Organizations that provide products or services are increasingly being asked about the processes and controls in their supply chain activities (the activities involved in transforming a raw material or natural resource into a finished good). If your company has experienced this, you are not alone. The need for organizations to understand their supply chain processes, and the controls that exist to minimize the risks around those processes, has grown sharply over the past decade.
Auditing supply chain processes and controls is becoming commonplace, so much so that the American Institute of CPAs (AICPA) has released a new type of examination (or attestation) engagement. The AICPA guidance includes required description criteria and a set of suitable control criteria organized around five trust services categories (security, availability, processing integrity, confidentiality, and privacy). The description criteria and control criteria are the components used to deliver a System and Organization Controls (SOC) for Supply Chain report that can be shared with intended users. The AICPA is a respected professional member organization that has developed attestation criteria for a suite of SOC services, ranging from SOC for service organizations (SOC 1 and SOC 2, each as a Type I or Type II report) to SOC for Cybersecurity and now SOC for Supply Chain.
Intended users of a SOC for Supply Chain report are restricted; the entity that has the examination performed determines who receives the report. Intended users may include the following:
- Current business customers
- Prospective customers
- Entities in the supply chain that use your products as components of their production and manufacturing systems
- Entities that use your products as inputs to their products
- Entities that use your products as part of their service delivery
- Entities that resell your products
- Entities that rely on a physical distribution system for your products
- Business partners
- Internal entity personnel
What is the Focus of a SOC for Supply Chain Report?
To understand why each of the intended users listed above may want access to an entity's SOC for Supply Chain report, you first need to understand what a supply chain is, because there are many misconceptions about what the term includes.
Some of the items considered in developing the attestation guide for performing and reporting on a SOC for Supply Chain examination include:
- The definition of supply chain
- The attributes of a strong supply chain
- The concept of supply chain management (SCM)
- The types of supply chains
- The types of supply chain management systems
These same items are considered when developing the description criteria used in the report. An understanding of these areas enables the practitioner and the organization to determine where risk lies within the supply chain system.
The AICPA released the guide to the public on March 12, 2020. The organizations intended to benefit from a SOC for Supply Chain report are those that produce, manufacture, or distribute products. The report centers on a description of the entity's supply chain system and the risks specific to its supply chain processes. It requires the audited organization to answer hard questions about whether its description accurately and completely explains its supply chain system in accordance with the description criteria. The report also identifies the controls the organization has put in place to mitigate its identified supply chain risks, evaluated against the trust services categories it has selected as applicable (security, processing integrity, availability, confidentiality, and privacy).
The AICPA's Supply Chain Risk Management Reporting Framework is a market-driven, flexible, and voluntary examination and reporting framework. It also gives organizations a leg up over competitors that do not have an attestation report covering their supply chain description, risks, and controls. The report can support vendor risk and general risk reviews and demonstrate good governance and transparency. It gives organizations a way to communicate information about their manufacturing, production, or distribution system or systems, and about the design and operating effectiveness of the controls that mitigate the related supply chain risks.
Deep Dive: What is “Supply Chain” in Simple Terms?
As discussed, a supply chain includes the events that move a product from its raw source through manufacturing and finally to market. With rapid technology advances, the production, manufacturing, and distribution of products often involve a high level of interdependence and connectivity between an entity and:
- Suppliers (organizations that supply them with raw materials or components of the manufacturing process)
- Business partners
A supply chain also encompasses supporting processes, including:
- Transportation (the resources involved in moving a product from the original raw material supplier to the final customer).
This interdependence and connectivity with companies outside the entity is referred to as the extended enterprise: the idea that an entity does not operate in isolation but depends for its success on a complex network of third-party relationships. Although these relationships may increase revenues, expand market opportunities, and reduce costs for the entity, they also create additional risks, both for the entity itself and for the suppliers, customers, and business partners it does business with. Those suppliers, customers, and business partners are responsible for identifying, evaluating, and addressing the risks to themselves as part of their own supply chain risk management programs.
If the risks identified are not mitigated appropriately, they may threaten the ability of the entity to:
- Provide products that meet the originally agreed product performance specifications
- Meet delivery and quality commitments
- Meet production, manufacturing, or distribution commitments
Because of this, suppliers, customers, and business partners expect entity management to establish operational and compliance objectives, including explicit contractual expectations such as service level agreements (SLAs), that make clear where responsibility for risk resides in the supply chain.
What Companies are Typically Involved in Supply Chain?
Supply chain is largely industry agnostic, but each industry has its own driving forces for advancing its oversight of suppliers in order to manage emerging risks to its processes. Supply, and the logistics related to it, are the backbone of any business and are critical to understand. Supply chains exist in both service and manufacturing companies. The companies most likely to use a SOC for Supply Chain report are those that produce, manufacture, or distribute products.
What are the 5 Basic Components of Supply Chain Management (SCM)?
Supply chain management (SCM) has five components (sometimes referred to as elements) that must be understood for a successful SOC for Supply Chain attestation report: planning, sourcing of raw materials, manufacturing, delivery, and returns.
To understand an entity's supply chain management, the practitioner needs to understand, together with management, the supply chain model the entity uses. Some common supply chain models include:
- Agile Model
- Continuous Flow Model
- Customer Configured Model
- Efficient Chain Model
- Fast Chain Model
- Flexible Model
- Supply Chain Operations Reference Model (SCOR)
Note that the Supply Chain Operations Reference (SCOR) model is unique in that it links business processes, performance metrics, practices, and people skills into one all-encompassing model. Each of the other models reflects different objectives and priorities established by the company. Broadly, each model prioritizes either the efficiency of the supply chain process or its responsiveness, and it is in that balance between efficiency and responsiveness that a practitioner will see the differences between the models.
The components of SCM described above (planning, sourcing, manufacturing, delivery, and returns) are what supply chain managers and leaders look to when making strategic decisions. Supply chain reporting is not always easy to pin down, because of the broad functional requirements and the many different business process areas that supply chain affects. Some of the most significant business areas affected by supply chain are:
- Inventory Management
- Demand Planning
- Customer Service
On a typical organization chart, these supply chain business process areas report up under Operations or Supply Chain Management, typically to the Chief Operating Officer or the VP of Supply Chain, and in some cases directly to the CEO. This leadership has primary responsibility for assessing the risks to the supply chain and asserting that appropriate controls are in place to mitigate those risks.
Pillars of Supply Chain Resilience
Assessing supply chain resilience is one component of the SOC for Supply Chain examination, especially as it relates to the Availability trust services category. The leadership in charge of the supply chain program is expected to stay constantly aware of the risks attributable to the business. Risks that supply chain management will evaluate include:
- Financial risks
- Business continuity risks
- Reputational risks
- Strategic risks
- Operational risks
- Cyber risks
- Compliance and regulatory risks
Keeping these risks top of mind and developing a risk assessment and mitigation plan is crucial. Supply chain management will typically have resilience considerations related to:
- Entity-specific vulnerabilities – bottlenecks in the supply chain, lack of redundancy among suppliers, and product quality
- Management culture – understanding and acceptance of the risk in the area of SCM
- Procurement – understanding the risk of suppliers, performing supplier audits, relationships, and contracts with suppliers
- Operations – cycle times, lead times, agility of operations
- Demand – data sharing for planning on needs
- Visibility – having statistics on performance internally, and understanding what is critical for visibility with distribution partners and customers
These resilience considerations may be included in the SOC for Supply Chain description and mapped to the appropriate criteria and points of focus for testing, so that the practitioner's opinion in the report gives leadership assurance not only that management is aware of these considerations, but that it is addressing them.
Supply Chain Technology Considerations
Another critically important consideration is the technology that supports the supply chain. Having appropriate technology in place helps increase profitability and deliver efficiencies. Organizations have incorporated technology from the fourth industrial revolution (Industry 4.0), which we are in the midst of now, and those innovations also bring additional risk.
The technology is expected to bring data visibility and the ability to "slice and dice" data, focus attention on the right problem areas, and create alignment with organizational and process expectations to support decision making. It may also enhance the interconnectedness of suppliers, warehouses, and distributors through the Internet of Things (IoT). However, this brings associated technology risk considerations and pulls the CIO, or other IT-specific entity leadership, to the "supply chain table."
SD Times (Software Development Times) reports, "The past year saw a 430% increase in next-generation cyber-attacks aimed at actively infiltrating open source software supply chains." The risks related to these technologies can be high, with threat actors constantly probing for vulnerabilities that give them access to steps in the supply chain system. Given the importance and criticality of supply chain technology, it is crucial that the general IT controls an entity applies to this area (typically logical access, change management, and IT operations controls) be considered and tested for every in-scope application, database, and infrastructure component. In a SOC for Supply Chain report, these IT risk considerations are included and tested under the Security trust services category.
Supply Chain Audit Versus SOC for Supply Chain Attestation Report
A supply chain audit is the process of examining an entity's extended supply chain processes and systems. Part of the process is to benchmark the entity's practices against best practices in its own industry and in other industries; a supply chain audit checklist may be used to facilitate the work. Whether the audit is performed by an internal audit department or as a SOC for Supply Chain attestation examination under AICPA guidance, it typically comprises the following phases:
- Plan the Audit
- Walkthrough and Evaluate Design of Controls
- Test Operating Effectiveness of Controls (fieldwork)
- Report the Results (reporting and follow up)
Another difference between an internal audit of the supply chain and an external attestation report (a SOC for Supply Chain report) is that the external report is performed by an independent practitioner and uses the description criteria and common control criteria developed specifically for supply chain examinations. Per the AICPA SOC for Supply Chain Backgrounder,
“The AICPA believes that a manufacturer, producer, or distributor and its customers and business partners will be best served if there is a defined set of information intended to enhance understanding of controls over manufacturing, production, and distribution systems. The information in the SOC for Supply Chain report is intended to provide useful information to stakeholders while also being transparent, consistent across time, comparable between entities, reasonably complete, scalable, and flexible.”
While an internal audit report is useful for internal company development, metrics, and understanding, a SOC for Supply Chain examination can go further, meeting the information needs not only of internal company personnel but also of the entity's customers and business partners.
SOC for Supply Chain Attestation Reports for Everyone!
So, back to the initial question of this blog: "Is there value in obtaining a SOC for Supply Chain report?" The value lies in the understanding it demonstrates of supply chain risks, and in being able to show a Board of Directors, business partners, customers, and suppliers that the entity has effective controls to mitigate those risks. A SOC report is a trusted source of independently examined information that one entity can rely on about another. What better way to show off the processes and procedures your company has worked so hard to put in place than to voluntarily have this attestation performed?
In this tangled web of extended enterprises and interconnected third-party relationships, companies are well aware that an entity cannot "outsource risk." Even if a problem occurs at a third party in the supply chain, the reputational risk and impacts carry far down the chain. Once again, as stated in the AICPA SOC for Supply Chain Backgrounder:
"As discussed, manufacturers, producers, and distribution companies are required to manage a web of plants, service providers, and suppliers to operate efficiently and meet commitments to customers. When a supply chain is disrupted, the organization is at risk of failing to meet production or delivery commitments. There are many causes of disruption that can impact supply chains, and an organization's ability to achieve its objectives is increasingly dependent on processes and controls that are not visible to the organization and are often beyond its control, such as controls at the suppliers."
"Manufacturers, producers, and distribution companies are looking for visibility across their complex supply chain networks to better understand the risks of doing business with 3rd parties and the controls the 3rd parties have in place to mitigate those risks. This is why supply chain risk management has become such a significant issue to many organizations and their stakeholders. Suppliers, manufacturers, and distributors of goods are increasingly interested in communicating how they manage the production and distribution risks in their own systems as a way of reassuring the organizations with whom they do business."
So, consider the suppliers and business partners you do business with, and ask whether they have a SOC for Supply Chain report you can review to understand their controls. In addition, consider having a SOC for Supply Chain examination performed on your own company, so you can proactively provide the report, or be ready to provide it when the same is asked of your entity.
If you are considering a SOC for Supply Chain examination, or would like to learn more about the audit services offered at Linford & Co, please contact us; we will be more than happy to help.
Rhonda is a Partner at Linford & Co., delivering risk services including System and Organization Controls (SOC) engagements and internal audit services (IT and business process audits). Rhonda holds CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and she brings a wealth of expertise in risk management and compliance.