Internal and external forces such as globalization, global interconnectivity, automation, and other technological advancements are making today's supply chains highly sophisticated and complex. For organizations that produce, manufacture, or distribute products, there is often a high level of interdependence and connectivity with their suppliers, customers, and business partners.
Although the interconnectedness of these organizations can be beneficial (increased revenues, expanded market opportunities, and cost reduction), an organization's ability to meet its goals increasingly depends on events, processes, and controls that are not visible to it and are often beyond its control, such as a supplier's controls. That is why the demand for transparency in supply chains is now higher than ever before, and why this is the perfect time for you to help organizations assess their supply chain risks, evaluate the system controls within their manufacturing, production, or distribution systems, and communicate their supply chain management efforts to those with whom they do business.
Accountants and financial managers can also increase the credibility of the supply chain information communicated by the organization by providing an opinion on the organization's supply chain efforts. This guide enables the accountant and financial manager to examine and report on the description of a system for manufacturing, producing, and distributing goods, as well as on the controls within that system, using a dynamic, proactive, and agile approach. It shows how to conduct this examination in accordance with the attestation standards. The guide may also be helpful when providing readiness assessments to clients who are not quite ready for an examination-level service and need help to get there.
The guide also includes excerpts from the two distinct, but complementary sets of criteria developed by the AICPA to assist practitioners with SOC for Supply Chain engagements: the description criteria and the 2017 trust services criteria.
Table of Contents
1 Introduction and Background .01-.75
Introduction .01-.09
Intended Users of a SOC for Supply Chain Report .10-.16
Overview of a SOC for Supply Chain Examination .17-.19
Contents of the SOC for Supply Chain Report .20-.21
Defining the System to Be Examined .22-.34
The Entity’s System Objectives and Principal System Objectives .27-.28
Selecting the Trust Services Category or Categories to Be Addressed by the Examination .29-.33
Determining the Time Frame for the Examination .34
Other Engagement Considerations .35-.41
Considerations for Entities That Distribute Products .35-.38
Considerations for Entities That Bundle Services With Their Products .39-.40
Considerations for a Design-Only Examination .41
Matters Not Addressed by a SOC for Supply Chain Examination .42-.43
Criteria for a SOC for Supply Chain Examination .44-.62
Description Criteria .45-.47
Trust Services Criteria .48-.58
Evaluating the Entity's Principal System Objectives .59-.62
The Practitioner's Opinion in a SOC for Supply Chain Examination .63-.65
Other Types of SOC Examinations: SOC Suite of Services .66
Professional Standards .67-.74
Attestation Standards .68-.70
Code of Professional Conduct .71
Quality in the SOC for Supply Chain Examination .72-.74
Definitions .75
2 Accepting and Planning a SOC for Supply Chain Examination .01-.154
Introduction .01-.02
Understanding Entity Management’s Responsibilities .03-.10
Entity Management’s Responsibilities Prior to Engaging the Practitioner .04-.07
Entity Management’s Responsibilities During the Examination .08-.09
Entity Management’s Responsibilities During Engagement Completion .10
Responsibilities of the Practitioner .11
Engagement Acceptance and Continuance .12-.15
Independence .16-.19
Competence of Engagement Team Members .20-.24
Preconditions of the Engagement .25-.49
Determining the Appropriateness of the Subject Matter .26-.27
Identifying the Components of the System to be Examined .28-.30
Determining the Boundaries of the System Being Examined .31-.38
Determining Whether Entity Management is Likely to Have a Reasonable Basis for Its Assertion .39-.43
Assessing the Suitability and Availability of Criteria .44
Determining Whether the Entity’s Principal System Objectives Are Reasonable in the Circumstances .45-.49
Requesting a Written Assertion and Representations From Entity Management .50-.54
Agreeing on the Terms of the Engagement .55-.64
Accepting a Change in the Terms of the Examination .60-.64
Establishing an Overall Examination Strategy for and Planning the Examination .65-.69
Performing Risk Assessment Procedures .70-.106
Obtaining an Understanding of the Description of the Entity’s System and Control Effectiveness .71-.83
Assessing the Risks of Material Misstatement .84-.95
Considering Materiality During Planning .96-.106
Considering Entity-Level Controls .107-.111
Understanding the Internal Audit Function .112-.119
Planning to Use the Work of a Practitioner's Specialist .120-.126
Identifying Customer Responsibilities and Complementary Customer Controls .127-.133
Identifying Suppliers and Complementary Supplier Controls .134-.150
Suppliers Whose Controls Are Necessary for the Entity to Achieve Its Principal System Objectives .134-.135
Complementary Supplier Controls .136-.141
Using the Inclusive Method .142-.150
Planning to Use the Work of an Other Practitioner .151-.154
3 Performing the SOC for Supply Chain Examination .01-.199
Introduction .01
Designing Overall Responses to the Risk Assessment .02-.03
Designing and Performing Procedures .04
Obtaining Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria .05-.59
Disclosures Related to the Types of Goods Produced, Manufactured, or Distributed .17-.18
Disclosures About the Entity’s Principal System Objectives .19-.24
Disclosures About System Incidents .25-.28
Disclosures About Risks That May Have a Significant Effect on the Entity’s Production, Manufacturing, or Distribution .29-.30
Disclosures About Inputs to and Components of the System .31-.32
Disclosures About Individual Controls and the Applicable Trust Services Criteria .33-.41
Disclosures About Complementary Customer Controls .42-.43
Disclosures Related to Complementary Supplier Controls .44-.56
Disclosures About Nonrelevant Criteria .57
Disclosures About Significant Changes to the System During the Period .58-.59
Evaluating Description Misstatements Identified During the Examination .60-.67
Considering Whether the Description is Misstated or Otherwise Misleading .68-.69
Obtaining Evidence About the Suitability of the Design of Controls .70-.85
Multiple Controls Are Necessary to Address an Applicable Trust Services Criterion .77-.78
More Than One Control Addresses a Particular Risk .79
Procedures to Obtain Evidence About the Suitability of Design of Controls .80-.85
Evaluating Deficiencies in the Suitability of Design of Controls .86-.88
Obtaining Evidence About the Operating Effectiveness of Controls .89-.94
Designing and Performing Tests of Controls .91-.94
Nature of Tests of Controls .95-.110
Testing Review Controls .101-.102
Evaluating the Reliability of Information Produced by the Entity .103-.110
Timing of Tests of Controls .111-.112
Extent of Tests of Controls .113-.118
Testing Superseded Controls .119-.120
Using Sampling to Select Items to Be Tested .121-.125
Selecting Items to Be Tested .124-.125
Additional Risk Considerations Related to Suppliers and Business Partners .126-.136
Controls That Suppliers Expect the Entity to Implement .126-.131
Entity Controls for Addressing Supplier Risks .132-.133
Complementary Supplier Controls .134-.136
Considering Controls That Did Not Need to Operate During the Period Covered by the Examination .137
Identifying and Evaluating Deviations in the Effectiveness of Controls .138-.142
Materiality Considerations When Evaluating Deficiencies in the Effectiveness of Controls .143-.146
Using the Work of the Internal Audit Function .147-.153
Using the Work of a Practitioner's Specialist .154-.157
Revising the Risk Assessment .158-.162
Evaluating the Sufficiency and Appropriateness of Evidence .159-.160
Evaluating the Results of Procedures .161-.162
Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Effectiveness of Controls .163-.169
Known or Suspected Fraud or Noncompliance With Laws or Regulations .163-.165
Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .166-.169
Obtaining Written Representations .170-.183
Requested Written Representations Not Provided or Not Reliable .180-.181
Engaging Party is Not the Responsible Party .182
Representations From the Engaging Party When It is Not the Responsible Party .183
Subsequent Events and Subsequently Discovered Facts .184-.191
Subsequent Events Unlikely to Have an Effect on the Practitioner’s Report .191
Documentation .192-.196
Considering Whether Entity Management Should Modify Its Assertion .197-.199
4 Forming the Opinion and Preparing the Practitioner's Report .01-.91
Responsibilities of the Practitioner .01-.05
Forming the Practitioner's Opinion .06-.15
Concluding on the Sufficiency and Appropriateness of Evidence .08-.13
Expressing an Opinion on Each of the Subject Matters in the SOC for Supply Chain Examination .14-.15
Describing Tests of Controls and Results of Tests in the Practitioner’s Report .16-.28
Describing Tests of Controls and Results When Using the Internal Audit Function .24-.26
Describing Tests of the Reliability of Information Produced by the Entity .27-.28
Preparing the Practitioner’s SOC for Supply Chain Report .29-.40
Elements of the Practitioner’s Report .29
Restricting the Use of the Practitioner’s Report .30-.31
Reporting When There Are Complementary Customer Controls .32-.35
Reporting When There Are Complementary Supplier Controls .36-.40
Reporting When the Practitioner Assumes Responsibility for the Work of an Other Practitioner .41
Modifications to the Practitioner’s Opinion .42-.67
Qualified Opinion .50-.51
Adverse Opinion .52-.56
Scope Limitation .57-.61
Disclaimer of Opinion .62-.67
Report Paragraphs Describing the Matter Giving Rise to the Modification .68-.76
Illustrative Separate Paragraphs When There Are Material Misstatements in the Description .68-.73
Illustrative Separate Paragraph: Material Deficiencies in the Effectiveness of Controls .74-.76
Other Matters Related to the Practitioner's Report .77-.80
Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs .77-.78
Distribution of the Report by Management .79-.80
Practitioner's Recommendations for Improving Controls .81
Other Information Not Covered by the Practitioner's Report .82-.86
Illustrative Report .87-.88
Preparing a SOC for Supply Chain Report in a Design-Only Examination .89-.91
Supplement
A 2020 Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report
B 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
Appendix
A Information for Entity Management
B Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports
C Illustrative Management Assertion in a SOC for Supply Chain Examination
D Illustrative Accountant's Report for a SOC for Supply Chain Examination
E Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)
F Definitions
G Overview of Statements on Quality Control Standards
Index of Pronouncements and Other Technical Guidance
Subject Index