What are the AICPA Trust Services Criteria?

The AICPA Trust Services Criteria (TSC) are a set of control criteria used to evaluate the suitability of an organization's controls over its systems. They cover five categories: security (common criteria), availability, processing integrity, confidentiality, and privacy. These criteria form the basis for SOC 2 examinations.

Who needs to comply with AICPA professional standards?

CPA firms, accounting practices, and attestation service providers must comply with AICPA professional standards. This includes firms performing audits, reviews, compilations, and other attestation engagements, as well as any firm that issues SOC reports or handles confidential client financial data.

What is SSAE 18 and how does it relate to SOC 2?

SSAE 18 (Statement on Standards for Attestation Engagements No. 18) is the AICPA standard that governs attestation engagements, including SOC examinations. SOC 2 reports are issued under SSAE 18 and evaluate an organization's controls against the Trust Services Criteria.

How often should CPA firms review their quality management systems?

Under SQMS No. 1 (Statement on Quality Management Standards), CPA firms must establish, implement, and operate a system of quality management and evaluate it at least annually. Firms should also monitor and remediate deficiencies on an ongoing basis throughout the year.

Trust Services Criteria & Professional Standards

AICPA standards: your clients trust you with their numbers and their data

CPA firms handle some of the most sensitive financial data in existence. The AICPA's professional standards, Trust Services Criteria, and quality management requirements set the bar for how that data must be protected. BlackSheep maps every control so your firm stays compliant and SOC 2 ready.

Start Free Trial See the requirements

$249/month · All frameworks included · No credit card to start

Security controls

Control categories

Trust Services Criteria

Annual

Quality management review

Six categories of AICPA security requirements

Built on the Trust Services Criteria, AICPA Code of Professional Conduct, and Statement on Quality Management Standards (SQMS No. 1).

Governance & Ethics

aicpa-gov · 14 controls

Code of Professional Conduct compliance
Independence & objectivity requirements
Quality management system (SQMS No. 1)
Firm governance & leadership responsibilities
Ethical conflict resolution procedures
Tone at the top & accountability

Access & Authentication

aicpa-acc · 11 controls

Logical access controls over client data
Multi-factor authentication for systems
Role-based access & least privilege
User provisioning & deprovisioning
Session management & timeout policies
Privileged access monitoring

Data Protection & Privacy

aicpa-data · 13 controls

Client confidentiality safeguards
Encryption of financial data at rest & in transit
Data classification & handling procedures
Privacy notice & consent management
Retention & secure disposal policies
Cross-border data transfer controls

Operations & Monitoring

aicpa-ops · 10 controls

System availability & processing integrity
Change management procedures
Continuous monitoring & logging
Backup & recovery testing
Capacity planning & performance monitoring
Engagement quality reviews

Incident Response & Recovery

aicpa-ir · 8 controls

Security incident identification & escalation
Breach notification to affected clients
Business continuity planning
Disaster recovery procedures
Post-incident analysis & remediation
Regulatory notification obligations

Vendor & Third-Party Management

aicpa-vendor · 9 controls

Third-party risk assessment process
Vendor due diligence & selection criteria
Service-level agreements & monitoring
Subservice organization oversight (SOC 1/2)
Cloud provider security evaluation
Contract termination & data return

Does AICPA apply to your firm?

CPA Firms & Accounting Practices

Any firm with licensed CPAs performing audit, assurance, tax, or advisory services. AICPA membership requires adherence to the Code of Professional Conduct, and peer review obligations apply to firms performing attestation engagements.

Public accounting firms
Regional & local CPA practices
Sole practitioners with CPA license
Firms performing compilations & reviews
Tax preparation practices

Attestation Service Providers

Organizations that issue SOC 1, SOC 2, or SOC 3 reports, or perform other attestation engagements under SSAE 18. These firms must meet the Trust Services Criteria themselves while evaluating others against the same standards.

SOC examination firms
IT audit & assurance providers
Financial statement auditors
Compliance attestation providers
Peer review administrators

Advisory & Consulting Firms

CPA firms offering advisory services including cybersecurity risk management, forensic accounting, and business consulting. These practices must maintain independence, confidentiality, and data protection standards regardless of engagement type.

Cybersecurity advisory practices
Forensic accounting firms
Business valuation services
Litigation support providers
Management consulting with client data

Common questions about AICPA compliance

What is the difference between SOC 1 and SOC 2?

SOC 1 reports focus on internal controls over financial reporting (ICFR) and are relevant to organizations that process financial transactions for clients. SOC 2 reports evaluate controls against the Trust Services Criteria — security, availability, processing integrity, confidentiality, and privacy. Most technology and service organizations need SOC 2.

What are the five Trust Services Criteria categories?

Security (the common criteria, required for every SOC 2), availability (systems are operational and accessible as committed), processing integrity (system processing is complete, valid, and authorized), confidentiality (information designated as confidential is protected), and privacy (personal information is collected, used, and retained properly). Security is always included; the other four are selected based on the engagement.

What changed with SQMS No. 1 for quality management?

SQMS No. 1 replaced the older QC Section 10 and moved from a policies-and-procedures approach to a risk-based quality management system. Firms must now identify quality risks, design responses, monitor effectiveness, and evaluate their system annually. It applies to all firms performing engagements under AICPA professional standards, effective since December 15, 2025.

How does the AICPA Code of Professional Conduct affect cybersecurity?

The Code requires confidentiality of client information (Rule 1.700.001), which directly creates cybersecurity obligations. If a firm cannot demonstrate adequate safeguards for client data — encryption, access controls, incident response — it risks violating the Code. The confidentiality requirement extends to electronic systems, cloud storage, and third-party services.

Do small CPA firms need to follow these standards?

Yes. AICPA professional standards apply to all member firms regardless of size. The implementation may be scaled — a sole practitioner will have simpler controls than a Top 25 firm — but the obligations around client confidentiality, data protection, and quality management are the same. Small firms are frequently targeted precisely because attackers assume weaker defenses.

Related frameworks

IRS Publication 4557

Tax professional security requirements including WISP mandates and identity theft prevention for firms handling taxpayer data.

NIST CSF 2.0

The cybersecurity framework that underpins many SOC 2 control implementations and maps directly to Trust Services Criteria.

CIS Controls v8.1

Prioritized security controls that provide a practical implementation path for AICPA Trust Services Criteria requirements.

Your clients trust you with their financials. Prove you deserve it.

Track every Trust Services Criteria control, document your quality management system, and keep your firm SOC 2 ready. BlackSheep maps the full AICPA framework so nothing gets missed.

Start Free Trial

$249/month. 30-day money-back guarantee.