
SOC FOR SUPPLY CHAIN reporting on an examination of controls relevant to security, availability, ... processing integrity, confidentiality, or privacy PDF

359 Pages·2020·2.528 MB·English
by  Aicpa


Guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System (SOC for Supply Chain)

March 1, 2020
1910-75488

© 2020 American Institute of Certified Public Accountants. All rights reserved. For information about the procedure for requesting permission to make copies of any part of this work, please email [email protected] with your request. Otherwise, requests should be written and mailed to Permissions Department, 220 Leigh Farm Road, Durham, NC 27707-8110 USA.

ISBN 978-1-94830-695-9 (Print)
ISBN 978-1-119-72340-0 (ePDF)
ISBN 978-1-948306-96-6 (ePub)
ISBN 978-1-119-72344-8 (oBook)

Preface (As of March 1, 2020)

About AICPA Guides

This AICPA Guide, Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System, has been developed by members of the SOC for Supply Chain Working Group of the AICPA Assurance Services Executive Committee (ASEC) in conjunction with members of the Auditing Standards Board (ASB).

The purpose of the guide is to assist practitioners engaged to examine and report on a system that produces, manufactures, or distributes products, including controls over one or more of the following:

a. The security of the entity's system
b. The availability of the entity's system
c. The processing integrity of the entity's system
d. The confidentiality of the information that the entity's system processes or maintains for customers and business partners
e. The privacy of personal information that the entity's system collects, uses, retains, discloses, and disposes of for customers and business partners

An AICPA Guide containing attestation guidance is recognized as an interpretive publication as described in AT-C section 105, Concepts Common to All Attestation Engagements.1 Interpretative publications are recommendations on the application of Statements on Standards for Attestation Engagements (SSAEs) in specific circumstances, including engagements for entities in specialized industries. Interpretive publications are issued under the authority of the ASB. The members of the ASB have found the attestation guidance in this guide to be consistent with existing SSAEs.

A practitioner should be aware of and consider the guidance in this guide applicable to his or her attestation engagement. If the practitioner does not apply the attestation guidance included in an applicable interpretive publication, the practitioner should document how the requirements of the SSAEs were complied with in the circumstances addressed by such attestation guidance.

Any attestation guidance in a guide appendix or exhibit (whether a chapter or back matter appendix or exhibit), though not authoritative, is considered an other attestation publication. In applying such guidance, the practitioner should, exercising professional judgment, assess the relevance and appropriateness of such guidance to the circumstances of the engagement. Although the practitioner determines the relevance of other attestation guidance, such guidance in a guide appendix or exhibit has been reviewed by the AICPA Audit and Attest Standards staff, and the practitioner may presume that it is appropriate.

The ASB and the Accounting and Review Services Committee (ARSC) are the designated senior committees of the AICPA authorized to speak for the AICPA on all matters related to attestation in their respective areas of responsibility. Conforming changes made to the attestation guidance contained in this guide are approved by the ASB chair (or his or her designee) and the director of the AICPA Audit and Attest Standards staff. Updates made to the attestation guidance in this guide exceeding that of conforming changes are issued after all ASB members have been provided an opportunity to consider and comment on whether the guide is consistent with the SSAEs.

1 All AT-C sections can be found in AICPA Professional Standards.

© 2020, AICPA AAG-SSC

AICPA Guides may include certain content presented as a "supplement," "appendix," or "exhibit." A supplement is a reproduction, in whole or in part, of authoritative guidance originally issued by a standard-setting body (including regulatory bodies) and is applicable to entities or engagements within the purview of that standard setter, independent of the authoritative status of the applicable AICPA Guide. Appendixes and exhibits are included for informational purposes and have no authoritative status.

Purpose and Applicability

As previously discussed, this guide provides guidance to practitioners engaged to examine and report on a system an entity uses to produce, manufacture, or distribute products.

In April 2016, the ASB issued SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, AT-C section 205, Examination Engagements, and AT-C section 320, Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting. AT-C sections 105 and 205 establish requirements and application guidance for reporting on an entity's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy. AT-C section 320 includes requirements and application guidance that may be relevant for reporting on an entity's controls over its system relevant to security, availability, processing integrity, confidentiality, or privacy because certain underlying circumstances of the subject matter addressed in this guide are analogous to circumstances addressed in AT-C section 320.

The attestation standards enable a practitioner to report on subject matter other than historical financial statements. A practitioner may be engaged to examine and report on controls at an entity related to various types of subject matter (for example, controls that affect customers' financial reporting or the privacy of information processed for customers' customers).

Terms Used to Define Professional Responsibilities in This AICPA Guide

Any requirements described in this guide are normally referenced to the applicable standards or regulations from which they are derived. Generally, the terms used in this guide describing the professional requirements of the referenced standard setter (for example, the ASB) are the same as those used in the applicable standards or regulations (for example, "must" or "should").

Readers should refer to the applicable standards and regulations for more information on the requirements imposed by the use of the various terms used to define professional requirements in the context of the standards and regulations in which they appear.

Certain exceptions apply to these general rules, particularly in circumstances in which the guide describes prevailing or preferred industry practices for the application of a standard or regulation. In these circumstances, the applicable senior committee responsible for reviewing the guide's content believes the guidance contained herein is appropriate for the circumstances.

References to Professional Standards

In citing attestation standards and their related interpretations, references to standards that have been codified use section numbers within the codification of currently effective SSAEs and not the original statement number.

Examinations of System and Organization Controls: SOC Suite of Services

In 2017, the AICPA introduced the term system and organization controls (SOC) to refer to the suite of services practitioners may provide relating to system-level controls of an entity or system- or entity-level controls of other organizations. Formerly, SOC referred to service organization controls, and such reports addressed controls around systems used to provide services. By redefining that acronym, the AICPA enables the introduction of new internal control examinations that may be performed (a) for other types of organizations, in addition to service organizations, and (b) on either system-level or entity-level controls of such organizations. This guide provides interpretive guidance for the relevant attestation standards used to report on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system. The engagement discussed in this guide is referred to as a SOC for Supply Chain examination. Other SOC engagements include the following:

a. SOC 1® — SOC for Service Organizations: ICFR. Service organizations may provide services that are relevant to their customers' internal control over financial reporting and, therefore, to the audit of financial statements. The requirements and guidance for performing and reporting on such controls is provided in AT-C sections 105 and 320. AICPA Guide Reporting on an Examination of Controls at an Entity Relevant to Customers' Internal Control Over Financial Reporting (SOC 1®) provides relevant interpretive guidance for the relevant standards to assist practitioners engaged to examine and report on controls at service organizations that are likely to be relevant to customers' internal control over financial reporting.

b. SOC 2® — SOC for Service Organizations: Trust Services Criteria. Some service organizations provide services that are relevant to controls other than internal control over financial reporting, for example, controls relevant to the security of a system or to the privacy of information processed by a system for customers. The requirements and guidance for performing and reporting on such engagements are provided in AT-C sections 105, 205, and 320. AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy provides interpretive guidance for the relevant attestation standards to assist practitioners engaged to examine and report on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system.

c. SOC 3® — SOC for Service Organizations: Trust Services Criteria for General Use Report. Although the requirements and guidance for performing a SOC 3® examination are similar to those for a SOC 2® examination, the reporting requirements are different. Because of the different reporting requirements, a SOC 2® report is appropriate only for specified parties with sufficient knowledge and understanding of the entity and the system, whereas a SOC 3® report is ordinarily appropriate for general use. AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy provides guidance to assist practitioners engaged to examine and report on the security, availability, or processing integrity of a system or the confidentiality or privacy of the information processed by the system.

d. SOC for Cybersecurity. As part of an entity's cybersecurity risk management program, an entity designs, implements, and operates cybersecurity controls. An engagement to examine and report on a description of the entity's cybersecurity risk management program and the effectiveness of controls within that program is a cybersecurity risk management examination. The requirements and guidance for performing a cybersecurity risk management examination and reporting on the results thereof are provided in AT-C sections 105, 205, and 320. AICPA Guide Reporting on an Entity's Cybersecurity Risk Management Program and Controls provides interpretive guidance for the relevant attestation standards to assist practitioners engaged to examine and report on the description of an entity's cybersecurity risk management program and the effectiveness of controls within that program.

This guide focuses on SOC for Supply Chain examinations. To help practitioners understand how this examination differs from several of the other SOC examinations, appendix B, "Comparison of SOC for Supply Chain Examination With a SOC 2® Examination and a SOC for Cybersecurity Examination and Related Reports," includes a table that compares the features of the three types of engagements.

Description Criteria for a Description of an Entity's System in a SOC for Supply Chain Report

In March 2020, ASEC issued description criteria for a description of an entity's system in a SOC for Supply Chain report. The criteria are codified in DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report (description criteria),2 which are presented in supplement A.

In establishing and developing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R, Implementing Resolutions Under Section 3.6 Committees,3 designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105 indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable. Accordingly, these criteria are suitable criteria for preparing and evaluating a description of a system in a SOC for Supply Chain examination. ASEC has also published the description criteria and made them available to users. Therefore, the description criteria meet the requirements in paragraph .25bii of AT-C section 105 for criteria that are both suitable and available for use in an attestation engagement.

2 All DC sections can be found in AICPA Description Criteria.
3 All BL sections can be found in AICPA Professional Standards.

Trust Services Criteria

Codified as TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (2017 trust services criteria),4 the trust services criteria were established by ASEC for use by practitioners when providing attestation or consulting services to evaluate controls relevant to the security, availability, or processing integrity of one or more systems, or the confidentiality or privacy of information processed by one or more systems, used by an entity. Entity management may also use the trust services criteria to evaluate the suitability of design and operating effectiveness of such controls.

In establishing and developing these criteria, ASEC followed due process procedures, including exposure of criteria for public comment. BL section 360R designates ASEC as a senior technical committee with the authority to make public statements without clearance from the AICPA council or the board of directors. Paragraph .A44 of AT-C section 105 indicates that criteria promulgated by a body designated by the Council of the AICPA under the AICPA Code of Professional Conduct are, by definition, considered suitable. Accordingly, these criteria are suitable criteria for evaluating controls in a SOC for Supply Chain examination. ASEC has also published the trust services criteria and made them available to users. Therefore, the trust services criteria meet the requirements in paragraph .25bii of AT-C section 105 for criteria that are both suitable and available for use in an attestation engagement.

4 All TSP sections can be found in AICPA Trust Services Criteria.

Applicability of Quality Control Standards

QC section 10, A Firm's System of Quality Control,5 addresses a CPA firm's responsibilities for its system of quality control for its accounting and auditing practice. A system of quality control consists of policies that a firm establishes and maintains to provide it with reasonable assurance that the firm and its personnel comply with professional standards, as well as applicable legal and regulatory requirements. The policies also provide the firm with reasonable assurance that reports issued by the firm are appropriate in the circumstances.

5 The QC sections can be found in AICPA Professional Standards.

QC section 10 applies to all CPA firms with respect to engagements in their accounting and auditing practice. In paragraph .13 of QC section 10, an accounting and auditing practice is defined as

    a practice that performs engagements covered by this section, which are audit, attestation, compilation, review, and any other services for which standards have been promulgated by the AICPA Auditing Standards Board (ASB) or the AICPA Accounting and Review Services Committee (ARSC) under the "General Standards Rule" (ET sec. 1.300.001) or the "Compliance With Standards Rule" (ET sec. 1.310.001) of the AICPA Code of Professional Conduct. Although standards for other engagements may be promulgated by other AICPA technical committees, engagements performed in accordance with those standards are not encompassed in the definition of an accounting and auditing practice.6

6 All ET sections can be found in AICPA Professional Standards.

In addition to the provisions of QC section 10, readers should be aware of other sections within AICPA Professional Standards that address quality control considerations, including the following provisions that address engagement-level quality control matters for various types of engagements that an accounting and auditing practice might perform:

• AU-C section 220, Quality Control for an Engagement Conducted in Accordance With Generally Accepted Auditing Standards7
• AT-C section 105

7 All AU-C sections can be found in AICPA Professional Standards.

Because of the importance of engagement quality, this guide includes an appendix, "Overview of Statements on Quality Control Standards." This appendix summarizes key aspects of the quality control standard. This summarization should be read in conjunction with QC section 10, AU-C section 220, AT-C section 105, and the quality control standards issued by the PCAOB, as applicable.

Recognition

Auditing Standards Board (2018–2019)
Michael J. Santay, Chair
Monique Booker
Jay Brodish
Dora Burzenski
Joseph S. Cascio
Lawrence Gill
Audrey A. Gramling
Gaylen R. Hansen
Tracy Harding
Jan Herringer
Ilene Kassman
Kristen A. Kociolek
Alan Long
Sara Lord
Marcia L. Marien
Richard Miller
Daniel D. Montgomery
Jere G. Shawver
Chad Singletary

This guide was approved by a majority of ASB members.

Assurance Services Executive Committee (2018–2019)
Jim Burton, Chair
Bradley Ames
Christine M. Anderson
Mary Grace Davenport
Chris Halterman
Jennifer Haskell
Elaine Howle
Bryan Martin
Brad Muniz
Dyan K. Rohal
Miklos Vasarhelyi

SOC for Supply Chain Working Group
Chris Halterman, Chair
Neal Beggan
Mark Burnette
Jacqueline Easton
Forrest Frazier
Tom Haberman
Jackie Hensgen
Kim Koch
Chris Kradjan
Lev Lesokhin
Heather Paquette
Binita Pradhan
Soma Sinha
Rod Smith
Jeff Trent
Greg Witte
David Wood

AICPA Staff
Robert Dohrer, Chief Auditor, Audit and Attestation Standards
Amy Pawlicki, Vice President, Assurance and Advisory Innovation
Mimi Blanco-Best, Associate Director—Attestation Methodology and Guidance, Assurance and Advisory Innovation
Nisha Gordhan, Lead Manager, Product Management and Development
