In 2020 the American Institute of Certified Public Accountants (AICPA) introduced the SOC for Vendor Supply Chain Assessment to provide a framework for reporting the risks related to vendor supply chains, adding to the existing SOC frameworks of SOC 1, 2, and 3 and SOC for Cybersecurity. With this new guidance, risks inherent to an organization’s production, manufacturing, or distribution systems can be further mitigated through testing and certification, allowing user entities to place greater reliance on those systems. In today’s technologically driven environment, with a vast network of connections between manufacturers, vendors, and logistics organizations, a unifying framework of controls is needed to provide assurance to those who rely on supply chain services. Businesses that develop and maintain controls in these areas and are issued a SOC for Supply Chain report by a reputable CPA firm can set themselves apart on the competitive landscape from those that do not report on these activities.
Similar to traditional SOC 2 reports, SOC for Supply Chain reports use the AICPA’s Trust Service Criteria (TSC) of security, availability, processing integrity, confidentiality, and privacy. As with the SOC 2 reporting framework, the security criterion is a required component of all SOC for Supply Chain reports, while inclusion of the remaining criteria is left to the discretion of the entity receiving the SOC for Supply Chain report. Organizations will need to consider their processes and select the appropriate criteria to meet the needs of the end users of the report. In a SOC for Supply Chain report, these end users could include boards of directors, senior management, and other stakeholders who are seeking to assess the various supply chain risks of an organization while evaluating potential supplier relationships. Once the relevant criteria have been chosen, controls must be identified and mapped to the different areas of the Trust Service Criteria. The other components of this type of report are the same as in other SOC reports: the overall opinion of the independent auditor, management’s assertion, management’s description, and the independent auditor’s test of controls, including the results of the testing.
SOC for Supply Chain reports help provide assurance over a wide range of risks, addressing many of the chief concerns of the industry, which can include cyber breaches, physical security, and contractual commitments, as well as the need to comply with industry standards, laws, and the demands of customers. Early adopters of the new SOC for Supply Chain report could gain efficiencies in their business through demonstrated compliance with industry standards and regulations, and would likely reduce the burden of frequent informational requests from would-be business partners, creating more time to focus on the other essential tasks of daily operations. A single report can help provide assurance to both new and existing customers, enhancing the organization’s reputation within the supply chain industry.
If you are involved in a business that produces, manufactures, or distributes products, or a business that is a supplier in a supply chain-related business, a SOC for Supply Chain report could meet the needs of your business. Contact our knowledgeable and experienced team here at McKonly and Asbury for answers to your questions and for help determining whether this type of report could meet the needs of your business.