the principles in the COSO 2013 framework and include supplemental criteria that apply to engagements that use the trust services criteria over security, availability, processing integrity, confidentiality, or privacy. In addition, they have been organized into the five COSO components: control environment, communication and information, risk assessment, control activities, and monitoring. They also include points of focus related to each criterion.

For fur­ther de­tails see the press re­lease and related information on the AICPA’s Web site. 

In January 2017, the AICPA issued the 2017 edition of its Trust Services Criteria Guide which has been updated to include the final version of these proposed revisions. There is no requirement to adopt this AICPA guidance in Canada.

Other de­vel­op­ments

January 2017

In January 2017, the AICPA issued the 2017 edition of its Trust Services Criteria Guide which has been updated to include the final version of these proposed revisions. There is no requirement to adopt this AICPA guidance in Canada

September 2016

On September 19, 2016, the AICPA issued an exposure draft, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. It outlines revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity’s cyber risk management program, or SOC 2 engagements.

Correction list for hyphenation

These words serve as exceptions. Once entered, they are only hyphenated at the specified hyphenation points. Each word should be on a separate line.