Guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System (AICPA)
Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System
SOC for Supply Chain March 1, 2020
© 2020 American Institute of Certified Public Accountants. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please email Copyright-Permissions@aicpa-cima.com with your request. Otherwise, requests should be written and mailed to Permissions Department, 220 Leigh Farm Road, Durham, NC 27707-8110 USA.
ISBN 978-1-94830-695-9
ISBN 978-1-119-72340-0
ISBN 978-1-948306-96-6
ISBN 978-1-119-72344-8
(ePub, ePDF, oBook, and print editions)
(As of March 1, 2020)
About AICPA Guides
This AICPA Guide, Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System, has been developed by members of the SOC for Supply Chain Working Group of the AICPA Assurance Services Executive Committee (ASEC) in conjunction with members of the Auditing Standards Board (ASB).
The purpose of the guide is to assist practitioners engaged to examine and report on a system that produces, manufactures, or distributes products, including controls over one or more of the following:
a. The security of the entity's system
b. The availability of the entity's system
c. The processing integrity of the entity's system
d. The confidentiality of the information that the entity's system processes or maintains for customers and business partners
e. The privacy of personal information that the entity's system collects, uses, retains, discloses, and disposes of for customers and business partners
An AICPA Guide containing attestation guidance is recognized as an interpretive publication as described in AT-C section 105, Concepts Common to All Attestation Engagements.[1] Interpretive publications are recommendations on the application of Statements on Standards for Attestation Engagements (SSAEs) in specific circumstances, including engagements for entities in specialized industries. Interpretive publications are issued under the authority of the ASB. The members of the ASB have found the attestation guidance in this guide to be consistent with existing SSAEs.
A practitioner should be aware of and consider the guidance in this guide applicable to his or her attestation engagement. If the practitioner does not apply the attestation guidance included in an applicable interpretive publication, the practitioner should document how the requirements of the SSAEs were complied with in the circumstances addressed by such attestation guidance.
Any attestation guidance in a guide appendix or exhibit (whether a chapter or back matter appendix or exhibit), though not authoritative, is considered an other attestation publication. In applying such guidance, the practitioner should, exercising professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the engagement. Although the practitioner determines the relevance of other attestation guidance, such guidance in a guide appendix or exhibit has been reviewed by the AICPA Audit and Attest Standards staff, and the practitioner may presume that it is appropriate.
The ASB and the Accounting and Review Services Committee (ARSC) are the designated senior committees of the AICPA authorized to speak for the AICPA on all matters related to attestation in their respective areas of responsibility. Conforming changes made to the attestation guidance contained in this guide are approved by the ASB chair (or his or her designee) and the director of the AICPA Audit and Attest Standards staff. Updates made to the attestation guidance in this guide exceeding that of conforming changes are issued after all ASB members have been provided an opportunity to consider and comment on whether the guide is consistent with the SSAEs.
AICPA Guides may include certain content presented as a "supplement," "appendix," or "exhibit." A supplement is a reproduction, in whole or in part, of authoritative guidance originally issued by a standard-setting body (including regulatory bodies) and is applicable to entities or engagements within the purview of that standard setter, independent of the authoritative status of the applicable AICPA Guide. Appendixes and exhibits are included for informational purposes and have no authoritative status.
Purpose and Applicability
As previously discussed, this guide provides guidance to practitioners engaged to examine and report on a system an entity uses to produce, manufacture, or distribute products.
In April 2016, the ASB issued SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, AT-C section 205, Examination Engagements, and AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. AT-C sections 105 and 205 establish requirements and application guidance for reporting on an entity's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy. AT-C section 320 includes requirements and application guidance that may be relevant for reporting on an entity's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy because certain underlying circumstances of the subject matter addressed in this guide are analogous to circumstances addressed in AT-C section 320.
The attestation standards enable a practitioner to report on subject matter other than historical financial statements. A practitioner may be engaged to examine and report on controls at an entity related to various types of subject matter (for example, controls that affect customers' financial reporting or the privacy of information processed for customers' customers).
Terms Used to Define Professional Responsibilities in This AICPA Guide
Any requirements described in this guide are normally referenced to the applicable standards or regulations from which they are derived. Generally, the terms used in this guide describing the professional requirements of the referenced standard setter (for example, the ASB) are the same as those used in the applicable standards or regulations (for example, "must" or "should").
Readers should refer to the applicable standards and regulations for more information on the requirements imposed by the use of the various terms used to define professional requirements in the context of the standards and regulations in which they appear.
Certain exceptions apply to these general rules, particularly in circumstances in which the guide describes prevailing or preferred industry practices for the application of a standard or regulation. In these circumstances, the applicable senior committee responsible for reviewing the guide's content believes the guidance contained herein is appropriate for the circumstances.
References to Professional Standards
In citing attestation standards and their related interpretations, references to standards that have been codified use section numbers within the codification of currently effective SSAEs and not the original statement number.
Examinations of System and Organization Controls: SOC Suite of Services
In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide relating to system-level controls of an entity or system- or entity-level controls of other organizations. Formerly, SOC referred to service organization controls, and such reports addressed controls around systems used to provide services. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations. This guide provides interpretive guidance for the relevant attestation standards used to report on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system. The engagement discussed in this guide is referred to as a SOC for Supply Chain examination. Other SOC engagements include the following:
a. SOC 1® — SOC for Service Organizations: ICFR. Service organizations may provide services that are relevant to their customers' internal control over financial reporting and, therefore, to the audit of financial statements. The requirements and guidance for performing and reporting on such controls are provided in AT-C sections 105 and 320. AICPA Guide Reporting on an Examination of Controls at an Entity Relevant to Customers' Internal Control Over Financial Reporting (SOC 1®) provides relevant interpretive guidance for the relevant standards to assist practitioners engaged to examine and report on controls at service organizations that are likely to be relevant to customers' internal control over financial reporting.
b. SOC 2® — SOC for Service Organizations: Trust Services Criteria. Some service organizations provide services that are relevant to controls other than internal control over financial reporting, for example, controls relevant to the security of a system or to the privacy of information processed by a system for customers. The requirements and guidance for performing and reporting on such engagements are provided in AT-C sections 105, 205, and 320. AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy provides interpretive guidance for the relevant attestation standards to assist practitioners engaged to examine and report on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system.
c. SOC 3® — SOC for Service Organizations: Trust Services Criteria for General Use Report. Although the requirements and guidance for performing a SOC 3® examination are similar to those for a SOC 2® examination, the reporting requirements are different. Because of the different reporting requirements, a SOC 2® report is appropriate only for specified parties with sufficient knowledge and understanding of the entity and the system, whereas a SOC 3® report is ordinarily appropriate for general use. AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy provides guidance to assist practitioners engaged to examine and report on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system.
d. SOC for Cybersecurity. As part of an entity's cybersecurity risk management program, an entity designs, implements, and operates cybersecurity controls. An engagement to examine and report on a description of the entity's cybersecurity risk management program and the effectiveness of controls within that program is a cybersecurity risk management examination. The requirements and guidance for performing a cybersecurity risk management examination and reporting on the results thereof are provided in AT-C sections 105, 205, and 320. AICPA Guide Reporting on an Entity's Cybersecurity Risk Management Program and Controls provides interpretive guidance for the relevant attestation standards to assist practitioners engaged to examine and report on the description of an entity's cybersecurity risk management program and the effectiveness of controls within that program.
This guide focuses on SOC for Supply Chain examinations. To help practitioners understand how this examination differs from several of the other SOC examinations, appendix B, "Comparison of SOC for Supply Chain Examination With a SOC 2® Examination and a SOC for Cybersecurity Examination and Related Reports," includes a table that compares the features of the three types of engagements.
Description Criteria for a Description of an Entity's System
In March 2020, ASEC issued description criteria for a description of an entity's system in a SOC for Supply Chain report. The criteria are codified in DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report (description criteria),[2] which are presented in supplement A. In establishing and developing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R, Implementing Resolutions Under Section 3.6 Committees,[3] designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105 indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable. Accordingly, these criteria are suitable criteria for preparing and evaluating a description of a system in a SOC for Supply Chain examination. ASEC has also published the description criteria and made them available to users. Therefore, the description criteria meet the requirements in paragraph .25bii of AT-C section 105 for criteria that are both suitable and available for use in an attestation engagement.
Trust Services Criteria
Codified as TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017 trust services criteria),[4] the trust services criteria were established by ASEC for use by practitioners when providing attestation or consulting services to evaluate controls relevant to the security, availability, or processing integrity of one or more systems, or the confidentiality or privacy of information processed by one or more systems, used by an entity. Entity management may also use the trust services criteria to evaluate the suitability of design and operating effectiveness of such controls.
In establishing and developing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105 indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable. Accordingly, these criteria are suitable criteria for evaluating controls in a SOC for Supply Chain examination. ASEC has also published the trust services criteria and made them available to users. Therefore, the trust services criteria meet the requirements in paragraph .25bii of AT-C section 105 for criteria that are both suitable and available for use in an attestation engagement.
Applicability of Quality Control Standards
QC section 10, A Firm's System of Quality Control,[5] addresses a CPA firm's responsibilities for its system of quality control for its accounting and auditing practice. A system of quality control consists of policies that a firm establishes and maintains to provide it with reasonable assurance that the firm and its personnel comply with professional standards, as well as applicable legal and regulatory requirements. The policies also provide the firm with reasonable assurance that reports issued by the firm are appropriate in the circumstances.
[3] All BL sections can be found in AICPA Professional Standards.
[4] All TSP sections can be found in AICPA Trust Services Criteria.
[5] The QC sections can be found in AICPA Professional Standards.
QC section 10 applies to all CPA firms with respect to engagements in their accounting and auditing practice. In paragraph .13 of QC section 10, an accounting and auditing practice is defined as
a practice that performs engagements covered by this section, which are audit, attestation, compilation, review, and any other services for which standards have been promulgated by the AICPA Auditing Standards Board (ASB) or the AICPA Accounting and Review Services Committee (ARSC) under the "General Standards Rule" (ET sec. 1.300.001) or the "Compliance With Standards Rule" (ET sec. 1.310.001) of the AICPA Code of Professional Conduct. Although standards for other engagements may be promulgated by other AICPA technical committees, engagements performed in accordance with those standards are not encompassed in the definition of an accounting and auditing practice.[6]
In addition to the provisions of QC section 10, readers should be aware of other sections within AICPA Professional Standards that address quality control considerations, including the following provisions that address engagement-level quality control matters for various types of engagements that an accounting and auditing practice might perform:
• AU-C section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards[7]
• AT-C section 105
Because of the importance of engagement quality, this guide includes an appendix, "Overview of Statements on Quality Control Standards." This appendix summarizes key aspects of the quality control standard. This summarization should be read in conjunction with QC section 10, AU-C section 220, AT-C section 105, and the quality control standards issued by the PCAOB, as applicable.
Recognition
Auditing Standards Board (2018–2019)
Michael J. Santay, Chair
Monique Booker
Jay Brodish
Dora Burzenski
Joseph S. Cascio
Lawrence Gill
Audrey A. Gramling
Gaylen R. Hansen
Tracy Harding
Jan Herringer
Ilene Kassman
Kristen A. Kociolek
Alan Long
Sara Lord
Marcia L. Marien
Richard Miller
Daniel D. Montgomery
Jere G. Shawver
Chad Singletary
This guide was approved by a majority of ASB members.
Assurance Services Executive Committee (2018–2019)
Jim Burton, Chair
Bradley Ames
Christine M. Anderson
Mary Grace Davenport
Chris Halterman
Jennifer Haskell
Elaine Howle
Bryan Martin
Brad Muniz
Dyan K. Rohal
Miklos Vasarhelyi
SOC for Supply Chain Working Group
Chris Halterman, Chair
Neal Beggan
Mark Burnette
Jacqueline Easton
Forrest Frazier
Tom Haberman
Jackie Hensgen
Kim Koch
Chris Kradjan
Lev Lesokhin
Heather Paquette
Binita Pradhan
Soma Sinha
Rod Smith
Jeff Trent
Greg Witte
David Wood
AICPA Staff
Robert Dohrer, Chief Auditor, Audit and Attestation Standards
Amy Pawlicki, Vice President, Assurance and Advisory Innovation
Mimi Blanco-Best, Associate Director—Attestation Methodology and Guidance, Assurance and Advisory Innovation
Nisha Gordhan, Lead Manager, Product Management and Development
AICPA.org Website
The AICPA encourages you to visit its website at aicpa.org and the Financial Reporting Center at www.aicpa.org/frc. The Financial Reporting Center supports members in the execution of high-quality financial reporting. Whether you are a financial statement preparer or a member in public practice, this center provides exclusive member-only resources for the entire financial reporting process and provides timely and relevant news, guidance, and examples supporting the financial reporting process. Another important focus of the Financial Reporting Center is keeping those in public practice up to date on issues pertaining to preparation, compilation, review, audit, attestation, assurance, and advisory engagements. Certain content on the AICPA's websites referenced in this guide may be restricted to AICPA members only.
TABLE OF CONTENTS
Accepting and Planning a SOC for Supply Chain Examination—continued
Determining the Boundaries of the System Being Examined
Determining Whether Entity Management Is Likely to Have a Reasonable Basis for Its Assertion
Determining Whether the Entity's Principal System Objectives Are Reasonable in the Circumstances
Requesting a Written Assertion and Representations From Entity Management
Suppliers Whose Controls Are Necessary for the Entity to Achieve Its Principal System Objectives
Performing the SOC for Supply Chain Examination—continued
Disclosures About the Entity's Principal System
Disclosures About System Incidents
Disclosures About Risks That May Have a Significant Effect on the Entity's Production, Manufacturing, or Distribution
Disclosures About Inputs to and Components of the System
Disclosures About Significant Changes to the System
Obtaining Evidence About the Operating Effectiveness of Controls
Performing the SOC for Supply Chain Examination—continued
Considering Controls That Did Not Need to Operate During the Period Covered by the Examination .137
Identifying and Evaluating Deviations in the Effectiveness of Controls .138-.142
Materiality Considerations When Evaluating Deficiencies in the Effectiveness of Controls
Using the Work of the Internal Audit Function
Using the Work of a Practitioner's Specialist
Revising the Risk Assessment
Evaluating the Sufficiency and Appropriateness of Evidence
Evaluating the Results of Procedures .161-.162
Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Effectiveness of Controls
Known or Suspected Fraud or Noncompliance With Laws or Regulations .163-.165
Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies
Obtaining Written Representations
Requested Written Representations Not Provided or Not Reliable
Engaging Party Is Not the Responsible Party
Representations From the Engaging Party When It Is Not the Responsible Party
Subsequent Events and Subsequently Discovered Facts
Subsequent Events Unlikely to Have an Effect on the Practitioner's Report
Considering Whether Entity Management Should Modify Its Assertion
Forming the Practitioner's Opinion
Concluding on the Sufficiency and Appropriateness of Evidence
Expressing an Opinion on Each of the Subject Matters in the SOC for Supply Chain Examination
Describing Tests of Controls and Results of Tests in the Practitioner's Report
Describing Tests of Controls and Results When Using the Internal Audit Function
Forming the Opinion and Preparing the Practitioner's Report—continued
Describing Tests of the Reliability of Information Produced by the Entity
Reporting When the Practitioner Assumes Responsibility for the Work of an Other Practitioner
Illustrative Separate Paragraphs When There Are Material Misstatements in the Description
Illustrative Separate Paragraph: Material Deficiencies in the Effectiveness of Controls
2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report
2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
Information for Entity Management
B Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports
C Illustrative Management Assertion in a SOC for Supply Chain Examination
D Illustrative Accountant's Report for a SOC for Supply Chain Examination
E Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)
F Definitions
G Overview of Statements on Quality Control Standards
Index of Pronouncements and Other Technical Guidance
Subject Index
Introduction and Background
This chapter explains the relationship between an entity[1] that produces, manufactures, or distributes products and its suppliers, customers, and business partners; provides examples of such entities and the products they produce, manufacture, or distribute; explains the relationship between the products and the system that produces, manufactures, or distributes them; describes the components of the system and its boundaries; identifies the criteria used to evaluate a description of an entity's system (description criteria); and identifies the criteria (applicable trust services criteria) used to evaluate whether controls stated in the description, which are necessary to provide reasonable assurance that an entity achieved its principal system objectives, were effective. This chapter also provides an overview of a SOC for Supply Chain examination and the standards under which the examination is performed. In addition, it provides an overview of other SOC services.
Introduction
1.01 Manufacturing is the production of goods or products[2] for use or sale using labor and machines, tools, chemical and biological processing, or formulation. The term manufacturing is most commonly applied to industrial production, in which inputs such as raw materials and components are transformed into finished goods on a large scale. Finished goods may be sold directly to (a) end users (for example, medical devices sold to health systems); (b) other manufacturers who produce other, more complex products (for example, aircraft, household appliances, furniture, sports equipment, or automobiles); or (c) wholesalers, who in turn sell the goods to retailers, who then sell them to end users and consumers.
1.02 A manufacturing (or production) process refers to the steps through which inputs are transformed into a finished good. The manufacturing process begins with the product design and materials specification from which the product is made. The raw materials (including components) are then modified through manufacturing processes to become the finished good.
1.03 Once the goods are manufactured or produced, entities may use systems to distribute the products to customers (for example, an entity[3] that distributes feature films or game DVDs). In contrast, entities may contract with a third-party logistics company to manage the distribution of their products (for example, an airbag manufacturer that contracts with a company to manage its inventory shipment of replacement airbag components to auto repair shops).[4]
[1] Terms defined in appendix F, "Definitions," are italicized on first mention within the text of this guide.
[2] Throughout this guide, the terms goods and products are used interchangeably.
[3] As used in this guide, an entity produces or manufactures goods or provides distribution services for goods.
[4] Paragraph 1.35 provides considerations to help a practitioner determine whether to use the guidance in this guide or that in AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy when engaged to examine and opine on a system and controls of a distributor.
1.04 Distribution companies are entities that use systems to distribute goods produced or manufactured by others. In some cases, they may repackage goods produced or manufactured by others before transporting them to the final customers. In other cases, they may only provide transportation services for products manufactured or produced by others (for example, an express shipping company).
1.05 Examples of entities that may produce, manufacture, or distribute products include the following:
• Producers. Producers include entities that extract raw materials through operations that remove metals, minerals, and aggregates from the earth (such as oil and gas extraction, mining, dredging, and quarrying); produce food, feed, fiber, and other products by the cultivation of certain plants and the raising of domesticated animals (livestock); and develop software for on-site installation.
• Manufacturers. Manufacturers include entities that transform raw materials or components into other components or finished goods for use or sale using labor and machines, tools, chemical and biological processes, fabrication, or formulation. The components or finished goods may be sold to other manufacturers for the production of other products such as aircraft, computers or computer parts, household appliances, furniture, sports equipment, or automobiles. In other cases, the finished goods may be sold to wholesalers that, in turn, sell them to retailers that then sell them to end users and consumers. Manufacturers include contract manufacturers that outsource manufacturing for other entities.
• Commercial software developers. Commercial software developers are entities that develop and sell commercial software. Commercial software developers are distinguished from software development service providers that are engaged to create, modify, and implement software to meet a particular entity's needs based on a contract for services. The system that provides software development services is best addressed by a SOC 2® examination.
• Distribution companies. Distribution companies include entities that provide or manage all or a significant part of another entity's logistics, including one or a combination of the following: inbound freight, customs, warehousing, inventory management, order fulfillment (including picking and repackaging of items), distribution, or outbound freight. Such companies include third-party logistics (3PL or TPL) companies.
1.06 Due to rapid technological advancement, the production, manufacturing, or distribution of products often involves a high level of interdependence and connectivity between the entity and (a) organizations that supply raw materials or components for the manufacturing process (suppliers)[5] and (b) its customers and business partners. These relationships are often considered part of the supply chain. A supply chain is a system of organizations, people, activities, information, and resources involved in moving a product from supplier to customer. Supply chain activities involve the transformation of natural resources, raw materials, and components into finished goods. In sophisticated supply chain systems, used products may reenter the supply chain at any point where residual value is recyclable.
[5] In this guide, a supplier is an individual or business (and its employees) that provides products (such as raw materials, components, or other goods) or services to a producer, manufacturer, or distributor (an entity). A service provider, for example, is a specific type of supplier that provides services to an entity.
1.07 Although these relationships may increase revenues, expand market opportunities, and reduce costs for the entity, they also result in additional risks to the suppliers, customers, and business partners with whom the entity does business. Accordingly, those suppliers, customers, and business partners are responsible for identifying, evaluating, and addressing those additional risks as part of their supply chain risk management programs. Such risks may threaten the entity's ability to do the following:
• Provide products that meet the principal product performance specifications.
• Meet delivery and quality commitments and other requirements.
• Meet production, manufacturing, or distribution commitments and requirements.
1.08 For that reason, suppliers, customers, and business partners expect entity management to establish operational and compliance objectives. Such objectives, which are referred to within this guide as system objectives, may also change over time because of changing risks and changing laws and regulations.
1.09 To identify, assess, and address the risks arising from interactions between the entity and the system it uses to produce, manufacture, or distribute products, suppliers, customers, and business partners usually need information about the design, operation, and effectiveness of controls[6][7] within the system. To support their risk assessments, suppliers, customers, or business partners may request an attestation report from the entity. Such a report is the result of an attestation engagement in which a practitioner examines and opines on (a) whether the description of the entity's system that produces, manufactures, or distributes products (the description of the system or description) presents the system that was designed and implemented in accordance with the description criteria[8] and (b) whether the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives,[9] were effective throughout the period, based on the applicable trust services criteria.[10] This examination, referred to as a SOC for Supply Chain examination, or the examination, is the subject of this guide.
[6] In this guide, controls are policies and procedures that are part of the entity's system. The objective of an entity's system is to provide reasonable assurance that system objectives are achieved. System objectives are discussed further beginning at paragraph 1.59.
[7] Throughout this guide, the term effectiveness (as it relates to controls) encompasses both the suitability of design and the operating effectiveness of controls to provide reasonable assurance that system objectives are achieved.
[8] The description criteria are discussed further beginning at paragraph 1.44.
[9] The objective of an entity's system is to provide reasonable assurance that the entity's system objectives are achieved. System objectives are discussed further beginning at paragraph 1.59.
[10] Supplement B of this guide presents an excerpt from TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the 2017 trust services criteria), which includes the criteria used to evaluate the effectiveness of controls relevant to the trust services category or categories included within the scope of a specific examination. The use of these criteria, referred to as the applicable trust services criteria, is discussed further beginning in paragraph 1.44. All TSP sections can be found in AICPA Trust Services Criteria.
Intended Users of a SOC for Supply Chain Report
1.10 A SOC for Supply Chain report is designed to provide intended users with information about a system an entity uses to produce, manufacture, or distribute products and the effectiveness of controls within that system (that is, controls related to one or more of the applicable trust services categories: security, availability, processing integrity, confidentiality, or privacy) to provide reasonable assurance that the entity's principal system objectives are achieved based on the applicable trust services criteria. The report is also designed to provide intended users with information they may use to identify, assess, and manage the risks that arise from their relationships with the entity.
1.11 A SOC for Supply Chain report is intended for use by those who have sufficient knowledge and understanding of the entity; the products it produces, manufactures, or distributes; and the system that produces, manufactures, or distributes them. The expected knowledge of intended users ordinarily includes the following:
a. The nature of the goods produced, manufactured, or distributed by the entity
b. Internal control and its limitations
c. The applicable trust services criteria
d. The risks that may threaten the achievement of the entity's principal system objectives and how controls address those risks
1.12 Without such knowledge, intended users are likely to misunderstand the content of the report, the assertions made by entity management, and the practitioner's opinion, all of which are included in the SOC for Supply Chain report. For that reason, the practitioner's report is required to be restricted to intended users who possess that knowledge. Restricting the use of a practitioner's report in a SOC for Supply Chain examination is discussed beginning in paragraph 4.30. In addition, entity management and the practitioner ordinarily would agree on the intended users of the report.
1.13 In a SOC for Supply Chain report, the following intended users are presumed to have the knowledge identified in paragraph 1.11:
a. Business customers, including immediate customers or similar business entities further down the supply chain, that do the following:
i. Use the system's products as components of their production and manufacturing systems (for example, production machinery)
ii. Use the system's products as inputs to their products (for example, computers used in automobiles)
iii. Use the system's products as a part of their service delivery (for example, IV bags used by a hospital)
iv. Resell the products
v. Rely on a physical distribution system for products used as inputs to products
Business customers need information about the entity's system, including the nature and effectiveness of controls within that system, to understand the entity's controls and to determine whether those controls, in addition to their own controls, are sufficient to mitigate their business risks.
b. Business partners that
i. are dependent on the entity for sales of the business partners' goods or
ii. license the use of the business partners' intellectual property to the entity.
Business partners may include affiliated organizations that are customers or suppliers of the entity. Business partners need information about the entity's system and the controls within that system to manage and assess the risks associated with doing business with the entity.
1.14 Intended users may also include entity personnel, practitioners providing services to the entity's customers and business partners, and regulators who have sufficient knowledge and understanding as discussed in paragraph 1.11.
1.15 Parties other than those identified in paragraphs 1.13–.14 may also have the requisite knowledge and understanding identified in paragraph 1.11. For example, prospective customers and business partners may have gained such knowledge while performing their supplier selection processes or while assessing a supplier's compliance with regulatory requirements. In addition, nonregulatory standard-setting bodies consisting of business customers or business partners that represent their membership (for example, industry consortiums) may also have the requisite knowledge. If they have the requisite knowledge, prospective customers and business partners and nonregulatory standard-setting bodies may be intended users of the report.
1.16 As previously discussed, the SOC for Supply Chain report has been designed to meet the common information needs of intended users described in this section. However, nothing precludes the practitioner from restricting the use of the practitioner's report to a smaller subset of intended users.
Overview of a SOC for Supply Chain Examination
1.17 The practitioner performs a SOC for Supply Chain examination in accordance with AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements.[11] Those standards establish performance and reporting requirements for the examination. According to those standards, an attestation examination is predicated on the concept that a party other than the practitioner (the responsible party) makes an assertion about whether the subject matter is measured or evaluated in accordance with suitable criteria. An assertion is any declaration or set of declarations about whether the subject matter is in accordance with, or based on, the criteria.
1.18 In a SOC for Supply Chain examination, entity management is usually the responsible party. However, in certain situations, there may be other responsible parties.[12] As the responsible party, entity management prepares the description of the entity's system that is included in the SOC for Supply Chain report. In addition, the practitioner should request from entity management a written assertion about the measurement or evaluation of the subject matter against the criteria.[13] Management's written assertion, which is included in the SOC for Supply Chain report, addresses whether (a) the description of the entity's system is presented in accordance with the description criteria and (b) the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period based on the applicable trust services criteria.
1.19 The practitioner designs and performs procedures to obtain sufficient appropriate evidence to support an opinion about whether (a) the description presents the system that was designed and implemented in accordance with the description criteria and (b) the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period based on the applicable trust services criteria. As discussed beginning in paragraph 1.20, the practitioner also presents, in a separate section of the report, a description of the practitioner's tests of controls and the results thereof.
Contents of the SOC for Supply Chain Report
1.20 A SOC for Supply Chain examination results in the issuance of a SOC for Supply Chain report. The SOC for Supply Chain report includes four key components:
1. Entity management's description of the system the entity uses to produce, manufacture, or distribute products in accordance with the description criteria
2. Entity management's assertion about whether, in all material respects,
a. the description of the entity's system is presented in accordance with the description criteria and
b. the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria
3. The practitioner's opinion about whether, in all material respects,
a. the description of the entity's system is presented in accordance with the description criteria and
b. the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective throughout the period, based on the applicable trust services criteria
4. The practitioner's description of the procedures performed and the results thereof[14, 15]
[12] If the entity uses a supplier and elects to use the inclusive method for preparing the description, supplier management is also a responsible party. Entity management's and the practitioner's responsibilities when the entity uses one or more suppliers and elects to use the inclusive method are discussed further in chapter 2, "Accepting and Planning a SOC for Supply Chain Examination."
[13] See paragraph .10 of AT-C section 205, Examination Engagements.
1.21 The practitioner's opinion is discussed beginning in paragraph 1.63, and the criteria used in the examination are discussed beginning in paragraph 1.44.
Defining the System to Be Examined
1.22 The subject matter of the examination discussed in this guide revolves around the system and related controls that the entity has designed, implemented, and operated to manufacture, produce, or distribute goods. The examination is flexible in terms of addressing any of the following:
• A system and controls that an entity uses to produce, manufacture, or distribute a physical product (for example, an airplane engine) or an intangible product (for example, a commercial off-the-shelf [COTS] application)
• Systems and controls that an entity uses to operate a production line
• Systems and controls that an entity uses to produce, manufacture, or distribute goods produced or manufactured within a specific facility or physical plant
1.23 Entity management is responsible for identifying the specific subject matter to be examined, which includes identifying the components of the system and the boundaries of the system to be examined. Entity management is also responsible for establishing its principal system objectives and selecting the trust services category or categories to be addressed by the examination, as well as selecting the period of time to be addressed. The following paragraphs provide a brief overview of each of these factors and how they might affect the subject matter of the engagement.
1.24 A system is defined as the infrastructure, software, procedures, and data that are designed, implemented, and operated by people to achieve one or more of the organization's specific objectives (for example, objectives that address the production or delivery of goods) in accordance with management-specified requirements. System components can be classified into the following five categories: (1) infrastructure, (2) software, (3) people, (4) data, and (5) procedures. For a manufacturing or production system, for instance, infrastructure would include the components of the manufacturing system and the processes by which they operate. Although inputs, such as raw materials, are not a component of the system, they are often necessary for a product to be produced or manufactured. For that reason, raw materials and other inputs (for example, purchased components) that are important in the production or manufacturing process are often disclosed in the description in addition to the components of the system.
[14] According to paragraph .A85 of AT-C section 205, the addition of procedures performed and the results thereof in a separate section of an examination report may increase the potential for the report to be misunderstood when taken out of the context of the knowledge of the requesting parties. For that reason, a practitioner's report that contains a description of procedures and results is usually restricted to intended users who are likely to understand it.
[15] A description of procedures performed and results thereof would not be included in a design-only examination. A design-only examination is discussed beginning at paragraph 1.41.
1.25 Determining the functions or processes that are outside the boundaries of the system being examined, and describing them in the description, is also necessary to prevent intended users from misunderstanding the description of the system and the practitioner's opinion. Therefore, if there is a risk that intended users might be confused about whether a specific function or process is part of the system being examined, the description needs to clarify which processes or functions are within the scope of the examination and which are not.
1.26 Understanding the components of the system to be examined and the boundaries thereof is also important to the practitioner because it affects how the subject matter will be evaluated against the criteria, the nature of the practitioner's examination procedures, and other matters. Describing the system to be examined is discussed in further detail beginning at paragraph 2.28; discussing the boundaries of the system is addressed beginning at paragraph 2.31. The following paragraphs provide guidance on other matters that might affect the subject matter of a specific engagement.
The Entity's System Objectives and Principal System Objectives
1.27 An entity adopts a mission and vision, sets strategies, and establishes objectives to help it meet its mission and vision based on its strategies. Management designs and implements individual production, manufacturing, or distribution systems to achieve certain specific objectives (referred to as system objectives) and designs and implements controls within the system to mitigate the risks that would prevent the entity from achieving those objectives.
1.28 A SOC for Supply Chain examination addresses the system objectives that could reasonably be expected to influence the relevant decisions of intended users. These system objectives, referred to as principal system objectives, typically relate to the category or categories addressed by the examination and to achieving commitments, specifications, or requirements. Management discloses its principal system objectives in the system description.
Selecting the Trust Services Category or Categories to Be Addressed by the Examination
1.29 In addition to identifying the components of the system, it is also necessary to consider which trust services category or categories are to be addressed by the examination. As discussed in paragraph 1.48, the trust services criteria are used to measure the effectiveness of controls in a SOC for Supply Chain examination. The examination can address any or all of the trust services categories of security, availability, processing integrity, confidentiality, or privacy. In most cases, the examination would address the category or categories that would best meet the information needs of intended users. Which category or categories are addressed in the description is often determined by considering the commitments the entity makes to its customers and business partners.
1.30 Because of increased dependence on technology and concerns about cybersecurity risks, security is likely to be addressed in most examinations performed using the trust services criteria. Often, customers and business partners of an entity are also interested in the effectiveness of controls over availability because such controls may be integral to meeting their commitments. For instance, a customer that relies on airbags manufactured by the entity is likely to want information about the processes and controls the entity has designed and implemented and operates to achieve the availability commitments it makes to its customers. For those reasons, a SOC for Supply Chain examination that addresses both security and availability is likely to meet the information needs of intended users as a group.
1.31 In some cases, intended users may also be interested in the processing integrity of the system the entity uses to produce, manufacture, or distribute goods, including the processing integrity of the components of that system (for example, hardware, tooling, software, and information). Processing integrity addresses system controls that mitigate the risk that the entity's system objectives will not be achieved because of failures in the production process. Assume that a product contains embedded logic (for example, firmware of an embedded computer) necessary to achieve one or more of the entity's principal system objectives, and the embedded logic is the subject of ongoing service commitments the entity makes to its customers and business partners. In that case, intended users may be interested in the process and controls the entity has designed and implemented and operates to achieve the processing integrity of the system, which includes the parts of the production system that are part of the products themselves (for example, microcode in a CPU chip). In that situation, an examination that addresses processing integrity, in addition to security and availability, may best meet the needs of those intended users.
1.32 When an entity uses proprietary customer information or personal information in the production process, intended users may also be interested in controls over that information. In this case, an examination that also addresses confidentiality or privacy may best meet users' needs.
1.33 In other situations, the omission of a category that is likely to be important to report users may result in a misleading report. For example, the practitioner may become aware that report users are primarily concerned about cybersecurity risks arising from the interconnection of the entity's system with users' systems. If entity management asked for a report addressing only the availability category, such a report could be misunderstood by users, who would expect the examination to address controls designed, implemented, and operated by the entity to mitigate its cybersecurity risks, not only those that threaten the achievement of the entity's availability commitments. In this situation, the practitioner might conclude that an examination addressing only the availability category is likely to be misleading to report users and decide to decline the engagement.
Determining the Time Frame for the Examination
1.34 Paragraph .A1 of AT-C section 105 states that the subject matter of an attestation examination may be "as of a point in time" or "for a period of time." Entity management is responsible for determining the time frame to be addressed by the examination. Generally, a SOC for Supply Chain examination addresses the effectiveness of controls over a specified period of time. In addition, the guidance in this guide is based on the assumption that the period of time over which the effectiveness of controls will be evaluated is the same period of time addressed by the description of the entity's system.
Other Engagement Considerations
Considerations for Entities That Distribute Products
1.35 When an entity distributes products, professional judgment is necessary to determine whether the system and controls over the distribution process would be best addressed by the examination described in this guide or by a SOC 2® examination.[16] Perhaps the most important consideration when making this determination is whether the physical distribution of the products is in any way transformative.
1.36 As an example, consider a wholesaler that receives products from multiple manufacturers, assembles the products into surgical kits, and distributes them to hospitals for use in specific types of surgeries. In this example, the wholesaler has transformed those products prior to distribution, and the system controls over the receipt, storage, repackaging, and transportation of the products are likely to have more in common with controls within a manufacturer's system than with controls within a service provider's system. Therefore, in this example, the system that distributes the products would ordinarily be better addressed by a SOC for Supply Chain examination than by a SOC 2® examination. This approach is also more likely to meet the information needs of report users, who are likely to benefit more from SOC for Supply Chain reports from producers, manufacturers, and distribution companies when making decisions related to users' supply chain risk management programs.
1.37 In other situations, a distributor may provide only transportation and delivery of goods produced or manufactured by others or may electronically distribute manufactured software produced by others. In these situations, the system and controls used to provide the distribution services are likely to have more in common with the systems and controls used by a service provider than with the systems and controls used to produce or manufacture products. Therefore, a SOC 2® examination may better address the system and controls used to provide the distribution services.
1.38 When making this decision, entity management and the practitioner would carefully consider the facts and circumstances of the engagement, the type of distribution services provided by the entity, the transformative nature of such services, and the information needs of intended users before deciding whether to examine and report on such systems and controls in accordance with the guidance in this guide or in accordance with the guidance for a SOC 2® examination. Appendix B, "Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports," compares certain characteristics of the three examinations and related reports.
Considerations for Entities That Bundle Services With Their Products
1.39 Many entities that produce, manufacture, or distribute products bundle services with the sales of those products. In such situations, it may not be practical to perform separate examinations of system controls relevant to the production, manufacturing, or distribution of products and system controls used to provide the bundled services. In that case, the responsible party and the practitioner may agree to include the systems and controls within those bundled services within the scope of the SOC for Supply Chain examination.
[16] AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy provides guidance to practitioners engaged to examine and opine on a description of a system and related controls of a service provider.
1.40 When determining whether to include the bundled services within the scope of the examination, practitioners may consider the following examples:
• The services relate to the physical good produced (for example, maintenance services provided in connection with sales of an airplane engine).
• The services relate to data or intangible goods produced (for example, health care claims or contract coding).
• The physical good is incidental to the provision of the bundled service. (In this case, a stand-alone report on the service or services may be more useful to intended users.)
Considerations for a Design-Only Examination
1.41 There may be circumstances in which entity management may not be prepared to make an assertion about whether the controls within the entity's system were effective to achieve the entity's principal system objectives. In such circumstances, rather than making an assertion about whether controls were effective to achieve the entity's principal system objectives over a period of time, entity management makes an assertion only about the suitability of the design of implemented controls as of a point in time. In this guide, such an examination is referred to as a design-only examination and includes consideration of the following as of a point in time: (1) whether the description of the entity's system was presented in accordance with the description criteria and (2) whether controls stated in the description were suitably designed and implemented to achieve the entity's principal system objectives, if the controls operated effectively. A design-only examination may be useful to intended users who want to obtain an understanding of the entity's system and the controls the entity has implemented to achieve its principal system objectives. However, it would not provide intended users with sufficient information to assess the operating effectiveness of controls within the entity's system. Paragraph 4.89 discusses how the practitioner's report presented in table 4-3 could be tailored to refer specifically to the subject matters addressed in a design-only examination.
Matters Not Addressed by a SOC for Supply Chain Examination
1.42 As discussed beginning at paragraph 1.29, an examination described in this guide may address one or more of the trust services categories. When the examination addresses processing integrity, the practitioner's opinion addresses, among other things, whether system controls were effective to provide reasonable assurance that goods produced or manufactured will meet their product performance specifications.
1.43 However, the practitioner's opinion does not address whether the goods produced by the system are free from defect or whether they will function as designed. In other words, the practitioner's opinion is not a warranty or guarantee that the goods produced will meet product performance specifications or other commitments made to customers. Therefore, the practitioner does not express a conclusion on the products' fitness for purpose or on the merchantability of the products.
Criteria for a SOC for Supply Chain Examination
1.44 The following two types of criteria support the SOC for Supply Chain examination:
a. Description criteria. Supplement A of this guide presents an excerpt from DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report,[17] which includes the criteria used to prepare and evaluate the description of the entity's system. The use of these criteria, referred to as the description criteria, is discussed further beginning in paragraph 1.45.
b. Trust services criteria. Supplement B of this guide presents an excerpt from TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the 2017 trust services criteria), which includes the criteria used to evaluate the effectiveness of controls relevant to the trust services category or categories included within the scope of a specific examination. The use of these criteria, referred to as the applicable trust services criteria, is discussed further beginning in paragraph 1.48.
Description Criteria
1.45 The description criteria are used by entity management when preparing the description of the entity's system and by the practitioner when evaluating the description. Applying the description criteria in actual situations requires judgment. Therefore, in addition to the description criteria, supplement A presents implementation guidance for each criterion. The implementation guidance presents factors to consider when making judgments about the nature and extent of disclosures called for by each criterion. The implementation guidance does not address all possible situations; therefore, users may need to consider the facts and circumstances of the entity and its environment when applying the description criteria.
1.46 The description criteria in supplement A were promulgated by the Assurance Services Executive Committee (ASEC). In establishing and developing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R, Implementing Resolutions Under Section 3.6 Committees,[18] designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105 indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable. Accordingly, these criteria are suitable criteria for preparing and evaluating a description of a system in a SOC for Supply Chain examination. ASEC has also published the description criteria and made them available to users. Therefore, the description criteria meet the requirements in paragraph .25b(ii) of AT-C section 105 for criteria that are both suitable and available for use in an attestation engagement.
1.47 Chapter 3, "Performing the SOC for Supply Chain Examination," discusses how the description criteria are used by the practitioner.
Trust Services Criteria
1.48 The trust services criteria are used to evaluate whether controls were effective to provide reasonable assurance that an entity's principal system objectives were achieved. Because applying the trust services criteria requires judgment, supplement B also presents points of focus for each criterion. The Committee of Sponsoring Organizations of the Treadway Commission's 2013 Internal Control—Integrated Framework (COSO framework) states that points of focus represent important characteristics of the criteria in that framework. Consistent with the COSO framework, the points of focus in supplement B may assist entity management when designing, implementing, and operating controls over security, availability, processing integrity, confidentiality, and privacy. In addition, the points of focus may assist both entity management and the practitioner when evaluating whether controls stated in the description were effective to provide reasonable assurance that the entity's principal system objectives were achieved based on the applicable trust services criteria.
1.49 The trust services criteria in supplement B were promulgated by ASEC. In establishing and developing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105 indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable. Accordingly, these criteria are suitable criteria for evaluating controls in a SOC for Supply Chain examination. ASEC has also published the trust services criteria and made them available to users. Therefore, the trust services criteria meet the requirements in paragraph .25b(ii) of AT-C section 105 for criteria that are both suitable and available for use in an attestation engagement.
Categories of Trust Services Criteria
1.50 As discussed in paragraph 1.48, the trust services criteria in supplement B are used to evaluate the effectiveness of controls or the design of implemented controls to provide reasonable assurance that the entity's