Reporting on Systems Reliability

EXECUTIVE SUMMARY

* THE AICPA AND THE CICA HAVE JOINTLY INTRODUCED an assurance service, SysTrust, in which practitioners report on the reliability of an entity's systems. To earn an unqualified SysTrust report, a system must meet all of the 4 principles and 58 criteria.

* A SYSTEM IS AN INFRASTRUCTURE of hardware, software, people, procedures and data that--together in a business context--produces information. A reliable system operates without material error, fault or failure during a specified time in a specified environment.

* THE FOUR ESSENTIAL PRINCIPLES UNDERLYING reliable systems are availability, security, integrity and maintainability. For each there is a set of criteria that enables a practitioner to assess whether a system has achieved that particular principle.

* IN THE UNITED STATES, a SysTrust engagement is performed under AICPA Statement on Standards for Attestation Engagements no. 1, Attestation Standards. In Canada, the engagement is performed using standards found in the CICA Handbook.

* AN UNQUALIFIED SYSTRUST REPORT PROVIDES system users with assurance about system reliability. Management can gain confidence in its own internal systems. A report can also increase the confidence business partners have in each other's systems.

Introducing SysTrust, a new assurance service.

In today's increasingly interconnected economy, one company's glitch on Monday can be another's bad headline on Tuesday. It's not just a company's own systems that need to be reliable; the systems of suppliers, business partners and customers must also be dependable. In the drive to find new markets, reduce costs and provide better customer service, companies rely on each other's systems through outsourcing, partnerships and joint ventures. In response to concerns about unreliable systems, the AICPA and the Canadian Institute of Chartered Accountants jointly developed a new assurance service, SysTrust[SM], to provide assurance that a system is, in fact, reliable.
In a SysTrust engagement, accountants report on the availability, security, integrity and maintainability of a system. A SysTrust engagement includes a system description that delineates the boundaries of the system covered by the engagement, management's assertion about the system's underlying controls and an attestation report by a CPA that evaluates the system against specific criteria. To earn an unqualified opinion, a system must meet all of the SysTrust principles and criteria. (See exhibit 1, pages 76-79, for more details.)

Exhibit 1: SysTrust Principles and Criteria

Availability: The system is available for operation and use at times set forth in service-level statements or agreements.

A1) The entity has defined and communicated performance objectives, policies and standards for system availability.

A1.1 The system availability requirements of authorized users--and system availability objectives, policies and standards--are identified and documented.

A1.2 The documented system availability objectives, policies and standards have been communicated to authorized users.

A1.3 The documented system availability objectives, policies and standards are consistent with the system availability requirements specified in contractual, legal and other service-level agreements and applicable laws and regulations.

A1.4 Responsibility and accountability for system availability have been assigned.

A1.5 Documented system availability objectives, policies and standards are communicated to entity personnel responsible for implementing them.

A2) The entity utilizes procedures, people, software, data and infrastructure to achieve system availability objectives in accordance with established policies and standards.

A2.1 Acquisition, implementation, configuration and management of system components related to system availability are consistent with documented system availability objectives, policies and standards. …