
Supply chain problems appeared in the headlines shortly after the COVID-19 pandemic started. Raw materials and parts became scarce, causing significant disruptions in production and distribution. Industries such as manufacturing, on a global scale, saw operations slow or grind to a halt. A weakened supply chain also pushed prices higher for consumers, while affecting the quality and delivery of finished goods.

Volatility of Global Supply Chains Reveals Need for Governance

A recent study by EY, including interviews with 200 senior-level supply chain executives in various industries, revealed sobering news. Only two percent of these executives said they were prepared for the pandemic, and 57 percent described their business as “seriously disrupted,” including all respondents in the automotive industry.

Ultimately, the EY survey indicated the volatility of global supply chains and the need for a better view of vendor-to-vendor governance across the supply chain. This increased visibility would allow a better understanding of risk to guide more effective risk management so that supply chain executives are not caught flat-footed. Companies could hold suppliers accountable, requiring stronger governance over their products and network partners, including a heightened awareness of cybersecurity governance, depending on the supplier relationship and goods manufactured.

Recognizing the need for more transparent global supply chain management, the American Institute of Certified Public Accountants (AICPA) recently introduced its SOC for Supply Chain. CPAs can now use SOC (System and Organization Controls) guidelines for supply chain audit, reporting and assurance services. This addition to the SOC reporting suite helps produce a detailed view of systemic risk and the current state of risk mitigation controls.

Who Can Use a SOC for Supply Chain Examination

The American Institute of Certified Public Accountants (AICPA) didn’t develop SOC for Supply Chain to help companies meet compliance requirements. It’s a voluntary risk reporting framework for attestation or consulting engagements, to assess risk, understand control effectiveness and identify deficiencies.

A SOC for Supply Chain examination offers actionable intelligence for every company within a supply chain:

  • Producers — operations that produce and/or prepare raw materials
  • Manufacturers — companies that use raw materials or components to manufacture other components or finished goods
  • Distributors — companies providing or managing logistics (shipping, warehousing, inventory management, fulfillment)

The SOC for Supply Chain examination identifies and classifies risks that could prevent you from meeting your commitments, regardless of where you fit in the supply chain. Auditors use a scope customized for your business with the appropriate combination of AICPA Trust Services Categories — Security, Availability, Processing Integrity, Confidentiality and Privacy. These control criteria use high-level objectives instead of specific technical requirements to evaluate your organization, subsidiaries, divisions or operating units.

What’s Covered in a SOC for Supply Chain Examination

Like other SOC reports, a SOC for Supply Chain examination requires suppliers to describe their systems and processes. These descriptions detail supplier processes for production, manufacturing or distribution, and how these processes meet standard criteria. The AICPA developed DC300, a set of specific description criteria for supplier operational processes. Reporting must also detail system controls. This provides reasonable assurance that relevant trust services criteria guided the development of supplier system objectives. These include the following:

  • Appropriate protection from physical and logical risks
  • The ability to produce materials or intermediate goods in the specified quantities, with the specified quality, performance and functionality
  • The ability to meet contractual delivery commitments
  • System compliance with industry standards, applicable statutes and customer requirements
  • Compliance with specific confidentiality requirements, to protect intellectual property and privacy

Your SOC for Supply Chain report will also include the following information:

  • Management assertions that system controls provide reasonable assurance of achieving principal objectives, using applicable trust services criteria
  • The auditor’s opinion on the description and controls, and whether they provide reasonable assurance that principal objectives are achieved using applicable trust services criteria
  • A description of the auditor’s test procedures and results

Given the global upheaval of the past two years, an assessment of your supply chain resilience may be useful. As the aforementioned EY report noted, 98 percent of the supply chain executives interviewed weren’t prepared for the pandemic. This lack of readiness demonstrates the need for periodic risk assessment and mitigation planning.

Your report will include evaluations of various forms of risk — financial, business continuity, reputational, strategic and operational, cybersecurity and regulatory compliance. Managing supply chain risk means identifying potential weaknesses and either correcting or preparing for them. These include bottlenecks, lack of redundant capability, unpredictable lead times and the inability to provide internal performance metrics.

Benefits of a SOC for Supply Chain Examination

SOC reports use AICPA attestation standards, and the AICPA's reporting guidelines for internal controls carry significant weight within government offices and the global business community. You can share your SOC for Supply Chain report with prospective customers and business partners as part of their diligence. Your findings may also inform revised contractual language for maintaining security programs, with supplier governance subject to audit.

An optimized global supplier network can confer a sustainable competitive advantage, and this optimization begins with a better view of the moving parts. To discuss how a SOC for Supply Chain examination might benefit your organization, talk to your Windham Brannon advisor or contact Dean Flores, Principal at Windham Brannon.