Appendix B. SysTrust Report Content Example

A SysTrust examination results in an auditor’s opinion. In addition, the service provider supplies a management assertion and a system description, which are attached to the auditor’s opinion to form the SysTrust reporting package. Optionally, the reporting package can also include a schedule of controls that the service provider has implemented to address the Trust Services criteria.

SysTrust Auditor’s Opinion[102]

<On Audit Firm Letterhead>

To the Management of XYZ Service Provider, Inc.:

We have examined management’s assertion that XYZ Service Provider during the period <Date1> through <Date2> maintained effective controls over the ABC System to provide reasonable assurance that its System was reliable based on the AICPA/CICA Trust Services Criteria for Systems Reliability. This assertion is the responsibility of XYZ Service Provider’s management. Our responsibility is to express an opinion based on our examination.

A reliable system is one that is capable of operating without material error, fault, or failure during a specified period in a specified environment. The AICPA/CICA Trust Services Availability, Security, and Processing Integrity Criteria are used to evaluate whether XYZ Service Provider’s controls over the reliability of its System are effective.

Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants and, accordingly, included (1) obtaining ...
