AICPA Assurance Services Executive Committee
Trust Information Integrity Task Force's Privacy Working Group
C/o Erin Mackler
Via email: email@example.com
Dear Task Force Members:
We are pleased to have the opportunity to provide feedback to the AICPA Assurance Services Executive Committee (ASEC) Trust Information Integrity Task Force's Privacy Working Group with respect to its recent Proposed Revision of Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy.
We welcome ASEC's efforts to update the criteria related to privacy in response to the rapidly changing technological environment. The services that CPAs can provide in assisting businesses and other entities both in understanding privacy controls and providing assurance to users of these entities’ services about private information, is vital. These improvements in standards will enable continued advancement of these services.
Baker Tilly is a large public accounting firm, currently ranked number 12 in the United States with approximately 290 partners and 2,500 team members, generally operating regionally, from Minneapolis to New York City. Our practice is varied, offering audit and assurance, tax, and consulting services to a broad array of clients. We have a large assurance service practice focusing on SOC 1 and SOC 2 reporting, as well as advising clients on effective design of information processing systems.
Our comments on the proposed revisions are:
- We support the revisions to the criteria to more clearly articulate the responsibilities of service organizations surrounding their vendor management procedures. However, with regards to P6.6, we feel the criteria are too far reaching. As it is currently worded, the criteria states “Unauthorized disclosures of personal information by vendors and other third parties, including breaches, are identified, reported to appropriate personnel….” To meet that criteria it appears service organizations would need to monitor and test the controls of their vendors and third parties. This seems impractical in many circumstances and inconsistent in situations when third parties are “carved out.” We recommend that the criteria be reworded to make the criteria require that service organizations have mechanisms to require their vendors and third parties to report unauthorized disclosures to them. We suggest this revised wording: “Procedures are in place to require vendors and other third parties to notify the entity of actual or suspected unauthorized disclosures of personal information which are then reported to appropriate personnel, and acted on in accordance with the entity’s established incident response procedures, privacy commitments, and system requirements.”
- In some cases the criteria wording could be interpreted differently by different practitioners and the supporting illustrative risks and controls do not provide sufficient examples for the practitioner to understand the intent of the criteria. In addition, in some circumstances the illustrative risks and controls are the same for multiple criteria. In those circumstances it may be possible to combine the criteria. We suggest further clarifying the criteria or adding additional illustrative risks and control examples for CC5.6, CC5.7, CC7.2, CC7.3, C1.7, P2.1, P3.1, P4.1, P4.2, P5.1, P5.2, P6.1, and P6.2.
We would be happy to discuss our comments in more detail if you have any questions. Please feel free to contact Jeff Krull at firstname.lastname@example.org or 215-557-2223.
Thank you for the opportunity to provide these comments on the proposed revisions. We appreciate the efforts of ASEC and the Task Force in proposing these revisions. We look forward to future issuance of the revised standards.
Baker Tilly Virchow Krause, LLP