On Friday, October 3, 2014, the American Institute of Certified Public Accountants (AICPA) and CPA Canada communicated their intention to discontinue the SysTrust and SOC 3 SysTrust for Service Organizations seal programs. The decision goes into effect immediately. According to the announcement, this affects only the issuance of SysTrust and SOC 3 SysTrust for Service Organization seals and the related licensing of practitioners.
“Effective immediately, the AICPA and CPA Canada will no longer issue new licenses to practitioners to use, or the right of practitioners to permit its clients to use, the SysTrust or SOC 3 SysTrust for Service Organizations seals. Existing licenses will remain in effect until the end of their term, at which point they will not be renewed.
For SysTrust and SOC 3 SysTrust for Service Organization seals that have been issued under existing licenses, they will remain active through to their expiration date. For SysTrust and SOC 3 engagements currently in progress, including renewals of existing SysTrust and SOC 3 SysTrust for Service Organization seals, we will continue to issue seals through to December 31, 2014. After this date, practitioners who wish to continue their use of any SysTrust related marks should disclose to their clients that the seal program is no longer active nor is it supported by or associated with the AICPA and CPA Canada.”
After thorough analysis of seal licensing trends over the past few years and considering feedback obtained from practitioners, the AICPA and CPA Canada determined that the assurance benefits associated with administering the seal program did not outweigh the costs of the resources required to run the program. Ultimately, these factors led to the decision to discontinue the seal licensing program altogether.
Practitioners and service organizations may continue to execute and issue SOC 3 reports. The impact is limited only to the seal itself. SOC 3 remains a viable reporting option for service organizations that require a public-use report without restrictions. However, the AICPA and CPA Canada will no longer administer the official seal that service organizations make available on their website, nor will they maintain the list of service auditors registered with the AICPA and CPA Canada to issue such reports.
Service Organization To-Dos
If you currently obtain a SOC 3 report or are interested in doing so, make sure to talk with your service provider about these developments. As stated previously, the SOC 3 report option remains viable as a public-use report. Although the SysTrust or SOC 3 seal can no longer be obtained from the jointly administered AICPA and CPA Canada program, there are other appropriate options for advertising and distributing your public-use report. The process will be slightly different, but the net effect to the users of your SOC 3 report should be minimal. If you have questions about how this may apply to your company, contact Brian Thomas, partner in IT Advisory services, at firstname.lastname@example.org or 832-320-3280.