AICPA introduces SOC for Supply Chain reporting framework
The American Institute of CPAs has debuted SOC for Supply Chain, a risk management reporting framework that CPAs can use to provide assurance services as they face risks in their supply chain ranging from coronavirus to trade to other threats.
The framework will enable CPAs to help manufacturers, producers, distribution companies and their customers and business partners identify, assess and address their supply chain risks. It’s one of a series of System and Organization Controls reporting frameworks offered by the AICPA, along with the earlier ones for providing SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity reports (see our article). Organizations and their CPA firms can use the new reporting framework to communicate certain information about their manufacturing, production or distribution system and the effectiveness of controls that mitigate supply chain risks.
“Today’s supply chains are highly sophisticated and complex, there is often a high level of interdependence and connectivity between them, which increases an organization’s vulnerability to risk,” said Amy Pawlicki, vice president of assurance and advisory innovation at the AICPA, in a statement Thursday. “Our new SOC for Supply Chain framework can help an organization assess risk, understand the effectiveness of its controls and identify shortfalls.”
CPAs can use the new framework to audit or provide assurance on the supply chain around an organization’s manufacturing, production and distribution systems. The CPA can provide an opinion on the organization’s description of the system it uses to manufacture, produce or distribute products, as well as providing an opinion on the effectiveness of the controls within that system. A SOC for Supply Chain engagement can help an organization better assess and manage potentially costly risks. A SOC for Supply Chain examination and report can provide an audited track record for customers, business partners and other interested parties that shows a commitment to customers and business partners.
Three resources that support the framework were released Thursday:
- Description criteria: The AICPA’s Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report includes the criteria used to prepare and evaluate the description of a manufacturer’s, producer’s or distribution company’s system.
- Trust services criteria (updated): The AICPA’s 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is used to evaluate and report on the effectiveness of the controls within an organization’s system.
- CPA guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System. Developed by a joint working group of the AICPA Assurance Services Executive Committee and the Auditing Standards Board, the guide provides guidance to CPAs on performing the new SOC for Supply Chain Examination.