Mitigate Risk and Reduce Due Diligence Effort with a SOC for Supply Chain Report

In today’s complex production, manufacturing, and distribution environment, many organizations face significant risks in supply chain management when delivering their products or services to customers.

However, understanding risks associated with providing goods or services—and how vendors, suppliers, and business partners are mitigating them—can help organizations operate with fewer errors and delays.

A System and Organization Controls (SOC) for Supply Chain Examination can help organizations demonstrate implementation and operating effectiveness of a set of internal controls to mitigate risks associated with security, availability, processing integrity, confidentiality, or privacy.

Below, we’ll cover some of the key benefits of the SOC for Supply Chain Examination, as well as steps to reduce due diligence effort and mitigate risk.

What’s a SOC for Supply Chain Examination?

The American Institute of Certified Public Accountants (AICPA) developed the SOC for Supply Chain Examination to help organizations demonstrate adherence to internal controls that detect, prevent, and respond to supply chain risks.

Similar to the suite of other SOC reports, including SOC 1, SOC 2, SOC 3, and SOC for Cybersecurity, a SOC for Supply Chain Examination allows an independent certified public accountant (CPA) to report on the design, implementation, and operating effectiveness of an organization’s controls.

It then provides a way for vendors; suppliers; and production, manufacturing, and distribution companies to communicate controls over manufacturing, production, and distribution systems to partners and customers.

The SOC for Supply Chain Report includes four sections:

  1. The auditor’s opinion of management’s system description and design and operating effectiveness of internal controls
  2. Management’s assertion of its system description and responsibility for the design and operation of internal controls
  3. Management’s description of their manufacturing, production, or distribution system
  4. Presentation of management’s controls, how they map to the Trust Services Criteria, and the service auditor’s test procedures and conclusions on design and operating effectiveness

Criteria

During steps three and four of the SOC for Supply Chain assessment, two sets of criteria are used to determine a system’s effectiveness. The criteria are designed to allow for maximum applicability and scale for large and small organizations alike.

The Description Criteria

The description criteria are used as the framework for an organization to present a description of their production, manufacturing, or distribution system.

These criteria were released in March 2020 by the AICPA and titled, Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report.

The Control Criteria

The Trust Services Criteria are used as the framework to present the internal controls of an organization and how the Trust Services Criteria are met through those controls. These criteria use the 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, or Privacy.

Key Benefits

Reduce Time and Effort

Many customers or clients rely on manual, time-consuming assessment processes to assess if a vendor or supplier should be added to their supply chain. However, a SOC for Supply Chain Examination can quickly reduce an organization’s level of due diligence effort by cutting down time-consuming, manual procedures, such as:

  • Gathering information. Providing information on the organization’s security processes or other relevant operations through resources such as white papers and marketing materials.
  • Performing site visits. Accommodating a site visit of the manufacturing, production, or distribution facilities to observe physical controls or processes.
  • Completing questionnaires. Completing lengthy questionnaires about internal controls, which are then assessed by the customer or client.
  • Getting a third-party assessment. Providing third-party assessments, such as International Organization for Standardization (ISO) certifications or other similar certifications.

Achieve Supply Chain Objectives

A SOC for Supply Chain Examination can also help an organization’s customers or clients achieve key supply chain objectives, such as:

  • Establishing a common set of criteria for disclosures about manufacturing, production, or distribution systems
  • Creating a common set of criteria for assessing control effectiveness and design
  • Reducing required communication between organizations related to information about the manufacturing, production, or distribution system
  • Providing a standard for communicating relevant information without being required to disclose trade secrets, patents, or other intellectual property
  • Maintaining a standard for organizations when comparing various vendors or suppliers

By helping customers and clients achieve their supply chain objectives through completing a SOC for Supply Chain Examination, organizations can strengthen customer and client relations as well as demonstrate compliance through internal controls.

Mitigate Risk

A SOC for Supply Chain Examination can help reveal, mitigate, or address disruptions associated with common operational challenges including:

  • Regulatory or compliance changes
  • Financial health and vitality of a key vendor or supplier
  • Natural disasters or inclement weather
  • Civil unrest, war, military or governmental action in certain geographical locations where key processes or vendors and suppliers operate
  • Pandemics, health hazards, and disease
  • Changing political climates

Through reporting on the internal control environment, risk assessment process, and information and communication systems—while monitoring controls and internal control design, implementation, and operating effectiveness—an organization can demonstrate how it responds to and addresses the risks noted above.

Who Should Complete an Examination?

In general, a SOC for Supply Chain Examination is an important assessment for two distinct entity types:

  1. Manufacturing, production, or distribution companies that may be required by a customer to get a SOC for Supply Chain Examination
  2. Vendors or suppliers that are deemed an important part of an organization’s supply chain and could cause disruptions if their operations were compromised

In both of these instances, a customer or partnering organization could request a SOC for Supply Chain Examination be completed to determine whether or not the partnership introduces risk to their operations.

Next Steps

If your organization determines that a SOC for Supply Chain Examination could be an appropriate action to take, here are some steps to get started:

  • Understand your organization’s role in a supply chain, in providing goods and services to customers or clients
  • Assess customer requests for information through requests for proposals, security questionnaires, site visits, third-party assessments, and more
  • Engage with a CPA to discuss if a SOC for Supply Chain Examination could reduce the level of effort on vendor or supplier due diligence or when providing requested information to customers

We’re Here to Help

To learn more about the SOC for Supply Chain Examination or next steps for your organization, contact your Moss Adams professional.
