PwC submitted a comment letter on the ASEC’s Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy ("proposed trust services criteria"). We support ASEC’s effort to reorganize and revise the extant trust services criteria to more closely align with the 17 principles in Internal Control—Integrated Framework (COSO 2013 framework). We note ASEC’s view that, as revised, the trust services criteria provide a great deal of flexibility in application (e.g., they may be used to evaluate a variety of different subject matters).
We also note the efforts to restructure and add supplemental criteria to better address cybersecurity risks in engagements using the trust services criteria. We believe, if not clearly delineated, that confusion may arise as to how a cybersecurity engagement differs from a SOC 2® engagement when the trust services criteria can be applied to both types of engagements. We believe further articulation of the key differences is necessary for practitioners and those who engage practitioners to perform these types of engagements.