SysTrust, with Erin Mackler of the AICPA
Session Moderator: I'm excited that Erin Mackler is here today. She works for the AICPA and has some great information about our topic. Let me introduce her quickly and then we'll get on to our subject!
Erin joined the AICPA's Assurance Services Team in October 1998 as the SysTrust Team Leader. Ms. Mackler is responsible for overseeing the AICPA's Systems Reliability Task Force in the development and implementation of the CPA SysTrust service. She works with the Task Force in crafting the SysTrust Principles and Criteria for Systems Reliability, which serves as the foundation for the SysTrust service. Ms. Mackler has published numerous articles on the CPA SysTrust service, including one that appears in the Journal of Accountancy.
Prior to joining the AICPA in 1989 as a Project Manager in Professional Development, Ms. Mackler was a Senior Associate with Coopers & Lybrand, LLP, where she served clients in the banking, insurance and manufacturing sectors.
Ms. Mackler received a Bachelor of Science degree in accounting with honors from Fairleigh Dickinson University.
Erin Mackler: Thanks for the introduction.
I'll begin the session by first telling you what CPA SysTrust is.
SysTrust is an assurance service that independently tests and verifies a system's reliability. This service is part of a broader future vision of the accounting profession to supply real-time assurance on information databases and systems and is a natural extension of the CPA's audit and information technology consulting functions. With SysTrust, a CPA tests whether a system is reliable as measured against four essential SysTrust principles: availability, security, integrity and maintainability.
The objective of a SysTrust system-reliability engagement is for the licensed CPA to provide independent verification that a company has effective system controls and safeguards so that a system can function reliably. Upon completion of a SysTrust engagement a CPA issues a SysTrust assurance report to company management. A SysTrust assurance report can be used by a company in its marketing and investor outreach materials or other marketing documents, on its Web Site, within insurance agreements and specific contracts with potential or existing clients.
SysTrust is designed to increase the comfort of management, customers, and business partners with the systems that support a business by decreasing the risk associated with systems failures. SysTrust was developed jointly by the American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA). SysTrust is provided by licensed CPAs and CAs.
Does anyone have any questions?
Scott Cytron: Is there a training program for SysTrust?
Erin Mackler: Yes we have two self-study training courses that are available through the AICPA.
Why do companies or business need SysTrust?
Developments in information technology provide far greater power to companies at far lower costs. As business dependence on information technology increases, tolerance decreases for systems that are not secure, unavailable when needed and unable to produce accurate information on a consistent basis. An unreliable system can cause a chain of events that negatively affects a company and its customers, suppliers and business partners.
What is examined in a SysTrust Engagement?
In a SysTrust engagement, management prepares a description that defines which aspects of the system should be covered so that boundaries are clear to users of the report. The system description is attached to the CPA's report. The CPA performs audit procedures to examine and test the infrastructure, software, people, procedures, and data. The CPA determines whether system controls exist and performs tests to determine whether those system controls operate effectively during the period covered by the SysTrust assurance report.
What are the principles that a CPA uses to determine the reliability of a system?
A reliable system is one that is capable of operating without material error, fault, or failure during a specific period of time within a specified environment. Every SysTrust engagement examines four SysTrust principles to evaluate whether a system is reliable and then measures them against certain criteria.
The SysTrust principles are:
Companies might also engage a CPA to test any one or combination of these Principles in addition to providing valuable information technology consulting service related to the principles.
Catherine: What are the primary differences between a SysTrust engagement and the EDP review historically used?
Erin Mackler: SysTrust provides an independent auditor's opinion on the system. It is examination level assurance, therefore it is an audit of the system.
What are the criteria that a CPA uses to determine the reliability of a system?
Erin Mackler: For each of the four SysTrust principles, criteria have been established against which a system can be evaluated. The criteria address the following features that contribute to system reliability: the definition and documentation (i.e. policies), procedures and system monitoring activities. The SysTrust criteria are designed to be complete, relevant, objective and measurable, addressing all of the system components and relationships between them.
What is a SysTrust report?
With a SysTrust engagement a CPA issues an attestation report to signify that management of a Company has maintained effective controls to enable its system to function reliably and that those controls operate effectively within a specified period of time. If one or more of the principles and criteria are not fulfilled, a CPA can issue a qualified or adverse report - directly on the subject matter rather than on management's assertion.
Is there a seal that can be put on a company's Web site?
A SysTrust report is issued by the CPA as a written report. The company may choose to publish its report on its Web site, in its marketing materials, or in other forms. However, SysTrust does not issue a seal.
Who benefits from SysTrust?
Companies that receive a SysTrust report from an independent, trusted CPA are able to minimize risk to shareholders, corporate governance bodies and business partners by providing them with trustworthy information that allows them to make better decisions. Benefiting from the insight obtained in a SysTrust engagement, a company is more attuned to the risks posed by their unique environment and properly equipped with the knowledge to address those risks.
Management, board of directors, audit committee or other corporate governance bodies can gain more confidence in internal systems by making sure they are subject to appropriate information technology controls. As a result, senior management can improve decision-making and more effectively discharge their responsibilities and key role in safeguarding the information assets of the businesses they oversee.
Internal auditors and system owners use the SysTrust principles and criteria to guide the development and implementation of reliable systems. This can lower costs, help avert systems development rework and prevent loss of reputation or market share directly attributable to unreliable systems.
Service providers, such as outsourcing service providers, system integrators and vendors, can engage a practitioner to assure the reliability of their systems and services provided to their customers. Companies can differentiate themselves from competitors that cannot provide the same type of assurance to their business partners and customers.
System users gain assurance about the reliability of their systems.
System builders and consultants in turn can use the SysTrust principles and criteria as a framework for designing reliable systems.
Business partners can benefit by helping to build trust and confidence in each other's systems.
Session Moderator: Erin, if this is a good time, could you talk a bit about why the AICPA decided this was an important product to develop?
Erin Mackler: The AICPA felt this is an important project because companies are becoming and more and more dependent on their system and they felt there is an need for assurance on systems
Session Moderator: Does anyone else have any questions about SysTrust?
Erin Mackler: Why are CPAs most qualified to offer assurance services like SysTrust?
CPAs are recognized as trusted, independent third parties that provide assurance as to the accuracy and fairness of many types of financial and non-financial information. CPAs must meet strict ethical, educational and other professional requirements. They bring their independence, objectivity and in-depth knowledge of IT environments and technical expertise to system operations with SysTrust. They are uniquely qualified to independently verify and test a system for reliability.
How to get started in offering SysTrust services?
To become licensed to offer SysTrust services, you merely need to purchase the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability (product # 060465) from the AICPA and adhere to the license agreement contained in the document. The cost of the document is $14.50 for AICPA members and $18.25 for nonmembers. It can be ordered by calling 1-888-777-7077 or online at www.aicpa.org
What are the new developments in the SysTrust service?
The AICPA/CICA recently issued for public comment an exposure draft of version 2.0 of the AICPA/CICA SysTrust Principles and Criteria for Systems Reliability. Version 2.0 provides for greater flexibility in providing the service. To obtain a copy of Version 2.0 refer to the AICPA's website at www.aicpa.org
Tom Aumiller: Is there a certification requirement beyond completion of the self-study courses?
Erin Mackler: No. Because these engagements are performed under the AICPA's Attestation Standards, those standards require that you have the adequate technical training to perform these engagements.
Tom Aumiller: Will the AICPA be promoting the service? If so, how?
Erin Mackler: We are promoting this service through brochures, articles in the Journal of Accountancy, conferences etc...
A copy of the exposure draft will be posted with the transcript of this session.
Tom Aumiller: Thank you, Erin.
Erin Mackler: If anyone has any questions, please email me at firstname.lastname@example.org or call 212-596-6149
Session Moderator: Thanks Erin for a great session. We appreciate your time here today.
Erin Mackler: Thank you for your time
Session Moderator: Thanks, too, to all of you for joining us. Feel free to give Erin a call with questions.
Click here to download the exposure draft of version 2.0 of the SysTrust Principles and Criteria.