Service Organization Controls Report Three
(SOC 3)
Report on Printing, Mailing and Fulfillment
Services System Relevant to Security,
Availability, Processing Integrity, and
Confidentiality
For the Period October 1, 2014 to September 30, 2015
LurieLLP.com
O/612.377.4404
F/612.377.1325
REPORT OF INDEPENDENT ACCOUNTANTS
Report by Lurie, LLP
To the Management of Shapco Printing, Inc.
We have examined management's assertion that Shapco Printing, Inc. (Shapco), during the period October
1, 2014 to September 30, 2015, maintained effective controls to provide reasonable assurance that its
printing, mailing and fulfillment services system:
• was protected against unauthorized access, use, or modification (both physical and logical);
• was available for operation and use, as committed or agreed;
• was processing completely, accurately, timely, and authorized; and
• information designated as confidential was protected by the system as committed or agreed
based on the criteria for the security, availability, processing integrity, and confidentiality principles set forth
in the AICPA’s TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing
Integrity, Confidentiality, and Privacy (Trust Services Security, Availability, Processing Integrity, and
Confidentiality Criteria). This assertion is the responsibility of Shapco management. Our responsibility is to
express an opinion based on our examination.
Our examination was conducted in accordance with attestation standards established by the American
Institute of Certified Public Accountants and, accordingly, included (1) obtaining an understanding of
Shapco’s relevant security, availability, processing integrity and confidentiality controls, (2) testing and
evaluating the operating effectiveness of the controls and (3) performing such other procedures as we
considered necessary in the circumstances. We believe that our examination provides a reasonable basis
for our opinion.
Because of inherent limitations in controls, error or fraud may occur and not be detected. Furthermore, the
projection of any conclusions, based on our findings, to future periods is subject to the risk that the validity
of such conclusions may be altered because of changes made to the system or controls, the failure to make
needed changes to the system or controls or a deterioration in the degree of effectiveness of the controls.
In our opinion, Shapco management's assertion referred to above is fairly stated, in all material respects,
based on the Trust Services Security, Availability, Processing Integrity, and Confidentiality Criteria.
The SOC 3 SysTrust for Service Organizations Seal on the Shapco website constitutes a symbolic
representation of the contents of this report and it is not intended, nor should it be construed, to update this
report or provide any additional assurance.
Lurie, LLP
Minneapolis, Minnesota
October 13, 2015
2501 Wayzata Boulevard • Minneapolis, MN 55405
Management’s Assertion Regarding the Effectiveness of its Controls Over the Printing,
Mailing And Fulfillment Services System Based on the Trust Services Principles and Criteria
for Security, Availability, Processing Integrity, and Confidentiality
October 13, 2015
Shapco Printing, Inc. (Shapco) maintained effective controls over the security, availability,
processing integrity and confidentiality of the Printing, Mailing and Fulfillment Services System
to provide reasonable assurance:
• the system was protected against unauthorized access, use, or modification (both physical
and logical);
• the system was available for operation and use, as committed or agreed;
• the system was processing completely, accurately, timely, and authorized; and
• information designated as confidential was protected by the system as committed or
agreed
during the period October 1, 2014 through September 30, 2015, based on the criteria for the
Security, Availability, Processing Integrity and Confidentiality principles set forth in the AICPA’s
TSP section 100, Trust Services Principles and Criteria for Security, Availability, Processing
Integrity, Confidentiality, and Privacy.
Our attached System Description of the Printing, Mailing and Fulfillment Services System
identified the aspects of the Shapco System covered by our assertion.
Shapco Printing, Inc.
System Description
Shapco Background
Shapco Printing, Inc. (Shapco), formed in 1976, provides print, mail, and fulfillment services
to a variety of industries. Specific services provided include: conventional printing, digital
printing, large format printing, books, packaging, annual reports, UV, kitting, finishing and
direct mailing.
In detail Shapco provides:
• Prepress
The ability for customers to upload files to Shapco’s secure site, or scan them using a high
resolution drum or flatbed scanner. Shapco prepares the customer’s files and sends the
customer a soft proof and a realistic proof from their system using real ink dyes.
• Conventional
Conventional printing services, as well as two 8-color, and one 6-color UV presses allowing
for the addition of coatings.
• UV
The two 8-color, and one 6-color UV presses print UV inks on paper, plastic or other
substrates up to 40 points thick.
• Digital Printing
  • Variable data including tailored printing to include custom colors, photos or text to
  individuals in the mailing lists.
  • Point-of-purchase displays, booth graphics, decals, banners, outdoor signage on
  paper, vinyl or other substrates, accommodating 96 inch wide capability with multiple
  colors.
  • Direct mail capability to individuals or geographic areas on customer mailing lists.
• Finishing
Cutting, folding, gluing, binding, assembling and kitting print jobs.
• Mailing and Fulfillment
Managing customers’ databases, sealing and metering pieces, and drop-shipping them.
Components of the System
Software
The Shapco system uses internally hosted, supported and managed applications supporting
its job scheduling, purchasing, other accounting, digital printing, conventional printing,
fulfillment, and mailing functions. In addition, Shapco uses externally hosted and supported
prepress tools. Shapco also utilizes various automated systems to monitor the security,
availability and performance of the Shapco Systems.
Access to Shapco’s various systems is based on business need and requires a valid user ID
and password.
Infrastructure
Shapco’s local information systems run on Microsoft Windows file servers. Employees access
applications either through their:
• Microsoft Windows desktop company supplied computers, or
• Apple desktop company supplied computers, or
• through an encrypted secure virtual private network (VPN).
People
Shapco has a staff of approximately 120 employees and is organized in the functional areas:
• Digital Printing
• Accounting
• Conventional Printing
• Human Resources
• Bindery Services
• Information Technology
• Fulfillment
• Sales & Marketing
• Mailing Services
• Prepress
The organization structure of Shapco provides the overall framework for establishing
organization goals and ensuring resources are available to perform print, mail, and fulfillment
services. Performance and quality of these services is the responsibility of the Senior
Management team.
Management of Shapco is responsible for directing and controlling operations related to its
services and for establishing, communicating, and monitoring control policies and
procedures. The organization emphasizes integrity and ethical values of all Shapco personnel
and the importance of maintaining sound internal controls.
The hierarchy and reporting structure of Shapco has been established to support its strategic
objectives and to promote its operational independence from other functions. The
organization structure of Shapco provides the overall framework for planning, directing, and
controlling operations for its services and uses an approach whereby personnel are
segregated based on job responsibilities.
The current organization chart is presented below.
Processes
Shapco has documented policies and processes to support the operations and controls over
its System. Employees are required to undergo annual security and confidentiality training (if
required by their job responsibilities) and acknowledge their willingness to comply with
company policies.
Data
Shapco manages the print, mail and fulfillment operations within its IT infrastructure
environment. Access to data is limited to authorized personnel in accordance with Shapco
security policies. Shapco is responsible for the overall availability of data, including system
backups, monitoring of data processing and file transmissions as well as identifying and
resolving problems.