Professional Documents
Culture Documents
Full download Guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System Aicpa file pdf all chapter on 2024
Full download Guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System Aicpa file pdf all chapter on 2024
Full download Guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System Aicpa file pdf all chapter on 2024
https://ebookmass.com/product/pitch-tweet-or-engage-on-the-
street-1st-edition/
https://ebookmass.com/product/czech-security-dilemma-russia-as-a-
friend-or-enemy-1st-ed-edition-jan-holzer/
https://ebookmass.com/product/ready-or-not-assurance-security-
duet-part-two-assurance-security-book-2-1st-edition-jillian-west/
https://ebookmass.com/product/whats-the-t-the-guide-to-all-
things-trans-and-or-nonbinary-juno-dawson/
What's the T?: The Guide to All Things Trans And/or
Nonbinary Juno Dawson
https://ebookmass.com/product/whats-the-t-the-guide-to-all-
things-trans-and-or-nonbinary-juno-dawson-2/
https://ebookmass.com/product/british-autobiographies-an-
annotated-bibliography-of-british-autobiographies-published-or-
written-before-1951-william-matthews/
https://ebookmass.com/product/how-to-count-animals-more-or-less-
shelly-kagan/
https://ebookmass.com/product/sell-or-be-sold-how-to-get-your-
way-in-business-and-in-life/
https://ebookmass.com/product/the-language-of-managerialism-
organizational-communication-or-an-ideological-tool-1st-edition-
thomas-klikauer/
Guide
Reporting on an Examination of Controls Relevant
to Security, Availability, Processing Integrity,
Confidentiality, or Privacy in a Production,
Manufacturing, or Distribution System
1910-75488
© 2020 American Institute of Certified Public Accountants. All rights reserved.
For information about the procedure for requesting permission to make copies of
any part of this work, please email Copyright-Permissions@aicpa-cima.com with your
request. Otherwise, requests should be written and mailed to Permissions Department,
220 Leigh Farm Road, Durham, NC 27707-8110 USA.
1 2 3 4 5 6 7 8 9 0 AAP 2 9 8 7 6 5 4 3 2 1 0
ISBN 978-1-94830-695-9 (Print)
ISBN 978-1-119-72340-0 (ePDF)
ISBN 978-1-948306-96-6 (ePub)
ISBN 978-1-119-72344-8 (oBook)
iii
Preface
(As of March 1, 2020)
Recognition
Auditing Standards Board (2018–2019)
Michael J. Santay, Chair
Monique Booker
Jay Brodish
Dora Burzenski
Joseph S. Cascio
Lawrence Gill
Audrey A. Gramling
Gaylen R. Hansen
Tracy Harding
Jan Herringer
Ilene Kassman
Kristen A. Kociolek
Alan Long
Sara Lord
Marcia L. Marien
TABLE OF CONTENTS
Chapter Paragraph
1 Introduction and Background .01-.75
Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .01-.09
Intended Users of a SOC for Supply Chain Report . . . . . . . . . . . .10-.16
Overview of a SOC for Supply Chain Examination . . . . . . . . . . .17-.19
Contents of the SOC for Supply Chain Report . . . . . . . . . . . . . . . .20-.21
Defining the System to Be Examined . . . . . . . . . . . . . . . . . . . . . . . . . .22-.34
The Entity’s System Objectives and Principal System
Objectives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .27-.28
Selecting the Trust Services Category or Categories
to Be Addressed by the Examination . . . . . . . . . . . . . . . . . . . .29-.33
Determining the Time Frame for the Examination . . . . . . . . . . . .34
Other Engagement Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . .35-.41
Considerations for Entities That Distribute Products . . . . . . . . .35-.38
Considerations for Entities That Bundle Services With
Their Products . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .39-.40
Considerations for a Design-Only Examination . . . . . . . . . . . . .41
Matters Not Addressed by a SOC for Supply Chain
Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .42-.43
Criteria for a SOC for Supply Chain Examination . . . . . . . . . . . . .44-.62
Description Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .45-.47
Trust Services Criteria . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48-.58
Evaluating the Entity’s Principal System Objectives . . . . . . . . . .59-.62
The Practitioner’s Opinion in a SOC for Supply Chain
Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .63-.65
Other Types of SOC Examinations: SOC Suite of Services . . . .66
Professional Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .67-.74
Attestation Standards . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .68-.70
Code of Professional Conduct . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .71
Quality in the SOC for Supply Chain Examination . . . . . . . . . .72-.74
Definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .75
Chapter Paragraph
2 Accepting and Planning a SOC for Supply Chain
Examination — continued
Competence of Engagement Team Members . . . . . . . . . . . . . . . . . .20-.24
Preconditions of the Engagement . . . . . . . . . . . . . . . . . . . . . . . . . . . . .25-.49
Determining the Appropriateness of the Subject Matter . . . . .26-.27
Identifying the Components of the System to be
Examined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .28-.30
Determining the Boundaries of the System Being
Examined . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31-.38
Determining Whether Entity Management Is Likely to
Have a Reasonable Basis for Its Assertion . . . . . . . . . . . . . . .39-.43
Assessing the Suitability and Availability of Criteria . . . . . . . .44
Determining Whether the Entity’s Principal System
Objectives Are Reasonable in the Circumstances . . . . . . . .45-.49
Requesting a Written Assertion and Representations From
Entity Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50-.54
Agreeing on the Terms of the Engagement . . . . . . . . . . . . . . . . . . . .55-.64
Accepting a Change in the Terms of the Examination . . . . . .60-.64
Establishing an Overall Examination Strategy for and
Planning the Examination . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .65-.69
Performing Risk Assessment Procedures . . . . . . . . . . . . . . . . . . . . . .70-.106
Obtaining an Understanding of the Description of the
Entity’s System and Control Effectiveness . . . . . . . . . . . . . . .71-.83
Assessing the Risks of Material Misstatement . . . . . . . . . . . . . . .84-.95
Considering Materiality During Planning . . . . . . . . . . . . . . . . . . .96-.106
Considering Entity-Level Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . .107-.111
Understanding the Internal Audit Function . . . . . . . . . . . . . . . . . . . .112-.119
Planning to Use the Work of a Practitioner’s Specialist . . . . . . . .120-.126
Identifying Customer Responsibilities and Complementary
Customer Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .127-.133
Identifying Suppliers and Complementary Supplier
Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134-.150
Suppliers Whose Controls Are Necessary for the
Entity to Achieve Its Principal System Objectives . . . . . . . . .134-.135
Complementary Supplier Controls . . . . . . . . . . . . . . . . . . . . . . . . . .136-.141
Using the Inclusive Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .142-.150
Planning to Use the Work of an Other Practitioner . . . . . . . . . . . .151-.154
Chapter Paragraph
3 Performing the SOC for Supply Chain Examination — continued
Considering Controls That Did Not Need to Operate
During the Period Covered by the Examination . . . . . . . . . . . .137
Identifying and Evaluating Deviations in the Effectiveness
of Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .138-.142
Materiality Considerations When Evaluating Deficiencies
in the Effectiveness of Controls . . . . . . . . . . . . . . . . . . . . . . . . . . .143-.146
Using the Work of the Internal Audit Function . . . . . . . . . . . . . . . . .147-.153
Using the Work of a Practitioner’s Specialist . . . . . . . . . . . . . . . . . .154-.157
Revising the Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158-.162
Evaluating the Sufficiency and Appropriateness
of Evidence . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159-.160
Evaluating the Results of Procedures . . . . . . . . . . . . . . . . . . . . . . . .161-.162
Responding to and Communicating Known and
Suspected Fraud, Noncompliance With Laws or
Regulations, Uncorrected Misstatements,
and Deficiencies in the Effectiveness of
Controls . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163-.169
Known or Suspected Fraud or Noncompliance With
Laws or Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163-.165
Communicating Incidents of Known or Suspected Fraud,
Noncompliance With Laws or Regulations,
Uncorrected Misstatements, or Internal Control
Deficiencies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .166-.169
Obtaining Written Representations . . . . . . . . . . . . . . . . . . . . . . . . . . .170-.183
Requested Written Representations Not Provided or
Not Reliable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .180-.181
Engaging Party Is Not the Responsible Party . . . . . . . . . . . . . . . .182
Representations From the Engaging Party When It Is Not
the Responsible Party . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .183
Subsequent Events and Subsequently Discovered Facts . . . . . . .184-.191
Subsequent Events Unlikely to Have an Effect on
the Practitioner’s Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .191
Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .192-.196
Considering Whether Entity Management Should Modify
Its Assertion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .197-.199
Supplement
A 2020 Description Criteria for a Description of an Entity’s Production,
Manufacturing, or Distribution System in a SOC for Supply
Chain Report
B 2017 Trust Services Criteria for Security, Availability, Processing Integrity,
Confidentiality, and Privacy
Appendix
A Information for Entity Management
Introduction
1.01 Manufacturing is the production of goods or products2 for use or sale
using labor and machines, tools, chemical and biological processing, or formula-
tion. The term manufacturing is most commonly applied to industrial produc-
tion, in which inputs such as raw materials and components are transformed
into finished goods on a large scale. Finished goods may be sold directly to
(a) end users (for example, medical devices sold to health systems); (b) other
manufacturers who produce other, more complex products (for example, air-
craft, household appliances, furniture, sports equipment, or automobiles); or (c)
wholesalers, who in turn sell the goods to retailers, who then sell them to end
users and consumers.
1.02 A manufacturing (or production) process refers to the steps through
which inputs are transformed into a finished good. The manufacturing pro-
cess begins with the product design and materials specification from which the
product is made. The raw materials (including components) are then modified
through manufacturing processes to become the finished good.
1.03 Once the goods are manufactured or produced, entities may use sys-
tems to distribute the products to customers (for example, an entity3 that dis-
tributes feature films or game DVDs). In contrast, entities may contract with a
third-party logistics company to manage the distribution of their products (for
example, an air bag manufacturer that contracts with a company to manage its
inventory shipment of replacement airbag components to auto repair shops).4
1 Terms defined in appendix F, "Definitions," are italicized on first mention within the text of
this guide.
2 Throughout this guide, the terms goods and products are used interchangeably.
3 As used in this guide, an entity produces or manufactures goods or provides distribution ser-
guidance in this guide or that in AICPA Guide SOC 2® Reporting on an Examination of Controls
at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or
Privacy when engaged to examine and opine on a system and controls of a distributor.
5 In this guide, a supplier is an individual or business (and its employees) that provides products
(such as raw materials, components, or other goods) or services to a producer, manufacturer, or dis-
tributor (an entity). A service provider, for example, is a specific type of supplier that provides services
to an entity.
6 In this guide, controls are policies and procedures that are part of the entity's system. The
objective of an entity's system is to provide reasonable assurance that system objectives are achieved.
System objectives are discussed further beginning at paragraph 1.59.
7 Throughout this guide, the term effectiveness (as it relates to controls) encompasses both the
suitability of design and the operating effectiveness of controls to provide reasonable assurance that
system objectives are achieved.
8 The description criteria are discussed further beginning at paragraph 1.44.
9 The objective of an entity's system is to provide reasonable assurance that the entity's system
objectives are achieved. System objectives are discussed further beginning at paragraph 1.59.
10 Supplement B of this guide presents an excerpt from TSP section 100, 2017 Trust Services
Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the 2017 trust
services criteria), which includes the criteria used to evaluate the effectiveness of controls relevant to
the trust services category or categories included within the scope of a specific examination. The use
of these criteria, referred to as the applicable trust services criteria, is discussed further beginning in
paragraph 1.44.
All TSP sections can be found in AICPA Trust Services Criteria.
COSMOLOGY—THE INTERPRETATION
OF NATURE
CHAPTER I
INTRODUCTORY
§ 1. Distinction between the experimental sciences and a Philosophy of Nature
and Mind. The former concerned with the description, the latter with the
interpretation, of facts. § 2. Cosmology is the critical examination of the
special characteristics of the physical order. Its main problems are: (1) the
problem of the nature of Material Existence; (2) problem of the justification of
the concept of the Mechanical Uniformity of Nature; (3) problems of Space
and Time; (4) problem of the Significance of Evolution; (5) problem of the
Place of descriptive Physical Science in the System of Human Knowledge.