Software supply chain attacks increased by 650% during 2021. In addition, Gartner® predicts that by 2025 “45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021.” The need for users to understand supply chain processes and the controls that exist to minimize risks around supply chain activities have increased exponentially and continue to grow. Supply chain organizations have focused on globalization, automation, digitization of their supply chains, and placed larger emphases and investments in their logistics systems. The digitization and expansion in this market have increased the cyber risks and the supply chain software companies now face the same or worse cyber challenges and threats as other software companies. Disruptions to the supply chain of software companies can create significant impacts worldwide, and across all other industries.
What is SOC for Supply Chain?
Due to the increased risks identified with the supply chain industry growth and technological advances, auditing supply chain processes and controls are now expected. To accommodate the nuances of this industry-specific type of examination (or audit), engagement guidance was released in 2020 by the American Institute of CPAs (AICPA), referred to as System and Organization Control (SOC) for Supply Chain. The AICPA is a respected professional membership organization that has developed attestation criteria for the following (SOC) suite of services:
- SOC for Service Organizations
- SOC for Cyber Security
- SOC for Supply Chain
SOC for Supply Chain Reports
A SOC for Supply Chain report is an attestation report created to meet the needs of commercial customers and business partners of manufacturers, producers, and distribution companies. The AICPA has developed this framework for reporting on the controls over a manufacturing, production, or distribution system. With this reporting framework, supply chain organizations have an opportunity to communicate to stakeholders relevant information about their supply chain risk management program and the processes and controls they have in place to detect, prevent, and respond to supply chain risks.
This SOC for Supply Chain AICPA reporting framework is required to be performed by an independent CPA firm, in order to examine and report on the management-prepared system information and on the effectiveness of controls within the supply chain systems. The independent nature of the report increases the confidence that stakeholders may place in the supply chain information provided.
“Customers first” is always the primary supply chain goal. When a supply chain is disrupted, an entity is at risk of failing to meet production or delivery commitments that it has made to its customers. Attributes that were considered for the development of the attestation guide to perform and report on a SOC for supply chain report include:
- The definition of its supply chain
- The attributes of its supply chain
- The concept of supply chain management (SCM)
- The supply chain subservice providers and vendors
- The types of supply chain management systems and technology used
The above items are to be considered for the development of the description criteria utilized in the SOC for Supply Chain report. An understanding of these areas of supply chain enables the practitioner and the organization to determine where the risk lies within the supply chain systems. The report also gives companies an opportunity to disseminate useful information to their customers regarding their systems and the controls within their systems. The SOC for Supply Chain report is a market-driven, flexible, and voluntary audit and reporting framework. It provides organizations with a leg up over their competitors who do not have an attestation report covering their supply chain description, risks, and controls.
How Does a SOC for Supply Chain Report Differ from a SOC 2 Report?
A SOC for Supply Chain report appears initially very similar to the AICPA SOC 2 report. Both report types follow the SSAE 18 attestation standard and include management’s description, testing requirements, similar format, management assertions, and the CPA’s opinion. The main difference between the SOC for Supply chain report and the SOC 2 is within the system description.
The SOC 2 description criteria DC200-with revised implementation guidance in 2022 outlines nine criteria that are required to be addressed, however, in a SOC for Supply Chain report, the DC300 description criteria: DC 300 Description Criteria for a Description of an Entity’s Production, Manufacturing, or Distribution System in a SOC for Supply Chain Report is required. DC 300 requires a common language for the organizations to develop and describe the supply chain risk management efforts. Also required to prepare the SOC for Supply Chain report is the set of suitable control criteria which may include up to five trust service categories (security, availability, processing integrity, confidentiality, and privacy), depending on the reporting scope.
What are the Benefits of Obtaining a SOC for Supply Chain Report? Who Benefits?
The organizations that benefit from a SOC for Supply Chain report are organizations that produce, manufacture, or distribute products and the users of those services and products. The report includes details in the description of the understanding of the Company’s supply chain process, and the risks related to its specific supply chain processes. The report requires the audited organization to answer the hard questions as to how their description criteria accurately and completely explain their supply chain system and related components. The report also identifies what controls the Company has put in place to mitigate its identified supply chain risks around its included relevant trust service categories, as applicable: (security, processing integrity, availability, confidentiality, and privacy).
Who are SOC for Supply Chain Intended Users?
Intended users of a SOC for Supply Chain Report are restricted, and access is determined by the Company that is having the attestation performed. However, intended users may include the following:
- Current business customers
- Prospective customers
- Entities in the supply chain that use your products as components of their production and manufacturing systems
- Entities that use your products as inputs for their products
- Entities that use your products as part of their service delivery
- Entities that resell your products
- Entities that rely on a physical distribution system for your products
- Business partners
- Internal entity personnel
What are “Supply Chain” Risks?
A supply chain includes the activities and entities that are involved in moving a product from source to manufacturing to market. Supply chain management (SCM) has five components (planning, sourcing, manufacturing, delivery, and returns), and the risks from each of these component areas are required to be understood for a successful SOC for Supply Chain attestation report.
With rapid technology advances, the SCM processes often involve a high level of automation, interdependence, and connectivity between an entity and its:
- Business partners
A supply chain includes the all-encompassing components of processes that include:
- Transportation (the resources involved in moving a customer’s product from the original raw supplier to the final customer).
What are Dependencies that Impact Supply Chain Risks?
Supply chain organizations may manage a multitude of plants, service providers, and suppliers to operate efficiently and meet their customer commitments. This interdependence and connectivity with companies outside of an entity are referred to as an extended enterprise. Extended enterprise is the idea that an entity does not operate in isolation – instead, its success is dependent upon a complex network of third-party relationships. The relationships between an entity and its extended enterprise may:
- Increase revenues
- Expand market opportunities
- Reduce costs for the entity
However, these relationships also result in additional risks related to the suppliers, customers, and business partners that the entity does business with, as well as the entity.
These suppliers, customers, and business partners are responsible for identifying, evaluating, and addressing those risks as part of their own supply chain risk management programs. Leadership in charge of the supply chain program are expected to be constantly aware of the risks that are attributable to their business. Some of the risks that supply chain management will evaluate include:
- Financial risks
- Business continuity risks
- Reputational risks
- Strategic risks
- Operational risks
- Cyber risks
- Compliance and regulatory risks
If the risks identified are not mitigated appropriately, they may threaten the ability of the entity to:
- Provide products in alignment with originally decided product performance specifications
- Meet delivery and quality commitments
- Meet production, manufacturing, or distribution commitments
- Manage reputational damage
- Avoid loss of intellectual property and disruptions to key business operations
- Reduce fines and penalties for missed SLAs
- Manage litigation and remediation costs
- Compete in strategic markets
Supply Chain Technology Considerations
The technology that is supporting the supply chain needs to be understood completely throughout the entire chain for inclusion in the SOC for Supply Chain report.
The supply chain technology in place assists supply chain organizations with:
- The capability of increasing profitability and providing efficiencies
- Supply chain data visibility
- Focusing on the right problem areas in the supply chain
- Creating alignment with organizational and process expectations to help with decision making
The supply chain technology may enhance the interconnectedness between suppliers, warehouses, and distributors utilizing the Internet of Things. However, this technology also brings associated technology risk considerations. It is crucial that analysis of the general IT control considerations that an entity has applied be considered and tested for every application, database, and infrastructure relevant. As a part of a SOC for Supply Chain report, under the Security Trust Services category, IT technology risk considerations are included and tested.
What is the Value of a SOC for Supply Chain Report?
SOC for Supply Chain reports are very valuable reports. The value is evidenced by the dissemination of information around the risks and controls within a supply chain. With the use of extended enterprises and interconnected third-party usage, organizations cannot “outsource this risk.” If a problem occurs at a supply chain 3rd party, the reputational risk and impacts carry on far down the supply chain. The SOC for Supply Chain report adds value by giving the supply chain entities the opportunity to independently demonstrate to its Board of Directors, business partners, customers, distributors, manufacturers, and suppliers that it has effective controls to mitigate SOC for Supply Chain risks.
A SOC report is a relied-upon source of information for entities to use to gather audited information about another entity for reliance purposes. What better way to demonstrate the supply chain processes and procedures that a company has worked so hard to put in place than to willingly decide to have this attestation performed? When a SOC for Supply Chain report is completed, the reports can then be distributed to any user entities or relevant intended parties that have questions about the Company’s controls to provide assurance on the design and operation of the controls in place. This concept of assessing once, and reporting to many helps to save the supply chain companies time, not only time away from filling out questionnaires but from undergoing multiple compliance audits requested from its users.
In conclusion, as stated well in the AICPA SOC for Supply Chain Backgrounder, “Manufacturers, producers, and distribution companies are looking for visibility across their complex supply chain networks to better understand the risks of doing business with suppliers and the controls the suppliers have in place to mitigate those risks…This is why supply chain risk management has become such a significant issue to many organizations and their stakeholders.”
The time is now to consider whether supply chain risk is sufficiently addressed at your organization. A SOC for Supply Chain report may be just the right way for your organization to showcase that it has considered and addressed these risks.
If you are considering the need to undergo a SOC for Supply Chain audit or would like to learn more about the audit services offered here at Linford & Co, please contact us and we will be more than happy to help.
This article was originally published on 2/2/2021 and was updated on 4/26/2023.
Rhonda is a Partner at Linford & Co. delivering risk services including service organization control (SOC) engagements, and Internal Audit services (IT and Business process audits). Rhonda has her CPA, CISSP, PMP, and CISA certifications and delivers leading-edge client service. Previously, Rhonda was a Managing Director at Deloitte, and brings a wealth of expertise in the areas of risk management and compliance.