
Trust Services FAQ

What is the difference between a SAS 70 and Trust Services (WebTrust and SysTrust)?

Do all five Trust Services Principles apply to my organization?

What is the required audit period for WebTrust and SysTrust?

What is the required frequency of a WebTrust and SysTrust audit?

What is a WebTrust and SysTrust seal?

Can I have a WebTrust and SysTrust audit prior to a system being placed in a live production environment?

How does my company prepare for a WebTrust and SysTrust?

How much does a WebTrust and SysTrust cost?

How much time is required from the company’s staff to complete a WebTrust and SysTrust?

How long does it take to complete a WebTrust and SysTrust?

 

1. What is the difference between a SAS 70 and Trust Services (WebTrust and SysTrust)?

a. A SAS 70 audit is an unrestricted audit that is performed for service organizations as it relates to the user organizations' financial statement assertions. Therefore, SAS 70 reports are limited to the scope of services that have a financial impact on their user organizations. A Trust Services audit is based on a framework that consists of defined principles as they relate to a System.

b. Below is a table summarizing the differences:

| | SAS 70 audit engagement | SysTrust / WebTrust engagement |
|---|---|---|
| Purpose of Engagement | Scope of audit is based on the service organization's processes and procedures that can financially impact a user organization. | Scope of the audit is based on a defined framework to assess the security, confidentiality, processing integrity, privacy and availability of specified systems. |
| Defined Scope | No. | Yes. |
| Types of Systems | Data and Transaction Processing Systems | Any system. |
| Users of Report | Service organizations, user organizations, and auditors of the user organizations. | Unrestricted |

 

2. Do all five Trust Services Principles apply to my organization?

a. The service organization can choose whether it wants one Principle evaluated or all five Principles. Normally your trusted CPA advisor will assist you in the selection of Principles based on the use of the report, the type of system and contractual obligations that may be relevant to your customers.

 

3. What is the required audit period for WebTrust and SysTrust?

a. Both audits can be performed as a point in time (similar to a Type 1 SAS 70 audit) or over a period of time (similar to a Type 2 SAS 70 audit) that is based on the needs of the users of the report.

 

4. What is the required frequency of a WebTrust and SysTrust audit?

a. To remain compliant, organizations are required to have an annual audit performed by an independent licensed CPA firm.

 

5. What is a WebTrust and SysTrust seal?

a. The WebTrust and SysTrust seal is a recognized symbol that can be displayed by customers upon the successful completion of a WebTrust and SysTrust assurance audit.

i. A SysTrust seal can be achieved by completing a point in time or period of time audit.

ii. A WebTrust seal can be achieved by completing a period of time audit.

 

6. Can I have a WebTrust and SysTrust audit prior to a system being placed in a live production environment?

a. It is common for organizations to want a system evaluated prior to placing the system in a live production environment. In this situation we can issue a Trust Services report based on the suitability of design of control procedures, but cannot issue a WebTrust and SysTrust report and corresponding seals.

 

7. How does my company prepare for a WebTrust and SysTrust?

a. Many organizations that are going through a WebTrust and SysTrust for the first time are overwhelmed or just may not have the time to research and implement the proper internal controls and processes that are normally evaluated during a WebTrust and SysTrust. We provide our clients with 2 different options for this approach.

1) The first option is designed for clients who do not have the resources, the time, or the internal resources that can evaluate their internal controls. For this option we offer our clients onsite consulting to gain an understanding of the systems under review. We then customize our audit plan and deliver a detailed document request list to prepare our clients for phase three (fieldwork).

2) The second option is for clients that are just looking for some guidance and wish to prepare for the WebTrust and SysTrust themselves. Normally these are clients that have been through internal controls audits or have onsite resources with an understanding of audit and controls. For this approach we simply hold phone conferences and provide our clients with an audit framework that they can easily follow to help ensure the appropriate foundation is set to start the WebTrust and SysTrust process.

 

8. How much does a WebTrust and SysTrust cost?

a. Even when dealing with a predefined framework, the cost of a WebTrust and SysTrust varies for each client because each WebTrust and SysTrust audit is different from the next. However, some of the factors that should be considered in the price of a WebTrust and SysTrust are the Principle selected for review, period of review, size of your organization, the complexity of the information systems under review, the type of services offered and possibly the location of your business. Contact us for a quick and customized WebTrust and SysTrust quote.

 

9. How much time is required from the company’s staff to complete a WebTrust and SysTrust?

a. Preparation for first-time WebTrust and SysTrusts

i. The required amount of time for your internal resources can vary significantly based on the size of your organization and the preparedness of your internal policies and procedures. A company that has all of these processes documented and mapped out should be able to efficiently communicate its services to its auditors. Some companies choose to hire a consultant to assist in the preparation of their WebTrust and SysTrust and some choose to prepare internally (see FAQ 1).

ii. A company can expect that a lead resource over each relevant business unit (System Admin, Network Administrator, Lead Developer, Human Resources, etc.) will devote 5 to 10 hours preparing for and working with the auditors. This includes documentation gathering, responding to questionnaires and holding interviews/walkthroughs with your auditors. (This time can vary depending on the number of Principles that are under review.)

iii. Key Success Factors for an efficient WebTrust and SysTrust include but are not limited to the following:

1. A project plan

2. Designation of a SAS 70 project lead

3. Scheduling of required resources (members of business units)

4. Utilization of experienced and educated auditors

 

10. How long does it take to complete a WebTrust and SysTrust?

a. Timing varies depending on a number of factors, including the preparedness of your organization and the size and type of services under review. However, for most organizations that operate out of a centralized location, we tell our clients that our audit process, from the time we hold a kickoff call to the time they receive their audit report, is no longer than 8 weeks in duration. Of those 8 weeks, normally we are only onsite for 1 or 2 weeks. Please refer to our methodologies for an explanation of the WebTrust and SysTrust process and timeline.