Erin Mackler
American Institute of Certified Public Accountants
1211 Avenue of the Americas
New York, NY 10036-8775
December 6, 2016
RE: Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
Dear Ms. Mackler:
We appreciate the opportunity to comment on the Proposed Revision of Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the “proposed trust services criteria”). Companies are trying to design and implement effective cybersecurity risk management programs, as the threat of cybersecurity attacks continues to rise. CPAs are well-positioned to provide value to companies by performing a range of services related to cybersecurity, from advisory services to attestation engagements. Demand for such services is likely to increase, and we note a wider range of stakeholders are interested in reports on companies’ cybersecurity risk management programs.
We continue to support the AICPA’s efforts – both in terms of assistance for companies who wish to report on their cybersecurity risk management programs and guidance for practitioners on how the attestation standards can be applied in this emerging area. The Explanatory Memorandum appropriately identifies many of the issues associated with cybersecurity risk management programs and their evolving nature.
We have offered some overall feedback on cybersecurity risk management programs and the use of the trust services criteria. We have also responded to the specific questions related to the proposed trust services criteria and offer the following suggestions for the Assurance Services Executive Committee’s (ASEC) consideration in finalizing these criteria. We have commented separately on the Proposed Description Criteria for Management’s Description of an Entity’s Cybersecurity Risk Management Program.
Overall comments
We support ASEC’s effort to reorganize and revise the extant trust services criteria to more closely align with the 17 principles in Internal Control—Integrated Framework (COSO 2013 framework) for the reasons set out in the Explanatory Memorandum. We note ASEC’s view that, as revised, the trust services criteria provide a great deal of flexibility in application (e.g., they may be used to evaluate a variety of different subject matters).
We also note the efforts to restructure and add supplemental criteria to better address cybersecurity risks in engagements using the trust services criteria. We believe, if not clearly delineated, that confusion may arise as to how a cybersecurity engagement differs from a SOC 2® engagement when the trust services criteria can be applied to both types of engagements. We believe further articulation of the key differences is necessary for practitioners and those who engage practitioners to perform these types of engagements. This could potentially be done within the practitioner’s report on the cybersecurity engagement, supplemented by additional educational-type materials for those engaging practitioners to perform services related to cybersecurity as well as users of those reports.
Guide for respondents
1. Are there any unnecessary or otherwise not relevant supplementary criteria or points of focus? Please provide a list.
We believe the further specificity within the trust services criteria is useful at this time to align with the COSO Framework, as well as to differentiate and align expectations about how a variety of subject matters can be addressed. The trust services criteria were designed to provide flexibility in application and use for a variety of different subject matters, and therefore must remain relatively principles-based. After these proposed changes to the trust services criteria are finalized, we would encourage ASEC to refrain from reopening the criteria to address new or emerging services and instead consider whether other measures could be taken to explain how the trust services criteria can be tailored to those services.
2. Are there any missing supplementary criteria or points of focus? Please provide a list.
We have not identified any missing supplementary criteria or points of focus at this time.
3. Do you have any concerns about the measurability of any of the supplementary criteria or points of focus? Please provide a list.
We do not have any specific concerns about the measurability of any of the supplementary criteria or points of focus, recognizing the role of points of focus (see question 4).
4. The AICPA developed the trust services criteria and related points of focus using an approach similar to the one used by COSO when developing its Integrated Framework – Internal Control. The points of focus related to the criteria are important characteristics of the criteria. Consistent with the COSO approach, management may determine that some of the points of focus are not suitable or relevant and may identify and consider characteristics based on specific circumstances of the entity. Points of focus assist management in determining the matters to be addressed in the presentation. However, use of the criteria does not require management to address every point of focus in its description. Do you believe this approach is appropriate? If not, please describe the approach you would recommend.
We believe this approach is appropriate. While the points of focus are helpful for both management and practitioners, taking a more prescriptive approach to requiring all points of focus to be addressed in the presentation has the potential to result in more of a "checklist-based" mentality to preparing the presentation and would likely result in onerous narratives that may be less informative. We also suggest ASEC and others give consideration to whether there may be merit in reports issued in accordance with the trust services criteria explaining how points of focus are taken into account, in order to avoid a potential expectation that there would be explicit reporting on each point of focus.
* * * * *
We appreciate the opportunity to express our views and would be pleased to discuss our comments or answer any questions you may have. Please contact Kevin Knight at (703) 918-3505.
Sincerely,