
AICPA releases SOC for Supply Chain reporting framework

As anticipated, the American Institute of Certified Public Accountants (AICPA) recently released new guidance for the System and Organization Controls (SOC) for Supply Chain assurance examination and report. This supply chain examination is part of the AICPA’s suite of SOC services (see also, SOC 1, SOC 2, SOC 3 and SOC for Cybersecurity).

The report intends to provide information about an organization’s manufacturing, production or distribution system(s), and the effectiveness of controls that mitigate supply chain risks.

Recently, supply chain risk management has become a significant issue for many organizations and their stakeholders. Given the massive disruption to supply chains caused by the COVID-19 pandemic and the lingering concerns about the vulnerability of supply chains moving forward, managing your supply chain risk – and showing proof of it – may become even more crucial.

Failure to successfully manage these supply chain risks can result in reputational damage, disruption of business or potential litigation. Therefore, organizations should carefully evaluate their current and future customers to determine if such reporting would be needed and/or beneficial.

Why is SOC for Supply Chain important?

Utilizing third-party vendors comes with inherent risks for your organization. Thus, supply chain risk management programs are vital in order to evaluate risks from the following:

  • Loss of sensitive data (i.e., food or drug recipes, product specifications, formulas, system codes, ingredients, engineering designs/drawings or other intellectual property, and commercial information).
  • Lack of adequate logical and physical access to production control systems (cybersecurity risks) utilized to manufacture products.
  • Products that fail to meet performance and quality specifications.
  • Products become unavailable due to supply chain disruptions (inability to meet delivery commitments). This one is particularly relevant given the severe impact of COVID-19 on global supply chains.

The SOC for Supply Chain report can provide transparent information regarding the controls for an entity’s system to your business partners. This, in effect, offers assurance that the entity has effective processes and controls over the system in scope.

What are the potential benefits of the new reporting framework?

Benefits to the manufacturing organization issuing the report

  • A SOC for Supply Chain examination can serve as a way for suppliers to demonstrate to customers that they are adequately managing their risks. Serving as an increased risk assessment, the examination can help management assess and manage their risks, while simultaneously potentially saving the organization money and allowing for more informed decision-making.
  • The report offers improved transparency of your entity’s processes and controls to existing and potential clients.
  • The examination could elevate your company’s reputation and brand, thereby acting as a market differentiator.
  • The report may reduce your communication and compliance burden by decreasing the number of vendor questionnaires or on-site visits.

Benefits to organizations receiving the report from their supply chain partners

The SOC for Supply Chain report demonstrates good business governance for the intended users. The report provides a set of common criteria for disclosures about an organization’s system for assessing control effectiveness.

As a result, the users can utilize the report as a tool to monitor the controls of their supply chain partners and make more informed decisions about the potential risks.

What information does the report contain?

The SOC for Supply Chain report is similar to a SOC 2 report and contains different sections to provide intended users with relevant information about the system in scope. The entity may select the scope of the examination to include one or more of the AICPA’s trust services categories (i.e., security, availability, confidentiality, processing integrity and/or privacy). The SOC for Supply Chain report would contain the following:

  1. A description of the entity’s system used to produce, manufacture or distribute products in accordance with the AICPA description criteria.
  2. The specific controls of the entity to achieve the principal system objectives based on the AICPA trust services criteria (updated in March 2020).
  3. The practitioner’s test procedures performed for the specific controls listed and the testing results.
  4. Management’s assertion and the practitioner’s opinion on the description and effectiveness of the controls.

For the description to satisfy the AICPA description criteria, it must include information about the system for each of the 10 various requirements (i.e., criteria) to the extent the criterion is applicable to the system.

What steps can I take now?

If you employ third parties to manage your supply chain, consider requesting a SOC for Supply Chain report from these key supply chain partners. On the other side, proactive suppliers should consider undergoing a SOC for Supply Chain examination to prepare for these requests.

A few key items to consider and perform prior to undergoing an official SOC for Supply Chain examination:

  • Understand the reporting requirements of the intended users
  • Understand the data flow and systems to produce, manufacture or distribute your product
  • Identify, map and assess controls to the various AICPA trust criteria
  • Develop a remediation plan for any control gaps

As we navigate the uncharted territory, we are here to work with you to optimize your business strategies and tax planning. Baker Tilly’s manufacturing and distribution team has advanced knowledge and experience working with companies in the food and beverage sector. We make it a point to stay abreast of industry news, trends and challenges.

For more information on this topic, or to learn how Baker Tilly specialists can help, contact our team.
