DIRECT EXAMINATION ENGAGEMENTS (SSAE-21)

SOC FOR SUPPLY CHAIN

Internal and external forces such as globalization, global interconnectivity, automation,and other technological advancements are making today’s supply chains highly sophisticated and complex. For entities that produce, manufacture or distribute products, there’s often a high level of interdependence and connectivity between them and their suppliers and their customers and business partners. These relationships are considered part of the supply chain.

Although the interconnectedness of these organizations can be beneficial (increased revenues, expanded market opportunities, and cost reduction), the ability of such organizations to meet their goals is often increasingly dependent on events, processes, and controls that are not visible and are often beyond their control. Every time an organization does business with a supplier or service provider, new risks are introduced into the supply chain. These risks may threaten an organization’s ability to meet commitments made to customers and business partners and other goals, such as:

• Providing products that meet the principal product performance specifications
• Meeting delivery and quality commitments and other requirements
• Meeting production, manufacturing, or distribution commitments and requirements

 

To help these organizations, and their customers and business partners, identify, assess, and address supply chain risks, the AICPA has developed a solution to foster greater transparency in the supply chain —a market-driven, flexible, and voluntary reporting framework. This resource helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.

Compliance Attestation engagements examine an organization’s compliance with specified requirements.

Services we perform:

Examination reports on Compliance with requirements of specified laws, regulations, contracts, or grants or an assertion about compliance with specified requirements.
Kompleye Attestation performs compliance attestations on Cybersecurity and operational controls using the following frameworks and regulatory requirements:

• NIST SP 800-171
• FISMA
• HITRUST CSF
• Health Information Portability and Accountability Act (HIPAA)
• Health Information Technology for Economic and Clinical Health Act (HITECH)
• California Consumer Privacy Act
• Gramm Leach Bliley Act (GLB), also known as the Financial Services Modernization Act
• MSSPA

Agreed Upon Procedures SSAE 18

Agreed Upon Procedures are performed to obtain related to compliance with specified requirements that are established by specified parties.

Services we perform:

• Report on Agreed Upon Procedures (AUP) related to an entity’s compliance with specified requirements
• Report Agreed Upon Procedures (AUP) related to an entity’s internal control over compliance with specified requirements
• Kompleye Attestation performs Agreed Upon Procedures related to Cybersecurity and other requirements determined by specified parties

 

When an AUP should be considered?

To comply with a particular entity requirement.