The interconnected relationship between those that manufacture or produce goods and their suppliers and distributors presents excellent opportunities such as process efficiencies and cost reductions. However, this relationship also increases the potential for supply chain risk. From regulatory requirements to ever-present cyber threats, the pressure on supply chains to protect and secure their network continues to grow.
In March of 2020, the American Institute of Certified Public Accountants (AICPA) released new guidance for reporting on controls related to supply chains. We’ll explore the What, Who, Where, Why and How of this new guidance below.
What is SOC for Supply Chain?
- As mentioned above, the AICPA released new guidance for the System and Organization Controls (SOC) for Supply Chain assurance and examination report. The supply chain examination is a part of the AICPA’s suite of SOC services.
- The SOC for Supply Chain report is intended to provide information regarding an organization’s manufacturing, production or distribution systems and the effectiveness of controls that mitigate supply chain risks.
- The SOC for Supply Chain framework and CPA’s report provide two common sets of criteria for:
- disclosures about a manufacturing, production or distribution company’s system (Description Criteria); and
- assessing control effectiveness (Trust Services Criteria).
- As with other SOC reports, components of the SOC for Supply Chain report include:
- Management’s Description
- Management’s Assertion
- Independent Auditor’s Opinion
Who needs it, and Why is it important?
Supply chain risk management continues to be a significant issue for many organizations and their stakeholders. Failure to successfully manage these risks can result in reputational damage, disruption of business and potential litigation. While the SOC for Supply Chain is industry agnostic, we’ve seen this report being driven initially by those in the utilities, automotive and pharmaceutical sectors.
The SOC for Supply Chain report provides value to both the report issuer and the report user in the following ways:
Where to learn more and How to get started?
- For more information, it is a good idea to discuss the SOC for Supply Chain reporting framework with an experienced SOC advisor. This advisor should be able to answer your questions and work with you to prepare for and issue the SOC for Supply Chain report if needed.
- Report Issuers should start by:
- Evaluating your current and future customers to determine if such reporting is needed/beneficial.
- Considering a SOC readiness assessment prior to starting the report examination.
- Report Users should start by:
- Requesting that key supply chain partners provide you with a SOC for Supply Chain report.
Have additional questions?
As SOC compliance can be a complex topic, we understand you might still have some questions: If that’s the case, please feel free to contact us.
Journet Greene is a Director in Moore Colson’s Risk Advisory and Compliance Services Practice. She leads Sarbanes-Oxley initiatives, internal audits, SOC audits and other compliance engagements for the firm’s many large IT and consulting engagements.