As anticipated, the American Institute of Certified Public Accountants (AICPA) recently released new guidance for the System and Organization Controls (SOC) for Supply Chain assurance examination and report. This supply chain examination is part of the AICPA’s suite of SOC services (see also, SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity).
The report intends to provide information about an organization’s manufacturing, production or distribution system(s), and the effectiveness of controls that mitigate supply chain risks.
Recently, supply chain risk management has become a significant issue for many organizations and their stakeholders. Given the massive disruption to supply chain caused by the COVID-19 pandemic and the lingering concerns about the vulnerability of supply chains moving forward, managing your supply chain risk – and showing proof of it – may become even more crucial.
Failure to successfully manage these supply chain risks can result in reputational damage, disruption of business or potential litigation. Therefore, organizations should carefully evaluate their current and future customers to determine if such reporting would be needed and/or beneficial.
Utilizing third-party vendors comes with inherent risks for your organization. Thus, supply chain risk management programs are vital in order to evaluate risks from the following:
The SOC for Supply Chain report can provide transparent information regarding the controls for an entity’s system to your business partners. This, in effect, offers assurance that the entity has effective processes and controls over the system in scope.
Benefits to the manufacturing organization issuing the report
Benefits to organizations receiving the report from their supply chain partners
The SOC for Supply Chain report demonstrates good business governance for the intended users. The report provides a set of common criteria for disclosures about an organization’s system for assessing control effectiveness.
As a result, the users can utilize the report as a tool to monitor the controls of their supply chain partners and make more informed decisions about the potential risks.
The SOC for Supply Chain report is similar to a SOC 2 report and contains different sections to provide intended users with relevant information about the system in scope. The entity may select the scope of the examination to include one or more of the AICPA’s trust services categories (i.e., security, availability, confidentiality, processing integrity and/or privacy). The SOC for Supply Chain report would contain the following:
For the description to satisfy the AICPA description criteria, it must include information about the system for each of the 10 various requirements (i.e., criteria) to the extent the criterion is applicable to the system.
If you employ third parties to manage your supply chain, consider requesting a SOC for Supply Chain report from these key supply chain partners. On the other side, proactive suppliers should consider undergoing a SOC for Supply Chain examination to prepare for these requests.
A few key items to consider and perform prior to undergoing an official SOC for Supply Chain examination:
As we navigate the unchartered territory, we are here to work with you to optimize your business strategies and tax planning. Baker Tilly’s manufacturing and distribution team has advanced knowledge and experience working with companies in the food and beverage sector. We make it a point to stay abreast of industry news, trends and challenges.
For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.