
Deloitte comments on AICPA's proposed revised trust services criteria

Published on: Dec 09, 2016

Deloitte & Touche LLP comments on the Assurance Services Executive Committee (ASEC) of the American Institute of Certified Public Accountants (AICPA) proposed revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.

An excerpt from the comment letter is shown below:


1. Are there any unnecessary or otherwise not relevant supplementary criteria or points of focus? Please provide a list.

CC5.2 – We noted that CC5.2 includes the same point of focus twice, namely “Establishes Relevant Technology Infrastructure Control Activities”; accordingly, we recommend deleting one of the instances.

2. Are there any missing supplementary criteria or points of focus? Please provide a list.

CC2.2 – We believe a point of focus is missing relating to privacy; accordingly, we recommend adding a point of focus that applies only to an engagement using the trust services criteria for privacy. For example, the following point of focus could be added to CC 2.2:

Communicates Changes to Objectives Related to Privacy—The entity communicates changes to the entity’s objectives related to privacy to internal users in a timely manner.

CC3.4 – We believe arrangements with third parties should be considered for their impacts on the system of internal control as well as changes at those third parties. Accordingly, we recommend adding a point of focus that assesses changes to the arrangements with existing third parties or changes at those third parties.

3. Do you have any concerns about the measurability of any of the supplementary criteria or points of focus? Please provide a list.

P7.1 – We believe the language “accurate, up-to-date” in the additional criteria for privacy is vague and could lead to different interpretations. Accordingly, we recommend clarifying the language. For example, the following changes could be made to the criteria:

The entity collects and maintains accurate, up-to-date, complete, and relevant personal information to meet the entity’s objectives related to privacy in a complete and accurate manner.

4. The AICPA developed the trust services criteria and related points of focus using an approach similar to the one used by COSO when developing its Integrated Framework—Internal Control. The points of focus are important characteristics of the criteria. Consistent with the COSO approach, management may determine that some of the points of focus are not suitable or relevant and may identify and consider other characteristics based on specific circumstances of the entity. Points of focus assist management and the practitioner in evaluating whether the controls are suitably designed and operating effectively. However, use of the criteria does not require management or the practitioner to separately assess whether each point of focus is addressed. Do you believe this approach is appropriate? If not, please describe the approach you would recommend.

D&T agrees with the proposed approach laid out in the exposure draft.

Full text of the comment letter is available below.

