SOC 3 Examinations: WebTrust and SysTrust Services
Developed by the AICPA and Canadian Institute of Chartered Accountants (CICA), Trust Services are intended to differentiate entities from their competitors by providing evidence to stakeholders that their business is attuned to the risks posed by their environment and has the necessary controls in place to address those risks.
The principles and criteria used to perform Trust Services engagements (WebTrust and SysTrust) are based on the Trust Services Principles developed by the AICPA and CICA to address the risks and opportunities of IT.
The Trust Services Principles, as defined by AICPA/CICA, include:
- Security: The system is protected against unauthorized access (both physical and logical).
- Availability: The system is available for operation and use as committed or agreed.
- Processing Integrity: System processing is complete, accurate, timely, and authorized.
- Confidentiality: Information designated as confidential is protected as committed or agreed.
- Privacy: Personal information is collected, used, retained, and disclosed in conformity with the commitments in the entity’s privacy notice and with the criteria set forth in Generally Accepted Privacy Principles issued by the AICPA/CICA.
WebTrust services include a “family” of assurance services designed for e-commerce-based systems.
The WebTrust family of assurance services, as defined by AICPA/CICA, includes the following (applied in the context of an e-commerce system):
- WebTrust Online Privacy: The scope of the assurance engagement includes the relevant online generally accepted privacy principles (GAPP).
- WebTrust Consumer Protection: The scope of the assurance engagement includes both the Processing Integrity and relevant GAPP.
- WebTrust: The scope of the assurance engagement includes one or more combinations of the Principles and Criteria not anticipated above.
- WebTrust for Certification Authorities: The scope of the assurance engagement includes the Principles and related Criteria unique to certification authorities.
SysTrust services include a “family” of assurance services designed for a wide variety of IT-based systems.
The SysTrust family of assurance services, as defined by AICPA/CICA, includes the following:
- SysTrust-Systems Reliability: The scope of the assurance engagement includes the Security, Availability, Processing Integrity or Confidentiality Principles and Criteria.
- SOC 3 SysTrust for Service Organizations: The scope of the assurance engagement includes one or more combinations of the Security, Availability, Processing Integrity, Confidentiality or GAPP unique to service organizations.
The placement of the WebTrust Seal or SysTrust Seal on your company's website signifies to individuals¹ that you are adhering to the standard business and information practices and disclosures.
A SOC 3 report should be updated on an annual basis, as it is only valid for 12 months from the date the report was issued. Customers completing the SOC 3 examination may also purchase the AICPA WebTrust / SysTrust seals, which can be displayed on their website.
Individuals¹ – Potential recipients of a SOC 3 report: consumers, business partners, creditors, bankers, regulators and outsourcers.
A-lign’s SOC 3 examinations contain the following deliverables:
- Auditor’s Report
- Detailed System Description
- Management Assertion
Please call 1-888-702-5446 for further information, or contact us here.