1999 Symposium on IS Assurance Panel Discussion on SysTrust

Abstract

This article reports on the 1999 symposium on information systems assurance panel discussion on SysTrust. The panelists' presentations were coordinated to elicit their views on information technology risks, systems reliability principles, and the role of assurance (e.g., SysTrust) from the perspective of the roles they represented. Section 5900 is the existing audit standard in Canada for reporting on design, existence and/or effectiveness of control procedures to achieve stated internal control objectives. It was designed to be undertaken by auditors at service organizations. However, unlike SysTrust, there is no uniform framework, no principles, and no criteria for such reports. Unlike SAS No. 70, there is no requirement under Section 5900 to assess the completeness of the stated internal control objectives. Despite inconsistencies in Section 5900 reporting, overall it does seem to have been a reasonably successful product. While the Section 5900 reporting may be inconsistent. There is a need for a recognized assurance standard that minimizes as much as possible any management bias. It seems that internal auditors would do well to consider recommending SysTrust for external assurance, and using it.