AICPA Unveils New Supply Chain Risk Management Reporting Framework
Mar. 12, 2020
To help manufacturers, producers, distribution companies and their customers and business partners identify, assess and address supply chain risks, the American Institute of CPAs (AICPA) has launched SOC for Supply Chain, a new risk reporting framework.
The SOC for Supply Chain framework is a market-driven, flexible and voluntary framework for organizations to communicate certain information about their manufacturing, production or distribution system and the effectiveness of controls that mitigate supply chain risks.
“Today’s supply chains are highly sophisticated and complex; there is often a high level of interdependence and connectivity between them, which increases an organization’s vulnerability to risk,” said Amy Pawlicki, AICPA Vice President – Assurance and Advisory Innovation. “Our new SOC for Supply Chain framework can help an organization assess risk, understand the effectiveness of its controls and identify shortfalls.”
The introduction of this new framework provides an opportunity for organizations to have an examination engagement performed on their manufacturing, production or distribution system. This type of audit provides a CPA’s opinion on the organization’s description of the system it uses to manufacture, produce or distribute products and an opinion on the effectiveness of the controls within that system. The benefits of this examination include the following:
- Helps organizations save money and focus on business growth. Having a SOC for Supply Chain examination may help an organization better assess and manage risks that could otherwise cost it significant money and time.
- Demonstrates good governance, which is good business. Customers, business partners and other interested parties may want to know that organizations are exhibiting good governance, which includes good supply chain risk management. A SOC for Supply Chain examination provides an audited track record that demonstrates success and a commitment to customers and business partners.
- Provides a competitive edge. A SOC for Supply Chain examination provides stakeholders, such as customers and business partners, with confidence that an organization has the right systems and controls in place to mitigate and manage supply chain risk.
The new SOC for Supply Chain framework helps organizations take a proactive and agile approach to supply chain risk management. Three resources that support the framework were also released today:
- Description criteria: The AICPA’s Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report includes the criteria used to prepare and evaluate the description of a manufacturer’s, producer’s or distribution company’s system.
- Trust services criteria (updated): The AICPA’s 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy is used to evaluate and report on the effectiveness of the controls within an organization’s system.
- CPA guide: Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System. Developed by a joint working group of the AICPA Assurance Services Executive Committee and the Auditing Standards Board, the guide provides guidance to CPAs on performing the new SOC for Supply Chain Examination.
The SOC for Supply Chain examination is part of the AICPA’s suite of System and Organization Controls (SOC) services, which enable CPAs to examine and report on system or entity-level controls at a variety of organizations. The SOC suite of services is unique, serving as a critical step toward a transparent, consistent, market- and business-based mechanism for companies to communicate effectively with key stakeholders about how they are managing third-party risks, including those related to cybersecurity and supply chain.
- SOC 1, SOC 2 and SOC 3 address system controls at service organizations.
- SOC for Cybersecurity addresses organization-wide cybersecurity controls within any type of organization.
- NEW: SOC for Supply Chain addresses controls related to manufacturing, production and distribution procedures.
“This framework is a vital step in helping companies that manufacture, produce, or distribute products explain how they are managing risks in their supply chains,” said Mimi Blanco-Best, CPA, AICPA Associate Director – Attestation Methodology and Guidance. “We believe investors, boards, audit committees, customers and business partners will see tremendous value in gaining a better understanding of how those companies are managing their supply chain risks. Combined with the CPA’s opinion, this will increase stakeholders’ confidence in a company’s due care and diligence.”