In March 2020, the AICPA launched a new risk reporting framework, SOC for Supply Chain. The new framework is the latest in the AICPA’s System and Organization Controls (SOC) suite of service offerings, including SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity.

What is SOC for Supply Chain?

Today, in large part due to technology innovations, supply chains are quite complex and include interdependence and connections between organizations that manufacture or produce goods or products and their suppliers, distributors, and business partners. The existence of multiple entities within the supply chain comes with an inherent level of risk. Some examples include:

  • Products may be provided that do not meet defined product performance specifications.
  • Delivery and quality commitment requirements may not be met.
  • Production, manufacturing, or distribution commitment requirements may not be met.

The new SOC for Supply Chain framework  is designed to identify, assess, and address these supply chain risks.

Who is interested in this report?

Any entity in the supply chain can benefit from the SOC for Supply Chain assessment. Companies that produce, manufacture, or distribute products, as well as their suppliers, can utilize the report to demonstrate how they have addressed risk in their environment. The SOC for Supply Chain report communicates useful information about a company’s systems and the controls within the systems to customers, business partners, and prospective customers and business partners.

Why is a CPA involved in this report?

Like the other SOC reporting frameworks, SOC for Supply Chain assessments are completed by a CPA firm. Because the CPA firm is required to follow all guidance issued by both the AICPA and individual state boards of accountancy, the consumer of the report gains a higher level of assurance and reliability from the final report. Additionally, many CPA firms, like LBMC, provide information security and cybersecurity services and the inclusion of SOC for Supply Chain assessments is a natural extension of existing expertise and experience. Additionally, LBMC’s team of assessors has significant experience with evaluating the effectiveness of controls relevant to security, availability, processing integrity, confidentiality, and privacy.

What information does the report consist of?

Similar to SOC 2 reporting, SOC for Supply Chain is based on the AICPA’s Trust Services Criteria (TSC): Security, Availability, Confidentiality, Processing Integrity, and Privacy.

Criteria Criteria Objectives
Security Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that could compromise the availability, integrity, confidentiality, and privacy of information or systems and affect the entity’s ability to meet its objectives.
Availability Information and systems are available for operation and use to meet the entity’s objectives.
Confidentiality Information designated as confidential is protected to meet the entity’s objectives.
Processing Integrity System processing is complete, valid, accurate, timely, and authorized to meet the entity’s objectives.
Privacy Personal information is collected, used, retained, disclosed, and disposed to meet the entity’s objectives.

 

As the Security category is foundational to the TSC, it is required in every SOC for Supply Chain assessment. Organizations can choose to also include any combination of the other four criteria, according to the needs and relevance of each to their customers.

The examination is generally performed on the organization’s system(s) that produce, manufacture, or distribute products. The SOC for Supply Chain report consists of the following components:

Section I: The independent auditor’s opinion The independent auditor defines the scope of what was examined as part of the assessment and provides an opinion on Management’s description of the system (as detailed in Section III below) as well as the design and operating effectiveness of the controls stated in the description.

Section II: Management’s assertion Management provides a written assertion that the description of the system (as detailed in Section III below) is presented accurately and in accordance with the AICPA’s description criteria and the controls identified to support the achievement of its principal system objectives were effective based on the applicable TSC.

Section III: Management’s description Management prepares a narrative description of the production, manufacturing, or distribution system used for producing a good or set of related goods (i.e., the system that is being evaluated).   The description of the system is to be presented in accordance with the AICPA’s description criteria.  While the criteria used for the SOC for Supply Chain assessment are the same as those used for the SOC 2, specific description criteria were defined to focus on information applicable to supply chain risks.

Section IV: The independent auditor’s test of controls and results The independent auditor provides a description of the testing procedures performed to evaluate the design and operating effectiveness of controls management has identified to support the achievement of its principal system objectives. Further, the results of the testing procedures used to support the opinion stated in Section I are detailed.

Use of the SOC for Supply Chain report is restricted, meaning it is limited in its distribution and is not for public or general use.

Want to learn more about the SOC for Supply Chain report? Contact LBMC to learn more and get started on a consultation!

Content provided by LBMC cybersecurity professional, Richard Beard.