Part 1 of 2 in a deep dive into the AICPA’s proposed Description Criteria for its new SOC Suite of Services, SOC for Supply Chain

Recently, the AICPA has released its exposure draft for the SOC for Supply Chain Description Criteria for public comment. In a follow-up to our recent blog summarizing the Description Criteria, this blog will be part of a 2-part series exploring the details.

In the first part, we will discuss the importance of describing the inputs and outputs to the System in a Supply Chain SOC report.



 Description Criteria

There are a total of 10 Description Criteria, and in this post we’ll cover the first five. Let’s take a deep dive into each.

DC 1: Describe the types of goods and the characteristics of their production, manufacturing, or distribution processes.

The types of goods produced, manufactured, or distributed by the company will vary by industry. For example, some producers may describe their raw materials, whereas others (farmers) might describe the food products produced by their livestock. The system(s) used to produce these goods might include the applications and machinery used to drill for oil or inventory livestock.

DC 2: Describe the main product specifications, commitments, and requirements (system objectives).

A system provider has set objectives it needs to meet to operate effectively. These objectives generally focus on meeting customer needs and expectations and may include things such as cybersecurity protections, product specifications, and product conformity with commitments and requirements.

DC 3: For identified incidents resulting from (a) ineffective controls or (b) significant failure to achieve one or more System objectives, the Company must describe the nature, timing, and effect of each incident.

Similar to recent SOC 2 changes, incidents occurring during the period must be expounded on in the Description. Users of the report will need to determine the impact on their businesses or customers as a result of identified system incidents.

DC 4: Describe significant risks that affect the Company’s production, manufacturing, or distribution.

Significant risks disclosures are required related to characteristics disclosures, organizational and user characteristics, and the physical, environmental, technological, and organizational changes and that happened during the period.

Characteristic disclosures include such things as the use of supporting IT systems (e.g. production machinery), whether the software is internally-developed, and key product specifications.

Organizational and customer characteristics disclosures include such things as the structure of the company, changes to the structure during the period (e.g. legal changes such as acquisitions or mergers), types of business suppliers, or nature of in-house developed applications.

Physical, environmental, technological, organizational, and other changes, such as changes to manufacturing methods, changes to production business units, and changes to risk assessment monitoring resulting from the failure of controls.

DC 5: Describe inputs to the System (e.g. raw materials) and components used to produce, manufacture, or distribute the product.

Depending on the nature of the processes, the Description may need to address the system(s) used at the beginning of the cycle (raw materials or inputs) to the end, or the distribution, of the finished goods to customers.

This even includes some may “white-labeled” systems used to distribute products. In some cases, if the distributor doesn’t “transform” the product (e.g. raw materials to finished product), those processes may not be related to supply chain, but instead better addressed by a SOC 2 examination.

If portions of the System are used to create and implement executable logic, whether embedded in the product or not, and hardware and software used is used to produce and distribute the product, these should be described. Some typical examples include the use of developers, the use of automated procedures when assembling a product, the data used by the system that may be personally-identifiable, the use of purchased components as inputs, and listing the boundaries of the system (processes that may not be covered, such as the transfer of work in-between production steps) for clarity.


As noted above, the inputs and outputs to the System in the SOC for Supply Chain are crucial for users to understand the System’s operation and the controls in place to protect.

Stay tuned for DC 6-10, where we will conclude the remaining Description Criteria for Supply Chain SOC.



Ryan Wallace is a Cyber Risk Manager at HORNE Cyber where he works to provide IT-focused assurance to clients both public and private.