The 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy presents control criteria established by the Assurance Services Executive Committee (ASEC) of the AICPA for use in attestation or consulting engagements to evaluate and report on controls over the security, availability, processing integrity, confidentiality, or privacy of information and systems (a) across an entire entity; (b) at a subsidiary, division, or operating unit level; (c) within a function relevant to the entity’s operational, reporting, or compliance objectives; or (d) for a particular type of information used by the entity.
In developing and establishing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R, Implementing Resolutions Under Section 3.6 Committees, designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105, Concepts Common to All Attestation Engagements, indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable.
This version of the trust services criteria has been modified by AICPA staff to include conforming changes necessary because of the issuance, in March 2020, of a new SOC examination. In a SOC for Supply Chain examination, a practitioner examines and reports on the effectiveness of controls (suitability of design and operating effectiveness) relevant to the security, availability, or processing integrity of a system or the confidentiality or privacy of information processed by a system that produces, manufactures, or distributes products. These changes, which have been reviewed by the ASEC chair, were made to provide greater flexibility for use of the trust services criteria in a SOC for Supply Chain examination. It is important to note that these changes do not alter in any way the trust services criteria used to evaluate controls in a SOC 2®, SOC 3®, or SOC for Cybersecurity examination.