AICPA Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy [Completed]

Issued:

Included in the 2017 edition of the AICPA’s Trust Services Criteria Guide

Effective date:

Not applicable. There is no requirement to adopt this AICPA material in Canada.

Last updated:

January 2017

Overview

On September 19, 2016, the AICPA issued an exposure draft, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. It sets out revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity's cyber risk management program, or that perform SOC 2 engagements. Management also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of controls.

By way of background, TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Principles and Criteria), presents criteria established by the Assurance Services Executive Committee (ASEC) of the AICPA for use by practitioners when providing attestation or consulting services to evaluate controls relevant to the security, availability, or processing integrity of one or more systems, or the confidentiality or privacy of information processed by one or more systems, used by an entity. Management of an entity also may use the trust services criteria to evaluate the suitability of design and operating effectiveness of such controls.

To enable the trust services criteria to also be used in entity-wide engagements, ASEC is reorganizing and revising the extant trust services criteria to more closely align with the 17 principles in Internal Control—Integrated Framework, an internal control framework revised in 2013 by the Committee of Sponsoring Organizations of the Treadway Commission (COSO 2013 framework). The COSO 2013 framework is a leading framework for assessing the design and effectiveness of internal control. It is frequently used as criteria against which entities evaluate the effectiveness of their internal control over financial reporting (ICFR), and it has gained wide acceptance by users of ICFR reports. Although it is usually used to assess ICFR, the COSO 2013 framework is intended for use in assessing all reporting, operations, and compliance internal control objectives.

The proposed revisions to the trust services criteria set out in this exposure draft have been adapted from the principles in the COSO 2013 framework and include supplemental criteria that apply to engagements that use the trust services criteria over security, availability, processing integrity, confidentiality, or privacy. In addition, they have been organized into the five COSO components: control environment, communication and information, risk assessment, control activities, and monitoring. They also include points of focus related to each criterion.

For further details see the press release and related information on the AICPA's Web site.

In January 2017, the AICPA issued the 2017 edition of its Trust Services Criteria Guide which has been updated to include the final version of these proposed revisions. There is no requirement to adopt this AICPA guidance in Canada.

Other developments

January 2017

In January 2017, the AICPA issued the 2017 edition of its Trust Services Criteria Guide, which has been updated to include the final version of these proposed revisions. There is no requirement to adopt this AICPA guidance in Canada.

September 2016

On September 19, 2016, the AICPA issued an exposure draft, Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy. It sets out revised AICPA trust services criteria for use by public accounting firms that provide advisory or attestation services to evaluate the controls within an entity's cyber risk management program, or that perform SOC 2 engagements.
