SOC for Supply Chain

Internal and external forces such as globalization, global interconnectivity, automation, and other technological advancements are making today’s supply chains highly sophisticated and complex. For entities that produce, manufacture or distribute products, there’s often a high level of interdependence and connectivity between them and their suppliers and their customers and business partners. These relationships are considered part of the supply chain.

Although the interconnectedness of these organizations can be beneficial (increased revenues, expanded market opportunities, and cost reduction), the ability of such organizations to meet their goals is often increasingly dependent on events, processes, and controls that are not visible and are often beyond their control.  Every time an organization does business with a supplier or service provider, new risks are introduced into the supply chain. These risks may threaten an organization’s ability to meet commitments made to customers and business partners and other goals,  such as:

  • Providing products that meet the principal product performance specifications
  • Meeting delivery and quality commitments and other requirements
  • Meeting production, manufacturing, or distribution commitments and requirements

To help these organizations,  and their customers and business partners, identify, assess, and address supply chain risks, the AICPA has developed a solution to foster greater transparency in the supply chain —a market-driven, flexible, and voluntary reporting framework.  This resource helps organizations communicate certain information about the supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks. 
 

Guides and Relevant Criteria for SOC for Supply Chain

AICPA Guide SOC for Supply Chain Cover

AICPA Guide SOC for Supply Chain: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System

The AICPA’s new SOC for Supply Chain is a market-driven, flexible, and voluntary reporting framework that includes Description Criteria and Trust Services Criteria. CPAs, management accountants and organization management can use this tool to communicate about the organization’s supply chain risk management efforts and assess the effectiveness of system controls that mitigate those risks.

Description criteria cover

Description Criteria for a Description of an Entity’s Production, Manufacturing or Distribution System in a SOC for Supply Chain Report

The AICPA’s Description Criteria for a Description of an Entity’s Production, Manufacturing or Distribution System in a SOC for Supply Chain Report includes the criteria used to prepare and evaluate the description of a manufacturer’s, producer’s, or distribution company’s system.  This description criteria presents a common language—or criteria—for those organizations to develop and describe their supply chain risk management efforts and for CPAs to evaluate the descriptions.

Trust services criteria cover

Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (includes March 2020 Updates)

The AICPA’s 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (the 2017 trust services criteria or 2017 TSC) includes the control criteria used to evaluate the effectiveness of controls within the system. The trust service criteria is comprised on a set of high-level objectives that reflect best practices (as opposed to specific, detailed or prescriptive controls requirements) designed to help organizations evaluate the effectiveness of their system controls in achieving  the goals or objectives that management has established for the organization.  Among those controls are controls designed to manage the ever-evolving supply chain risks. These controls will help organizations stay one step ahead of, not behind, current and future risks. (This is the same criteria that is used to evaluate system controls in a service organization (SOC 1 and 2) and that may be used to evaluate organization-wide controls in a cybersecurity examination).


SOC for Supply Chain Resources

Visit the AICPA Store for information about SOC for Supply Chain Certificate CPE.

SOC for Supply Chain CPE

We are the American Institute of CPAs, the world’s largest member association representing the accounting profession. Our history of serving the public interest stretches back to 1887. Today, you'll find our 431,000+ members in 130 countries and territories, representing many areas of practice, including business and industry, public practice, government, education and consulting.

About AICPA

Support

Association of International Certified Professional Accountants. All rights reserved.