SOC 3 SysTrust/WebTrust | Trust Services Principles and Criteria | What you Need to know
SOC 3 SysTrust/WebTrust audit and assurance services, also known as the Trust Services, are a broad-based set of principles and criteria put forth jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). The need for Trust Services, such as SysTrust and WebTrust, has grown considerably in recent years, due in large part to the advent and growth of e-commerce and the overall e-business environment, which results in tremendous amounts of sensitive and confidential data, often financial in nature, traversing from entity to entity. In short, we live in a digital world where information is transparent, readily available, and can be accessed anytime by almost anyone, anywhere. The need to protect e-commerce systems and other supporting I.T. systems and platforms is vitally important, now more than ever.
Thus, when alternative attest and advisory services, such as the SOC 1 SSAE 16 framework, the SOC 2 AT Section 101 framework, or even Payment Card Industry Data Security Standard (PCI DSS) compliance, are not preferable or appropriate, service organizations and user organizations can look to the Trust Services Principles and Criteria, which are issued under the AICPA SOC 3 guidance, for addressing risks related to I.T. and validating that security, availability, processing integrity, confidentiality, and/or privacy provisions are in place. After all, it is these very core tenets of the Trust Services Principles and Criteria that give essential stakeholders (i.e., business partners, regulatory bodies, outsourcing entities, creditors, etc.) a level of assurance and confidence in the e-commerce systems and other supporting I.T. platforms on which they may rely. Trust Services can be a significant differentiator for companies seeking to gain competitive advantages within a given business market or sector, as adherence to the defined set of principles within the Trust Services platform itself illustrates a true commitment to system security and other supporting parameters.
Trust Services Principles and Criteria
The following five (5) areas essentially define the framework of the Trust Services Principles along with helping define the scope of an actual SOC 3 SysTrust/WebTrust assurance engagement:
- Security: The system is protected, both logically and physically, against unauthorized access.
- Availability: The system is available for operation and use as committed or agreed to.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information that is designated “confidential” is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the privacy principles put forth by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA).
Interestingly, both the SysTrust and the WebTrust audit and assurance services are commonly grouped together under the “Trust Services” phrase, but each actually comprises its own family or categories of audit and assurance services. The SysTrust categories of services are geared primarily towards a wide variety of I.T. systems, such as those adhering to the principles of Security, Availability, and Processing Integrity, known specifically as the “SysTrust Systems Reliability” category, which can be issued under the AICPA SOC 3 framework by a Certified Public Accounting (CPA) firm. Additionally, the "SysTrust" category by itself is a designation given from an engagement by a CPA firm that includes one or more combinations of the Trust Services Principles and Criteria areas. Most often, the end deliverable for a SysTrust assurance engagement is an unqualified opinion and report (unqualified report) from a CPA firm along with a SysTrust seal, which may be displayed on the organization's website for one full calendar year from the date of issue.
As for WebTrust, this specialized trust service also has its own family or categories of audit and assurance services, which consist of the following:
- WebTrust Online Privacy
- WebTrust Consumer Protection
- WebTrust
- WebTrust for Certification Authorities
The WebTrust service is geared primarily towards e-commerce systems and the ability of these systems to adhere to online privacy, consumer protection, and certification authority requirements, along with one or more combinations of the Trust Services Principles and Criteria areas. As with SysTrust, a CPA firm can undertake this examination in accordance with the AICPA SOC 3 framework, resulting in the issuance of an opinion and report along with a WebTrust seal, which may also be displayed on the organization's website for one full calendar year from the date of issue.
NDB: Your Trusted Provider for SSAE 16 Compliance