1 Introduction and Background .01-.75
Introduction .01-.09
Intended Users of a SOC for Supply Chain Report .10-.16
Overview of a SOC for Supply Chain Examination .17-.19
Contents of the SOC for Supply Chain Report .20-.21
Defining the System to Be Examined .22-.34
The Entity’s System Objectives and Principal System Objectives .27-.28
Selecting the Trust Services Category or Categories to Be Addressed by the Examination .29-.33
Determining the Time Frame for the Examination .34
Other Engagement Considerations .35-.41
Considerations for Entities That Distribute Products .35-.38
Considerations for Entities That Bundle Services With Their Products .39-.40
Considerations for a Design-Only Examination .41
Matters Not Addressed by a SOC for Supply Chain Examination .42-.43
Criteria for a SOC for Supply Chain Examination .44-.62
Description Criteria .45-.47
Trust Services Criteria .48-.58
Evaluating the Entity’s Principal System Objectives .59-.62
The Practitioner’s Opinion in a SOC for Supply Chain Examination .63-.65
Other Types of SOC Examinations: SOC Suite of Services .66
Professional Standards .67-.74
Attestation Standards .68-.70
Code of Professional Conduct .71
Quality in the SOC for Supply Chain Examination .72-.74
Definitions .75
2 Accepting and Planning a SOC for Supply Chain Examination .01-.154
Introduction .01-.02
Understanding Entity Management’s Responsibilities .03-.10
Entity Management’s Responsibilities Prior to Engaging the Practitioner .04-.07
Entity Management’s Responsibilities During the Examination .08-.09
Entity Management’s Responsibilities During Engagement Completion .10
Responsibilities of the Practitioner .11
Engagement Acceptance and Continuance .12-.15
Independence .16-.19
Competence of Engagement Team Members .20-.24
Preconditions of the Engagement .25-.49
Determining the Appropriateness of the Subject Matter .26-.27
Identifying the Components of the System to Be Examined .28-.30
Determining the Boundaries of the System Being Examined .31-.38
Determining Whether Entity Management Is Likely to Have a Reasonable Basis for Its Assertion .39-.43
Assessing the Suitability and Availability of Criteria .44
Determining Whether the Entity’s Principal System Objectives Are Reasonable in the Circumstances .45-.49
Requesting a Written Assertion and Representations From Entity Management .50-.54
Agreeing on the Terms of the Engagement .55-.64
Accepting a Change in the Terms of the Examination .60-.64
Establishing an Overall Examination Strategy for and Planning the Examination .65-.69
Performing Risk Assessment Procedures .70-.106
Obtaining an Understanding of the Description of the Entity’s System and Control Effectiveness .71-.83
Assessing the Risks of Material Misstatement .84-.95
Considering Materiality During Planning .96-.106
Considering Entity-Level Controls .107-.111
Understanding the Internal Audit Function .112-.119
Planning to Use the Work of a Practitioner’s Specialist .120-.126
Identifying Customer Responsibilities and Complementary Customer Controls .127-.133
Identifying Suppliers and Complementary Supplier Controls .134-.150
Suppliers Whose Controls Are Necessary for the Entity to Achieve Its Principal System Objectives .134-.135
Complementary Supplier Controls .136-.141
Using the Inclusive Method .142-.150
Planning to Use the Work of an Other Practitioner .151-.154
3 Performing the SOC for Supply Chain Examination .01-.199
Introduction .01
Designing Overall Responses to the Risk Assessment .02-.03
Designing and Performing Procedures .04
Obtaining Evidence About Whether the Description Presents the System That Was Designed and Implemented in Accordance With the Description Criteria .05-.59
Disclosures Related to the Types of Goods Produced, Manufactured, or Distributed .17-.18
Disclosures About the Entity’s Principal System Objectives .19-.24
Disclosures About System Incidents .25-.28
Disclosures About Risks That May Have a Significant Effect on the Entity’s Production, Manufacturing, or Distribution .29-.30
Disclosures About Inputs to and Components of the System .31-.32
Disclosures About Individual Controls and the Applicable Trust Services Criteria .33-.41
Disclosures About Complementary Customer Controls .42-.43
Disclosures Related to Complementary Supplier Controls .44-.56
Disclosures About Nonrelevant Criteria .57
Disclosures About Significant Changes to the System During the Period .58-.59
Evaluating Description Misstatements Identified During the Examination .60-.67
Considering Whether the Description Is Misstated or Otherwise Misleading .68-.69
Obtaining Evidence About the Suitability of the Design of Controls .70-.85
Multiple Controls Are Necessary to Address an Applicable Trust Services Criterion .77-.78
More Than One Control Addresses a Particular Risk .79
Procedures to Obtain Evidence About the Suitability of Design of Controls .80-.85
Evaluating Deficiencies in the Suitability of Design of Controls .86-.88
Obtaining Evidence About the Operating Effectiveness of Controls .89-.94
Designing and Performing Tests of Controls .91-.94
Nature of Tests of Controls .95-.110
Testing Review Controls .101-.102
Evaluating the Reliability of Information Produced by the Entity .103-.110
Timing of Tests of Controls .111-.112
Extent of Tests of Controls .113-.118
Testing Superseded Controls .119-.120
Using Sampling to Select Items to Be Tested .121-.125
Selecting Items to Be Tested .124-.125
Additional Risk Considerations Related to Suppliers and Business Partners .126-.136
Controls That Suppliers Expect the Entity to Implement .126-.131
Entity Controls for Addressing Supplier Risks .132-.133
Complementary Supplier Controls .134-.136
Considering Controls That Did Not Need to Operate During the Period Covered by the Examination .137
Identifying and Evaluating Deviations in the Effectiveness of Controls .138-.142
Materiality Considerations When Evaluating Deficiencies in the Effectiveness of Controls .143-.146
Using the Work of the Internal Audit Function .147-.153
Using the Work of a Practitioner’s Specialist .154-.157
Revising the Risk Assessment .158-.162
Evaluating the Sufficiency and Appropriateness of Evidence .159-.160
Evaluating the Results of Procedures .161-.162
Responding to and Communicating Known and Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, and Deficiencies in the Effectiveness of Controls .163-.169
Known or Suspected Fraud or Noncompliance With Laws or Regulations .163-.165
Communicating Incidents of Known or Suspected Fraud, Noncompliance With Laws or Regulations, Uncorrected Misstatements, or Internal Control Deficiencies .166-.169
Obtaining Written Representations .170-.183
Requested Written Representations Not Provided or Not Reliable .180-.181
Engaging Party Is Not the Responsible Party .182
Representations From the Engaging Party When It Is Not the Responsible Party .183
Subsequent Events and Subsequently Discovered Facts .184-.191
Subsequent Events Unlikely to Have an Effect on the Practitioner’s Report .191
Documentation .192-.196
Considering Whether Entity Management Should Modify Its Assertion .197-.199
4 Forming the Opinion and Preparing the Practitioner’s Report .01-.91
Responsibilities of the Practitioner .01-.05
Forming the Practitioner’s Opinion .06-.15
Concluding on the Sufficiency and Appropriateness of Evidence .08-.13
Expressing an Opinion on Each of the Subject Matters in the SOC for Supply Chain Examination .14-.15
Describing Tests of Controls and Results of Tests in the Practitioner’s Report .16-.28
Describing Tests of Controls and Results When Using the Internal Audit Function .24-.26
Describing Tests of the Reliability of Information Produced by the Entity .27-.28
Preparing the Practitioner’s SOC for Supply Chain Report .29-.40
Elements of the Practitioner’s Report .29
Restricting the Use of the Practitioner’s Report .30-.31
Reporting When There Are Complementary Customer Controls .32-.35
Reporting When There Are Complementary Supplier Controls .36-.40
Reporting When the Practitioner Assumes Responsibility for the Work of an Other Practitioner .41
Modifications to the Practitioner’s Opinion .42-.67
Qualified Opinion .50-.51
Adverse Opinion .52-.56
Scope Limitation .57-.61
Disclaimer of Opinion .62-.67
Report Paragraphs Describing the Matter Giving Rise to the Modification .68-.76
Illustrative Separate Paragraphs When There Are Material Misstatements in the Description .68-.73
Illustrative Separate Paragraph: Material Deficiencies in the Effectiveness of Controls .74-.76
Other Matters Related to the Practitioner’s Report .77-.80
Emphasis-of-Matter Paragraphs and Other-Matter Paragraphs .77-.78
Distribution of the Report by Management .79-.80
Practitioner’s Recommendations for Improving Controls .81
Other Information Not Covered by the Practitioner’s Report .82-.86
Illustrative Report .87-.88
Preparing a SOC for Supply Chain Report in a Design-Only Examination .89-.91
Supplement
A 2020 Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report
B 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
Appendix
A Information for Entity Management
B Comparison of SOC for Supply Chain, SOC 2®, and SOC for Cybersecurity Examinations and Related Reports
C Illustrative Management Assertion in a SOC for Supply Chain Examination
D Illustrative Accountant’s Report for a SOC for Supply Chain Examination
E Illustrative SOC for Supply Chain Report (Including Entity Management’s Assertion, Accountant’s Report, and Illustrative Description of the System)
F Definitions
G Overview of Statements on Quality Control Standards
Index of Pronouncements and Other Technical Guidance
Subject Index