Change is coming. For those in industries utilizing supply chains, change has been a constant over the last few years.
Between evolving customer expectations, increased volatility and uncertainty in the market, and the emergence of networked supply chains (due in part to the rise of blockchain technology), those in manufacturing & distribution industries, for example, are feeling the weight of change on their supply chain operations. And they are not the only ones to notice.
What is SOC for Supply Chain?
First and foremost, SOC refers to System of Organization Controls. CPAs utilize SOC guidelines to effectively provide audit, reporting and assurance services related to the relevant system of controls.
Each SOC report evaluates the description of the entity’s system, as well as the operating effectiveness and suitability of the design of the controls. The final SOC report intends to help users understand the controls the entity has in place to support operations and compliance.
SOC for Supply Chains builds on the AICPA’s current suite of SOC services including the SOC for Service Organizations and SOC for Cybersecurity frameworks.
Differentiating itself from the others, SOC for Supply Chains reports on the internal controls of an entity’s system for producing, manufacturing or distributing goods. The report provides a better understanding of the risks in the entity’s supply chains.
Why is this important?
As we move into the new decade, we have to acknowledge the evolution of consumer expectations and the constant technological enhancements that continue to push innovation.
Customers are key for any business. So when their expectations for your business change, it is important to be mindful of that and adjust accordingly. In 2020, customers expect on-demand, personalized and customized products and services.
There is also an expectation of data protection. With more data available to companies and more data needed to personalize services, there is a growing uncertainty about the safety of our data.
The most recent Salesforce Research Study found that 62% of customers said they are more afraid of their data being compromised now than they were two years ago. This becomes especially relevant when we consider how technologically driven supply chains are becoming with the integration of artificial intelligence and blockchain technology.
The changes in manufacturing & distribution are not limited to customer expectations. In the last few years, we have witnessed the growth of networked supply chains.
For example, the rise of Anything-as-a-Service (XaaS) and Manufacturing-as-a-Service (MaaS) has led to more connected supply chains and technologically integrated partners. With more participants in the supply chain, more extensive technology and more available data, the need for proper controls becomes even more critical.
The evolution in customer expectations and the rise of networked supply chains both lead to a similar conclusion for you and your business: the demands on your supply chain are changing.
The question is, do your clients have confidence and trust in your systems? This is where the SOC for Supply Chains becomes invaluable.
What is the purpose of SOC for Supply Chains?
There is a high level of interdependence and connectivity within any supply chain. These relationships can result in additional risks to suppliers, customers and business partners. Now it is up to you to instill confidence in your systems and controls with a SOC for Supply Chains report.
A SOC for Supply Chains intends to:
- Provide report users with information about a system used to produce, manufacture, or distribute goods and the relevant controls within that system.
- Address risks associated with doing business with manufacturers, producers and distribution companies.
- Allow companies to communicate useful information about their systems, and the controls within their systems, to customers.
How can I use the SOC for Supply Chain report?
Those participating in supply chain operations can utilize the report in order to:
- Identify, assess and manage risks that arise from doing business with your business/entity;
- Communicate to suppliers, business partners and distribution companies the relevant information about your risk-management efforts related to production and delivery of goods used in a supply chain; and/or
- Express an opinion about whether:
  - The presented description aligns with the description criteria; or
  - Controls were effective to provide reasonable assurance that your system objectives were achieved based on the applicable trust services criteria.
For whom is the SOC for Supply Chains report applicable?
A SOC for Supply Chains examination addresses any system used to produce, manufacture, or distribute goods. Some examples include the following:
- Producers – includes entities that extract raw materials (e.g. oil and gas extraction, mining, dredging, and quarrying, etc.); produce food, feed, fiber and other products through the cultivation of plants and raising livestock; or develop software for onsite installation.
- Manufacturers – includes entities that transform raw materials or components into other components/finished goods for use or sale (e.g., manufacturers of automobiles, computer parts, appliances, furniture, sports equipment, etc.)
- Software Developers – includes those who develop and sell software designed for user implementation with minimal to no customization of the underlying computer code.
- Distributors – includes businesses that provide or manage another entity’s logistics, including inbound freight, customs, inventory management, order fulfillment, etc. In other words, distributors include third-party logistics (3PL or TPL) companies.
What are the proposed contents of a SOC for Supply Chains report?
The SOC for Supply Chains report will most likely consist of the following components:
- Description of the entity’s system prepared in accordance with the description criteria.
- Management’s assertion about the description of the system and whether controls were effective to provide reasonable assurance that the system’s principal objectives were achieved based on the applicable trust services criteria.
- The CPA/practitioner’s opinion on the description and whether the controls stated in the description effectively provided reasonable assurance that the system’s principal objectives were achieved based on the applicable trust services criteria.
- Description of the practitioner’s testing procedures and results.
The description criteria establish the types of disclosures expected in the system description. The system description should include:
- Principal product/production manufacturing or distribution commitments and requirements (also known as the principal system objectives);
- Types of goods produced/manufactured/distributed;
- Risks that affect the entity’s production, manufacturing or distribution; and
- Inputs to the system and the components used to produce/manufacture or distribute the product.
The control criteria evaluate the effectiveness of controls to provide reasonable assurance that the entity’s principal system objectives are met. These are the same control criteria as those in a SOC 2 report – the trust services criteria. The control criteria may relate to one or more of the following categories:
1. Security – commitments regarding the system’s protection from physical and logical (including cybersecurity) risks.
2. Availability – the product’s availability in quantities and at times agreed-upon with customers, the achievement of delivery commitments and distribution in accordance with applicable laws and regulations.
3. Processing integrity – whether the product meets the product specifications agreed upon with customers, conformity with commitments or product requirements made to customers or to meet laws/regulations.
4. Privacy – achievement of commitments and system requirements identified in the entity’s privacy notice or policy.
5. Confidentiality – achievement of specific commitments made to customers or business partners.
For example, if the SOC for Supply Chains report addresses security, entity management would provide information about the controls in place to address the security category criteria. The entity would identify its principal security system objectives and determine the controls in place to achieve those objectives based on the security trust services criteria. This may include controls over logical and physical security, incident management, change management, or other areas.
How is SOC for Supply Chain different from other SOC reports?
As explained above, SOC is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. There are three main categories of SOC services:
1. SOC of Service Organizations
This is an internal controls report on the services provided by a service organization. It provides valuable information for users to assess and address the risks associated with an outsourced service. SOC of Service Organizations consists of:
- SOC 1 – SOC for Service Organizations: ICFR
- SOC 2 – SOC for Service Organizations: Trust Services Criteria
- SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report
2. SOC for Cybersecurity
SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant and useful information about the effectiveness of their cybersecurity risk management program.
3. SOC for Supply Chains
As discussed, SOC for Supply Chains is an internal controls report on an entity’s system of controls for producing, manufacturing or distributing goods in order to better understand the cybersecurity risks in their supply chains.
How can Squar Milner help?
Squar Milner’s audit and assurance professionals have extensive experience handling various SOC reports. In particular, our Business Risk Services department boasts considerable expertise in performing SOC evaluations for a range of clients across a broad spectrum of industries.
Couple our SOC reporting experience with our dedicated Manufacturing & Distribution practice professionals and you have a team ready to help. Seeing as the SOC for Supply Chains report is new to the suite of SOC offerings, you need a partner by your side with the knowledge and technical skill to make sure everything is handled with utmost care and diligence.
Let Squar Milner be that partner for you.
Please note: The above information is based on guidance that is still in exposure draft by the AICPA. Changes and requirements may occur before the official release (expected in March 2020).