Chapter 1 Introduction and Background

Intended Users of a SOC for Supply Chain Report
Overview of a SOC for Supply Chain Examination
Contents of the SOC for Supply Chain Report
Defining the System to Be Examined
The Entity's System Objectives and Principal System Objectives
Selecting the Trust Services Category or Categories to Be Addressed by the Examination
Determining the Time Frame for the Examination
Other Engagement Considerations
Considerations for Entities That Distribute Products
Considerations for Entities That Bundle Services With Their Products
Considerations for a Design-Only Examination
Matters Not Addressed by a SOC for Supply Chain Examination
Criteria for a SOC for Supply Chain Examination
Evaluating the Entity's Principal System Objectives
The Practitioner's Opinion in a SOC for Supply Chain Examination
Other Types of SOC Examinations: SOC Suite of Services
Code of Professional Conduct
Quality in the SOC for Supply Chain Examination

Chapter 2 Accepting and Planning a SOC for Supply Chain Examination

Understanding Entity Management's Responsibilities
Entity Management's Responsibilities Prior to Engaging the Practitioner
Entity Management's Responsibilities During the Examination
Entity Management's Responsibilities During Engagement Completion
Responsibilities of the Practitioner
Engagement Acceptance and Continuance
Competence of Engagement Team Members
Preconditions of the Engagement
Determining the Appropriateness of the Subject Matter
Identifying the Components of the System to Be Examined
Determining the Boundaries of the System Being Examined
Determining Whether Entity Management Is Likely to Have a Reasonable Basis for Its Assertion
Assessing the Suitability and Availability of Criteria
Determining Whether the Entity's Principal System Objectives Are Reasonable in the Circumstances
Requesting a Written Assertion and Representations From Entity Management
Agreeing on the Terms of the Engagement
Accepting a Change in the Terms of the Examination
Establishing an Overall Examination Strategy for and Planning the Examination
Performing Risk Assessment Procedures
Obtaining an Understanding of the Description of the Entity's System and Control Effectiveness
Assessing the Risks of Material Misstatement
Considering Materiality During Planning
Considering Entity-Level Controls
Understanding the Internal Audit Function
Planning to Use the Work of a Practitioner's Specialist
Identifying Customer Responsibilities and Complementary Customer Controls
Identifying Suppliers and Complementary Supplier Controls
Suppliers Whose Controls Are Necessary for the Entity to Achieve Its Principal System Objectives
Complementary Supplier Controls
Using the Inclusive Method
Planning to Use the Work of an Other Practitioner

Chapter 3 Performing the SOC for Supply Chain Examination

Designing Overall Responses to the Risk Assessment
Designing and Performing Procedures
Obtaining Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria
Disclosures Related to the Types of Goods Produced, Manufactured, or Distributed
Disclosures About the Entity's Principal System Objectives
Disclosures About System Incidents
Disclosures About Risks That May Have a Significant Effect on the Entity's Production, Manufacturing, or Distribution
Disclosures About Inputs to and Components of the System
Disclosures About Individual Controls and the Applicable Trust Services Criteria
Disclosures About Complementary Customer Controls
Disclosures Related to Complementary Supplier Controls
Disclosures About Nonrelevant Criteria
Disclosures About Significant Changes to the System During the Period
Evaluating Description Misstatements Identified During the Examination
Considering Whether the Description Is Misstated or Otherwise Misleading
Obtaining Evidence About the Suitability of the Design of Controls
Multiple Controls Are Necessary to Address an Applicable Trust Services Criterion
More Than One Control Addresses a Particular Risk
Procedures to Obtain Evidence About the Suitability of Design of Controls
Evaluating Deficiencies in the Suitability of Design of Controls
Obtaining Evidence About the Operating Effectiveness of Controls
Designing and Performing Tests of Controls
Nature of Tests of Controls
Evaluating the Reliability of Information Produced by the Entity
Timing of Tests of Controls
Extent of Tests of Controls
Testing Superseded Controls
Using Sampling to Select Items to Be Tested
Selecting Items to Be Tested
Additional Risk Considerations Related to Suppliers and Business Partners
Controls That Suppliers Expect the Entity to Implement: Entity Controls for Addressing Supplier Risks
Complementary Supplier Controls
Considering Controls That Did Not Need to Operate During the Period Covered by the Examination
Identifying and Evaluating Deviations in the Effectiveness of Controls
Materiality Considerations When Evaluating Deficiencies in the Effectiveness of Controls
Using the Work of the Internal Audit Function
Using the Work of a Practitioner's Specialist
Revising the Risk Assessment
Evaluating the Sufficiency and Appropriateness of Evidence
Evaluating the Results of Procedures
Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Effectiveness of Controls
Known or Suspected Fraud or Noncompliance With Laws or Regulations
Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies
Obtaining Written Representations
Requested Written Representations Not Provided or Not Reliable
Engaging Party Is Not the Responsible Party
Representations From the Engaging Party When It Is Not the Responsible Party
Subsequent Events and Subsequently Discovered Facts
Subsequent Events Unlikely to Have an Effect on the Practitioner's Report
Considering Whether Entity Management Should Modify Its Assertion

Chapter 4 Forming the Opinion and Preparing the Practitioner's Report

Responsibilities of the Practitioner
Forming the Practitioner's Opinion
Concluding on the Sufficiency and Appropriateness of Evidence
Expressing an Opinion on Each of the Subject Matters in the SOC for Supply Chain Examination
Describing Tests of Controls and Results of Tests in the Practitioner's Report
Describing Tests of Controls and Results When Using the Internal Audit Function
Describing Tests of the Reliability of Information Produced by the Entity
Preparing the Practitioner's SOC for Supply Chain Report
Elements of the Practitioner's Report
Restricting the Use of the Practitioner's Report
Reporting When There Are Complementary Customer Controls
Reporting When There Are Complementary Supplier Controls
Reporting When the Practitioner Assumes Responsibility for the Work of an Other Practitioner
Modifications to the Practitioner's Opinion
Report Paragraphs Describing the Matter Giving Rise to the Modification
Illustrative Separate Paragraphs When There Are Material Misstatements in the Description
Illustrative Separate Paragraph: Material Deficiencies in the Effectiveness of Controls
Other Matters Related to the Practitioner's Report
Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs
Distribution of the Report by Management
Practitioner's Recommendations for Improving Controls
Other Information Not Covered by the Practitioner's Report
Preparing a SOC for Supply Chain Report in a Design-Only Examination

A 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report
B 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

A Information for Entity Management
B Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports
C Illustrative Management Assertion in a SOC for Supply Chain Examination
D Illustrative Accountant's Report for a SOC for Supply Chain Examination
E Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)
G Overview of Statements on Quality Control Standards

Index of Pronouncements and Other Technical Guidance
Subject Index