Supply chain management and resilience is a key agenda item for many boards – often yielding a competitive advantage.

Supply chains and suppliers have been tested and found vulnerable over recent years as a result of unavoidable changes caused by the COVID-19 pandemic, geopolitical tensions, and high energy costs. Cyber-attacks are also an ever-present risk, with severe consequences for corporates, governments, and financial institutions.

Many organisations have poor visibility of supply-chain risks and understanding of relevant processes and controls operated by their key suppliers.

According to the National Cyber Security Centre (NCSC) 2022 survey, only 13% of businesses reviewed the risks posed by their immediate suppliers, and only 7% of businesses reviewed wider supply-chain risks.

To meet the growing need to understand and manage supply chain risks, the American Institute of Certified Public Accountants (AICPA) has developed a protocol for entities who want to increase transparency on how they're managing their supply-chain risk. The protocol includes guidance and a voluntary supply chain reporting framework: SOC for Supply Chain.

What is SOC for Supply Chain?

The SOC for Supply Chain reporting framework is focused on helping an organisation, its suppliers, customers, and business partners to evaluate and establish a supply chain-risk management programme, as they're responsible for identifying, evaluating, and addressing risks associated with it. The framework adopts a similar approach to existing SOC 1 and SOC 2 examinations, ensuring that the testing requirements, report format, and contents are robust, well established, and recognised in the market.

Who will benefit from SOC for supply chain?

SOC for Supply Chain can be used by organisations of any size, in any industry, but some entities will see greater benefits:

  • Producers: organisations that extract raw materials, produce food or other products, or develop software
  • Manufacturers: organisations that transform raw materials or components into other components or finished goods for use or sale
  • Commercial software developers: entities that develop and sell commercial software
  • Distribution companies: entities that provide or manage all or a significant part of another entity's logistics, including freight; customs; warehousing; packaging

What are the benefits of a SOC for Supply chain Report?

Organisations are looking for visibility across supply-chain networks to better understand the risks of doing business with suppliers both from a fraud and stability/quality basis. Putting controls in place is therefore necessary to mitigate risk.

Often organisations rely on manual, time-consuming third party risk assessments, or tailored audits addressing the supply chain risks. A SOC for Supply Chain examination can reduce vendor due diligence efforts as part of onboarding exercise, to a great extent by:

  • eliminating need for sending lengthy vendor assessment questionnaires
  • reducing need for information gathering about cyber security processes, HR processes, and other relevant controls in place
  • reducing need for site visits as the SOC report can provide visibility of controls and processes in place
  • establishing a standard set of criteria for supply chain controls design and effectiveness which can be maintained for key suppliers and eventually help provide assurance to the customers and key stakeholders
  • enhancing an entity’s reputation and brand, and a likely market differentiator.

Businesses are also exposed to bribery, human rights, and environmental risks in their supply chain which adversely impact their brand and global reputation. SOC for supply chain enables identification and assessment of ESG risks throughout the entire supply chain. This is especially relevant for industries such as agriculture, food, fashion, timber production, and mining, which are often vulnerable to these risks. Your organisation will be able to understand components that make up ESG compliance requirements and see tasks and their responsible people clearly, having clarity as to where to get information throughout your supply chain.

Learn more about how our Service organisation controls report services can help you
Independent assurance that gives your customers confidence
Learn more about how our Service organisation controls report services can help you
Visit our Service organisation controls report page

What is the focus area in SOC for Supply Chain reporting?

SOC for supply chain description criteria (DC300) aims to create a common framework for developing and reporting their supply chain risk management efforts, which will be used by an auditor in providing an opinion in the SOC report. The 10 description criteria listed in SOC for supply chain are below:

  • DC1: the types of goods produced, manufactured, or distributed by an entity
  • DC2: the principal product performance specifications, commitments, and requirements and production, manufacturing, or distribution components and requirements (principal system objectives)
  • DC3: system incidents
  • DC4: risks that may have a significant effect on the company’s ability to achieve its principal objectives
  • DC5: relevant information about the system that produces, manufactures, or distributes the products
  • DC6: the applicable trust services criteria and the related controls designed to provide reasonable assurance that the entity’s principal system objectives were achieved
  • DC7: complementary customer controls (CCCs)
  • DC8: complementary supplier controls (CSCs)
  • DC9: specific trust services criteria that isn't relevant to the system and the reason why it isn't relevant
  • DC10: significant changes to the system during the period (Type 2 reports only)

Next steps

It's important to produce a quality SOC report using a mature and robust framework to help respond effectively to stakeholder requirements. However, understanding issues that may arise when delivering your report is key for effectiveness and efficiency and ensuring it can be shared with multiple owners.

For more insight and guidance, get in touch with Tim Foster-Key or Eddie Best.

Heads of internal audit: technical updates and guidance to support your role

Get the latest insights, events and guidance, straight to your inbox.