In March 2020, the AICPA launched a new risk reporting framework, SOC for Supply Chain. The new framework is the latest addition to the AICPA's System and Organization Controls (SOC) suite of service offerings, which also includes SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity.

What is SOC for Supply Chain?

Today, largely because of technological innovation, supply chains are highly complex and involve interdependence and connections between organizations that manufacture or produce goods or products and their suppliers, distributors, and business partners. The existence of multiple entities within the supply chain comes with an inherent level of risk. Some examples include:

  • Products may be provided that do not meet defined product performance specifications.
  • Delivery and quality commitment requirements may not be met.
  • Production, manufacturing, or distribution commitment requirements may not be met.

The SOC for Supply Chain framework is designed to identify, assess, and address these supply chain risks.

Who is interested in this report?

Any entity in the supply chain can benefit from a SOC for Supply Chain assessment. Companies that produce, manufacture, or distribute products, as well as their suppliers, can use the report to demonstrate how they have addressed risk in their environment. The SOC for Supply Chain report communicates useful information about a company's systems and the controls within those systems to customers, business partners, and prospective customers and business partners.

Why does this report involve CPAs?

Like the other SOC reporting frameworks, a SOC for Supply Chain assessment is performed by a CPA firm. Because the CPA firm is required to follow all standards and guidance issued by both the AICPA and the state boards of accountancy, the consumer of the report gains a higher level of assurance and reliability from the final report. In addition, many accounting firms, like LBMC, provide information security and cybersecurity services, so the inclusion of SOC for Supply Chain assessments is a natural extension of existing expertise and experience. LBMC's team of assessors also has significant experience evaluating the effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy.

What information does this report contain?

Similar to a SOC 2 report, SOC for Supply Chain is based on the AICPA's Trust Services Criteria (TSC), which are organized into five categories: security, availability, confidentiality, processing integrity, and privacy.

Category              Objective of the category
Security              Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity's ability to meet its objectives.
Availability          Information and systems are available for operation and use to meet the entity's objectives.
Confidentiality       Information designated as confidential is protected to meet the entity's objectives.
Processing integrity  System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
Privacy               Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.


Because the security category is the foundation of the TSC, it is required in every SOC for Supply Chain assessment. Organizations can choose to also include any combination of the other four categories, depending on their needs and on what is relevant to their customers.

The examination is generally performed on the organization's system(s) that produce, manufacture, or distribute products. The SOC for Supply Chain report consists of the following components:

Section I: Independent Auditor's Opinion. The independent auditor defines the scope of what was examined as part of the assessment and provides an opinion on management's description of the system (as detailed in Section III below) as well as on the design and operating effectiveness of the controls stated in the description.

Section II: Management's Assertion. Management provides a written assertion that the description of the system (as detailed in Section III below) is presented accurately and in accordance with the AICPA's description criteria, and that the controls identified to support the achievement of its principal system objectives were effective based on the applicable TSC.

Section III: Management's Description. Management prepares a narrative description of the production, manufacturing, or distribution system used to produce a good or set of related goods (i.e., the system being assessed). The description of the system is to be presented in accordance with the AICPA's description criteria. While the TSC used for the SOC for Supply Chain assessment are the same as those used for SOC 2, specific description criteria have been defined that focus on information applicable to supply chain risk.

Section IV: Independent Auditor's Tests of Controls and Results. The independent auditor provides a description of the testing procedures performed to evaluate the design and operating effectiveness of the controls management has identified to support the achievement of its principal system objectives. Further, the results of the testing procedures used to support the opinion stated in Section I are detailed.

A SOC for Supply Chain report is a restricted-use report, meaning its distribution is limited and it is not intended for public or general use.

Want to learn more about SOC for Supply Chain reports? Contact LBMC Information Security to learn more and get started with a consultation!
