Illustrative SOC for Supply Chain Report 277
Appendix E
Illustrative SOC for Supply Chain Report (Including Entity Management's Assertion, Accountant's Report, and Illustrative Description of the System)

This appendix is nonauthoritative and is included for informational purposes only.

Note to Readers: In the following illustrative SOC for Supply Chain report, Company X has engaged the practitioner to examine and report on the description of the system that manufactures and distributes widgets and the effectiveness of controls therein, which are necessary to provide reasonable assurance that the company's principal system objectives were achieved based on the applicable trust services criteria relevant to security and availability.

This illustrative report assumes that, as discussed in the description in section 3, the components received from Company Y are a critical part of Company X's manufacture of its widgets. Company X management has decided to use the carve-out method for Company Y, and the assertion and report include certain disclosures related to Company Y and the complementary supplier controls that it is expected to have in place.
Report on Company X's Description of Its Widget Manufacturing and Distribution System and on the Effectiveness of Its Controls Relevant to Security and Availability Throughout the Period January 1, 20X1, to December 31, 20X1

CONTENTS
Section 1 — Assertion of Company X's Management
Section 2 — Independent Accountant's Report
Section 3 — Company X's Description of Its Widget Manufacturing and Distribution System
Manufacturing and Distribution System
Principal System Objectives
Components of the System
Infrastructure
Software
People
Procedures
Data
Materials
©2020, AICPA AAG-SSC APP E
Section 4 — Trust Services Categories, Criteria, Related Controls, and Tests of Controls
Applicable Trust Services Criteria Relevant to Security and Availability
Section 5 — Other Information Provided by Company X Management That Is Not Covered by the Accountant's Report
Section 1 — Assertion of Company X's Management

[Company X's Letterhead]
Assertion of Company X Management
We have prepared the accompanying description of Company X's widget manufacturing and distribution system (system) in section 3 titled "Company X's Description of Its Widget Manufacturing System Throughout the Period January 1, 20XX, to December 31, 20XX," (description) based on the criteria for a description of a company's system in DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report, in AICPA Description Criteria (description criteria). The description is intended to provide report users with information about the system, including the effectiveness of controls stated therein, that may be helpful when assessing their risks arising from Company X's manufacture and distribution of widgets.

We have also evaluated whether the controls stated in the description, which are necessary to provide reasonable assurance that Company X achieved its principal system objectives, were effective throughout the period January 1, 20XX, to December 31, 20XX, based on the trust services criteria relevant to security and availability (applicable trust criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in AICPA Trust Services Criteria.
We assert that:
• The description presents Company X's system that was designed and implemented throughout the period January 1, 20XX, to December 31, 20XX, in accordance with the description criteria.
• Based on the evaluation described in the preceding paragraph, the controls stated in the description, which are necessary to provide reasonable assurance that Company X achieved its principal system objectives, were effective throughout the period January 1, 20XX, to December 31, 20XX, based on the applicable trust services criteria.
Section 2 — Independent Accountant's Report

Independent Accountant's Report
To: Company X
Scope
We have examined:
• Company X's accompanying description of its widget manufacturing and distribution system (system) titled "Company X's Description of Its Widget Manufacturing System Throughout the Period January 1, 20XX, to December 31, 20XX," (description) based on the criteria for a description of a company's system in DC section 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report, in AICPA Description Criteria (description criteria), and
• The effectiveness of controls stated in the description, which are necessary to provide reasonable assurance that ABC Entity's principal system objectives were achieved throughout the period [date] to [date] based on the trust services criteria relevant to security and availability (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, in AICPA Trust Services Criteria.
Entity Management's Responsibilities
Company X is responsible for establishing the system objectives; identifying the risks that threaten the achievement of the system objectives; and designing, implementing, and operating effective controls within the system to provide reasonable assurance that Company X's principal system objectives are achieved. Company X is also responsible for selecting the applicable trust services category or categories, preparing the description, and stating the controls in the description. Company X has provided the accompanying assertion titled "Assertion of Company X Management" (assertion) about the description and the effectiveness of controls stated therein.
Accountant's Responsibilities
Our responsibility is to express an opinion on the description and on the effectiveness of controls stated in the description, based on our examination. Our examination was conducted in accordance with attestation standards established by the American Institute of Certified Public Accountants. Those standards require that we plan and perform our examination to obtain reasonable assurance about whether, in all material respects, the description is presented in accordance with the description criteria and the controls stated therein, which are necessary to provide reasonable assurance that the company achieved its principal system objectives, were effective based on the applicable trust services criteria.

An examination of the description of a company's system and effectiveness of controls involves the following:
• Obtaining an understanding of the system and the company's principal system objectives
• Assessing the risks that the description is not presented in accordance with the description criteria and that controls were not effective
• Performing procedures to obtain evidence about whether the description is presented in accordance with the description criteria
• Performing procedures to obtain evidence about whether controls stated in the description, which are necessary to provide reasonable assurance that the company achieved its principal system objectives, were effective based on the applicable trust services criteria
• Evaluating the overall presentation of the description.

Our examination also included performing such other procedures as we considered necessary in the circumstances. We believe that the evidence we obtained is sufficient and appropriate to provide a reasonable basis for our opinion.
Our examination did not involve performing procedures to obtain evidence about the quality of the goods produced by the system to determine whether those goods met product performance specifications, nor did it involve performing procedures to obtain evidence about whether other system objectives were achieved. Therefore, the opinion expressed below relates only to the effectiveness of controls necessary to provide reasonable assurance that the company achieved its principal system objectives and should not be considered a warranty or guarantee that the goods meet those specifications. Furthermore, we do not express an opinion on the fitness for purpose or the commercial viability of the goods.
Inherent Limitations
The description is prepared to meet the common needs of intended users and may not, therefore, include every aspect of the system that individual users may consider important to meet their informational needs.

There are inherent limitations in the effectiveness of any system of internal control, including the possibility of human error and the circumvention of controls. Because of their nature, controls may not always be effective to provide reasonable assurance that the company's principal system objectives are achieved. Also, the projection to the future of any conclusions about the effectiveness of controls is subject to the risk that controls may become inadequate because of changes in conditions or that the degree of compliance with the Company's policies or procedures may deteriorate.

Furthermore, the goods produced, manufactured, or distributed may be subject to rates of failure that have been deemed acceptable based on the principal system objectives. For those reasons, such goods may not always be free of defects.
Description of Tests of Controls
The specific controls we tested, and the nature, timing, and results of those tests, are listed in section 4, "Trust Services Categories, Criteria, Related Controls, and Tests of Controls," in columns 2, 3 and 4, respectively.
Opinion
In our opinion, in all material respects,
a. the description presents Company X's system that was designed and implemented throughout the period January 1, 20XX, to December 31, 20XX, in accordance with the description criteria.
b. the controls stated in the description, which are necessary to provide reasonable assurance that Company X achieved its principal system objectives, were effective throughout the period January 1, 20XX, to December 31, 20XX, based on the applicable trust services criteria.
Restricted Use
This report, including the description of tests of controls and results thereof in section 4, is intended solely for the information and use of Company X, its business customers and business partners, accountants providing services to such business customers and business partners, and prospective business customers and business partners, who have sufficient knowledge and understanding of the following:
• The nature of the goods produced, manufactured, or distributed by the company
• Internal control and its inherent limitations
• The applicable trust services criteria
• The risks that may threaten the achievement of the company's principal system objectives and how controls address those risks

This report is not intended to be, and should not be, used by anyone other than these specified parties.

[Accountant's signature]
[Accountant's city and state]
[Date of accountant's report]

Section 3 — Company X's Description of Its Widget Manufacturing and Distribution System

Note to Readers: The following illustrative system description is for illustrative purposes only and is not meant to be prescriptive. For illustrative purposes, the description is organized by description criteria; however, there is no prescribed format for the description of a system. For brevity, the description does not include everything that might be included in the description of the entity's system. It also does not include a complete discussion of the processes and controls Company X designs, implements, and operates to achieve its principal system objectives for availability. Ellipses (...) or notes to readers indicate places where detail has been omitted from the illustration.
Widget Manufacturing and Distribution
Company X (Company X or the Company), located in Weehawken, NJ, is a manufacturer of widgets. Company X's widgets are an integral component of autonomous vehicles manufactured by various automobile and truck original equipment manufacturers (OEMs). Widgets are provided to the OEMs for use in manufacturing and replacement parts. The Company currently does not provide widgets to the aftermarket parts industry. The widgets are the only product manufactured by the Company, and all widgets are made within the Weehawken facility.

Company X's widgets are built to meet or exceed the physical and functional specifications for the widgets described in the Company's technical specifications, which are available to OEM customers through the customer web portal. The widgets comprise both a physical device and embedded software, which is configured during the manufacturing process. The source code for the software used in the widgets is supplied by Company Y Software and then customized and configured for purpose during the manufacturing process by Company X employees. Supplies of other raw materials used in the manufacturing process come from various sources throughout the world.

The Company maintains controls throughout the manufacturing process to help ensure its availability commitments are met and performs periodic testing on a sample of outputs to ensure that its widgets meet the published specifications related to security and processing integrity.

The Company provides its customers with a limited warranty over product functionality, which includes a statement that the widgets are free from known software defects or intentionally embedded malicious code. Each widget model is designed to meet the laws and regulations of specific countries. The countries for which each model is intended are set forth in the product documentation for the model. Widgets are also designed to comply with ISO/TS16949 requirements and other industry standards listed by model in the product documentation.

Upon completion of widget manufacturing, the widgets are stored in two company-owned, on-site loading and storage facilities located in Edison, NJ, and New Brunswick, NJ. Company X has warehouse and inventory management systems in place to ensure widgets are tracked and processed completely and accurately, ensuring they are available per the Company's availability commitments. The widgets are distributed by various contracted distribution logistics companies. Company X does not own or control the distribution companies. Widgets are shipped to customers with full insurance coverage.
Principal System Objectives
Company X's ability to achieve its overall business objectives depends, in large part, on its ability to meet its commitments to customers with respect to products that achieve product performance specifications and related delivery commitments.
The technical product specifications include:
• Physical: Interface criteria, weight, durability, environmental (i.e., ability to withstand heat, dust, and humidity conditions), and power specifications
• Performance: Specific requirements regarding the digital performance of the widget for the purposes stated in product documentation
• The terms and conditions place specific limitations on the use of the product for purposes other than those for which the products were designed.

Company X warrants performance of its widgets to the specifications applicable at the time of sale, in accordance with the warranty included in the supplier contract with the OEM.
To that end, Company X has made the following commitments to its customers:
• Company X will produce widgets that meet or exceed the physical and functional specifications that are (a) provided as part of the ordering process or (b) described in the related product documentation. Programmed firmware contained within Company X's widgets is free of known software defects that would prevent the widgets from meeting product performance specifications and does not contain any intentionally embedded malicious code.
• Company X will provide firmware updates to OEMs for 15 years beyond the product release date for any software defects identified that prevent the widgets from meeting product performance specifications.
• Widget models are designed to comply with local and national regulations as set forth in product documentation. Company X's widgets are designed to comply with industry standards as listed in the terms and conditions of sale, including ISO/TS16949 requirements.
• Company X recognizes that fulfilling manufacturing and distribution requirements is critical to customers' ability to fulfill their own commitments. To that end, Company X's sales orders contain financial incentives for meeting delivery commitments and contractual penalties for failure to meet agreed-upon quantities and delivery deadlines.
• Company X recognizes that the timely provision of widgets to customers includes the secure storage, distribution, and delivery of products. Company X commits to maintain distribution contracts in each of the applicable service areas and includes controls to monitor timeliness and quality of distribution. Storage and distribution facilities are protected against physical loss or theft of products that might affect the achievement of the Company's security and/or availability commitments.
• As part of Company X's customer-specific design and production processes, the Company regularly receives information from customers that is considered customer proprietary and sensitive. Company X has established internal data-handling processes to safeguard proprietary customer data from intentional and/or unintentional disclosure, including protection of:
— Customer trade secrets (e.g., electronic specifications, manufacturing plans, semiconductors, distribution arrangements)
— Customer purchase quantities and delivery criteria
— Other proprietary elements as identified by customers at the time of sale
• In the ordinary course of business, Company X does not receive personally identifiable information regarding the end-users of derivative products (e.g., autonomous vehicles). In limited circumstances, the company may receive widgets that have been removed from end-user vehicles in order to perform diagnostic testing and quality analysis. Such information is treated as confidential information of the OEM in accordance with terms of the contract between Company X and the OEM.
• Company X has established specific manufacturing system objectives that are reviewed at each Board of Directors (Board) meeting (e.g., Improving Quality, Managing Cybersecurity Risk, Reducing Costs, Increasing Flexibility, Improving Sustainability). This report addresses the controls relevant to the following principal system objectives:
— Manufacturing of widgets in accordance with product performance specifications
— Meeting product availability commitments
— Managing cybersecurity risk to an acceptable level to support the production of widgets in accordance with specifications, meet product availability commitments, and protect confidential information used in the production process from unauthorized use or disclosure

Description of Company X Software Assurance Process, as Applied to Sourced Embedded Software

Company X follows a stringent set of software quality and security assurance checks with respect to its own software, as well as that of its suppliers.
Company Y software embedded onto the Widget is subject to these software quality and security assurance checks to ensure the software is safe and secure for operation. The software assurance process includes use case testing for functionality, load and stress testing to simulate peak performance conditions, and penetration and fuzz testing to remove security flaws. Company X also receives a structural quality certification of the embedded software from Company Y based on the CISQ standard and the OWASP Top-10, to minimize the risk of latent security vulnerabilities, performance degradations, and failure modes. Both the testing and certification of structural quality are performed with each major and minor release of the embedded software.
Identified System Incidents
During the period under assessment, the Company experienced an incident in which an online intruder gained access, through a previously unknown operating system vulnerability in the server used to update a supplier's software, to the server used to store and configure the embedded software used in its widgets. The intruder used the access to make unauthorized changes to the software and configuration parameters to be loaded in the widgets. The attack was detected approximately 66 hours after the unauthorized access was obtained and was remediated within 5 days of detection. Company X ceased the manufacturing of widgets during the 5-day period and recalled all widgets that were loaded with the software from the time of initial unauthorized access through the remediation of the incident. The Company reconciled serial numbers of all recalled and unshipped widgets to manufacturing records without exception. Based on this reconciliation, management believes that all widgets with the unauthorized software have been accounted for. All of these widgets were subsequently destroyed under controlled conditions.

As part of the remediation, Company X reinstalled the operating system and applications from a backup made prior to the incident and applied the software patch provided by the operating system supplier.
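The recall scoping described in the incident above, as an added example that is not part of the AICPA illustrative report: it reconciles constructed manufacturing records (hypothetical serial numbers and dates) against the recall and unshipped lists for the window from first unauthorized access to completed remediation, and also flags serials that sit on the wrong list for their shipped status, which goes slightly beyond what the description states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LoadRecord:
    """One manufacturing record: which widget received software, when, and whether it left the site."""
    serial: str
    loaded_at: datetime
    shipped: bool


# Incident timeline built from the figures in the description (66 hours to detection,
# 5 days from detection to remediation); the calendar dates themselves are hypothetical.
FIRST_UNAUTHORIZED_ACCESS = datetime(2020, 3, 1, 8, 0)
DETECTED_AT = FIRST_UNAUTHORIZED_ACCESS + timedelta(hours=66)
REMEDIATED_AT = DETECTED_AT + timedelta(days=5)

# Constructed manufacturing records with hypothetical serial numbers.
MANUFACTURING_RECORDS = [
    LoadRecord("W-1001", datetime(2020, 2, 28, 17, 0), shipped=True),   # loaded before the intrusion
    LoadRecord("W-1002", datetime(2020, 3, 1, 9, 30), shipped=True),    # in window, already shipped
    LoadRecord("W-1003", datetime(2020, 3, 2, 14, 0), shipped=False),   # in window, still on site
    LoadRecord("W-1004", datetime(2020, 3, 5, 11, 0), shipped=True),    # in window, already shipped
    LoadRecord("W-1005", datetime(2020, 3, 10, 9, 0), shipped=True),    # loaded after remediation
]


def affected_serials(records, window_start, window_end):
    """Serials whose embedded software was loaded while the configuration server was compromised."""
    return {r.serial for r in records if window_start <= r.loaded_at <= window_end}


def reconcile(records, recalled, unshipped, window_start, window_end):
    """Compare the recall and unshipped lists with the manufacturing records.

    Returns a dict of three sets:
      unaccounted - affected widgets on neither list: the recall is incomplete
      over_scope  - listed serials not loaded in the window (or unknown to the
                    records): the lists and the records disagree
      misfiled    - serials on the wrong list given their shipped flag
    The reconciliation is "without exception" when all three sets are empty.
    """
    recalled, unshipped = set(recalled), set(unshipped)
    by_serial = {r.serial: r for r in records}
    affected = affected_serials(records, window_start, window_end)
    accounted = recalled | unshipped
    # A recalled widget should have shipped; an unshipped widget should not have.
    misfiled = {s for s in recalled if s in by_serial and not by_serial[s].shipped}
    misfiled |= {s for s in unshipped if s in by_serial and by_serial[s].shipped}
    return {
        "unaccounted": affected - accounted,
        "over_scope": accounted - affected,
        "misfiled": misfiled,
    }


def without_exception(result):
    """True when every affected widget is accounted for and the lists agree with the records."""
    return not any(result.values())


if __name__ == "__main__":
    result = reconcile(
        MANUFACTURING_RECORDS,
        recalled={"W-1002", "W-1004"},
        unshipped={"W-1003"},
        window_start=FIRST_UNAUTHORIZED_ACCESS,
        window_end=REMEDIATED_AT,
    )
    print("reconciled without exception:", without_exception(result))
    for name, serials in result.items():
        print(f"  {name}: {sorted(serials)}")
```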
Production, Manufacturing, and Distribution Risks
Risks related to the production, manufacturing, and distribution system and underlying information systems, use of suppliers, and delivery channels used by the entity:
• The Company's widgets are manufactured with software supplied by Company Y, which is configured and installed in each widget during the manufacturing process. Company Y is responsible for supplying components, including the embedded software, which meet the Company's requirements. The quality of the Company's final product is dependent on receiving materials and components, including embedded software, which are free of software defects and do not contain any intentionally embedded malicious code. To that end, see the section "Description of Company X Software Assurance Process, as Applied to Sourced Embedded Software" for controls Company X deploys to test the software that Company Y supplies. The controls and processes of the various raw material and component suppliers are outside the subject of this report.
• The Company's manufacturing and distribution processes are highly automated and integrated, using various IT equipment and information systems. The failure of such equipment and information systems could result in a significant disruption to the manufacture and distribution of widgets. One of the systems Company X uses in its manufacturing process is the AAA system. The AAA system provider recently went bankrupt. The Company's risk assessment indicates that the Company has not experienced any significant issues with this system. While the Company has the capabilities to repair this system in-house, it will be difficult to replace the AAA system. The Company is actively seeking a replacement strategy before the system becomes obsolete.
• The Company regularly receives, from customers, information that is proprietary and sensitive, including customer trade secrets, customer purchase quantities and delivery criteria, and other proprietary elements as identified by customers at the time of sale.

Risks related to physical, environmental, technological, organizational, and other changes
• As part of the Company's strategic initiatives, the Company moved its widgets manufacturing facility from Sacramento, CA, to Weehawken, NJ, at the beginning of the period. As part of this change, the Company hired a new head of production management that oversees the Weehawken, NJ, facility.
• During the year, the Company also switched the embedded software supplier from Company Z to Company Y during this location change.

Components of the System that Manufactures and Distributes the Widgets

Infrastructure. Company X manufactures widgets on its own assembly line. The manufacturing process includes the direct manufacture of certain key components from raw material, and the assembly of these components with other components sourced from suppliers located in Asia, US, and Mexico.

Customers are given a view into Company X's production and distribution system (PADS) where they can place their orders and track the status and location of the widgets they have ordered.

Components from suppliers are received in a near just-in-time (JIT) fashion based on production forecasts to control inventories; however, some component inventories are kept during peak volume season. This requires real-time tracking of all components and shipments in the SAP materials management module. Suppliers are given access to an interface that shows real-time status of WIP inventories and order forecasts, enabling suppliers to ship components on an as-needed basis to Company X.

The manufacture of Company X specialty components requires the use of numerous computer-controlled machines and tools, including injection presses, a deburring machine, and a soldering machine. These are controlled by automated scheduling systems on the plant floor. The raw materials are delivered into one end of the manufacturing plant, where they are stored in vats and fed into the manufacturing equipment. The finished components are stored on specialized racks and taken to the assembly area by human-operated forklifts.

The assembly of components into final widgets requires a line of specialized robot arms with drilling, soldering, and compression attachments arranged in order. The assembly line is controlled by software embedded into the robots and a master control system (MCS) that operates the robot arms in proper cadence. That software can be updated to assemble the 20 models of widgets
that Company X manufactures. Each widget requires a different set of raw components and a different set of operations by the robot assembly line. MCS can handle the 20 widget models and some types of customizations (e.g., including or excluding certain components off the assembly).
The IT systems running the shop floor run on a set of Microsoft Windows servers, running the Windows 10 OS. These are four-way servers housed in a small data center, in a 30x20 room in each of the manufacturing sites. They are connected to the local area networks (LAN) for these sites, which also connect to all the end-user workstations, running Microsoft Office, as well as the scanners used for checking shipments in and out, the mobile devices for shop floor staff, and the HVAC system for climate control. The servers are also connected by a wide area network (WAN) to the other sites in the Company as well as the corporate systems in Company X's secured network operations centers (NOCs). The WAN connectivity is run over T3 lines provided by ABC Communications, with a redundant loop provided by DEF Communications. Business continuity and disaster recovery (BC/DR) services are provided by GHI Corporation with a 4-hour recovery SLA.

Employees access the applications (see "Software" section below) either through their desktop on company-supplied computers or through a Citrix Access Gateway. Data communications between offices are encrypted with Cisco virtual private networking (VPN) technology using Advanced Encryption Standard 256-bit encryption to protect data and intra-company communications.

Company X's IT systems and manufacturing control systems (MCS, PADS, and others) use the Microsoft SQL Server relational database management system. These database servers and file servers are housed in Company X's secured NOCs. All data at rest in the DBMS is encrypted.

Company X uses Transport Layer Security to encrypt email exchanges with customers, suppliers, facility and service providers, and transportation providers. All sensitive data is also encrypted at rest in the DBMS.

Software. The software used in the manufacturing and distribution process falls into three main categories:
1. Embedded logic is the software or firmware that gets encoded in the widgets and robots that operate on the manufacturing floor, in the assembly process, or as part of the distribution process. This software is updated only when it is patched for security vulnerabilities, or when upgrades to the device functionality are necessary.
2. Operating and network software is the software that is in the network routers, gateways, firewalls, etc., and on the operating systems of all the devices, servers, and endpoint computers. The PCs, RDBMS, and servers have already been described. The networks are all running Cisco equipment and their latest operating software. Company X is also running security software for WAF, antivirus and intrusion detection. The HVAC systems are controlled by proprietary software from the HVAC supplier.
3. Information software includes the software that collects and processes data from the factory, distribution process, or customers (as described in the "data" section below) and is used to control the manufacturing and distribution process and customer payments, account tracking, recordkeeping, etc. Company X uses the following IT systems:
• Master Control System (MCS) — The MCS was developedin-house. Together with the Production and DistributionSystem and the AAA system, it is responsible for the op-eration of the manufacturing and assembly process, in-cluding the robotic assembly line used to assemble the 20varieties of widgets that Company X manufactures.
• Production and Distribution System (PADS) — ThePADS, also developed in house, tracks widgets manu-factured and delivered. Customers can track materialsthrough PADS interfaces (portals and APIs). PADS is thesource of record for master transportation file data andtransportation logs.
• Warehouse and Inventory Management System(WIMS) — WIMS, also developed in house, tracks widgetsin the warehouse. Track inventory across every step ofyour operations from ordering to delivery, track items bylot number, serial numbers, expiration dates, and othermethods, monitor asset levels in multiple locations andtransfer from one to another when necessary. WIMSinterfaces with PADS and WIMS is the source of recordfor master inventory and warehouse data.
• The AAA system is a third-party supplier software and,together with the MCS and PADS, is responsible for theoperation of the manufacturing and assembly process.
• SAP — The manufacturing plants run SAP for allthe time-keeping, personnel management, HR, financialreporting, and materials management, including WIPinventories and component orders to ensure raw mate-rials and components are delivered on time for produc-tion while minimizing WIP. This system is customizedfor Company X using configurations and some RICEFcode.
• Quality Assurance System (QAS) — The is an in-housedeveloped system that tracks in-plant sampling tests aswell as returns and defects in the field. The system is in-tegrated into MCS and SAP to tie together manufacturingconfigurations and components used in specific batchesfor root cause analysis.
• Analytics — Company X uses a third-party commercial-off-the-shelf (COTS) analytics package for managing data and business reporting.
• Customer Information System (CIS) — The CIS keeps track of all customer data, including prior order histories and account information. The CIS interfaces with the SAP system for AR.
• Application TRK is installed to enhance the workflow and approval process in support of the policies. This application enables tracking of additions, modifications, or deletions of users; changes to data classification; changes to authority levels in access approvals; tests of new security components prior to installation; and tracking of system incidents and their resolution.
People. Company X has a staff of approximately 150 employees organized in the following functional areas:
• Corporate. Executives, senior production management, and senior logistics management. These individuals perform oversight responsibilities over the production and transportation processes through the performance of various monitoring controls. The controls primarily consist of measurement and analyses of key performance indicators generated through internal reports.
• Operations. Staff that administer the day-to-day manufacturing activities and scheduling of transportation providers. Operations staff are divided into the following categories:
— Design staff
— Assemblers and assembly supervisors
— Packaging staff
— Computer control programmers and operators
— Quality control inspectors
— Facility managers
— Safety coordinators
— Warehouse workers
— Transportation coordinators
— Reports managers
Data. Data within the production system constitutes production requisitions created based on customer orders, production data related to batches, components, raw materials, WIP inventory, and production and quality control logs and reports. Data within the transportation system constitutes master transportation file data and transportation logs. Data within WIMS constitutes master inventory and warehouse data.
These reports are used by management for performing analyses and assessing the effectiveness of controls. They are generated internally within the production and transportation systems and are available as electronic PDF and comma-delimited value file exports. They are not transmitted directly from the production and transportation systems to external parties.
Materials. Company X purchases raw materials and components from pre-approved suppliers, selected through a strict vetting and bidding process. Suppliers are responsible for the quality of materials and components; however, Company X has instituted a system of spot checks over certain significant raw materials.
Materials and components that are not being used within the manufacturing system are stored within facilities and secured by physical controls. Inventory controls are employed to ensure production at capacity that enables the Company to meet its distribution commitments.
Processes and Procedures. The Company's portfolio of security and availability controls is based on specifications set forth in the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) standards. The CRO is responsible for creating, updating, communicating, and monitoring procedures and control activities based on these standards. Procedures and related controls address the following areas within the manufacturing environment:
• Authorized access to the manufacturing management and transportation scheduling systems
• Authorized access to the reporting system
• Malware protection
• Filtering of network traffic
• Compartmentalization of manufacturing and transportation systems from office networks
• Change management over the SDLC
• Necessary backup and offline storage
• Physical access to production and warehouse facilities
• Environmental monitoring in production and warehouse facilities
• Disaster recovery programs
A description of procedures and controls is provided below.
This section provides information about the five interrelated components of internal control at Company X, including:
• Control Environment,
• Risk Assessment Process,
• Monitoring Activities,
• Information and Communication, and
• Control Activities
Control Environment
Company X's control environment exists under the organization's governance structure and bodies, which are led by the Board of Directors (Board). The Board oversees and monitors Company X's control environment with the assistance of its subcommittees, including the Audit Committee, which provides general direction and oversight on matters related to financial statement preparation, external audits, and internal control assessment and reporting, and the Technology Committee, which oversees the entity's IT and operations, especially as they relate to manufacturing, engineering, and production. The roles of these governance bodies in promoting the integrity of Company X's control environment are referenced, as warranted, under the subheadings of this section.
Code of Conduct
A sound control environment is established through a commitment to integrity and ethical conduct throughout all levels of the organization. Company X promotes a culture of integrity through an organizational culture and philosophy that prioritizes standards and ethical conduct. To this end, Company X has developed a Code of Conduct policy that has been mandated and approved by the Board. The Code of Conduct provides detailed guidance on proper behavior and outlines sanctions for a breach of conduct up to and including termination. Human Resources is given responsibility for monitoring adherence to the Code of Conduct, and those in a supervisory capacity are trained and instructed to report violations. In addition, an anonymous ethics hotline has been established to facilitate the reporting of dubious conduct and provides a method of reporting that is intended to shield the whistleblower from reprisals. All reported incidents are assigned a case number and investigated. Records of these reports and investigations are summarized and reported to the Board to provide proper visibility and oversight. The Code of Conduct applies to suppliers and critical third parties that meet certain predefined characteristics and profiles. All employees and contract laborers under Company X's management are required to read the Code of Conduct, evidence their acknowledgement of it by signature at the time of hire, and confirm their acknowledgement annually thereafter.
Company X has anonymous third-party-administered whistleblower hotlines available to internal and external users. The CRO monitors customer and workforce complaints reported via the hotlines.
Control Assessment, Oversight, and Reporting
Board members are appointed to act on behalf of the shareholders. Roles and responsibilities of Board members as outlined in the Board of Directors' Charter are segregated from the roles and responsibilities of management. The Board, by charter, comprises at least 50% independent board members and bears ultimate responsibility for Company X's control environment and the system of internal control. The Board, depending upon the subject matter on the docket, also assesses the need to supplement board membership with individuals who, for example, possess expertise related to supply chain and third-party risk management. Specifically, the need for special expertise is evaluated prior to each board meeting, based on the meeting agenda. If warranted, the Board procures the needed experts or consultants.
Quarterly and annually, senior management and the Board receive informationand training needed to fulfill their roles with respect to the achievement ofCompany X's service commitments and system requirements.
Responsibility for oversight of internal control is delegated to the Audit Committee, with at least 50% of its membership drawn from independent members of the Board. The Audit Committee meets at least quarterly. The Audit Committee comprises individuals who possess requisite expertise related to financial reporting, internal control, operations and logistics, and cybersecurity. In addition, experts from other disciplines are summoned on an ex officio basis to address specific topics, as required. Internal Audit, which reports directly to the chair of the Audit Committee, is responsible for assessing Company X's control environment and for planning, executing, and issuing audit reports to the responsible management (for the subject matter examined) and the Audit Committee.
The Technology Committee comprises designated representatives of the Board, the Chief Technology Officer (CTO), the Chief Risk Officer (CRO), the Chief Information Security Officer (CISO), and the General Managers of Company X's business units. Various internal and external business analysts and system analysts also participate in meetings of the committee, as warranted, to provide subject expertise. The purpose of the Technology Committee is to ensure that the Company's technology direction and capability, including information technology, engineering, and production, can support Company X's current operations, its strategy, and future growth. An important mandate of the Technology Committee is to provide design governance to the entity, ensuring that the important technology components and application systems under consideration for acquisition and implementation will support Company X's business strategy, will integrate well into the existing application and technology infrastructure, and will scale well throughout the enterprise and support the intended user population(s), as needed.
Organizational Design, Span of Authority, and Reporting Lines
Company X has one primary business unit with a number of operating units and geographic locations. To simplify operations and reporting relationships, the organization and reporting relationships are defined functionally rather than geographically by operating center. Company X assesses its organizational structure, reporting lines, authorities, and responsibilities as part of its ongoing risk assessment and management process, which is summarized and approved by the Board annually. Reporting relationships and organizational structures are reviewed periodically (and at least annually) by senior management and revised when necessary to reflect the current organizational structure. The reviewed and, if necessary, updated risk assessment and organization charts that detail reporting lines are included in a Board package, along with other policies, that is reviewed and approved by the Board annually.
Roles and responsibilities are documented in written job descriptions, which are specified for each position classification. Job descriptions are reviewed by Company X management on an annual basis for needed changes; where job duties change, the necessary changes to the job descriptions are also made to enable execution of authorities and responsibilities and the flow of information needed to manage the activities of Company X.
Employee roles and responsibilities whose execution affects the achievement of objectives are communicated as part of the hiring or transfer process. Human resources personnel screen internal and external job applicants' qualifications against the requirements defined in the job description. Transcripts are obtained to evidence educational attainment, and job references are checked to validate experience. Prior to extension of a job offer, job candidates are subject to a background check by a third-party provider that conducts a multi-jurisdictional database search of criminal records and credit reporting agencies.
Management is committed to continually developing its workforce and attracting and retaining competent personnel to ensure continued achievement of objectives. To that end, Company X provides continued internal and external training based on employees' responsibilities. In addition, annual security, privacy, and safety training is mandatory for all employees, contractors, and supplier employees. New hires, whether employees, contractors, or supplier employees, are provided the same training during the onboarding process. The training includes communication of policies for accessing and using systems and of sanctions for violating the information security policy. In the training, employees are also instructed to report potential security incidents to the help desk. Management monitors compliance with training requirements.
Company X believes in continuous monitoring and improvement of its environment, processes, technology, and people. As it relates to its people, Company X management and the Board perform annual performance evaluations to communicate and hold individuals accountable for performance of internal control responsibilities. The performance evaluation is signed by the manager and the employee. The evaluation process may result in corrective actions, including training or sanctions, as necessary.
Management and the Board establish measurable goals and performance evaluation criteria, including incentives, other rewards, and sanctions appropriate for responsibilities at all levels of Company X, that are in alignment with the Company's short-term and longer-term objectives. Established short-term and longer-term Company X goals and the performance evaluation, reward, and sanctions criteria for Company X executives are reviewed and approved annually by the Compensation Committee to ensure the goals and rewards consider pressures associated with the achievement of objectives. For example, Company X personnel with internal control responsibility are not rewarded based on the number of exceptions noted, or lack thereof, by the external auditor.
Management and the Board evaluate performance of internal control responsibilities, providing rewards and sanctions appropriate for responsibilities, considering the achievement of both short-term and longer-term objectives.
During its ongoing and periodic business planning, business continuity planning, and budgeting processes, management and the Board evaluate the need for additional tools and resources to achieve business objectives, including contingency plans for assignments of responsibility important for internal control.
Risk Assessment Process [not illustrated]
Information and Communication
A key step in the design of Company X's processes and controls is the identification of the information needed to operate, monitor, and control the system and the definition of the requirements for it. The identified information is included in the system design specifications at the functional and detailed design levels. The subsequent testing of system changes includes procedures to evaluate the completeness and accuracy of the specified information.
Security and availability objectives of the system are detailed through various policies, procedures, and manuals. These documents are available to internal personnel through an intranet site. The policies and procedures are reviewed by senior management and approved annually by the CRO. As part of senior management's annual review, they identify the information required and expected to support the achievement of Company X's service commitments and system requirements.
Company X's security, availability, and processing policies and procedures address employees' responsibility for production quality and performance specifications, delivery requirements, operational failures, incidents, system problems, concerns, and complaints. The documented policies and procedures include internal controls for producing timely, accurate, and complete products. The policies, procedures, and manuals include, but are not limited to, the following:
• Logical and Physical Security
• Change Management
• Incident Response and Monitoring
• Assembly Manuals
• ISO Compliance Procedures
• QAS Procedures
The policies and procedures help ensure that employees understand their individual roles and enable them to carry out their responsibilities and controls so that significant events are communicated in a timely manner. These include formal and informal training programs, the use of email to communicate time-sensitive information, and processes for security and system availability purposes that notify key personnel in the event of problems. Employees also receive updates via staff meetings and monthly newsletters. The documented Incident Response and Monitoring Policy includes procedures regarding an escalation plan, based on the nature and severity of the incident, to senior management and the Board, as necessary.
Company X's security and availability commitments are communicated to customers through documented contracts, while product specifications are set forth in product documentation. Agreements are established with service providers, including Company Y, that include clearly defined terms, conditions, and responsibilities. Company X's website includes information regarding terms and responsibilities. Any changes to the commitments and requirements are communicated to internal personnel, customers, and third parties on a timely basis.
Monitoring Activities [not illustrated] ...
Control Activities [for brevity, only control activities that address CC5.1–5.3 and CC6.1–6.2 have been illustrated. The control activities that address the availability criteria have not been illustrated.]
Control Design and Implementation
Company X follows a defined process for selecting, developing, and implementing controls when the need for an additional control is identified, whether as a result of a change in risk assessment, the monitoring of controls, or other activities. Once the risk has been identified, a manager from the department responsible for the process is assigned responsibility for developing the new control with the assistance of a team comprising personnel from the controller's office, internal audit, information technology, engineering, and other departments, as necessary. The team identifies the detailed characteristics of the risk and identifies potential controls that would address the risk. Potential controls are evaluated, and one or more controls are selected for implementation. As part of the control selection process, the need for monitoring is evaluated and, if needed, appropriate monitoring activities are selected.
The design and implementation of controls is considered a process change andfollows the change management process described below.
Security Policies
As a manufacturing organization, Company X treats all third-party information in its custody and all intellectual property as confidential information. Nonpublic information is also regarded as confidential and, as such, is afforded the same protections and safeguards as all other confidential information through the implemented policies, procedures, and controls. The Information Security Policy defines protection requirements, access rights, and access restrictions, as well as retention and destruction requirements, for confidential data. The Information Security Policy also defines the processes for assessing risks on a periodic basis, preventing unauthorized access, adding new users, modifying access levels of existing users, and removing users who no longer need access. The functional organization design and ongoing assessment facilitate effective lines of reporting and enable the execution of authority and responsibilities and the flow of information needed to manage the activities of the Company.
The following security policies and related processes are in place for the MCS:
• Data classification and business impact assessment
• Selection, documentation, and implementation of security controls
• Assessment of security controls
• User access authorization and provisioning
• Removal of user access
• Monitoring of security controls
• Security management
Asset Management
Company X has an asset management (AM) application to track information assets, including hardware, all stages of data (at rest, in processing, or in transmission), all three types of software described above (IT software, software on board manufacturing equipment, and software that is engineered into the product), mobile devices, and offline system components. This inventory is kept up to date by the CTO's office and reviewed by management at least once per annum to certify correctness. These reviews and certifications by management are also tracked by the AM application.
Network Structure
Company X uses network segmentation to help limit access. The network segments in use are:
• Manufacturing — used for IT systems that control the manufacture of widgets, including SCM systems
• Code injection — used for the server and client that configure and install embedded software in widgets
• Engineering — used for product design, development, and analysis
• Corporate — used for all other functions
• IT test — used by IT to test changes to software and hardware
• External — used to control access to and from outside networks
Virtual firewall technology is used to control access between segments, while access to the manufacturing and code injection segments is controlled through dedicated jump servers.
Physical and virtual IT device specification and configuration standards exist for each type of IT device. Operating system, database, and middleware configuration standards are also defined. Variances from standards for a particular use case must be documented and approved by the CISO and CIO. Configuration standards are reviewed and revised on an annual basis. Implementation of configuration changes required by changes to standards is made via the patch management process.
Unique user identification numbers, names, and passwords are required to authenticate users to production systems and all data assets, as well as to the facility services, transportation provider, member services, and client reporting websites. Users are identified and authenticated to the corporate network through a single sign-on tool. This tool is then used to identify and authenticate users to IT components on all but the manufacturing and code injection segments. Access to the manufacturing and code injection segments generally requires separate validation of credentials at dedicated workstations on those segments.
Inbound external traffic terminates at a DMZ that is separated by a firewall from the internal network. External users, whether employees or approved third-party personnel, are permitted access to company systems via SSL VPN and an access control system that uses two-factor authentication.
Access to applications, servers, and other resources is based on role-based security enforced by access control software. In-scope production systems are configured to limit access to personnel based on the rule sets implemented by the access control system.
Password parameters consist of the following:
• Passwords contain a minimum of eight characters, including one non-alphanumeric character, and are complexity-enabled.
• Passwords expire every 90 days for non-privileged accounts and 60 days for privileged accounts.
• Log-on sessions are terminated after three failed log-on attempts.
• Users cannot reuse the last three passwords (five passwords for privileged accounts).
New software, hardware, and devices that are implemented in the company network undergo a change management process, as documented in this report. This process includes the configuration of access credentials to network and information assets needed for the new software or hardware to function properly. Software and hardware assets are reviewed quarterly, and any credentials for decommissioned assets are removed.
Employees are granted logical and physical access to in-scope systems based on documented approvals. All personnel with external access are documented, and their access is reviewed by appropriate management personnel at least once every six months. Company X's transportation providers, sub-assembly providers, treating facilities, and component providers (subcontractors) are approved for access by an authorized user. The ability to create or modify user access accounts and user access privileges is limited to authorized personnel. User access is reviewed quarterly to verify whether individuals' access is necessary for their job functions and to identify the existence of inappropriate accounts. Accounts that are no longer needed are removed from the authorized user list in the access control system.
Administrative access to Active Directory, Unix, SCM systems, and system servers and databases is restricted to authorized employees.
The human resources department provides IT personnel with an employee termination report every two weeks. IT reconciles the termination report with current access privileges to determine whether access has been appropriately removed or disabled. Customer service and supply chain management teams also provide monthly updates to the lists of third-party personnel who may have access to specific Company X systems. Dormant network accounts are disabled after 90 days of inactivity, and dormant MCS accounts are disabled after 45 days of inactivity.
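The termination reconciliation and dormancy rules described above lend themselves to a repeatable check. The following is an added example, not Company X's or the AICPA's code, written in Python against constructed sample exports (the column names, account identifiers, and 2021 dates standing in for 20X1 are assumptions). It flags accounts still enabled for employees on the HR termination report, accounts idle beyond the 90-day network and 45-day MCS thresholds, and enabled accounts with no HR owner, which an HR-driven termination report can never cause to be removed.

```python
"""Reconcile an HR termination report against an account export and flag
dormant and ownerless accounts. Added example with constructed sample data;
the column names, identifiers and 2021 dates (standing in for 20X1) are
assumptions, not Company X's actual IPE."""
import csv
from datetime import date, datetime
from io import StringIO

# Dormancy thresholds as stated in the system description.
DORMANCY_DAYS = {"network": 90, "mcs": 45}

# Constructed sample of the bi-weekly HR termination report.
HR_TERMINATION_REPORT = """employee_id,name,termination_date
E1001,A. Smith,2021-03-02
E1002,B. Jones,2021-03-05
E1003,C. Lee,2021-03-09
"""

# Constructed sample export of current accounts from the access control system.
ACCOUNT_EXPORT = """system,account,owner_id,enabled,last_logon
network,asmith,E1001,true,2021-02-28
network,bjones,E1002,false,2021-03-01
network,dkim,E1004,true,2020-11-15
mcs,clee,E1003,true,2021-03-08
mcs,dkim,E1004,true,2021-01-20
mcs,svc_robot,,true,2021-03-14
"""


def parse_csv(text):
    return list(csv.DictReader(StringIO(text)))


def parse_date(text):
    return datetime.strptime(text, "%Y-%m-%d").date()


def is_enabled(acct):
    return acct["enabled"].strip().lower() == "true"


def terminated_still_enabled(terminations, accounts):
    """Accounts still enabled whose owner appears on the termination report."""
    term_dates = {r["employee_id"]: parse_date(r["termination_date"]) for r in terminations}
    return [
        {"system": a["system"], "account": a["account"], "owner_id": a["owner_id"],
         "terminated_on": term_dates[a["owner_id"]]}
        for a in accounts
        if is_enabled(a) and a["owner_id"] in term_dates
    ]


def dormant_accounts(accounts, as_of):
    """Enabled accounts idle longer than the threshold for their system."""
    findings = []
    for a in accounts:
        threshold = DORMANCY_DAYS.get(a["system"])
        if not is_enabled(a) or threshold is None:
            continue
        idle_days = (as_of - parse_date(a["last_logon"])).days
        if idle_days > threshold:
            findings.append({"system": a["system"], "account": a["account"], "idle_days": idle_days})
    return findings


def orphan_accounts(accounts):
    """Enabled accounts with no HR owner: a termination report cannot trigger
    their removal, so they need a separate review (service accounts, typically)."""
    return [{"system": a["system"], "account": a["account"]}
            for a in accounts if is_enabled(a) and not a["owner_id"].strip()]


def run_review(as_of=date(2021, 3, 15)):
    """Run all three checks as of the review date and return the findings."""
    terminations = parse_csv(HR_TERMINATION_REPORT)
    accounts = parse_csv(ACCOUNT_EXPORT)
    return {
        "terminated_still_enabled": terminated_still_enabled(terminations, accounts),
        "dormant": dormant_accounts(accounts, as_of),
        "orphans": orphan_accounts(accounts),
    }


if __name__ == "__main__":
    for category, findings in run_review().items():
        print(category)
        for finding in findings:
            print("  ", finding)
```

The orphan check is the one most often missing from a termination-driven review: an account with no owner in the HR roster (the constructed svc_robot row) passes the reconciliation every cycle, so it has to be reviewed on its own schedule.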
Internal data-handling processes have been established to make sure that confidential customer information is adequately safeguarded. The Company encrypts all e-mail exchanges with customers, suppliers, facility and service providers, and transportation providers with Transport Layer Security. Additionally, the Company encrypts all sensitive data at rest in the DBMS. All internal data transmissions between Company offices are encrypted. Encryption keys are managed and protected using a COTS key vault product across the enterprise.
Change Management... [not illustrated]
Business Continuity and Recovery
The Company monitors its manufacturing plant equipment, systems and personnel schedules, and inventory to ensure that adequate system capacity is maintained; equipment is maintained, replaced, or upgraded timely; personnel are available as per manufacturing plans; and inventory of raw materials, WIP, and finished goods is maintained at forecasted levels. The Facilities Team maintains HVAC and other environmental systems, such as UPS, backup generators, sprinklers, and fire extinguishers, as part of its daily activities, and a third party is contracted to test the backup generators and inspect fire extinguishers annually. The Plant Equipment Maintenance Team monitors plant equipment as part of the team's daily activities, with routine maintenance performed during scheduled weekly maintenance windows. The Assembly Supervisors plan and monitor personnel schedules and attendance, including penalties for repeat tardiness, which may include employment termination. The NOC Team monitors the network and plant systems for capacity and any potential availability issues. The Assembly Supervisors and Managers, Sales Managers, and Warehouse Managers meet monthly to discuss inventory, including planning for the future as well as managing current inventory levels.
The Company has contracted with GHI Corporation for its business continuityand disaster recovery with a 4-hour recovery SLA based on its business impactanalysis. The Company works with GHI Corporation to test the plans annually.
The Computer Operators perform incremental backups of manufacturing data daily and full backups weekly. Backups are monitored daily and re-run if failed. Backup tapes are shipped off-site weekly and stored at the GHI Corporation backup storage facility.
Quality Management
As part of Company X's Quality Assurance System (QAS), the entity remains cognizant of applicable laws and regulations regarding the manufacture, distribution, and export of widgets and their components. The QAS includes quarterly reviews for changes to organizational policy, processes, specifications, and results. Performance results are reviewed with key personnel to ensure that available improvements are implemented and that quality control shortcomings related to customer specifications, commitments, and delivery are adequately addressed on a timely basis.
Company X's widgets are produced using materials and parts from external sources. As part of Company X's ISO 9000-based quality controls, the Company provides both material specifications and software quality requirements (where applicable) to suppliers from whom materials are purchased.
As a function of QAS, products and materials received are inspected for adherence to the Company's specifications and suitability for use in its manufacturing processes. While reasonable measures are instituted to verify the suitability of materials and logical components, the controls and processes of Company X's suppliers are not included in this description nor tested by the practitioner.
Section 4 — Trust Services Categories, Criteria, Related Controls, and Tests of Controls

Note to Readers: Although the applicable trust services criteria, related controls, and management responses to deviations, if any, would be presented in this section, they are an integral part of Company X's description of its widget manufacturing and distribution system throughout the period January 1, 20X1, to December 31, 20X1. Company X's controls relevant to security and the practitioner's tests of controls presented in this section are for illustrative purposes. For brevity, the table does not include the controls Company X designs, implements, and operates to achieve its principal system objectives relevant to availability and processing integrity. Only selected controls, tests of controls, and results thereof are illustrated in the table. Accordingly, the table is incomplete.
Applicable Trust Services Criteria Relevant to the Security and Availability Categories
Information Produced by the Entity
For tests of controls requiring the use of Information Produced by the Entity (IPE), including Electronic Audit Evidence (EAE) (e.g., controls requiring system-generated populations for sample-based testing), the practitioner performed a combination of the following procedures to address the completeness, accuracy, and data integrity of the data or reports used:
• Inspected the source of the IPE,
• Inspected the query, script, or parameters used to generate the IPE,
• Tied data between the IPE and the source, and/or
• Inspected the IPE for anomalous gaps in sequence or timing to determine that the data is complete and accurate and maintains its integrity.
For tests of controls requiring management's use of IPE in the execution of the controls (e.g., agreeing the general ledger to the sub-ledger), the practitioner inspected entity management's procedures, as applicable, to assess the validity of the IPE source and the completeness, accuracy, and integrity of the data or reports.
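The inspection of IPE for gaps in sequence or timing can be made mechanical before a population is relied on for sampling. The following is an added example, not part of the illustrative report or the AICPA's guidance, written in Python over a constructed change-ticket export (the CHG- identifier format, the timestamps, and the 14-day silence threshold are assumptions). It reports gaps in the identifier sequence, duplicate rows, records outside the examination period, and stretches with no records at all, each of which should be explained before the export is accepted as complete.

```python
"""Completeness checks over a system-generated population (IPE): sequence
gaps, duplicate rows, out-of-period records and silent stretches. Added
example with constructed sample data; the CHG- identifier format, the
timestamps and the 14-day silence threshold are assumptions."""
from datetime import datetime, timedelta

# Constructed sample: a change-ticket export with sequential identifiers.
TICKET_EXPORT = [
    ("CHG-1001", "2021-01-04T09:12:00"),
    ("CHG-1002", "2021-01-04T10:30:00"),
    ("CHG-1003", "2021-01-05T08:05:00"),
    ("CHG-1005", "2021-01-06T11:20:00"),  # CHG-1004 is absent
    ("CHG-1006", "2021-01-06T11:20:00"),
    ("CHG-1006", "2021-01-06T11:20:00"),  # duplicate row
    ("CHG-1007", "2021-02-20T16:45:00"),  # six weeks with no records before it
]

# Examination period (2021 stands in for 20X1).
PERIOD_START = datetime(2021, 1, 1)
PERIOD_END = datetime(2021, 12, 31, 23, 59, 59)


def ticket_number(ticket_id, prefix="CHG-"):
    """Numeric part of a ticket identifier. Unexpected formats raise rather than
    being skipped, since silently dropping rows would itself hide incompleteness."""
    if not ticket_id.startswith(prefix) or not ticket_id[len(prefix):].isdigit():
        raise ValueError(f"unexpected identifier format: {ticket_id}")
    return int(ticket_id[len(prefix):])


def sequence_gaps(rows):
    """Inclusive (first_missing, last_missing) ranges absent from the sequence."""
    numbers = sorted({ticket_number(tid) for tid, _ in rows})
    return [(prev + 1, cur - 1) for prev, cur in zip(numbers, numbers[1:]) if cur - prev > 1]


def duplicate_ids(rows):
    """Identifiers that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for tid, _ in rows:
        if tid in seen and tid not in dups:
            dups.append(tid)
        seen.add(tid)
    return dups


def timing_anomalies(rows, period_start, period_end, max_silence=timedelta(days=14)):
    """Records outside the examination period, and stretches longer than
    max_silence with no records (a sign of a truncated or filtered export)."""
    findings = []
    stamps = sorted(datetime.fromisoformat(ts) for _, ts in rows)
    for ts in stamps:
        if ts < period_start or ts > period_end:
            findings.append(("out_of_period", ts.isoformat()))
    for prev, cur in zip(stamps, stamps[1:]):
        if cur - prev > max_silence:
            findings.append(("silent_stretch", prev.isoformat(), cur.isoformat()))
    return findings


def check_population(rows, period_start=PERIOD_START, period_end=PERIOD_END):
    """Run all checks and return the findings by category."""
    return {
        "gaps": sequence_gaps(rows),
        "duplicates": duplicate_ids(rows),
        "timing": timing_anomalies(rows, period_start, period_end),
    }


def run_checks():
    return check_population(TICKET_EXPORT)


if __name__ == "__main__":
    for name, findings in run_checks().items():
        print(name, findings)
```

A gap or a silent stretch is not itself an exception; it is a question for the report owner (was CHG-1004 voided, was the export filtered by status) that must be answered before the population is used to draw a sample.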
Trust Services Criteria for the Security and Availability Categories | Description of Company X's Controls | Practitioner's Tests of Controls | Results of Practitioner's Tests of Controls

Control Environment

CC1.1 The entity demonstrates a commitment to integrity and ethical values.

Description of Company X's Controls: Company X has documented the code of business conduct and ethical standards, which are reviewed, updated if applicable, and approved by the board of directors and senior management annually.

Practitioner's Tests of Controls: Inspected the code of business conduct and ethical standards of Company X, noting that the conduct and standards outline the Company's commitments to integrity and ethical values and that the conduct and standards were updated and approved by the board of directors and senior management within the examination period.

Results of Practitioner's Tests of Controls: No exceptions noted.

Description of Company X's Controls: Personnel, including contractors, are required to read and accept the code of business conduct and ethical standards upon their hire and formally reaffirm them annually thereafter.

Agreements are established with suppliers, vendors, and critical third parties (Company Y, GHI Corporation, and other critical third parties) that include clearly defined terms, conditions, and responsibilities for suppliers, vendors, and critical third parties.

Practitioner's Tests of Controls: For a selection of new hires, including contract hires, inspected the code of business conduct and ethical standards signed and determined that the conduct and the standards were acknowledged by each hire selected.

For a selection of current personnel, including contractors, inspected the code of business conduct and ethical standards signed and determined that the conduct and the standards were acknowledged annually by each person selected.

For a selection of agreements with the suppliers, vendors, and critical third parties, inspected the agreements and determined that the agreements outlined Company X's requirements, including terms, conditions, and responsibilities for the suppliers, vendors, and critical third parties.

Results of Practitioner's Tests of Controls: Two of 45 new hires selected did not sign the conduct and standards acknowledgement.

(continued)
©2020, AICPA AAG-SSC APP E
300 SOC for Supply ChainT
rust
Ser
vice
sC
rite
ria
for
the
Sec
uri
tya
nd
Ava
ila
bili
tyC
ate
gori
esD
escr
ipti
onof
Com
pa
ny
X’s
Con
trol
sP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Res
ult
sof
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
s
Man
agem
ent
mon
itor
spe
rson
nel
com
plia
nce
wit
hth
eco
deof
busi
nes
sco
ndu
ctan
det
hic
alst
anda
rds
thro
ugh
mon
itor
ing
ofcu
stom
eran
dw
orkf
orce
mem
ber
com
plai
nts
and
the
use
ofan
anon
ymou
sth
ird-
part
yad
min
iste
red
eth
ics
hot
lin
e.C
ompa
ny
X's
code
ofbu
sin
ess
con
duct
incl
ude
sa
san
ctio
ns
poli
cyfo
rpe
rson
nel
wh
ovi
olat
eth
eco
deof
busi
nes
sco
ndu
ct.T
he
san
ctio
ns
poli
cyis
appl
ied
tope
rson
nel
wh
ovi
olat
eth
eco
deof
busi
nes
sco
ndu
ct.
Insp
ecte
dC
ompa
ny
X's
web
site
and
test
dial
edth
eh
otli
ne
nu
mbe
rpr
ovid
edan
dde
term
ined
that
anan
onym
ous
thir
d-pa
rty
adm
inis
tere
dh
otli
ne
isav
aila
ble.
Insp
ecte
dC
ompa
ny
X's
code
ofbu
sin
ess
con
duct
and
dete
rmin
edth
atit
incl
ude
da
san
ctio
ns
poli
cyfo
rpe
rson
nel
wh
ovi
olat
eth
eco
deof
busi
nes
sco
ndu
ct.
For
ase
lect
ion
ofcu
stom
eran
dw
orkf
orce
mem
ber
com
plai
nts
logg
edvi
ath
eth
ird-
part
yad
min
iste
red
hot
lin
e,in
spec
ted
the
rela
ted
docu
men
tati
onan
dde
term
ined
that
pers
onn
elw
ho
viol
ated
the
code
ofbu
sin
ess
con
duct
wer
esa
nct
ion
edas
per
the
poli
cy.
No
exce
ptio
ns
not
ed.
Pri
orto
empl
oym
ent,
pers
onn
elar
eve
rifi
edag
ain
stre
gula
tory
scre
enin
gda
taba
ses,
incl
udi
ng
ata
min
imu
m,c
redi
t,cr
imin
al,
dru
g,an
dem
ploy
men
tch
ecks
.
For
ase
lect
ion
ofn
ewh
ires
,in
spec
ted
the
back
grou
nd
chec
ksan
dde
term
ined
that
sele
cted
pers
onn
elsu
cces
sfu
lly
com
plet
edba
ckgr
oun
dch
ecks
incl
udi
ng,
cred
it,c
rim
inal
,dr
ug
and
empl
oym
ent
chec
kspr
ior
tobe
ing
hir
edby
Com
pan
yX
.
No
exce
ptio
ns
not
ed.
CC
1.2
Th
ebo
ard
ofdi
rect
ors
dem
onst
rate
sin
depe
nde
nce
from
man
agem
ent
and
exer
cise
sov
ersi
ght
ofth
ede
velo
pmen
tan
dpe
rfor
man
ceof
inte
rnal
con
trol
.
Th
ebo
ard
ofdi
rect
ors
are
appo
inte
dto
act
onbe
hal
fof
the
shar
ehol
ders
.Rol
esan
dre
spon
sibi
liti
esof
the
boar
dof
dire
ctor
sas
outl
ined
inth
eB
oard
ofD
irec
tors
'Ch
arte
rar
ese
greg
ated
from
the
role
san
dre
spon
sibi
liti
esof
man
agem
ent.
Th
ebo
ard
ofdi
rect
ors
un
ders
tan
dan
dac
know
ledg
eth
eB
oard
ofD
irec
tors
'Ch
arte
rto
acce
ptit
sov
ersi
ght
resp
onsi
bili
ties
inre
lati
onto
esta
blis
hed
requ
irem
ents
and
expe
ctat
ion
san
du
ltim
ate
resp
onsi
bili
tyfo
rC
ompa
ny
X's
con
trol
envi
ron
men
t.T
he
Boa
rdov
erse
esan
dm
onit
ors
Com
pan
yX
'sco
ntr
olen
viro
nm
ent
wit
hth
eas
sist
ance
ofit
ssu
bcom
mit
tees
incl
udi
ng
the
Tec
hn
olog
yC
omm
itte
e,w
hic
hov
erse
esth
een
tity
'sIT
and
oper
atio
ns,
espe
cial
lyas
itre
late
sto
man
ufa
ctu
rin
g,en
gin
eeri
ng
and
prod
uct
ion
.
Insp
ecte
dth
eB
oard
ofD
irec
tors
'Ch
arte
ran
dde
term
ined
that
the
boar
dof
dire
ctor
sar
eap
poin
ted
toac
ton
beh
alf
ofth
esh
areh
olde
rsan
dth
ero
les
and
resp
onsi
bili
ties
are
segr
egat
edfr
omth
ero
les
and
resp
onsi
bili
ties
ofm
anag
emen
t.In
spec
ted
the
boar
dof
dire
ctor
s'ac
know
ledg
emen
tof
the
Boa
rdof
Dir
ecto
rs'
Ch
arte
rto
acce
ptit
sov
ersi
ght
resp
onsi
bili
ties
inre
lati
onto
esta
blis
hed
requ
irem
ents
and
expe
ctat
ion
s.In
spec
ted
the
Boa
rdof
Dir
ecto
rs'C
har
ter
and
dete
rmin
edth
atth
eT
ech
nol
ogy
Com
mit
tee
has
been
assi
gned
the
resp
onsi
bili
tyto
over
see
the
enti
ty's
ITan
dop
erat
ion
s,es
peci
ally
asit
rela
tes
tom
anu
fact
uri
ng,
engi
nee
rin
gan
dpr
odu
ctio
n.
No
exce
ptio
ns
not
ed.
AAG-SSC APP E ©2020, AICPA
Illustrative SOC for Supply Chain Report 301
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Th
eB
oard
ofD
irec
tors
'Ch
arte
rin
clu
des
the
min
imu
mba
ckgr
oun
dan
dsk
ills
requ
ired
ofbo
ard
ofdi
rect
ors.
Du
rin
gth
ean
nu
albo
ard
mee
tin
g,th
eba
ckgr
oun
dan
dsk
ills
ofea
chbo
ard
mem
ber
isco
mpa
red
toth
eba
ckgr
oun
dan
dsk
ills
not
edin
the
Boa
rdof
Dir
ecto
rs'C
har
ter.
Insp
ecte
dth
eB
oard
ofD
irec
tors
'Ch
arte
ran
dde
term
ined
that
the
min
imu
mba
ckgr
oun
dan
dsk
ills
requ
ired
ofbo
ard
ofdi
rect
ors
isdo
cum
ente
d.F
orth
ean
nu
albo
ard
mee
tin
g,in
spec
ted
the
mee
tin
gm
inu
tes
and
dete
rmin
edth
atth
eba
ckgr
oun
dan
dsk
ills
ofea
chbo
ard
mem
ber
was
com
pare
dto
the
back
grou
nd
and
skil
lsn
oted
inth
eB
oard
ofD
irec
tors
'Ch
arte
r.
No
exce
ptio
ns
not
ed.
Th
eB
oard
ofD
irec
tors
mee
tin
gag
enda
sis
revi
ewed
inad
van
ceof
the
mee
tin
gto
dete
rmin
ew
het
her
subj
ect
mat
ter
onth
eag
enda
requ
ires
spec
ific
expe
rtis
eth
atis
not
repr
esen
ted
and,
ifw
arra
nte
d,w
illp
rocu
reth
en
eede
dex
pert
sor
con
sult
ants
,as
nee
ded.
Insp
ecte
dm
eeti
ng
agen
das
and
min
ute
sfo
rev
iden
ceth
at(a
)th
eB
oard
ofD
irec
tors
mee
tin
gag
enda
sis
revi
ewed
inad
van
ceof
the
mee
tin
gto
dete
rmin
ew
het
her
subj
ect
mat
ter
onth
eag
enda
requ
ires
spec
ific
expe
rtis
eth
atis
not
repr
esen
ted
and
(b)
that
,if
war
ran
ted,
the
boar
dw
illp
rocu
reth
en
eede
dex
pert
sor
con
sult
ants
,as
nee
ded,
prio
rto
disc
uss
ing
the
topi
c.
Th
ebo
ard
ofdi
rect
ors
con
sist
ofm
ajor
ity
ofin
depe
nde
nt
mem
bers
aspe
rth
eB
oard
ofD
irec
tors
'Ch
arte
rto
mai
nta
inin
depe
nde
nce
from
man
agem
ent
and
isco
mpo
sed
ofat
leas
t50
%in
depe
nde
nt
boar
dm
embe
rs,
Insp
ecte
dth
eB
oard
ofD
irec
tors
'Ch
arte
ran
dde
term
ined
that
itn
otes
the
boar
dof
dire
ctor
ssh
ould
con
sist
ofm
ajor
ity
ofin
depe
nde
nt
mem
bers
.In
spec
ted
the
boar
dof
dire
ctor
s'st
ruct
ure
and
dete
rmin
edth
atth
ebo
ard
ofdi
rect
ors
con
sist
edof
maj
orit
yof
inde
pen
den
tm
embe
rs.
Insp
ecte
dth
ebo
ard
ofdi
rect
ors'
stru
ctu
rean
dde
term
ined
that
atle
ast
50%
orin
depe
nde
nt
ofC
ompa
ny
X.
No
exce
ptio
ns
not
ed. (c
onti
nu
ed)
©2020, AICPA AAG-SSC APP E
302 SOC for Supply Chain
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
An
Au
dit
Com
mit
tee
has
been
form
edas
asu
bcom
mit
tee
ofth
ebo
ard
and
isch
arge
dw
ith
eval
uat
ing
the
con
trol
envi
ron
men
t,an
dfi
nan
cial
repo
rtin
gpr
oces
s.T
he
audi
tco
mm
itte
em
eets
quar
terl
yan
dre
port
sto
the
boar
ddi
rect
ors
and,
like
the
boar
d,is
com
pose
dof
atle
ast
50%
exte
rnal
(in
depe
nde
nt)
mem
bers
.In
tern
alA
udi
tre
port
sdi
rect
lyto
the
Au
dit
Com
mit
tee
and
isre
spon
sibl
efo
ras
sess
ing
Com
pan
yX
'sco
ntr
olen
viro
nm
ent.
Inte
rnal
Au
dit
wit
hth
ead
vice
and
appr
oval
ofth
eA
udi
tC
omm
itte
e,ar
ere
spon
sibl
efo
rpl
ann
ing,
exec
uti
ng
and
issu
ing
audi
tre
port
sto
the
resp
onsi
ble
man
agem
ent
(for
the
subj
ect
mat
ter
exam
ined
)an
dto
the
Au
dit
Com
mit
tee.
Eva
luat
edth
eA
udi
tC
har
ter
toco
nfi
rmth
atth
eyh
ave
resp
onsi
bili
tyfo
rov
erse
ein
gth
eco
ntr
olen
viro
nm
ent
and
fin
anci
alre
port
ing
proc
ess.
Eva
luat
edth
em
embe
rsh
ipan
dre
port
ing
stru
ctu
rean
dco
nfi
rmed
that
the
audi
tco
mm
itte
eis
com
pose
dof
atle
ast
50%
exte
rnal
mem
bers
.In
spec
ted
Au
dit
Com
mit
tee
mee
tin
gm
inu
tes
and
dete
rmin
edth
atm
eeti
ngs
occu
rat
leas
tqu
arte
rly
and
the
mee
tin
gm
inu
tes
are
shar
edw
ith
the
Boa
rd.
Insp
ecte
dth
eIn
tern
alA
udi
tC
har
ter
and
dete
rmin
edth
atIn
tern
alA
udi
tre
port
sdi
rect
lyto
the
Au
dit
Com
mit
tee.
Rev
iew
edA
udi
tC
omm
itte
eM
inu
tes
and
dete
rmin
edth
atIn
tern
alA
udi
tac
tive
lyre
port
sto
and
isov
erse
enby
the
Au
dit
Com
mit
tee.
Insp
ecte
dth
eIn
tern
alA
udi
tP
lan
nin
gpr
oces
san
dth
ree-
year
audi
tpl
anto
dete
rmin
eth
eco
mpl
eten
ess
ofth
eau
dit
un
iver
sean
dsp
anof
revi
ew.
No
exce
ptio
ns
not
ed.
Th
eT
ech
nol
ogy
Com
mit
tee
com
pris
esde
sign
ated
repr
esen
tati
ves
ofth
eB
oard
,th
eC
hie
fT
ech
nol
ogy
Offi
cer
(CT
O),
the
Ch
ief
Ris
kO
ffice
r(C
RO
),C
hie
fIn
form
atio
nS
ecu
rity
Offi
cer
(CIS
O)
and
the
Gen
eral
Man
ager
sof
Com
pan
yX
'sbu
sin
ess
un
its.
Eva
luat
edth
eT
ech
nol
ogy
Com
mit
tee
Ch
arte
ran
dde
term
ined
that
the
mem
bers
hip
com
pris
esth
epo
siti
ons
asde
scri
bed.
No
exce
ptio
ns
not
ed.
AAG-SSC APP E ©2020, AICPA
Illustrative SOC for Supply Chain Report 303
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Th
eT
ech
nol
ogy
Com
mit
tee
ensu
reth
eC
ompa
ny'
ste
chn
olog
ydi
rect
ion
and
capa
bili
ty,i
ncl
udi
ng
info
rmat
ion
tech
nol
ogy,
engi
nee
rin
g,an
dpr
odu
ctio
n,c
ansu
ppor
tit
scu
rren
top
erat
ion
s,st
rate
gy,a
nd
futu
regr
owth
.Th
eT
ech
nol
ogy
Com
mit
tee
mee
tsat
leas
tqu
arte
rly
and
repo
rts
toth
eB
oard
.
Eva
luat
edth
eT
ech
nol
ogy
Com
mit
tee
Ch
arte
ran
dde
term
ined
that
the
com
mit
tee
has
resp
onsi
bili
tyfo
rov
erse
ein
gth
een
tity
'ste
chn
olog
ydi
rect
ion
and
capa
bili
ty,i
ncl
udi
ng
ensu
rin
gth
atth
een
tity
'sin
form
atio
nte
chn
olog
y,en
gin
eeri
ng
and
prod
uct
ion
can
supp
ort
the
Com
pan
y's
curr
ent
and
futu
reob
ject
ives
asit
rela
tes
tose
curi
ty,a
vail
abil
ity
and
proc
essi
ng
inte
grit
y.In
spec
ted
the
Tec
hn
olog
yC
omm
itte
em
eeti
ng
min
ute
sto
dete
rmin
ew
het
her
mee
tin
gsoc
cur
atle
ast
quar
terl
yan
dth
em
eeti
ng
min
ute
sar
esh
ared
wit
hth
eB
oard
.
Exc
epti
onn
oted
.On
eof
two
quar
terl
yT
ech
nol
ogy
Com
mit
tee
mee
tin
gm
inu
tes
was
not
avai
labl
e.
CC
1.3
Man
agem
ent
esta
blis
hes
,wit
hbo
ard
over
sigh
t,st
ruct
ure
s,re
port
ing
lin
es,a
nd
appr
opri
ate
auth
orit
ies
and
resp
onsi
bili
ties
inth
epu
rsu
itof
obje
ctiv
es.
Com
pan
yX
man
agem
ent
and
the
boar
dof
dire
ctor
sev
alu
ate
its
orga
niz
atio
nal
stru
ctu
re,r
epor
tin
gli
nes
,au
thor
itie
s,an
dre
spon
sibi
liti
esas
part
ofit
sbu
sin
ess
plan
nin
gpr
oces
san
das
part
ofit
son
goin
gri
skas
sess
men
tan
dm
anag
emen
tpr
oces
san
dre
vise
thes
ew
hen
nec
essa
ryto
supp
ort
the
ach
ieve
men
tof
obje
ctiv
es.
Insp
ecte
dth
ean
nu
albu
sin
ess
plan
nin
gan
dri
skas
sess
men
tdo
cum
enta
tion
and
dete
rmin
edth
ator
gan
izat
ion
alst
ruct
ure
,re
port
ing
lin
es,a
uth
orit
ies,
and
resp
onsi
bili
ties
wer
ere
vise
d.
No
exce
ptio
ns
not
ed.
Job
desc
ript
ion
sar
ere
view
edby
Com
pan
yX
man
agem
ent
onan
ann
ual
basi
sfo
rn
eede
dch
ange
san
dw
her
ejo
bdu
tych
ange
sar
ere
quir
edn
eces
sary
chan
ges
toth
ese
job
desc
ript
ion
sar
eal
som
ade
toen
able
exec
uti
onof
auth
orit
ies
and
resp
onsi
bili
ties
and
flow
ofin
form
atio
nto
man
age
the
acti
viti
esof
Com
pan
yX
.
Insp
ecte
dth
ean
nu
albu
sin
ess
plan
nin
gan
dri
skas
sess
men
tdo
cum
enta
tion
and
dete
rmin
edth
ator
gan
izat
ion
alst
ruct
ure
,re
port
ing
lin
es,a
uth
orit
ies,
and
resp
onsi
bili
ties
wer
ere
vise
d.
No
exce
ptio
ns
not
ed. (c
onti
nu
ed)
©2020, AICPA AAG-SSC APP E
304 SOC for Supply ChainT
rust
Ser
vice
sC
rite
ria
for
the
Sec
uri
tya
nd
Ava
ila
bili
tyC
ate
gori
esD
escr
ipti
onof
Com
pa
ny
X’s
Con
trol
sP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Res
ult
sof
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
s
Com
pan
yX
has
ada
tacl
assi
fica
tion
syst
emth
attr
eats
allt
hir
d-pa
rty
info
rmat
ion
init
scu
stod
yan
dal
lin
tell
ecti
onpr
oper
tyas
con
fide
nti
alin
form
atio
n.
All
info
rmat
ion
reso
urc
esde
emed
"con
fide
nti
al"
are
affo
rded
the
sam
eh
igh
-lev
elpr
otec
tion
san
dsa
fegu
ards
thro
ugh
the
impl
emen
tati
onpo
lici
es,p
roce
dure
s,an
dco
ntr
ols.
Th
eIn
form
atio
nS
ecu
rity
Pol
icy
defi
nes
prot
ecti
onre
quir
emen
ts,a
cces
sri
ghts
,an
dac
cess
rest
rict
ion
s,as
wel
las
rete
nti
onan
dde
stru
ctio
nre
quir
emen
tsfo
rco
nfi
den
tial
data
.Th
ese
curi
typo
licy
also
defi
nes
asse
ssin
gri
sks
ona
peri
odic
basi
s,pr
even
tin
gu
nau
thor
ized
acce
ss,a
ddin
gn
ewu
sers
,m
odif
yin
gac
cess
leve
lsof
exis
tin
gu
sers
,an
dre
mov
ing
use
rsw
ho
no
lon
ger
nee
dac
cess
.
Obt
ain
edth
eda
tacl
assi
fica
tion
syst
emto
dete
rmin
eth
atal
lth
ird-
part
yin
form
atio
nin
the
Com
pan
y's
cust
ody
iscl
assi
fied
con
fide
nti
al.
Insp
ecte
dth
eIn
form
atio
nS
ecu
rity
Pol
icy
tode
term
ine
wh
eth
erit
defi
nes
prot
ecti
onre
quir
emen
ts,a
cces
sri
ghts
,an
dac
cess
rest
rict
ion
s,as
wel
las
rete
nti
onan
dde
stru
ctio
nre
quir
emen
tsfo
rco
nfi
den
tial
data
and
that
he
secu
rity
poli
cyal
sode
fin
esas
sess
ing
risk
son
ape
riod
icba
sis,
prev
enti
ng
un
auth
oriz
edac
cess
,add
ing
new
use
rs,
mod
ifyi
ng
acce
ssle
vels
ofex
isti
ng
use
rs,a
nd
rem
ovin
gu
sers
wh
on
olo
nge
rn
eed
acce
ss.
No
exce
ptio
ns
not
ed.
Th
eT
ech
nol
ogy
Com
mit
tee
com
pris
esde
sign
ated
repr
esen
tati
ves
ofth
eB
oard
,th
eC
hie
fT
ech
nol
ogy
Offi
cer
(CT
O),
the
Ch
ief
Ris
kO
ffice
r(C
RO
),C
hie
fIn
form
atio
nS
ecu
rity
Offi
cer
(CIS
O)
and
the
Gen
eral
Man
ager
sof
Com
pan
yX
'sbu
sin
ess
un
its.
Eva
luat
edth
eT
ech
nol
ogy
Com
mit
tee
Ch
arte
ran
dde
term
ined
that
the
mem
bers
hip
com
pris
esth
epo
siti
ons
asde
scri
bed.
No
exce
ptio
ns
not
ed.
Th
eT
ech
nol
ogy
Com
mit
tee
ensu
res
that
the
Com
pan
y's
tech
nol
ogy
dire
ctio
nan
dca
pabi
lity
,in
clu
din
gin
form
atio
nte
chn
olog
y,en
gin
eeri
ng,
and
prod
uct
ion
,can
supp
ort
its
curr
ent
oper
atio
ns,
stra
tegy
,an
dfu
ture
grow
th.T
he
Tec
hn
olog
yC
omm
itte
em
eets
atle
ast
quar
terl
yan
dre
port
sto
the
Boa
rd.
Eva
luat
edth
eT
ech
nol
ogy
Com
mit
tee
Ch
arte
ran
dde
term
ined
that
the
com
mit
tee
has
resp
onsi
bili
tyfo
rov
erse
ein
gth
een
tity
'ste
chn
olog
ydi
rect
ion
and
capa
bili
ty,i
ncl
udi
ng
ensu
rin
gth
atth
een
tity
'sin
form
atio
nte
chn
olog
y,en
gin
eeri
ng
and
prod
uct
ion
can
supp
ort
the
Com
pan
y's
curr
ent
and
futu
reob
ject
ives
asit
rela
tes
tose
curi
ty,a
vail
abil
ity
and
proc
essi
ng
inte
grit
y.In
spec
ted
the
Tec
hn
olog
yC
omm
itte
em
eeti
ng
min
ute
sto
dete
rmin
ew
het
her
mee
tin
gsoc
cur
atle
ast
quar
terl
yan
dth
em
eeti
ng
min
ute
sar
esh
ared
wit
hth
eB
oard
.
Exc
epti
onn
oted
.On
eof
two
quar
terl
yT
ech
nol
ogy
Com
mit
tee
mee
tin
gm
inu
tes
was
not
avai
labl
e.
AAG-SSC APP E ©2020, AICPA
Illustrative SOC for Supply Chain Report 305
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
CC
1.4
Th
een
tity
dem
onst
rate
sa
com
mit
men
tto
attr
act,
deve
lop,
and
reta
inco
mpe
ten
tin
divi
dual
sin
alig
nm
ent
wit
hob
ject
ives
.
Job
requ
irem
ents
and
requ
isit
esk
ills
ets
for
allc
andi
date
s(e
mpl
oyee
san
dco
ntr
acto
rs)
are
docu
men
ted
inth
ejo
bde
scri
ptio
ns,
and
can
dida
tes'
abil
itie
sto
mee
tth
ese
requ
irem
ents
are
eval
uat
edas
part
ofth
eh
irin
gor
tran
sfer
eval
uat
ion
proc
ess
tosu
ppor
tth
eac
hie
vem
ent
ofob
ject
ives
.T
he
expe
rien
cean
dtr
ain
ing
ofca
ndi
date
s,w
het
her
anem
ploy
ee,i
nte
rnal
tran
sfer
,co
ntr
acto
r,or
empl
oyee
,are
eval
uat
edbe
fore
they
assu
me
the
resp
onsi
bili
ties
ofth
eir
posi
tion
tosu
ppor
tth
eac
hie
vem
ent
ofob
ject
ives
.Exi
stin
gpe
rson
nel
are
eval
uat
edat
leas
tan
nu
ally
.
For
ase
lect
ion
ofn
ewh
ires
,wh
eth
eran
empl
oyee
,con
trac
tor,
orem
ploy
ee,a
nd
tran
sfer
s,in
spec
ted
the
pers
onn
elfi
lean
dde
term
ined
that
job
requ
irem
ents
and
requ
isit
esk
ills
ets
wer
edo
cum
ente
din
the
job
desc
ript
ion
s.F
ora
sele
ctio
nof
new
hir
es,w
het
her
anem
ploy
ee,i
nte
rnal
tran
sfer
,con
trac
tor,
orem
ploy
ee,i
nsp
ecte
dth
epe
rson
nel
file
and
dete
rmin
edth
atof
fer
lett
eran
dm
anag
emen
tn
otes
wer
em
ain
tain
edev
iden
cin
gth
atth
ese
lect
edpe
rson
nel
wer
eev
alu
ated
befo
reth
eyas
sum
eth
ere
spon
sibi
liti
esof
thei
rpo
siti
on.
For
ase
lect
ion
ofpe
rson
nel
,wh
eth
eran
empl
oyee
,con
trac
tor,
orem
ploy
ee,i
nsp
ecte
dth
epe
rson
nel
file
and
dete
rmin
edth
atan
nu
alpe
rfor
man
ceev
alu
atio
ns
wer
epe
rfor
med
incl
udi
ng
acti
onit
ems
for
any
shor
tcom
ings
orde
cisi
onto
term
inat
eth
eem
ploy
men
t.
No
exce
ptio
ns
not
ed.
Com
pan
yX
eval
uat
esou
tsou
rced
serv
ice
prov
ider
sag
ain
stes
tabl
ish
edpo
lici
esan
dpr
acti
ces
aspa
rtof
the
ann
ual
eval
uat
ion
proc
ess
orw
hen
new
outs
ourc
edse
rvic
epr
ovid
erre
lati
onsh
ips
are
esta
blis
hed
tosu
ppor
tth
eac
hie
vem
ent
ofC
ompa
ny
X's
serv
ice
com
mit
men
tsan
dsy
stem
requ
irem
ents
.An
ysh
ortc
omin
gsn
oted
duri
ng
the
eval
uat
ion
are
addr
esse
dw
ith
acti
onit
ems
and
reev
alu
ated
inth
efo
llow
ing
year
'sev
alu
atio
npr
oces
sor
soon
er.
For
ase
lect
ion
ofou
tsou
rced
serv
ice
prov
ider
s,in
clu
din
gex
isti
ng
and
new
prov
ider
s,in
spec
ted
the
ann
ual
serv
ice
prov
ider
risk
asse
ssm
ents
perf
orm
edan
dde
term
ined
that
exte
rnal
serv
ice
prov
ider
perf
orm
ance
and
risk
sw
ere
asse
ssed
,in
clu
din
gac
tion
item
sfo
ran
ysh
ortc
omin
gsas
wel
las
foll
ow-u
pon
prio
rye
ar's
acti
onit
ems
asn
eces
sary
.
No
exce
ptio
ns
not
ed. (c
onti
nu
ed)
©2020, AICPA AAG-SSC APP E
306 SOC for Supply Chain
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Man
agem
ent
prov
ides
con
tin
ued
inte
rnal
and
exte
rnal
trai
nin
gba
sed
onem
ploy
ees'
resp
onsi
bili
ties
.In
addi
tion
,an
nu
alse
curi
ty,
priv
acy,
and
safe
tytr
ain
ings
are
man
dato
ryfo
ral
lem
ploy
ees,
con
trac
tors
,an
dem
ploy
ee.
New
hir
esw
het
her
anem
ploy
ee,c
ontr
acto
r,or
empl
oyee
,are
prov
ided
the
sam
etr
ain
ings
duri
ng
the
onbo
ardi
ng
proc
ess.
Man
agem
ent
mon
itor
sco
mpl
ian
cew
ith
trai
nin
gre
quir
emen
ts.
Obt
ain
edth
eda
tes
ofan
dat
ten
dan
cesh
eets
for
the
ann
ual
secu
rity
trai
nin
gan
dde
term
ined
that
atte
nde
esh
adsi
gned
the
atte
nda
nce
shee
tfo
rtr
ain
ing
sess
ion
s.F
ora
sele
ctio
nof
pers
onn
el,o
btai
ned
the
date
sof
and
atte
nda
nce
shee
tsfo
rro
lesp
ecifi
ctr
ain
ings
and
dete
rmin
edth
atth
eem
ploy
ee,
con
trac
tor,
orem
ploy
eese
lect
ed,h
adsi
gned
the
atte
nda
nce
shee
tfo
rtr
ain
ing
sess
ion
s.F
ora
sele
ctio
nof
new
hir
es,o
btai
ned
the
date
sof
and
atte
nda
nce
shee
tsan
dde
term
ined
that
the
empl
oyee
,con
trac
tor,
orem
ploy
eese
lect
ed,h
adsi
gned
the
atte
nda
nce
shee
tfo
rtr
ain
ing
sess
ion
s.F
ora
sele
ctio
nof
pers
onn
eln
otpr
esen
tdu
rin
gth
etr
ain
ing
date
s,in
spec
ted
man
agem
ent's
trai
nin
gre
late
ddo
cum
enta
tion
and
dete
rmin
edth
atth
ese
lect
edpe
rson
nel
wer
ere
quir
edto
take
the
trai
nin
gsu
bseq
uen
tly
wit
hin
the
exam
inat
ion
peri
od.
No
exce
ptio
ns
not
ed.
Du
rin
git
son
goin
gan
dpe
riod
icbu
sin
ess
plan
nin
g,bu
sin
ess
con
tin
uit
ypl
ann
ing
and
budg
etin
gpr
oces
s,m
anag
emen
tan
dth
ebo
ard
ofdi
rect
ors
eval
uat
eth
en
eed
for
addi
tion
alto
ols
and
reso
urc
esto
ach
ieve
busi
nes
sob
ject
ives
incl
udi
ng
con
tin
gen
cypl
ans
for
assi
gnm
ents
ofre
spon
sibi
lity
impo
rtan
tfo
rin
tern
alco
ntr
ol.
Insp
ecte
dC
ompa
ny
X's
ann
ual
busi
nes
spl
ann
ing,
busi
nes
sco
nti
nu
ity
plan
nin
gan
dbu
dget
ing
rela
ted
docu
men
tati
onan
dde
term
ined
that
Com
pan
yX
con
tin
ual
lyev
alu
ated
its
nee
dfo
rad
diti
onal
tool
san
dre
sou
rces
asw
ella
sco
nti
nge
ncy
plan
sfo
ras
sign
men
tsof
resp
onsi
bili
tyim
port
ant
for
inte
rnal
con
trol
.
No
exce
ptio
ns
not
ed.
AAG-SSC APP E ©2020, AICPA
Illustrative SOC for Supply Chain Report 307
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Pri
orto
empl
oym
ent,
pers
onn
el,i
ncl
udi
ng
con
trac
tors
and
empl
oyee
s,ar
eve
rifi
edag
ain
stre
gula
tory
scre
enin
gda
taba
ses,
incl
udi
ng
ata
min
imu
m,c
redi
t,cr
imin
al,
dru
g,an
dem
ploy
men
tch
ecks
.For
pers
onn
elw
ith
acce
ssto
cust
omer
and
com
pan
yco
nfi
den
tial
info
rmat
ion
,su
chba
ckgr
oun
dch
ecks
are
re-p
erfo
rmed
ever
ytw
oye
ars.
For
ase
lect
ion
ofn
ewh
ires
,in
clu
din
gco
ntr
acto
rsan
dem
ploy
ees,
insp
ecte
dth
eba
ckgr
oun
dch
ecks
and
dete
rmin
edth
atse
lect
edpe
rson
nel
succ
essf
ull
yco
mpl
eted
back
grou
nd
chec
ksin
clu
din
g,cr
edit
,cri
min
al,
dru
gan
dem
ploy
men
tch
ecks
prio
rto
bein
gh
ired
byC
ompa
ny
X.
For
ase
lect
ion
ofpe
rson
nel
wit
hac
cess
tocu
stom
eran
dco
mpa
ny
con
fide
nti
alin
form
atio
n,i
nsp
ecte
dth
eba
ckgr
oun
dch
ecks
and
dete
rmin
edth
atse
lect
edpe
rson
nel
succ
essf
ull
yco
mpl
eted
back
grou
nd
chec
ksin
clu
din
g,cr
edit
,cri
min
al,d
rug
and
empl
oym
ent
chec
ksev
ery
two
year
s.
No
exce
ptio
ns
not
ed.
CC
1.5
Th
een
tity
hol
dsin
divi
dual
sac
cou
nta
ble
for
thei
rin
tern
alco
ntr
olre
spon
sibi
liti
esin
the
purs
uit
ofob
ject
ives
.
Com
pan
yX
man
agem
ent
and
the
boar
dof
dire
ctor
spe
rfor
man
nu
alpe
rfor
man
ceev
alu
atio
ns
toco
mm
un
icat
ean
dh
old
indi
vidu
als
acco
un
tabl
efo
rpe
rfor
man
ceof
inte
rnal
con
trol
resp
onsi
bili
ties
.Th
epe
rfor
man
ceev
alu
atio
nis
sign
edby
the
man
ager
and
empl
oyee
.Cor
rect
ive
acti
ons,
incl
udi
ng
trai
nin
gor
san
ctio
ns,
asn
eces
sary
.E
ach
Com
pan
yX
depa
rtm
ent,
such
asO
pera
tion
s,Q
ual
ity
Ass
ura
nce
,Sof
twar
eD
evel
opm
ent,
Info
rmat
ion
Sec
uri
ty,
Infr
astr
uct
ure
,Hu
man
Res
ourc
es,L
egal
,C
ompl
ian
ce,I
nte
rnal
Au
dit,
Fin
ance
,C
ust
omer
Su
ppor
t,h
old
peri
odic
(wee
kly)
mee
tin
gsto
mon
itor
and
man
age
resp
ecti
vede
part
men
t'spr
ogre
ssor
lack
ther
eof
asit
rela
tes
toth
eir
ach
ieve
men
tof
depa
rtm
ent's
resp
onsi
bili
ties
.
For
ase
lect
ion
ofpe
rson
nel
,wh
eth
eran
empl
oyee
,con
trac
tor,
orem
ploy
ee,i
nsp
ecte
dth
epe
rson
nel
file
and
dete
rmin
edth
atan
nu
alpe
rfor
man
ceev
alu
atio
ns
wer
epe
rfor
med
incl
udi
ng
acti
onit
ems
for
any
shor
tcom
ings
orde
cisi
onto
term
inat
eth
eem
ploy
men
t,an
dth
atev
alu
atio
ns
wer
esi
gned
byth
em
anag
eran
dth
eem
ploy
ee.
For
ase
lect
ion
ofw
eekl
yde
part
men
tm
eeti
ngs
insp
ecte
dth
em
eeti
ng
min
ute
san
dde
term
ined
that
depa
rtm
ent's
prog
ress
ism
onit
ored
and
mea
sure
dby
resp
ecti
vede
part
men
th
eads
,in
clu
din
ges
cala
tion
orco
rrec
tive
acti
onas
nec
essa
ry.
No
exce
ptio
ns
not
ed. (c
onti
nu
ed)
©2020, AICPA AAG-SSC APP E
308 SOC for Supply Chain
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Man
agem
ent
and
the
boar
dof
dire
ctor
ses
tabl
ish
mea
sura
ble
goal
san
dpe
rfor
man
ceev
alu
atio
ncr
iter
ia,i
ncl
udi
ng,
ince
nti
ves,
oth
erre
war
ds,a
nd
san
ctio
ns
appr
opri
ate
for
resp
onsi
bili
ties
atal
llev
els
ofC
ompa
ny
X,
that
are
inal
ign
men
tw
ith
Com
pan
y's
shor
t-te
rman
dlo
nge
r-te
rmob
ject
ives
.E
stab
lish
edsh
ort-
term
and
lon
ger-
term
Com
pan
yX
goal
san
dpe
rfor
man
ceev
alu
atio
n,r
ewar
dan
dsa
nct
ion
scr
iter
iafo
rC
ompa
ny
Xex
ecu
tive
sar
ere
view
edan
dap
prov
edan
nu
ally
byth
eC
ompe
nsa
tion
Com
mit
tee
toen
sure
the
goal
san
dre
war
dsco
nsi
der
pres
sure
sas
soci
ated
wit
hth
eac
hie
vem
ent
ofob
ject
ives
.
For
ase
lect
ion
ofro
les,
insp
ecte
dC
ompa
ny
X's
docu
men
ted
goal
s,pe
rfor
man
ceev
alu
atio
ncr
iter
iaan
dco
mpe
nsa
tion
mat
rix
incl
udi
ng
ince
nti
ves
and
rew
ards
and
dete
rmin
edth
ata
form
alpr
oces
sh
asbe
enim
plem
ente
dfo
rpe
rfor
man
cem
easu
res,
ince
nti
ves
and
rew
ards
and
that
the
goal
sdo
cum
ente
dfo
rse
lect
edro
les
incl
ude
dbo
thsh
ort-
term
and
lon
ger-
term
goal
sth
atal
ign
edw
ith
Com
pan
yX
'ssh
ort-
term
and
lon
ger-
term
goal
s.In
spec
ted
the
ann
ual
Tot
alE
xecu
tive
Com
pen
sati
onP
acka
gean
dde
term
ined
that
the
Com
pen
sati
onC
omm
itte
eap
prov
edth
epa
ckag
e.
No
exce
ptio
ns
not
ed.
Est
abli
shed
shor
t-te
rman
dlo
nge
r-te
rmC
ompa
ny
Xgo
als
and
perf
orm
ance
eval
uat
ion
,rew
ard
and
san
ctio
ns
crit
eria
for
Com
pan
yX
exec
uti
ves
are
revi
ewed
and
appr
oved
ann
ual
lyby
the
Com
pen
sati
onC
omm
itte
eto
ensu
reth
ego
als
and
rew
ards
con
side
rpr
essu
res
asso
ciat
edw
ith
the
ach
ieve
men
tof
obje
ctiv
es.
For
ase
lect
ion
ofro
les,
insp
ecte
dth
ean
nu
alT
otal
Exe
cuti
veC
ompe
nsa
tion
Pac
kage
appr
oved
byth
eC
ompe
nsa
tion
Com
mit
tee
wh
ich
incl
ude
dC
ompa
ny
X's
docu
men
ted
goal
s,pe
rfor
man
ceev
alu
atio
ncr
iter
iaan
dco
mpe
nsa
tion
mat
rix
incl
udi
ng
ince
nti
ves
and
rew
ards
and
dete
rmin
edth
ata
form
alpr
oces
sh
asbe
enim
plem
ente
dfo
rpe
rfor
man
cem
easu
res,
ince
nti
ves
and
rew
ards
and
that
the
goal
sdo
cum
ente
dfo
rse
lect
edro
les
con
side
rsex
cess
ive
pres
sure
sor
con
flic
tin
ggo
als
and
eval
uat
ion
crit
eria
.
No
exce
ptio
ns
not
ed.
AAG-SSC APP E ©2020, AICPA
Illustrative SOC for Supply Chain Report 309
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
Man
agem
ent
and
the
boar
dof
dire
ctor
sev
alu
ate
perf
orm
ance
ofin
tern
alco
ntr
olre
spon
sibi
liti
es,p
rovi
din
gre
war
dsan
dsa
nct
ion
sap
prop
riat
efo
rre
spon
sibi
liti
es,
con
side
rin
gth
eac
hie
vem
ent
ofbo
thsh
ort-
term
and
lon
ger-
term
obje
ctiv
es.
For
ase
lect
ion
ofpe
rson
nel
,in
spec
ted
the
pers
onn
elfi
lean
dde
term
ined
that
ann
ual
perf
orm
ance
eval
uat
ion
sw
ere
perf
orm
edin
clu
din
gac
tion
item
sfo
ran
ysh
ortc
omin
gsan
dth
atre
war
dsor
disc
ipli
nes
docu
men
ted
wer
eco
nsi
sten
tw
ith
the
goal
san
dpe
rfor
man
ceev
alu
atio
ncr
iter
iaap
prov
edby
the
Com
pen
sati
onC
omm
itte
e.
No
exce
ptio
ns
not
ed.
Info
rmat
ion
and
Com
mu
nic
atio
n
CC
2.1
Th
een
tity
obta
ins
orge
ner
ates
and
use
sre
leva
nt,
qual
ity
info
rmat
ion
tosu
ppor
tth
efu
nct
ion
ing
ofin
tern
alco
ntr
ol.
Com
pan
yX
perf
orm
sas
sess
men
tat
leas
tan
nu
ally
toid
enti
fyth
ein
form
atio
nre
quir
edan
dex
pect
edto
supp
ort
the
inte
rnal
con
trol
and
the
ach
ieve
men
tof
Com
pan
yX
'ssy
stem
obje
ctiv
es.C
ompa
ny
X's
mos
tva
luab
lean
dse
nsi
tive
inte
llec
tual
prop
erty
,cri
tica
lde
sign
s,tr
ade
secr
ets,
man
ufa
ctu
rin
gde
pen
den
cies
,dat
aan
dm
issi
on-c
riti
cal
syst
ems,
"cro
wn
jew
els"
are
iden
tifi
eddu
rin
gth
eas
sess
men
t,in
clu
din
gin
tern
alan
dex
tern
also
urc
esof
data
.
Insp
ecte
dC
ompa
ny
X's
ann
ual
asse
ssm
ent
and
dete
rmin
edth
atit
iden
tifi
esth
ein
form
atio
nre
quir
edto
supp
ort
inte
rnal
con
trol
san
dth
eac
hie
vem
ent
ofC
ompa
ny
X's
syst
emob
ject
ives
,in
clu
din
gid
enti
fica
tion
ofm
ost
valu
able
and
sen
siti
vein
tell
ectu
alpr
oper
ty,c
riti
cald
esig
ns,
trad
ese
cret
s,m
anu
fact
uri
ng
depe
nde
nci
es,d
ata
and
mis
sion
crit
ical
syst
ems,
i.e.,
"cro
wn
jew
els"
wh
eth
erth
ose
are
inte
rnal
orex
tern
alto
Com
pan
yX
.
No
exce
ptio
ns
not
ed.
Com
pan
yX
has
impl
emen
ted
vari
ous
proc
esse
san
dpr
oced
ure
sre
leva
nt
tose
curi
tyan
dav
aila
bili
tyto
man
ufa
ctu
rew
idge
tsin
ati
mel
y,ac
cura
tean
dco
mpl
ete
man
ner
con
sist
ent
wit
hth
eC
ompa
ny'
sob
ject
ives
.C
ompa
ny
Xh
aslo
gica
lan
dph
ysic
alse
curi
ty,
chan
gem
anag
emen
t,in
cide
nt
mon
itor
ing,
and
data
clas
sifi
cati
on,i
nte
grit
y,an
dre
ten
tion
con
trol
s,as
nec
essa
ry,w
ith
chec
ksan
dba
lan
ces
wov
enin
toea
chap
plic
able
proc
ess
toen
sure
qual
ity
ofpr
oces
sin
g.
Insp
ecte
dC
ompa
ny
X's
docu
men
ted
poli
cies
and
proc
edu
res
asit
rela
tes
tose
curi
tyan
dav
aila
bili
tyof
its
man
ufa
ctu
rin
gpr
oces
san
dde
term
ined
that
thos
edo
cum
ent
Com
pan
yX
'sin
tern
alco
ntr
ols
for
man
ufa
ctu
rin
gw
idge
tsth
ath
elp
ach
ieve
the
Com
pan
y's
com
mit
men
tsan
dsy
stem
requ
irem
ents
ina
tim
ely,
accu
rate
and
com
plet
em
ann
er.
No
exce
ptio
ns
not
ed. (c
onti
nu
ed)
©2020, AICPA AAG-SSC APP E
310 SOC for Supply Chain
Tru
stS
ervi
ces
Cri
teri
afo
rth
eS
ecu
rity
an
dA
vail
abi
lity
Ca
tego
ries
Des
crip
tion
ofC
omp
an
yX
’sC
ontr
ols
Pra
ctit
ion
er’s
Tes
tsof
Con
trol
sR
esu
lts
ofP
ract
itio
ner
’sT
ests
ofC
ontr
ols
CC
2.2
Th
een
tity
inte
rnal
lyco
mm
un
icat
esin
form
atio
n,
incl
udi
ng
obje
ctiv
esan
dre
spon
sibi
liti
esfo
rin
tern
alco
ntr
ol,n
eces
sary
tosu
ppor
tth
efu
nct
ion
ing
ofin
tern
alco
ntr
ol.
Info
rmat
ion
nec
essa
ryfo
rde
sign
ing,
deve
lopi
ng,
impl
emen
tin
g,op
erat
ing,
mai
nta
inin
g,an
dm
onit
orin
gco
ntr
ols,
rele
van
tto
the
secu
rity
ofth
esy
stem
,is
prov
ided
tope
rson
nel
toca
rry
out
thei
rre
spon
sibi
liti
es.
Insp
ecte
dC
ompa
ny
X's
intr
anet
and
dete
rmin
edth
atdo
cum
ente
dpo
lici
esan
dpr
oced
ure
sas
itre
late
sto
secu
rity
ofm
ost
valu
able
data
and
mis
sion
crit
ical
syst
ems
isav
aila
ble
toin
tern
alpe
rson
nel
onth
ein
tran
et.
No
exce
ptio
ns
not
ed.
Com
pan
yX
man
agem
ent
and
the
boar
dof
dire
ctor
sm
eet
quar
terl
yan
dan
nu
ally
toco
mm
un
icat
ein
form
atio
nn
eede
dto
fulfi
llth
eir
role
sw
ith
resp
ect
toth
eac
hie
vem
ent
ofC
ompa
ny
X's
serv
ice
com
mit
men
tsan
dsy
stem
requ
irem
ents
.C
ompa
ny
Xh
asIn
cide
nt
Res
pon
sepo
lici
esan
dpr
oced
ure
sin
plac
eth
atin
clu
des
anes
cala
tion
plan
base
don
the
nat
ure
and
seve
rity
ofth
ein
cide
nt
tose
nio
rm
anag
emen
tan
dth
ebo
ard
ofdi
rect
ors
asn
eces
sary
.
For
ase
lect
ion
ofqu
arte
rsan
dth
eye
ar,
insp
ecte
dth
equ
arte
rly
and
ann
ual
boar
dm
eeti
ng
min
ute
san
dde
term
ined
that
thos
em
inu
tes
docu
men
ted
disc
uss
ion
ofke
yit
ems
wit
hre
spec
tto
the
ach
ieve
men
tof
Com
pan
yX
'ssy
stem
obje
ctiv
es,i
ncl
udi
ng
prog
ress
,de
lays
,ris
ks,a
nd
chal
len
ges
rela
ted
toth
ose
key
item
sas
appl
icab
le.
Insp
ecte
dC
ompa
ny
X's
docu
men
ted
Inci
den
tR
espo
nse
poli
cies
and
proc
edu
res
and
dete
rmin
edth
atth
eyin
clu
dees
cala
tion
tree
and
com
mu
nic
atio
npl
ans
depe
ndi
ng
onth
en
atu
reof
the
inci
den
t,in
clu
din
ges
cala
tion
toth
eB
oard
,as
nec
essa
ry.
No
exce
ptio
ns
not
ed.
Company X has anonymous third-party administered whistleblower hotlines available to internal and external users. Management monitors customer and workforce member complaints reported via the hotlines.

Inspected Company X's website and test dialed the hotline number provided and determined that an anonymous third-party administered hotline is available.

For a selection of customer and workforce member complaints logged via the third-party administered hotline, inspected the related documentation and determined that personnel who violated the code of business conduct were sanctioned as per the policy.

No exceptions noted.
AAG-SSC APP E ©2020, AICPA
Illustrative SOC for Supply Chain Report 311
Trust Services Criteria for the Security and Availability Categories | Description of Company X's Controls | Practitioner's Tests of Controls | Results of Practitioner's Tests of Controls
Company X holds quarterly and annual Board meetings. In addition, for communication of an unforeseen event, Incident Response policies and procedures are in place that includes escalation plan based on the nature and severity of the incident to senior management and the board of directors as necessary.

For a selection of quarters and the year, inspected the quarterly and annual board meeting minutes and determined that those documented discussion of key items with respect to the achievement of Company X's system objectives, including progress, delays, risks, challenges related to those key items as applicable.

Inspected Company X's documented Incident Response policies and procedures and determined that it includes escalation tree and communication plans depending on the nature of the incident, including escalation to the Board, as necessary.

No exceptions noted.
Company X's security commitments are communicated to external users (Company Y, GHI Corporation and other critical third parties), as appropriate, and those commitments and the associated system requirements are communicated to internal users to enable them to carry out their responsibilities. The responsibilities of internal users whose roles affect system operation are communicated to those parties. Responsibilities and policies and procedures posted on Company X's intranet are updated as necessary.

Inspected Company X's intranet, customer portal, and websites and determined that documented responsibilities, policies and procedures as they relate to security commitments and responsibilities are available to internal personnel on the intranet and external personnel on Company X's websites and customer portals as applicable. For a selection of responsibilities, policies and procedures posted on the intranet, inspected the documents and determined that history of changes with the date of change was documented.

No exceptions noted.
Internal and external users have been provided with information on how to report security failures, incidents, concerns, and other complaints to appropriate personnel.

Inspected Company X's documented Incident Response policies and procedures and determined that it includes escalation tree and communication plans depending on the nature of the incident, including escalation to the Board, as necessary.

No exceptions noted.
Changes to Company X's principal system objectives are communicated to internal and external users, vendors, and other third parties (Company Y, GHI Corporation and other critical third parties) whose products and services are part of the system.

Inspected Company X's intranet, customer portal, and websites and determined that documented responsibilities, policies and procedures as it relates to security commitments and responsibilities are available to internal personnel on the intranet and external personnel on Company X's websites and customer portals as applicable, and that those responsibilities, policies and procedures documented history of changes with the date of change.

For a selection of agreements with the suppliers, vendors, and critical third parties, inspected the agreements and determined that the agreement outlined Company X's requirements, including terms, conditions, and responsibilities for the suppliers, vendors, and critical third parties and that signed addendum to agreements were also maintained when changes to commitments and requirements occurred, as necessary.

No exceptions noted.
Management provides continued training about its security commitments and requirements for personnel to support the achievement of objectives. Management monitors compliance with security training requirements. Company X also provides user guides, security alerts and known issues on its websites and customer portal with information to improve security knowledge and awareness.

Obtained the dates of and attendance sheets for the annual security training, as well as the quarterly security compliance updates for employees and determined that employees had signed the attendance sheet for training sessions and updates on the specified dates. For a selection of personnel not present during the training dates, inspected management's training related documentation and determined that the selected personnel were required to take the training subsequently within the examination period. Inspected Company X's customer portal and websites and determined that user guides and history of security alerts and known issues with information to improve security knowledge and awareness was available.

No exceptions noted.
Company X posts a description of its system, system boundaries, and system processes that include infrastructure, software, people, processes and procedures, data, and raw materials on its intranet for internal users and on the Internet for external users.

Inspected Company X's intranet and Internet descriptions of Company X's system, system boundaries, and system processes and determined that the description addressed infrastructure, software, people, processes and procedures, data, and raw materials for the in-scope technology and locations.

No exceptions noted.
Agreements are established with suppliers and business partners (Company Y, GHI Corporation and other critical third parties) that include clearly defined terms, conditions, and responsibilities for suppliers, vendors, and critical third parties.

For a selection of agreements with the suppliers, vendors, and critical third parties, inspected the agreements and determined that the agreement outlined Company X's requirements, including terms, conditions, and responsibilities for the suppliers, vendors, and critical third parties.

No exceptions noted.
Planned changes to system components are reviewed, scheduled, and communicated to management as part of the weekly IT maintenance process. Planned changes to system components are communicated to external users (Company Y, GHI Corporation and other critical third parties) via the Company X's website.

For a selection of weeks, inspected weekly IT maintenance schedules and communications and determined that planned system changes were included and had been reviewed and signed off by IT management. Inspected Company X's customer portal and determined that a published calendar of upcoming system changes existed and that it communicated upcoming changes and their impact on users, if any.

No exceptions noted.
Control Activities

CC5.1 The entity selects and develops control activities that contribute to the mitigation of risks to the achievement of objectives to acceptable levels.
As part of its annual risk assessment, management linked the identified risks to controls that have been designed and operated to address them. When the need for new controls is identified, management develops the requirements for the new controls and uses the change management process to implement them.

Obtained and inspected the annual risk assessment documentation to determine that new controls were implemented for any risks not adequately addressed by existing controls. Inspected a sample of system change requests to determine that the change management process was followed.

No exceptions noted.
As part of the risk assessment, management assessed the environment, complexity, nature and scope of its operations when developing control activities to mitigate the risks.

Obtained and inspected the risk assessment documentation to determine whether management assessed the environment, complexity, nature and scope of its operations when developing control activities to mitigate the risks.

No exceptions noted.
When management identifies the need for new controls, management considers a mix of control activities, including both manual and automated controls and preventive and detective controls.

Obtained and inspected the risk assessment documentation to determine whether management considered a mix of control activities to mitigate the identified risks.

No exceptions noted.
Company X has designed application-enforced segregation of duties to define what privileges are assigned to users within the MCS.

Inspected the access control policy to determine whether application controls were designed to enforce segregation of duties to users within the MCS.

No exceptions noted.
CC5.2 The entity also selects and develops general control activities over technology to support the achievement of objectives.
As part of the IT strategic plan, strategic IT risks affecting the organization and recommended courses of action are identified and discussed. The plan is developed annually by the CIO and approved by senior management and the Security Steering Committee.

Inspected the annual IT strategic plan documentation to determine whether IT risk affecting the organization and recommended courses of action were identified and discussed and whether the plan was approved by senior management and the Security Steering Committee.

No exceptions noted.
Management developed a list of control activities to manage the technology infrastructure risks identified during the annual risk assessment process.

Inspected the risk assessment, internal audit plan and audit program for the calendar year to determine whether management developed and implemented control activities over the technology infrastructure.

No exceptions noted.
Management developed a list of control activities to manage the security access management risks identified during the annual risk assessment process.

Inspected the risk assessment, internal audit plan and audit program for the calendar year to determine whether management developed and implemented control activities designed to restrict technology access rights to authorized users commensurate with their job responsibilities and protect corporate assets from external threats.

No exceptions noted.
Company X employs organization-defined tailored acquisition strategies and procurement methods for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

Inspected the procurement policy manual to determine whether management employed acquisition strategies and procurement methods for the purchase, development, and maintenance of information systems, system components, or information system services from technology suppliers.

No exceptions noted.
Company X has a formalized security and systems development methodology that includes project planning, design, testing, implementation, maintenance, and disposal or decommissioning.

Inspected the systems development methodology document to determine whether it included project planning, design, testing, implementation, maintenance, and disposal or decommissioning.

No exceptions noted.
Company X uses a standardized server build checklist to help secure its servers.

For a selection of servers, inspected the associated server build checklist to determine whether standardized checklists were used to help secure servers.

No exceptions noted.
Patches are applied regularly in accordance with Company X's patch management procedures.

For a selection of patches, inspected the associated patching documentation as well as the patch management procedures to determine whether patches were applied regularly in accordance with Company X's patch management procedures.

No exceptions noted.
Company X utilizes firewalls, an intrusion detection system (IDS), an intrusion prevention system (IPS), and operating system event logs to protect its environment. Alerts are configured around the utilities to notify the security administration team of potential security threats or incidents.

Observed the firewall configurations, the intrusion detection system, the intrusion prevention system, and operating system event logs to determine whether system monitoring utilities were in place to protect the environment. Observed the alert settings for the firewalls, the IDS, the IPS, and the operating system event logs to determine whether alerts were in place to notify the security administration team of potential security threats or incidents.

No exceptions noted.
On a daily basis, the security administration team reviews the following security incident and event monitoring (SIEM) reports:
• failed object level access;
• daily IDS or IPS attacks;
• critical IDS or IPS alerts;
• devices not reporting in the past 24 hours;
• failed login detail;
• firewall configuration changes;
• Windows policy changes;
• Windows system shutdowns and restarts; and
Security events requiring further investigation are tracked using a help desk ticket and monitored until resolved.

For a selection of days, inspected the SIEM reports and verified that the security administration team reviewed the SIEM reports on a daily basis.

No exceptions noted.
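The daily SIEM review described in this control, as an added example (not code from the AICPA report or from Company X): it takes a constructed 24-hour event feed, builds each report section listed above and flags the items that would need a tracked help desk ticket. The event schema, the expected-device list and the three-failed-logins ticket threshold are assumptions made for the example.

```python
"""Daily SIEM review over a constructed 24-hour event feed (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Devices expected to report at least once a day (constructed list).
EXPECTED_DEVICES = {"dc01", "fw01", "ids01", "app02", "plc-gw03"}

# Assumed threshold for ticketing a burst of failed logins (not from the report).
FAILED_LOGIN_TICKET_THRESHOLD = 3

# Constructed normalized events of the kind a SIEM holds; timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2020-03-02T08:05:00Z", "host": "dc01", "type": "login_failed",
     "user": "jsmith", "src": "10.0.5.14"},
    {"ts": "2020-03-02T08:05:30Z", "host": "dc01", "type": "login_failed",
     "user": "jsmith", "src": "10.0.5.14"},
    {"ts": "2020-03-02T08:06:00Z", "host": "dc01", "type": "login_failed",
     "user": "jsmith", "src": "10.0.5.14"},
    {"ts": "2020-03-02T09:10:00Z", "host": "fw01", "type": "fw_config_change",
     "user": "netadmin", "change_ref": "CHG-1042"},
    {"ts": "2020-03-02T10:00:00Z", "host": "ids01", "type": "ids_alert",
     "severity": "critical", "signature": "SMB exploit attempt"},
    {"ts": "2020-03-02T10:30:00Z", "host": "ids01", "type": "ips_alert",
     "severity": "low", "signature": "port scan"},
    {"ts": "2020-03-02T11:00:00Z", "host": "app02", "type": "object_access_failed",
     "user": "svc_build", "object": r"\\fs01\designs"},
    {"ts": "2020-03-02T12:00:00Z", "host": "dc01", "type": "windows_policy_change",
     "user": "domadmin", "change_ref": None},
    {"ts": "2020-03-02T13:00:00Z", "host": "app02", "type": "windows_restart"},
    {"ts": "2020-03-01T06:00:00Z", "host": "plc-gw03", "type": "heartbeat"},
    {"ts": "2020-03-02T14:00:00Z", "host": "app02", "type": "heartbeat"},
]
SAMPLE_NOW = datetime(2020, 3, 2, 15, 0, tzinfo=timezone.utc)


def _parse_ts(ts):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample feed."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def daily_siem_review(events, expected_devices, now):
    """Build each report section for the 24 hours ending at `now`, then list
    the items that need a help desk ticket for further investigation."""
    window_start = now - timedelta(hours=24)
    recent = [e for e in events if window_start <= _parse_ts(e["ts"]) <= now]

    def of_type(*types):
        return [e for e in recent if e["type"] in types]

    # Any event from a host counts as that device reporting in the window.
    reporting_hosts = {e["host"] for e in recent}
    failed_logins = Counter((e["user"], e["src"]) for e in of_type("login_failed"))
    attacks = of_type("ids_alert", "ips_alert")

    report = {
        "failed_object_level_access": of_type("object_access_failed"),
        "ids_ips_attacks": attacks,
        "critical_ids_ips_alerts": [e for e in attacks if e["severity"] == "critical"],
        "devices_not_reporting_24h": sorted(expected_devices - reporting_hosts),
        "failed_login_detail": [{"user": u, "src": s, "count": n}
                                for (u, s), n in sorted(failed_logins.items())],
        "firewall_config_changes": of_type("fw_config_change"),
        "windows_policy_changes": of_type("windows_policy_change"),
        "windows_shutdowns_restarts": of_type("windows_shutdown", "windows_restart"),
    }

    tickets = []
    for e in report["critical_ids_ips_alerts"]:
        tickets.append(f"critical alert on {e['host']}: {e['signature']}")
    for d in report["failed_login_detail"]:
        if d["count"] >= FAILED_LOGIN_TICKET_THRESHOLD:
            tickets.append(f"{d['count']} failed logins for {d['user']} from {d['src']}")
    for host in report["devices_not_reporting_24h"]:
        tickets.append(f"device {host} has not reported in the past 24 hours")
    # Firewall and Windows policy changes must trace back to the change
    # management process; a change with no reference is investigated.
    for e in report["firewall_config_changes"] + report["windows_policy_changes"]:
        if not e.get("change_ref"):
            tickets.append(f"{e['type']} on {e['host']} by {e['user']} has no change reference")
    report["tickets_required"] = tickets
    return report


def run_sample_review():
    """Run the review over the constructed feed as of SAMPLE_NOW."""
    return daily_siem_review(SAMPLE_EVENTS, EXPECTED_DEVICES, SAMPLE_NOW)


if __name__ == "__main__":
    review = run_sample_review()
    for section, items in review.items():
        print(f"{section}: {len(items)} item(s)")
    for ticket in review["tickets_required"]:
        print("  ticket:", ticket)
```

Only plc-gw03 falls out of the window (its last event is older than 24 hours), and the firewall change carries a change reference while the Windows policy change does not, so four items end up requiring tickets.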
CC5.3 The entity deploys control activities through policies that establish what is expected and in procedures that put policies into action.
Company X's policy and procedure manuals address controls related to the MCS. Policy sections include
a. data classification and business impact assessment;
b. selection, documentation, and implementation of security controls;
c. assessment of security controls;
d. user access authorization and provisioning;
e. removal of user access; user provisioning and deprovisioning;
f. monitoring of security controls; and
g. security management.

Inspected the policy and procedure manuals related to the MCS to determine whether they included section headings that addressed controls over the significant aspects of system operations.

No exceptions noted.
Application TRK is installed to enhance the workflow and approval process in support of the policies.

Observed Application TRK to determine whether it was installed to enhance the workflow and approval process in support of the policies.

No exceptions noted.
An information security policy is in place to help ensure that employees understand their individual roles and responsibilities concerning processing and controls.

Inspected the information security policy to determine whether the policy was in place and whether it detailed roles and responsibilities concerning processing and controls.

No exceptions noted.
The Company's Security Steering Committee is charged with establishing, maintaining, and enforcing the overall security policies and procedures.

Inspected a sample of minutes from quarterly Security Steering Committee meetings to determine whether the committee was charged with establishing, maintaining, and enforcing the overall security policies and procedures.

No exceptions noted.
As part of its Quality Assurance System (QAS), Company X performs quarterly reviews for changes to organizational policies, processes, specifications and results.

For a selection of quarters, inspected the quarterly review documentation as well as the updated policies and procedures and determined that Company X performed quarterly reviews for changes to organizational policies, processes, specifications and results.

No exceptions noted.
The information security team monitors the results of vulnerability assessments on a monthly basis. The information security team uses these results to identify necessary changes to the policies and procedures.

For a selection of months, inspected the vulnerability assessments as well as the related review documentation to determine whether the results of vulnerability assessments were monitored on a monthly basis. Further, inspected the policy and procedure manuals and verified that necessary changes were made as a result of reviewing the results of the vulnerability assessments.

No exceptions noted.
The Chief Risk Officer is responsible for creating, updating, communicating, and monitoring procedures and control activities based on the specifications set forth in the International Organization for Standardization and International Electrotechnical Commission (ISO/IEC) standards.

Inspected the job description for the Chief Risk Officer to determine whether the individual's responsibilities included updating, communicating, and monitoring procedures and control activities. Inspected the policy and procedure manuals as well as related review documentation to determine whether procedures and control activities were updated based on ISO and IEC standards.

No exceptions noted.
Company X has written job descriptions specifying the responsibilities and the academic and professional requirements for key job positions. Human resources personnel screen internal and external job applicant qualifications based on the defined requirements within the job description. Transcripts are obtained to evidence educational attainment, and job references are checked to validate experience.

For a sample of key positions, inspected written job descriptions to determine whether the job descriptions included responsibilities and academic and professional requirements. For a sample of employees, inquired of the employees about their understanding of their job responsibilities, academic qualifications, and professional certifications and compared their responses for consistency to the documented responsibilities, and academic and professional requirements documented in the job description applicable to their position. For a sample of new employees and employees who have transferred internally, inspected the personnel file to determine whether transcripts were obtained, and job references were checked.

No exceptions noted.
Company X's policy and procedure manuals are reviewed annually by the CIO, Vice President of Operations, and the Security Officer for consistency with the organization's risk mitigation strategy and updated as necessary for changes in the strategy.

Inspected the policy and procedure manuals to ascertain whether policies and procedures had been updated for changes in the risk mitigation strategy. Inspected documentation of the annual review of the policy and procedures manuals by the CIO, Vice President of Operations, and the Security Officer.

No exceptions noted.
Logical and Physical Access

CC6.1 The entity implements logical access security software, infrastructure, and architectures over protected information assets to protect them from security events to meet the entity's objectives.
The company identifies, classifies and manages an inventory of information assets through an access database. The inventory is reviewed and approved by management on an annual basis.

Inspected the access database to determine whether an inventory is maintained and information assets are classified. Inspected documentation of management's review and approval of the inventory and classification.

No exceptions noted.
The Company monitors system components through an automated management interface to log, track, and maintain inventory components.

Inspected the automated inventory management tool to determine that the tool is in place to monitor the system components. Inspected information system inventory records from the inventory management tool to determine that the tool was providing necessary information to manage assets.

No exceptions noted.
Logical access to information assets is restricted through use of access control software and rule sets.

Inspected information systems configuration to determine whether access control software and rule sets were used to restrict access.

No exceptions noted.
Production systems are configured to authenticate users with a unique user account and enforce predefined user account and minimum password requirements.

Inspected the Information Security Policy to determine whether unique user accounts are required and minimum password requirements for production systems are defined.

No exceptions noted.
Administrative access to Active Directory, Unix, SCM systems and system servers and databases is restricted to authorized employees.

Inspected information systems configuration to determine whether administrative access to Active Directory, UNIX, SCM systems, servers, and databases is restricted to authorized employees.

No exceptions noted.
Company X's transportation providers, assembly providers (user entities), treating facilities, and component providers (subcontractors) are approved for access by an authorized user.

Inspected a sample of documented user entity and subcontractor requests for access to the system to determine whether they were approved for access by an authorized user. Inspected a sample of user access configurations and determined that system configurations aligned to approved requests.

No exceptions noted.
Company X permits remote access to production systems by authorized employees only with multi-factor authentication (MFA) over encrypted virtual private network (VPN) connection.

Observed a remote login session to determine that MFA VPN was required to access the production network.

No exceptions noted.
Web servers utilize TLS certificates for encrypted web communication sessions. TLS certificates are monitored for renewal.

Inspected login portal for each of the in-scope information assets to determine whether web communication sessions were secured through TLS certificates. Inspected certificate expiration report to determine whether TLS certificates were valid and renewals were tracked.

No exceptions noted.
In-scope system components require unique username and passwords (or authorized SSH keys) prior to authenticating users.

Inspected login attempts to determine that the in-scope system components required authentication measures for users.

No exceptions noted.
End user and server workload network traffic is segmented to support isolation.

Inspected the network diagram and configurations to determine that customer environments and data are segmented.

No exceptions noted.
Inbound internet traffic terminates at hosts in the DMZ which is separate from the LAN.

Observed firewall system configurations to determine whether inbound Internet traffic terminated at hosts in the DMZ which was separate from the LAN.

No exceptions noted.
A data classification policy is in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Inspected the data classification policy to determine that procedures existed around classifying and protecting confidential information.

No exceptions noted.
SSL certificates are used at the entry-point firewalls to information assets to establish access control rules.

Inspected the SSL certificates for verification, issuance, signature algorithm, and validity date.

No exceptions noted.
Passwords for in-scope system components are configured according to the Company X's policy, which (a) requires eight-character minimum and 90-day password changes; (b) is complexity enabled; and (c) locks users out of the system after three invalid attempts.

Inspected in-scope system components to determine that passwords were configured according to company policy.

No exceptions noted.
All new software and devices installed on the network or in the manufacturing facility go through a change management process, which includes establishing appropriate credentials for said software and/or devices to operate on company infrastructure.

Inspected a sample of new software and devices installed on the network to determine whether appropriate user credentials were established and user accounts settings aligned to security policies.

No exceptions noted.
Databases housing sensitive customer data are encrypted at rest.

Inspected database configurations to determine that databases were encrypted at rest.

No exceptions noted.
Encryption keys used by integrated services are encrypted themselves with a unique master key.

Inspected the configuration for the encryption process to determine that encryption activities use an acceptable cryptographic algorithm.

No exceptions noted.
CC6.2 Prior to issuing system credentials and granting system access, the entity registers and authorizes new internal and external users whose access is administered by the entity. For those users whose access is administered by the entity, user system credentials are removed when user access is no longer authorized.
Access to in-scope system components requires a documented access request form and manager approval and authorization prior to access being provisioned.

Inspected access requests forms for a sample of new hires that received access to the in-scope system components to determine that an access provisioning request was approved prior to access being provisioned.

No exceptions noted.
IT is notified of terminations by email from HR. Access is removed/disabled from the network, and in-scope applications timely.

Compared a system-generated list of active users to a system-generated list of terminated employees to determine whether any terminated employees had access to the in-scope applications.

No exceptions noted.
A termination checklist is completed and access is revoked for employees within 24 hours as part of the termination process.

Inspected termination tickets for a sample of terminated employees during the review period to determine that access was revoked within 24 hours as a part of the termination process.

No exceptions noted.
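The two practitioner tests above (comparing a system-generated active-user list to the HR termination list, and checking that access was revoked within 24 hours), as an added example that is not part of the AICPA report or Company X's procedures; the HR export, active-user export and termination ticket layouts and all sample data are constructed for the example.

```python
"""Terminated-user access reconciliation over constructed exports (added example)."""
from datetime import datetime, timedelta, timezone


def _parse_ts(ts):
    """Parse the 'Z'-suffixed UTC timestamps used in the sample exports."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed HR termination export (who left and when).
HR_TERMINATIONS = [
    {"user": "asmith", "terminated_at": "2020-02-10T17:00:00Z"},
    {"user": "bjones", "terminated_at": "2020-02-12T17:00:00Z"},
    {"user": "cwu", "terminated_at": "2020-02-14T12:00:00Z"},
    {"user": "dlee", "terminated_at": "2020-02-18T09:00:00Z"},
]

# Constructed system-generated active-user export from an in-scope application.
ACTIVE_USERS = ["ehall", "bjones", "fkim", "gpatel"]

# Constructed termination tickets recording when IT disabled each account.
TERMINATION_TICKETS = [
    {"ticket": "TKT-501", "user": "asmith", "disabled_at": "2020-02-11T09:30:00Z"},
    {"ticket": "TKT-507", "user": "cwu", "disabled_at": "2020-02-16T08:00:00Z"},
]


def reconcile_terminations(terminations, active_users, tickets, sla_hours=24):
    """Return one finding per terminated user whose access was not handled:
    still present in the active-user export, no termination ticket on file,
    or disabled later than `sla_hours` after the HR termination time."""
    active = set(active_users)
    disabled_at = {t["user"]: _parse_ts(t["disabled_at"]) for t in tickets}
    findings = []
    for rec in terminations:
        user, term_ts = rec["user"], _parse_ts(rec["terminated_at"])
        if user in active:
            findings.append({"user": user, "issue": "still active after termination"})
        elif user not in disabled_at:
            findings.append({"user": user, "issue": "no termination ticket on file"})
        else:
            elapsed = disabled_at[user] - term_ts
            if elapsed > timedelta(hours=sla_hours):
                findings.append({"user": user, "issue": "revoked late",
                                 "hours": round(elapsed.total_seconds() / 3600, 1)})
    return findings


def run_sample_reconciliation():
    """Reconcile the constructed exports against the 24-hour requirement."""
    return reconcile_terminations(HR_TERMINATIONS, ACTIVE_USERS, TERMINATION_TICKETS)


if __name__ == "__main__":
    for finding in run_sample_reconciliation():
        print(finding)
```

In the constructed data asmith was disabled 16.5 hours after termination and produces no finding; bjones is still active, cwu was disabled 44 hours later, and dlee has no ticket at all.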
Management performs a quarterly access review for the in-scope system components to ensure that access is restricted appropriately. Tickets are created to remove access as necessary in a timely manner.

Inspected access review documentation for sample of quarters to determine that an access review was performed for in-scope system components and that tickets were created to remove inappropriate access.

No exceptions noted.
Section 5 — Other Information Provided by Company X Management That Is Not Covered by the Accountant's Report

Note to Readers: The entity may wish to attach to the description of the manufacturer's system, or to include in a document containing the accountant's report, information in addition to its description. The following are examples of such information:
• Future plans for new systems.
• Other services provided by the organization that are not included in the scope of the engagement
• Qualitative information, such as marketing claims, that may not be objectively measurable
• Responses from management to deviations identified by the practitioner when such responses have not been subject to procedures by the practitioner
For brevity, an example is not provided.
© 2020 Association of International Certified Professional Accountants. All rights reserved. AICPA and American Institute of CPAs are trademarks of the American Institute of Certified Public Accountants and are registered in the US, the EU and other countries. The Globe Design is a trademark owned by the Association of International Certified Professional Accountants and licensed to the AICPA. 2003A-52758