Internal and external forces such as globalization, global interconnectivity, automation, and other technological advancements are making today’s supply chains highly sophisticated and complex. For entities that produce, manufacture, or distribute products, there’s often a high level of interdependence and connectivity between them and their suppliers, customers, and business partners. These relationships are considered part of the supply chain.
Although the interconnectedness of these organizations can be beneficial (increased revenues, expanded market opportunities, and cost reduction), the ability of such organizations to meet their goals is often increasingly dependent on events, processes, and controls that are not visible and are often beyond their control. Every time an organization does business with a supplier or service provider, new risks are introduced into the supply chain. These risks may threaten an organization’s ability to meet commitments made to customers and business partners and other goals, such as:
- Providing products that meet the principal product performance specifications
- Meeting delivery and quality commitments and other requirements
- Meeting production, manufacturing, or distribution commitments and requirements
To help these organizations, and their customers and business partners, identify, assess, and address supply chain risks, the AICPA has developed a solution to foster greater transparency in the supply chain: a market-driven, flexible, and voluntary reporting framework. This resource helps organizations communicate certain information about their supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.
Guides and Relevant Criteria for SOC for Supply Chain
AICPA Guide SOC for Supply Chain: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System
The AICPA’s new SOC for Supply Chain is a market-driven, flexible, and voluntary reporting framework that includes Description Criteria and Trust Services Criteria. CPAs, management accountants and organization management can use this tool to communicate about the organization’s supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.
The AICPA’s Description Criteria for a Description of an Entity’s Production, Manufacturing or Distribution System in a SOC for Supply Chain Report includes the criteria used to prepare and evaluate the description of a manufacturer’s, producer’s, or distribution company’s system. These description criteria present a common language (or criteria) for those organizations to develop and describe their supply chain risk management efforts and for CPAs to evaluate the descriptions.
Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (includes March 2020 Updates)
The AICPA’s 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the 2017 trust services criteria or 2017 TSC) includes the control criteria used to evaluate the effectiveness of controls within the system. The trust services criteria comprise a set of high-level objectives that reflect best practices (as opposed to specific, detailed, or prescriptive control requirements) designed to help organizations evaluate the effectiveness of their system controls in achieving the goals or objectives that management has established for the organization. Among those controls are controls designed to manage the ever-evolving supply chain risks. These controls will help organizations stay one step ahead of, not behind, current and future risks. (These are the same criteria that are used to evaluate system controls in a service organization (SOC 1 and 2) and that may be used to evaluate organization-wide controls in a cybersecurity examination.)
SOC for Supply Chain Resources
- Trust Services Criteria (Red-lined version)
- Illustrative SOC for Supply Chain Report
- Information for Entity Management
- Comparison of SOC 2 vs SOC for Cybersecurity vs SOC for Supply Chain
- SOC for Supply Chain Backgrounder
- AICPA's New Examination Engagement: SOC for Supply Chain Webcast
- AICPA Unveils New Supply Chain Risk Management Reporting Framework press release