SOC for Supply Chain

Book description

Internal and external forces such as globalization, global interconnectivity, automation, and other technological advancements are making today’s supply chains highly sophisticated and complex. For organizations that produce, manufacture or distribute products, there’s often a high level of interdependence and connectivity with their suppliers and their customers and business partners.

Although the interconnectedness of these organizations can be beneficial (increased revenues, expanded market opportunities, and cost reduction), the ability of organizations to meet their goals is often increasingly dependent on events, processes, and controls that are not visible and are often beyond their control – such as a supplier’s controls. That’s why the demand for transparency in supply chains is now higher than ever before, and why this is the perfect time for you to help organizations assess their supply chain risks, evaluate the system controls within their manufacturing, production, or distribution systems, and communicate their supply chain management efforts to those with whom they do business.

Accountants and financial managers can also increase the credibility of the supply chain information communicated by the organization by providing an opinion on the organization’s supply chain efforts. This guide enables the accountant and financial manager to examine and report on the description of a system for manufacturing, producing and distributing goods as well as on the controls within that system using a dynamic, proactive, and agile approach. It will show how to conduct this examination in accordance with the attestation standards. The guide may also be helpful when providing readiness assessments to clients who are not quite ready for an examination-level service and need help to get there.

The guide also includes excerpts from the two distinct but complementary sets of criteria developed by the AICPA to assist practitioners with SOC for Supply Chain engagements: the description criteria and the 2017 trust services criteria.

 

Table of contents

  1. Cover
  2. Preface
    1. About AICPA Guides
    2. Purpose and Applicability
    3. Terms Used to Define Professional Responsibilities in This AICPA Guide
    4. References to Professional Standards
    5. Examinations of System and Organization Controls: SOC Suite of Services
    6. Description Criteria for a Description of an Entity's System in a SOC for Supply Chain Report
    7. Trust Services Criteria
    8. Applicability of Quality Control Standards
    9. Recognition
    10. AICPA.org Website
    11. Notes
  3. Chapter 1: Introduction and Background
    1. Introduction
    2. Intended Users of a SOC for Supply Chain Report
    3. Overview of a SOC for Supply Chain Examination
    4. Contents of the SOC for Supply Chain Report
    5. Defining the System to Be Examined
    6. Other Engagement Considerations
    7. Matters Not Addressed by a SOC for Supply Chain Examination
    8. Criteria for a SOC for Supply Chain Examination
    9. The Practitioner's Opinion in a SOC for Supply Chain Examination
    10. Other Types of SOC Examinations: SOC Suite of Services
    11. Professional Standards
    12. Definitions
    13. Notes
  4. Chapter 2: Accepting and Planning a SOC for Supply Chain Examination
    1. Introduction
    2. Understanding Entity Management's Responsibilities
    3. Responsibilities of the Practitioner
    4. Engagement Acceptance and Continuance
    5. Independence
    6. Competence of Engagement Team Members
    7. Preconditions of the Engagement
    8. Requesting a Written Assertion and Representations From Entity Management
    9. Agreeing on the Terms of the Engagement
    10. Establishing an Overall Examination Strategy for and Planning the Examination
    11. Performing Risk Assessment Procedures
    12. Considering Entity‐Level Controls
    13. Understanding the Internal Audit Function
    14. Planning to Use the Work of a Practitioner's Specialist
    15. Identifying Customer Responsibilities and Complementary Customer Controls
    16. Identifying Suppliers and Complementary Supplier Controls
    17. Planning to Use the Work of an Other Practitioner
    18. Notes
  5. Chapter 3: Performing the SOC for Supply Chain Examination
    1. Introduction
    2. Designing Overall Responses to the Risk Assessment
    3. Designing and Performing Procedures
    4. Obtaining Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria
    5. Evaluating Description Misstatements Identified During the Examination
    6. Considering Whether the Description Is Misstated or Otherwise Misleading
    7. Obtaining Evidence About the Suitability of the Design of Controls
    8. Evaluating Deficiencies in the Suitability of Design of Controls
    9. Obtaining Evidence About the Operating Effectiveness of Controls
    10. Nature of Tests of Controls
    11. Timing of Tests of Controls
    12. Extent of Tests of Controls
    13. Testing Superseded Controls
    14. Using Sampling to Select Items to Be Tested
    15. Additional Risk Considerations Related to Suppliers and Business Partners
    16. Considering Controls That Did Not Need to Operate During the Period Covered by the Examination
    17. Identifying and Evaluating Deviations in the Effectiveness of Controls
    18. Materiality Considerations When Evaluating Deficiencies in the Effectiveness of Controls
    19. Using the Work of the Internal Audit Function
    20. Using the Work of a Practitioner's Specialist
    21. Revising the Risk Assessment
    22. Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Effectiveness of Controls
    23. Obtaining Written Representations
    24. Subsequent Events and Subsequently Discovered Facts
    25. Documentation
    26. Considering Whether Entity Management Should Modify Its Assertion
    27. Notes
  6. Chapter 4: Forming the Opinion and Preparing the Practitioner's Report
    1. Responsibilities of the Practitioner
    2. Forming the Practitioner's Opinion
    3. Describing Tests of Controls and Results of Tests in the Practitioner's Report
    4. Preparing the Practitioner's SOC for Supply Chain Report
    5. Reporting When the Practitioner Assumes Responsibility for the Work of an Other Practitioner
    6. Modifications to the Practitioner's Opinion
    7. Report Paragraphs Describing the Matter Giving Rise to the Modification
    8. Other Matters Related to the Practitioner's Report
    9. Practitioner's Recommendations for Improving Controls
    10. Other Information Not Covered by the Practitioner's Report
    11. Illustrative Report
    12. Preparing a SOC for Supply Chain Report in a Design‐Only Examination
    13. Notes
  7. Supplement A: 2020 Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report
    1. Notes
  8. Supplement B: 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
    1. Notes
  9. Appendix A: Information for Entity Management
    1. Introduction and Background
    2. Intended Users of a SOC for Supply Chain Report
    3. Overview of a SOC for Supply Chain Examination
    4. Contents of the SOC for Supply Chain Report
    5. Description Criteria for Preparation of the Description of an Entity's System
    6. The Trust Services Criteria for Evaluation of Control Effectiveness
    7. The Entity's System Objectives and Principal System Objectives
    8. Matters Not Addressed by a SOC for Supply Chain Examination
    9. Entity Management Responsibilities Prior to Engaging the Practitioner
    10. Defining the System to Be Examined
    11. Selecting the Trust Services Category or Categories to Be Addressed by the Examination
    12. Identifying Customer Responsibilities and Complementary Customer Controls
    13. Identifying Suppliers and Complementary Supplier Controls
    14. Agreeing on the Terms of the Engagement
    15. Entity Management Responsibilities During the Examination
    16. Preparing the Description of the Service Organization's System
    17. Materiality Considerations When Preparing the Description in Accordance With the Description Criteria
    18. Providing a Written Assertion
    19. Entity Management's Responsibilities During Engagement Completion
    20. Modifying the Assertion
    21. Other Types of SOC Examinations: SOC Suite of Services
    22. Notes
  10. Appendix B: Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports
  11. Appendix C: Illustrative Management Assertion in a SOC for Supply Chain Examination
    1. Note
  12. Appendix D: Illustrative Accountant's Report for a SOC for Supply Chain Examination
    1. Notes
  13. Appendix E: Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)
    1. Report on Company X's Description of Its Widget Manufacturing and Distribution System and on the Effectiveness of Its Controls Relevant to Security and Availability Throughout the Period January 1, 20X1, to December 31, 20X1
    2. Section 1 — Assertion of Company X's Management
    3. Section 2 — Independent Accountant's Report
    4. Section 3 — Company X's Description of Its Widget Manufacturing and Distribution System
    5. Section 4 — Trust Services Categories, Criteria, Related Controls, and Tests of Controls
    6. Section 5 — Other Information Provided by Company X Management That Is Not Covered by the Accountant's Report
  14. Appendix F: Definitions
  15. Appendix G: Overview of Statements on Quality Control Standards
    1. Communication of Quality Control Policies and Procedures
    2. Elements of a System of Quality Control
    3. Leadership Responsibilities for Quality Within the Firm (the “Tone at the Top”)
    4. Relevant Ethical Requirements
    5. Acceptance and Continuance of Client Relationships and Specific Engagements
    6. Human Resources
    7. Engagement Performance
    8. Monitoring
    9. Documentation of Quality Control Policies and Procedures
    10. Notes
  16. Index of Pronouncements and Other Technical Guidance
  17. Subject Index
  18. End User License Agreement

Product information

  • Title: SOC for Supply Chain
  • Author(s): AICPA
  • Release date: June 2020
  • Publisher(s): Wiley
  • ISBN: 9781948306959