
To determine if customer or external provider property is effectively controlled, start by reviewing procedures the organization has in place for identifying, verifying, protecting, and safeguarding such property. This includes any physical items, materials, components, or intellectual property supplied for use or incorporation into the organization’s products or services. Effective control means that the organization can account for all customer or provider property from the point of receipt, through storage and handling, to incorporation into the product or return to the provider. Evidence of control should include documented procedures and specific records showing traceability and accountability for each item.
Verify that the organization has a system for monitoring the condition and suitability of customer or external provider property throughout its handling and use. For compliance, procedures should address routine checks or verifications to ensure that property is not damaged or compromised. Any damages, losses, or instances where property is found unsuitable for use should be documented and reported to the customer or external provider as required. Review records of past incidents, if any, to confirm that they were handled consistently and in a timely manner.
Finally, assess whether the organization retains documented information on actions taken regarding the use or preservation of this property. Such documentation should cover any identification and traceability requirements, details of care taken, and specific steps for protection. For property with unique requirements, like sensitive intellectual property or specialized equipment, additional security or handling protocols may be needed. Evaluate the adequacy of these controls by reviewing sample records and examining how well they align with customer or regulatory expectations, and confirm that the organization consistently meets all traceability and protection obligations.