
Supply Chain: The AICPA’s New SOC for Supply Chain

Supply chain risk management (SCRM) has not only been a hot topic in 2020; it has become a realized risk. Dramatic swings in product demand, coupled with abrupt reductions in production and supply across the globe, created and continue to create historic levels of disruption. Industries from healthcare and consumer goods to construction supply have experienced, and continue to experience, severe strain on their supply chains. Consumers are waiting longer and paying more, while industries are realizing that supply chain risk management and resiliency are critical and should have been in place years ago. Organizations experiencing lost revenue may have been able to react quickly and assess the impact of issues at their direct (first-tier) suppliers, but the impact of disruptions at second- and even third-tier suppliers was often missed.

The AICPA has developed guidance and a voluntary reporting framework for entities wishing to provide greater transparency into how they manage supply chain risk. The new AICPA System and Organization Controls (SOC) for Supply Chain examination is an emerging resource built to help organizations communicate certain information about their supply chain risks and the effectiveness of the controls that mitigate those risks.

What is a Supply Chain?

The AICPA Guide SOC for Supply Chain defines a supply chain as, “…a system of organizations, people, activities, information and resources involved in moving a product from supplier to customer. Supply chain activities involve the transformation of natural resources, raw materials and components into finished goods. In sophisticated supply chain systems, used products may reenter the supply chain at any point where residual value is recyclable”.

Every entity in a supply chain, together with its suppliers, customers and business partners, should evaluate and establish a supply chain risk management program, because each is responsible for identifying, evaluating and addressing the risks associated with its part of the supply chain. Suppliers, customers and business partners, in turn, expect entity management to establish operational and compliance objectives (i.e., system objectives) for the entity's system.

SOC for Supply Chain – A Comparison

If you are currently a SOC 2® practitioner, then you are likely familiar with the various components of planning, executing and reporting on a SOC examination. Drawing heavily on the existing SOC 2® guidance, the AICPA has recently published interpretive guidance for SOC for Supply Chain. Any practitioner taking on SOC for Supply Chain examination engagements should read the interpretive guidance to fully understand the differences and similarities between SOC for Supply Chain and SOC 2®.

A side-by-side comparison of SOC 1®, SOC 2® and SOC for Supply Chain may help a practitioner understand the newest guidance. One key difference is the term "entity" in SOC for Supply Chain versus "service organization" in SOC 2®: an entity produces or manufactures goods, or provides distribution services for goods, rather than providing a service to user entities.

Comparison of SOC 1®, SOC 2® and SOC for Supply Chain

Attestation Standard
    SOC 1: AT-C 105, 205 & 320
    SOC 2: AT-C 105 and 205
    SOC for Supply Chain: AT-C 105 and 205

Interpretive Guidance
    SOC 1: AICPA Guide SOC 1® Reporting on an Examination of Controls at a Service Organization Relevant to User Entities' Internal Control Over Financial Reporting
    SOC 2: AICPA Guide SOC 2® Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy
    SOC for Supply Chain: AICPA Guide SOC for Supply Chain: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System

Examination Criteria
    SOC 1: AT-C 320 paras. 16 and 17: criteria for evaluating the design and operating effectiveness of controls
    SOC 2: TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy
    SOC for Supply Chain: TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy

Description Criteria
    SOC 1: Attributes of suitable criteria, AT-C 320 para. 15
    SOC 2: DC 200, 2018 Description Criteria for a Description of a Service Organization's System in a SOC 2® Report
    SOC for Supply Chain: DC 300, 2020 Description Criteria for a Description of an Entity's Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report

Time Frame
    All three: "As of" a point in time (Type I) or covering a period of time (Type II)

System
    SOC 1: The control objectives and related controls that may be relevant to user entities' internal control over financial reporting (ICFR).
    SOC 2: Infrastructure, software, people, data and procedures that are designed, implemented, and operated by people to achieve one or more of the organization's specific business objectives in accordance with management-specified requirements.
    SOC for Supply Chain: Infrastructure, software, people, data and procedures that are designed, implemented, and operated by people to achieve one or more of the entity's specific objectives as they relate to producing, manufacturing, or distributing products.

Subject Matter
    SOC 1: Controls at the service organization relevant to user entities' internal control over financial reporting.
    SOC 2: Controls at a service organization relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy.
    SOC for Supply Chain: Controls at an entity relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy.

System Boundaries
    SOC 1: Components of a service organization's classes of transactions relevant to user entities' internal control over financial reporting.
    SOC 2: Components of a service organization's infrastructure, software, people, procedures, and data necessary to provide its services.
    SOC for Supply Chain: Components of an entity's infrastructure, software, people, procedures, and data that produce, manufacture, or distribute the product.

Objective
    SOC 1: The service organization's ability to meet its control objectives as they relate to ICFR.
    SOC 2: The service organization's ability to meet its service commitments and system requirements based on the TSC.
    SOC for Supply Chain: The entity's ability to meet its principal system objectives based on the TSC.

System Objectives
    SOC 1: Control objectives are included in the description of the service organization's system to provide sufficient information for user auditors to understand how the service organization's processing affects user entities' financial statements and to enable user auditors to assess the risks of material misstatement in the user entities' financial statements. Control objectives are those that are relevant to meeting the common needs of a broad range of user entities and their user auditors.
    SOC 2: Principal service commitments are disclosures included in the description of the service organization's system related to the service commitments made by management to its customers about the system used to provide the service. Principal service commitments are those that are relevant to meeting the common needs of the broad range of SOC 2® report users.
    SOC for Supply Chain: Principal system objectives are included in the system description and relate to the entity's objectives, which are embodied in the product commitments it makes to customers. The system objectives also include the requirements established for system functionality to meet production, manufacturing, or distribution commitments. Principal system objectives are those that relate to the trust services category or categories addressed by the examination and that could reasonably be expected to influence the relevant decisions of intended users.

Management's Assertion
    SOC 1: Service organization management's assertion about whether (a) the description of the system is fairly presented, (b) the controls are suitably designed, and (c) in a Type II report, the controls operated effectively to achieve the service organization's control objectives as they relate to user entities' internal control over financial reporting.
    SOC 2: Service organization management's assertion about whether (a) the description of the system is in accordance with the description criteria, (b) the controls are suitably designed, and (c) in a Type II report, the controls operated effectively to achieve the service organization's service commitments and system requirements based on the applicable trust services criteria.
    SOC for Supply Chain: Entity management's assertion about whether (a) the description presents the system designed and implemented in accordance with the description criteria and (b) the controls stated in the description, which are necessary to provide reasonable assurance that the entity achieved its principal system objectives, were effective based on the applicable trust services criteria.

User Entity Controls
    SOC 1: Complementary User Entity Controls (CUEC)
    SOC 2: Complementary User Entity Controls (CUEC)
    SOC for Supply Chain: Complementary Customer Controls (CCC)

Subservice Organizations
    SOC 1: Complementary Subservice Organization Controls (CSOC): controls that management assumed would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization's control objectives are achieved.
    SOC 2: Complementary Subservice Organization Controls (CSOC): controls that management assumed would be implemented by the subservice organization and that are necessary, in combination with controls at the service organization, to provide reasonable assurance that the service organization's service commitments and system requirements based on the TSC are achieved.
    SOC for Supply Chain: Complementary Supplier Controls (CSC): controls performed by the supplier that are necessary, in combination with the entity's controls, to achieve the entity's principal system objectives.

Inclusive or Carve-Out Method
    All three: the subservice organization (or, for SOC for Supply Chain, supplier) controls above may be presented using either the inclusive or the carve-out method.

SOC Report Sections
    Section I
        SOC 1: Independent Service Auditor's Report
        SOC 2: Service Organization Management's Assertion
        SOC for Supply Chain: Entity Management's Assertion
    Section II
        SOC 1: Service Organization Management's Assertion
        SOC 2: Independent Service Auditor's Report
        SOC for Supply Chain: Independent Accountant's Report
    Section III
        All three: System Description
    Section IV
        SOC 1: Control Objectives, Related Controls (Type I), and Tests of Controls and Results of Tests (Type II)
        SOC 2: Trust Services Categories, Criteria, Related Controls (Type I), and Tests of Controls and Results of Tests (Type II)
        SOC for Supply Chain: Any or all of the Trust Services Categories, Criteria, Related Controls (Type I), and Tests of Controls and Results of Tests (Type II)
    Section V
        All three: Other Information Provided by Management

SOC for Supply Chain offers entities a voluntary framework for giving stakeholders assurance about the controls in place to manage supply chain risks. If you are considering a SOC for Supply Chain examination, or want to understand the benefits of evaluating your supply chain risk, the SOC professionals at Frazier & Deeter are here to help you understand the new guidance, explain the examination process, and lay out the steps to take to become ready for a SOC for Supply Chain examination.

About the Author

Shelby Nelson (CISA, CISSP, CDPSE, Cyber SOC, Advanced SOC) is a Principal in Frazier & Deeter's Process, Risk & Governance (PRG) Practice and is the 2020 author and instructor of the AICPA SOC for Service Organizations curriculum. Shelby brings over 20 years of diverse experience in external and internal audit, as well as project and operational risk management. Her career includes responsibility for the creation, execution, implementation, optimization and testing of operational and IT controls, as well as specialization in SOC consulting, instruction, examination and reporting. Shelby is a frequent speaker for professional organizations including the AICPA, IIA and ISACA.
