Change is coming. For those in industries utilizing supply chains, change has been a constant over the last few years.
Between evolving customer expectations, increased volatility and uncertainty in the market, and the emergence of networked supply chains (due in part to the rise of blockchain technology), those in manufacturing & distribution industries, for example, are feeling the weight of change on their supply chain operations. And they are not the only ones to notice.
The American Institute of Certified Public Accountants (AICPA), will begin offering SOC for Supply Chains, a new assurance framework, by the end of the month.
First and foremost, SOC refers to System of Organization Controls. CPAs utilize SOC guidelines to effectively provide audit, reporting and assurance services related to the relevant system of controls.
Each SOC report evaluates the description of the entity’s system, as well as the operating effectiveness and suitability of the design of the controls. The final SOC report intends to help users understand the controls the entity has in place to support operations and compliance.
SOC for Supply Chains builds on the AICPA’s current suite of SOC services including the SOC for Service Organizations and SOC for Cybersecurity frameworks.
Differentiating itself from the others, SOC for Supply Chains reports on the internal controls of an entity’s system for producing, manufacturing or distributing goods. The report provides a better understanding of the risks in the entity’s supply chains.
As we move into the new decade, we have to acknowledge the evolution of consumer expectations and the constant technological enhancements that continue to push innovation.
Customers are key for any business. So when their expectations for your business change, it is important to be mindful of that and adjust accordingly. In 2020, customers expect on-demand, personalized and customized products and services.
There is also an expectation of data protection. With more data available to companies and more data needed to personalize services, there is a growing uncertainty about the safety of our data.
The most recent Salesforce Research Study found that 62% of customers said they are more afraid of their data being compromised now than they were two years ago. This becomes especially relevant when we consider how technological supply chains are becoming with the integration of artificial intelligence and blockchain technology.
The changes in the manufacturing & distribution are not limited to customer expectations. In the last few years we have witnessed the growth of networked supply chains.
For example, the rise of Anything-as-a-Service (XaaS) and Manufacturing-as-a-Service (MaaS) has led to more connected supply chains and technologically integrated partners. With more participants in the supply chain, more vast technology and more available data, the need for proper controls becomes even more critical.
The evolution in customer expectations and the rise of networked supply chains both lead to a similar conclusion for you and your business: the demands on your supply chain are changing.
The question is, do your clients have confidence and trust in your systems? This is where the SOC for Supply Chains becomes invaluable.
There is a high level of interdependence and connectivity within any supply chain. These relationships can result in additional risks to suppliers, customers and business partners. Now it is up to you to instill confidence in your systems and controls with a SOC for Supply Chains report.
A SOC for Supply Chains intends to:
How can I use the SOC for Supply Chain report?
Those participating in supply chain operations can utilize the report in order to:
For whom is the SOC for Supply Chains report applicable?
A SOC for Supply Chains examination addresses any system used to produce, manufacture, or distribute goods. Some examples include the following:
The SOC for Supply Chains report will most likely consist of the following components:
The description criteria establishes the types of disclosures expected in the system description. The system description should include:
Control criteria evaluates the effectiveness of controls to provide reasonable assurance that the entity’s principal system objectives are met. This is the same control criteria as those in an SOC 2 report – the trust services criteria. The information of the control criteria may relate to one or more of the following categories:
1. Security – commitments regarding the system’s protection from physical and logical (including cybersecurity) risks.
2. Availability – the product’s availability in quantities and at times agreed-upon with customers, the achievement of delivery commitments and distribution in accordance with applicable laws and regulations.
3. Processing integrity – whether the product meets the product specifications agreed upon with customers, conformity with commitments or product requirements made to customers or to meet laws/regulations.
4. Privacy – achievement of commitments and system requirements identified in the entity’s privacy notice or policy.
5. Confidentiality – Achievement of specific commitments made to customers or business partners.
For example, if the SOC for Supply Chains report addresses security, entity management would provide information about the controls in place to address the security category criteria. The entity would identify its principal security system objectives and determine controls in place to achieve the objectives based on the security trust services criteria. This may include controls over logical and physical security, incident management, change management, or other.
As explained above, SOC is a suite of service offerings CPAs may provide in connection with system-level controls of a service organization or entity-level controls of other organizations. There are three main categories of SOC services:
1. SOC of Service Organizations
This is an internal controls report on the services provided by a service organization. It provides valuable information for users to assess and address the risks associated with an outsourced service. SOC of Service Organizations consists of:
2. SOC for Cybersecurity
SOC for Cybersecurity is a reporting framework through which organizations can communicate relevant and useful information about the effectiveness of their cybersecurity risk management program.
3. SOC for Supply Chains
As discussed, SOC for Supply Chains is an internal controls report on an entity’s system of controls for producing, manufacturing or distributing goods in order to better understand the cybersecurity risks in their supply chains.
As we navigate the unchartered territory, we are here to work with you to optimize your business strategies and tax planning. Baker Tilly’s manufacturing and distribution team has advanced knowledge and experience working with companies in the food and beverage sector. We make it a point to stay abreast of industry news, trends and challenges.
Let Baker Tilly be that partner for you.