There continues to be extensive demand for SOC 2® reports from entities that provide services to other organizations, because those organizations need to address the business risks, including cyber-risk, that come with outsourcing to an external party. As requests for assurance grew beyond entities that provide services, the AICPA issued a new SOC for Supply Chain attestation report in March 2020. This report gives users of products produced, manufactured or distributed by an entity information they can use to understand and manage the risks, including cybersecurity risks, arising from their business relationship with that entity.
Why SOC for Supply Chain is needed
Using third-party vendors creates additional risk for an organization, so a supply chain risk management program is essential. Such programs evaluate risks such as the following:
- Loss of sensitive data (e.g., food or drug recipes, product specifications, formulas, system code, ingredients, engineering designs/drawings or other intellectual property, and commercial information)
- Inadequate logical and physical access controls over the production control systems used to manufacture products or internet-connected devices (cybersecurity risk)
- Products that do not meet performance and quality specifications
- Products not available due to supply chain disruptions (inability to meet delivery commitments)
The new examination report gives business partners transparent information about the entity's system and its controls, and provides assurance that the entity has effective processes and controls over the system in scope.
Potential benefits of SOC for Supply Chain
- Improved transparency of the entity's processes and controls for current and potential clients
- Enhanced reputation and brand, and a potential market differentiator
- Potential reduction of vendor questionnaires or on-site audits
What information is in the report?
The SOC for Supply Chain report is similar to a SOC 2 report and contains several sections that provide intended users with relevant information about the system in scope. The entity may scope the examination to include one or more of the AICPA's trust services categories (i.e., security, availability, confidentiality, processing integrity and/or privacy). The SOC for Supply Chain report contains the following key elements:
- A description of the system used by the entity to produce, manufacture or distribute products in accordance with the AICPA description criteria (DC section 300: 2020 Description Criteria for a Description of an Entity’s Production, Manufacturing or Distribution System in a SOC for Supply Chain Report).
- The specific controls the entity has implemented to achieve its principal system objectives, based on the AICPA trust services criteria (TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality and Privacy).
- The practitioner’s test procedures performed for the specific controls listed and the testing results.
- Management’s assertion and the practitioner’s opinion on the description and effectiveness of the controls.
For the description to be in accordance with the AICPA description criteria, it must include information about the system for each of the 10 description criteria, to the extent a criterion is applicable to the system.
When SOC 2 was initially released, there was little to no demand for the report. Within a few years, however, demand skyrocketed, and a SOC 2 report has become a valuable asset for service organizations trying to close new business. In the early years of SOC 2, demand fell most heavily on middle market service organizations, because large public companies required SOC 2 assurance before doing business with them.
Based on historical trends in SOC reporting and the supply chain concerns raised by the 2020 worldwide pandemic, RSM believes a similar trend is likely for SOC for Supply Chain: larger organizations will require middle market organizations to produce a SOC report so they can evaluate and monitor their supply chain risks. To get out in front of this trend, organizations should evaluate their current and future customers to determine whether such reporting would be needed or beneficial.
Organizations should discuss this potential report with a trusted advisor to fully understand the requirements and develop a strategic road map for completing a SOC for Supply Chain examination. Key items to consider and perform when developing the plan include:
- Understand the reporting requirements of the intended users
- Understand the data flow and systems within scope to produce, manufacture or distribute your product
- Identify existing controls, map them to the applicable AICPA trust services criteria and assess their design and operation
- Develop a remediation plan for any control gaps
RSM can help your organization prepare for a future SOC report through our SOC readiness offering, including educating your organization on the technical aspects of SOC reporting.