+353-1-416-8900REST OF WORLD
+44-20-3973-8888REST OF WORLD
1-917-300-0470EAST COAST U.S
1-800-526-8630U.S. (TOLL FREE)

SOC for Supply Chain. Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System, 2020. Edition No. 1. AICPA

  • Book

  • 368 Pages
  • August 2020
  • John Wiley and Sons Ltd
  • ID: 5838073

Internal and external forces such as globalization, global interconnectivity, automation, and other technological advancements are making today's supply chains highly sophisticated and complex. For organizations that produce, manufacture or distribute products, there's often a high level of interdependence and connectivity with their suppliers and their customers and business partners.

Although the interconnectedness of these organizations can be beneficial (increased revenues, expanded market opportunities, and cost reduction), the ability of organizations to meet their goals is often increasingly dependent on events, processes, and controls that are not visible and are often beyond their control - such as a supplier's controls. That's why the demand for transparency in supply chains is now higher than ever before, and why this is the perfect time for you to help organizations assess their supply chain risks, evaluate the system controls within their manufacturing, production, or distribution systems, and communicate their supply chain management efforts to those with whom they do business.

Accountants and financial managers can also increase the credibility of the supply chain information communicated by the organization by providing an opinion on the organization's supply chain efforts. This guide enables the accountant and financial manager to examine and report on the description of a system for manufacturing, producing and distributing goods as well as on the controls within that system using a dynamic, proactive, and agile approach. It will show how to conduct this examination in accordance with the attestation standards. The guide may also be helpful when providing readiness assessments to clients, who are not quite ready for an examination level service and need help to get there.

The guide also includes excerpts from the two distinct, but complementary sets of criteria developed by the AICPA to assist practitioners with SOC for Supply Chain engagements: the description criteria and the 2017 trust services criteria.

Table of Contents

1 Introduction and Background .01-.75

Introduction .01-.09

Intended Users of a SOC for Supply Chain Report .10-.16

Overview of a SOC for Supply Chain Examination .17-.19

Contents of the SOC for Supply Chain Report .20-.21

Defining the System to Be Examined .22-.34

The Entity’s System Objectives and Principal System Objectives .27-.28

Selecting the Trust Services Category or Categories to Be Addressed by the Examination .29-.33

Determining the Time Frame for the Examination .34

Other Engagement Considerations .35-.41

Considerations for Entities That Distribute Products .35-.38

Considerations for Entities That Bundle Services With Their Products .39-.40

Considerations for a Design-Only Examination .41

Matters Not Addressed by a SOC for Supply Chain Examination .42-.43

Criteria for a SOC for Supply Chain Examination .44-.62

Description Criteria .45-.47

Trust Services Criteria .48-.58

Evaluating the Entity's Principal System Objectives .59-.62

The Practitioner's Opinion in a SOC for Supply Chain Examination .63-.65

Other Types of SOC Examinations: SOC Suite of Services .66

Professional Standards .67-.74

Attestation Standards .68-.70

Code of Professional Conduct .71

Quality in the SOC for Supply Chain Examination .72-.74

Definitions .75

2 Accepting and Planning a SOC for Supply Chain Examination .01-.154

Introduction .01-.02

Understanding Entity Management’s Responsibilities .03-.10

Entity Management’s Responsibilities Prior to Engaging the Practitioner .04-.07

Entity Management’s Responsibilities During the Examination .08-.09

Entity Management’s Responsibilities During Engagement Completion .10

Responsibilities of the Practitioner .11

Engagement Acceptance and Continuance .12-.15

Independence .16-.19

Competence of Engagement Team Members .20-.24

Preconditions of the Engagement .25-.49

Determining the Appropriateness of the Subject Matter .26-.27

Identifying the Components of the System to be Examined .28-.30

Determining the Boundaries of the System Being Examined .31-.38

Determining Whether Entity Management is Likely to Have a Reasonable Basis for Its Assertion .39-.43

Assessing the Suitability and Availability of Criteria .44

Determining Whether the Entity’s Principal System Objectives Are Reasonable in the Circumstances .45-.49

Requesting a Written Assertion and Representations From Entity Management .50-.54

Agreeing on the Terms of the Engagement .55-.64

Accepting a Change in the Terms of the Examination .60-.64

Establishing an Overall Examination Strategy for and Planning the Examination .65-.69

Performing Risk Assessment Procedures .70-.106

Obtaining an Understanding of the Description of the Entity’s System and Control Effectiveness .71-.83

Assessing the Risks of Material Misstatement .84-.95

Considering Materiality During Planning .96-.106

Considering Entity-Level Controls .107-.111

Understanding the Internal Audit Function .112-.119

Planning to Use the Work of a Practitioner's Specialist .120-.126

Identifying Customer Responsibilities and Complementary Customer Controls .127-.133

Identifying Suppliers and Complementary Supplier Controls .134-.150

Suppliers Whose Controls Are Necessary for the Entity to Achieve Its Principal System Objectives .134-.135

Complementary Supplier Controls .136-.141

Using the Inclusive Method .142-.150

Planning to Use the Work of an Other Practitioner .151-.154

3 Performing the SOC for Supply Chain Examination .01-.199

Introduction .01

Designing Overall Responses to the Risk Assessment .02-.03

Designing and Performing Procedures .04

Obtaining Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria .05-.59

Disclosures Related to the Types of Goods Produced, Manufactured, or Distributed .17-.18

Disclosures About the Entity’s Principal System Objectives .19-.24

Disclosures About System Incidents .25-.28

Disclosures About Risks That May Have a Significant Effect on the Entity’s Production, Manufacturing, or Distribution .29-.30

Disclosures About Inputs to and Components of the System .31-.32

Disclosures About Individual Controls and the Applicable Trust Services Criteria .33-.41

Disclosures About Complementary Customer Controls .42-.43

Disclosures Related to Complementary Supplier Controls .44-.56

Disclosures About Nonrelevant Criteria .57

Disclosures About Significant Changes to the System During the Period .58-.59

Evaluating Description Misstatements Identified During the Examination .60-.67

Considering Whether the Description is Misstated or Otherwise Misleading .68-.69

Obtaining Evidence About the Suitability of the Design of Controls .70-.85

Multiple Controls Are Necessary to Address an Applicable Trust Services Criterion .77-.78

More Than One Control Addresses a Particular Risk .79

Procedures to Obtain Evidence About the Suitability of Design of Controls .80-.85

Evaluating Deficiencies in the Suitability of Design of Controls .86-.88

Obtaining Evidence About the Operating Effectiveness of Controls .89-.94

Designing and Performing Tests of Controls .91-.94

Nature of Tests of Controls .95-.110

Testing Review Controls .101-.102

Evaluating the Reliability of Information Produced by the Entity .103-.110

Timing of Tests of Controls .111-.112

Extent of Tests of Controls .113-.118

Testing Superseded Controls .119-.120

Using Sampling to Select Items to Be Tested .121-.125

Selecting Items to Be Tested .124-.125

Additional Risk Considerations Related to Suppliers and Business Partners .126-.136

Controls That Suppliers Expect the Entity to Implement .126-.131

Entity Controls for Addressing Supplier Risks .132-.133

Complementary Supplier Controls .134-.136

Considering Controls That Did Not Need to Operate During the Period Covered by the Examination .137

Identifying and Evaluating Deviations in the Effectiveness of Controls .138-.142

Materiality Considerations When Evaluating Deficiencies in the Effectiveness of Controls .143-.146

Using the Work of the Internal Audit Function .147-.153

Using the Work of a Practitioner's Specialist .154-.157

Revising the Risk Assessment .158-.162

Evaluating the Sufficiency and Appropriateness of Evidence .159-.160

Evaluating the Results of Procedures .161-.162

Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Effectiveness of Controls .163-.169

Known or Suspected Fraud or Noncompliance With Laws or Regulations .163-.165

Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .166-.169

Obtaining Written Representations .170-.183

Requested Written Representations Not Provided or Not Reliable .180-.181

Engaging Party is Not the Responsible Party .182

Representations From the Engaging Party When It is Not the Responsible Party .183

Subsequent Events and Subsequently Discovered Facts .184-.191

Subsequent Events Unlikely to Have an Effect on the Practitioner’s Report .191

Documentation .192-.196

Considering Whether Entity Management Should Modify Its Assertion .197-.199

4 Forming the Opinion and Preparing the Practitioner's Report .01-.91

Responsibilities of the Practitioner .01-.05

Forming the Practitioner's Opinion .06-.15

Concluding on the Sufficiency and Appropriateness of Evidence .08-.13

Expressing an Opinion on Each of the Subject Matters in the SOC for Supply Chain Examination .14-.15

Describing Tests of Controls and Results of Tests in the Practitioner’s Report .16-.28

Describing Tests of Controls and Results When Using the Internal Audit Function .24-.26

Describing Tests of the Reliability of Information Produced by the Entity .27-.28

Preparing the Practitioner’s SOC for Supply Chain Report .29-.40

Elements of the Practitioner’s Report .29

Restricting the Use of the Practitioner’s Report .30-.31

Reporting When There Are Complementary Customer Controls .32-.35

Reporting When There Are Complementary Supplier Controls .36-.40

Reporting When the Practitioner Assumes Responsibility for the Work of an Other Practitioner .41

Modifications to the Practitioner’s Opinion .42-.67

Qualified Opinion .50-.51

Adverse Opinion .52-.56

Scope Limitation .57-.61

Disclaimer of Opinion .62-.67

Report Paragraphs Describing the Matter Giving Rise to the Modification .68-.76

Illustrative Separate Paragraphs When There Are Material Misstatements in the Description .68-.73

Illustrative Separate Paragraph: Material Deficiencies in the Effectiveness of Controls .74-.76

Other Matters Related to the Practitioner's Report .77-.80

Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs .77-.78

Distribution of the Report by Management .79-.80

Practitioner's Recommendations for Improving Controls .81

Other Information Not Covered by the Practitioner's Report .82-.86

Illustrative Report .87-.88

Preparing a SOC for Supply Chain Report in a Design-Only Examination .89-.91

Supplement

A 2020 Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report

B 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Appendix

A Information for Entity Management

B Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports

C Illustrative Management Assertion in a SOC for Supply Chain Examination

D Illustrative Accountant's Report for a SOC for Supply Chain Examination

E Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)

F Definitions

G Overview of Statements on Quality Control Standards

Index of Pronouncements and Other Technical Guidance

Subject Index