Recently, the AICPA has released its exposure draft for the SOC for Supply Chain Description Criteria for public comment. I reviewed the draft and summarized the overview and main points below. This is an introductory post. Stay tuned for a 2-part deep dive into the new Criteria.
The AICPA’s SOC for Supply Chain examination was created to assist Board members, senior management, and other stakeholders in evaluating the risks of doing business with the company. The examination is both voluntary and adaptive.
Similar to SOC 1 and SOC 2 examinations, and as the focus of this blog, the AICPA has released Description Criteria to assist management in preparing the Description of the System and to help the service auditor evaluate that description against the Description Criteria requirements.
Management is responsible for designing, implementing, and operating the System and the controls within their System, and by extension, the preparation and presentation of the Description of the System.
The AICPA plans to utilize the pre-existing 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (‘Trust Services’), similar to the SOC for Cybersecurity (Cybersecurity Risk Management) and the SOC 2.
The new framework is designed to provide useful information about the System used to produce, manufacture, or distribute products and the relevant controls. The report will allow stakeholders to identify, assess, and manage risks stemming from their relationships with the service provider.
- Business customers need information about the System in order to integrate those controls with the controls in their own systems and determine whether those controls are sufficient to mitigate their own business risks.
- Affiliated organizations need information about the System and the controls to manage and assess the risks associated with doing business with the entity.
- Industries that represent membership (e.g. consortiums, unions, federations) need information about the System to better meet the needs of their constituents.
- Prospective customers and business partners may need information about the System to assist with their supplier selection or to ensure the supplier’s compliance with regulatory requirements.
There are a total of ten Description Criteria (DC) requirements, summarized below. Remember, I will take a deep dive in a 2-part blog series later.
- DC 1: Describe the types of goods and the characteristics of their production, manufacturing, or distribution processes.
- DC 2: Describe the main product specifications, commitments, and requirements (System objectives).
- DC 3: For identified incidents resulting from (a) ineffective controls or (b) significant failure to achieve one or more System objectives, the Company must describe the nature, timing, and effect of each incident.
- DC 4: Describe significant risks that affect the Company’s production, manufacturing, or distribution.
- DC 5: Describe inputs to the System (e.g. raw materials) and components used to produce, manufacture, or distribute the product.
- DC 6: Describe applicable Trust Services Criteria and related controls designed to show that the Company’s System objectives were achieved.
- DC 7: If a customer’s controls are necessary when combined with Company controls to achieve System objectives, the Company must describe those complementary customer controls.
- DC 8: If a supplier’s controls are necessary when combined with Company controls to achieve System objectives, the Company must use either the carve-out method or the inclusive method when describing the System objectives.
- DC 9: Describe any of the applicable Trust Services Criteria that are not relevant to the System and the reasons they are not relevant.
- DC 10: Describe significant changes to the System and to the Company’s controls that are necessary to achieve the System objectives.
The comment period for this exposure draft ended February 28, 2019.
Upon its release, the SOC for Supply Chain Guide will assist organizations in addressing third-party risk, one of today’s leading threats to organizational security.