The SOC for Supply Chains framework is on its way

Change is coming. For those in industries utilizing supply chains, change has been a constant over the last few years.

Between evolving customer expectations, increased volatility and uncertainty in the market, and the emergence of networked supply chains (due in part to the rise of blockchain technology), those in manufacturing & distribution industries, for example, are feeling the weight of change on their supply chain operations. And they are not the only ones to notice.

The American Institute of Certified Public Accountants (AICPA), will begin offering SOC for Supply Chains, a new assurance framework, by the end of the month.

What is SOC for Supply Chain?

First and foremost, SOC refers to System of Organization Controls. CPAs utilize SOC guidelines to effectively provide audit, reporting and assurance services related to the relevant system of controls.

Each SOC report evaluates the description of the entity’s system, as well as the operating effectiveness and suitability of the design of the controls. The final SOC report intends to help users understand the controls the entity has in place to support operations and compliance.

SOC for Supply Chains builds on the AICPA’s current suite of SOC services including the SOC for Service Organizations and SOC for Cybersecurity frameworks.

Differentiating itself from the others, SOC for Supply Chains reports on the internal controls of an entity’s system for producing, manufacturing or distributing goods. The report provides a better understanding of the risks in the entity’s supply chains.

Why is this important?

As we move into the new decade, we have to acknowledge the evolution of consumer expectations and the constant technological enhancements that continue to push innovation.

Customers are key for any business. So when their expectations for your business change, it is important to be mindful of that and adjust accordingly. In 2020, customers expect on-demand, personalized and customized products and services.

There is also an expectation of data protection. With more data available to companies and more data needed to personalize services, there is a growing uncertainty about the safety of our data.

The most recent Salesforce Research Study found that 62% of customers said they are more afraid of their data being compromised now than they were two years ago. This becomes especially relevant when we consider how technological supply chains are becoming with the integration of artificial intelligence and blockchain technology.

The changes in the manufacturing & distribution are not limited to customer expectations. In the last few years we have witnessed the growth of networked supply chains.

For example, the rise of Anything-as-a-Service (XaaS) and Manufacturing-as-a-Service (MaaS) has led to more connected supply chains and technologically integrated partners. With more participants in the supply chain, more vast technology and more available data, the need for proper controls becomes even more critical.

The evolution in customer expectations and the rise of networked supply chains both lead to a similar conclusion for you and your business: the demands on your supply chain are changing.

The question is, do your clients have confidence and trust in your systems? This is where the SOC for Supply Chains becomes invaluable.

What is the purpose of SOC for Supply Chains?

There is a high level of interdependence and connectivity within any supply chain. These relationships can result in additional risks to suppliers, customers and business partners. Now it is up to you to instill confidence in your systems and controls with a SOC for Supply Chains report.

A SOC for Supply Chains intends to:

1. Provide report users with information about a system used to produce, manufacture, or distribute goods and the relevant controls within that system.
2. Address risks associated with doing business with manufacturers, producers and distribution companies.
3. Allow for companies to communicate useful information about their systems, and the controls within their systems, to customers.

How can I use the SOC for Supply Chain report?

Those participating in supply chain operations can utilize the report in order to:

• Identify, assess and manage risks that arise from doing business with your business/entity;
• Communicate to suppliers, business partners and distribution companies the relevant information about your risk-management efforts related to production and delivery of goods used in a supply chain; and/or
• Express an opinion about whether:
  undefinedundefined

For whom is the SOC for Supply Chains report applicable?

A SOC for Supply Chains examination addresses any system used to produce, manufacture, or distribute goods. Some examples include the following:

• Producers – includes entities that extract raw materials (e.g. oil and gas extraction, mining, dredging, and quarrying, etc.); produce food, feed, fiber and other products through the cultivation of plants and raising livestock; or develop software for onsite installation.
• Manufacturers – includes entities that transform raw materials or components into other components/finished goods for use or sale (e.g., manufacturers of automobiles, computer parts, appliances, furniture, sports equipment, etc.)
• Software Developers – includes those who develop and sell software designed for user implementation with minimal to no customization of the underlying computer code.
• Distributors – includes business that provides or manages another entity’s logistics, including inbound freight, customs, inventory management, order fulfillment, etc. In other words, distributors include third-party logistics (3PL or TPL) companies.

What are the proposed contents of a SOC for Supply Chains report?

The SOC for Supply Chains report will most likely consist of the following components:

1. Description of the entity’s system prepared in accordance with the description criteria.
2. Management’s assertion about the description of the system and whether controls were effective to provide reasonable assurance that the system’s principal objectives were achieved based on the applicable trust services criteria.
3. The CPA/practitioner’s opinion on the description and whether the controls stated in the description effectively provided reasonable assurance that the system’s principal objectives were achieved based on the applicable trust services criteria.
4. Description of the practitioner’s testing procedures and results.

Report Criteria

The description criteria establishes the types of disclosures expected in the system description. The system description should include:

• Principal product/production manufacturing or distribution commitments and requirements (also known as the principal system objectives);
• Types of goods produced/manufactured/distributed;
• Risks that affect the entity’s production, manufacturing or distribution; and
• Inputs to the system and the components used to produce/manufacture or distribute the product

Control criteria evaluates the effectiveness of controls to provide reasonable assurance that the entity’s principal system objectives are met. This is the same control criteria as those in an SOC 2 report – the trust services criteria. The information of the control criteria may relate to one or more of the following categories:

1. Security – commitments regarding the system’s protection from physical and logical (including cybersecurity) risks.

2. Availability – the product’s availability in quantities and at times agreed-upon with customers, the achievement of delivery commitments and distribution in accordance with applicable laws and regulations.

3. Processing integrity – whether the product meets the product specifications agreed upon with customers, conformity with commitments or product requirements made to customers or to meet laws/regulations.

4. Privacy – achievement of commitments and system requirements identified in the entity’s privacy notice or policy.

5. Confidentiality – Achievement of specific commitments made to customers or business partners.

For example, if the SOC for Supply Chains report addresses security, entity management would provide information about the controls in place to address the security category criteria. The entity would identify its principal security system objectives and determine controls in place to achieve the objectives based on the security trust services criteria. This may include controls over logical and physical security, incident management, change management, or other.

How is SOC for Supply Chain different from other SOC reports?

As explained above, SOC is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. There are three main categories of SOC services:

1. SOC of Service Organizations

This is an internal controls report on the services provided by a service organization. It provides valuable information for users to assess and address the risks associated with an outsourced service. SOC of Service Organizations consists of:

• SOC 1 – SOC for Service Organizations: ICFR
• SOC 2 – SOC for Service Organizations: Trust Services Criteria
• SOC 3 – SOC for Service Organizations: Trust Services Criteria for General Use Report

2. SOC for Cybersecurity

SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant and useful information about the effectiveness of their cybersecurity risk management program.

3. SOC for Supply Chains

As discussed, SOC for Supply Chains is an internal controls report on an entity’s system of controls for producing, manufacturing or distributing goods in order to better understand the cybersecurity risks in their supply chains.

As we navigate the unchartered territory, we are here to work with you to optimize your business strategies and tax planning. Baker Tilly’s manufacturing and distribution team has advanced knowledge and experience working with companies in the food and beverage sector. We make it a point to stay abreast of industry news, trends and challenges. 

Let Baker Tilly be that partner for you.