AICPA Service Organization

Practitioner report

The Seal of Assurance combines high standards for identified activities with the requirement for an independent verification/audit. PwC has earned the right to display the Seal of Assurance with respect to the Trust Service Principle(s).

Service Organization Control Seal

The Seal represents the practitioner’s report on management's assertion(s) that PwC maintained effective controls, during the period October 1, 2018 through September 30, 2019, to provide reasonable assurance that the PwC systems covered by this report (i) were available for use as committed or agreed, (ii) protected against unauthorized access, use or modification, based on the applicable Trust Services Principles (TSP) and Criteria, and complied with its commitments regarding the availability and security of its system.

The Trust Services Principles (TSP) and Criteria is defined as a set of professional attestation and advisory services based on a core set of principles and criteria that addresses the risks and opportunities of IT-enabled systems and privacy programs. The Trust Services Principles and Criteria is an international set of principles and criteria for systems and electronic commerce developed and managed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). For more information, the TSP is available for purchase on the AICPA site.

The Seal of Assurance is a symbolic representation of what is contained in the practitioner’s report on management’s assertions.

Scope 

The scope of this report is intended to describe the general control structure relevant to the Trust Service Security and Availability Principles and Criteria (TSP section 100). The Web Hosting Environment (WHE), Internally Hosted Application Environment (IHAE) and Collaboration (NAMCOLAB) application environments are primarily used to provide technology and support services for the firm’s practice management and line of service offerings. The report is not intended to encompass all aspects of US IT’s service offerings.

The scope is limited to the systems and services managed and/or operated by PwC US IT personnel that support the development, deployment, control and configuration of the primary production environments within the datacenter located in Georgia (GDC). The GDC is the primary processing facility for all production resources in the WHE, NAMCOLAB, and IHAE.

PwC has earned the right to display the Seal of Assurance with respect to the Trust Service Principle(s) of:

Availability

The Availability Principle addresses accessibility to the defined system, products, or services as advertised or committed by contract, service-level, or other agreements. This Principle does not, in itself, set an acceptable minimum availability percentage performance level for Web sites or service provider access. The minimum availability percentage is established by mutual agreement (contract) between the customer and the service provider.

The criteria include requirements that:

  • availability policies exist, 
  • the entity communicates the defined system availability policies to authorized users, 
  • the entity uses procedures to achieve its documented system availability objectives in accordance with its defined policies, and
  • controls exist to monitor compliance with its defined system availability policies.

Security

The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical. The criteria includes requirements that the entity has effective security policies, discloses its key security practices, uses procedures to achieve its documented system security objectives in accordance with its defined policies, and has controls to ensure that these policies are followed.

PwC has earned the right to display the Seal of assurance with respect to the Trust Service Principle(s) of:

Availability

The Availability Principle addresses accessibility to the defined system, products, or services as advertised or committed by contract, service-level, or other agreements. This Principle does not, in itself, set an acceptable minimum availability percentage performance level for Web sites or service provider access. The minimum availability percentage is established by mutual agreement (contract) between the customer and the service provider.

The criteria include requirements that:

  • availability policies exist, 
  • the entity communicates the defined system availability policies to authorized users, 
  • the entity uses procedures to achieve its documented system availability objectives in accordance with its defined policies, and
  • controls exist to monitor compliance with its defined system availability policies.

Security

The Security Principle requires an entity to meet high standards for the protection of the system components from unauthorized access, both logical and physical. The criteria includes requirements that the entity has effective security policies, discloses its key security practices, uses procedures to achieve its documented system security objectives in accordance with its defined policies, and has controls to ensure that these policies are followed.

Follow us